From fa2b8932f9a11a3cf4791205e891d6c38ab3796d Mon Sep 17 00:00:00 2001
From: Chris Ross
Date: Tue, 28 Jan 2014 15:53:20 -0800
Subject: [PATCH 001/493] Initial commit with build infrastructure.
---
.gitattributes | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
.gitignore | 31 +++++++++++++++++++++++++++++++
NuGet.Config | 13 +++++++++++++
build.cmd | 16 ++++++++++++++++
makefile.shade | 7 +++++++
5 files changed, 117 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 NuGet.Config
create mode 100644 build.cmd
create mode 100644 makefile.shade
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000..bdaa5ba982
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,50 @@
+*.doc diff=astextplain
+*.DOC diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot diff=astextplain
+*.DOT diff=astextplain
+*.pdf diff=astextplain
+*.PDF diff=astextplain
+*.rtf diff=astextplain
+*.RTF diff=astextplain
+
+*.jpg binary
+*.png binary
+*.gif binary
+
+*.cs text=auto diff=csharp
+*.vb text=auto
+*.resx text=auto
+*.c text=auto
+*.cpp text=auto
+*.cxx text=auto
+*.h text=auto
+*.hxx text=auto
+*.py text=auto
+*.rb text=auto
+*.java text=auto
+*.html text=auto
+*.htm text=auto
+*.css text=auto
+*.scss text=auto
+*.sass text=auto
+*.less text=auto
+*.js text=auto
+*.lisp text=auto
+*.clj text=auto
+*.sql text=auto
+*.php text=auto
+*.lua text=auto
+*.m text=auto
+*.asm text=auto
+*.erl text=auto
+*.fs text=auto
+*.fsx text=auto
+*.hs text=auto
+
+*.csproj text=auto
+*.vbproj text=auto
+*.fsproj text=auto
+*.dbproj text=auto
+*.sln text=auto eol=crlf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..5cf7c13c7e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,31 @@
+[Oo]bj/
+[Bb]in/
+*.xap
+*.user
+/TestResults
+*.vspscc
+*.vssscc
+*.suo
+*.cache
+*.docstates
+_ReSharper.*
+*.csproj.user
+*[Rr]e[Ss]harper.user
+_ReSharper.*/
+packages/*
+artifacts/*
+msbuild.log
+PublishProfiles/
+*.psess
+*.vsp
+*.pidb
+*.userprefs
+*DS_Store
+*.ncrunchsolution
+*.log
+*.vspx
+/.symbols
+nuget.exe
+build/
+*net45.csproj
+*k10.csproj
\ No newline at end of file
diff --git a/NuGet.Config b/NuGet.Config
new file mode 100644
index 0000000000..ab583b0ff7
--- /dev/null
+++ b/NuGet.Config
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/build.cmd b/build.cmd
new file mode 100644
index 0000000000..c3b2462019
--- /dev/null
+++ b/build.cmd
@@ -0,0 +1,16 @@
+@echo off
+cd %~dp0
+
+IF EXIST .nuget\NuGet.exe goto restore
+echo Downloading latest version of NuGet.exe...
+md .nuget
+@powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://www.nuget.org/nuget.exe' -OutFile '.nuget\NuGet.exe'"
+
+:restore
+IF EXIST build goto run
+.nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre
+xcopy packages\KoreBuild\build build\ /Y
+.nuget\NuGet.exe install Sake -version 0.2 -o packages
+
+:run
+packages\Sake.0.2\tools\Sake.exe -I build -f makefile.shade %*
diff --git a/makefile.shade b/makefile.shade
new file mode 100644
index 0000000000..6357ea2841
--- /dev/null
+++ b/makefile.shade
@@ -0,0 +1,7 @@
+
+var VERSION='0.1'
+var FULL_VERSION='0.1'
+var AUTHORS='Microsoft'
+
+use-standard-lifecycle
+k-standard-goals
From 869a4ec267b9a1a0e9de18894319a281dfba85c8 Mon Sep 17 00:00:00 2001
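Review bot: In build.cmd, `Invoke-WebRequest 'https://www.nuget.org/nuget.exe'` fetches whatever binary is current and the `:restore` step runs it straight away, with no pinned version, hash or Authenticode check, so every clean build trusts the download endpoint at that moment. `install KoreBuild ... -pre` has the same property: unlike the Sake line, which pins `-version 0.2`, it takes the newest prerelease and copies its scripts into `build\`, where Sake then executes them. I would pin KoreBuild with an explicit `-version` and verify the downloaded file before first use, for example by requiring `(Get-AuthenticodeSignature '.nuget\NuGet.exe').Status` to be `Valid`. Separately, `cd %~dp0` does not switch drives when the script is started from another one; `cd /d %~dp0` does.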
From: Levi Broderick
Date: Tue, 28 Jan 2014 17:14:26 -0800
Subject: [PATCH 002/493] Initial implementation of Microsoft.AspNet.Security.DataProtection
---
.../Algorithms.cs | 65 ++++++
.../BCRYPT_KEY_DATA_BLOB_HEADER.cs | 23 ++
.../BCryptAlgorithmFlags.cs | 11 +
.../BCryptAlgorithmHandle.cs | 16 ++
.../BCryptBuffer.cs | 13 ++
.../BCryptBufferDesc.cs | 20 ++
.../BCryptEncryptFlags.cs | 9 +
.../BCryptGenRandomFlags.cs | 10 +
.../BCryptHashHandle.cs | 16 ++
.../BCryptKeyDerivationBufferType.cs | 24 ++
.../BCryptKeyHandle.cs | 16 ++
.../BCryptUtil.cs | 221 ++++++++++++++++++
.../Constants.cs | 83 +++++++
.../CryptographicException.cs | 15 ++
.../DataProtectionProvider.cs | 77 ++++++
.../DataProtectionProviderImpl.cs | 26 +++
.../DataProtectorImpl.cs | 160 +++++++++++++
.../IDataProtectionProvider.cs | 12 +
.../IDataProtector.cs | 33 +++
.../Properties/AssemblyInfo.cs | 30 +++
.../Resources/Res.Designer.cs | 82 ++++++
.../Resources/Res.resx | 126 ++++++++++
.../SafeHandleZeroOrMinusOneIsInvalid.cs | 19 ++
.../UnsafeNativeMethods.cs | 159 +++++++++++++
.../Util/BufferUtil.cs | 66 ++++++
.../project.json | 10 +
26 files changed, 1342 insertions(+)
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Constants.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs
create mode 100644 src/Microsoft.AspNet.Security.DataProtection/project.json
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs
new file mode 100644
index 0000000000..850a7415f7
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs
@@ -0,0 +1,65 @@
+using System;
+using System.Security.Cryptography;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+
+ internal unsafe static class Algorithms {
+
+ public static readonly BCryptAlgorithmHandle AESAlgorithmHandle = CreateAESAlgorithmHandle();
+ public static readonly BCryptAlgorithmHandle HMACSHA256AlgorithmHandle = CreateHMACSHA256AlgorithmHandle();
+ public static readonly BCryptAlgorithmHandle HMACSHA512AlgorithmHandle = CreateHMACSHA512AlgorithmHandle();
+ public static readonly BCryptAlgorithmHandle SP800108AlgorithmHandle = CreateSP800108AlgorithmHandle();
+
+ private static BCryptAlgorithmHandle CreateAESAlgorithmHandle() {
+ // create the AES instance
+ BCryptAlgorithmHandle algHandle;
+ int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_AES_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0);
+ if (status != 0 || algHandle == null || algHandle.IsInvalid) {
+ throw new CryptographicException(status);
+ }
+
+ // change it to use CBC chaining; it already uses PKCS7 padding by default
+ fixed (char* pCbcMode = Constants.BCRYPT_CHAIN_MODE_CBC) {
+ status = UnsafeNativeMethods.BCryptSetProperty(algHandle, Constants.BCRYPT_CHAINING_MODE, (IntPtr)pCbcMode, (uint)((Constants.BCRYPT_CHAIN_MODE_CBC.Length + 1 /* trailing null */) * sizeof(char)), dwFlags: 0);
+ }
+ if (status != 0) {
+ throw new CryptographicException(status);
+ }
+
+ return algHandle;
+ }
+ private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() {
+ // create the HMACSHA-256 instance
+ BCryptAlgorithmHandle algHandle;
+ int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA256_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG);
+ if (status != 0 || algHandle == null || algHandle.IsInvalid) {
+ throw new CryptographicException(status);
+ }
+
+ return algHandle;
+ }
+
+ private static BCryptAlgorithmHandle CreateHMACSHA512AlgorithmHandle() {
+ // create the HMACSHA-512 instance
+ BCryptAlgorithmHandle algHandle;
+ int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA512_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG);
+ if (status != 0 || algHandle == null || algHandle.IsInvalid) {
+ throw new CryptographicException(status);
+ }
+
+ return algHandle;
+ }
+
+ private static BCryptAlgorithmHandle CreateSP800108AlgorithmHandle() {
+ // create the SP800-108 instance
+ BCryptAlgorithmHandle algHandle;
+ int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SP800108_CTR_HMAC_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0);
+ if (status != 0 || algHandle == null || algHandle.IsInvalid) {
+ throw new CryptographicException(status);
+ }
+
+ return algHandle;
+ }
+
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs
new file mode 100644
index 0000000000..25fbecc1d2
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs
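Review bot: `CreateAESAlgorithmHandle` in Algorithms.cs fixes the cipher to AES-CBC with PKCS7 padding, which is only safe when every ciphertext is authenticated and the MAC is checked before any decrypt call; the code that enforces that order is not in this hunk, so I would state the requirement next to the chaining-mode comment, e.g. `// CBC + padding: callers MUST verify the HMAC over IV and ciphertext before decrypting`. In the same method, a failing `BCryptSetProperty` throws without releasing the provider that was just opened; calling `algHandle.Dispose();` before that `throw` releases it deterministically instead of leaving it to the finalizer. The four `Create*AlgorithmHandle` methods repeat the same open-and-check sequence and could share one private helper that takes the algorithm id and the flags.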
@@ -0,0 +1,23 @@
+using System;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375524(v=vs.85).aspx
+ [StructLayout(LayoutKind.Sequential)]
+ internal struct BCRYPT_KEY_DATA_BLOB_HEADER {
+ // from bcrypt.h
+ private const uint BCRYPT_KEY_DATA_BLOB_MAGIC = 0x4d42444b; //Key Data Blob Magic (KDBM)
+ private const uint BCRYPT_KEY_DATA_BLOB_VERSION1 = 0x1;
+
+ public uint dwMagic;
+ public uint dwVersion;
+ public uint cbKeyData;
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void Initialize(ref BCRYPT_KEY_DATA_BLOB_HEADER pHeader) {
+ pHeader.dwMagic = BCRYPT_KEY_DATA_BLOB_MAGIC;
+ pHeader.dwVersion = BCRYPT_KEY_DATA_BLOB_VERSION1;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs
new file mode 100644
index 0000000000..aa091e9c25
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs
@@ -0,0 +1,11 @@
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // from bcrypt.h
+ [Flags]
+ internal enum BCryptAlgorithmFlags {
+ BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008,
+ BCRYPT_CAPI_AES_FLAG = 0x00000010,
+ BCRYPT_HASH_REUSABLE_FLAG = 0x00000020,
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs
new file mode 100644
index 0000000000..6346215a9a
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs
@@ -0,0 +1,16 @@
+using System;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ internal sealed class BCryptAlgorithmHandle : SafeHandleZeroOrMinusOneIsInvalid {
+ // Called by P/Invoke when returning SafeHandles
+ private BCryptAlgorithmHandle()
+ : base(ownsHandle: true) {
+ }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle() {
+ return (UnsafeNativeMethods.BCryptCloseAlgorithmProvider(handle, dwFlags: 0) == 0);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs
new file mode 100644
index 0000000000..3ffbc5156f
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs
@@ -0,0 +1,13 @@
+using System;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx
+ [StructLayout(LayoutKind.Sequential)]
+ internal struct BCryptBuffer {
+ public uint cbBuffer; // Length of buffer, in bytes
+ public BCryptKeyDerivationBufferType BufferType; // Buffer type
+ public IntPtr pvBuffer; // Pointer to buffer
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs
new file mode 100644
index 0000000000..0e5336f496
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs
@@ -0,0 +1,20 @@
+using System;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375370(v=vs.85).aspx
+ [StructLayout(LayoutKind.Sequential)]
+ internal unsafe struct BCryptBufferDesc {
+ private const int BCRYPTBUFFER_VERSION = 0;
+
+ public uint ulVersion; // Version number
+ public uint cBuffers; // Number of buffers
+ public BCryptBuffer* pBuffers; // Pointer to array of buffers
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void Initialize(ref BCryptBufferDesc bufferDesc) {
+ bufferDesc.ulVersion = BCRYPTBUFFER_VERSION;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs
new file mode 100644
index 0000000000..55a2af8300
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs
@@ -0,0 +1,9 @@
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // from bcrypt.h
+ [Flags]
+ internal enum BCryptEncryptFlags {
+ BCRYPT_BLOCK_PADDING = 0x00000001,
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs
new file mode 100644
index 0000000000..250d7e0ee6
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs
@@ -0,0 +1,10 @@
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // from bcrypt.h
+ [Flags]
+ internal enum BCryptGenRandomFlags {
+ BCRYPT_RNG_USE_ENTROPY_IN_BUFFER = 0x00000001,
+ BCRYPT_USE_SYSTEM_PREFERRED_RNG = 0x00000002,
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs
new file mode 100644
index 0000000000..317a5f4bf1
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs
@@ -0,0 +1,16 @@
+using System;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ internal sealed class BCryptHashHandle : SafeHandleZeroOrMinusOneIsInvalid {
+ // Called by P/Invoke when returning SafeHandles
+ private BCryptHashHandle()
+ : base(ownsHandle: true) {
+ }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle() {
+ return (UnsafeNativeMethods.BCryptDestroyHash(handle) == 0);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs
new file mode 100644
index 0000000000..0fb2e84347
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs
@@ -0,0 +1,24 @@
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // from bcrypt.h
+ internal enum BCryptKeyDerivationBufferType {
+ KDF_HASH_ALGORITHM = 0x0,
+ KDF_SECRET_PREPEND = 0x1,
+ KDF_SECRET_APPEND = 0x2,
+ KDF_HMAC_KEY = 0x3,
+ KDF_TLS_PRF_LABEL = 0x4,
+ KDF_TLS_PRF_SEED = 0x5,
+ KDF_SECRET_HANDLE = 0x6,
+ KDF_TLS_PRF_PROTOCOL = 0x7,
+ KDF_ALGORITHMID = 0x8,
+ KDF_PARTYUINFO = 0x9,
+ KDF_PARTYVINFO = 0xA,
+ KDF_SUPPPUBINFO = 0xB,
+ KDF_SUPPPRIVINFO = 0xC,
+ KDF_LABEL = 0xD,
+ KDF_CONTEXT = 0xE,
+ KDF_SALT = 0xF,
+ KDF_ITERATION_COUNT = 0x10,
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
new file mode 100644
index 0000000000..cd6e48fc88
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
@@ -0,0 +1,16 @@
+using System;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ internal sealed class BCryptKeyHandle : SafeHandleZeroOrMinusOneIsInvalid {
+ // Called by P/Invoke when returning SafeHandles
+ private BCryptKeyHandle()
+ : base(ownsHandle: true) {
+ }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle() {
+ return (UnsafeNativeMethods.BCryptDestroyKey(handle) == 0);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs
new file mode 100644
index 0000000000..4ba8237436
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs
@@ -0,0 +1,221 @@
+using System;
+using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
+using Microsoft.AspNet.Security.DataProtection.Util;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ internal unsafe static class BCryptUtil {
+
+ // constant-time buffer comparison
+ [MethodImpl(MethodImplOptions.NoOptimization)]
+ public static bool BuffersAreEqualSecure(byte* p1, byte* p2, uint count) {
+ bool retVal = true;
+ while (count-- > 0) {
+ retVal &= (*(p1++) == *(p2++));
+ }
+ return retVal;
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ private static void CheckOverflowUnderflow(int input) {
+ var unused = checked((uint)input);
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ private static void CheckOverflowUnderflow(uint input) {
+ var unused = checked((int)input);
+ }
+
+ // helper function to wrap BCryptCreateHash
+ public static BCryptHashHandle CreateHash(BCryptAlgorithmHandle algorithmHandle, byte* key, int keyLengthInBytes) {
+ CheckOverflowUnderflow(keyLengthInBytes);
+
+ BCryptHashHandle retVal;
+ int status = UnsafeNativeMethods.BCryptCreateHash(algorithmHandle, out retVal, IntPtr.Zero, 0, key, (uint)keyLengthInBytes, dwFlags: 0);
+ if (status != 0 || retVal == null || retVal.IsInvalid) {
+ throw new CryptographicException(status);
+ }
+
+ return retVal;
+ }
+
+ // helper function to wrap BCryptEncrypt; returns number of bytes written to 'output'
+ // assumes the output buffer is large enough to hold the ciphertext + any necessary padding
+ public static int DecryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) {
+ CheckOverflowUnderflow(inputLength);
+ CheckOverflowUnderflow(ivLength);
+ CheckOverflowUnderflow(outputLength);
+
+ // BCryptEncrypt destroys the 'iv' parameter, so we need to pass a duplicate instead of the original
+ if (ivLength > Constants.MAX_STACKALLOC_BYTES) {
+ throw new InvalidOperationException();
+ }
+ byte* pDuplicatedIV = stackalloc byte[ivLength];
+ BufferUtil.BlockCopy(from: (IntPtr)iv, to: (IntPtr)pDuplicatedIV, byteCount: ivLength);
+
+ uint retVal;
+ int status = UnsafeNativeMethods.BCryptDecrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
+ if (status != 0) {
+ throw new CryptographicException(status);
+ }
+
+ return checked((int)retVal);
+ }
+
+ // helper function to wrap BCryptKeyDerivation using SP800-108-CTR-HMAC-SHA512
+ public static void DeriveKeysSP800108(BCryptAlgorithmHandle kdfAlgorithmHandle, BCryptKeyHandle keyHandle, string purpose, BCryptAlgorithmHandle encryptionAlgorithmHandle, out BCryptKeyHandle encryptionKeyHandle, BCryptAlgorithmHandle hashAlgorithmHandle, out BCryptHashHandle hmacHandle, out BCryptKeyHandle kdfKeyHandle) {
+ const int ENCRYPTION_KEY_SIZE_IN_BYTES = 256 / 8;
+ const int HMAC_KEY_SIZE_IN_BYTES = 256 / 8;
+ const int KDF_SUBKEY_SIZE_IN_BYTES = 512 / 8;
+ const int TOTAL_NUM_BYTES_TO_DERIVE = ENCRYPTION_KEY_SIZE_IN_BYTES + HMAC_KEY_SIZE_IN_BYTES + KDF_SUBKEY_SIZE_IN_BYTES;
+
+ // keep our buffers on the stack while we're generating key material
+ byte* pBuffer = stackalloc byte[TOTAL_NUM_BYTES_TO_DERIVE]; // will be freed with frame pops
+ byte* pNewEncryptionKey = pBuffer;
+ byte* pNewHmacKey = &pNewEncryptionKey[ENCRYPTION_KEY_SIZE_IN_BYTES];
+ byte* pNewKdfSubkey = &pNewHmacKey[HMAC_KEY_SIZE_IN_BYTES];
+
+ try {
+ fixed (char* pszPrfAlgorithmName = Constants.BCRYPT_SHA512_ALGORITHM) {
+ // Create a buffer to hold the hash algorithm name, currently hardcoded to HMACSHA512
+ uint numBuffers = 1;
+ BCryptBuffer* pBCryptBuffers = stackalloc BCryptBuffer[2];
+ pBCryptBuffers[0].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM;
+ pBCryptBuffers[0].pvBuffer = (IntPtr)pszPrfAlgorithmName;
+ pBCryptBuffers[0].cbBuffer = (uint)((Constants.BCRYPT_SHA512_ALGORITHM.Length + 1) * sizeof(char)); // per http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx, need to include terminating null
+ fixed (char* pszPurpose = (String.IsNullOrEmpty(purpose) ? (string)null : purpose)) {
+ // Create a buffer to hold the purpose string if it is specified (we'll treat it as UTF-16LE)
+ if (pszPurpose != null) {
+ numBuffers = 2;
+ pBCryptBuffers[1].BufferType = BCryptKeyDerivationBufferType.KDF_LABEL;
+ pBCryptBuffers[1].pvBuffer = (IntPtr)pszPurpose;
+ pBCryptBuffers[1].cbBuffer = checked((uint)(purpose.Length * sizeof(char)));
+ }
+
+ // .. and the header ..
+ BCryptBufferDesc bufferDesc = default(BCryptBufferDesc);
+ BCryptBufferDesc.Initialize(ref bufferDesc);
+ bufferDesc.cBuffers = numBuffers;
+ bufferDesc.pBuffers = pBCryptBuffers;
+
+ uint numBytesDerived;
+ int status = UnsafeNativeMethods.BCryptKeyDerivation(keyHandle, &bufferDesc, pBuffer, TOTAL_NUM_BYTES_TO_DERIVE, out numBytesDerived, dwFlags: 0);
+ if (status != 0 || numBytesDerived != TOTAL_NUM_BYTES_TO_DERIVE) {
+ throw new CryptographicException(status);
+ }
+ }
+ }
+
+ // At this point, we have all the bytes we need.
+ encryptionKeyHandle = ImportKey(encryptionAlgorithmHandle, pNewEncryptionKey, ENCRYPTION_KEY_SIZE_IN_BYTES);
+ hmacHandle = CreateHash(hashAlgorithmHandle, pNewHmacKey, HMAC_KEY_SIZE_IN_BYTES);
+ kdfKeyHandle = ImportKey(kdfAlgorithmHandle, pNewKdfSubkey, KDF_SUBKEY_SIZE_IN_BYTES);
+ }
+ finally {
+ BufferUtil.ZeroMemory(pBuffer, TOTAL_NUM_BYTES_TO_DERIVE);
+ }
+ }
+
+ // helper function to wrap BCryptDuplicateHash
+ public static BCryptHashHandle DuplicateHash(BCryptHashHandle hashHandle) {
+ BCryptHashHandle retVal;
+ int status = UnsafeNativeMethods.BCryptDuplicateHash(hashHandle, out retVal, IntPtr.Zero, 0, dwFlags: 0);
+ if (status != 0 || retVal == null || retVal.IsInvalid) {
+ throw new CryptographicException(status);
+ }
+
+ return retVal;
+ }
+
+ // helper function to wrap BCryptEncrypt; returns number of bytes written to 'output'
+ // assumes the output buffer is large enough to hold the ciphertext + any necessary padding
+ public static int EncryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) {
+ CheckOverflowUnderflow(inputLength);
+ CheckOverflowUnderflow(ivLength);
+ CheckOverflowUnderflow(outputLength);
+
+ // BCryptEncrypt destroys the 'iv' parameter, so we need to pass a duplicate instead of the original
+ if (ivLength > Constants.MAX_STACKALLOC_BYTES) {
+ throw new InvalidOperationException();
+ }
+ byte* pDuplicatedIV = stackalloc byte[ivLength];
+ BufferUtil.BlockCopy(from: (IntPtr)iv, to: (IntPtr)pDuplicatedIV, byteCount: ivLength);
+
+ uint retVal;
+ int status = UnsafeNativeMethods.BCryptEncrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
+ if (status != 0) {
+ throw new CryptographicException(status);
+ }
+
+ return checked((int)retVal);
+ }
+
+ // helper function that's similar to RNGCryptoServiceProvider, but works directly with pointers
+ public static void GenRandom(byte* buffer, int bufferBytes) {
+ CheckOverflowUnderflow(bufferBytes);
+
+ int status = UnsafeNativeMethods.BCryptGenRandom(IntPtr.Zero, buffer, (uint)bufferBytes, BCryptGenRandomFlags.BCRYPT_USE_SYSTEM_PREFERRED_RNG);
+ if (status != 0) {
+ throw new CryptographicException(status);
+ }
+ }
+
+ // helper function that wraps BCryptHashData / BCryptFinishHash
+ public static void HashData(BCryptHashHandle hashHandle, byte* input, int inputBytes, byte* output, int outputBytes) {
+ CheckOverflowUnderflow(inputBytes);
+ CheckOverflowUnderflow(outputBytes);
+
+ int status = UnsafeNativeMethods.BCryptHashData(hashHandle, input, (uint)inputBytes, dwFlags: 0);
+ if (status != 0) {
+ throw new CryptographicException(status);
+ }
+
+ status = UnsafeNativeMethods.BCryptFinishHash(hashHandle, output, (uint)outputBytes, dwFlags: 0);
+ if (status != 0) {
+ throw new CryptographicException(status);
+ }
+ }
+
+ // helper function that wraps BCryptImportKey with a key data blob
+ public static BCryptKeyHandle ImportKey(BCryptAlgorithmHandle algHandle, byte* key, int keyBytes) {
+ CheckOverflowUnderflow(keyBytes);
+
+ byte[] heapAllocatedKeyDataBlob = null;
+ int numBytesRequiredForKeyDataBlob = checked(keyBytes + sizeof(BCRYPT_KEY_DATA_BLOB_HEADER));
+ if (numBytesRequiredForKeyDataBlob > Constants.MAX_STACKALLOC_BYTES) {
+ heapAllocatedKeyDataBlob = new byte[numBytesRequiredForKeyDataBlob]; // allocate on heap if we cannot allocate on stack
+ }
+
+ int status;
+ BCryptKeyHandle retVal;
+ fixed (byte* pHeapAllocatedKeyDataBlob = heapAllocatedKeyDataBlob) {
+ // The header is first
+ BCRYPT_KEY_DATA_BLOB_HEADER* pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)pHeapAllocatedKeyDataBlob;
+ if (pKeyDataBlobHeader == null) {
+ byte* temp = stackalloc byte[numBytesRequiredForKeyDataBlob]; // won't be released until frame pops
+ pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)temp;
+ }
+ BCRYPT_KEY_DATA_BLOB_HEADER.Initialize(ref *pKeyDataBlobHeader);
+ pKeyDataBlobHeader->cbKeyData = (uint)keyBytes;
+
+ // the raw material immediately follows the header
+ byte* pKeyDataRawMaterial = (byte*)(&pKeyDataBlobHeader[1]);
+
+ try {
+ BufferUtil.BlockCopy(from: (IntPtr)key, to: (IntPtr)pKeyDataRawMaterial, byteCount: keyBytes);
+ status = UnsafeNativeMethods.BCryptImportKey(algHandle, IntPtr.Zero, Constants.BCRYPT_KEY_DATA_BLOB, out retVal, IntPtr.Zero, 0, (byte*)pKeyDataBlobHeader, (uint)numBytesRequiredForKeyDataBlob, dwFlags: 0);
+ }
+ finally {
+ // zero out the key we just copied
+ BufferUtil.ZeroMemory(pKeyDataRawMaterial, keyBytes);
+ }
+ }
+
+ if (status != 0 || retVal == null || retVal.IsInvalid) {
+ throw new CryptographicException(status);
+ }
+ return retVal;
+ }
+
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs
new file mode 100644
index 0000000000..c6ca8cbb7c
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs
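Review bot: `BuffersAreEqualSecure` in BCryptUtil.cs depends on `NoOptimization` to keep `retVal &= (*(p1++) == *(p2++));` free of data-dependent branches, but the byte comparison itself may still be compiled to a conditional; accumulating the differences arithmetically avoids relying on the JIT: declare `uint acc = 0;`, use `acc |= (uint)(*(p1++) ^ *(p2++));` in the loop, and `return acc == 0;`. In `DeriveKeysSP800108`, the check `status != 0 || numBytesDerived != TOTAL_NUM_BYTES_TO_DERIVE` can throw `CryptographicException(0)` on a short derive, and if `CreateHash` or the second `ImportKey` throws, the handles already created from the derived key material are never disposed. The two comments above `DecryptWithPadding` were copied from the encrypt helper; they should name BCryptDecrypt and describe the output as the plaintext buffer.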
@@ -0,0 +1,83 @@
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ // from bcrypt.h
+ internal static class Constants {
+ internal const int MAX_STACKALLOC_BYTES = 256; // greatest number of bytes that we'll ever allow to stackalloc in a single frame
+
+ // BCrypt(Import/Export)Key BLOB types
+ internal const string BCRYPT_OPAQUE_KEY_BLOB = "OpaqueKeyBlob";
+ internal const string BCRYPT_KEY_DATA_BLOB = "KeyDataBlob";
+ internal const string BCRYPT_AES_WRAP_KEY_BLOB = "Rfc3565KeyWrapBlob";
+
+ // Microsoft built-in providers.
+ internal const string MS_PRIMITIVE_PROVIDER = "Microsoft Primitive Provider";
+ internal const string MS_PLATFORM_CRYPTO_PROVIDER = "Microsoft Platform Crypto Provider";
+
+ // Common algorithm identifiers.
+ internal const string BCRYPT_RSA_ALGORITHM = "RSA";
+ internal const string BCRYPT_RSA_SIGN_ALGORITHM = "RSA_SIGN";
+ internal const string BCRYPT_DH_ALGORITHM = "DH";
+ internal const string BCRYPT_DSA_ALGORITHM = "DSA";
+ internal const string BCRYPT_RC2_ALGORITHM = "RC2";
+ internal const string BCRYPT_RC4_ALGORITHM = "RC4";
+ internal const string BCRYPT_AES_ALGORITHM = "AES";
+ internal const string BCRYPT_DES_ALGORITHM = "DES";
+ internal const string BCRYPT_DESX_ALGORITHM = "DESX";
+ internal const string BCRYPT_3DES_ALGORITHM = "3DES";
+ internal const string BCRYPT_3DES_112_ALGORITHM = "3DES_112";
+ internal const string BCRYPT_MD2_ALGORITHM = "MD2";
+ internal const string BCRYPT_MD4_ALGORITHM = "MD4";
+ internal const string BCRYPT_MD5_ALGORITHM = "MD5";
+ internal const string BCRYPT_SHA1_ALGORITHM = "SHA1";
+ internal const string BCRYPT_SHA256_ALGORITHM = "SHA256";
+ internal const string BCRYPT_SHA384_ALGORITHM = "SHA384";
+ internal const string BCRYPT_SHA512_ALGORITHM = "SHA512";
+ internal const string BCRYPT_AES_GMAC_ALGORITHM = "AES-GMAC";
+ internal const string BCRYPT_AES_CMAC_ALGORITHM = "AES-CMAC";
+ internal const string BCRYPT_ECDSA_P256_ALGORITHM = "ECDSA_P256";
+ internal const string BCRYPT_ECDSA_P384_ALGORITHM = "ECDSA_P384";
+ internal const string BCRYPT_ECDSA_P521_ALGORITHM = "ECDSA_P521";
+ internal const string BCRYPT_ECDH_P256_ALGORITHM = "ECDH_P256";
+ internal const string BCRYPT_ECDH_P384_ALGORITHM = "ECDH_P384";
+ internal const string BCRYPT_ECDH_P521_ALGORITHM = "ECDH_P521";
+ internal const string BCRYPT_RNG_ALGORITHM = "RNG";
+ internal const string BCRYPT_RNG_FIPS186_DSA_ALGORITHM = "FIPS186DSARNG";
+ internal const string BCRYPT_RNG_DUAL_EC_ALGORITHM = "DUALECRNG";
+ internal const string BCRYPT_SP800108_CTR_HMAC_ALGORITHM = "SP800_108_CTR_HMAC";
+ internal const string BCRYPT_SP80056A_CONCAT_ALGORITHM = "SP800_56A_CONCAT";
+ internal const string BCRYPT_PBKDF2_ALGORITHM = "PBKDF2";
+ internal const string BCRYPT_CAPI_KDF_ALGORITHM = "CAPI_KDF";
+
+ // BCryptGetProperty strings
+ internal const string BCRYPT_OBJECT_LENGTH = "ObjectLength";
+ internal const string BCRYPT_ALGORITHM_NAME = "AlgorithmName";
+ internal const string BCRYPT_PROVIDER_HANDLE = "ProviderHandle";
+ internal const string BCRYPT_CHAINING_MODE = "ChainingMode";
+ internal const string BCRYPT_BLOCK_LENGTH = "BlockLength";
+ internal const string BCRYPT_KEY_LENGTH = "KeyLength";
+ internal const string BCRYPT_KEY_OBJECT_LENGTH = "KeyObjectLength";
+ internal const string BCRYPT_KEY_STRENGTH = "KeyStrength";
+ internal const string BCRYPT_KEY_LENGTHS = "KeyLengths";
+ internal const string BCRYPT_BLOCK_SIZE_LIST = "BlockSizeList";
+ internal const string BCRYPT_EFFECTIVE_KEY_LENGTH = "EffectiveKeyLength";
+ internal const string BCRYPT_HASH_LENGTH = "HashDigestLength";
+ internal const string BCRYPT_HASH_OID_LIST = "HashOIDList";
+ internal const string BCRYPT_PADDING_SCHEMES = "PaddingSchemes";
+ internal const string BCRYPT_SIGNATURE_LENGTH = "SignatureLength";
+ internal const string BCRYPT_HASH_BLOCK_LENGTH = "HashBlockLength";
+ internal const string BCRYPT_AUTH_TAG_LENGTH = "AuthTagLength";
+ internal const string BCRYPT_PRIMITIVE_TYPE = "PrimitiveType";
+ internal const string BCRYPT_IS_KEYED_HASH = "IsKeyedHash";
+ internal const string BCRYPT_IS_REUSABLE_HASH = "IsReusableHash";
+ internal const string BCRYPT_MESSAGE_BLOCK_LENGTH = "MessageBlockLength";
+
+ // Property Strings
+ internal const string BCRYPT_CHAIN_MODE_NA = "ChainingModeN/A";
+ internal const string BCRYPT_CHAIN_MODE_CBC = "ChainingModeCBC";
+ internal const string BCRYPT_CHAIN_MODE_ECB = "ChainingModeECB";
+ internal const string BCRYPT_CHAIN_MODE_CFB = "ChainingModeCFB";
+ internal const string BCRYPT_CHAIN_MODE_CCM = "ChainingModeCCM";
+ internal const string BCRYPT_CHAIN_MODE_GCM = "ChainingModeGCM";
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs
new file mode 100644
index 0000000000..1737c90f38
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs
@@ -0,0 +1,15 @@
+using System;
+
+#if !NET45
+namespace System.Security.Cryptography {
+ internal sealed class CryptographicException : Exception {
+ internal CryptographicException(string message)
+ : base(message) {
+
+ }
+
+ internal CryptographicException(int unused) {
+ }
+ }
+}
+#endif
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs
new file mode 100644
index 0000000000..75320aee41
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs
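Review bot: In CryptographicException.cs the `CryptographicException(int unused)` constructor throws the status away, so on builds without NET45 every `throw new CryptographicException(status)` in this commit yields an exception with no NTSTATUS and only the default message, which makes CNG failures hard to diagnose from logs. Passing the value through keeps that information: `internal CryptographicException(int status) : base("CNG call failed with status 0x" + status.ToString("X8")) { HResult = status; }` (assuming the `HResult` setter is available on the target profile). Declaring an internal type inside `System.Security.Cryptography` also deserves a comment saying it stands in for the framework type only where that type is missing.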
@@ -0,0 +1,77 @@
+using System;
+using System.Globalization;
+using System.Reflection;
+using Microsoft.AspNet.Security.DataProtection.Resources;
+using Microsoft.AspNet.Security.DataProtection.Util;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ public unsafe static class DataProtectionProvider {
+
+ const int MASTER_KEY_REQUIRED_LENGTH = 512 / 8;
+
+ private static readonly byte[] MASTER_SUBKEY_GENERATOR = GetMasterSubkeyGenerator();
+
+ private static byte[] GetMasterSubkeyGenerator() {
+ TypeInfo typeInfo = typeof(DataProtectionProvider).GetTypeInfo();
+
+ byte[] retVal = new byte[sizeof(Guid) * 2];
+ fixed (byte* pRetVal = retVal) {
+ Guid* guids = (Guid*)pRetVal;
+ guids[0] = typeInfo.GUID;
+#if NET45
+ guids[1] = typeInfo.Module.ModuleVersionId;
+#else
+ guids[1] = default(Guid);
+#endif
+ }
+ return retVal;
+ }
+
+ ///
+ /// Creates a new IDataProtectorFactory with a randomly-generated master key.
+ ///
+ public static IDataProtectionProvider CreateNew() {
+ byte* masterKey = stackalloc byte[MASTER_KEY_REQUIRED_LENGTH];
+ try {
+ BCryptUtil.GenRandom(masterKey, MASTER_KEY_REQUIRED_LENGTH);
+ return CreateImpl(masterKey, MASTER_KEY_REQUIRED_LENGTH);
+ }
+ finally {
+ BufferUtil.ZeroMemory(masterKey, MASTER_KEY_REQUIRED_LENGTH);
+ }
+ }
+
+ ///
+ /// Creates a new IDataProtectorFactory with the provided master key.
+ ///
+ public static IDataProtectionProvider CreateFromKey(byte[] masterKey) {
+ if (masterKey == null) {
+ throw new ArgumentNullException("masterKey");
+ }
+ if (masterKey.Length < MASTER_KEY_REQUIRED_LENGTH) {
+ string errorMessage = String.Format(CultureInfo.CurrentCulture, Res.DataProtectorFactory_MasterKeyTooShort, MASTER_KEY_REQUIRED_LENGTH);
+ throw new ArgumentOutOfRangeException("masterKey", errorMessage);
+ }
+
+ fixed (byte* pMasterKey = masterKey) {
+ return CreateImpl(pMasterKey, masterKey.Length);
+ }
+ }
+
+ private static DataProtectionProviderImpl CreateImpl(byte* masterKey, int masterKeyLengthInBytes) {
+ // We don't use the master key directly. We derive a master subkey via HMAC_{master_key}(MASTER_SUBKEY_GENERATOR).
+ byte* masterSubkey = stackalloc byte[MASTER_KEY_REQUIRED_LENGTH];
+ try {
+ using (var hashHandle = BCryptUtil.CreateHash(Algorithms.HMACSHA512AlgorithmHandle, masterKey, masterKeyLengthInBytes)) {
+ BCryptUtil.HashData(hashHandle, masterKey, masterKeyLengthInBytes, masterSubkey, MASTER_KEY_REQUIRED_LENGTH);
+ }
+ BCryptKeyHandle kdfSubkeyHandle = BCryptUtil.ImportKey(Algorithms.SP800108AlgorithmHandle, masterSubkey, MASTER_KEY_REQUIRED_LENGTH);
+ return new DataProtectionProviderImpl(kdfSubkeyHandle);
+ }
+ finally {
+ BufferUtil.ZeroMemory(masterSubkey, MASTER_KEY_REQUIRED_LENGTH);
+ }
+ }
+
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs
new file mode 100644
index 0000000000..f78cde3fc6
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs
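Review bot: `CreateImpl` in DataProtectionProvider.cs does not do what its comment says: the comment describes HMAC_{master_key}(MASTER_SUBKEY_GENERATOR), but the `BCryptUtil.HashData` call is given `masterKey` as the data as well as the key, and `MASTER_SUBKEY_GENERATOR` is never read anywhere in this hunk. The subkey is therefore HMAC(K, K), and the type and module GUIDs meant to bind it to this library contribute nothing. If the comment is the intent, pin the generator and hash it instead: `fixed (byte* pGenerator = MASTER_SUBKEY_GENERATOR) { BCryptUtil.HashData(hashHandle, pGenerator, MASTER_SUBKEY_GENERATOR.Length, masterSubkey, MASTER_KEY_REQUIRED_LENGTH); }`. This changes every derived key, so it is best settled before any protected payloads exist; the `HashData` parameter order is inferred from its call sites because BCryptUtil.cs is outside this hunk.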
@@ -0,0 +1,26 @@
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection {
+ internal unsafe sealed class DataProtectionProviderImpl : IDataProtectionProvider {
+
+ private readonly BCryptKeyHandle _kdfSubkeyHandle;
+
+ public DataProtectionProviderImpl(BCryptKeyHandle kdfSubkeyHandle) {
+ _kdfSubkeyHandle = kdfSubkeyHandle;
+ }
+
+ public IDataProtector CreateProtector(string purpose) {
+ BCryptKeyHandle newAesKeyHandle;
+ BCryptHashHandle newHmacHashHandle;
+ BCryptKeyHandle newKdfSubkeyHandle;
+
+ BCryptUtil.DeriveKeysSP800108(Algorithms.SP800108AlgorithmHandle, _kdfSubkeyHandle, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newKdfSubkeyHandle);
+ return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newKdfSubkeyHandle);
+ }
+
+ public void Dispose() {
+ _kdfSubkeyHandle.Dispose();
+ }
+
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs
new file mode 100644
index 0000000000..1aeacc31b8
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs
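Review bot: `CreateProtector` in DataProtectionProviderImpl.cs forwards `purpose` to `BCryptUtil.DeriveKeysSP800108` without checking it, and `CreateSubProtector` in DataProtectorImpl.cs does the same. The purpose string is what separates one consumer's keys from another's, so a null value should be rejected at the public boundary rather than left to whatever the helper does, which is not visible here. A guard such as `if (purpose == null) { throw new ArgumentNullException("purpose"); }` at the top of both methods matches the argument checks already used in `Protect` and `Unprotect`.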
@@ -0,0 +1,160 @@ +using System; +using System.Diagnostics; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.Resources; +using Microsoft.AspNet.Security.DataProtection.Util; + +namespace Microsoft.AspNet.Security.DataProtection { + internal unsafe sealed class DataProtectorImpl : IDataProtector { + + private const int AES_BLOCK_LENGTH_IN_BYTES = 128 / 8; + private const int MAC_LENGTH_IN_BYTES = 256 / 8; + + private readonly BCryptKeyHandle _aesKeyHandle; + private readonly BCryptHashHandle _hmacHashHandle; + private readonly BCryptKeyHandle _kdfSubkeyHandle; + + public DataProtectorImpl(BCryptKeyHandle aesKeyHandle, BCryptHashHandle hmacHashHandle, BCryptKeyHandle kdfSubkeyHandle) { + _aesKeyHandle = aesKeyHandle; + _hmacHashHandle = hmacHashHandle; + _kdfSubkeyHandle = kdfSubkeyHandle; + } + + private static int CalculateTotalProtectedDataSize(int unprotectedDataSize) { + Debug.Assert(unprotectedDataSize >= 0); + + // Calculates + int numFullBlocks = unprotectedDataSize / AES_BLOCK_LENGTH_IN_BYTES; + return checked(AES_BLOCK_LENGTH_IN_BYTES /* IV */ + (numFullBlocks + 1) * AES_BLOCK_LENGTH_IN_BYTES /* ciphertext w/ padding */ + MAC_LENGTH_IN_BYTES /* HMAC */); + } + + private static CryptographicException CreateGenericCryptographicException() { + return new CryptographicException(Res.DataProtectorImpl_BadEncryptedData); + } + + public IDataProtector CreateSubProtector(string purpose) { + BCryptKeyHandle newAesKeyHandle; + BCryptHashHandle newHmacHashHandle; + BCryptKeyHandle newKdfSubkeyHandle; + + BCryptUtil.DeriveKeysSP800108(Algorithms.SP800108AlgorithmHandle, _kdfSubkeyHandle, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newKdfSubkeyHandle); + return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newKdfSubkeyHandle); + } + + public void Dispose() { + _aesKeyHandle.Dispose(); + _hmacHashHandle.Dispose(); + _kdfSubkeyHandle.Dispose(); 
+ } + + public byte[] Protect(byte[] unprotectedData) { + if (unprotectedData == null) { + throw new ArgumentNullException("unprotectedData"); + } + + // When this method finishes, protectedData will contain { IV || ciphertext || HMAC(IV || ciphertext) } + byte[] protectedData = new byte[CalculateTotalProtectedDataSize(unprotectedData.Length)]; + + fixed (byte* pProtectedData = protectedData) { + // first, generate a random IV for CBC mode encryption + byte* pIV = pProtectedData; + BCryptUtil.GenRandom(pIV, AES_BLOCK_LENGTH_IN_BYTES); + + // then, encrypt the plaintext contents + byte* pCiphertext = &pIV[AES_BLOCK_LENGTH_IN_BYTES]; + int expectedCiphertextLength = protectedData.Length - AES_BLOCK_LENGTH_IN_BYTES - MAC_LENGTH_IN_BYTES; + fixed (byte* pPlaintext = unprotectedData) { + int actualCiphertextLength = BCryptUtil.EncryptWithPadding(_aesKeyHandle, pPlaintext, unprotectedData.Length, pIV, AES_BLOCK_LENGTH_IN_BYTES, pCiphertext, expectedCiphertextLength); + if (actualCiphertextLength != expectedCiphertextLength) { + throw new InvalidOperationException("Unexpected error while encrypting data."); + } + } + + // finally, calculate an HMAC over { IV || ciphertext } + byte* pMac = &pCiphertext[expectedCiphertextLength]; + using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) { + // Use a cloned hash handle since IDataProtector instances could be singletons, but BCryptHashHandle instances contain + // state hence aren't thread-safe. Our own perf testing shows that duplicating existing hash handles is very fast. 
+ BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_BLOCK_LENGTH_IN_BYTES + expectedCiphertextLength, pMac, MAC_LENGTH_IN_BYTES); + } + } + + return protectedData; + } + + public byte[] Unprotect(byte[] protectedData) { + if (protectedData == null) { + throw new ArgumentNullException("protectedData"); + } + + byte[] retVal = null; + try { + retVal = UnprotectImpl(protectedData); + } + catch { + // swallow all exceptions; we'll homogenize + } + + if (retVal != null) { + return retVal; + } + else { + throw CreateGenericCryptographicException(); + } + } + + private byte[] UnprotectImpl(byte[] protectedData) { + Debug.Assert(protectedData != null); + + // is the protected data even long enough to be valid? + if (protectedData.Length < AES_BLOCK_LENGTH_IN_BYTES /* IV */ + AES_BLOCK_LENGTH_IN_BYTES /* min ciphertext size = 1 block */ + MAC_LENGTH_IN_BYTES) { + return null; + } + + fixed (byte* pProtectedData = protectedData) { + // calculate pointer offsets + byte* pIV = pProtectedData; + byte* pCiphertext = &pProtectedData[AES_BLOCK_LENGTH_IN_BYTES]; + int ciphertextLength = protectedData.Length - AES_BLOCK_LENGTH_IN_BYTES /* IV */ - MAC_LENGTH_IN_BYTES /* MAC */; + byte* pSuppliedMac = &pCiphertext[ciphertextLength]; + + // first, ensure that the MAC is valid + byte* pCalculatedMac = stackalloc byte[MAC_LENGTH_IN_BYTES]; + using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) { + // see comments in Protect(byte[]) for why we duplicate the hash + BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_BLOCK_LENGTH_IN_BYTES + ciphertextLength, pCalculatedMac, MAC_LENGTH_IN_BYTES); + } + if (!BCryptUtil.BuffersAreEqualSecure(pSuppliedMac, pCalculatedMac, MAC_LENGTH_IN_BYTES)) { + return null; // MAC check failed + } + + // next, perform the actual decryption + // we don't know the actual plaintext length, but we know it must be strictly less than the ciphertext length + int plaintextBufferLength = ciphertextLength; + byte[] 
heapAllocatedPlaintext = null; + if (ciphertextLength > Constants.MAX_STACKALLOC_BYTES) { + heapAllocatedPlaintext = new byte[plaintextBufferLength]; + } + + fixed (byte* pHeapAllocatedPlaintext = heapAllocatedPlaintext) { + byte* pPlaintextBuffer = pHeapAllocatedPlaintext; + if (pPlaintextBuffer == null) { + byte* temp = stackalloc byte[plaintextBufferLength]; // will be released when frame pops + pPlaintextBuffer = temp; + } + + int actualPlaintextLength = BCryptUtil.DecryptWithPadding(_aesKeyHandle, pCiphertext, ciphertextLength, pIV, AES_BLOCK_LENGTH_IN_BYTES, pPlaintextBuffer, plaintextBufferLength); + Debug.Assert(actualPlaintextLength >= 0 && actualPlaintextLength < ciphertextLength); + + // truncate the return value to accomodate the plaintext size perfectly + byte[] retVal = new byte[actualPlaintextLength]; + fixed (byte* pRetVal = retVal) { + BufferUtil.BlockCopy(from: (IntPtr)pPlaintextBuffer, to: (IntPtr)pRetVal, byteCount: actualPlaintextLength); + } + return retVal; + } + } + } + + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs new file mode 100644 index 0000000000..520359930e --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs @@ -0,0 +1,12 @@ +using System; + +namespace Microsoft.AspNet.Security.DataProtection { + public interface IDataProtectionProvider : IDisposable { + /// + /// Given a purpose, returns a new IDataProtector that has unique cryptographic keys tied to this purpose. + /// + /// The consumer of the IDataProtector. + /// An IDataProtector. + IDataProtector CreateProtector(string purpose); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs new file mode 100644 index 0000000000..c932d4522c --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs 
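Review bot: `UnprotectImpl` in DataProtectorImpl.cs leaves the decrypted plaintext in its scratch buffer (the stack allocation or `heapAllocatedPlaintext`) after copying it into `retVal`. The rest of this commit clears sensitive temporaries with `BufferUtil.ZeroMemory` in a `finally`, and the same treatment fits here: wrap the decrypt-and-copy in `try { … } finally { BufferUtil.ZeroMemory(pPlaintextBuffer, plaintextBufferLength); }`. Separately, the `// Calculates` comment in `CalculateTotalProtectedDataSize` is unfinished; `// IV (1 block) + PKCS7-padded ciphertext (always at least one extra block) + HMAC` would state what the arithmetic encodes.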
@@ -0,0 +1,33 @@ +using System; + +namespace Microsoft.AspNet.Security.DataProtection { + /// + /// Represents an object that can perform cryptographic operations. + /// + public interface IDataProtector : IDisposable { + /// + /// Given a subpurpose, returns a new IDataProtector that has unique cryptographic keys tied both the purpose + /// that was used to create this IDataProtector instance and the purpose that is provided as a parameter + /// to this method. + /// + /// The sub-consumer of the IDataProtector. + /// An IDataProtector. + IDataProtector CreateSubProtector(string purpose); + + /// + /// Cryptographically protects some input data. + /// + /// The data to be protected. + /// An array containing cryptographically protected data. + /// To retrieve the original data, call Unprotect on the protected data. + byte[] Protect(byte[] unprotectedData); + + /// + /// Retrieves the original data that was protected by a call to Protect. + /// + /// The protected data to be decrypted. + /// The original data. + /// Throws CryptographicException if the protectedData parameter has been tampered with. + byte[] Unprotect(byte[] protectedData); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..38a4928ff0 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs 
@@ -0,0 +1,30 @@ +using System; +using System.Reflection; +using System.Resources; +using System.Runtime.InteropServices; + +// General Information about an assembly is controlled through the following +// set of attributes. Change these attribute values to modify the information +// associated with an assembly. +[assembly: AssemblyTitle("Microsoft.AspNet.Security.DataProtection")] +[assembly: AssemblyDescription("")] +[assembly: AssemblyConfiguration("")] +[assembly: AssemblyProduct("Microsoft.AspNet.Security.DataProtection")] + +// Setting ComVisible to false makes the types in this assembly not visible +// to COM components. If you need to access a type in this assembly from +// COM, set the ComVisible attribute to true on that type. +[assembly: ComVisible(false)] + +// The following GUID is for the ID of the typelib if this project is exposed to COM +[assembly: Guid("130d9afa-6535-42bf-ba70-610b677d5acf")] + +[assembly: AssemblyCompany("Microsoft Corporation")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyTrademark("")] +[assembly: AssemblyCulture("")] + +[assembly: NeutralResourcesLanguage("en-US")] + +// for OOB servicing +[assembly: AssemblyMetadata("Serviceable", "True")] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs new file mode 100644 index 0000000000..d62ce5ee40 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs 
@@ -0,0 +1,82 @@ +//------------------------------------------------------------------------------ +// +// This code was generated by a tool. +// Runtime Version:4.0.30319.34003 +// +// Changes to this file may cause incorrect behavior and will be lost if +// the code is regenerated. +// +//------------------------------------------------------------------------------ + +namespace Microsoft.AspNet.Security.DataProtection.Resources { + using System; + using System.Reflection; + + + /// + /// A strongly-typed resource class, for looking up localized strings, etc. + /// + // This class was auto-generated by the StronglyTypedResourceBuilder + // class via a tool like ResGen or Visual Studio. + // To add or remove a member, edit your .ResX file then rerun ResGen + // with the /str option, or rebuild your VS project. + [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")] + [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] + [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] + internal class Res { + + private static global::System.Resources.ResourceManager resourceMan; + + private static global::System.Globalization.CultureInfo resourceCulture; + + [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")] + internal Res() { + } + + /// + /// Returns the cached ResourceManager instance used by this class. 
+ /// + [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] + internal static global::System.Resources.ResourceManager ResourceManager { + get { + if (object.ReferenceEquals(resourceMan, null)) { + global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Microsoft.AspNet.Security.DataProtection.Res.resources", typeof(Res).GetTypeInfo().Assembly); + resourceMan = temp; + } + return resourceMan; + } + } + + /// + /// Overrides the current thread's CurrentUICulture property for all + /// resource lookups using this strongly typed resource class. + /// + [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] + internal static global::System.Globalization.CultureInfo Culture { + get { + return resourceCulture; + } + set { + resourceCulture = value; + } + } + + /// + /// Looks up a localized string similar to The master key is too short. It must be at least {0} bytes in length.. + /// + internal static string DataProtectorFactory_MasterKeyTooShort { + get { + return ResourceManager.GetString("DataProtectorFactory_MasterKeyTooShort", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The data to decrypt is invalid.. + /// + internal static string DataProtectorImpl_BadEncryptedData { + get { + return ResourceManager.GetString("DataProtectorImpl_BadEncryptedData", resourceCulture); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx new file mode 100644 index 0000000000..f28f1d7003 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx 
@@ -0,0 +1,126 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 2.0 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + The master key is too short. It must be at least {0} bytes in length. + + + The data to decrypt is invalid. + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs new file mode 100644 index 0000000000..244f118df0 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs @@ -0,0 +1,19 @@ +using System; +using System.Runtime.InteropServices; + +#if !NET45 +namespace Microsoft.Win32.SafeHandles { + internal abstract class SafeHandleZeroOrMinusOneIsInvalid : SafeHandle { + // Called by P/Invoke when returning SafeHandles + protected SafeHandleZeroOrMinusOneIsInvalid(bool ownsHandle) + : base(IntPtr.Zero, ownsHandle) { + } + + public override bool IsInvalid { + get { + return (handle == IntPtr.Zero || handle == (IntPtr)(-1)); + } + } + } +} +#endif diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs new file mode 100644 index 0000000000..34689a9917 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs 
@@ -0,0 +1,159 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Runtime.InteropServices; +using System.Security; +using System.Text; +using System.Threading.Tasks; + +namespace Microsoft.AspNet.Security.DataProtection { +#if NET45 + [SuppressUnmanagedCodeSecurity] +#endif + internal unsafe static class UnsafeNativeMethods { + + private const string BCRYPT_LIB = "bcrypt.dll"; + private const string KERNEL32_LIB = "kernel32.dll"; + + /* + * BCRYPT.DLL + */ + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375377(v=vs.85).aspx + internal static extern int BCryptCloseAlgorithmProvider( + [In] IntPtr hAlgorithm, + [In] uint dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375383(v=vs.85).aspx + internal static extern int BCryptCreateHash( + [In] BCryptAlgorithmHandle hAlgorithm, + [Out] out BCryptHashHandle phHash, + [In] IntPtr pbHashObject, + [In] uint cbHashObject, + [In] byte* pbSecret, + [In] uint cbSecret, + [In] uint dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375391(v=vs.85).aspx + internal static extern int BCryptDecrypt( + [In] BCryptKeyHandle hKey, + [In] byte* pbInput, + [In] uint cbInput, + [In] IntPtr pPaddingInfo, + [In] byte* pbIV, + [In] uint cbIV, + [In] byte* pbOutput, + [In] uint cbOutput, + [Out] out uint pcbResult, + [In] BCryptEncryptFlags dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx + internal static extern int BCryptDestroyHash( + [In] IntPtr hHash); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375404(v=vs.85).aspx 
+ internal static extern int BCryptDestroyKey( + [In] IntPtr hKey); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375413(v=vs.85).aspx + internal static extern int BCryptDuplicateHash( + [In] BCryptHashHandle hHash, + [Out] out BCryptHashHandle phNewHash, + [In] IntPtr pbHashObject, + [In] uint cbHashObject, + [In] uint dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375421(v=vs.85).aspx + internal static extern int BCryptEncrypt( + [In] BCryptKeyHandle hKey, + [In] byte* pbInput, + [In] uint cbInput, + [In] IntPtr pPaddingInfo, + [In] byte* pbIV, + [In] uint cbIV, + [In] byte* pbOutput, + [In] uint cbOutput, + [Out] out uint pcbResult, + [In] BCryptEncryptFlags dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375443(v=vs.85).aspx + internal static extern int BCryptFinishHash( + [In] BCryptHashHandle hHash, + [In] byte* pbOutput, + [In] uint cbOutput, + [In] uint dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375458(v=vs.85).aspx + internal static extern int BCryptGenRandom( + [In] IntPtr hAlgorithm, + [In] byte* pbBuffer, + [In] uint cbBuffer, + [In] BCryptGenRandomFlags dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375468(v=vs.85).aspx + internal static extern int BCryptHashData( + [In] BCryptHashHandle hHash, + [In] byte* pbInput, + [In] uint cbInput, + [In] uint dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375475(v=vs.85).aspx + internal static extern int BCryptImportKey( + [In] 
BCryptAlgorithmHandle hAlgorithm, + [In] IntPtr hImportKey, // unused + [In, MarshalAs(UnmanagedType.LPWStr)] string pszBlobType, + [Out] out BCryptKeyHandle phKey, + [In] IntPtr pbKeyObject, // unused + [In] uint cbKeyObject, + [In] byte* pbInput, + [In] uint cbInput, + [In] uint dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/hh448506(v=vs.85).aspx + internal static extern int BCryptKeyDerivation( + [In] BCryptKeyHandle hKey, + [In] BCryptBufferDesc* pParameterList, + [In] byte* pbDerivedKey, + [In] uint cbDerivedKey, + [Out] out uint pcbResult, + [In] uint dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375479(v=vs.85).aspx + internal static extern int BCryptOpenAlgorithmProvider( + [Out] out BCryptAlgorithmHandle phAlgorithm, + [In, MarshalAs(UnmanagedType.LPWStr)] string pszAlgId, + [In, MarshalAs(UnmanagedType.LPWStr)] string pszImplementation, + [In] BCryptAlgorithmFlags dwFlags); + + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375504(v=vs.85).aspx + internal static extern int BCryptSetProperty( + [In] SafeHandle hObject, + [In, MarshalAs(UnmanagedType.LPWStr)] string pszProperty, + [In] IntPtr pbInput, + [In] uint cbInput, + [In] uint dwFlags); + + /* + * KERNEL32.DLL + */ + + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi)] + internal static extern void RtlZeroMemory( + [In] IntPtr Destination, + [In] UIntPtr /* SIZE_T */ Length); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs new file mode 100644 index 0000000000..36a781aa17 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs 
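Review bot: The `[DllImport]` declarations in UnsafeNativeMethods.cs name `bcrypt.dll` and `kernel32.dll` without restricting where the loader looks for them. For a library whose whole job is key handling, resolving the crypto provider from System32 only is the safer default; on net45 that is one assembly-level line, `[assembly: DefaultDllImportSearchPaths(DllImportSearchPath.System32)]`, and whether the k10 target exposes the attribute would need checking. The `using` directives for `System.Collections.Generic`, `System.Linq`, `System.Text` and `System.Threading.Tasks` are unused in this file and can be removed.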
@@ -0,0 +1,66 @@
+using System;
+using System.Runtime.CompilerServices;
+
+namespace Microsoft.AspNet.Security.DataProtection.Util {
+ internal unsafe static class BufferUtil {
+ private static readonly byte[] _emptyArray = new byte[0];
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void BlockCopy(IntPtr from, IntPtr to, int byteCount) {
+ BlockCopy(from, to, checked((uint)byteCount)); // will be checked before invoking the delegate
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void BlockCopy(IntPtr from, IntPtr to, uint byteCount) {
+ BlockCopySlow((byte*)from, (byte*)to, byteCount);
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ private static void BlockCopySlow(byte* from, byte* to, uint byteCount) {
+ // slow, but works
+ while (byteCount-- != 0) {
+ *(to++) = *(from++);
+ }
+ }
+
+ ///
+ /// Creates a new managed byte[] from unmanaged memory.
+ ///
+ public static byte[] ToManagedByteArray(byte* ptr, int byteCount) {
+ return ToManagedByteArray(ptr, checked((uint)byteCount));
+ }
+
+ ///
+ /// Creates a new managed byte[] from unmanaged memory.
+ ///
+ public static byte[] ToManagedByteArray(byte* ptr, uint byteCount) {
+ if (byteCount == 0) {
+ return _emptyArray; // degenerate case
+ }
+ else {
+ byte[] bytes = new byte[byteCount];
+ fixed (byte* pBytes = bytes) {
+ BlockCopy(from: (IntPtr)ptr, to: (IntPtr)pBytes, byteCount: byteCount);
+ }
+ return bytes;
+ }
+ }
+
+ ///
+ /// Clears a memory buffer.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void ZeroMemory(byte* buffer, int byteCount) {
+ ZeroMemory(buffer, checked((uint)byteCount));
+ }
+
+ ///
+ /// Clears a memory buffer.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void ZeroMemory(byte* buffer, uint byteCount) {
+ UnsafeNativeMethods.RtlZeroMemory((IntPtr)buffer, (UIntPtr)byteCount); // don't require 'checked': uint -> UIntPtr always guaranteed to succeed
+ }
+
+ }
+}
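Review bot: The comment on the `int` overload of `BlockCopy` in BufferUtil.cs (`// will be checked before invoking the delegate`) refers to a delegate that does not exist in this file; the call goes straight to `BlockCopySlow`. Suggest `// checked: a negative byteCount must throw rather than wrap to a huge uint` so the reason for the `checked` cast is stated. None of the pointer-taking helpers validate `from`, `to`, `ptr` or `buffer`, so a short remark on the class that callers own the null and bounds checks would help the next reader of this unsafe code.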
diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json new file mode 100644 index 0000000000..ea163de588 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -0,0 +1,10 @@ +{ + "version": "0.1-alpha-*", + "configurations": { + "net45" : {}, + "k10" : {} + }, + "compilationOptions": { + "allowUnsafe": true + } +} \ No newline at end of file From baf338cc8330366425a7c5b2f04037214d49dcb1 Mon Sep 17 00:00:00 2001 From: Louis DeJardin Date: Tue, 28 Jan 2014 17:48:49 -0800 Subject: [PATCH 003/493] Apply code formatting --- DataProtection.sln | 34 ++++ DataProtection.sln.DotSettings | 2 + .../Algorithms.cs | 44 +++-- .../BCRYPT_KEY_DATA_BLOB_HEADER.cs | 11 +- .../BCryptAlgorithmFlags.cs | 8 +- .../BCryptAlgorithmHandle.cs | 14 +- .../BCryptBuffer.cs | 8 +- .../BCryptBufferDesc.cs | 11 +- .../BCryptEncryptFlags.cs | 8 +- .../BCryptGenRandomFlags.cs | 8 +- .../BCryptHashHandle.cs | 14 +- .../BCryptKeyDerivationBufferType.cs | 8 +- .../BCryptKeyHandle.cs | 14 +- .../BCryptUtil.cs | 161 +++++++++++------- .../Constants.cs | 8 +- .../CryptographicException.cs | 2 +- .../DataProtectionProvider.cs | 57 ++++--- .../DataProtectionProviderImpl.cs | 19 ++- .../DataProtectorImpl.cs | 100 +++++++---- .../IDataProtectionProvider.cs | 8 +- .../IDataProtector.cs | 8 +- .../Properties/AssemblyInfo.cs | 8 +- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 2 +- .../UnsafeNativeMethods.cs | 9 +- .../Util/BufferUtil.cs | 54 +++--- 25 files changed, 395 insertions(+), 225 deletions(-) create mode 100644 DataProtection.sln create mode 100644 DataProtection.sln.DotSettings diff --git a/DataProtection.sln b/DataProtection.sln new file mode 100644 index 0000000000..e33ff9ff38 --- /dev/null +++ b/DataProtection.sln 
@@ -0,0 +1,34 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2013 +VisualStudioVersion = 12.0.21005.1 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNet.Security.DataProtection.net45", "src\Microsoft.AspNet.Security.DataProtection\Microsoft.AspNet.Security.DataProtection.net45.csproj", "{106E3A4A-BD7A-40DC-90D3-2E0683D1E525}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNet.Security.DataProtection.k10", "src\Microsoft.AspNet.Security.DataProtection\Microsoft.AspNet.Security.DataProtection.k10.csproj", "{E646E4FE-167B-42EB-831B-BBC2AB07C3AC}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Release|Any CPU = Release|Any CPU + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Debug|Any CPU.Build.0 = Debug|Any CPU + {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Release|Any CPU.ActiveCfg = Release|Any CPU + {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Release|Any CPU.Build.0 = Release|Any CPU + {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Release|Any CPU.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(NestedProjects) = preSolution + {E646E4FE-167B-42EB-831B-BBC2AB07C3AC} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {106E3A4A-BD7A-40DC-90D3-2E0683D1E525} = 
{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + EndGlobalSection +EndGlobal diff --git a/DataProtection.sln.DotSettings b/DataProtection.sln.DotSettings new file mode 100644 index 0000000000..c843b27a2b --- /dev/null +++ b/DataProtection.sln.DotSettings @@ -0,0 +1,2 @@ + + False \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs index 850a7415f7..58985150bb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs 
@@ -1,65 +1,75 @@ using System; using System.Security.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection { - - internal unsafe static class Algorithms { - +namespace Microsoft.AspNet.Security.DataProtection +{ + internal static unsafe class Algorithms + { public static readonly BCryptAlgorithmHandle AESAlgorithmHandle = CreateAESAlgorithmHandle(); public static readonly BCryptAlgorithmHandle HMACSHA256AlgorithmHandle = CreateHMACSHA256AlgorithmHandle(); public static readonly BCryptAlgorithmHandle HMACSHA512AlgorithmHandle = CreateHMACSHA512AlgorithmHandle(); public static readonly BCryptAlgorithmHandle SP800108AlgorithmHandle = CreateSP800108AlgorithmHandle(); - private static BCryptAlgorithmHandle CreateAESAlgorithmHandle() { + private static BCryptAlgorithmHandle CreateAESAlgorithmHandle() + { // create the AES instance BCryptAlgorithmHandle algHandle; int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_AES_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0); - if (status != 0 || algHandle == null || algHandle.IsInvalid) { + if (status != 0 || algHandle == null || algHandle.IsInvalid) + { throw new CryptographicException(status); } // change it to use CBC chaining; it already uses PKCS7 padding by default - fixed (char* pCbcMode = Constants.BCRYPT_CHAIN_MODE_CBC) { - status = UnsafeNativeMethods.BCryptSetProperty(algHandle, Constants.BCRYPT_CHAINING_MODE, (IntPtr)pCbcMode, (uint)((Constants.BCRYPT_CHAIN_MODE_CBC.Length + 1 /* trailing null */) * sizeof(char)), dwFlags: 0); + fixed (char* pCbcMode = Constants.BCRYPT_CHAIN_MODE_CBC) + { + status = UnsafeNativeMethods.BCryptSetProperty(algHandle, Constants.BCRYPT_CHAINING_MODE, (IntPtr) pCbcMode, (uint) ((Constants.BCRYPT_CHAIN_MODE_CBC.Length + 1 /* trailing null */)*sizeof (char)), dwFlags: 0); } - if (status != 0) { + if (status != 0) + { throw new CryptographicException(status); } return algHandle; } - private static BCryptAlgorithmHandle 
CreateHMACSHA256AlgorithmHandle() { + + private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() + { // create the HMACSHA-256 instance BCryptAlgorithmHandle algHandle; int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA256_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); - if (status != 0 || algHandle == null || algHandle.IsInvalid) { + if (status != 0 || algHandle == null || algHandle.IsInvalid) + { throw new CryptographicException(status); } return algHandle; } - private static BCryptAlgorithmHandle CreateHMACSHA512AlgorithmHandle() { + private static BCryptAlgorithmHandle CreateHMACSHA512AlgorithmHandle() + { // create the HMACSHA-512 instance BCryptAlgorithmHandle algHandle; int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA512_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); - if (status != 0 || algHandle == null || algHandle.IsInvalid) { + if (status != 0 || algHandle == null || algHandle.IsInvalid) + { throw new CryptographicException(status); } return algHandle; } - private static BCryptAlgorithmHandle CreateSP800108AlgorithmHandle() { + private static BCryptAlgorithmHandle CreateSP800108AlgorithmHandle() + { // create the SP800-108 instance BCryptAlgorithmHandle algHandle; int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SP800108_CTR_HMAC_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0); - if (status != 0 || algHandle == null || algHandle.IsInvalid) { + if (status != 0 || algHandle == null || algHandle.IsInvalid) + { throw new CryptographicException(status); } return algHandle; } - } -} +} \ No newline at end of file 
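Review bot: In CreateAESAlgorithmHandle the throw that follows a failed BCryptSetProperty leaves `algHandle` open, so the provider handle is released only when the SafeHandle finalizer runs. Disposing it on that path makes the cleanup deterministic: `if (status != 0) { algHandle.Dispose(); throw new CryptographicException(status); }`. The four Create*AlgorithmHandle methods also repeat the same open-and-check sequence, so a private helper taking the algorithm name and flags would leave one place to audit the status handling.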
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs index 25fbecc1d2..3bc50731df 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs @@ -2,10 +2,12 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375524(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] - internal struct BCRYPT_KEY_DATA_BLOB_HEADER { + internal struct BCRYPT_KEY_DATA_BLOB_HEADER + { // from bcrypt.h private const uint BCRYPT_KEY_DATA_BLOB_MAGIC = 0x4d42444b; //Key Data Blob Magic (KDBM) private const uint BCRYPT_KEY_DATA_BLOB_VERSION1 = 0x1; @@ -15,9 +17,10 @@ namespace Microsoft.AspNet.Security.DataProtection { public uint cbKeyData; [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void Initialize(ref BCRYPT_KEY_DATA_BLOB_HEADER pHeader) { + public static void Initialize(ref BCRYPT_KEY_DATA_BLOB_HEADER pHeader) + { pHeader.dwMagic = BCRYPT_KEY_DATA_BLOB_MAGIC; pHeader.dwVersion = BCRYPT_KEY_DATA_BLOB_VERSION1; } } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs index aa091e9c25..25bbe91cfa 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs 
@@ -1,11 +1,13 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // from bcrypt.h [Flags] - internal enum BCryptAlgorithmFlags { + internal enum BCryptAlgorithmFlags + { BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008, BCRYPT_CAPI_AES_FLAG = 0x00000010, BCRYPT_HASH_REUSABLE_FLAG = 0x00000020, } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs index 6346215a9a..f5a54fa9f8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs @@ -1,16 +1,20 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection { - internal sealed class BCryptAlgorithmHandle : SafeHandleZeroOrMinusOneIsInvalid { +namespace Microsoft.AspNet.Security.DataProtection +{ + internal sealed class BCryptAlgorithmHandle : SafeHandleZeroOrMinusOneIsInvalid + { // Called by P/Invoke when returning SafeHandles private BCryptAlgorithmHandle() - : base(ownsHandle: true) { + : base(ownsHandle: true) + { } // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. - protected override bool ReleaseHandle() { + protected override bool ReleaseHandle() + { return (UnsafeNativeMethods.BCryptCloseAlgorithmProvider(handle, dwFlags: 0) == 0); } } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs index 3ffbc5156f..0a73118bbb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs 
@@ -2,12 +2,14 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] - internal struct BCryptBuffer { + internal struct BCryptBuffer + { public uint cbBuffer; // Length of buffer, in bytes public BCryptKeyDerivationBufferType BufferType; // Buffer type public IntPtr pvBuffer; // Pointer to buffer } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs index 0e5336f496..32eed76657 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs @@ -2,10 +2,12 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375370(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] - internal unsafe struct BCryptBufferDesc { + internal unsafe struct BCryptBufferDesc + { private const int BCRYPTBUFFER_VERSION = 0; public uint ulVersion; // Version number @@ -13,8 +15,9 @@ namespace Microsoft.AspNet.Security.DataProtection { public BCryptBuffer* pBuffers; // Pointer to array of buffers [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void Initialize(ref BCryptBufferDesc bufferDesc) { + public static void Initialize(ref BCryptBufferDesc bufferDesc) + { bufferDesc.ulVersion = BCRYPTBUFFER_VERSION; } } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs index 55a2af8300..dfc3d86d71 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs @@ -1,9 +1,11 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // from bcrypt.h [Flags] - internal enum BCryptEncryptFlags { + internal enum BCryptEncryptFlags + { BCRYPT_BLOCK_PADDING = 0x00000001, } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs index 250d7e0ee6..8fdce726b2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs @@ -1,10 +1,12 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // from bcrypt.h [Flags] - internal enum BCryptGenRandomFlags { + internal enum BCryptGenRandomFlags + { BCRYPT_RNG_USE_ENTROPY_IN_BUFFER = 0x00000001, BCRYPT_USE_SYSTEM_PREFERRED_RNG = 0x00000002, } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs index 317a5f4bf1..ab59352f9d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs 
@@ -1,16 +1,20 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection { - internal sealed class BCryptHashHandle : SafeHandleZeroOrMinusOneIsInvalid { +namespace Microsoft.AspNet.Security.DataProtection +{ + internal sealed class BCryptHashHandle : SafeHandleZeroOrMinusOneIsInvalid + { // Called by P/Invoke when returning SafeHandles private BCryptHashHandle() - : base(ownsHandle: true) { + : base(ownsHandle: true) + { } // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. - protected override bool ReleaseHandle() { + protected override bool ReleaseHandle() + { return (UnsafeNativeMethods.BCryptDestroyHash(handle) == 0); } } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs index 0fb2e84347..143c811529 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs @@ -1,8 +1,10 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // from bcrypt.h - internal enum BCryptKeyDerivationBufferType { + internal enum BCryptKeyDerivationBufferType + { KDF_HASH_ALGORITHM = 0x0, KDF_SECRET_PREPEND = 0x1, KDF_SECRET_APPEND = 0x2, @@ -21,4 +23,4 @@ namespace Microsoft.AspNet.Security.DataProtection { KDF_SALT = 0xF, KDF_ITERATION_COUNT = 0x10, } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs index cd6e48fc88..16ab238e5a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs 
@@ -1,16 +1,20 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection { - internal sealed class BCryptKeyHandle : SafeHandleZeroOrMinusOneIsInvalid { +namespace Microsoft.AspNet.Security.DataProtection +{ + internal sealed class BCryptKeyHandle : SafeHandleZeroOrMinusOneIsInvalid + { // Called by P/Invoke when returning SafeHandles private BCryptKeyHandle() - : base(ownsHandle: true) { + : base(ownsHandle: true) + { } // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. - protected override bool ReleaseHandle() { + protected override bool ReleaseHandle() + { return (UnsafeNativeMethods.BCryptDestroyKey(handle) == 0); } } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs index 4ba8237436..3c28aaceec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs 
@@ -3,36 +3,43 @@ using System.Runtime.CompilerServices; using System.Security.Cryptography; using Microsoft.AspNet.Security.DataProtection.Util; -namespace Microsoft.AspNet.Security.DataProtection { - internal unsafe static class BCryptUtil { - +namespace Microsoft.AspNet.Security.DataProtection +{ + internal static unsafe class BCryptUtil + { // constant-time buffer comparison [MethodImpl(MethodImplOptions.NoOptimization)] - public static bool BuffersAreEqualSecure(byte* p1, byte* p2, uint count) { + public static bool BuffersAreEqualSecure(byte* p1, byte* p2, uint count) + { bool retVal = true; - while (count-- > 0) { + while (count-- > 0) + { retVal &= (*(p1++) == *(p2++)); } return retVal; } [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void CheckOverflowUnderflow(int input) { - var unused = checked((uint)input); + private static void CheckOverflowUnderflow(int input) + { + var unused = checked((uint) input); } [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void CheckOverflowUnderflow(uint input) { - var unused = checked((int)input); + private static void CheckOverflowUnderflow(uint input) + { + var unused = checked((int) input); } // helper function to wrap BCryptCreateHash - public static BCryptHashHandle CreateHash(BCryptAlgorithmHandle algorithmHandle, byte* key, int keyLengthInBytes) { + public static BCryptHashHandle CreateHash(BCryptAlgorithmHandle algorithmHandle, byte* key, int keyLengthInBytes) + { CheckOverflowUnderflow(keyLengthInBytes); BCryptHashHandle retVal; - int status = UnsafeNativeMethods.BCryptCreateHash(algorithmHandle, out retVal, IntPtr.Zero, 0, key, (uint)keyLengthInBytes, dwFlags: 0); - if (status != 0 || retVal == null || retVal.IsInvalid) { + int status = UnsafeNativeMethods.BCryptCreateHash(algorithmHandle, out retVal, IntPtr.Zero, 0, key, (uint) keyLengthInBytes, dwFlags: 0); + if (status != 0 || retVal == null || retVal.IsInvalid) + { throw new CryptographicException(status); } 
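Review bot: BuffersAreEqualSecure folds a per-byte `==` into a bool, and whether that comparison compiles without a data-dependent branch is left to the JIT; NoOptimization does not guarantee it. Accumulating the differences in an integer removes that dependency: `uint acc = 0; while (count-- > 0) { acc |= (uint)(*(p1++) ^ *(p2++)); } return acc == 0;`. A short comment stating that the running time must depend only on `count` would also tell later maintainers why the loop has no early exit.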
@@ -41,32 +48,36 @@ namespace Microsoft.AspNet.Security.DataProtection { // helper function to wrap BCryptEncrypt; returns number of bytes written to 'output' // assumes the output buffer is large enough to hold the ciphertext + any necessary padding - public static int DecryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) { + public static int DecryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) + { CheckOverflowUnderflow(inputLength); CheckOverflowUnderflow(ivLength); CheckOverflowUnderflow(outputLength); // BCryptEncrypt destroys the 'iv' parameter, so we need to pass a duplicate instead of the original - if (ivLength > Constants.MAX_STACKALLOC_BYTES) { + if (ivLength > Constants.MAX_STACKALLOC_BYTES) + { throw new InvalidOperationException(); } byte* pDuplicatedIV = stackalloc byte[ivLength]; - BufferUtil.BlockCopy(from: (IntPtr)iv, to: (IntPtr)pDuplicatedIV, byteCount: ivLength); + BufferUtil.BlockCopy(from: (IntPtr) iv, to: (IntPtr) pDuplicatedIV, byteCount: ivLength); uint retVal; - int status = UnsafeNativeMethods.BCryptDecrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); - if (status != 0) { + int status = UnsafeNativeMethods.BCryptDecrypt(keyHandle, input, (uint) inputLength, IntPtr.Zero, pDuplicatedIV, (uint) ivLength, output, (uint) outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + if (status != 0) + { throw new CryptographicException(status); } - return checked((int)retVal); + return checked((int) retVal); } // helper function to wrap BCryptKeyDerivation using SP800-108-CTR-HMAC-SHA512 - public static void DeriveKeysSP800108(BCryptAlgorithmHandle kdfAlgorithmHandle, BCryptKeyHandle keyHandle, string purpose, BCryptAlgorithmHandle encryptionAlgorithmHandle, out 
BCryptKeyHandle encryptionKeyHandle, BCryptAlgorithmHandle hashAlgorithmHandle, out BCryptHashHandle hmacHandle, out BCryptKeyHandle kdfKeyHandle) { - const int ENCRYPTION_KEY_SIZE_IN_BYTES = 256 / 8; - const int HMAC_KEY_SIZE_IN_BYTES = 256 / 8; - const int KDF_SUBKEY_SIZE_IN_BYTES = 512 / 8; + public static void DeriveKeysSP800108(BCryptAlgorithmHandle kdfAlgorithmHandle, BCryptKeyHandle keyHandle, string purpose, BCryptAlgorithmHandle encryptionAlgorithmHandle, out BCryptKeyHandle encryptionKeyHandle, BCryptAlgorithmHandle hashAlgorithmHandle, out BCryptHashHandle hmacHandle, out BCryptKeyHandle kdfKeyHandle) + { + const int ENCRYPTION_KEY_SIZE_IN_BYTES = 256/8; + const int HMAC_KEY_SIZE_IN_BYTES = 256/8; + const int KDF_SUBKEY_SIZE_IN_BYTES = 512/8; const int TOTAL_NUM_BYTES_TO_DERIVE = ENCRYPTION_KEY_SIZE_IN_BYTES + HMAC_KEY_SIZE_IN_BYTES + KDF_SUBKEY_SIZE_IN_BYTES; // keep our buffers on the stack while we're generating key material 
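Review bot: The comment above DecryptWithPadding was copied from the encrypt helper: it says the function wraps BCryptEncrypt and that the output buffer must hold the ciphertext plus padding, while the body calls BCryptDecrypt. I would change it to `// helper function to wrap BCryptDecrypt; returns number of bytes written to 'output'` and `// assumes the output buffer is large enough to hold the decrypted plaintext`. Because the call uses BCRYPT_BLOCK_PADDING, the comment is also the place to state that callers must verify the MAC before decrypting, so that a padding failure is never reported for unauthenticated input; the callers are outside this hunk, so that ordering is to be confirmed. The `throw new InvalidOperationException()` for an oversized IV carries no message and could name the limit.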
@@ -75,21 +86,25 @@ namespace Microsoft.AspNet.Security.DataProtection { byte* pNewHmacKey = &pNewEncryptionKey[ENCRYPTION_KEY_SIZE_IN_BYTES]; byte* pNewKdfSubkey = &pNewHmacKey[HMAC_KEY_SIZE_IN_BYTES]; - try { - fixed (char* pszPrfAlgorithmName = Constants.BCRYPT_SHA512_ALGORITHM) { + try + { + fixed (char* pszPrfAlgorithmName = Constants.BCRYPT_SHA512_ALGORITHM) + { // Create a buffer to hold the hash algorithm name, currently hardcoded to HMACSHA512 uint numBuffers = 1; BCryptBuffer* pBCryptBuffers = stackalloc BCryptBuffer[2]; pBCryptBuffers[0].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; - pBCryptBuffers[0].pvBuffer = (IntPtr)pszPrfAlgorithmName; - pBCryptBuffers[0].cbBuffer = (uint)((Constants.BCRYPT_SHA512_ALGORITHM.Length + 1) * sizeof(char)); // per http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx, need to include terminating null - fixed (char* pszPurpose = (String.IsNullOrEmpty(purpose) ? (string)null : purpose)) { + pBCryptBuffers[0].pvBuffer = (IntPtr) pszPrfAlgorithmName; + pBCryptBuffers[0].cbBuffer = (uint) ((Constants.BCRYPT_SHA512_ALGORITHM.Length + 1)*sizeof (char)); // per http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx, need to include terminating null + fixed (char* pszPurpose = (String.IsNullOrEmpty(purpose) ? (string) null : purpose)) + { // Create a buffer to hold the purpose string if it is specified (we'll treat it as UTF-16LE) - if (pszPurpose != null) { + if (pszPurpose != null) + { numBuffers = 2; pBCryptBuffers[1].BufferType = BCryptKeyDerivationBufferType.KDF_LABEL; - pBCryptBuffers[1].pvBuffer = (IntPtr)pszPurpose; - pBCryptBuffers[1].cbBuffer = checked((uint)(purpose.Length * sizeof(char))); + pBCryptBuffers[1].pvBuffer = (IntPtr) pszPurpose; + pBCryptBuffers[1].cbBuffer = checked((uint) (purpose.Length*sizeof (char))); } // .. and the header .. 
@@ -100,7 +115,8 @@ namespace Microsoft.AspNet.Security.DataProtection { uint numBytesDerived; int status = UnsafeNativeMethods.BCryptKeyDerivation(keyHandle, &bufferDesc, pBuffer, TOTAL_NUM_BYTES_TO_DERIVE, out numBytesDerived, dwFlags: 0); - if (status != 0 || numBytesDerived != TOTAL_NUM_BYTES_TO_DERIVE) { + if (status != 0 || numBytesDerived != TOTAL_NUM_BYTES_TO_DERIVE) + { throw new CryptographicException(status); } } @@ -111,16 +127,19 @@ namespace Microsoft.AspNet.Security.DataProtection { hmacHandle = CreateHash(hashAlgorithmHandle, pNewHmacKey, HMAC_KEY_SIZE_IN_BYTES); kdfKeyHandle = ImportKey(kdfAlgorithmHandle, pNewKdfSubkey, KDF_SUBKEY_SIZE_IN_BYTES); } - finally { + finally + { BufferUtil.ZeroMemory(pBuffer, TOTAL_NUM_BYTES_TO_DERIVE); } } // helper function to wrap BCryptDuplicateHash - public static BCryptHashHandle DuplicateHash(BCryptHashHandle hashHandle) { + public static BCryptHashHandle DuplicateHash(BCryptHashHandle hashHandle) + { BCryptHashHandle retVal; int status = UnsafeNativeMethods.BCryptDuplicateHash(hashHandle, out retVal, IntPtr.Zero, 0, dwFlags: 0); - if (status != 0 || retVal == null || retVal.IsInvalid) { + if (status != 0 || retVal == null || retVal.IsInvalid) + { throw new CryptographicException(status); } 
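Review bot: The check `status != 0 || numBytesDerived != TOTAL_NUM_BYTES_TO_DERIVE` throws `CryptographicException(status)` for both conditions, so a short derivation that returns a success status surfaces as an exception carrying code 0. Splitting the two cases makes the failure diagnosable: keep `throw new CryptographicException(status);` for a non-zero status and use a distinct exception for the wrong byte count, for example `throw new InvalidOperationException();`. The enclosing DeriveKeysSP800108 starts and ends outside this hunk.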
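Review bot: At the end of DeriveKeysSP800108, a failure in the final `ImportKey` call leaves the already-created `hmacHandle` undisposed; the caller never receives the out values when an exception propagates, so the keyed hash object stays alive until finalization. Wrapping the last assignment releases it promptly: `try { kdfKeyHandle = ImportKey(kdfAlgorithmHandle, pNewKdfSubkey, KDF_SUBKEY_SIZE_IN_BYTES); } catch { hmacHandle.Dispose(); throw; }`. The encryption key handle is presumably assigned just above this hunk and would need the same treatment; that line is not visible here.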
@@ -129,93 +148,107 @@ namespace Microsoft.AspNet.Security.DataProtection { // helper function to wrap BCryptEncrypt; returns number of bytes written to 'output' // assumes the output buffer is large enough to hold the ciphertext + any necessary padding - public static int EncryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) { + public static int EncryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) + { CheckOverflowUnderflow(inputLength); CheckOverflowUnderflow(ivLength); CheckOverflowUnderflow(outputLength); // BCryptEncrypt destroys the 'iv' parameter, so we need to pass a duplicate instead of the original - if (ivLength > Constants.MAX_STACKALLOC_BYTES) { + if (ivLength > Constants.MAX_STACKALLOC_BYTES) + { throw new InvalidOperationException(); } byte* pDuplicatedIV = stackalloc byte[ivLength]; - BufferUtil.BlockCopy(from: (IntPtr)iv, to: (IntPtr)pDuplicatedIV, byteCount: ivLength); + BufferUtil.BlockCopy(from: (IntPtr) iv, to: (IntPtr) pDuplicatedIV, byteCount: ivLength); uint retVal; - int status = UnsafeNativeMethods.BCryptEncrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); - if (status != 0) { + int status = UnsafeNativeMethods.BCryptEncrypt(keyHandle, input, (uint) inputLength, IntPtr.Zero, pDuplicatedIV, (uint) ivLength, output, (uint) outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + if (status != 0) + { throw new CryptographicException(status); } - return checked((int)retVal); + return checked((int) retVal); } // helper function that's similar to RNGCryptoServiceProvider, but works directly with pointers - public static void GenRandom(byte* buffer, int bufferBytes) { + public static void GenRandom(byte* buffer, int bufferBytes) + { 
CheckOverflowUnderflow(bufferBytes); - int status = UnsafeNativeMethods.BCryptGenRandom(IntPtr.Zero, buffer, (uint)bufferBytes, BCryptGenRandomFlags.BCRYPT_USE_SYSTEM_PREFERRED_RNG); - if (status != 0) { + int status = UnsafeNativeMethods.BCryptGenRandom(IntPtr.Zero, buffer, (uint) bufferBytes, BCryptGenRandomFlags.BCRYPT_USE_SYSTEM_PREFERRED_RNG); + if (status != 0) + { throw new CryptographicException(status); } } // helper function that wraps BCryptHashData / BCryptFinishHash - public static void HashData(BCryptHashHandle hashHandle, byte* input, int inputBytes, byte* output, int outputBytes) { + public static void HashData(BCryptHashHandle hashHandle, byte* input, int inputBytes, byte* output, int outputBytes) + { CheckOverflowUnderflow(inputBytes); CheckOverflowUnderflow(outputBytes); - int status = UnsafeNativeMethods.BCryptHashData(hashHandle, input, (uint)inputBytes, dwFlags: 0); - if (status != 0) { + int status = UnsafeNativeMethods.BCryptHashData(hashHandle, input, (uint) inputBytes, dwFlags: 0); + if (status != 0) + { throw new CryptographicException(status); } - status = UnsafeNativeMethods.BCryptFinishHash(hashHandle, output, (uint)outputBytes, dwFlags: 0); - if (status != 0) { + status = UnsafeNativeMethods.BCryptFinishHash(hashHandle, output, (uint) outputBytes, dwFlags: 0); + if (status != 0) + { throw new CryptographicException(status); } } // helper function that wraps BCryptImportKey with a key data blob - public static BCryptKeyHandle ImportKey(BCryptAlgorithmHandle algHandle, byte* key, int keyBytes) { + public static BCryptKeyHandle ImportKey(BCryptAlgorithmHandle algHandle, byte* key, int keyBytes) + { CheckOverflowUnderflow(keyBytes); byte[] heapAllocatedKeyDataBlob = null; - int numBytesRequiredForKeyDataBlob = checked(keyBytes + sizeof(BCRYPT_KEY_DATA_BLOB_HEADER)); - if (numBytesRequiredForKeyDataBlob > Constants.MAX_STACKALLOC_BYTES) { + int numBytesRequiredForKeyDataBlob = checked(keyBytes + sizeof (BCRYPT_KEY_DATA_BLOB_HEADER)); + if 
(numBytesRequiredForKeyDataBlob > Constants.MAX_STACKALLOC_BYTES) + { heapAllocatedKeyDataBlob = new byte[numBytesRequiredForKeyDataBlob]; // allocate on heap if we cannot allocate on stack } int status; BCryptKeyHandle retVal; - fixed (byte* pHeapAllocatedKeyDataBlob = heapAllocatedKeyDataBlob) { + fixed (byte* pHeapAllocatedKeyDataBlob = heapAllocatedKeyDataBlob) + { // The header is first - BCRYPT_KEY_DATA_BLOB_HEADER* pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)pHeapAllocatedKeyDataBlob; - if (pKeyDataBlobHeader == null) { + BCRYPT_KEY_DATA_BLOB_HEADER* pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*) pHeapAllocatedKeyDataBlob; + if (pKeyDataBlobHeader == null) + { byte* temp = stackalloc byte[numBytesRequiredForKeyDataBlob]; // won't be released until frame pops - pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)temp; + pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*) temp; } BCRYPT_KEY_DATA_BLOB_HEADER.Initialize(ref *pKeyDataBlobHeader); - pKeyDataBlobHeader->cbKeyData = (uint)keyBytes; + pKeyDataBlobHeader->cbKeyData = (uint) keyBytes; // the raw material immediately follows the header - byte* pKeyDataRawMaterial = (byte*)(&pKeyDataBlobHeader[1]); + byte* pKeyDataRawMaterial = (byte*) (&pKeyDataBlobHeader[1]); - try { - BufferUtil.BlockCopy(from: (IntPtr)key, to: (IntPtr)pKeyDataRawMaterial, byteCount: keyBytes); - status = UnsafeNativeMethods.BCryptImportKey(algHandle, IntPtr.Zero, Constants.BCRYPT_KEY_DATA_BLOB, out retVal, IntPtr.Zero, 0, (byte*)pKeyDataBlobHeader, (uint)numBytesRequiredForKeyDataBlob, dwFlags: 0); + try + { + BufferUtil.BlockCopy(from: (IntPtr) key, to: (IntPtr) pKeyDataRawMaterial, byteCount: keyBytes); + status = UnsafeNativeMethods.BCryptImportKey(algHandle, IntPtr.Zero, Constants.BCRYPT_KEY_DATA_BLOB, out retVal, IntPtr.Zero, 0, (byte*) pKeyDataBlobHeader, (uint) numBytesRequiredForKeyDataBlob, dwFlags: 0); } - finally { + finally + { // zero out the key we just copied BufferUtil.ZeroMemory(pKeyDataRawMaterial, 
keyBytes); } } - if (status != 0 || retVal == null || retVal.IsInvalid) { + if (status != 0 || retVal == null || retVal.IsInvalid) + { throw new CryptographicException(status); } return retVal; } - } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs index c6ca8cbb7c..059590c7e5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs @@ -1,8 +1,10 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ // from bcrypt.h - internal static class Constants { + internal static class Constants + { internal const int MAX_STACKALLOC_BYTES = 256; // greatest number of bytes that we'll ever allow to stackalloc in a single frame // BCrypt(Import/Export)Key BLOB types @@ -80,4 +82,4 @@ namespace Microsoft.AspNet.Security.DataProtection { internal const string BCRYPT_CHAIN_MODE_CCM = "ChainingModeCCM"; internal const string BCRYPT_CHAIN_MODE_GCM = "ChainingModeGCM"; } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs index 1737c90f38..19e72c0c2f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs @@ -12,4 +12,4 @@ namespace System.Security.Cryptography { } } } -#endif +#endif \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs index 75320aee41..e90ce87080 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs 
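Review bot: HashData in BCryptUtil.cs calls BCryptFinishHash on the handle it is given, which finalises that hash object, and the comment does not say so. A caller that keeps a long-lived keyed handle has to pass a copy obtained from DuplicateHash, otherwise its next call fails; I would extend the comment to `// helper function that wraps BCryptHashData / BCryptFinishHash; finalises 'hashHandle', so pass a duplicate if the handle must be reused`. It is also worth stating that `outputBytes` must equal the algorithm's digest length, since the function passes it through unchecked.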
@@ -4,19 +4,22 @@ using System.Reflection; using Microsoft.AspNet.Security.DataProtection.Resources; using Microsoft.AspNet.Security.DataProtection.Util; -namespace Microsoft.AspNet.Security.DataProtection { - public unsafe static class DataProtectionProvider { - - const int MASTER_KEY_REQUIRED_LENGTH = 512 / 8; +namespace Microsoft.AspNet.Security.DataProtection +{ + public static unsafe class DataProtectionProvider + { + private const int MASTER_KEY_REQUIRED_LENGTH = 512/8; private static readonly byte[] MASTER_SUBKEY_GENERATOR = GetMasterSubkeyGenerator(); - private static byte[] GetMasterSubkeyGenerator() { - TypeInfo typeInfo = typeof(DataProtectionProvider).GetTypeInfo(); + private static byte[] GetMasterSubkeyGenerator() + { + TypeInfo typeInfo = typeof (DataProtectionProvider).GetTypeInfo(); - byte[] retVal = new byte[sizeof(Guid) * 2]; - fixed (byte* pRetVal = retVal) { - Guid* guids = (Guid*)pRetVal; + byte[] retVal = new byte[sizeof (Guid)*2]; + fixed (byte* pRetVal = retVal) + { + Guid* guids = (Guid*) pRetVal; guids[0] = typeInfo.GUID; #if NET45 guids[1] = typeInfo.Module.ModuleVersionId; @@ -30,13 +33,16 @@ namespace Microsoft.AspNet.Security.DataProtection { /// /// Creates a new IDataProtectorFactory with a randomly-generated master key. /// - public static IDataProtectionProvider CreateNew() { + public static IDataProtectionProvider CreateNew() + { byte* masterKey = stackalloc byte[MASTER_KEY_REQUIRED_LENGTH]; - try { + try + { BCryptUtil.GenRandom(masterKey, MASTER_KEY_REQUIRED_LENGTH); return CreateImpl(masterKey, MASTER_KEY_REQUIRED_LENGTH); } - finally { + finally + { BufferUtil.ZeroMemory(masterKey, MASTER_KEY_REQUIRED_LENGTH); } } 
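Review bot: GetMasterSubkeyGenerator has no comment explaining what the two GUIDs are for, and under NET45 the second one is the module's ModuleVersionId, which normally changes with every compilation. If the generator feeds key derivation, data protected by one build would not unprotect under the next even with the same master key; a comment such as `// type GUID + module version id: ties the generator to this exact build` would make that explicit. The method body continues outside the hunk and the non-NET45 branch is not visible here.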
@@ -44,34 +50,41 @@ namespace Microsoft.AspNet.Security.DataProtection { /// /// Creates a new IDataProtectorFactory with the provided master key. /// - public static IDataProtectionProvider CreateFromKey(byte[] masterKey) { - if (masterKey == null) { + public static IDataProtectionProvider CreateFromKey(byte[] masterKey) + { + if (masterKey == null) + { throw new ArgumentNullException("masterKey"); } - if (masterKey.Length < MASTER_KEY_REQUIRED_LENGTH) { + if (masterKey.Length < MASTER_KEY_REQUIRED_LENGTH) + { string errorMessage = String.Format(CultureInfo.CurrentCulture, Res.DataProtectorFactory_MasterKeyTooShort, MASTER_KEY_REQUIRED_LENGTH); throw new ArgumentOutOfRangeException("masterKey", errorMessage); } - fixed (byte* pMasterKey = masterKey) { + fixed (byte* pMasterKey = masterKey) + { return CreateImpl(pMasterKey, masterKey.Length); } } - private static DataProtectionProviderImpl CreateImpl(byte* masterKey, int masterKeyLengthInBytes) { + private static DataProtectionProviderImpl CreateImpl(byte* masterKey, int masterKeyLengthInBytes) + { // We don't use the master key directly. We derive a master subkey via HMAC_{master_key}(MASTER_SUBKEY_GENERATOR). byte* masterSubkey = stackalloc byte[MASTER_KEY_REQUIRED_LENGTH]; - try { - using (var hashHandle = BCryptUtil.CreateHash(Algorithms.HMACSHA512AlgorithmHandle, masterKey, masterKeyLengthInBytes)) { + try + { + using (var hashHandle = BCryptUtil.CreateHash(Algorithms.HMACSHA512AlgorithmHandle, masterKey, masterKeyLengthInBytes)) + { BCryptUtil.HashData(hashHandle, masterKey, masterKeyLengthInBytes, masterSubkey, MASTER_KEY_REQUIRED_LENGTH); } BCryptKeyHandle kdfSubkeyHandle = BCryptUtil.ImportKey(Algorithms.SP800108AlgorithmHandle, masterSubkey, MASTER_KEY_REQUIRED_LENGTH); return new DataProtectionProviderImpl(kdfSubkeyHandle); } - finally { + finally + { BufferUtil.ZeroMemory(masterSubkey, MASTER_KEY_REQUIRED_LENGTH); } } - } -} +} \ No newline at end of file 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs index f78cde3fc6..2165b21fed 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs @@ -1,15 +1,18 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { - internal unsafe sealed class DataProtectionProviderImpl : IDataProtectionProvider { - +namespace Microsoft.AspNet.Security.DataProtection +{ + internal sealed unsafe class DataProtectionProviderImpl : IDataProtectionProvider + { private readonly BCryptKeyHandle _kdfSubkeyHandle; - public DataProtectionProviderImpl(BCryptKeyHandle kdfSubkeyHandle) { + public DataProtectionProviderImpl(BCryptKeyHandle kdfSubkeyHandle) + { _kdfSubkeyHandle = kdfSubkeyHandle; } - public IDataProtector CreateProtector(string purpose) { + public IDataProtector CreateProtector(string purpose) + { BCryptKeyHandle newAesKeyHandle; BCryptHashHandle newHmacHashHandle; BCryptKeyHandle newKdfSubkeyHandle; @@ -18,9 +21,9 @@ namespace Microsoft.AspNet.Security.DataProtection { return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newKdfSubkeyHandle); } - public void Dispose() { + public void Dispose() + { _kdfSubkeyHandle.Dispose(); } - } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs index 1aeacc31b8..d6489d56c3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs 
@@ -4,35 +4,40 @@ using System.Security.Cryptography; using Microsoft.AspNet.Security.DataProtection.Resources; using Microsoft.AspNet.Security.DataProtection.Util; -namespace Microsoft.AspNet.Security.DataProtection { - internal unsafe sealed class DataProtectorImpl : IDataProtector { - - private const int AES_BLOCK_LENGTH_IN_BYTES = 128 / 8; - private const int MAC_LENGTH_IN_BYTES = 256 / 8; +namespace Microsoft.AspNet.Security.DataProtection +{ + internal sealed unsafe class DataProtectorImpl : IDataProtector + { + private const int AES_BLOCK_LENGTH_IN_BYTES = 128/8; + private const int MAC_LENGTH_IN_BYTES = 256/8; private readonly BCryptKeyHandle _aesKeyHandle; private readonly BCryptHashHandle _hmacHashHandle; private readonly BCryptKeyHandle _kdfSubkeyHandle; - public DataProtectorImpl(BCryptKeyHandle aesKeyHandle, BCryptHashHandle hmacHashHandle, BCryptKeyHandle kdfSubkeyHandle) { + public DataProtectorImpl(BCryptKeyHandle aesKeyHandle, BCryptHashHandle hmacHashHandle, BCryptKeyHandle kdfSubkeyHandle) + { _aesKeyHandle = aesKeyHandle; _hmacHashHandle = hmacHashHandle; _kdfSubkeyHandle = kdfSubkeyHandle; } - private static int CalculateTotalProtectedDataSize(int unprotectedDataSize) { + private static int CalculateTotalProtectedDataSize(int unprotectedDataSize) + { Debug.Assert(unprotectedDataSize >= 0); // Calculates - int numFullBlocks = unprotectedDataSize / AES_BLOCK_LENGTH_IN_BYTES; - return checked(AES_BLOCK_LENGTH_IN_BYTES /* IV */ + (numFullBlocks + 1) * AES_BLOCK_LENGTH_IN_BYTES /* ciphertext w/ padding */ + MAC_LENGTH_IN_BYTES /* HMAC */); + int numFullBlocks = unprotectedDataSize/AES_BLOCK_LENGTH_IN_BYTES; + return checked(AES_BLOCK_LENGTH_IN_BYTES /* IV */+ (numFullBlocks + 1)*AES_BLOCK_LENGTH_IN_BYTES /* ciphertext w/ padding */+ MAC_LENGTH_IN_BYTES /* HMAC */); } - private static CryptographicException CreateGenericCryptographicException() { + private static CryptographicException CreateGenericCryptographicException() + { return new 
CryptographicException(Res.DataProtectorImpl_BadEncryptedData); } - public IDataProtector CreateSubProtector(string purpose) { + public IDataProtector CreateSubProtector(string purpose) + { BCryptKeyHandle newAesKeyHandle; BCryptHashHandle newHmacHashHandle; BCryptKeyHandle newKdfSubkeyHandle; @@ -41,21 +46,25 @@ namespace Microsoft.AspNet.Security.DataProtection { return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newKdfSubkeyHandle); } - public void Dispose() { + public void Dispose() + { _aesKeyHandle.Dispose(); _hmacHashHandle.Dispose(); _kdfSubkeyHandle.Dispose(); } - public byte[] Protect(byte[] unprotectedData) { - if (unprotectedData == null) { + public byte[] Protect(byte[] unprotectedData) + { + if (unprotectedData == null) + { throw new ArgumentNullException("unprotectedData"); } // When this method finishes, protectedData will contain { IV || ciphertext || HMAC(IV || ciphertext) } byte[] protectedData = new byte[CalculateTotalProtectedDataSize(unprotectedData.Length)]; - fixed (byte* pProtectedData = protectedData) { + fixed (byte* pProtectedData = protectedData) + { // first, generate a random IV for CBC mode encryption byte* pIV = pProtectedData; BCryptUtil.GenRandom(pIV, AES_BLOCK_LENGTH_IN_BYTES); 
@@ -63,16 +72,19 @@ namespace Microsoft.AspNet.Security.DataProtection { // then, encrypt the plaintext contents byte* pCiphertext = &pIV[AES_BLOCK_LENGTH_IN_BYTES]; int expectedCiphertextLength = protectedData.Length - AES_BLOCK_LENGTH_IN_BYTES - MAC_LENGTH_IN_BYTES; - fixed (byte* pPlaintext = unprotectedData) { + fixed (byte* pPlaintext = unprotectedData) + { int actualCiphertextLength = BCryptUtil.EncryptWithPadding(_aesKeyHandle, pPlaintext, unprotectedData.Length, pIV, AES_BLOCK_LENGTH_IN_BYTES, pCiphertext, expectedCiphertextLength); - if (actualCiphertextLength != expectedCiphertextLength) { + if (actualCiphertextLength != expectedCiphertextLength) + { throw new InvalidOperationException("Unexpected error while encrypting data."); } } // finally, calculate an HMAC over { IV || ciphertext } byte* pMac = &pCiphertext[expectedCiphertextLength]; - using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) { + using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) + { // Use a cloned hash handle since IDataProtector instances could be singletons, but BCryptHashHandle instances contain // state hence aren't thread-safe. Our own perf testing shows that duplicating existing hash handles is very fast. BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_BLOCK_LENGTH_IN_BYTES + expectedCiphertextLength, pMac, MAC_LENGTH_IN_BYTES); 
@@ -82,49 +94,60 @@ namespace Microsoft.AspNet.Security.DataProtection { return protectedData; } - public byte[] Unprotect(byte[] protectedData) { - if (protectedData == null) { + public byte[] Unprotect(byte[] protectedData) + { + if (protectedData == null) + { throw new ArgumentNullException("protectedData"); } byte[] retVal = null; - try { + try + { retVal = UnprotectImpl(protectedData); } - catch { + catch + { // swallow all exceptions; we'll homogenize } - if (retVal != null) { + if (retVal != null) + { return retVal; } - else { + else + { throw CreateGenericCryptographicException(); } } - private byte[] UnprotectImpl(byte[] protectedData) { + private byte[] UnprotectImpl(byte[] protectedData) + { Debug.Assert(protectedData != null); // is the protected data even long enough to be valid? - if (protectedData.Length < AES_BLOCK_LENGTH_IN_BYTES /* IV */ + AES_BLOCK_LENGTH_IN_BYTES /* min ciphertext size = 1 block */ + MAC_LENGTH_IN_BYTES) { + if (protectedData.Length < AES_BLOCK_LENGTH_IN_BYTES /* IV */+ AES_BLOCK_LENGTH_IN_BYTES /* min ciphertext size = 1 block */+ MAC_LENGTH_IN_BYTES) + { return null; } - fixed (byte* pProtectedData = protectedData) { + fixed (byte* pProtectedData = protectedData) + { // calculate pointer offsets byte* pIV = pProtectedData; byte* pCiphertext = &pProtectedData[AES_BLOCK_LENGTH_IN_BYTES]; - int ciphertextLength = protectedData.Length - AES_BLOCK_LENGTH_IN_BYTES /* IV */ - MAC_LENGTH_IN_BYTES /* MAC */; + int ciphertextLength = protectedData.Length - AES_BLOCK_LENGTH_IN_BYTES /* IV */- MAC_LENGTH_IN_BYTES /* MAC */; byte* pSuppliedMac = &pCiphertext[ciphertextLength]; // first, ensure that the MAC is valid byte* pCalculatedMac = stackalloc byte[MAC_LENGTH_IN_BYTES]; - using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) { + using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) + { // see comments in Protect(byte[]) for why we duplicate the hash BCryptUtil.HashData(clonedHashHandle, 
pProtectedData, AES_BLOCK_LENGTH_IN_BYTES + ciphertextLength, pCalculatedMac, MAC_LENGTH_IN_BYTES); } - if (!BCryptUtil.BuffersAreEqualSecure(pSuppliedMac, pCalculatedMac, MAC_LENGTH_IN_BYTES)) { + if (!BCryptUtil.BuffersAreEqualSecure(pSuppliedMac, pCalculatedMac, MAC_LENGTH_IN_BYTES)) + { return null; // MAC check failed } @@ -132,13 +155,16 @@ namespace Microsoft.AspNet.Security.DataProtection { // we don't know the actual plaintext length, but we know it must be strictly less than the ciphertext length int plaintextBufferLength = ciphertextLength; byte[] heapAllocatedPlaintext = null; - if (ciphertextLength > Constants.MAX_STACKALLOC_BYTES) { + if (ciphertextLength > Constants.MAX_STACKALLOC_BYTES) + { heapAllocatedPlaintext = new byte[plaintextBufferLength]; } - fixed (byte* pHeapAllocatedPlaintext = heapAllocatedPlaintext) { + fixed (byte* pHeapAllocatedPlaintext = heapAllocatedPlaintext) + { byte* pPlaintextBuffer = pHeapAllocatedPlaintext; - if (pPlaintextBuffer == null) { + if (pPlaintextBuffer == null) + { byte* temp = stackalloc byte[plaintextBufferLength]; // will be released when frame pops pPlaintextBuffer = temp; } @@ -148,13 +174,13 @@ namespace Microsoft.AspNet.Security.DataProtection { // truncate the return value to accomodate the plaintext size perfectly byte[] retVal = new byte[actualPlaintextLength]; - fixed (byte* pRetVal = retVal) { - BufferUtil.BlockCopy(from: (IntPtr)pPlaintextBuffer, to: (IntPtr)pRetVal, byteCount: actualPlaintextLength); + fixed (byte* pRetVal = retVal) + { + BufferUtil.BlockCopy(from: (IntPtr) pPlaintextBuffer, to: (IntPtr) pRetVal, byteCount: actualPlaintextLength); } return retVal; } } } - } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs index 520359930e..99bc6e3285 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs @@ -1,7 +1,9 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { - public interface IDataProtectionProvider : IDisposable { +namespace Microsoft.AspNet.Security.DataProtection +{ + public interface IDataProtectionProvider : IDisposable + { /// /// Given a purpose, returns a new IDataProtector that has unique cryptographic keys tied to this purpose. /// @@ -9,4 +11,4 @@ namespace Microsoft.AspNet.Security.DataProtection { /// An IDataProtector. IDataProtector CreateProtector(string purpose); } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs index c932d4522c..5577a3cbdb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs @@ -1,10 +1,12 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ /// /// Represents an object that can perform cryptographic operations. /// - public interface IDataProtector : IDisposable { + public interface IDataProtector : IDisposable + { /// /// Given a subpurpose, returns a new IDataProtector that has unique cryptographic keys tied both the purpose /// that was used to create this IDataProtector instance and the purpose that is provided as a parameter @@ -30,4 +32,4 @@ namespace Microsoft.AspNet.Security.DataProtection { /// Throws CryptographicException if the protectedData parameter has been tampered with. byte[] Unprotect(byte[] protectedData); } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs index 38a4928ff0..d4b33b324e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs @@ -6,6 +6,7 @@ using System.Runtime.InteropServices; // General Information about an assembly is controlled through the following // set of attributes. Change these attribute values to modify the information // associated with an assembly. + [assembly: AssemblyTitle("Microsoft.AspNet.Security.DataProtection")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] @@ -14,17 +15,18 @@ using System.Runtime.InteropServices; // Setting ComVisible to false makes the types in this assembly not visible // to COM components. If you need to access a type in this assembly from // COM, set the ComVisible attribute to true on that type. + [assembly: ComVisible(false)] // The following GUID is for the ID of the typelib if this project is exposed to COM -[assembly: Guid("130d9afa-6535-42bf-ba70-610b677d5acf")] +[assembly: Guid("130d9afa-6535-42bf-ba70-610b677d5acf")] [assembly: AssemblyCompany("Microsoft Corporation")] [assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] - [assembly: NeutralResourcesLanguage("en-US")] // for OOB servicing -[assembly: AssemblyMetadata("Serviceable", "True")] + +[assembly: AssemblyMetadata("Serviceable", "True")] \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs index 244f118df0..ea76877d13 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs @@ -16,4 +16,4 @@ namespace Microsoft.Win32.SafeHandles { } } } -#endif +#endif \ No newline at end of file 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index 34689a9917..c34dd599d0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs @@ -6,12 +6,13 @@ using System.Security; using System.Text; using System.Threading.Tasks; -namespace Microsoft.AspNet.Security.DataProtection { +namespace Microsoft.AspNet.Security.DataProtection +{ #if NET45 [SuppressUnmanagedCodeSecurity] #endif - internal unsafe static class UnsafeNativeMethods { - + internal static unsafe class UnsafeNativeMethods + { private const string BCRYPT_LIB = "bcrypt.dll"; private const string KERNEL32_LIB = "kernel32.dll"; @@ -156,4 +157,4 @@ namespace Microsoft.AspNet.Security.DataProtection { [In] IntPtr Destination, [In] UIntPtr /* SIZE_T */ Length); } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs index 36a781aa17..e982d35f9e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs 
@@ -1,24 +1,30 @@ using System; using System.Runtime.CompilerServices; -namespace Microsoft.AspNet.Security.DataProtection.Util { - internal unsafe static class BufferUtil { +namespace Microsoft.AspNet.Security.DataProtection.Util +{ + internal static unsafe class BufferUtil + { private static readonly byte[] _emptyArray = new byte[0]; [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void BlockCopy(IntPtr from, IntPtr to, int byteCount) { - BlockCopy(from, to, checked((uint)byteCount)); // will be checked before invoking the delegate + public static void BlockCopy(IntPtr from, IntPtr to, int byteCount) + { + BlockCopy(from, to, checked((uint) byteCount)); // will be checked before invoking the delegate } [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void BlockCopy(IntPtr from, IntPtr to, uint byteCount) { - BlockCopySlow((byte*)from, (byte*)to, byteCount); + public static void BlockCopy(IntPtr from, IntPtr to, uint byteCount) + { + BlockCopySlow((byte*) from, (byte*) to, byteCount); } [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void BlockCopySlow(byte* from, byte* to, uint byteCount) { + private static void BlockCopySlow(byte* from, byte* to, uint byteCount) + { // slow, but works - while (byteCount-- != 0) { + while (byteCount-- != 0) + { *(to++) = *(from++); } } 
@@ -26,21 +32,26 @@ namespace Microsoft.AspNet.Security.DataProtection.Util { /// /// Creates a new managed byte[] from unmanaged memory. /// - public static byte[] ToManagedByteArray(byte* ptr, int byteCount) { - return ToManagedByteArray(ptr, checked((uint)byteCount)); + public static byte[] ToManagedByteArray(byte* ptr, int byteCount) + { + return ToManagedByteArray(ptr, checked((uint) byteCount)); } /// /// Creates a new managed byte[] from unmanaged memory. /// - public static byte[] ToManagedByteArray(byte* ptr, uint byteCount) { - if (byteCount == 0) { + public static byte[] ToManagedByteArray(byte* ptr, uint byteCount) + { + if (byteCount == 0) + { return _emptyArray; // degenerate case } - else { + else + { byte[] bytes = new byte[byteCount]; - fixed (byte* pBytes = bytes) { - BlockCopy(from: (IntPtr)ptr, to: (IntPtr)pBytes, byteCount: byteCount); + fixed (byte* pBytes = bytes) + { + BlockCopy(from: (IntPtr) ptr, to: (IntPtr) pBytes, byteCount: byteCount); } return bytes; } @@ -50,17 +61,18 @@ namespace Microsoft.AspNet.Security.DataProtection.Util { /// Clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void ZeroMemory(byte* buffer, int byteCount) { - ZeroMemory(buffer, checked((uint)byteCount)); + public static void ZeroMemory(byte* buffer, int byteCount) + { + ZeroMemory(buffer, checked((uint) byteCount)); } /// /// Clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void ZeroMemory(byte* buffer, uint byteCount) { - UnsafeNativeMethods.RtlZeroMemory((IntPtr)buffer, (UIntPtr)byteCount); // don't require 'checked': uint -> UIntPtr always guaranteed to succeed + public static void ZeroMemory(byte* buffer, uint byteCount) + { + UnsafeNativeMethods.RtlZeroMemory((IntPtr) buffer, (UIntPtr) byteCount); // don't require 'checked': uint -> UIntPtr always guaranteed to succeed } - } -} +} \ No newline at end of file 
From 26fd4a5a18dd142164d7714820b00acbb939145d Mon Sep 17 00:00:00 2001 From: David Fowler Date: Tue, 28 Jan 2014 22:31:15 -0800 Subject: [PATCH 004/493] Updated build files. --- .gitignore | 27 +++++++++------------------ build.cmd | 7 +++---- 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/.gitignore b/.gitignore index 5cf7c13c7e..2554a1fc23 100644 --- a/.gitignore +++ b/.gitignore @@ -1,31 +1,22 @@ [Oo]bj/ [Bb]in/ -*.xap +TestResults/ +.nuget/ +_ReSharper.*/ +packages/ +artifacts/ +PublishProfiles/ *.user -/TestResults -*.vspscc -*.vssscc *.suo *.cache *.docstates _ReSharper.* -*.csproj.user -*[Rr]e[Ss]harper.user -_ReSharper.*/ -packages/* -artifacts/* -msbuild.log -PublishProfiles/ +nuget.exe +*net45.csproj +*k10.csproj *.psess *.vsp *.pidb *.userprefs *DS_Store *.ncrunchsolution -*.log -*.vspx -/.symbols -nuget.exe -build/ -*net45.csproj -*k10.csproj \ No newline at end of file diff --git a/build.cmd b/build.cmd index c3b2462019..d54931bc8f 100644 --- a/build.cmd +++ b/build.cmd @@ -7,10 +7,9 @@ md .nuget @powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://www.nuget.org/nuget.exe' -OutFile '.nuget\NuGet.exe'" :restore -IF EXIST build goto run +IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre -xcopy packages\KoreBuild\build build\ /Y -.nuget\NuGet.exe install Sake -version 0.2 -o packages +.nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion :run -packages\Sake.0.2\tools\Sake.exe -I build -f makefile.shade %* +packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* From 4bc8d9377790502186b3244414c960637635f926 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Sun, 2 Feb 2014 20:11:35 -0800 Subject: [PATCH 005/493] Updatng build.cmd to use cached NuGet.exe --- build.cmd | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
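Review bot: The new guard `IF EXIST packages\KoreBuild goto run` in build.cmd skips both installs as soon as the KoreBuild folder exists, so a first run that was interrupted before the Sake install leaves later runs failing at `packages\Sake\tools\Sake.exe` with nothing to repair it. Checking both folders would avoid that: `IF EXIST packages\KoreBuild IF EXIST packages\Sake goto run`. Separately, Sake is pinned with `-version 0.2`, but the KoreBuild line still installs whatever the newest pre-release is (`-pre`, no `-version`). The build scripts that run from `packages\KoreBuild\build` are therefore not reproducible; pinning a KoreBuild version would put both tools on the same footing.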
diff --git a/build.cmd b/build.cmd index d54931bc8f..7045ee1f84 100644 --- a/build.cmd +++ b/build.cmd @@ -1,10 +1,18 @@ @echo off cd %~dp0 -IF EXIST .nuget\NuGet.exe goto restore +SETLOCAL +SET CACHED_NUGET=%LocalAppData%\NuGet\NuGet.exe + +IF EXIST %CACHED_NUGET% goto copynuget echo Downloading latest version of NuGet.exe... +IF NOT EXIST %LocalAppData%\NuGet md %LocalAppData%\NuGet +@powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://www.nuget.org/nuget.exe' -OutFile '%CACHED_NUGET%'" + +:copynuget +IF EXIST .nuget\nuget.exe goto restore md .nuget -@powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://www.nuget.org/nuget.exe' -OutFile '.nuget\NuGet.exe'" +copy %CACHED_NUGET% .nuget\nuget.exe > nul :restore IF EXIST packages\KoreBuild goto run From 7aa23bfc05c4ff068b25e3a29fd4215ffbdc7a62 Mon Sep 17 00:00:00 2001 From: GrabYourPitchforks Date: Thu, 13 Feb 2014 17:42:04 -0800 Subject: [PATCH 006/493] Add DPAPI support to the DataProtection library. --- .../BCryptUtil.cs | 29 ++++ .../DATA_BLOB.cs | 14 ++ .../DataProtectionProvider.cs | 17 ++- .../DpapiDataProtectionProviderImpl.cs | 26 ++++ .../DpapiDataProtectorImpl.cs | 143 ++++++++++++++++++ .../Resources/Res.Designer.cs | 14 +- .../Resources/Res.resx | 3 + .../UnsafeNativeMethods.cs | 27 ++++ 8 files changed, 266 insertions(+), 7 deletions(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs index 3c28aaceec..8d1cfc4884 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs 
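Review bot: The NuGet.exe fetched into `%LocalAppData%\NuGet` is now reused by every later build on the machine, yet nothing checks it before it is copied to `.nuget\nuget.exe` and run. A truncated or tampered download would therefore persist across repositories. After the `Invoke-WebRequest` step, consider verifying the file with `Get-AuthenticodeSignature` and deleting the cached copy unless the status is `Valid`. The new lines also expand `%CACHED_NUGET%` and `%LocalAppData%` unquoted, which breaks when the profile path contains a space. Quoting them fixes that, e.g. `IF EXIST "%CACHED_NUGET%" goto copynuget` and `copy "%CACHED_NUGET%" .nuget\nuget.exe > nul`.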
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs @@ -1,4 +1,5 @@ using System; +using System.Diagnostics; using System.Runtime.CompilerServices; using System.Security.Cryptography; using Microsoft.AspNet.Security.DataProtection.Util; @@ -172,6 +173,34 @@ namespace Microsoft.AspNet.Security.DataProtection return checked((int) retVal); } + // helper function to take a key, apply a purpose, and generate a new subkey ("entropy") for DPAPI-specific scenarios + public static byte[] GenerateDpapiSubkey(byte[] previousKey, string purpose) + { + Debug.Assert(previousKey != null); + purpose = purpose ?? String.Empty; // cannot be null + + // create the HMAC object + BCryptHashHandle hashHandle; + fixed (byte* pPreviousKey = previousKey) + { + hashHandle = CreateHash(Algorithms.HMACSHA256AlgorithmHandle, pPreviousKey, previousKey.Length); + } + + // hash the purpose string, treating it as UTF-16LE + using (hashHandle) + { + byte[] retVal = new byte[256 / 8]; // fixed length output since we're hardcoded to HMACSHA256 + fixed (byte* pRetVal = retVal) + { + fixed (char* pPurpose = purpose) + { + HashData(hashHandle, (byte*)pPurpose, checked(purpose.Length * sizeof(char)), pRetVal, retVal.Length); + return retVal; + } + } + } + } + // helper function that's similar to RNGCryptoServiceProvider, but works directly with pointers public static void GenRandom(byte* buffer, int bufferBytes) { diff --git a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs new file mode 100644 index 0000000000..55bfc7ea8e --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs 
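Review bot: In `GenerateDpapiSubkey`, `purpose = purpose ?? String.Empty;` makes a null purpose and an empty purpose derive the same subkey, so two callers that differ only in that way silently share DPAPI entropy. If null is not a meaningful purpose, rejecting it at the public entry points would be clearer, e.g. `if (purpose == null) throw new ArgumentNullException("purpose");` in `CreateProtector` and `CreateSubProtector`. If it is accepted on purpose, the helper's comment should say so. The comment should also state that the purpose is hashed as raw UTF-16LE code units with no normalization, so visually identical strings in different Unicode forms yield different subkeys. `previousKey` is guarded only by `Debug.Assert`, which is compiled out of release builds.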
@@ -0,0 +1,14 @@ +using System; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +namespace Microsoft.AspNet.Security.DataProtection +{ + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx + [StructLayout(LayoutKind.Sequential)] + internal unsafe struct DATA_BLOB + { + public uint cbData; + public byte* pbData; + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs index e90ce87080..91d48649d0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs @@ -11,10 +11,11 @@ namespace Microsoft.AspNet.Security.DataProtection private const int MASTER_KEY_REQUIRED_LENGTH = 512/8; private static readonly byte[] MASTER_SUBKEY_GENERATOR = GetMasterSubkeyGenerator(); + private static readonly byte[] MASTER_DPAPI_ENTROPY = GetMasterSubkeyGenerator(isDpapi: true); - private static byte[] GetMasterSubkeyGenerator() + private static byte[] GetMasterSubkeyGenerator(bool isDpapi = false) { - TypeInfo typeInfo = typeof (DataProtectionProvider).GetTypeInfo(); + TypeInfo typeInfo = ((isDpapi) ? typeof(DpapiDataProtectionProviderImpl) : typeof(DataProtectionProvider)).GetTypeInfo(); byte[] retVal = new byte[sizeof (Guid)*2]; fixed (byte* pRetVal = retVal) @@ -31,7 +32,15 @@ namespace Microsoft.AspNet.Security.DataProtection } /// - /// Creates a new IDataProtectorFactory with a randomly-generated master key. + /// Creates a new IDataProtectionProvider backed by DPAPI. + /// + public static IDataProtectionProvider CreateFromDpapi() + { + return new DpapiDataProtectionProviderImpl(MASTER_DPAPI_ENTROPY); + } + + /// + /// Creates a new IDataProtectionProvider with a randomly-generated master key. /// public static IDataProtectionProvider CreateNew() { 
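Review bot: The summary on `CreateFromDpapi` does not say what actually protects the data, and `MASTER_DPAPI_ENTROPY` could be mistaken for a secret. It is built by `GetMasterSubkeyGenerator(isDpapi: true)` from assembly metadata: the type GUID and, under NET45, `Module.ModuleVersionId`, as the part of the body shown in an earlier hunk indicates. It therefore acts as a domain separator only, and confidentiality rests on the DPAPI key of the current Windows account. I would add to the doc comment something like `/// Data is protected with the current Windows user's DPAPI key; the entropy is derived from assembly metadata and is not a secret.` If `ModuleVersionId` changes per compilation, as it normally does, payloads would presumably stop unprotecting after the assembly is rebuilt; that is worth confirming and documenting too. The body of `GetMasterSubkeyGenerator` continues outside this hunk.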
@@ -48,7 +57,7 @@ namespace Microsoft.AspNet.Security.DataProtection } /// - /// Creates a new IDataProtectorFactory with the provided master key. + /// Creates a new IDataProtectionProvider with the provided master key. /// public static IDataProtectionProvider CreateFromKey(byte[] masterKey) { diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs new file mode 100644 index 0000000000..fa37a07bae --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs @@ -0,0 +1,26 @@ +using System; +using System.Diagnostics; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal sealed class DpapiDataProtectionProviderImpl : IDataProtectionProvider + { + private readonly byte[] _entropy; + + public DpapiDataProtectionProviderImpl(byte[] entropy) + { + Debug.Assert(entropy != null); + _entropy = entropy; + } + + public IDataProtector CreateProtector(string purpose) + { + return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose)); + } + + public void Dispose() + { + // no-op; no unmanaged resources to dispose + } + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs new file mode 100644 index 0000000000..5678e3a2f3 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs 
@@ -0,0 +1,143 @@ +using System; +using System.Diagnostics; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.Resources; +using Microsoft.AspNet.Security.DataProtection.Util; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal unsafe sealed class DpapiDataProtectorImpl : IDataProtector + { + // from dpapi.h + private const uint CRYPTPROTECT_UI_FORBIDDEN = 0x1; + + // Used as the 'purposes' parameter to DPAPI operations + private readonly byte[] _entropy; + + public DpapiDataProtectorImpl(byte[] entropy) + { + Debug.Assert(entropy != null); + _entropy = entropy; + } + + private static CryptographicException CreateGenericCryptographicException(bool isErrorDueToProfileNotLoaded = false) + { + string message = (isErrorDueToProfileNotLoaded) ? Res.DpapiDataProtectorImpl_ProfileNotLoaded : Res.DataProtectorImpl_BadEncryptedData; + return new CryptographicException(message); + } + + public IDataProtector CreateSubProtector(string purpose) + { + return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose)); + } + + public void Dispose() + { + // no-op; no unmanaged resources to dispose + } + + public byte[] Protect(byte[] unprotectedData) + { + if (unprotectedData == null) + { + throw new ArgumentNullException("unprotectedData"); + } + + DATA_BLOB dataOut = default(DATA_BLOB); + +#if NET45 + RuntimeHelpers.PrepareConstrainedRegions(); +#endif + try + { + bool success; + fixed (byte* pUnprotectedData = unprotectedData) + { + fixed (byte* pEntropy = _entropy) + { + // no need for checked arithmetic here + DATA_BLOB dataIn = new DATA_BLOB() { cbData = (uint)unprotectedData.Length, pbData = pUnprotectedData }; + DATA_BLOB optionalEntropy = new DATA_BLOB() { cbData = (uint)_entropy.Length, pbData = pEntropy }; + success = UnsafeNativeMethods.CryptProtectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, 
CRYPTPROTECT_UI_FORBIDDEN, out dataOut); + } + } + + // Did a failure occur? + if (!success) + { + int errorCode = Marshal.GetLastWin32Error(); + bool isErrorDueToProfileNotLoaded = ((errorCode & 0xffff) == 2 /* ERROR_FILE_NOT_FOUND */); + throw CreateGenericCryptographicException(isErrorDueToProfileNotLoaded); + } + + // OOMs may be marked as success but won't return a valid pointer + if (dataOut.pbData == null) + { + throw new OutOfMemoryException(); + } + + return BufferUtil.ToManagedByteArray(dataOut.pbData, dataOut.cbData); + } + finally + { + // per MSDN, we need to use LocalFree (implemented by Marshal.FreeHGlobal) to clean up CAPI-allocated memory + if (dataOut.pbData != null) + { + Marshal.FreeHGlobal((IntPtr)dataOut.pbData); + } + } + } + + public byte[] Unprotect(byte[] protectedData) + { + if (protectedData == null) + { + throw new ArgumentNullException("protectedData"); + } + + DATA_BLOB dataOut = default(DATA_BLOB); + +#if NET45 + RuntimeHelpers.PrepareConstrainedRegions(); +#endif + try + { + bool success; + fixed (byte* pProtectedData = protectedData) + { + fixed (byte* pEntropy = _entropy) + { + // no need for checked arithmetic here + DATA_BLOB dataIn = new DATA_BLOB() { cbData = (uint)protectedData.Length, pbData = pProtectedData }; + DATA_BLOB optionalEntropy = new DATA_BLOB() { cbData = (uint)_entropy.Length, pbData = pEntropy }; + success = UnsafeNativeMethods.CryptUnprotectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, out dataOut); + } + } + + // Did a failure occur? 
+ if (!success) + { + throw CreateGenericCryptographicException(); + } + + // OOMs may be marked as success but won't return a valid pointer + if (dataOut.pbData == null) + { + throw new OutOfMemoryException(); + } + + return BufferUtil.ToManagedByteArray(dataOut.pbData, dataOut.cbData); + } + finally + { + // per MSDN, we need to use LocalFree (implemented by Marshal.FreeHGlobal) to clean up CAPI-allocated memory + if (dataOut.pbData != null) + { + Marshal.FreeHGlobal((IntPtr)dataOut.pbData); + } + } + } + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs index d62ce5ee40..45215fb506 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs @@ -1,7 +1,7 @@ //------------------------------------------------------------------------------ // // This code was generated by a tool. -// Runtime Version:4.0.30319.34003 +// Runtime Version:4.0.30319.34014 // // Changes to this file may cause incorrect behavior and will be lost if // the code is regenerated. @@ -12,7 +12,6 @@ namespace Microsoft.AspNet.Security.DataProtection.Resources { using System; using System.Reflection; - /// /// A strongly-typed resource class, for looking up localized strings, etc. /// 
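Review bot: In `DpapiDataProtectorImpl.Unprotect`, the `finally` block frees the native buffer holding the decrypted plaintext (`dataOut.pbData`) without clearing it first. The recovered secret therefore stays in freed heap memory, even though the rest of the library zeroes key material in its `finally` blocks. Adding `BufferUtil.ZeroMemory(dataOut.pbData, dataOut.cbData);` immediately before `Marshal.FreeHGlobal((IntPtr)dataOut.pbData);` would close that gap; the same line is harmless in `Protect`, where the buffer holds ciphertext. Note also that `DataProtectorImpl.Unprotect` funnels every failure into one generic `CryptographicException`, whereas this implementation can surface `OutOfMemoryException` to the caller. If uniform failure behaviour is part of the `IDataProtector` contract, that difference should be documented or removed.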
@@ -40,7 +39,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Resources { internal static global::System.Resources.ResourceManager ResourceManager { get { if (object.ReferenceEquals(resourceMan, null)) { - global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Microsoft.AspNet.Security.DataProtection.Res.resources", typeof(Res).GetTypeInfo().Assembly); + global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Microsoft.AspNet.Security.DataProtection.Res", typeof(Res).GetTypeInfo().Assembly); resourceMan = temp; } return resourceMan; @@ -78,5 +77,14 @@ namespace Microsoft.AspNet.Security.DataProtection.Resources { return ResourceManager.GetString("DataProtectorImpl_BadEncryptedData", resourceCulture); } } + + /// + /// Looks up a localized string similar to Couldn't protect data. Perhaps the user profile isn't loaded?. + /// + internal static string DpapiDataProtectorImpl_ProfileNotLoaded { + get { + return ResourceManager.GetString("DpapiDataProtectorImpl_ProfileNotLoaded", resourceCulture); + } + } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx index f28f1d7003..d195f18d48 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx @@ -123,4 +123,7 @@ The data to decrypt is invalid. + + Couldn't protect data. Perhaps the user profile isn't loaded? + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index c34dd599d0..5e3cea28ec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs 
@@ -14,6 +14,7 @@ namespace Microsoft.AspNet.Security.DataProtection internal static unsafe class UnsafeNativeMethods { private const string BCRYPT_LIB = "bcrypt.dll"; + private const string CRYPT32_LIB = "crypt32.dll"; private const string KERNEL32_LIB = "kernel32.dll"; /* @@ -148,6 +149,32 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint cbInput, [In] uint dwFlags); + /* + * CRYPT32.DLL + */ + + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx + internal static extern bool CryptProtectData( + [In] DATA_BLOB* pDataIn, + [In] IntPtr szDataDescr, + [In] DATA_BLOB* pOptionalEntropy, + [In] IntPtr pvReserved, + [In] IntPtr pPromptStruct, + [In] uint dwFlags, + [Out] out DATA_BLOB pDataOut); + + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx + internal static extern bool CryptUnprotectData( + [In] DATA_BLOB* pDataIn, + [In] IntPtr ppszDataDescr, + [In] DATA_BLOB* pOptionalEntropy, + [In] IntPtr pvReserved, + [In] IntPtr pPromptStruct, + [In] uint dwFlags, + [Out] out DATA_BLOB pDataOut); + /* * KERNEL32.DLL */ From adf2adabc00e1ee00b733b7651ec2f45eb3f361d Mon Sep 17 00:00:00 2001 From: Levi Broderick Date: Thu, 6 Mar 2014 19:42:00 -0800 Subject: [PATCH 007/493] Add PBKDF2 support to the data protection library. --- .../Algorithms.cs | 20 +++--- .../CryptRand.cs | 25 +++++++ .../PBKDF2.cs | 65 +++++++++++++++++++ .../UnsafeNativeMethods.cs | 13 ++++ 4 files changed, 112 insertions(+), 11 deletions(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs 
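Review bot: The two new `DllImport(CRYPT32_LIB, ...)` declarations for `CryptProtectData` and `CryptUnprotectData` name the module as bare `crypt32.dll`, so which copy is loaded depends on the process's default DLL search order rather than being pinned to the system directory. For a library whose job is protecting secrets I would add `[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]` to each import (or to the class); whether that attribute is available on the k10 target is not visible here and needs checking. Separately, a comment next to `pDataOut` would keep the ownership rule beside the declaration, e.g. `// caller frees pDataOut.pbData via LocalFree (Marshal.FreeHGlobal)`. The enclosing `UnsafeNativeMethods` class starts and ends outside the hunk.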
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs index 58985150bb..0af410cea5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs @@ -33,11 +33,10 @@ namespace Microsoft.AspNet.Security.DataProtection return algHandle; } - private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() + internal static BCryptAlgorithmHandle CreateGenericHMACHandleFromPrimitiveProvider(string algorithmName) { - // create the HMACSHA-256 instance BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA256_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); + int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, algorithmName, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); if (status != 0 || algHandle == null || algHandle.IsInvalid) { throw new CryptographicException(status); 
@@ -46,17 +45,16 @@ namespace Microsoft.AspNet.Security.DataProtection return algHandle; } + private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() + { + // create the HMACSHA-256 instance + return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA256_ALGORITHM); + } + private static BCryptAlgorithmHandle CreateHMACSHA512AlgorithmHandle() { // create the HMACSHA-512 instance - BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA512_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); - if (status != 0 || algHandle == null || algHandle.IsInvalid) - { - throw new CryptographicException(status); - } - - return algHandle; + return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA512_ALGORITHM); } private static BCryptAlgorithmHandle CreateSP800108AlgorithmHandle() diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs new file mode 100644 index 0000000000..d6653ac611 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs @@ -0,0 +1,25 @@ +using System; + +namespace Microsoft.AspNet.Security.DataProtection +{ + /// + /// Helper class to populate buffers with cryptographically random data. + /// + public static class CryptRand + { + /// + /// Populates a buffer with cryptographically random data. + /// + /// The buffer to populate. + public static unsafe void FillBuffer(ArraySegment buffer) + { + // the ArraySegment<> ctor performs bounds checking + var unused = new ArraySegment(buffer.Array, buffer.Offset, buffer.Count); + + fixed (byte* pBuffer = &buffer.Array[buffer.Offset]) + { + BCryptUtil.GenRandom(pBuffer, buffer.Count); + } + } + } +} 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs
new file mode 100644
index 0000000000..f027571411
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs
@@ -0,0 +1,65 @@
+using System;
+using System.Security.Cryptography;
+
+namespace Microsoft.AspNet.Security.DataProtection
+{
+ ///
+ /// Helper class to derive keys from low-entropy passwords using the PBKDF2 algorithm.
+ ///
+ public static class PBKDF2
+ {
+ ///
+ /// Derives a key from a low-entropy password.
+ ///
+ /// The name of the PRF to use for key derivation.
+ /// The low-entropy password from which to generate a key.
+ /// The salt used to randomize the key derivation.
+ /// The number of iterations to perform.
+ /// The desired byte length of the derived key.
+ /// A key derived from the provided password.
+ /// For compatibility with the Rfc2898DeriveBytes class, specify "SHA1" for the algorithmName parameter.
+ public unsafe static byte[] DeriveKey(string algorithmName, byte[] password, byte[] salt, ulong iterationCount, uint numBytesToDerive)
+ {
+ if (String.IsNullOrEmpty(algorithmName))
+ {
+ throw new ArgumentNullException("algorithmName");
+ }
+ if (password == null || password.Length == 0)
+ {
+ throw new ArgumentNullException("password");
+ }
+ if (salt == null || salt.Length == 0)
+ {
+ throw new ArgumentNullException("salt");
+ }
+ if (iterationCount <= 0)
+ {
+ throw new ArgumentOutOfRangeException("iterationCount");
+ }
+
+ byte[] derivedKey = new byte[numBytesToDerive];
+ int status;
+
+ using (BCryptAlgorithmHandle algHandle = Algorithms.CreateGenericHMACHandleFromPrimitiveProvider(algorithmName))
+ {
+ fixed (byte* pPassword = password)
+ fixed (byte* pSalt = salt)
+ fixed (byte* pDerivedKey = derivedKey)
+ {
+ status = UnsafeNativeMethods.BCryptDeriveKeyPBKDF2(
+ algHandle, pPassword, (uint)password.Length, pSalt, (uint)salt.Length, iterationCount,
+ pDerivedKey, numBytesToDerive, dwFlags: 0);
+ }
+ }
+
+ if (status == 0 /* STATUS_SUCCESS */)
+ {
+ return derivedKey;
+ }
+ else
+ {
+ throw new CryptographicException(status);
+ }
+ }
+ }
+}
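Review bot: `DeriveKey` validates `password`, `salt` and `iterationCount` but never checks `numBytesToDerive`, which goes straight into `new byte[numBytesToDerive]` and then into the native call. With 0, `fixed (byte* pDerivedKey = derivedKey)` pins an empty array and yields a null pointer, so the outcome depends on how `BCryptDeriveKeyPBKDF2` treats a null, zero-length output; with a very large value the allocation itself fails. I would reject both up front: `if (numBytesToDerive == 0 || numBytesToDerive > Int32.MaxValue) { throw new ArgumentOutOfRangeException("numBytesToDerive"); }`. Also, `iterationCount <= 0` on a `ulong` is only an `== 0` test, so a count of 1 is accepted; the doc comment should say that choosing a sufficiently high iteration count is the caller's responsibility.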
diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index 5e3cea28ec..611d1d4084 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs @@ -52,6 +52,19 @@ namespace Microsoft.AspNet.Security.DataProtection [Out] out uint pcbResult, [In] BCryptEncryptFlags dwFlags); + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/dd433795(v=vs.85).aspx + internal static extern int BCryptDeriveKeyPBKDF2( + [In] BCryptAlgorithmHandle hPrf, + [In] byte* pbPassword, + [In] uint cbPassword, + [In] byte* pbSalt, + [In] uint cbSalt, + [In] ulong cIterations, + [In] byte* pbDerivedKey, + [In] uint cbDerivedKey, + [In] uint dwFlags); + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx internal static extern int BCryptDestroyHash( From 6748897083a1ce22c159b67f8053bf17c403708d Mon Sep 17 00:00:00 2001 
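Review bot: `pbDerivedKey` is declared `[In] byte*`, but it is the buffer the native function writes the derived key into. The attribute has no marshaling effect on a raw pointer, so the declaration works, yet it documents the wrong direction on a security-sensitive output. I would drop the attribute or write `[Out] byte* pbDerivedKey,` and add `// pbDerivedKey: receives cbDerivedKey bytes of key material` above it. The import does not set `SetLastError`, so the returned status is the only failure signal, and the same comment should say that callers must compare it with 0 before using the buffer. The enclosing class body continues outside the hunk.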
From: Levi Broderick Date: Fri, 7 Mar 2014 14:46:19 -0800 Subject: [PATCH 008/493] Update DataProtection to use a K-generated .resx designer file instead of the VS-generated .resx designer file. --- .../DataProtectionProvider.cs | 1 - .../DataProtectorImpl.cs | 1 - .../DpapiDataProtectorImpl.cs | 1 - .../PBKDF2.cs | 6 +- .../Properties/AssemblyInfo.cs | 32 ------- .../Properties/Res.Designer.cs | 94 +++++++++++++++++++ .../{Resources => }/Res.resx | 3 + .../Resources/Res.Designer.cs | 90 ------------------ 8 files changed, 100 insertions(+), 128 deletions(-) delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs rename src/Microsoft.AspNet.Security.DataProtection/{Resources => }/Res.resx (97%) delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs index 91d48649d0..fc011d8c0a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs @@ -1,7 +1,6 @@ using System; using System.Globalization; using System.Reflection; -using Microsoft.AspNet.Security.DataProtection.Resources; using Microsoft.AspNet.Security.DataProtection.Util; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs index d6489d56c3..dec7c4c485 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs 
@@ -1,7 +1,6 @@ using System; using System.Diagnostics; using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Resources; using Microsoft.AspNet.Security.DataProtection.Util; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs index 5678e3a2f3..13e5319e1a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs @@ -3,7 +3,6 @@ using System.Diagnostics; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Resources; using Microsoft.AspNet.Security.DataProtection.Util; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs index f027571411..c8824b37c1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs @@ -22,15 +22,15 @@ namespace Microsoft.AspNet.Security.DataProtection { if (String.IsNullOrEmpty(algorithmName)) { - throw new ArgumentNullException("algorithmName"); + throw new ArgumentException(Res.Common_NullOrEmpty, "algorithmName"); } if (password == null || password.Length == 0) { - throw new ArgumentNullException("password"); + throw new ArgumentException(Res.Common_NullOrEmpty, "password"); } if (salt == null || salt.Length == 0) { - throw new ArgumentNullException("salt"); + throw new ArgumentException(Res.Common_NullOrEmpty, "salt"); } if (iterationCount <= 0) { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs deleted file mode 100644 index d4b33b324e..0000000000 
--- a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs +++ /dev/null @@ -1,32 +0,0 @@ -using System; -using System.Reflection; -using System.Resources; -using System.Runtime.InteropServices; - -// General Information about an assembly is controlled through the following -// set of attributes. Change these attribute values to modify the information -// associated with an assembly. - -[assembly: AssemblyTitle("Microsoft.AspNet.Security.DataProtection")] -[assembly: AssemblyDescription("")] -[assembly: AssemblyConfiguration("")] -[assembly: AssemblyProduct("Microsoft.AspNet.Security.DataProtection")] - -// Setting ComVisible to false makes the types in this assembly not visible -// to COM components. If you need to access a type in this assembly from -// COM, set the ComVisible attribute to true on that type. - -[assembly: ComVisible(false)] - -// The following GUID is for the ID of the typelib if this project is exposed to COM - -[assembly: Guid("130d9afa-6535-42bf-ba70-610b677d5acf")] -[assembly: AssemblyCompany("Microsoft Corporation")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyTrademark("")] -[assembly: AssemblyCulture("")] -[assembly: NeutralResourcesLanguage("en-US")] - -// for OOB servicing - -[assembly: AssemblyMetadata("Serviceable", "True")] \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs new file mode 100644 index 0000000000..bac3e9fcff --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs 
@@ -0,0 +1,94 @@ +// +namespace Microsoft.AspNet.Security.DataProtection +{ + using System.Globalization; + using System.Reflection; + using System.Resources; + + internal static class Res + { + private static readonly ResourceManager _resourceManager + = new ResourceManager("Microsoft.AspNet.Security.DataProtection.Res", typeof(Res).GetTypeInfo().Assembly); + + /// + /// Argument cannot be null or empty. + /// + internal static string Common_NullOrEmpty + { + get { return GetString("Common_NullOrEmpty"); } + } + + /// + /// Argument cannot be null or empty. + /// + internal static string FormatCommon_NullOrEmpty() + { + return GetString("Common_NullOrEmpty"); + } + + /// + /// The master key is too short. It must be at least {0} bytes in length. + /// + internal static string DataProtectorFactory_MasterKeyTooShort + { + get { return GetString("DataProtectorFactory_MasterKeyTooShort"); } + } + + /// + /// The master key is too short. It must be at least {0} bytes in length. + /// + internal static string FormatDataProtectorFactory_MasterKeyTooShort(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("DataProtectorFactory_MasterKeyTooShort"), p0); + } + + /// + /// The data to decrypt is invalid. + /// + internal static string DataProtectorImpl_BadEncryptedData + { + get { return GetString("DataProtectorImpl_BadEncryptedData"); } + } + + /// + /// The data to decrypt is invalid. + /// + internal static string FormatDataProtectorImpl_BadEncryptedData() + { + return GetString("DataProtectorImpl_BadEncryptedData"); + } + + /// + /// Couldn't protect data. Perhaps the user profile isn't loaded? + /// + internal static string DpapiDataProtectorImpl_ProfileNotLoaded + { + get { return GetString("DpapiDataProtectorImpl_ProfileNotLoaded"); } + } + + /// + /// Couldn't protect data. Perhaps the user profile isn't loaded? 
+ /// + internal static string FormatDpapiDataProtectorImpl_ProfileNotLoaded() + { + return GetString("DpapiDataProtectorImpl_ProfileNotLoaded"); + } + + private static string GetString(string name, params string[] formatterNames) + { + var value = _resourceManager.GetString(name); + + System.Diagnostics.Debug.Assert(value != null); + + if (formatterNames != null) + { + for (var i = 0; i < formatterNames.Length; i++) + { + value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); + } + } + + return value; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx b/src/Microsoft.AspNet.Security.DataProtection/Res.resx similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx rename to src/Microsoft.AspNet.Security.DataProtection/Res.resx index d195f18d48..0a01c8908d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.resx +++ b/src/Microsoft.AspNet.Security.DataProtection/Res.resx @@ -117,6 +117,9 @@ System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + Argument cannot be null or empty. + The master key is too short. It must be at least {0} bytes in length. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs deleted file mode 100644 index 45215fb506..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources/Res.Designer.cs +++ /dev/null 
@@ -1,90 +0,0 @@ -//------------------------------------------------------------------------------ -// -// This code was generated by a tool. -// Runtime Version:4.0.30319.34014 -// -// Changes to this file may cause incorrect behavior and will be lost if -// the code is regenerated. -// -//------------------------------------------------------------------------------ - -namespace Microsoft.AspNet.Security.DataProtection.Resources { - using System; - using System.Reflection; - - /// - /// A strongly-typed resource class, for looking up localized strings, etc. - /// - // This class was auto-generated by the StronglyTypedResourceBuilder - // class via a tool like ResGen or Visual Studio. - // To add or remove a member, edit your .ResX file then rerun ResGen - // with the /str option, or rebuild your VS project. - [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")] - [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] - [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] - internal class Res { - - private static global::System.Resources.ResourceManager resourceMan; - - private static global::System.Globalization.CultureInfo resourceCulture; - - [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")] - internal Res() { - } - - /// - /// Returns the cached ResourceManager instance used by this class. 
- /// - [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] - internal static global::System.Resources.ResourceManager ResourceManager { - get { - if (object.ReferenceEquals(resourceMan, null)) { - global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Microsoft.AspNet.Security.DataProtection.Res", typeof(Res).GetTypeInfo().Assembly); - resourceMan = temp; - } - return resourceMan; - } - } - - /// - /// Overrides the current thread's CurrentUICulture property for all - /// resource lookups using this strongly typed resource class. - /// - [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] - internal static global::System.Globalization.CultureInfo Culture { - get { - return resourceCulture; - } - set { - resourceCulture = value; - } - } - - /// - /// Looks up a localized string similar to The master key is too short. It must be at least {0} bytes in length.. - /// - internal static string DataProtectorFactory_MasterKeyTooShort { - get { - return ResourceManager.GetString("DataProtectorFactory_MasterKeyTooShort", resourceCulture); - } - } - - /// - /// Looks up a localized string similar to The data to decrypt is invalid.. - /// - internal static string DataProtectorImpl_BadEncryptedData { - get { - return ResourceManager.GetString("DataProtectorImpl_BadEncryptedData", resourceCulture); - } - } - - /// - /// Looks up a localized string similar to Couldn't protect data. Perhaps the user profile isn't loaded?. - /// - internal static string DpapiDataProtectorImpl_ProfileNotLoaded { - get { - return ResourceManager.GetString("DpapiDataProtectorImpl_ProfileNotLoaded", resourceCulture); - } - } - } -} From c111258938bb8a010fc3efe49e9773adb3fb14f5 Mon Sep 17 00:00:00 2001 
From: David Fowler Date: Fri, 7 Mar 2014 01:53:03 -0800 Subject: [PATCH 009/493] Add required references for K to work --- .../project.json | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index ea163de588..2029bd04dd 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -1,8 +1,19 @@ { "version": "0.1-alpha-*", "configurations": { - "net45" : {}, - "k10" : {} + "net45": {}, + "k10": { + "dependencies": { + "System.Diagnostics.Debug": "4.0.10.0", + "System.Diagnostics.Tools": "4.0.0.0", + "System.Globalization": "4.0.10.0", + "System.Linq": "4.0.0.0", + "System.Reflection": "4.0.10.0", + "System.Resources.ResourceManager": "4.0.0.0", + "System.Runtime": "4.0.20.0", + "System.Runtime.InteropServices": "4.0.10.0" + } + } }, "compilationOptions": { "allowUnsafe": true From ba58f29e315abbedd1dd6402c0854a12f6c18807 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 11 Mar 2014 11:43:13 -0700 Subject: [PATCH 010/493] Updating MyGet feed to unblock build --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index ab583b0ff7..9dc2833940 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + From 730b16df3758adde118caa7dbde2c9b2eed1e31b Mon Sep 17 00:00:00 2001 From: Levi Broderick Date: Fri, 14 Mar 2014 14:34:20 -0700 Subject: [PATCH 011/493] CryptRand.FillBuffer shouldn't throw if the buffer is a zero-length array. --- src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs index d6653ac611..b4a233cbe6 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs @@ -16,9 +16,12 @@ namespace Microsoft.AspNet.Security.DataProtection // the ArraySegment<> ctor performs bounds checking var unused = new ArraySegment(buffer.Array, buffer.Offset, buffer.Count); - fixed (byte* pBuffer = &buffer.Array[buffer.Offset]) + if (buffer.Count != 0) { - BCryptUtil.GenRandom(pBuffer, buffer.Count); + fixed (byte* pBuffer = &buffer.Array[buffer.Offset]) + { + BCryptUtil.GenRandom(pBuffer, buffer.Count); + } } } } From e019e6732567a19811b8a0002df02d1228aa7069 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 28 Mar 2014 05:53:01 -0700 Subject: [PATCH 012/493] Updating CoreCLR package versions --- src/Microsoft.AspNet.Security.DataProtection/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 2029bd04dd..e1784c0b4e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -11,7 +11,7 @@ "System.Reflection": "4.0.10.0", "System.Resources.ResourceManager": "4.0.0.0", "System.Runtime": "4.0.20.0", - "System.Runtime.InteropServices": "4.0.10.0" + "System.Runtime.InteropServices": "4.0.20.0" } } }, From 26fedbb999fc58354ef260b8f6c9b5235ffb80b4 Mon Sep 17 00:00:00 2001 From: David Fowler Date: Tue, 8 Apr 2014 01:42:21 -0700 Subject: [PATCH 013/493] Updated tooling --- DataProtection.sln | 27 ++++------ ...osoft.AspNet.Security.DataProtection.kproj | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+), 17 deletions(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj diff --git a/DataProtection.sln b/DataProtection.sln index e33ff9ff38..40e55727eb 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -1,34 +1,27 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 2013 -VisualStudioVersion = 12.0.21005.1 +VisualStudioVersion = 12.0.30327.0 MinimumVisualStudioVersion = 10.0.40219.1 -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNet.Security.DataProtection.net45", "src\Microsoft.AspNet.Security.DataProtection\Microsoft.AspNet.Security.DataProtection.net45.csproj", "{106E3A4A-BD7A-40DC-90D3-2E0683D1E525}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNet.Security.DataProtection.k10", "src\Microsoft.AspNet.Security.DataProtection\Microsoft.AspNet.Security.DataProtection.k10.csproj", "{E646E4FE-167B-42EB-831B-BBC2AB07C3AC}" -EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection", "src\Microsoft.AspNet.Security.DataProtection\Microsoft.AspNet.Security.DataProtection.kproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|Any CPU = Debug|Any CPU - Release|Any CPU = Release|Any CPU + Debug|x86 = Debug|x86 + Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution - {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Debug|Any CPU.Build.0 = Debug|Any CPU - {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Release|Any CPU.ActiveCfg = Release|Any CPU - {106E3A4A-BD7A-40DC-90D3-2E0683D1E525}.Release|Any CPU.Build.0 = Release|Any CPU - {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Debug|Any CPU.Build.0 = Debug|Any CPU - {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Release|Any CPU.ActiveCfg = Release|Any CPU - {E646E4FE-167B-42EB-831B-BBC2AB07C3AC}.Release|Any CPU.Build.0 = 
Release|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.ActiveCfg = Debug|x86 + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.Build.0 = Debug|x86 + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.ActiveCfg = Release|x86 + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.Build.0 = Release|x86 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection GlobalSection(NestedProjects) = preSolution - {E646E4FE-167B-42EB-831B-BBC2AB07C3AC} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} - {106E3A4A-BD7A-40DC-90D3-2E0683D1E525} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {1E570CD4-6F12-44F4-961E-005EE2002BC2} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} EndGlobalSection EndGlobal diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj new file mode 100644 index 0000000000..d68788f92f --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -0,0 +1,54 @@ + + + + 12.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 1e570cd4-6f12-44f4-961e-005ee2002bc2 + Library + + + + + + + 2.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 1959aa9e7fd01407a639c654ef38d7d36d9d961b Mon Sep 17 00:00:00 2001 
From: GrabYourPitchforks Date: Tue, 15 Apr 2014 18:03:41 -0700 Subject: [PATCH 014/493] Merge from internal DataProtection repo. --- .../Algorithms.cs | 27 +-- .../BCRYPT_KEY_DATA_BLOB_HEADER.cs | 2 +- .../BCryptAlgorithmFlags.cs | 2 +- .../BCryptAlgorithmHandle.cs | 2 +- .../BCryptBuffer.cs | 2 +- .../BCryptBufferDesc.cs | 2 +- .../BCryptEncryptFlags.cs | 2 +- .../BCryptGenRandomFlags.cs | 2 +- .../BCryptHashHandle.cs | 2 +- .../BCryptKeyDerivationBufferType.cs | 2 +- .../BCryptKeyHandle.cs | 2 +- .../BCryptUtil.cs | 147 +++++++------- .../Constants.cs | 2 +- .../CryptographicException.cs | 15 -- .../DATA_BLOB.cs | 3 +- .../DataProtectionProvider.cs | 58 +++--- .../DataProtectionProviderImpl.cs | 18 +- .../DataProtectorImpl.cs | 68 ++++--- .../DpapiDataProtectionProviderImpl.cs | 8 +- .../DpapiDataProtectorImpl.cs | 30 ++- .../IDataProtectionProvider.cs | 5 +- .../IDataProtector.cs | 2 +- ...osoft.AspNet.Security.DataProtection.kproj | 7 +- .../PBKDF2.cs | 65 ------ .../SP800_108Helper.cs | 190 ++++++++++++++++++ .../SafeLibraryHandle.cs | 121 +++++++++++ ...ssUnmanagedCodeSecurityAttribute - Copy.cs | 10 + .../UnsafeNativeMethods.cs | 37 ++-- .../Util/BufferUtil.cs | 78 ++++--- .../Util/ByteArrayExtensions.cs | 23 +++ .../Util/MemoryUtil.cs | 20 ++ .../project.json | 5 +- 32 files changed, 647 insertions(+), 312 deletions(-) delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs index 0af410cea5..a2e3589613 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs @@ -3,12 +3,11 @@ using System.Security.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { - internal static unsafe class Algorithms + internal unsafe static class Algorithms { public static readonly BCryptAlgorithmHandle AESAlgorithmHandle = CreateAESAlgorithmHandle(); public static readonly BCryptAlgorithmHandle HMACSHA256AlgorithmHandle = CreateHMACSHA256AlgorithmHandle(); public static readonly BCryptAlgorithmHandle HMACSHA512AlgorithmHandle = CreateHMACSHA512AlgorithmHandle(); - public static readonly BCryptAlgorithmHandle SP800108AlgorithmHandle = CreateSP800108AlgorithmHandle(); private static BCryptAlgorithmHandle CreateAESAlgorithmHandle() { @@ -23,7 +22,7 @@ namespace Microsoft.AspNet.Security.DataProtection // change it to use CBC chaining; it already uses PKCS7 padding by default fixed (char* pCbcMode = Constants.BCRYPT_CHAIN_MODE_CBC) { - status = UnsafeNativeMethods.BCryptSetProperty(algHandle, Constants.BCRYPT_CHAINING_MODE, (IntPtr) pCbcMode, (uint) ((Constants.BCRYPT_CHAIN_MODE_CBC.Length + 1 /* trailing null */)*sizeof (char)), dwFlags: 0); + status = UnsafeNativeMethods.BCryptSetProperty(algHandle, Constants.BCRYPT_CHAINING_MODE, (IntPtr)pCbcMode, (uint)((Constants.BCRYPT_CHAIN_MODE_CBC.Length + 1 /* trailing null */) * sizeof(char)), dwFlags: 0); } if (status != 0) { 
@@ -32,11 +31,11 @@ namespace Microsoft.AspNet.Security.DataProtection return algHandle; } - - internal static BCryptAlgorithmHandle CreateGenericHMACHandleFromPrimitiveProvider(string algorithmName) + private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() { + // create the HMACSHA-256 instance BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, algorithmName, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); + int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA256_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); if (status != 0 || algHandle == null || algHandle.IsInvalid) { throw new CryptographicException(status); @@ -45,23 +44,11 @@ namespace Microsoft.AspNet.Security.DataProtection return algHandle; } - private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() - { - // create the HMACSHA-256 instance - return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA256_ALGORITHM); - } - private static BCryptAlgorithmHandle CreateHMACSHA512AlgorithmHandle() { // create the HMACSHA-512 instance - return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA512_ALGORITHM); - } - - private static BCryptAlgorithmHandle CreateSP800108AlgorithmHandle() - { - // create the SP800-108 instance BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SP800108_CTR_HMAC_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0); + int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA512_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); if (status != 0 || algHandle == null || algHandle.IsInvalid) { throw new CryptographicException(status); 
@@ -70,4 +57,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 return algHandle;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs
index 3bc50731df..ffb5f32308 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs
@@ -23,4 +23,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 pHeader.dwVersion = BCRYPT_KEY_DATA_BLOB_VERSION1;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs
index 25bbe91cfa..a4c2e5b927 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs
@@ -10,4 +10,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 BCRYPT_CAPI_AES_FLAG = 0x00000010,
 BCRYPT_HASH_REUSABLE_FLAG = 0x00000020,
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs
index f5a54fa9f8..0824fb3aab 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs
@@ -17,4 +17,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 return (UnsafeNativeMethods.BCryptCloseAlgorithmProvider(handle, dwFlags: 0) == 0);
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs
index 0a73118bbb..20f3305c18 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs
@@ -12,4 +12,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 public BCryptKeyDerivationBufferType BufferType; // Buffer type
 public IntPtr pvBuffer; // Pointer to buffer
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs
index 32eed76657..4ed446cb39 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs
@@ -20,4 +20,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 bufferDesc.ulVersion = BCRYPTBUFFER_VERSION;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs
index dfc3d86d71..491e2ab9bd 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs
@@ -8,4 +8,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 {
 BCRYPT_BLOCK_PADDING = 0x00000001,
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs
index 8fdce726b2..6c17410e5d 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs
@@ -9,4 +9,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 BCRYPT_RNG_USE_ENTROPY_IN_BUFFER = 0x00000001,
 BCRYPT_USE_SYSTEM_PREFERRED_RNG = 0x00000002,
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs
index ab59352f9d..c20e2e785f 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs
@@ -17,4 +17,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 return (UnsafeNativeMethods.BCryptDestroyHash(handle) == 0);
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs
index 143c811529..11fe12af50 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs
@@ -23,4 +23,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 KDF_SALT = 0xF,
 KDF_ITERATION_COUNT = 0x10,
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
index 16ab238e5a..491b807dd0 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
@@ -17,4 +17,4 @@ namespace Microsoft.AspNet.Security.DataProtection
 return (UnsafeNativeMethods.BCryptDestroyKey(handle) == 0);
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs
index 8d1cfc4884..0ec7d478f1 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs
@@ -1,13 +1,21 @@ using System; using System.Diagnostics; using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; using System.Security.Cryptography; +using System.Text; using Microsoft.AspNet.Security.DataProtection.Util; namespace Microsoft.AspNet.Security.DataProtection { - internal static unsafe class BCryptUtil + internal unsafe static class BCryptUtil { + // from dpapi.h + const uint CRYPTPROTECTMEMORY_BLOCK_SIZE = 16; + const uint CRYPTPROTECTMEMORY_SAME_PROCESS = 0x00; + + private static readonly UTF8Encoding _secureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); + // constant-time buffer comparison [MethodImpl(MethodImplOptions.NoOptimization)] public static bool BuffersAreEqualSecure(byte* p1, byte* p2, uint count) 
@@ -23,22 +31,22 @@ namespace Microsoft.AspNet.Security.DataProtection [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void CheckOverflowUnderflow(int input) { - var unused = checked((uint) input); + var unused = checked((uint)input); } [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void CheckOverflowUnderflow(uint input) { - var unused = checked((int) input); + var unused = checked((int)input); } - // helper function to wrap BCryptCreateHash - public static BCryptHashHandle CreateHash(BCryptAlgorithmHandle algorithmHandle, byte* key, int keyLengthInBytes) + // helper function to wrap BCryptCreateHash, passing in a key used for HMAC + public static BCryptHashHandle CreateHMACHandle(BCryptAlgorithmHandle algorithmHandle, byte* key, int keyLengthInBytes) { CheckOverflowUnderflow(keyLengthInBytes); BCryptHashHandle retVal; - int status = UnsafeNativeMethods.BCryptCreateHash(algorithmHandle, out retVal, IntPtr.Zero, 0, key, (uint) keyLengthInBytes, dwFlags: 0); + int status = UnsafeNativeMethods.BCryptCreateHash(algorithmHandle, out retVal, IntPtr.Zero, 0, key, (uint)keyLengthInBytes, dwFlags: 0); if (status != 0 || retVal == null || retVal.IsInvalid) { throw new CryptographicException(status); 
@@ -61,24 +69,24 @@ namespace Microsoft.AspNet.Security.DataProtection throw new InvalidOperationException(); } byte* pDuplicatedIV = stackalloc byte[ivLength]; - BufferUtil.BlockCopy(from: (IntPtr) iv, to: (IntPtr) pDuplicatedIV, byteCount: ivLength); + BufferUtil.BlockCopy(from: iv, to: pDuplicatedIV, byteCount: ivLength); uint retVal; - int status = UnsafeNativeMethods.BCryptDecrypt(keyHandle, input, (uint) inputLength, IntPtr.Zero, pDuplicatedIV, (uint) ivLength, output, (uint) outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + int status = UnsafeNativeMethods.BCryptDecrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); if (status != 0) { throw new CryptographicException(status); } - return checked((int) retVal); + return checked((int)retVal); } // helper function to wrap BCryptKeyDerivation using SP800-108-CTR-HMAC-SHA512 - public static void DeriveKeysSP800108(BCryptAlgorithmHandle kdfAlgorithmHandle, BCryptKeyHandle keyHandle, string purpose, BCryptAlgorithmHandle encryptionAlgorithmHandle, out BCryptKeyHandle encryptionKeyHandle, BCryptAlgorithmHandle hashAlgorithmHandle, out BCryptHashHandle hmacHandle, out BCryptKeyHandle kdfKeyHandle) + public static void DeriveKeysSP800108(byte[] protectedKdk, string purpose, BCryptAlgorithmHandle encryptionAlgorithmHandle, out BCryptKeyHandle encryptionKeyHandle, BCryptAlgorithmHandle hashAlgorithmHandle, out BCryptHashHandle hmacHandle, out byte[] kdfSubkey) { - const int ENCRYPTION_KEY_SIZE_IN_BYTES = 256/8; - const int HMAC_KEY_SIZE_IN_BYTES = 256/8; - const int KDF_SUBKEY_SIZE_IN_BYTES = 512/8; + const int ENCRYPTION_KEY_SIZE_IN_BYTES = 256 / 8; + const int HMAC_KEY_SIZE_IN_BYTES = 256 / 8; + const int KDF_SUBKEY_SIZE_IN_BYTES = 512 / 8; const int TOTAL_NUM_BYTES_TO_DERIVE = ENCRYPTION_KEY_SIZE_IN_BYTES + HMAC_KEY_SIZE_IN_BYTES + KDF_SUBKEY_SIZE_IN_BYTES; // keep our buffers on the 
stack while we're generating key material 
@@ -87,50 +95,27 @@ namespace Microsoft.AspNet.Security.DataProtection byte* pNewHmacKey = &pNewEncryptionKey[ENCRYPTION_KEY_SIZE_IN_BYTES]; byte* pNewKdfSubkey = &pNewHmacKey[HMAC_KEY_SIZE_IN_BYTES]; - try + protectedKdk = (byte[])protectedKdk.Clone(); // CryptUnprotectMemory mutates its input, so we preserve the original + fixed (byte* pKdk = protectedKdk) { - fixed (char* pszPrfAlgorithmName = Constants.BCRYPT_SHA512_ALGORITHM) + try { - // Create a buffer to hold the hash algorithm name, currently hardcoded to HMACSHA512 - uint numBuffers = 1; - BCryptBuffer* pBCryptBuffers = stackalloc BCryptBuffer[2]; - pBCryptBuffers[0].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; - pBCryptBuffers[0].pvBuffer = (IntPtr) pszPrfAlgorithmName; - pBCryptBuffers[0].cbBuffer = (uint) ((Constants.BCRYPT_SHA512_ALGORITHM.Length + 1)*sizeof (char)); // per http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx, need to include terminating null - fixed (char* pszPurpose = (String.IsNullOrEmpty(purpose) ? (string) null : purpose)) - { - // Create a buffer to hold the purpose string if it is specified (we'll treat it as UTF-16LE) - if (pszPurpose != null) - { - numBuffers = 2; - pBCryptBuffers[1].BufferType = BCryptKeyDerivationBufferType.KDF_LABEL; - pBCryptBuffers[1].pvBuffer = (IntPtr) pszPurpose; - pBCryptBuffers[1].cbBuffer = checked((uint) (purpose.Length*sizeof (char))); - } + // Since the KDK is pinned, the GC won't move around the array containing the plaintext key before we + // have the opportunity to clear its contents. + UnprotectMemoryWithinThisProcess(pKdk, (uint)protectedKdk.Length); - // .. and the header .. - BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); - BCryptBufferDesc.Initialize(ref bufferDesc); - bufferDesc.cBuffers = numBuffers; - bufferDesc.pBuffers = pBCryptBuffers; + byte[] purposeBytes = (!String.IsNullOrEmpty(purpose)) ? 
_secureUtf8Encoding.GetBytes(purpose) : null; + SP800_108Helper.DeriveKeys(pKdk, protectedKdk.Length, purposeBytes, pBuffer, TOTAL_NUM_BYTES_TO_DERIVE); - uint numBytesDerived; - int status = UnsafeNativeMethods.BCryptKeyDerivation(keyHandle, &bufferDesc, pBuffer, TOTAL_NUM_BYTES_TO_DERIVE, out numBytesDerived, dwFlags: 0); - if (status != 0 || numBytesDerived != TOTAL_NUM_BYTES_TO_DERIVE) - { - throw new CryptographicException(status); - } - } + // Split into AES, HMAC, and KDF subkeys + encryptionKeyHandle = ImportKey(encryptionAlgorithmHandle, pNewEncryptionKey, ENCRYPTION_KEY_SIZE_IN_BYTES); + hmacHandle = CreateHMACHandle(hashAlgorithmHandle, pNewHmacKey, HMAC_KEY_SIZE_IN_BYTES); + kdfSubkey = BufferUtil.ToProtectedManagedByteArray(pNewKdfSubkey, KDF_SUBKEY_SIZE_IN_BYTES); + } + finally + { + BufferUtil.SecureZeroMemory(pKdk, protectedKdk.Length); } - - // At this point, we have all the bytes we need. - encryptionKeyHandle = ImportKey(encryptionAlgorithmHandle, pNewEncryptionKey, ENCRYPTION_KEY_SIZE_IN_BYTES); - hmacHandle = CreateHash(hashAlgorithmHandle, pNewHmacKey, HMAC_KEY_SIZE_IN_BYTES); - kdfKeyHandle = ImportKey(kdfAlgorithmHandle, pNewKdfSubkey, KDF_SUBKEY_SIZE_IN_BYTES); - } - finally - { - BufferUtil.ZeroMemory(pBuffer, TOTAL_NUM_BYTES_TO_DERIVE); } } 
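Review bot: The derived key bytes in `pBuffer` are no longer wiped in DeriveKeysSP800108: the removed outer `finally` called `BufferUtil.ZeroMemory(pBuffer, TOTAL_NUM_BYTES_TO_DERIVE)`, while the new `finally` clears only `pKdk`. The AES key, HMAC key and KDF subkey therefore remain in the stack buffer after the method returns or throws. Add `BufferUtil.SecureZeroMemory(pBuffer, TOTAL_NUM_BYTES_TO_DERIVE);` to the new `finally`, next to the `pKdk` wipe. `pBuffer` is declared just above the hunk, so confirm that nothing outside the visible lines already clears it.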
@@ -161,16 +146,16 @@ namespace Microsoft.AspNet.Security.DataProtection throw new InvalidOperationException(); } byte* pDuplicatedIV = stackalloc byte[ivLength]; - BufferUtil.BlockCopy(from: (IntPtr) iv, to: (IntPtr) pDuplicatedIV, byteCount: ivLength); + BufferUtil.BlockCopy(from: iv, to: pDuplicatedIV, byteCount: ivLength); uint retVal; - int status = UnsafeNativeMethods.BCryptEncrypt(keyHandle, input, (uint) inputLength, IntPtr.Zero, pDuplicatedIV, (uint) ivLength, output, (uint) outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + int status = UnsafeNativeMethods.BCryptEncrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); if (status != 0) { throw new CryptographicException(status); } - return checked((int) retVal); + return checked((int)retVal); } // helper function to take a key, apply a purpose, and generate a new subkey ("entropy") for DPAPI-specific scenarios @@ -183,7 +168,7 @@ namespace Microsoft.AspNet.Security.DataProtection BCryptHashHandle hashHandle; fixed (byte* pPreviousKey = previousKey) { - hashHandle = CreateHash(Algorithms.HMACSHA256AlgorithmHandle, pPreviousKey, previousKey.Length); + hashHandle = CreateHMACHandle(Algorithms.HMACSHA256AlgorithmHandle, pPreviousKey, previousKey.Length); } // hash the purpose string, treating it as UTF-16LE @@ -206,7 +191,7 @@ namespace Microsoft.AspNet.Security.DataProtection { CheckOverflowUnderflow(bufferBytes); - int status = UnsafeNativeMethods.BCryptGenRandom(IntPtr.Zero, buffer, (uint) bufferBytes, BCryptGenRandomFlags.BCRYPT_USE_SYSTEM_PREFERRED_RNG); + int status = UnsafeNativeMethods.BCryptGenRandom(IntPtr.Zero, buffer, (uint)bufferBytes, BCryptGenRandomFlags.BCRYPT_USE_SYSTEM_PREFERRED_RNG); if (status != 0) { throw new CryptographicException(status); 
@@ -219,13 +204,13 @@ namespace Microsoft.AspNet.Security.DataProtection CheckOverflowUnderflow(inputBytes); CheckOverflowUnderflow(outputBytes); - int status = UnsafeNativeMethods.BCryptHashData(hashHandle, input, (uint) inputBytes, dwFlags: 0); + int status = UnsafeNativeMethods.BCryptHashData(hashHandle, input, (uint)inputBytes, dwFlags: 0); if (status != 0) { throw new CryptographicException(status); } - status = UnsafeNativeMethods.BCryptFinishHash(hashHandle, output, (uint) outputBytes, dwFlags: 0); + status = UnsafeNativeMethods.BCryptFinishHash(hashHandle, output, (uint)outputBytes, dwFlags: 0); if (status != 0) { throw new CryptographicException(status); @@ -238,7 +223,7 @@ namespace Microsoft.AspNet.Security.DataProtection CheckOverflowUnderflow(keyBytes); byte[] heapAllocatedKeyDataBlob = null; - int numBytesRequiredForKeyDataBlob = checked(keyBytes + sizeof (BCRYPT_KEY_DATA_BLOB_HEADER)); + int numBytesRequiredForKeyDataBlob = checked(keyBytes + sizeof(BCRYPT_KEY_DATA_BLOB_HEADER)); if (numBytesRequiredForKeyDataBlob > Constants.MAX_STACKALLOC_BYTES) { heapAllocatedKeyDataBlob = new byte[numBytesRequiredForKeyDataBlob]; // allocate on heap if we cannot allocate on stack 
@@ -248,28 +233,28 @@ namespace Microsoft.AspNet.Security.DataProtection BCryptKeyHandle retVal; fixed (byte* pHeapAllocatedKeyDataBlob = heapAllocatedKeyDataBlob) { - // The header is first - BCRYPT_KEY_DATA_BLOB_HEADER* pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*) pHeapAllocatedKeyDataBlob; + // The header is first; if it wasn't heap-allocated we can stack-allocate now + BCRYPT_KEY_DATA_BLOB_HEADER* pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)pHeapAllocatedKeyDataBlob; if (pKeyDataBlobHeader == null) { byte* temp = stackalloc byte[numBytesRequiredForKeyDataBlob]; // won't be released until frame pops - pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*) temp; + pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)temp; } BCRYPT_KEY_DATA_BLOB_HEADER.Initialize(ref *pKeyDataBlobHeader); - pKeyDataBlobHeader->cbKeyData = (uint) keyBytes; + pKeyDataBlobHeader->cbKeyData = (uint)keyBytes; // the raw material immediately follows the header - byte* pKeyDataRawMaterial = (byte*) (&pKeyDataBlobHeader[1]); + byte* pKeyDataRawMaterial = (byte*)(&pKeyDataBlobHeader[1]); try { - BufferUtil.BlockCopy(from: (IntPtr) key, to: (IntPtr) pKeyDataRawMaterial, byteCount: keyBytes); - status = UnsafeNativeMethods.BCryptImportKey(algHandle, IntPtr.Zero, Constants.BCRYPT_KEY_DATA_BLOB, out retVal, IntPtr.Zero, 0, (byte*) pKeyDataBlobHeader, (uint) numBytesRequiredForKeyDataBlob, dwFlags: 0); + BufferUtil.BlockCopy(from: key, to: pKeyDataRawMaterial, byteCount: keyBytes); + status = UnsafeNativeMethods.BCryptImportKey(algHandle, IntPtr.Zero, Constants.BCRYPT_KEY_DATA_BLOB, out retVal, IntPtr.Zero, 0, (byte*)pKeyDataBlobHeader, (uint)numBytesRequiredForKeyDataBlob, dwFlags: 0); } finally { // zero out the key we just copied - BufferUtil.ZeroMemory(pKeyDataRawMaterial, keyBytes); + BufferUtil.SecureZeroMemory(pKeyDataRawMaterial, keyBytes); } } 
@@ -279,5 +264,29 @@ namespace Microsoft.AspNet.Security.DataProtection } return retVal; } + + internal static void ProtectMemoryWithinThisProcess(byte* pBuffer, uint bufferLength) + { + Debug.Assert(pBuffer != null); + Debug.Assert(bufferLength % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0, "Input buffer size must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE."); + + bool success = UnsafeNativeMethods.CryptProtectMemory(pBuffer, bufferLength, CRYPTPROTECTMEMORY_SAME_PROCESS); + if (!success) + { + throw new CryptographicException(Marshal.GetLastWin32Error()); + } + } + + internal static void UnprotectMemoryWithinThisProcess(byte* pBuffer, uint bufferLength) + { + Debug.Assert(pBuffer != null); + Debug.Assert(bufferLength % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0, "Input buffer size must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE."); + + bool success = UnsafeNativeMethods.CryptUnprotectMemory(pBuffer, bufferLength, CRYPTPROTECTMEMORY_SAME_PROCESS); + if (!success) + { + throw new CryptographicException(Marshal.GetLastWin32Error()); + } + } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs index 059590c7e5..1cba9e94bc 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs @@ -82,4 +82,4 @@ namespace Microsoft.AspNet.Security.DataProtection internal const string BCRYPT_CHAIN_MODE_CCM = "ChainingModeCCM"; internal const string BCRYPT_CHAIN_MODE_GCM = "ChainingModeGCM"; } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs deleted file mode 100644 index 19e72c0c2f..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptographicException.cs +++ /dev/null 
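Review bot: In the added `ProtectMemoryWithinThisProcess` and `UnprotectMemoryWithinThisProcess`, the null-pointer and block-size preconditions are checked only with `Debug.Assert`, which is compiled out of release builds. A release build then leaves a misaligned length to whatever the native call does with it; an explicit guard such as `if (bufferLength % CRYPTPROTECTMEMORY_BLOCK_SIZE != 0) throw new ArgumentException("bufferLength");` would make the contract hold in every configuration. `Marshal.GetLastWin32Error()` is only meaningful if the P/Invoke declarations set `SetLastError = true`; those declarations are in UnsafeNativeMethods.cs, which is not visible here, so that should be confirmed. Both helpers would also benefit from a short comment stating that the buffer is transformed in place and that `CRYPTPROTECTMEMORY_SAME_PROCESS` limits decryption to the current process.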
@@ -1,15 +0,0 @@ -using System; - -#if !NET45 -namespace System.Security.Cryptography { - internal sealed class CryptographicException : Exception { - internal CryptographicException(string message) - : base(message) { - - } - - internal CryptographicException(int unused) { - } - } -} -#endif \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs index 55bfc7ea8e..73a4cb5263 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs @@ -1,5 +1,4 @@ using System; -using System.Runtime.CompilerServices; using System.Runtime.InteropServices; namespace Microsoft.AspNet.Security.DataProtection @@ -11,4 +10,4 @@ namespace Microsoft.AspNet.Security.DataProtection public uint cbData; public byte* pbData; } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs index fc011d8c0a..2babfa5008 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs 
@@ -1,41 +1,38 @@ using System; using System.Globalization; -using System.Reflection; +using System.Text; +using Microsoft.AspNet.Security.DataProtection; using Microsoft.AspNet.Security.DataProtection.Util; namespace Microsoft.AspNet.Security.DataProtection { - public static unsafe class DataProtectionProvider + /// + /// Provides methods for creating IDataProtectionProvider instances. + /// + public unsafe static class DataProtectionProvider { - private const int MASTER_KEY_REQUIRED_LENGTH = 512/8; + const int MASTER_KEY_REQUIRED_LENGTH = 512 / 8; - private static readonly byte[] MASTER_SUBKEY_GENERATOR = GetMasterSubkeyGenerator(); - private static readonly byte[] MASTER_DPAPI_ENTROPY = GetMasterSubkeyGenerator(isDpapi: true); + private static readonly byte[] MASTER_SUBKEY_GENERATOR = Encoding.ASCII.GetBytes("Microsoft.AspNet.Security.DataProtection"); - private static byte[] GetMasterSubkeyGenerator(bool isDpapi = false) + /// + /// Creates a new IDataProtectionProvider backed by DPAPI, where the protected + /// payload can only be decrypted by the current user. + /// + public static IDataProtectionProvider CreateFromDpapi() { - TypeInfo typeInfo = ((isDpapi) ? typeof(DpapiDataProtectionProviderImpl) : typeof(DataProtectionProvider)).GetTypeInfo(); - - byte[] retVal = new byte[sizeof (Guid)*2]; - fixed (byte* pRetVal = retVal) - { - Guid* guids = (Guid*) pRetVal; - guids[0] = typeInfo.GUID; -#if NET45 - guids[1] = typeInfo.Module.ModuleVersionId; -#else - guids[1] = default(Guid); -#endif - } - return retVal; + return CreateFromDpapi(protectToLocalMachine: false); } /// /// Creates a new IDataProtectionProvider backed by DPAPI. /// - public static IDataProtectionProvider CreateFromDpapi() + /// True if protected payloads can be decrypted by any user + /// on the local machine, false if protected payloads should only be able to decrypted by the + /// current user account. 
+ public static IDataProtectionProvider CreateFromDpapi(bool protectToLocalMachine) { - return new DpapiDataProtectionProviderImpl(MASTER_DPAPI_ENTROPY); + return new DpapiDataProtectionProviderImpl(MASTER_SUBKEY_GENERATOR, protectToLocalMachine); } /// @@ -51,7 +48,7 @@ namespace Microsoft.AspNet.Security.DataProtection } finally { - BufferUtil.ZeroMemory(masterKey, MASTER_KEY_REQUIRED_LENGTH); + BufferUtil.SecureZeroMemory(masterKey, MASTER_KEY_REQUIRED_LENGTH); } } @@ -82,17 +79,20 @@ namespace Microsoft.AspNet.Security.DataProtection byte* masterSubkey = stackalloc byte[MASTER_KEY_REQUIRED_LENGTH]; try { - using (var hashHandle = BCryptUtil.CreateHash(Algorithms.HMACSHA512AlgorithmHandle, masterKey, masterKeyLengthInBytes)) + using (var hashHandle = BCryptUtil.CreateHMACHandle(Algorithms.HMACSHA512AlgorithmHandle, masterKey, masterKeyLengthInBytes)) { - BCryptUtil.HashData(hashHandle, masterKey, masterKeyLengthInBytes, masterSubkey, MASTER_KEY_REQUIRED_LENGTH); + fixed (byte* pMasterSubkeyGenerator = MASTER_SUBKEY_GENERATOR) + { + BCryptUtil.HashData(hashHandle, pMasterSubkeyGenerator, MASTER_SUBKEY_GENERATOR.Length, masterSubkey, MASTER_KEY_REQUIRED_LENGTH); + } } - BCryptKeyHandle kdfSubkeyHandle = BCryptUtil.ImportKey(Algorithms.SP800108AlgorithmHandle, masterSubkey, MASTER_KEY_REQUIRED_LENGTH); - return new DataProtectionProviderImpl(kdfSubkeyHandle); + byte[] protectedKdk = BufferUtil.ToProtectedManagedByteArray(masterSubkey, MASTER_KEY_REQUIRED_LENGTH); + return new DataProtectionProviderImpl(protectedKdk); } finally { - BufferUtil.ZeroMemory(masterSubkey, MASTER_KEY_REQUIRED_LENGTH); + BufferUtil.SecureZeroMemory(masterSubkey, MASTER_KEY_REQUIRED_LENGTH); } } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs index 2165b21fed..97f0b7f895 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs @@ -2,28 +2,28 @@ namespace Microsoft.AspNet.Security.DataProtection { - internal sealed unsafe class DataProtectionProviderImpl : IDataProtectionProvider + internal unsafe sealed class DataProtectionProviderImpl : IDataProtectionProvider { - private readonly BCryptKeyHandle _kdfSubkeyHandle; + private readonly byte[] _protectedKdk; - public DataProtectionProviderImpl(BCryptKeyHandle kdfSubkeyHandle) + public DataProtectionProviderImpl(byte[] protectedKdk) { - _kdfSubkeyHandle = kdfSubkeyHandle; + _protectedKdk = protectedKdk; } public IDataProtector CreateProtector(string purpose) { BCryptKeyHandle newAesKeyHandle; BCryptHashHandle newHmacHashHandle; - BCryptKeyHandle newKdfSubkeyHandle; + byte[] newProtectedKdfSubkey; - BCryptUtil.DeriveKeysSP800108(Algorithms.SP800108AlgorithmHandle, _kdfSubkeyHandle, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newKdfSubkeyHandle); - return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newKdfSubkeyHandle); + BCryptUtil.DeriveKeysSP800108(_protectedKdk, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newProtectedKdfSubkey); + return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newProtectedKdfSubkey); } public void Dispose() { - _kdfSubkeyHandle.Dispose(); + // no-op: we hold no protected resources } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs index dec7c4c485..111e3118b8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs 
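Review bot: `Dispose()` in DataProtectionProviderImpl is now a no-op with the comment `// no-op: we hold no protected resources`, yet the class keeps `_protectedKdk`, the key-derivation key in its memory-protected form, for the lifetime of the object. Clearing it on dispose, for example `Array.Clear(_protectedKdk, 0, _protectedKdk.Length);` together with a disposed check in `CreateProtector`, would bound how long that material stays on the managed heap, and the comment should say that no native handles are held rather than that nothing sensitive is. The constructor also stores the caller's array by reference, so whether a defensive copy is needed depends on callers outside this hunk. The same applies to `DataProtectorImpl.Dispose` in the next file, which drops the `_kdfSubkeyHandle.Dispose()` call and leaves its `_protectedKdk` untouched.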
@@ -5,29 +5,37 @@ using Microsoft.AspNet.Security.DataProtection.Util; namespace Microsoft.AspNet.Security.DataProtection { - internal sealed unsafe class DataProtectorImpl : IDataProtector + internal unsafe sealed class DataProtectorImpl : IDataProtector { - private const int AES_BLOCK_LENGTH_IN_BYTES = 128/8; - private const int MAC_LENGTH_IN_BYTES = 256/8; + private const int AES_BLOCK_LENGTH_IN_BYTES = 128 / 8; + private const int AES_IV_LENGTH_IN_BYTES = AES_BLOCK_LENGTH_IN_BYTES; + private const int MAC_LENGTH_IN_BYTES = 256 / 8; private readonly BCryptKeyHandle _aesKeyHandle; private readonly BCryptHashHandle _hmacHashHandle; - private readonly BCryptKeyHandle _kdfSubkeyHandle; + private readonly byte[] _protectedKdk; - public DataProtectorImpl(BCryptKeyHandle aesKeyHandle, BCryptHashHandle hmacHashHandle, BCryptKeyHandle kdfSubkeyHandle) + public DataProtectorImpl(BCryptKeyHandle aesKeyHandle, BCryptHashHandle hmacHashHandle, byte[] protectedKdk) { _aesKeyHandle = aesKeyHandle; _hmacHashHandle = hmacHashHandle; - _kdfSubkeyHandle = kdfSubkeyHandle; + _protectedKdk = protectedKdk; } - private static int CalculateTotalProtectedDataSize(int unprotectedDataSize) + private static int CalculateTotalProtectedDataSize(int unprotectedDataSizeInBytes) { - Debug.Assert(unprotectedDataSize >= 0); + Debug.Assert(unprotectedDataSizeInBytes >= 0); - // Calculates - int numFullBlocks = unprotectedDataSize/AES_BLOCK_LENGTH_IN_BYTES; - return checked(AES_BLOCK_LENGTH_IN_BYTES /* IV */+ (numFullBlocks + 1)*AES_BLOCK_LENGTH_IN_BYTES /* ciphertext w/ padding */+ MAC_LENGTH_IN_BYTES /* HMAC */); + checked + { + // Padding always rounds the block count up, never down. + // If the input size is already a multiple of the block length, a block is added. 
+ int numBlocks = 1 + unprotectedDataSizeInBytes / AES_BLOCK_LENGTH_IN_BYTES; + return + AES_IV_LENGTH_IN_BYTES /* IV */ + + numBlocks * AES_BLOCK_LENGTH_IN_BYTES /* ciphertext with padding */ + + MAC_LENGTH_IN_BYTES /* MAC */; + } } private static CryptographicException CreateGenericCryptographicException() @@ -39,17 +47,16 @@ namespace Microsoft.AspNet.Security.DataProtection { BCryptKeyHandle newAesKeyHandle; BCryptHashHandle newHmacHashHandle; - BCryptKeyHandle newKdfSubkeyHandle; + byte[] newProtectedKdfSubkey; - BCryptUtil.DeriveKeysSP800108(Algorithms.SP800108AlgorithmHandle, _kdfSubkeyHandle, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newKdfSubkeyHandle); - return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newKdfSubkeyHandle); + BCryptUtil.DeriveKeysSP800108(_protectedKdk, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newProtectedKdfSubkey); + return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newProtectedKdfSubkey); } public void Dispose() { _aesKeyHandle.Dispose(); _hmacHashHandle.Dispose(); - _kdfSubkeyHandle.Dispose(); } public byte[] Protect(byte[] unprotectedData) 
@@ -66,14 +73,14 @@ namespace Microsoft.AspNet.Security.DataProtection { // first, generate a random IV for CBC mode encryption byte* pIV = pProtectedData; - BCryptUtil.GenRandom(pIV, AES_BLOCK_LENGTH_IN_BYTES); + BCryptUtil.GenRandom(pIV, AES_IV_LENGTH_IN_BYTES); // then, encrypt the plaintext contents - byte* pCiphertext = &pIV[AES_BLOCK_LENGTH_IN_BYTES]; - int expectedCiphertextLength = protectedData.Length - AES_BLOCK_LENGTH_IN_BYTES - MAC_LENGTH_IN_BYTES; - fixed (byte* pPlaintext = unprotectedData) + byte* pCiphertext = &pIV[AES_IV_LENGTH_IN_BYTES]; + int expectedCiphertextLength = protectedData.Length - AES_IV_LENGTH_IN_BYTES - MAC_LENGTH_IN_BYTES; + fixed (byte* pPlaintext = unprotectedData.AsFixed()) { - int actualCiphertextLength = BCryptUtil.EncryptWithPadding(_aesKeyHandle, pPlaintext, unprotectedData.Length, pIV, AES_BLOCK_LENGTH_IN_BYTES, pCiphertext, expectedCiphertextLength); + int actualCiphertextLength = BCryptUtil.EncryptWithPadding(_aesKeyHandle, pPlaintext, unprotectedData.Length, pIV, AES_IV_LENGTH_IN_BYTES, pCiphertext, expectedCiphertextLength); if (actualCiphertextLength != expectedCiphertextLength) { throw new InvalidOperationException("Unexpected error while encrypting data."); @@ -86,7 +93,7 @@ namespace Microsoft.AspNet.Security.DataProtection { // Use a cloned hash handle since IDataProtector instances could be singletons, but BCryptHashHandle instances contain // state hence aren't thread-safe. Our own perf testing shows that duplicating existing hash handles is very fast. - BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_BLOCK_LENGTH_IN_BYTES + expectedCiphertextLength, pMac, MAC_LENGTH_IN_BYTES); + BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_IV_LENGTH_IN_BYTES + expectedCiphertextLength, pMac, MAC_LENGTH_IN_BYTES); } } 
@@ -125,7 +132,7 @@ namespace Microsoft.AspNet.Security.DataProtection Debug.Assert(protectedData != null); // is the protected data even long enough to be valid? - if (protectedData.Length < AES_BLOCK_LENGTH_IN_BYTES /* IV */+ AES_BLOCK_LENGTH_IN_BYTES /* min ciphertext size = 1 block */+ MAC_LENGTH_IN_BYTES) + if (protectedData.Length < AES_IV_LENGTH_IN_BYTES /* IV */ + AES_BLOCK_LENGTH_IN_BYTES /* min ciphertext size = 1 block */ + MAC_LENGTH_IN_BYTES) { return null; } @@ -134,8 +141,8 @@ namespace Microsoft.AspNet.Security.DataProtection { // calculate pointer offsets byte* pIV = pProtectedData; - byte* pCiphertext = &pProtectedData[AES_BLOCK_LENGTH_IN_BYTES]; - int ciphertextLength = protectedData.Length - AES_BLOCK_LENGTH_IN_BYTES /* IV */- MAC_LENGTH_IN_BYTES /* MAC */; + byte* pCiphertext = &pProtectedData[AES_IV_LENGTH_IN_BYTES]; + int ciphertextLength = protectedData.Length - AES_IV_LENGTH_IN_BYTES /* IV */ - MAC_LENGTH_IN_BYTES /* MAC */; byte* pSuppliedMac = &pCiphertext[ciphertextLength]; // first, ensure that the MAC is valid @@ -143,7 +150,7 @@ namespace Microsoft.AspNet.Security.DataProtection using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) { // see comments in Protect(byte[]) for why we duplicate the hash - BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_BLOCK_LENGTH_IN_BYTES + ciphertextLength, pCalculatedMac, MAC_LENGTH_IN_BYTES); + BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_IV_LENGTH_IN_BYTES + ciphertextLength, pCalculatedMac, MAC_LENGTH_IN_BYTES); } if (!BCryptUtil.BuffersAreEqualSecure(pSuppliedMac, pCalculatedMac, MAC_LENGTH_IN_BYTES)) { 
@@ -168,18 +175,13 @@ namespace Microsoft.AspNet.Security.DataProtection pPlaintextBuffer = temp; } - int actualPlaintextLength = BCryptUtil.DecryptWithPadding(_aesKeyHandle, pCiphertext, ciphertextLength, pIV, AES_BLOCK_LENGTH_IN_BYTES, pPlaintextBuffer, plaintextBufferLength); + int actualPlaintextLength = BCryptUtil.DecryptWithPadding(_aesKeyHandle, pCiphertext, ciphertextLength, pIV, AES_IV_LENGTH_IN_BYTES, pPlaintextBuffer, plaintextBufferLength); Debug.Assert(actualPlaintextLength >= 0 && actualPlaintextLength < ciphertextLength); // truncate the return value to accomodate the plaintext size perfectly - byte[] retVal = new byte[actualPlaintextLength]; - fixed (byte* pRetVal = retVal) - { - BufferUtil.BlockCopy(from: (IntPtr) pPlaintextBuffer, to: (IntPtr) pRetVal, byteCount: actualPlaintextLength); - } - return retVal; + return BufferUtil.ToManagedByteArray(pPlaintextBuffer, actualPlaintextLength); } } } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs index fa37a07bae..679a5b094a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs 
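Review bot: After `BufferUtil.ToManagedByteArray` copies the result out, the decrypted bytes are still sitting in `pPlaintextBuffer`, and the method returns immediately with no cleanup visible before the closing braces. Wrapping the decrypt-and-copy in try/finally with `BufferUtil.SecureZeroMemory(pPlaintextBuffer, plaintextBufferLength);` would use the helper this commit introduces. The buffer's allocation is above the hunk; the context line `pPlaintextBuffer = temp;` suggests a heap fallback for larger payloads, which is where a stale plaintext copy would live longest.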
@@ -6,16 +6,18 @@ namespace Microsoft.AspNet.Security.DataProtection internal sealed class DpapiDataProtectionProviderImpl : IDataProtectionProvider { private readonly byte[] _entropy; + private readonly bool _protectToLocalMachine; - public DpapiDataProtectionProviderImpl(byte[] entropy) + public DpapiDataProtectionProviderImpl(byte[] entropy, bool protectToLocalMachine) { Debug.Assert(entropy != null); _entropy = entropy; + _protectToLocalMachine = protectToLocalMachine; } public IDataProtector CreateProtector(string purpose) { - return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose)); + return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose), _protectToLocalMachine); } public void Dispose() @@ -23,4 +25,4 @@ namespace Microsoft.AspNet.Security.DataProtection // no-op; no unmanaged resources to dispose } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs index 13e5319e1a..66be4205a2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs 
@@ -10,15 +10,19 @@ namespace Microsoft.AspNet.Security.DataProtection internal unsafe sealed class DpapiDataProtectorImpl : IDataProtector { // from dpapi.h + private const uint CRYPTPROTECT_LOCAL_MACHINE = 0x4; private const uint CRYPTPROTECT_UI_FORBIDDEN = 0x1; // Used as the 'purposes' parameter to DPAPI operations private readonly byte[] _entropy; - public DpapiDataProtectorImpl(byte[] entropy) + private readonly bool _protectToLocalMachine; + + public DpapiDataProtectorImpl(byte[] entropy, bool protectToLocalMachine) { Debug.Assert(entropy != null); _entropy = entropy; + _protectToLocalMachine = protectToLocalMachine; } private static CryptographicException CreateGenericCryptographicException(bool isErrorDueToProfileNotLoaded = false) @@ -29,7 +33,7 @@ namespace Microsoft.AspNet.Security.DataProtection public IDataProtector CreateSubProtector(string purpose) { - return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose)); + return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose), _protectToLocalMachine); } public void Dispose() @@ -37,6 +41,18 @@ namespace Microsoft.AspNet.Security.DataProtection // no-op; no unmanaged resources to dispose } + private uint GetCryptProtectUnprotectFlags() + { + if (_protectToLocalMachine) + { + return CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN; + } + else + { + return CRYPTPROTECT_UI_FORBIDDEN; + } + } + public byte[] Protect(byte[] unprotectedData) { if (unprotectedData == null) 
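Review bot: The new `_protectToLocalMachine` switch changes who is able to unprotect a payload, and nothing in `GetCryptProtectUnprotectFlags()` or on the constructor says so. With CRYPTPROTECT_LOCAL_MACHINE the DPAPI blob is bound to the machine instead of the calling user's profile, so any account on that machine that can reproduce the entropy can unprotect it. A comment on the helper would make the trade-off explicit, for example `// CRYPTPROTECT_LOCAL_MACHINE: blob is bound to this machine, not the current user; any local account holding the same entropy can unprotect it`. The class body continues outside these hunks, so the callers that pick the value are not visible here.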
@@ -52,14 +68,14 @@ namespace Microsoft.AspNet.Security.DataProtection try { bool success; - fixed (byte* pUnprotectedData = unprotectedData) + fixed (byte* pUnprotectedData = unprotectedData.AsFixed()) { fixed (byte* pEntropy = _entropy) { // no need for checked arithmetic here DATA_BLOB dataIn = new DATA_BLOB() { cbData = (uint)unprotectedData.Length, pbData = pUnprotectedData }; DATA_BLOB optionalEntropy = new DATA_BLOB() { cbData = (uint)_entropy.Length, pbData = pEntropy }; - success = UnsafeNativeMethods.CryptProtectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, out dataOut); + success = UnsafeNativeMethods.CryptProtectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, GetCryptProtectUnprotectFlags(), out dataOut); } } @@ -104,14 +120,14 @@ namespace Microsoft.AspNet.Security.DataProtection try { bool success; - fixed (byte* pProtectedData = protectedData) + fixed (byte* pProtectedData = protectedData.AsFixed()) { fixed (byte* pEntropy = _entropy) { // no need for checked arithmetic here DATA_BLOB dataIn = new DATA_BLOB() { cbData = (uint)protectedData.Length, pbData = pProtectedData }; DATA_BLOB optionalEntropy = new DATA_BLOB() { cbData = (uint)_entropy.Length, pbData = pEntropy }; - success = UnsafeNativeMethods.CryptUnprotectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, out dataOut); + success = UnsafeNativeMethods.CryptUnprotectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, GetCryptProtectUnprotectFlags(), out dataOut); } } @@ -139,4 +155,4 @@ namespace Microsoft.AspNet.Security.DataProtection } } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs index 99bc6e3285..eb529127b6 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs @@ -2,6 +2,9 @@ namespace Microsoft.AspNet.Security.DataProtection { + /// + /// A factory that can provide IDataProtector instances. + /// public interface IDataProtectionProvider : IDisposable { /// @@ -11,4 +14,4 @@ namespace Microsoft.AspNet.Security.DataProtection /// An IDataProtector. IDataProtector CreateProtector(string purpose); } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs index 5577a3cbdb..f1f41dd81e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs @@ -32,4 +32,4 @@ namespace Microsoft.AspNet.Security.DataProtection /// Throws CryptographicException if the protectedData parameter has been tampered with. byte[] Unprotect(byte[] protectedData); } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index d68788f92f..9b57d1f1b4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -23,6 +23,8 @@ + + @@ -34,7 +36,6 @@ - @@ -44,11 +45,13 @@ - + + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs deleted file mode 100644 index c8824b37c1..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs +++ /dev/null 
@@ -1,65 +0,0 @@ -using System; -using System.Security.Cryptography; - -namespace Microsoft.AspNet.Security.DataProtection -{ - /// - /// Helper class to derive keys from low-entropy passwords using the PBKDF2 algorithm. - /// - public static class PBKDF2 - { - /// - /// Derives a key from a low-entropy password. - /// - /// The name of the PRF to use for key derivation. - /// The low-entropy password from which to generate a key. - /// The salt used to randomize the key derivation. - /// The number of iterations to perform. - /// The desired byte length of the derived key. - /// A key derived from the provided password. - /// For compatibility with the Rfc2898DeriveBytes class, specify "SHA1" for the algorithmName parameter. - public unsafe static byte[] DeriveKey(string algorithmName, byte[] password, byte[] salt, ulong iterationCount, uint numBytesToDerive) - { - if (String.IsNullOrEmpty(algorithmName)) - { - throw new ArgumentException(Res.Common_NullOrEmpty, "algorithmName"); - } - if (password == null || password.Length == 0) - { - throw new ArgumentException(Res.Common_NullOrEmpty, "password"); - } - if (salt == null || salt.Length == 0) - { - throw new ArgumentException(Res.Common_NullOrEmpty, "salt"); - } - if (iterationCount <= 0) - { - throw new ArgumentOutOfRangeException("iterationCount"); - } - - byte[] derivedKey = new byte[numBytesToDerive]; - int status; - - using (BCryptAlgorithmHandle algHandle = Algorithms.CreateGenericHMACHandleFromPrimitiveProvider(algorithmName)) - { - fixed (byte* pPassword = password) - fixed (byte* pSalt = salt) - fixed (byte* pDerivedKey = derivedKey) - { - status = UnsafeNativeMethods.BCryptDeriveKeyPBKDF2( - algHandle, pPassword, (uint)password.Length, pSalt, (uint)salt.Length, iterationCount, - pDerivedKey, numBytesToDerive, dwFlags: 0); - } - } - - if (status == 0 /* STATUS_SUCCESS */) - { - return derivedKey; - } - else - { - throw new CryptographicException(status); - } - } - } -} 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs
new file mode 100644
index 0000000000..f08127f864
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs
@@ -0,0 +1,190 @@ +using System; +using System.Net; +using System.Runtime.InteropServices; +using System.Security; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.Util; +using Microsoft.Win32.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection +{ + /// + /// Provides an implementation of the SP800-108-CTR-HMACSHA512 key derivation function. + /// This class assumes at least Windows 7 / Server 2008 R2. + /// + /// + /// More info at http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf, Sec. 5.1. + /// + internal unsafe static class SP800_108Helper + { + private const string BCRYPT_LIB = "bcrypt.dll"; + + [SuppressUnmanagedCodeSecurity] + [UnmanagedFunctionPointer(CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/hh448506(v=vs.85).aspx + private delegate int BCryptKeyDerivation( + [In] BCryptKeyHandle hKey, + [In] BCryptBufferDesc* pParameterList, + [In] byte* pbDerivedKey, + [In] uint cbDerivedKey, + [Out] out uint pcbResult, + [In] uint dwFlags); + + private static readonly BCryptAlgorithmHandle SP800108AlgorithmHandle; + private delegate void DeriveKeysDelegate(byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength); + private static DeriveKeysDelegate _thunk = CreateThunk(out SP800108AlgorithmHandle); + + private static BCryptAlgorithmHandle CreateSP800108AlgorithmHandle() + { + // create the SP800-108 instance + BCryptAlgorithmHandle algHandle; + int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SP800108_CTR_HMAC_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0); + if (status != 0 || algHandle == null || algHandle.IsInvalid) + { + throw new CryptographicException(status); + } + + return algHandle; + } + + private static DeriveKeysDelegate CreateThunk(out BCryptAlgorithmHandle sp800108AlgorithmHandle) + { + SafeLibraryHandle bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB); + var 
win8Thunk = bcryptLibHandle.GetProcAddress("BCryptKeyDerivation", throwIfNotFound: false); + if (win8Thunk != null) + { + // Permanently reference bcrypt.dll for the lifetime of the AppDomain. + // When the AD goes away the SafeLibraryHandle will automatically be released. + GCHandle.Alloc(bcryptLibHandle); + sp800108AlgorithmHandle = CreateSP800108AlgorithmHandle(); + return win8Thunk.DeriveKeysWin8; + } + else + { + sp800108AlgorithmHandle = null; + return DeriveKeysWin7; + } + } + + /// + /// Performs a key derivation using SP800-108-CTR-HMACSHA512. + /// + /// Pointer to the key derivation key. + /// Length (in bytes) of the key derivation key. + /// Purpose to attach to the generated subkey. Corresponds to the 'Label' parameter + /// in the KDF. May be null. + /// Pointer to a buffer which will receive the subkey. + /// Length (in bytes) of the output buffer. + public static void DeriveKeys(byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength) + { + _thunk(pKdk, kdkByteLength, purpose, pOutputBuffer, outputBufferByteLength); + } + + // Wraps our own SP800-108 implementation around bcrypt.dll primitives. + private static void DeriveKeysWin7(byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength) + { + const int TEMP_RESULT_OUTPUT_BYTES = 512 / 8; // hardcoded to HMACSHA512 + + // NOTE: pOutputBuffer and outputBufferByteLength are modified as data is copied from temporary buffers + // to the final output buffer. + + // used to hold the output of the HMACSHA512 routine + byte* pTempResultBuffer = stackalloc byte[TEMP_RESULT_OUTPUT_BYTES]; + int purposeLength = (purpose != null) ? 
purpose.Length : 0; + + // this will be zero-inited + byte[] dataToBeHashed = new byte[checked( + sizeof(int) /* [i] */ + + purposeLength /* Label */ + + 1 /* 0x00 */ + + 0 /* Context */ + + sizeof(int) /* [L] */)]; + + fixed (byte* pDataToBeHashed = dataToBeHashed) + { + // Step 1: copy purpose into Label part of data to be hashed + if (purposeLength > 0) + { + fixed (byte* pPurpose = purpose) + { + BufferUtil.BlockCopy(from: pPurpose, to: &pDataToBeHashed[sizeof(int)], byteCount: purposeLength); + } + } + + // Step 2: copy [L] into last part of data to be hashed, big-endian + uint numBitsToGenerate = checked(outputBufferByteLength * 8); + MemoryUtil.UnalignedWriteBigEndian(&pDataToBeHashed[dataToBeHashed.Length - sizeof(int)], numBitsToGenerate); + + // Step 3: iterate until all desired bytes have been generated + for (int i = 1; outputBufferByteLength > 0; i++) + { + // Step 3a: Copy [i] into the first part of data to be hashed, big-endian + MemoryUtil.UnalignedWriteBigEndian(pDataToBeHashed, (uint)i); + + // Step 3b: Hash. Win7 doesn't allow reusing hash algorithm objects after the final hash + // has been computed, so we need to create a new instance of the hash object for each + // iteration. We don't bother with this optimization on Win8 since we call BCryptKeyDerivation + // instead when on that OS. + using (var hashHandle = BCryptUtil.CreateHMACHandle(Algorithms.HMACSHA512AlgorithmHandle, pKdk, kdkByteLength)) + { + BCryptUtil.HashData(hashHandle, pDataToBeHashed, dataToBeHashed.Length, pTempResultBuffer, TEMP_RESULT_OUTPUT_BYTES); + } + + // Step 3c: Copy bytes from the temporary buffer to the output buffer. 
+ uint numBytesToCopy = Math.Min(outputBufferByteLength, (uint)TEMP_RESULT_OUTPUT_BYTES); + BufferUtil.BlockCopy(from: pTempResultBuffer, to: pOutputBuffer, byteCount: numBytesToCopy); + pOutputBuffer += numBytesToCopy; + outputBufferByteLength -= numBytesToCopy; + } + } + } + + // Calls into the Win8 implementation (bcrypt.dll) for the SP800-108 KDF + private static void DeriveKeysWin8(this BCryptKeyDerivation fnKeyDerivation, byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength) + { + // Create a buffer to hold the hash algorithm name + fixed (char* pszPrfAlgorithmName = Constants.BCRYPT_SHA512_ALGORITHM) + { + BCryptBuffer* pBCryptBuffers = stackalloc BCryptBuffer[2]; + + // The first buffer should contain the PRF algorithm name (hardcoded to HMACSHA512). + // Per http://msdn.microsoft.com/en-us/library/aa375368(v=vs.85).aspx, cbBuffer must include the terminating null char. + pBCryptBuffers[0].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; + pBCryptBuffers[0].pvBuffer = (IntPtr)pszPrfAlgorithmName; + pBCryptBuffers[0].cbBuffer = (uint)((Constants.BCRYPT_SHA512_ALGORITHM.Length + 1) * sizeof(char)); + uint numBuffers = 1; + + fixed (byte* pPurpose = ((purpose != null && purpose.Length != 0) ? purpose : null)) + { + if (pPurpose != null) + { + // The second buffer will hold the purpose bytes if they're specified. + pBCryptBuffers[1].BufferType = BCryptKeyDerivationBufferType.KDF_LABEL; + pBCryptBuffers[1].pvBuffer = (IntPtr)pPurpose; + pBCryptBuffers[1].cbBuffer = (uint)purpose.Length; + numBuffers = 2; + } + + // Add the header + BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); + BCryptBufferDesc.Initialize(ref bufferDesc); + bufferDesc.cBuffers = numBuffers; + bufferDesc.pBuffers = pBCryptBuffers; + + // Finally, perform the calculation and validate that the actual number of bytes derived matches + // the number that the caller requested. 
+ uint numBytesDerived; + int status; + using (BCryptKeyHandle kdkHandle = BCryptUtil.ImportKey(SP800108AlgorithmHandle, pKdk, kdkByteLength)) + { + status = fnKeyDerivation(kdkHandle, &bufferDesc, pOutputBuffer, outputBufferByteLength, out numBytesDerived, dwFlags: 0); + } + if (status != 0 || numBytesDerived != outputBufferByteLength) + { + throw new CryptographicException(status); + } + } + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs new file mode 100644 index 0000000000..7d1a131676 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs 
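Review bot: In DeriveKeysWin7 the stackalloc'd `pTempResultBuffer` receives every HMACSHA512 output block, which is derived key material, and it is never cleared, so up to 64 bytes of subkey remain on the stack after the method returns or throws. Putting the loop in try/finally with `BufferUtil.SecureZeroMemory(pTempResultBuffer, TEMP_RESULT_OUTPUT_BYTES);` closes that using the helper added in this same commit. Separately, in DeriveKeysWin8 the test `status != 0 || numBytesDerived != outputBufferByteLength` throws `CryptographicException(status)` with a status of 0 when only the length differs, which reports a success code as the failure; that case should throw with its own message instead.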
@@ -0,0 +1,121 @@ +using System; +using System.Diagnostics; +using System.Reflection; +using System.Runtime.InteropServices; +using System.Security; + +#if NET45 +using System.Runtime.ConstrainedExecution; +#endif + +namespace Microsoft.Win32.SafeHandles +{ + /// + /// Represents a handle to a Windows module (DLL). + /// + internal sealed class SafeLibraryHandle : SafeHandleZeroOrMinusOneIsInvalid + { + // Called by P/Invoke when returning SafeHandles + private SafeLibraryHandle() + : base(ownsHandle: true) { } + + /// + /// Gets a delegate pointing to a given export from this library. + /// + public TDelegate GetProcAddress(string lpProcName, bool throwIfNotFound = true) where TDelegate : class + { + Debug.Assert(typeof(TDelegate).GetTypeInfo().IsSubclassOf(typeof(Delegate)), "TDelegate must be a delegate type!"); + + IntPtr pfnProc = UnsafeNativeMethods.GetProcAddress(this, lpProcName); + if (pfnProc == IntPtr.Zero) + { + if (throwIfNotFound) + { + UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); + } + else + { + return null; + } + } + + return (TDelegate)(object)Marshal.GetDelegateForFunctionPointer(pfnProc, typeof(TDelegate)); + } + + /// + /// Forbids this library from being unloaded. The library will remain loaded until process termination, + /// regardless of how many times FreeLibrary is called. + /// + public void ForbidUnload() + { + // from winbase.h + const uint GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS = 0x00000004U; + const uint GET_MODULE_HANDLE_EX_FLAG_PIN = 0x00000001U; + + IntPtr unused; + bool retVal = UnsafeNativeMethods.GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_PIN, this, out unused); + if (!retVal) + { + UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); + } + } + + /// + /// Opens a library. If 'filename' is not a fully-qualified path, the default search path is used. 
+ /// + public static SafeLibraryHandle Open(string filename) + { + SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibrary(filename); + if (handle == null || handle.IsInvalid) + { + UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); + } + return handle; + } + + // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. + protected override bool ReleaseHandle() + { + return UnsafeNativeMethods.FreeLibrary(handle); + } + + [SuppressUnmanagedCodeSecurity] + private static class UnsafeNativeMethods + { + private const string KERNEL32_LIB = "kernel32.dll"; + + // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx + [return: MarshalAs(UnmanagedType.Bool)] +#if NET45 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] + internal static extern bool FreeLibrary(IntPtr hModule); + + // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx + [return: MarshalAs(UnmanagedType.Bool)] + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + internal static extern bool GetModuleHandleEx( + [In] uint dwFlags, + [In] SafeLibraryHandle lpModuleName, // can point to a location within the module if GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS is set + [Out] out IntPtr phModule); + + // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true, BestFitMapping = false, ThrowOnUnmappableChar = true)] + internal static extern IntPtr GetProcAddress( + [In] SafeLibraryHandle hModule, + [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); + + // http://msdn.microsoft.com/en-us/library/ms684175(v=vs.85).aspx + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = 
true)] + internal static extern SafeLibraryHandle LoadLibrary( + [In, MarshalAs(UnmanagedType.LPWStr)]string lpFileName); + + internal static void ThrowExceptionForLastWin32Error() + { + int hr = Marshal.GetHRForLastWin32Error(); + Marshal.ThrowExceptionForHR(hr); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs b/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs new file mode 100644 index 0000000000..18ed3b1c92 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs @@ -0,0 +1,10 @@ +using System; +using System.Runtime.InteropServices; + +#if !NET45 +namespace System.Security +{ + [AttributeUsage(AttributeTargets.All, AllowMultiple = true, Inherited = false)] + internal sealed class SuppressUnmanagedCodeSecurityAttribute : Attribute { } +} +#endif diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index 611d1d4084..88e8eb961a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs @@ -1,17 +1,11 @@ using System; -using System.Collections.Generic; -using System.Linq; using System.Runtime.InteropServices; using System.Security; -using System.Text; -using System.Threading.Tasks; namespace Microsoft.AspNet.Security.DataProtection { -#if NET45 [SuppressUnmanagedCodeSecurity] -#endif - internal static unsafe class UnsafeNativeMethods + internal unsafe static class UnsafeNativeMethods { private const string BCRYPT_LIB = "bcrypt.dll"; private const string CRYPT32_LIB = "crypt32.dll"; 
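Review bot: `SafeLibraryHandle.Open` passes whatever name it is given to `LoadLibrary`, and the only caller in this diff passes the bare name "bcrypt.dll", so the module is resolved through the default DLL search order, which consults the application directory before System32. For a library that carries the key-derivation routine, resolution should be pinned to the system directory, either by passing a full path or by switching to `LoadLibraryEx` with `LOAD_LIBRARY_SEARCH_SYSTEM32`, as sketched below. On Windows 7, which the helper's summary says is supported, that flag depends on a platform update being installed, so confirm the minimum patch level before adopting it. If other callers of `Open` are added later and need the general search path, a separate entry point would be clearer than a shared one.

```csharp
public static SafeLibraryHandle Open(string filename)
{
    // from libloaderapi.h; a bare module name is then resolved from %windir%\System32 only
    const uint LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800U;

    SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibraryEx(filename, IntPtr.Zero, LOAD_LIBRARY_SEARCH_SYSTEM32);
    // … unchanged: invalid-handle check and return …
}

// … inside the nested UnsafeNativeMethods class, in place of LoadLibrary …
[DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)]
internal static extern SafeLibraryHandle LoadLibraryEx(
    [In, MarshalAs(UnmanagedType.LPWStr)] string lpFileName,
    [In] IntPtr hFile,
    [In] uint dwFlags);
```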
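Review bot: The new file is named `SuppressUnmanagedCodeSecurityAttribute - Copy.cs`, which looks like a file-manager duplicate that was committed by accident; it should be `SuppressUnmanagedCodeSecurityAttribute.cs`. The type is a locally declared stand-in that lets `[SuppressUnmanagedCodeSecurity]` compile when NET45 is not defined, and presumably carries no runtime meaning there, so a comment saying so would stop a reader from assuming the framework attribute's behaviour, for example `// Compile-time shim only: lets shared sources keep the attribute on targets that lack it`. The `using System.Runtime.InteropServices;` line is unused in this file.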
@@ -52,19 +46,6 @@ namespace Microsoft.AspNet.Security.DataProtection [Out] out uint pcbResult, [In] BCryptEncryptFlags dwFlags); - [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] - // http://msdn.microsoft.com/en-us/library/windows/desktop/dd433795(v=vs.85).aspx - internal static extern int BCryptDeriveKeyPBKDF2( - [In] BCryptAlgorithmHandle hPrf, - [In] byte* pbPassword, - [In] uint cbPassword, - [In] byte* pbSalt, - [In] uint cbSalt, - [In] ulong cIterations, - [In] byte* pbDerivedKey, - [In] uint cbDerivedKey, - [In] uint dwFlags); - [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx internal static extern int BCryptDestroyHash( @@ -177,6 +158,13 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint dwFlags, [Out] out DATA_BLOB pDataOut); + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380262(v=vs.85).aspx + internal static extern bool CryptProtectMemory( + [In] byte* pData, + [In] uint cbData, + [In] uint dwFlags); + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx internal static extern bool CryptUnprotectData( @@ -188,6 +176,13 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint dwFlags, [Out] out DATA_BLOB pDataOut); + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380890(v=vs.85).aspx + internal static extern bool CryptUnprotectMemory( + [In] byte* pData, + [In] uint cbData, + [In] uint dwFlags); + /* * KERNEL32.DLL */ 
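Review bot: The `CryptProtectMemory` declaration (and `CryptUnprotectMemory` in the next hunk) does not record that `cbData` must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE, 16 bytes, and that the buffer is transformed in place. `BufferUtil.ToProtectedManagedByteArray`, added in Util/BufferUtil.cs by this commit, forwards an arbitrary `byteCount`, so a caller with another length finds out only through a run-time failure; whether `BCryptUtil.ProtectMemoryWithinThisProcess` checks this is outside the visible hunks. A comment above both imports would help, such as `// cbData must be a multiple of 16 (CRYPTPROTECTMEMORY_BLOCK_SIZE); pData is encrypted/decrypted in place`.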
@@ -197,4 +192,4 @@ namespace Microsoft.AspNet.Security.DataProtection [In] IntPtr Destination, [In] UIntPtr /* SIZE_T */ Length); } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs index e982d35f9e..443ead3f93 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs 
@@ -1,40 +1,67 @@ using System; using System.Runtime.CompilerServices; +using System.Security.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.Util { - internal static unsafe class BufferUtil + internal unsafe static class BufferUtil { private static readonly byte[] _emptyArray = new byte[0]; [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void BlockCopy(IntPtr from, IntPtr to, int byteCount) + public static void BlockCopy(void* from, void* to, int byteCount) { - BlockCopy(from, to, checked((uint) byteCount)); // will be checked before invoking the delegate + BlockCopy(from, to, checked((uint)byteCount)); // will be checked before invoking the delegate } [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void BlockCopy(IntPtr from, IntPtr to, uint byteCount) + public static void BlockCopy(void* from, void* to, uint byteCount) { - BlockCopySlow((byte*) from, (byte*) to, byteCount); + if (byteCount != 0) + { +#if NET45 + BlockCopySlow((byte*)from, (byte*)to, byteCount); +#else + Buffer.MemoryCopy(source: from, destination: to, destinationSizeInBytes: byteCount, sourceBytesToCopy: byteCount); +#endif + } } +#if NET45 [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void BlockCopySlow(byte* from, byte* to, uint byteCount) + public static void BlockCopySlow(byte* from, byte* to, uint byteCount) { - // slow, but works while (byteCount-- != 0) { *(to++) = *(from++); } } +#endif + + /// + /// Securely clears a memory buffer. + /// + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static void SecureZeroMemory(byte* buffer, int byteCount) + { + SecureZeroMemory(buffer, checked((uint)byteCount)); + } + + /// + /// Securely clears a memory buffer. 
+ /// + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static void SecureZeroMemory(byte* buffer, uint byteCount) + { + UnsafeNativeMethods.RtlZeroMemory((IntPtr)buffer, (UIntPtr)byteCount); + } /// /// Creates a new managed byte[] from unmanaged memory. /// public static byte[] ToManagedByteArray(byte* ptr, int byteCount) { - return ToManagedByteArray(ptr, checked((uint) byteCount)); + return ToManagedByteArray(ptr, checked((uint)byteCount)); } /// @@ -51,28 +78,33 @@ namespace Microsoft.AspNet.Security.DataProtection.Util byte[] bytes = new byte[byteCount]; fixed (byte* pBytes = bytes) { - BlockCopy(from: (IntPtr) ptr, to: (IntPtr) pBytes, byteCount: byteCount); + BlockCopy(from: ptr, to: pBytes, byteCount: byteCount); } return bytes; } } /// - /// Clears a memory buffer. + /// Creates a new managed byte[] from unmanaged memory. The returned value will be protected + /// by CryptProtectMemory. /// - [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void ZeroMemory(byte* buffer, int byteCount) + public static byte[] ToProtectedManagedByteArray(byte* ptr, int byteCount) { - ZeroMemory(buffer, checked((uint) byteCount)); - } - - /// - /// Clears a memory buffer. - /// - [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void ZeroMemory(byte* buffer, uint byteCount) - { - UnsafeNativeMethods.RtlZeroMemory((IntPtr) buffer, (UIntPtr) byteCount); // don't require 'checked': uint -> UIntPtr always guaranteed to succeed + byte[] bytes = new byte[byteCount]; + fixed (byte* pBytes = bytes) + { + try + { + BlockCopy(from: ptr, to: pBytes, byteCount: byteCount); + BCryptUtil.ProtectMemoryWithinThisProcess(pBytes, (uint)byteCount); + } + catch + { + SecureZeroMemory(pBytes, byteCount); + throw; + } + } + return bytes; } } -} \ No newline at end of file +} 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs new file mode 100644 index 0000000000..f3bfe2b5fe --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs @@ -0,0 +1,23 @@ +using System; +using System.Diagnostics; + +namespace Microsoft.AspNet.Security.DataProtection.Util +{ + /// + /// Defines helper methods for working with fixed expression blocks. + /// + internal static class ByteArrayExtensions + { + private static readonly byte[] _dummyBuffer = new byte[1]; + + // Since the 'fixed' keyword turns a zero-length array into a pointer, we need + // to make sure we're always providing a buffer of length >= 1 so that the + // p/invoke methods we pass the pointers to don't see a null pointer. Callers + // are still responsible for passing a proper length to the p/invoke routines. + public static byte[] AsFixed(this byte[] buffer) + { + Debug.Assert(buffer != null); + return (buffer.Length != 0) ? buffer : _dummyBuffer; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs new file mode 100644 index 0000000000..0d2b727507 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs @@ -0,0 +1,20 @@ +using System; +using System.Runtime.CompilerServices; + +namespace Microsoft.AspNet.Security.DataProtection.Util +{ + internal unsafe static class MemoryUtil + { + /// + /// Writes an Int32 to a potentially unaligned memory address, big-endian. + /// + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static void UnalignedWriteBigEndian(byte* address, uint value) + { + *(address++) = (byte)(value >> 24); + *(address++) = (byte)(value >> 16); + *(address++) = (byte)(value >> 8); + *(address) = (byte)value; + } + } +} 
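Review bot: `AsFixed` returns the same static `_dummyBuffer` to every caller that passes an empty array, and the comment does not say that the resulting pointer must be treated as read-only. If a later caller pins it as an output buffer and passes a nonzero length, the write lands in one byte shared by all threads in the process. I would extend the comment with `// The dummy buffer is shared process-wide: use it only for input pointers paired with a zero length.` The `Debug.Assert(buffer != null)` disappears in release builds, so callers remain responsible for the null check, as Protect does in the hunks above.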
diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index e1784c0b4e..ef495793cb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -11,7 +11,10 @@ "System.Reflection": "4.0.10.0", "System.Resources.ResourceManager": "4.0.0.0", "System.Runtime": "4.0.20.0", - "System.Runtime.InteropServices": "4.0.20.0" + "System.Runtime.Extensions": "4.0.10.0", + "System.Runtime.InteropServices": "4.0.20.0", + "System.Security.Cryptography": "4.0.0.0", + "System.Text.Encoding.Extensions": "4.0.10.0" } } }, From 6bc6da1c7d709bc6cef8d27c4e7d2ad115929b22 Mon Sep 17 00:00:00 2001 From: Levi Broderick Date: Tue, 15 Apr 2014 22:10:09 -0700 Subject: [PATCH 015/493] Fix build break: inadvertently removed PBKDF2.cs and related functionality --- .../Algorithms.cs | 21 +++--- .../PBKDF2.cs | 65 +++++++++++++++++++ .../UnsafeNativeMethods.cs | 13 ++++ 3 files changed, 88 insertions(+), 11 deletions(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs index a2e3589613..bd721c207c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs 
@@ -31,11 +31,11 @@ namespace Microsoft.AspNet.Security.DataProtection return algHandle; } - private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() + + internal static BCryptAlgorithmHandle CreateGenericHMACHandleFromPrimitiveProvider(string algorithmName) { - // create the HMACSHA-256 instance BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA256_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); + int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, algorithmName, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); if (status != 0 || algHandle == null || algHandle.IsInvalid) { throw new CryptographicException(status); @@ -44,17 +44,16 @@ namespace Microsoft.AspNet.Security.DataProtection return algHandle; } + private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() + { + // create the HMACSHA-256 instance + return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA256_ALGORITHM); + } + private static BCryptAlgorithmHandle CreateHMACSHA512AlgorithmHandle() { // create the HMACSHA-512 instance - BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SHA512_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); - if (status != 0 || algHandle == null || algHandle.IsInvalid) - { - throw new CryptographicException(status); - } - - return algHandle; + return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA512_ALGORITHM); } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs new file mode 100644 index 0000000000..c8824b37c1 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs 
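Review bot: `CreateGenericHMACHandleFromPrimitiveProvider` now forwards a free-form `algorithmName` to `BCryptOpenAlgorithmProvider`, and the public `PBKDF2.DeriveKey` added in this commit passes its caller's string straight through, so any hash the primitive provider exposes can be chosen as the PRF, presumably including legacy ones. I would either restrict the accepted names to the ones the library intends to support (the SHA-256/SHA-512 constants used below, plus SHA1 for the documented Rfc2898DeriveBytes compatibility) or document the accepted identifiers on the helper. Separately, the unchanged failure check throws `new CryptographicException(status)` even when `status` is 0 and only the handle is invalid, which yields an exception carrying a success code. The enclosing class begins outside this hunk.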
@@ -0,0 +1,65 @@
+using System;
+using System.Security.Cryptography;
+
+namespace Microsoft.AspNet.Security.DataProtection
+{
+ ///
+ /// Helper class to derive keys from low-entropy passwords using the PBKDF2 algorithm.
+ ///
+ public static class PBKDF2
+ {
+ ///
+ /// Derives a key from a low-entropy password.
+ ///
+ /// The name of the PRF to use for key derivation.
+ /// The low-entropy password from which to generate a key.
+ /// The salt used to randomize the key derivation.
+ /// The number of iterations to perform.
+ /// The desired byte length of the derived key.
+ /// A key derived from the provided password.
+ /// For compatibility with the Rfc2898DeriveBytes class, specify "SHA1" for the algorithmName parameter.
+ public unsafe static byte[] DeriveKey(string algorithmName, byte[] password, byte[] salt, ulong iterationCount, uint numBytesToDerive)
+ {
+ if (String.IsNullOrEmpty(algorithmName))
+ {
+ throw new ArgumentException(Res.Common_NullOrEmpty, "algorithmName");
+ }
+ if (password == null || password.Length == 0)
+ {
+ throw new ArgumentException(Res.Common_NullOrEmpty, "password");
+ }
+ if (salt == null || salt.Length == 0)
+ {
+ throw new ArgumentException(Res.Common_NullOrEmpty, "salt");
+ }
+ if (iterationCount <= 0)
+ {
+ throw new ArgumentOutOfRangeException("iterationCount");
+ }
+
+ byte[] derivedKey = new byte[numBytesToDerive];
+ int status;
+
+ using (BCryptAlgorithmHandle algHandle = Algorithms.CreateGenericHMACHandleFromPrimitiveProvider(algorithmName))
+ {
+ fixed (byte* pPassword = password)
+ fixed (byte* pSalt = salt)
+ fixed (byte* pDerivedKey = derivedKey)
+ {
+ status = UnsafeNativeMethods.BCryptDeriveKeyPBKDF2(
+ algHandle, pPassword, (uint)password.Length, pSalt, (uint)salt.Length, iterationCount,
+ pDerivedKey, numBytesToDerive, dwFlags: 0);
+ }
+ }
+
+ if (status == 0 /* STATUS_SUCCESS */)
+ {
+ return derivedKey;
+ }
+ else
+ {
+ throw new CryptographicException(status);
+ }
+ }
+ }
+}
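Review bot: `numBytesToDerive` is the only argument `DeriveKey` does not validate. With 0, `fixed (byte* pDerivedKey = derivedKey)` pins an empty array and yields a null pointer (the case the `AsFixed` helper in Util/ByteArrayExtensions.cs was written for), so the result depends on how `BCryptDeriveKeyPBKDF2` treats a null output buffer, and a very large value fails inside the array allocation instead of as an argument error. Add a guard next to the existing ones: `if (numBytesToDerive == 0) { throw new ArgumentOutOfRangeException("numBytesToDerive"); }`. Note also that `iterationCount <= 0` on a `ulong` can only mean `== 0` and no upper bound is applied, so the parameter documentation should tell callers who read the count from stored or remote data to cap it themselves.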
diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index 88e8eb961a..086de32397 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs @@ -46,6 +46,19 @@ namespace Microsoft.AspNet.Security.DataProtection [Out] out uint pcbResult, [In] BCryptEncryptFlags dwFlags); + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/dd433795(v=vs.85).aspx + internal static extern int BCryptDeriveKeyPBKDF2( + [In] BCryptAlgorithmHandle hPrf, + [In] byte* pbPassword, + [In] uint cbPassword, + [In] byte* pbSalt, + [In] uint cbSalt, + [In] ulong cIterations, + [In] byte* pbDerivedKey, + [In] uint cbDerivedKey, + [In] uint dwFlags); + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx internal static extern int BCryptDestroyHash( From 83663f789bbb6501e5aa4b6acb6bf8ed7b694be9 Mon Sep 17 00:00:00 2001 From: David Fowler Date: Tue, 29 Apr 2014 23:07:29 -0700 Subject: [PATCH 016/493] Added support for protected data style DPAPI - This won't work across core clr and desktop and mono but that's ok for the moment because it unblocks things --- .../DataProtectionProvider.cs | 16 +++++ ...osoft.AspNet.Security.DataProtection.kproj | 2 + .../ProtectedDataProtectionProvider.cs | 72 +++++++++++++++++++ .../project.json | 6 +- 4 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs index 2babfa5008..b9a015c819 100644 
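Review bot: `pbDerivedKey` is the buffer the native function fills, yet the new declaration marks it `[In] byte* pbDerivedKey`. As far as I can tell the attribute has no marshalling effect on a raw pointer, so it serves only as documentation here, and it documents the wrong direction. I would write `[Out] byte* pbDerivedKey` to match how `[Out] out uint pcbResult` is annotated just above, or drop the attribute and add `// receives cbDerivedKey bytes of derived key material`. The enclosing class begins outside this hunk.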
--- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs @@ -1,5 +1,8 @@ using System; using System.Globalization; +#if NET45 +using System.Security.Cryptography; +#endif using System.Text; using Microsoft.AspNet.Security.DataProtection; using Microsoft.AspNet.Security.DataProtection.Util; @@ -24,6 +27,19 @@ namespace Microsoft.AspNet.Security.DataProtection return CreateFromDpapi(protectToLocalMachine: false); } +#if NET45 + // These are for mono + public static IDataProtectionProvider CreateFromLegacyDpapi() + { + return CreateFromLegacyDpapi(DataProtectionScope.CurrentUser); + } + + public static IDataProtectionProvider CreateFromLegacyDpapi(DataProtectionScope scope) + { + return new ProtectedDataProtectionProvider(scope); + } +#endif + /// /// Creates a new IDataProtectionProvider backed by DPAPI. /// diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index 9b57d1f1b4..3e3e702521 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -23,6 +23,8 @@ + + diff --git a/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs new file mode 100644 index 0000000000..d9444402f7 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs 
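Review bot: The two new public `CreateFromLegacyDpapi` overloads are documented only by `// These are for mono`, while the neighbouring `CreateFromDpapi` carries an XML summary. The commit message itself says this will not work across core clr, desktop and mono, and that limitation belongs on the API, together with the fact that the parameterless overload uses `DataProtectionScope.CurrentUser`. For example: `/// Creates an IDataProtectionProvider backed by System.Security.Cryptography.ProtectedData (NET45 only); protected payloads are not portable across runtimes.` The enclosing class begins outside this hunk.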
@@ -0,0 +1,72 @@
+#if NET45
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Microsoft.AspNet.Security.DataProtection
+{
+ internal class ProtectedDataProtectionProvider : IDataProtectionProvider
+ {
+ private readonly DataProtectionScope _scope;
+
+ public ProtectedDataProtectionProvider(DataProtectionScope scope)
+ {
+ _scope = scope;
+ }
+
+ public IDataProtector CreateProtector(string purpose)
+ {
+ return new ProtectedDataProtector(_scope, purpose);
+ }
+
+ public void Dispose()
+ {
+
+ }
+
+ private class ProtectedDataProtector : IDataProtector
+ {
+ private readonly DataProtectionScope _scope;
+ private readonly byte[] _entropy;
+
+ public ProtectedDataProtector(DataProtectionScope scope, string purpose)
+ {
+ _scope = scope;
+ _entropy = Encoding.UTF8.GetBytes(purpose);
+ }
+
+ private ProtectedDataProtector(DataProtectionScope scope, byte[] entropy)
+ {
+ _scope = scope;
+ _entropy = entropy;
+ }
+
+ public IDataProtector CreateSubProtector(string purpose)
+ {
+ var purposeBytes = Encoding.UTF8.GetBytes(purpose);
+ var subProtectorEntropy = new byte[_entropy.Length + purposeBytes.Length];
+
+ Buffer.BlockCopy(_entropy, 0, subProtectorEntropy, 0, _entropy.Length);
+ Buffer.BlockCopy(purposeBytes, 0, subProtectorEntropy, _entropy.Length, purposeBytes.Length);
+
+ return new ProtectedDataProtector(_scope, subProtectorEntropy);
+ }
+
+ public byte[] Protect(byte[] unprotectedData)
+ {
+ return ProtectedData.Protect(unprotectedData, _entropy, _scope);
+ }
+
+ public byte[] Unprotect(byte[] protectedData)
+ {
+ return ProtectedData.Unprotect(protectedData, _entropy, _scope);
+ }
+
+ public void Dispose()
+ {
+
+ }
+ }
+ }
+}
+#endif
diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json
index ef495793cb..e290f191b6 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/project.json
+++ b/src/Microsoft.AspNet.Security.DataProtection/project.json
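Review bot: `CreateSubProtector` appends the new purpose's UTF-8 bytes directly to the parent entropy, so the purpose chain is ambiguous: a protector for "ab" sub-protected with "c" gets the same entropy as "a" followed by "bc", or as the single purpose "abc". Purposes are presumably meant to isolate consumers from one another, and with this encoding two differently scoped protectors can unprotect each other's payloads. Framing every purpose with its length, in the string constructor as well as in `CreateSubProtector`, removes the ambiguity; the file is new in this commit, so there should be no stored data to migrate. A null `purpose` currently surfaces as an exception from `Encoding.UTF8.GetBytes`, and an explicit argument check would be clearer.

```csharp
public ProtectedDataProtector(DataProtectionScope scope, string purpose)
{
    _scope = scope;
    _entropy = AppendPurpose(new byte[0], purpose);
}

// … unchanged: private (scope, entropy) constructor …

public IDataProtector CreateSubProtector(string purpose)
{
    return new ProtectedDataProtector(_scope, AppendPurpose(_entropy, purpose));
}

// Frames each purpose as [4-byte big-endian length][UTF-8 bytes] so that
// distinct purpose chains can never produce the same entropy.
private static byte[] AppendPurpose(byte[] existing, string purpose)
{
    if (purpose == null)
    {
        throw new ArgumentNullException("purpose");
    }

    var purposeBytes = Encoding.UTF8.GetBytes(purpose);
    var framed = new byte[existing.Length + 4 + purposeBytes.Length];

    Buffer.BlockCopy(existing, 0, framed, 0, existing.Length);
    framed[existing.Length] = (byte)(purposeBytes.Length >> 24);
    framed[existing.Length + 1] = (byte)(purposeBytes.Length >> 16);
    framed[existing.Length + 2] = (byte)(purposeBytes.Length >> 8);
    framed[existing.Length + 3] = (byte)purposeBytes.Length;
    Buffer.BlockCopy(purposeBytes, 0, framed, existing.Length + 4, purposeBytes.Length);

    return framed;
}

// … unchanged: Protect, Unprotect, Dispose …
```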
@@ -1,7 +1,11 @@ { "version": "0.1-alpha-*", "configurations": { - "net45": {}, + "net45": { + "dependencies": { + "System.Security": "" + } + }, "k10": { "dependencies": { "System.Diagnostics.Debug": "4.0.10.0", From 27d59cd80b65604d7f22a24411539f19a38f2c60 Mon Sep 17 00:00:00 2001 
From: anpete Date: Thu, 1 May 2014 17:36:30 -0700 Subject: [PATCH 017/493] Update file headers --- .../Algorithms.cs | 19 ++++++++++++++++++- .../BCRYPT_KEY_DATA_BLOB_HEADER.cs | 19 ++++++++++++++++++- .../BCryptAlgorithmFlags.cs | 19 ++++++++++++++++++- .../BCryptAlgorithmHandle.cs | 19 ++++++++++++++++++- .../BCryptBuffer.cs | 19 ++++++++++++++++++- .../BCryptBufferDesc.cs | 19 ++++++++++++++++++- .../BCryptEncryptFlags.cs | 19 ++++++++++++++++++- .../BCryptGenRandomFlags.cs | 19 ++++++++++++++++++- .../BCryptHashHandle.cs | 19 ++++++++++++++++++- .../BCryptKeyDerivationBufferType.cs | 19 ++++++++++++++++++- .../BCryptKeyHandle.cs | 19 ++++++++++++++++++- .../BCryptUtil.cs | 19 ++++++++++++++++++- .../Constants.cs | 19 ++++++++++++++++++- .../CryptRand.cs | 19 ++++++++++++++++++- .../DATA_BLOB.cs | 19 ++++++++++++++++++- .../DataProtectionProvider.cs | 19 ++++++++++++++++++- .../DataProtectionProviderImpl.cs | 19 ++++++++++++++++++- .../DataProtectorImpl.cs | 19 ++++++++++++++++++- .../DpapiDataProtectionProviderImpl.cs | 19 ++++++++++++++++++- .../DpapiDataProtectorImpl.cs | 19 ++++++++++++++++++- .../IDataProtectionProvider.cs | 19 ++++++++++++++++++- .../IDataProtector.cs | 19 ++++++++++++++++++- .../PBKDF2.cs | 19 ++++++++++++++++++- .../Properties/Res.Designer.cs | 17 +++++++++++++++++ .../ProtectedDataProtectionProvider.cs | 19 ++++++++++++++++++- .../SP800_108Helper.cs | 19 ++++++++++++++++++- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 19 ++++++++++++++++++- .../SafeLibraryHandle.cs | 19 ++++++++++++++++++- ...ssUnmanagedCodeSecurityAttribute - Copy.cs | 19 ++++++++++++++++++- .../UnsafeNativeMethods.cs | 19 ++++++++++++++++++- .../Util/BufferUtil.cs | 19 ++++++++++++++++++- .../Util/ByteArrayExtensions.cs | 19 ++++++++++++++++++- .../Util/MemoryUtil.cs | 19 ++++++++++++++++++- 33 files changed, 593 insertions(+), 32 deletions(-) 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs index bd721c207c..1e0cd6fe2f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Security.Cryptography; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs index ffb5f32308..d89f9dbd09 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs index a4c2e5b927..57be75d8fa 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs index 0824fb3aab..1259dd0687 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using Microsoft.Win32.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs index 20f3305c18..a5fe6998ba 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs index 4ed446cb39..37f47ece40 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs index 491e2ab9bd..96881f7992 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs index 6c17410e5d..1501312836 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs index c20e2e785f..7e5857cf52 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using Microsoft.Win32.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs index 11fe12af50..720e4c007a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs index 491b807dd0..abab4a70a3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using Microsoft.Win32.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs index 0ec7d478f1..67da467a65 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Diagnostics; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs index 1cba9e94bc..e375faac95 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs index b4a233cbe6..c9a3b10d9b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs index 73a4cb5263..c98ca810d4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.InteropServices; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs index b9a015c819..e0bac89545 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Globalization; #if NET45 using System.Security.Cryptography; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs index 97f0b7f895..09a39df78a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs index 111e3118b8..0c75701739 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Diagnostics; using System.Security.Cryptography; using Microsoft.AspNet.Security.DataProtection.Util; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs index 679a5b094a..ee0170f15a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Diagnostics; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs index 66be4205a2..ae23a6bdf7 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs 
@@ -1,4 +1,21 @@
-using System;
+// Copyright (c) Microsoft Open Technologies, Inc.
+// All Rights Reserved
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR
+// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF
+// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR
+// NON-INFRINGEMENT.
+// See the Apache 2 License for the specific language governing
+// permissions and limitations under the License.
+
+using System;
 using System.Diagnostics;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs
index eb529127b6..65b073f666 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs index f1f41dd81e..41e67ce5d9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; namespace Microsoft.AspNet.Security.DataProtection { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs index c8824b37c1..3afe833fa6 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Security.Cryptography; namespace Microsoft.AspNet.Security.DataProtection diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs index bac3e9fcff..bfca0c9e8b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs 
@@ -1,3 +1,20 @@ +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + // namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs index d9444402f7..a27eccba16 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs @@ -1,4 +1,21 @@ -#if NET45 +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +#if NET45 using System; using System.Security.Cryptography; using System.Text; 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs
index f08127f864..8dda20e80b 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs
@@ -1,4 +1,21 @@
-using System;
+// Copyright (c) Microsoft Open Technologies, Inc.
+// All Rights Reserved
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR
+// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF
+// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR
+// NON-INFRINGEMENT.
+// See the Apache 2 License for the specific language governing
+// permissions and limitations under the License.
+
+using System;
 using System.Net;
 using System.Runtime.InteropServices;
 using System.Security;
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs
index ea76877d13..477976c049 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.InteropServices; #if !NET45 diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs index 7d1a131676..7f856ec509 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Diagnostics; using System.Reflection; using System.Runtime.InteropServices; 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs b/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs index 18ed3b1c92..357675482d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.InteropServices; #if !NET45 diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index 086de32397..a5902d3526 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.InteropServices; using System.Security; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs index 443ead3f93..72a006e4eb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.CompilerServices; using System.Security.Cryptography; 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs index f3bfe2b5fe..1e1796dd99 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs @@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Diagnostics; namespace Microsoft.AspNet.Security.DataProtection.Util diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs index 0d2b727507..263ce1a340 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs 
@@ -1,4 +1,21 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. +// All Rights Reserved +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR +// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING +// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF +// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR +// NON-INFRINGEMENT. +// See the Apache 2 License for the specific language governing +// permissions and limitations under the License. + +using System; using System.Runtime.CompilerServices; namespace Microsoft.AspNet.Security.DataProtection.Util From c52529579bf11dca816c623c40cd9400f80b763a Mon Sep 17 00:00:00 2001 From: Louis DeJardin Date: Fri, 2 May 2014 14:45:21 -0700 Subject: [PATCH 018/493] Updating build scripts --- .gitignore | 3 +++ NuGet.Config | 2 +- build.cmd | 3 +++ build.sh | 30 ++++++++++++++++++++++++++++++ 4 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 build.sh diff --git a/.gitignore b/.gitignore index 2554a1fc23..aba9c594d7 100644 --- a/.gitignore +++ b/.gitignore @@ -13,6 +13,7 @@ PublishProfiles/ _ReSharper.* nuget.exe *net45.csproj +*net451.csproj *k10.csproj *.psess *.vsp @@ -20,3 +21,5 @@ nuget.exe *.userprefs *DS_Store *.ncrunchsolution +*.*sdf +*.ipch \ No newline at end of file diff --git a/NuGet.Config b/NuGet.Config index 9dc2833940..a059188b09 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + diff --git a/build.cmd b/build.cmd index 7045ee1f84..2c32132fa3 100644 --- a/build.cmd +++ b/build.cmd 
@@ -18,6 +18,9 @@ copy %CACHED_NUGET% .nuget\nuget.exe > nul IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion +CALL packages\KoreBuild\build\kvm install -svr50 -x86 +CALL packages\KoreBuild\build\kvm install -svrc50 -x86 :run +CALL packages\KoreBuild\build\kvm use default -svr50 -x86 packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* diff --git a/build.sh b/build.sh new file mode 100644 index 0000000000..db1e0c3dde --- /dev/null +++ b/build.sh @@ -0,0 +1,30 @@ +#!/bin/sh + +if test `uname` = Darwin; then + cachedir=~/Library/Caches/KBuild +else + if x$XDG_DATA_HOME = x; then + cachedir=$HOME/.local/share + else + cachedir=$XDG_DATA_HOME; + fi +fi +mkdir -p $cachedir + +url=https://www.nuget.org/nuget.exe + +if test ! -f $cachedir/nuget.exe; then + wget -o $cachedir/nuget.exe $url 2>/dev/null || curl -o $cachedir/nuget.exe --location $url /dev/null +fi + +if test ! -e .nuget; then + mkdir .nuget + cp $cachedir/nuget.exe .nuget +fi + +if test ! -d packages/KoreBuild; then + mono .nuget/nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre + mono .nuget/nuget.exe install Sake -version 0.2 -o packages -ExcludeVersion +fi + +mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" \ No newline at end of file From 3c034f92f7fdd0a8f4797a7ddb849646d39800ce Mon Sep 17 00:00:00 2001 From: Louis DeJardin Date: Fri, 2 May 2014 15:07:36 -0700 Subject: [PATCH 019/493] Updating build scripts --- build.cmd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.cmd b/build.cmd index 2c32132fa3..903d532df3 100644 --- a/build.cmd +++ b/build.cmd 
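Review bot: The added `CALL packages\KoreBuild\build\kvm ...` lines execute a script out of a KoreBuild package that the context line above installs with `-pre` and no `-version`, so every clean build runs whatever prerelease the configured feed currently serves. Pin it the way Sake is pinned on the next line, e.g. `.nuget\NuGet.exe install KoreBuild -version <PINNED_VERSION> -ExcludeVersion -o packages -nocache`, and bump that version deliberately. None of the three `CALL`s checks its result either; assuming kvm returns a non-zero exit code on failure, `IF ERRORLEVEL 1 EXIT /B 1` after `kvm use default -svr50 -x86` would keep Sake from running against an unintended runtime. The same points apply to the `kvm upgrade` hunk in the following commit.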
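Review bot: The download step in the new build.sh does not do what it intends: `wget -o` names wget's log file rather than the output document (that is `-O`), the curl fallback passes `/dev/null` as a second URL because the `2>` is missing, and `if x$XDG_DATA_HOME = x` lacks `test`, so in practice the else branch always runs and `cachedir` is empty when XDG_DATA_HOME is unset. I would write `if test "x$XDG_DATA_HOME" = x; then` and `wget -O "$cachedir/nuget.exe" "$url" 2>/dev/null || curl -o "$cachedir/nuget.exe" --location "$url" 2>/dev/null`, quoting the variables throughout. Because the cached nuget.exe is then run with mono on every later build, the script should also stop when the download fails and compare the file with a pinned digest before first use, for example `echo "<EXPECTED_SHA256>  $cachedir/nuget.exe" | sha256sum -c -`.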
@@ -18,8 +18,8 @@ copy %CACHED_NUGET% .nuget\nuget.exe > nul IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion -CALL packages\KoreBuild\build\kvm install -svr50 -x86 -CALL packages\KoreBuild\build\kvm install -svrc50 -x86 +CALL packages\KoreBuild\build\kvm upgrade -svr50 -x86 +CALL packages\KoreBuild\build\kvm install default -svrc50 -x86 :run CALL packages\KoreBuild\build\kvm use default -svr50 -x86 From 92163035b82f14dcf40413759a8fd942ccf8dd40 Mon Sep 17 00:00:00 2001 From: Eilon Lipton Date: Thu, 8 May 2014 16:37:40 -0700 Subject: [PATCH 020/493] Create LICENSE.txt --- LICENSE.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 LICENSE.txt diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 0000000000..d85a1524ad --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,12 @@ +Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not use +these files except in compliance with the License. You may obtain a copy of the +License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed +under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. See the License for the +specific language governing permissions and limitations under the License. From b2a8c3db41088a8b58eb2f950ea3f586f106c974 Mon Sep 17 00:00:00 2001 
From: Andrew Peters Date: Thu, 8 May 2014 23:00:47 -0700 Subject: [PATCH 021/493] Updating copyright headers --- .../Algorithms.cs | 18 ++---------------- .../BCRYPT_KEY_DATA_BLOB_HEADER.cs | 18 ++---------------- .../BCryptAlgorithmFlags.cs | 18 ++---------------- .../BCryptAlgorithmHandle.cs | 18 ++---------------- .../BCryptBuffer.cs | 18 ++---------------- .../BCryptBufferDesc.cs | 18 ++---------------- .../BCryptEncryptFlags.cs | 18 ++---------------- .../BCryptGenRandomFlags.cs | 18 ++---------------- .../BCryptHashHandle.cs | 18 ++---------------- .../BCryptKeyDerivationBufferType.cs | 18 ++---------------- .../BCryptKeyHandle.cs | 18 ++---------------- .../BCryptUtil.cs | 18 ++---------------- .../Constants.cs | 18 ++---------------- .../CryptRand.cs | 18 ++---------------- .../DATA_BLOB.cs | 18 ++---------------- .../DataProtectionProvider.cs | 18 ++---------------- .../DataProtectionProviderImpl.cs | 18 ++---------------- .../DataProtectorImpl.cs | 18 ++---------------- .../DpapiDataProtectionProviderImpl.cs | 18 ++---------------- .../DpapiDataProtectorImpl.cs | 18 ++---------------- .../IDataProtectionProvider.cs | 18 ++---------------- .../IDataProtector.cs | 18 ++---------------- .../PBKDF2.cs | 18 ++---------------- .../Properties/Res.Designer.cs | 17 ----------------- .../ProtectedDataProtectionProvider.cs | 18 ++---------------- .../SP800_108Helper.cs | 18 ++---------------- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 18 ++---------------- .../SafeLibraryHandle.cs | 18 ++---------------- ...essUnmanagedCodeSecurityAttribute - Copy.cs | 18 ++---------------- .../UnsafeNativeMethods.cs | 18 ++---------------- .../Util/BufferUtil.cs | 18 ++---------------- .../Util/ByteArrayExtensions.cs | 18 ++---------------- .../Util/MemoryUtil.cs | 18 ++---------------- 33 files changed, 64 insertions(+), 529 deletions(-) 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs index 1e0cd6fe2f..f09f9709aa 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs @@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Security.Cryptography; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs index d89f9dbd09..67327aba4a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.CompilerServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs index 57be75d8fa..38b5818e18 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs index 1259dd0687..5d05d68027 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using Microsoft.Win32.SafeHandles; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs index a5fe6998ba..818a35360b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.CompilerServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs index 37f47ece40..e27c12df36 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.CompilerServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs index 96881f7992..a435271ff3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs index 1501312836..1e96354394 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs index 7e5857cf52..6144c3e3ec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using Microsoft.Win32.SafeHandles; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs index 720e4c007a..6cc9882dd9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs index abab4a70a3..55275b556a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using Microsoft.Win32.SafeHandles; diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs index 67da467a65..ad60cc9ed0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Diagnostics; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs index e375faac95..0a681d188c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs index c9a3b10d9b..04bf2826c7 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs index c98ca810d4..ba198c6d8b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.InteropServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs index e0bac89545..3b612f6190 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Globalization; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs index 09a39df78a..45ffa2afd0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs index 0c75701739..778eb089b7 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Diagnostics; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs index ee0170f15a..fa6df2f6ad 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Diagnostics; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs index ae23a6bdf7..0d0ed33094 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Diagnostics; diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs index 65b073f666..2b39b475f1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs index 41e67ce5d9..e873fbeed0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs index 3afe833fa6..c2f7c22b86 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Security.Cryptography; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs index bfca0c9e8b..bac3e9fcff 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs 
@@ -1,20 +1,3 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. - // namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs index a27eccba16..bf34a8dcd8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. #if NET45 using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs index 8dda20e80b..95ba77614c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Net; diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs index 477976c049..1b8411a3a4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.InteropServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs index 7f856ec509..60422203be 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Diagnostics; diff --git a/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs b/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs index 357675482d..44d277e244 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.InteropServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index a5902d3526..5ca8c60069 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.InteropServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs index 72a006e4eb..bc56d1a15e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.CompilerServices; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs index 1e1796dd99..ebf1aa2462 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Diagnostics; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs index 263ce1a340..cd2e672c73 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs 
@@ -1,19 +1,5 @@ -// Copyright (c) Microsoft Open Technologies, Inc. -// All Rights Reserved -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR -// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF -// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR -// NON-INFRINGEMENT. -// See the Apache 2 License for the specific language governing -// permissions and limitations under the License. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.CompilerServices; From 466f0dce22951eff46f1afe8854e34441c6ab8d9 Mon Sep 17 00:00:00 2001 From: Glenn Date: Mon, 12 May 2014 21:46:04 -0700 Subject: [PATCH 022/493] Create README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000000..a8102a4eb3 --- /dev/null +++ b/README.md @@ -0,0 +1,6 @@ +DataProtection +============== + +Data Protection APIs + +This project is part of ASP.NET vNext. You can find samples, documentation and getting started instructions for ASP.NET vNext at the [Home](https://github.com/aspnet/home) repo. From b532586307b2a8404c50c74202cf75df27b518f3 Mon Sep 17 00:00:00 2001 From: Eilon Lipton Date: Tue, 13 May 2014 01:02:10 -0700 Subject: [PATCH 023/493] Create CONTRIBUTING.md --- CONTRIBUTING.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000000..eac4268e4c --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,4 @@ +Contributing +====== + +Information on contributing to this repo is in the [Contributing Guide](https://github.com/aspnet/Home/blob/master/CONTRIBUTING.md) in the Home repo. From fae42b596df88a6e9ae78ef39c4ae38b19776763 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Sun, 18 May 2014 20:13:54 -0700 Subject: [PATCH 024/493] Updating kproj file to match tooling changes --- .gitignore | 3 ++- .../Microsoft.AspNet.Security.DataProtection.kproj | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index aba9c594d7..08e21e25bf 100644 --- a/.gitignore +++ b/.gitignore @@ -22,4 +22,5 @@ nuget.exe *DS_Store *.ncrunchsolution *.*sdf -*.ipch \ No newline at end of file +*.ipch +*.sln.ide \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index 3e3e702521..263e627514 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -1,10 +1,10 @@ - + 12.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 1e570cd4-6f12-44f4-961e-005ee2002bc2 Library @@ -55,5 +55,5 @@ - + \ No newline at end of file From 49196aaec32e4125f1d892863e738f54c84d758a Mon Sep 17 00:00:00 2001 From: David Fowler Date: Mon, 26 May 2014 02:47:54 -0700 Subject: [PATCH 025/493] Fixed project.json casing --- .../Microsoft.AspNet.Security.DataProtection.kproj | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index 263e627514..8fb3a1fc6a 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -1,4 +1,4 @@ - + 12.0 @@ -17,7 +17,7 @@ 2.0 - + @@ -56,4 +56,4 @@ - \ No newline at end of file + From 1bd9dd46e19489ce437b54c6d7ed5b579da7a12a Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 3 Jun 2014 10:14:14 -0700 Subject: [PATCH 026/493] Adding switch to build.cmd to skip KRE install --- build.cmd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build.cmd b/build.cmd index 903d532df3..3aaf957583 100644 --- a/build.cmd +++ b/build.cmd @@ -18,6 +18,8 @@ copy %CACHED_NUGET% .nuget\nuget.exe > nul IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion + +IF "%SKIP_KRE_INSTALL%"=="1" goto run CALL packages\KoreBuild\build\kvm upgrade -svr50 -x86 CALL packages\KoreBuild\build\kvm install default -svrc50 -x86 From ae879573cac159e24b70914059891ccb1b12b8d2 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 10 Jun 2014 17:16:45 -0700 Subject: [PATCH 027/493] Updating build.sh based on KRuntime changes --- build.sh | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/build.sh b/build.sh index db1e0c3dde..4323aefc48 100644 --- a/build.sh +++ b/build.sh @@ -3,10 +3,10 @@ if test `uname` = Darwin; then cachedir=~/Library/Caches/KBuild else - if x$XDG_DATA_HOME = x; then - cachedir=$HOME/.local/share + if [ -z $XDG_DATA_HOME ]; then + cachedir=$HOME/.local/share else - cachedir=$XDG_DATA_HOME; + cachedir=$XDG_DATA_HOME; fi fi mkdir -p $cachedir 
@@ -14,12 +14,12 @@ mkdir -p $cachedir url=https://www.nuget.org/nuget.exe if test ! -f $cachedir/nuget.exe; then - wget -o $cachedir/nuget.exe $url 2>/dev/null || curl -o $cachedir/nuget.exe --location $url /dev/null + wget -O $cachedir/nuget.exe $url 2>/dev/null || curl -o $cachedir/nuget.exe --location $url /dev/null fi if test ! -e .nuget; then mkdir .nuget - cp $cachedir/nuget.exe .nuget + cp $cachedir/nuget.exe .nuget/nuget.exe fi if test ! -d packages/KoreBuild; then @@ -27,4 +27,12 @@ if test ! -d packages/KoreBuild; then mono .nuget/nuget.exe install Sake -version 0.2 -o packages -ExcludeVersion fi -mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" \ No newline at end of file +if ! type k > /dev/null 2>&1; then + source setup/kvm.sh +fi + +if ! type k > /dev/null 2>&1; then + kvm upgrade +fi + +mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" From fa27f771501d431d148b137e0e2a4a80ae37add5 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 18 Jun 2014 16:17:31 -0700 Subject: [PATCH 028/493] Change the default author in makefile.shade --- makefile.shade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefile.shade b/makefile.shade index 6357ea2841..562494d144 100644 --- a/makefile.shade +++ b/makefile.shade @@ -1,7 +1,7 @@ var VERSION='0.1' var FULL_VERSION='0.1' -var AUTHORS='Microsoft' +var AUTHORS='Microsoft Open Technologies, Inc.' use-standard-lifecycle k-standard-goals From 9df90f615b860e46fc73677da831633a993c5768 Mon Sep 17 00:00:00 2001 From: Brice Lambson Date: Thu, 19 Jun 2014 10:39:40 -0700 Subject: [PATCH 029/493] Bump version to 1.0.0-* --- src/Microsoft.AspNet.Security.DataProtection/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index e290f191b6..0ce30c194a 100644 
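Review bot: The `curl` fallback on the nuget.exe download line ends in a bare `/dev/null`, which curl takes as a second URL rather than a stderr redirect; it should read `curl -o $cachedir/nuget.exe --location $url 2>/dev/null`, matching the wget side. Neither command's exit status is checked and the download is not verified, so a failed or truncated transfer can leave a file at `$cachedir/nuget.exe` that the `test ! -f` guard accepts on every later run, and that file is then executed under mono. Downloading to a temporary name and moving it into place only after the transfer succeeds (and, where a fixed NuGet version is acceptable, after comparing it with a pinned SHA-256) would close that gap. The expansions `$cachedir` and `$url` here, and `$XDG_DATA_HOME` in the first build.sh hunk, are unquoted and break on paths that contain spaces.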
--- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -1,5 +1,5 @@ { - "version": "0.1-alpha-*", + "version": "1.0.0-*", "configurations": { "net45": { "dependencies": { From 67398cf6491b11bd94b2cad10bec349bee69eb47 Mon Sep 17 00:00:00 2001 From: Brice Lambson Date: Fri, 20 Jun 2014 14:31:40 -0700 Subject: [PATCH 030/493] Updating release Nuget.config --- NuGet.Config | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index a059188b09..1ce6b9e257 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,13 +1,7 @@ - + - + - - - - - - - \ No newline at end of file + From 491dafb7a7e800e3d5cd33eceb060f388a4646e2 Mon Sep 17 00:00:00 2001 From: Brice Lambson Date: Fri, 20 Jun 2014 14:31:41 -0700 Subject: [PATCH 031/493] Updating dev Nuget.config --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index 1ce6b9e257..f41e9c631d 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + - + From 4e9a6b7678838c55d931841f92ebf7fc7b9eccda Mon Sep 17 00:00:00 2001 From: David Fowler Date: Sun, 13 Jul 2014 21:44:49 -0700 Subject: [PATCH 032/493] Renamed configurations to frameworks in project.json --- src/Microsoft.AspNet.Security.DataProtection/project.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 0ce30c194a..132311db8f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -1,6 +1,6 @@ -{ +{ "version": "1.0.0-*", - "configurations": { + "frameworks": { "net45": { "dependencies": { "System.Security": "" @@ -25,4 +25,4 @@ "compilationOptions": { "allowUnsafe": true } -} \ No newline at end of file +} 
From 4ec0532087c033b0e6a8f045c4d80bb2a12bd33c Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 17 Jul 2014 08:39:43 -0700 Subject: [PATCH 033/493] Reacting to System.Security.Cryptography.Encryption package rename --- src/Microsoft.AspNet.Security.DataProtection/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 132311db8f..66ba19caba 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -17,7 +17,7 @@ "System.Runtime": "4.0.20.0", "System.Runtime.Extensions": "4.0.10.0", "System.Runtime.InteropServices": "4.0.20.0", - "System.Security.Cryptography": "4.0.0.0", + "System.Security.Cryptography.Encryption": "4.0.0.0", "System.Text.Encoding.Extensions": "4.0.10.0" } } From 4d5e4ff20fdc450a9229a2ce926b4edb2e2e6263 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 5 Aug 2014 15:48:51 -0700 Subject: [PATCH 034/493] Updating release Nuget.config --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index f41e9c631d..1ce6b9e257 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + - + From 7ca4ba5d652bac3387417a8b5cd05afc1c1ecb4d Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 6 Aug 2014 12:30:35 -0700 Subject: [PATCH 035/493] Updating dev Nuget.config --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index 1ce6b9e257..f41e9c631d 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + - + From abfad7f643b4f821ab83ff8775a4b0d9fd705c69 Mon Sep 17 00:00:00 2001 From: David Fowler Date: Fri, 15 Aug 2014 07:44:31 -0700 Subject: [PATCH 036/493] Removed files from project file --- ...osoft.AspNet.Security.DataProtection.kproj | 41 +------------------ 1 file changed, 1 insertion(+), 40 deletions(-) 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index 8fb3a1fc6a..7b46ab4e41 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -16,44 +16,5 @@ 2.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From 23d28309601b5f5bf50998ef98f960c49cd055ba Mon Sep 17 00:00:00 2001 From: David Fowler Date: Fri, 15 Aug 2014 07:46:11 -0700 Subject: [PATCH 037/493] Updated solution file --- DataProtection.sln | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/DataProtection.sln b/DataProtection.sln index 40e55727eb..97a36b45e9 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio 2013 -VisualStudioVersion = 12.0.30327.0 +# Visual Studio 14 +VisualStudioVersion = 14.0.22013.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject @@ -13,10 +13,8 @@ Global Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution - {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.ActiveCfg = Debug|x86 - {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.Build.0 = Debug|x86 - {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.ActiveCfg = Release|x86 - {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.Build.0 = Release|x86 + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.ActiveCfg = Debug|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.ActiveCfg = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE 
From 4588b1c898ae3fc9892a4dbaf85b5dd533a430c6 Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 20 Aug 2014 22:47:47 -0700 Subject: [PATCH 038/493] Add preliminary PBKDF2 routines to unblock identity work. Win7 and Win8 optimizations will be committed as part of the larger DataProtection overhaul. --- .../CryptoUtil.cs | 35 ++++++ .../KeyDerivation.cs | 38 +++++++ .../KeyDerivationPrf.cs | 28 +++++ .../PBKDF2/IPbkdf2Provider.cs | 15 +++ .../PBKDF2/ManagedPbkdf2Provider.cs | 102 ++++++++++++++++++ .../PBKDF2/Pbkdf2Util.cs | 25 +++++ .../project.json | 1 + 7 files changed, 244 insertions(+) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs new file mode 100644 index 0000000000..29fabca02e --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs 
@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Diagnostics;
+using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ internal unsafe static class CryptoUtil
+ {
+ // This isn't a typical Debug.Assert; the check is always performed, even in retail builds.
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void Assert(bool condition, string message)
+ {
+ if (!condition)
+ {
+ Fail(message);
+ }
+ }
+
+ // This isn't a typical Debug.Fail; an error always occurs, even in retail builds.
+ // This method doesn't return, but since the CLR doesn't allow specifying a 'never'
+ // return type, we mimic it by specifying our return type as Exception. That way
+ // callers can write 'throw Fail(...);' to make the C# compiler happy, as the
+ // throw keyword is implicitly of type O.
+ [MethodImpl(MethodImplOptions.NoInlining)]
+ public static Exception Fail(string message)
+ {
+ Debug.Fail(message);
+ throw new CryptographicException("Assertion failed: " + message);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs
new file mode 100644
index 0000000000..548e0e7f65
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs
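Review bot: In `Fail`, `Debug.Fail(message)` runs before the `throw`, so in debug builds the process may stop in the assert handler or a debugger break instead of surfacing the `CryptographicException`, which makes debug and retail behaviour differ for a helper whose comment says the error always occurs. If breaking into the debugger is intended, a comment such as `// Debug.Fail is only a debugger aid; the throw below is the real failure path.` would make that explicit. The last sentence of the existing comment ("the throw keyword is implicitly of type O") is hard to follow and could be reworded to say that `throw Fail(...);` lets the compiler see the code path end. The class is also marked `unsafe` although nothing in this hunk uses pointers.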
@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ public static class KeyDerivation
+ {
+ public static byte[] Pbkdf2(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested)
+ {
+ // parameter checking
+ if (password == null)
+ {
+ throw new ArgumentNullException("password");
+ }
+ if (salt == null)
+ {
+ throw new ArgumentNullException("salt");
+ }
+ if (prf < KeyDerivationPrf.Sha1 || prf > KeyDerivationPrf.Sha512)
+ {
+ throw new ArgumentOutOfRangeException("prf");
+ }
+ if (iterationCount <= 0)
+ {
+ throw new ArgumentOutOfRangeException("iterationCount");
+ }
+ if (numBytesRequested <= 0)
+ {
+ throw new ArgumentOutOfRangeException("numBytesRequested");
+ }
+
+ return Pbkdf2Util.Pbkdf2Provider.DeriveKey(password, salt, prf, iterationCount, numBytesRequested);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs
new file mode 100644
index 0000000000..600383eb7a
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ ///
+ /// Specifies the PRF which should be used for the key derivation algorithm.
+ ///
+ public enum KeyDerivationPrf
+ {
+ ///
+ /// SHA-1 (FIPS PUB 180-4)
+ ///
+ Sha1,
+
+ ///
+ /// SHA-256 (FIPS PUB 180-4)
+ ///
+ Sha256,
+
+ ///
+ /// SHA-512 (FIPS PUB 180-4)
+ ///
+ Sha512,
+ }
+}
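Review bot: `KeyDerivation.Pbkdf2` rejects a null salt but accepts a zero-length one, and `iterationCount` only has to be positive, so a caller can derive a key with no salt and a single iteration without any signal. The `PBKDF2.DeriveKey` helper that is removed later in this series did reject an empty salt (`salt == null || salt.Length == 0`), so this is a loosening of the earlier check. Either add `if (salt.Length == 0) { throw new ArgumentException(...); }`, or state in an XML doc comment that salt length and iteration count are the caller's responsibility (NIST SP 800-132, which the provider cites, recommends a salt of at least 128 bits). The method is public and currently has no doc comment at all.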
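Review bot: The member comments in `KeyDerivationPrf` describe each value as a bare hash ("SHA-1 (FIPS PUB 180-4)"), but the enum selects a PRF, and `ManagedPbkdf2Provider` in this same patch maps the values to `HMACSHA1`, `HMACSHA256` and `HMACSHA512`. Wording such as `/// The HMAC algorithm (RFC 2104) using the SHA-1 hash function (FIPS 180-4).` would describe what is actually computed. Because `Sha1` is the zero value it is also what `default(KeyDerivationPrf)` selects, so a remark on the enum telling callers to choose the PRF explicitly would be useful.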
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs
new file mode 100644
index 0000000000..a9e499b80e
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs
@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2
+{
+ ///
+ /// Internal interface used for abstracting away the PBKDF2 implementation since the implementation is OS-specific.
+ ///
+ internal interface IPbkdf2Provider
+ {
+ byte[] DeriveKey(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs
new file mode 100644
index 0000000000..3fc75f67fd
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs
@@ -0,0 +1,102 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2 +{ + /// + /// A PBKDF2 provider which utilizes the managed hash algorithm classes as PRFs. + /// This isn't the preferred provider since the implementation is slow, but it is provided as a fallback. + /// + internal sealed class ManagedPbkdf2Provider : IPbkdf2Provider + { + public byte[] DeriveKey(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) + { + Debug.Assert(password != null); + Debug.Assert(salt != null); + Debug.Assert(iterationCount > 0); + Debug.Assert(numBytesRequested > 0); + + // PBKDF2 is defined in NIST SP800-132, Sec. 5.3. + // http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf + + byte[] retVal = new byte[numBytesRequested]; + int numBytesWritten = 0; + int numBytesRemaining = numBytesRequested; + + // For each block index, U_0 := Salt || block_index + byte[] saltWithBlockIndex = new byte[checked(salt.Length + sizeof(uint))]; + Buffer.BlockCopy(salt, 0, saltWithBlockIndex, 0, salt.Length); + + using (var hashAlgorithm = PrfToManagedHmacAlgorithm(prf, password)) + { + for (uint blockIndex = 1; numBytesRemaining > 0; blockIndex++) + { + // write the block index out as big-endian + saltWithBlockIndex[saltWithBlockIndex.Length - 4] = (byte)(blockIndex >> 24); + saltWithBlockIndex[saltWithBlockIndex.Length - 3] = (byte)(blockIndex >> 16); + saltWithBlockIndex[saltWithBlockIndex.Length - 2] = (byte)(blockIndex >> 8); + saltWithBlockIndex[saltWithBlockIndex.Length - 1] = (byte)blockIndex; + + // U_1 = PRF(U_0) = PRF(Salt || block_index) + // T_blockIndex = U_1 + byte[] U_iter = hashAlgorithm.ComputeHash(saltWithBlockIndex); // this is U_1 + byte[] 
T_blockIndex = U_iter; + + for (int iter = 1; iter < iterationCount; iter++) + { + U_iter = hashAlgorithm.ComputeHash(U_iter); + XorBuffers(src: U_iter, dest: T_blockIndex); + // At this point, the 'U_iter' variable actually contains U_{iter+1} (due to indexing differences). + } + + // At this point, we're done iterating on this block, so copy the transformed block into retVal. + int numBytesToCopy = Math.Min(numBytesRemaining, T_blockIndex.Length); + Buffer.BlockCopy(T_blockIndex, 0, retVal, numBytesWritten, numBytesToCopy); + numBytesWritten += numBytesToCopy; + numBytesRemaining -= numBytesToCopy; + } + } + + // retVal := T_1 || T_2 || ... || T_n, where T_n may be truncated to meet the desired output length + return retVal; + } + + private static KeyedHashAlgorithm PrfToManagedHmacAlgorithm(KeyDerivationPrf prf, string password) + { + byte[] passwordBytes = Pbkdf2Util.SecureUtf8Encoding.GetBytes(password); + try + { + switch (prf) + { + case KeyDerivationPrf.Sha1: + return new HMACSHA1(passwordBytes); + case KeyDerivationPrf.Sha256: + return new HMACSHA256(passwordBytes); + case KeyDerivationPrf.Sha512: + return new HMACSHA512(passwordBytes); + default: + throw CryptoUtil.Fail("Unrecognized PRF."); + } + } + finally + { + // The HMAC ctor makes a duplicate of this key; we clear original buffer to limit exposure to the GC. + Array.Clear(passwordBytes, 0, passwordBytes.Length); + } + } + + private static void XorBuffers(byte[] src, byte[] dest) + { + // Note: dest buffer is mutated. + Debug.Assert(src.Length == dest.Length); + for (int i = 0; i < src.Length; i++) + { + dest[i] ^= src[i]; + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs new file mode 100644 index 0000000000..1af12b4bdc --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs 
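Review bot: `PrfToManagedHmacAlgorithm` clears `passwordBytes` once the HMAC has been constructed, but `DeriveKey` leaves `T_blockIndex`, the successive `U_iter` arrays and `saltWithBlockIndex` for the GC, even though the block buffers hold derived-key material, including the bytes past `numBytesToCopy` that the caller never receives. For consistency with the password handling, add `Array.Clear(T_blockIndex, 0, T_blockIndex.Length);` after the `Buffer.BlockCopy` into `retVal`. The argument checks in `DeriveKey` are `Debug.Assert` only, so retail builds rely on `KeyDerivation.Pbkdf2` having validated the inputs; a one-line comment stating that contract would help the next implementer of `IPbkdf2Provider`.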
@@ -0,0 +1,25 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Text; + +namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2 +{ + /// + /// Internal base class used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. + /// + internal static class Pbkdf2Util + { + public static readonly IPbkdf2Provider Pbkdf2Provider = GetPbkdf2Provider(); + public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: false); + + private static IPbkdf2Provider GetPbkdf2Provider() + { + // In priority order, our three implementations are Win8, Win7, and "other". + + // TODO: Provide Win7 & Win8 implementations when the new DataProtection stack is fully copied over. + return new ManagedPbkdf2Provider(); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 66ba19caba..b2e6788017 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -18,6 +18,7 @@ "System.Runtime.Extensions": "4.0.10.0", "System.Runtime.InteropServices": "4.0.20.0", "System.Security.Cryptography.Encryption": "4.0.0.0", + "System.Security.Cryptography.Hashing.Algorithms": "4.0.0.0", "System.Text.Encoding.Extensions": "4.0.10.0" } } From 990fe49df1832fc2b9a4333800f15aa235eecb94 Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 20 Aug 2014 23:17:09 -0700 Subject: [PATCH 039/493] Remove old Win7-only PBKDF2 implementation. --- .../PBKDF2.cs | 68 ------------------- 1 file changed, 68 deletions(-) delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs 
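Review bot: `SecureUtf8Encoding` is constructed with `throwOnInvalidBytes: false`, so when `ManagedPbkdf2Provider` calls `GetBytes(password)` any unpaired surrogate in the string is silently replaced instead of rejected, and password strings that differ only in such characters derive the same key. Given the field's name, `new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true)` looks like the intended configuration; that would surface malformed input as an exception instead. The summary comment also calls `Pbkdf2Util` an "internal base class", but it is a static class that only holds the provider and the encoding.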
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs deleted file mode 100644 index c2f7c22b86..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2.cs +++ /dev/null 
@@ -1,68 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography; - -namespace Microsoft.AspNet.Security.DataProtection -{ - /// - /// Helper class to derive keys from low-entropy passwords using the PBKDF2 algorithm. - /// - public static class PBKDF2 - { - /// - /// Derives a key from a low-entropy password. - /// - /// The name of the PRF to use for key derivation. - /// The low-entropy password from which to generate a key. - /// The salt used to randomize the key derivation. - /// The number of iterations to perform. - /// The desired byte length of the derived key. - /// A key derived from the provided password. - /// For compatibility with the Rfc2898DeriveBytes class, specify "SHA1" for the algorithmName parameter. - public unsafe static byte[] DeriveKey(string algorithmName, byte[] password, byte[] salt, ulong iterationCount, uint numBytesToDerive) - { - if (String.IsNullOrEmpty(algorithmName)) - { - throw new ArgumentException(Res.Common_NullOrEmpty, "algorithmName"); - } - if (password == null || password.Length == 0) - { - throw new ArgumentException(Res.Common_NullOrEmpty, "password"); - } - if (salt == null || salt.Length == 0) - { - throw new ArgumentException(Res.Common_NullOrEmpty, "salt"); - } - if (iterationCount <= 0) - { - throw new ArgumentOutOfRangeException("iterationCount"); - } - - byte[] derivedKey = new byte[numBytesToDerive]; - int status; - - using (BCryptAlgorithmHandle algHandle = Algorithms.CreateGenericHMACHandleFromPrimitiveProvider(algorithmName)) - { - fixed (byte* pPassword = password) - fixed (byte* pSalt = salt) - fixed (byte* pDerivedKey = derivedKey) - { - status = UnsafeNativeMethods.BCryptDeriveKeyPBKDF2( - algHandle, pPassword, (uint)password.Length, pSalt, (uint)salt.Length, iterationCount, - pDerivedKey, numBytesToDerive, dwFlags: 
0); - } - } - - if (status == 0 /* STATUS_SUCCESS */) - { - return derivedKey; - } - else - { - throw new CryptographicException(status); - } - } - } -} From f7e3823bf11869358c224d44fa96f08b7b5e8ded Mon Sep 17 00:00:00 2001 From: David Fowler Date: Thu, 28 Aug 2014 22:43:50 -0700 Subject: [PATCH 040/493] Updated to use the new target framework in project.json --- src/Microsoft.AspNet.Security.DataProtection/project.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index b2e6788017..fee9e2a689 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "frameworks": { "net45": { @@ -6,7 +6,7 @@ "System.Security": "" } }, - "k10": { + "aspnetcore50": { "dependencies": { "System.Diagnostics.Debug": "4.0.10.0", "System.Diagnostics.Tools": "4.0.0.0", From b00e9d45c6ca4674e34c337416c81e4930516706 Mon Sep 17 00:00:00 2001 From: David Fowler Date: Fri, 5 Sep 2014 01:46:08 -0700 Subject: [PATCH 041/493] Updated build.cmd --- build.cmd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.cmd b/build.cmd index 3aaf957583..86ca5bbbf1 100644 --- a/build.cmd +++ b/build.cmd @@ -20,9 +20,9 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion IF "%SKIP_KRE_INSTALL%"=="1" goto run -CALL packages\KoreBuild\build\kvm upgrade -svr50 -x86 -CALL packages\KoreBuild\build\kvm install default -svrc50 -x86 +CALL packages\KoreBuild\build\kvm upgrade -runtime CLR -x86 +CALL packages\KoreBuild\build\kvm install default -runtime CoreCLR -x86 :run -CALL packages\KoreBuild\build\kvm use default -svr50 -x86 +CALL packages\KoreBuild\build\kvm use default -runtime CLR -x86 packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* 
From 94c689b4b966e1c9f675543f0d1e59855cc8beba Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 17 Sep 2014 09:56:20 -0700 Subject: [PATCH 042/493] Updating release NuGet.config --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index f41e9c631d..1ce6b9e257 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + - + From 93a0a997842847f39c2daa8d84b0d2f861bfdfbd Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 17 Sep 2014 09:56:22 -0700 Subject: [PATCH 043/493] Updating dev NuGet.config --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index 1ce6b9e257..f41e9c631d 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + - + From 47f0699235a0994d254d9fccd2fa28ee539042b5 Mon Sep 17 00:00:00 2001 From: jhawk42 Date: Thu, 24 Apr 2014 15:44:13 -0700 Subject: [PATCH 044/493] Win7PlusCoreSystem --- .../SafeLibraryHandle.cs | 34 ++++++++++++++++--- .../UnsafeNativeMethods.cs | 15 +++++--- 2 files changed, 41 insertions(+), 8 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs index 60422203be..b1b7d6e0af 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs @@ -69,6 +69,7 @@ namespace Microsoft.Win32.SafeHandles public static SafeLibraryHandle Open(string filename) { SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibrary(filename); + if (handle == null || handle.IsInvalid) { UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); 
@@ -85,34 +86,59 @@ namespace Microsoft.Win32.SafeHandles [SuppressUnmanagedCodeSecurity] private static class UnsafeNativeMethods { +#if ASPNETCORE50 + private const string api_ms_win_core_libraryloader_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; +#else private const string KERNEL32_LIB = "kernel32.dll"; - +#endif // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if NET45 +#if ASPNETCORE50 + [DllImport(api_ms_win_core_libraryloader_LIB, ExactSpelling = true, SetLastError = true)] +#else + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] - internal static extern bool FreeLibrary(IntPtr hModule); + public static extern bool FreeLibrary(IntPtr hModule); + // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] +#if ASPNETCORE50 + [DllImport(api_ms_win_core_libraryloader_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#else [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#endif internal static extern bool GetModuleHandleEx( [In] uint dwFlags, [In] SafeLibraryHandle lpModuleName, // can point to a location within the module if GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS is set [Out] out IntPtr phModule); +#if ASPNETCORE50 + [DllImport(api_ms_win_core_libraryloader_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true, BestFitMapping = false, ThrowOnUnmappableChar = true)] +#else // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true, BestFitMapping = false, 
ThrowOnUnmappableChar = true)] +#endif + internal static extern IntPtr GetProcAddress( [In] SafeLibraryHandle hModule, [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); +#if ASPNETCORE50 + [DllImport(api_ms_win_core_libraryloader_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] + internal static extern SafeLibraryHandle LoadLibraryExW([In,MarshalAs(UnmanagedType.LPWStr)] string lpFileName, IntPtr hFile, uint dwFlags); + + internal static SafeLibraryHandle LoadLibrary(string lpFileName) + { + return LoadLibraryExW(lpFileName, IntPtr.Zero, 0); + } +#else // http://msdn.microsoft.com/en-us/library/ms684175(v=vs.85).aspx [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] internal static extern SafeLibraryHandle LoadLibrary( [In, MarshalAs(UnmanagedType.LPWStr)]string lpFileName); +#endif internal static void ThrowExceptionForLastWin32Error() { diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index 5ca8c60069..7b8081dc23 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs @@ -12,7 +12,11 @@ namespace Microsoft.AspNet.Security.DataProtection { private const string BCRYPT_LIB = "bcrypt.dll"; private const string CRYPT32_LIB = "crypt32.dll"; + private const string NTDLL_LIB = "ntdll.dll"; + +#if !ASPNETCORE50 private const string KERNEL32_LIB = "kernel32.dll"; +#endif /* * BCRYPT.DLL 
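Review bot: On the ASPNETCORE50 path `LoadLibrary` forwards to `LoadLibraryExW(lpFileName, IntPtr.Zero, 0)`, and a flags value of 0 keeps the default DLL search order, so a bare file name passed to `SafeLibraryHandle.Open` can resolve to a copy in the application directory or elsewhere on the search path. The callers of `Open` are outside this hunk, so whether they pass full paths cannot be told from here; if they load system libraries by name, passing `LOAD_LIBRARY_SEARCH_SYSTEM32` (0x00000800) as `dwFlags` restricts the lookup to the system directory. Separately, the non-CoreCLR `FreeLibrary` import omits `SetLastError = true` while the CoreCLR one sets it, and the method changed from `internal` to `public` with no reason given in the commit message.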
@@ -199,13 +203,16 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint cbData, [In] uint dwFlags); - /* - * KERNEL32.DLL - */ - +#if ASPNETCORE50 + [DllImport(NTDLL_LIB)] + internal static extern void RtlZeroMemory( + [In] IntPtr Destination, + [In] UIntPtr /* SIZE_T */ Length); +#else [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi)] internal static extern void RtlZeroMemory( [In] IntPtr Destination, [In] UIntPtr /* SIZE_T */ Length); +#endif } } From 55922d91071fe798e27cd80405df30066f19544c Mon Sep 17 00:00:00 2001 From: David Fowler Date: Sun, 5 Oct 2014 04:31:21 -0700 Subject: [PATCH 045/493] Fixed references --- src/Microsoft.AspNet.Security.DataProtection/project.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index fee9e2a689..305c38f2f1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -2,8 +2,8 @@ "version": "1.0.0-*", "frameworks": { "net45": { - "dependencies": { - "System.Security": "" + "frameworkAssemblies": { + "System.Security": "4.0.0.0" } }, "aspnetcore50": { From e1f5c0a4b1e30b02eb4a872b82b113df8b877a2c Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 10 Oct 2014 10:30:37 -0700 Subject: [PATCH 046/493] Reacting to CLR package versioning changes --- .../project.json | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 305c38f2f1..b12bf80f25 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json 
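Review bot: The two `RtlZeroMemory` declarations under `#if ASPNETCORE50` / `#else` repeat the same signature and differ only in the library constant and in `CallingConvention = CallingConvention.Winapi`, which the ntdll import omits. Winapi is the default, so the omission is harmless, but two copies of one signature can drift apart. A single declaration would avoid that: select the library name inside the conditional that the previous hunk of this file already adds (a constant named something like `RTLZEROMEMORY_LIB`, set to `"ntdll.dll"` or `"kernel32.dll"`), then use `[DllImport(RTLZEROMEMORY_LIB, CallingConvention = CallingConvention.Winapi)]`. The removed `KERNEL32.DLL` banner also leaves the import without a heading. A short comment such as `// RtlZeroMemory: taken from ntdll.dll on ASPNETCORE50, kernel32.dll otherwise` would record the split.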
@@ -3,23 +3,23 @@ "frameworks": { "net45": { "frameworkAssemblies": { - "System.Security": "4.0.0.0" + "System.Security": "4.0.0-beta-*" } }, "aspnetcore50": { "dependencies": { - "System.Diagnostics.Debug": "4.0.10.0", - "System.Diagnostics.Tools": "4.0.0.0", - "System.Globalization": "4.0.10.0", - "System.Linq": "4.0.0.0", - "System.Reflection": "4.0.10.0", - "System.Resources.ResourceManager": "4.0.0.0", - "System.Runtime": "4.0.20.0", - "System.Runtime.Extensions": "4.0.10.0", - "System.Runtime.InteropServices": "4.0.20.0", - "System.Security.Cryptography.Encryption": "4.0.0.0", - "System.Security.Cryptography.Hashing.Algorithms": "4.0.0.0", - "System.Text.Encoding.Extensions": "4.0.10.0" + "System.Diagnostics.Debug": "4.0.10-beta-*", + "System.Diagnostics.Tools": "4.0.0-beta-*", + "System.Globalization": "4.0.10-beta-*", + "System.Linq": "4.0.0-beta-*", + "System.Reflection": "4.0.10-beta-*", + "System.Resources.ResourceManager": "4.0.0-beta-*", + "System.Runtime": "4.0.20-beta-*", + "System.Runtime.Extensions": "4.0.10-beta-*", + "System.Runtime.InteropServices": "4.0.20-beta-*", + "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", + "System.Text.Encoding.Extensions": "4.0.10-beta-*" } } }, From 542d87d9d2204a592199faed84f491d28af4f3fc Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 10 Oct 2014 10:45:08 -0700 Subject: [PATCH 047/493] Removing version from framework assemblies node --- src/Microsoft.AspNet.Security.DataProtection/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index b12bf80f25..0c20fb3aee 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json 
@@ -3,7 +3,7 @@ "frameworks": { "net45": { "frameworkAssemblies": { - "System.Security": "4.0.0-beta-*" + "System.Security": "" } }, "aspnetcore50": { From 769f21783a34c602006a9c06924a4ca2f796d6ff Mon Sep 17 00:00:00 2001 
From: Levi B Date: Sun, 28 Sep 2014 21:54:33 -0700 Subject: [PATCH 048/493] Implement new DataProtection pipeline. --- DataProtection.sln | 19 +- global.json | 3 + .../BlobStorageXmlRepository.cs | 142 ++++++ .../BlobStorageXmlRepositoryOptions.cs | 19 + .../CryptoUtil.cs | 35 ++ ...AspNet.Security.DataProtection.Azure.kproj | 20 + .../NotNullAttribute.cs | 12 + .../project.json | 21 + .../DataProtectionProviderHelper.cs | 49 ++ .../DataProtector.cs | 72 +++ .../DataProtectorHelper.cs | 49 ++ .../IDataProtectionProviderFactory.cs | 12 + .../IFactorySupportFunctions.cs | 14 + ...ecurity.DataProtection.Compatibility.kproj | 20 + .../project.json | 17 + .../Algorithms.cs | 62 --- .../ArraySegmentExtensions.cs | 30 ++ .../AuthenticatedEncryptorExtensions.cs | 36 ++ ...gCbcAuthenticatedEncryptorConfiguration.cs | 75 +++ ...henticatedEncryptorConfigurationFactory.cs | 30 ++ ...henticatedEncryptorConfigurationOptions.cs | 182 ++++++++ ...nticatedEncryptorConfigurationXmlReader.cs | 70 +++ ...gGcmAuthenticatedEncryptorConfiguration.cs | 70 +++ ...henticatedEncryptorConfigurationFactory.cs | 30 ++ ...henticatedEncryptorConfigurationOptions.cs | 124 +++++ ...nticatedEncryptorConfigurationXmlReader.cs | 64 +++ .../IAuthenticatedEncryptor.cs | 36 ++ .../IAuthenticatedEncryptor2.cs | 12 + .../IAuthenticatedEncryptorConfiguration.cs | 29 ++ ...henticatedEncryptorConfigurationFactory.cs | 21 + ...nticatedEncryptorConfigurationXmlReader.cs | 21 + ...agedAuthenticatedEncryptorConfiguration.cs | 73 +++ ...henticatedEncryptorConfigurationFactory.cs | 37 ++ ...henticatedEncryptorConfigurationOptions.cs | 115 +++++ ...nticatedEncryptorConfigurationXmlReader.cs | 68 +++ .../BCRYPT_KEY_DATA_BLOB_HEADER.cs | 29 -- .../BCryptAlgorithmFlags.cs | 16 - .../BCryptAlgorithmHandle.cs | 23 - .../BCryptHashHandle.cs | 23 - .../BCryptUtil.cs | 295 ------------ .../BitHelpers.cs | 45 ++ .../BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | 38 ++ .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 46 ++ .../{ => 
Cng}/BCryptBuffer.cs | 5 +- .../{ => Cng}/BCryptBufferDesc.cs | 4 +- .../{ => Cng}/BCryptEncryptFlags.cs | 5 +- .../{ => Cng}/BCryptGenRandomFlags.cs | 4 +- .../Cng/BCryptGenRandomImpl.cs | 21 + .../BCryptKeyDerivationBufferType.cs | 4 +- .../Cng/BCryptUtil.cs | 24 + .../Cng/CachedAlgorithmHandles.cs | 152 ++++++ .../Cng/CbcAuthenticatedEncryptor.cs | 437 ++++++++++++++++++ .../Cng/CngAuthenticatedEncryptorBase.cs | 85 ++++ .../Cng/DpapiSecretSerializerHelper.cs | 296 ++++++++++++ .../Cng/GcmAuthenticatedEncryptor.cs | 289 ++++++++++++ .../Cng/IBCryptGenRandom.cs | 12 + .../Cng/NCryptEncryptFlags.cs | 17 + .../Cng/OSVersionUtil.cs | 70 +++ .../Constants.cs | 8 +- .../CryptRand.cs | 31 -- .../CryptoUtil.cs | 49 +- .../DATA_BLOB.cs | 2 +- .../DataProtectionOptions.cs | 12 + .../DataProtectionProvider.cs | 117 ----- .../DataProtectionProviderImpl.cs | 32 -- .../DataProtectionServices.cs | 153 ++++++ .../DataProtectorImpl.cs | 190 -------- .../DefaultDataProtectionProvider.cs | 44 ++ .../Dpapi/DataProtectionScope.cs | 30 ++ .../Dpapi/DpapiDataProtectionProvider.cs | 25 + .../Dpapi/DpapiDataProtector.cs | 70 +++ .../Dpapi/IProtectedData.cs | 15 + .../Dpapi/ProtectedDataImpl.cs | 58 +++ .../DpapiDataProtectionProviderImpl.cs | 31 -- .../DpapiDataProtectorImpl.cs | 161 ------- .../EphemeralDataProtectionProvider.cs | 96 ++++ .../Error.cs | 74 +++ .../IDataProtectionProvider.cs | 18 +- .../IDataProtector.cs | 33 +- .../ISecret.cs | 27 ++ .../KeyDerivation.cs | 4 +- .../KeyDerivationPrf.cs | 2 +- .../KeyManagement/IKey.cs | 54 +++ .../KeyManagement/IKeyManager.cs | 54 +++ .../KeyManagement/IKeyRing.cs | 17 + .../KeyManagement/IKeyRingProvider.cs | 12 + .../KeyManagement/Key.cs | 63 +++ .../KeyManagement/KeyExtensions.cs | 15 + .../KeyManagement/KeyRing.cs | 97 ++++ .../KeyRingBasedDataProtectionProvider.cs | 22 + .../KeyRingBasedDataProtector.cs | 302 ++++++++++++ .../KeyManagement/KeyRingProvider.cs | 205 ++++++++ .../KeyManagement/XmlKeyManager.cs | 256 ++++++++++ 
.../Managed/HashAlgorithmExtensions.cs | 18 + .../Managed/IManagedGenRandom.cs | 12 + .../Managed/ManagedAuthenticatedEncryptor.cs | 400 ++++++++++++++++ .../Managed/ManagedGenRandomImpl.cs | 25 + .../Managed/SymmetricAlgorithmExtensions.cs | 18 + .../MemoryProtection.cs | 41 ++ .../NotNullAttribute.cs | 12 + .../PBKDF2/IPbkdf2Provider.cs | 2 +- .../PBKDF2/ManagedPbkdf2Provider.cs | 5 +- .../PBKDF2/Pbkdf2Util.cs | 21 +- .../PBKDF2/Win7Pbkdf2Provider.cs | 100 ++++ .../PBKDF2/Win8Pbkdf2Provider.cs | 195 ++++++++ .../Properties/AssemblyInfo.cs | 8 + .../Properties/Res.Designer.cs | 94 ---- .../Properties/Resources.Designer.cs | 222 +++++++++ .../ProtectedDataProtectionProvider.cs | 75 --- .../ProtectedMemoryBlob.cs | 212 +++++++++ .../Repositories/FileSystemXmlRepository.cs | 96 ++++ .../Repositories/IXmlRepository.cs | 33 ++ .../{Res.resx => Resources.resx} | 40 +- .../ISP800_108_CTR_HMACSHA512Provider.cs | 12 + .../ManagedSP800_108_CTR_HMACSHA512.cs | 57 +++ .../SP800_108_CTR_HMACSHA512Extensions.cs | 36 ++ .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 93 ++++ .../Win7SP800_108_CTR_HMACSHA512Provider.cs | 79 ++++ .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 107 +++++ .../SP800_108Helper.cs | 193 -------- .../SafeHandles/BCryptAlgorithmHandle.cs | 166 +++++++ .../SafeHandles/BCryptHandle.cs | 30 ++ .../SafeHandles/BCryptHashHandle.cs | 71 +++ .../SafeHandles/BCryptKeyHandle.cs | 33 ++ .../SafeHandles/LocalAllocHandle.cs | 26 ++ .../NCryptDescriptorHandle.cs} | 11 +- .../SafeHandles/SafeCertContextHandle.cs | 30 ++ .../SafeHandleZeroOrMinusOneIsInvalid.cs | 21 +- .../{ => SafeHandles}/SafeLibraryHandle.cs | 110 +++-- .../SafeHandles/SafeNCryptKeyHandle.cs | 28 ++ .../SafeHandles/SecureLocalAllocHandle.cs | 68 +++ .../StringExtensions.cs | 26 ++ ...ssUnmanagedCodeSecurityAttribute - Copy.cs | 13 - .../UnsafeBufferUtil.cs | 241 ++++++++++ .../UnsafeNativeMethods.cs | 249 ++++++++-- .../Util/BufferUtil.cs | 113 ----- .../Util/ByteArrayExtensions.cs | 26 -- 
.../Util/MemoryUtil.cs | 23 - .../WeakReferenceHelpers.cs | 56 +++ .../XmlEncryption/CertificateXmlEncryptor.cs | 37 ++ .../DpapiNGProtectionDescriptorFlags.cs | 16 + .../XmlEncryption/DpapiNGXmlDecryptor.cs | 48 ++ .../XmlEncryption/DpapiNGXmlEncryptor.cs | 95 ++++ .../XmlEncryption/DpapiXmlDecryptor.cs | 48 ++ .../XmlEncryption/DpapiXmlEncryptor.cs | 55 +++ .../XmlEncryption/IXmlDecryptor.cs | 21 + .../XmlEncryption/IXmlEncryptor.cs | 21 + .../XmlEncryption/NullXmlDecryptor.cs | 23 + .../XmlEncryption/NullXmlEncryptor.cs | 32 ++ .../project.json | 77 ++- .../Cng/CbcAuthenticatedEncryptorTests.cs | 115 +++++ .../Cng/GcmAuthenticatedEncryptorTests.cs | 104 +++++ .../Cng/SequentialGenRandom.cs | 19 + ....AspNet.Security.DataProtection.Test.kproj | 29 ++ .../project.json | 16 + 155 files changed, 8583 insertions(+), 1728 deletions(-) create mode 100644 global.json create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Azure/CryptoUtil.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Azure/NotNullAttribute.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Azure/project.json create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectionProviderHelper.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtector.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectorHelper.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Compatibility/IDataProtectionProviderFactory.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Compatibility/IFactorySupportFunctions.cs create mode 
100644 src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj create mode 100644 src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/ArraySegmentExtensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs create mode 100644 
src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs rename src/Microsoft.AspNet.Security.DataProtection/{ => Cng}/BCryptBuffer.cs (76%) rename src/Microsoft.AspNet.Security.DataProtection/{ => Cng}/BCryptBufferDesc.cs (86%) rename src/Microsoft.AspNet.Security.DataProtection/{ => Cng}/BCryptEncryptFlags.cs (62%) rename src/Microsoft.AspNet.Security.DataProtection/{ => Cng}/BCryptGenRandomFlags.cs (71%) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs rename 
src/Microsoft.AspNet.Security.DataProtection/{ => Cng}/BCryptKeyDerivationBufferType.cs (85%) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/IBCryptGenRandom.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectionOptions.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Dpapi/DataProtectionScope.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtectionProvider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Dpapi/IProtectedData.cs create mode 100644 
src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Error.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/ISecret.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKey.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyManager.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRing.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRingProvider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/Key.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyExtensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRing.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Managed/IManagedGenRandom.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedGenRandomImpl.cs create mode 100644 
src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/NotNullAttribute.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Repositories/FileSystemXmlRepository.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Repositories/IXmlRepository.cs rename src/Microsoft.AspNet.Security.DataProtection/{Res.resx => Resources.resx} (75%) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs create mode 100644 
src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs rename src/Microsoft.AspNet.Security.DataProtection/{BCryptKeyHandle.cs => SafeHandles/NCryptDescriptorHandle.cs} (52%) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs rename src/Microsoft.AspNet.Security.DataProtection/{ => SafeHandles}/SafeHandleZeroOrMinusOneIsInvalid.cs (62%) rename src/Microsoft.AspNet.Security.DataProtection/{ => SafeHandles}/SafeLibraryHandle.cs (61%) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs create mode 100644 
src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlDecryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlEncryptor.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/Cng/SequentialGenRandom.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/project.json diff --git a/DataProtection.sln b/DataProtection.sln index 97a36b45e9..a516327b4a 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -1,12 +1,20 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.22013.1 +VisualStudioVersion = 14.0.22115.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection", "src\Microsoft.AspNet.Security.DataProtection\Microsoft.AspNet.Security.DataProtection.kproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Azure", "src\Microsoft.AspNet.Security.DataProtection.Azure\Microsoft.AspNet.Security.DataProtection.Azure.kproj", "{DF3671D7-A9B1-45F1-A195-0AD596001735}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Compatibility", "src\Microsoft.AspNet.Security.DataProtection.Compatibility\Microsoft.AspNet.Security.DataProtection.Compatibility.kproj", "{C2FD9D02-AA0E-45FA-8561-EE357A94B73D}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Test", "test\Microsoft.AspNet.Security.DataProtection.Test\Microsoft.AspNet.Security.DataProtection.Test.kproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x86 = Debug|x86 
@@ -15,11 +23,20 @@ Global GlobalSection(ProjectConfigurationPlatforms) = postSolution {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.ActiveCfg = Debug|Any CPU {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.ActiveCfg = Release|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|x86.ActiveCfg = Debug|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|x86.ActiveCfg = Release|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|x86.ActiveCfg = Debug|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|x86.ActiveCfg = Release|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|x86.ActiveCfg = Debug|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Release|x86.ActiveCfg = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection GlobalSection(NestedProjects) = preSolution {1E570CD4-6F12-44F4-961E-005EE2002BC2} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {DF3671D7-A9B1-45F1-A195-0AD596001735} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} EndGlobalSection EndGlobal diff --git a/global.json b/global.json new file mode 100644 index 0000000000..cad39504d4 --- /dev/null +++ b/global.json @@ -0,0 +1,3 @@ +{ + "sources": [ "src" ] +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs new file mode 100644 index 0000000000..a08027f6a8 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs 
@@ -0,0 +1,142 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Net;
+using System.Runtime.ExceptionServices;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.Repositories;
+using Microsoft.Framework.OptionsModel;
+using Microsoft.WindowsAzure.Storage;
+using Microsoft.WindowsAzure.Storage.Blob;
+
+namespace Microsoft.AspNet.Security.DataProtection.Azure
+{
+ ///
+ /// An XML repository backed by Azure blob storage.
+ ///
+ public class BlobStorageXmlRepository : IXmlRepository
+ {
+ private const int MAX_NUM_UPDATE_ATTEMPTS = 10;
+
+ internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/dataProtection/2014/azure");
+ internal static readonly XName KeyRingElementName = XmlNamespace.GetName("keyRing");
+
+ public BlobStorageXmlRepository([NotNull] IOptionsAccessor optionsAccessor)
+ {
+ Directory = optionsAccessor.Options.Directory;
+ CryptoUtil.Assert(Directory != null, "Directory != null");
+ }
+
+ protected CloudBlobDirectory Directory
+ {
+ get;
+ private set;
+ }
+
+ // IXmlRepository objects are supposed to be thread-safe, but CloudBlockBlob
+ // instances do not meet this criterion. We'll create them on-demand so that each
+ // thread can have its own instance that doesn't impact others.
+ private CloudBlockBlob GetKeyRingBlockBlobReference()
+ {
+ return Directory.GetBlockBlobReference("keyring.xml");
+ }
+
+ public virtual IReadOnlyCollection GetAllElements()
+ {
+ var blobRef = GetKeyRingBlockBlobReference();
+ XDocument document = ReadDocumentFromStorage(blobRef);
+ return document?.Root.Elements().ToArray() ?? 
new XElement[0];
+ }
+
+ private XDocument ReadDocumentFromStorage(CloudBlockBlob blobRef)
+ {
+ // Try downloading from Azure storage
+ using (var memoryStream = new MemoryStream())
+ {
+ try
+ {
+ blobRef.DownloadToStream(memoryStream);
+ }
+ catch (StorageException ex) if (ex.RequestInformation.HttpStatusCode == (int)HttpStatusCode.NotFound)
+ {
+ // 404s are not a fatal error - empty keyring
+ return null;
+ }
+
+ // Rewind the memory stream and read it into an XDocument
+ memoryStream.Position = 0;
+ XDocument document = XDocument.Load(memoryStream);
+
+ // Format checks
+ CryptoUtil.Assert(document.Root.Name == KeyRingElementName, "TODO: Unknown element.");
+ CryptoUtil.Assert((int)document.Root.Attribute("version") == 1, "TODO: Unknown version.");
+ return document;
+ }
+ }
+
+ public virtual void StoreElement([NotNull] XElement element, string friendlyName)
+ {
+ ExceptionDispatchInfo lastException = null;
+
+ // To perform a transactional update of keyring.xml, we first need to get
+ // the original contents of the blob.
+ var blobRef = GetKeyRingBlockBlobReference();
+
+ for (int i = 0; i < MAX_NUM_UPDATE_ATTEMPTS; i++)
+ {
+ AccessCondition updateAccessCondition;
+ XDocument document = ReadDocumentFromStorage(blobRef);
+
+ // Inject the new element into the existing root.
+ if (document != null)
+ {
+ document.Root.Add(element);
+
+ // only update if the contents haven't changed (prevents overwrite)
+ updateAccessCondition = AccessCondition.GenerateIfMatchCondition(blobRef.Properties.ETag);
+ }
+ else
+ {
+ document = new XDocument(
+ new XElement(KeyRingElementName,
+ new XAttribute("version", 1),
+ element));
+
+ // only update if the file doesn't exist (prevents overwrite)
+ updateAccessCondition = AccessCondition.GenerateIfNoneMatchCondition("*");
+ }
+
+ // Write the updated document back out
+ MemoryStream memoryStream = new MemoryStream();
+ document.Save(memoryStream);
+ try
+ {
+ blobRef.UploadFromByteArray(memoryStream.GetBuffer(), 0, checked((int)memoryStream.Length), accessCondition: updateAccessCondition);
+ return; // success!
+ }
+ catch (StorageException ex)
+ {
+ switch ((HttpStatusCode)ex.RequestInformation.HttpStatusCode)
+ {
+ // If we couldn't update the blob due to a conflict on the server, try again.
+ case HttpStatusCode.Conflict:
+ case HttpStatusCode.PreconditionFailed:
+ lastException = ExceptionDispatchInfo.Capture(ex);
+ continue;
+
+ default:
+ throw;
+ }
+ }
+ }
+
+ // If we got this far, too many conflicts occurred while trying to update the blob.
+ // Just bail.
+ lastException.Throw();
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs
new file mode 100644
index 0000000000..b694ea5dd8
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs
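Review bot: In `ReadDocumentFromStorage` the format check `(int)document.Root.Attribute("version") == 1` throws `ArgumentNullException` from the cast when the attribute is absent, so a malformed `keyring.xml` fails outside the `CryptoUtil.Assert` path the line is meant to enforce. Writing it as `(int?)document.Root.Attribute("version") == 1` keeps a missing attribute inside the assert. Both asserts still carry `TODO:` placeholder messages, which is the text an operator sees when a downloaded key ring is rejected. In `StoreElement` the `MemoryStream` created on each retry is never disposed. `friendlyName` is accepted but unused, which deserves a comment such as `// friendlyName is ignored: every element is appended to the single keyring.xml blob`.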
@@ -0,0 +1,19 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.WindowsAzure.Storage.Blob; + +namespace Microsoft.AspNet.Security.DataProtection.Azure +{ + /// + /// Specifies options for configuring an Azure blob storage-based repository. + /// + public class BlobStorageXmlRepositoryOptions + { + /// + /// The blob storage directory where the key ring will be stored. + /// + public CloudBlobDirectory Directory { get; set; } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/CryptoUtil.cs b/src/Microsoft.AspNet.Security.DataProtection.Azure/CryptoUtil.cs new file mode 100644 index 0000000000..b9fb8859f7 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/CryptoUtil.cs 
@@ -0,0 +1,35 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Runtime.CompilerServices; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal static class CryptoUtil + { + // This isn't a typical Debug.Assert; the check is always performed, even in retail builds. + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static void Assert(bool condition, string message) + { + if (!condition) + { + Fail(message); + } + } + + // This isn't a typical Debug.Fail; an error always occurs, even in retail builds. + // This method doesn't return, but since the CLR doesn't allow specifying a 'never' + // return type, we mimic it by specifying our return type as Exception. That way + // callers can write 'throw Fail(...);' to make the C# compiler happy, as the + // throw keyword is implicitly of type O. + [MethodImpl(MethodImplOptions.NoInlining)] + public static Exception Fail(string message) + { + Debug.Fail(message); + throw new CryptographicException("Assertion failed: " + message); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj new file mode 100644 index 0000000000..753c52ebda --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj @@ -0,0 +1,20 @@ + + + + 12.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + DF3671D7-A9B1-45F1-A195-0AD596001735 + Library + + + + + + + 2.0 + + + \ No newline at end of file 
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/NotNullAttribute.cs b/src/Microsoft.AspNet.Security.DataProtection.Azure/NotNullAttribute.cs new file mode 100644 index 0000000000..00985c02f5 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/NotNullAttribute.cs @@ -0,0 +1,12 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.Azure +{ + [AttributeUsage(AttributeTargets.Parameter, AllowMultiple = false)] + internal sealed class NotNullAttribute : Attribute + { + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json new file mode 100644 index 0000000000..3d898a14be --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json @@ -0,0 +1,21 @@ +{ + "version": "1.0.0-*", + "dependencies": { + "Microsoft.AspNet.Security.DataProtection": "1.0.0-*", + "Microsoft.Framework.OptionsModel": "1.0.0-*", + "WindowsAzure.Storage": "4.3.0" + }, + "frameworkDependencies": { + "System.Xml.Linq": "4.0.0.0" + }, + "frameworks": { + "net451": { + }, + "aspnet50": { + } + }, + "compilationOptions": { + "warningsAsErrors": true, + "languageVersion": "experimental" + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectionProviderHelper.cs b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectionProviderHelper.cs new file mode 100644 index 0000000000..f05a11cf8e --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectionProviderHelper.cs 
@@ -0,0 +1,49 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Threading; + +namespace Microsoft.AspNet.Security.DataProtection.Compatibility +{ + internal sealed class DataProtectionProviderHelper + { + private IDataProtectionProvider _dataProtectionProvider; + + private DataProtectionProviderHelper() { } // can only be instantaited by self + + public static IDataProtectionProvider GetDataProtectionProvider(ref DataProtectionProviderHelper helperRef, IFactorySupportFunctions supportFunctions) + { + // First, make sure that only one thread ever initializes the helper instance. + var helper = Volatile.Read(ref helperRef); + if (helper == null) + { + var newHelper = new DataProtectionProviderHelper(); + helper = Interlocked.CompareExchange(ref helperRef, newHelper, null) ?? newHelper; + } + + // Has the provider already been created? + var provider = Volatile.Read(ref helper._dataProtectionProvider); + if (provider == null) + { + // Since the helper is accessed by reference, all threads should agree on the one true helper + // instance, so this lock is global given a particular reference. This is an implementation + // of the double-check lock pattern. + lock (helper) + { + provider = Volatile.Read(ref helper._dataProtectionProvider); + if (provider == null) + { + provider = supportFunctions.CreateDataProtectionProvider(); + Volatile.Write(ref helper._dataProtectionProvider, provider); + } + } + } + + // And we're done! + Debug.Assert(provider != null); + return provider; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtector.cs new file mode 100644 index 0000000000..af6c6872fa --- /dev/null 
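Review bot: In `GetDataProtectionProvider`, a null result from `supportFunctions.CreateDataProtectionProvider()` is caught only by `Debug.Assert(provider != null)`, which is compiled out of release builds. The method can then return null, and every later call re-enters the lock and invokes the factory again. Since the factory type is supplied by the application, I would fail explicitly inside the lock before the `Volatile.Write`, e.g. `if (provider == null) { throw new InvalidOperationException("The factory returned a null IDataProtectionProvider."); }`. The same pattern appears in `GetDataProtector` in DataProtectorHelper.cs. The constructor comment in both files also has a typo and should read `// can only be instantiated by self`.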
+++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtector.cs 
@@ -0,0 +1,72 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection.Compatibility +{ + public sealed class DataProtector : DataProtector, IFactorySupportFunctions + where T : class, IDataProtectionProviderFactory, new() + { + private static DataProtectionProviderHelper _staticHelper; + private DataProtectorHelper _helper; + + public DataProtector(string applicationName, string primaryPurpose, string[] specificPurposes) + : base(applicationName, primaryPurpose, specificPurposes) + { + } + + protected override bool PrependHashedPurposeToPlaintext + { + get + { + return false; + } + } + + private IDataProtector GetCachedDataProtector() + { + var dataProtectionProvider = DataProtectionProviderHelper.GetDataProtectionProvider(ref _staticHelper, this); + return DataProtectorHelper.GetDataProtector(ref _helper, dataProtectionProvider, this); + } + + public override bool IsReprotectRequired(byte[] encryptedData) + { + return false; + } + + protected override byte[] ProviderProtect(byte[] userData) + { + return GetCachedDataProtector().Protect(userData); + } + + protected override byte[] ProviderUnprotect(byte[] encryptedData) + { + return GetCachedDataProtector().Unprotect(encryptedData); + } + + IDataProtectionProvider IFactorySupportFunctions.CreateDataProtectionProvider() + { + IDataProtectionProviderFactory factory = Activator.CreateInstance(); + IDataProtectionProvider dataProtectionProvider = factory.CreateDataProtectionProvider(); + Debug.Assert(dataProtectionProvider != null); + return dataProtectionProvider; + } + + IDataProtector IFactorySupportFunctions.CreateDataProtector(IDataProtectionProvider dataProtectionProvider) + { + Debug.Assert(dataProtectionProvider != null); + + IDataProtector 
dataProtector = dataProtectionProvider.CreateProtector(ApplicationName).CreateProtector(PrimaryPurpose); + foreach (string specificPurpose in SpecificPurposes) + { + dataProtector = dataProtector.CreateProtector(specificPurpose); + } + + Debug.Assert(dataProtector != null); + return dataProtector; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectorHelper.cs b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectorHelper.cs new file mode 100644 index 0000000000..03d3af7d41 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectorHelper.cs 
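Review bot: `CreateDataProtector` iterates `SpecificPurposes` without a null guard. The constructor passes `string[] specificPurposes` straight to the base class, so if the base `DataProtector` accepts a null array (I believe it does, but that code is not in this hunk), the `foreach` throws a NullReferenceException on the first Protect/Unprotect call. Wrapping the loop in `if (SpecificPurposes != null) { ... }` keeps the purpose chain at application name plus primary purpose in that case. A comment on `PrependHashedPurposeToPlaintext` and `IsReprotectRequired` explaining why both return false would also help, since these overrides decide how purpose isolation is enforced; presumably it is because purposes are bound through the `CreateProtector` chain.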
@@ -0,0 +1,49 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Threading; + +namespace Microsoft.AspNet.Security.DataProtection.Compatibility +{ + internal sealed class DataProtectorHelper + { + private IDataProtector _dataProtector; + + private DataProtectorHelper() { } // can only be instantaited by self + + public static IDataProtector GetDataProtector(ref DataProtectorHelper helperRef, IDataProtectionProvider protectionProvider, IFactorySupportFunctions supportFunctions) + { + // First, make sure that only one thread ever initializes the helper instance. + var helper = Volatile.Read(ref helperRef); + if (helper == null) + { + var newHelper = new DataProtectorHelper(); + helper = Interlocked.CompareExchange(ref helperRef, newHelper, null) ?? newHelper; + } + + // Has the protector already been created? + var protector = Volatile.Read(ref helper._dataProtector); + if (protector == null) + { + // Since the helper is accessed by reference, all threads should agree on the one true helper + // instance, so this lock is global given a particular reference. This is an implementation + // of the double-check lock pattern. + lock (helper) + { + protector = Volatile.Read(ref helper._dataProtector); + if (protector == null) + { + protector = supportFunctions.CreateDataProtector(protectionProvider); + Volatile.Write(ref helper._dataProtector, protector); + } + } + } + + // And we're done! + Debug.Assert(protector != null); + return protector; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IDataProtectionProviderFactory.cs b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IDataProtectionProviderFactory.cs new file mode 100644 index 0000000000..ddf3dbe191 --- /dev/null 
+++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IDataProtectionProviderFactory.cs @@ -0,0 +1,12 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.Compatibility +{ + public interface IDataProtectionProviderFactory + { + IDataProtectionProvider CreateDataProtectionProvider(); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IFactorySupportFunctions.cs b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IFactorySupportFunctions.cs new file mode 100644 index 0000000000..a318be7460 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IFactorySupportFunctions.cs @@ -0,0 +1,14 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.Compatibility +{ + internal interface IFactorySupportFunctions + { + IDataProtectionProvider CreateDataProtectionProvider(); + + IDataProtector CreateDataProtector(IDataProtectionProvider dataProtectionProvider); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj new file mode 100644 index 0000000000..01ea1f2f00 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj 
@@ -0,0 +1,20 @@ + + + + 12.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + C2FD9D02-AA0E-45FA-8561-EE357A94B73D + Library + + + + + + + 2.0 + + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json new file mode 100644 index 0000000000..dae44c5f5c --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json @@ -0,0 +1,17 @@ +{ + "version": "1.0.0-*", + "frameworks": { + "net451": { + "dependencies": { + "Microsoft.AspNet.Security.DataProtection": "1.0.0-*" + }, + "frameworkAssemblies": { + "System.Security": "4.0.0.0" + } + } + }, + "compilationOptions": { + "warningsAsErrors": true, + "languageVersion": "experimental" + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs b/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs deleted file mode 100644 index f09f9709aa..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/Algorithms.cs +++ /dev/null 
@@ -1,62 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal unsafe static class Algorithms - { - public static readonly BCryptAlgorithmHandle AESAlgorithmHandle = CreateAESAlgorithmHandle(); - public static readonly BCryptAlgorithmHandle HMACSHA256AlgorithmHandle = CreateHMACSHA256AlgorithmHandle(); - public static readonly BCryptAlgorithmHandle HMACSHA512AlgorithmHandle = CreateHMACSHA512AlgorithmHandle(); - - private static BCryptAlgorithmHandle CreateAESAlgorithmHandle() - { - // create the AES instance - BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_AES_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0); - if (status != 0 || algHandle == null || algHandle.IsInvalid) - { - throw new CryptographicException(status); - } - - // change it to use CBC chaining; it already uses PKCS7 padding by default - fixed (char* pCbcMode = Constants.BCRYPT_CHAIN_MODE_CBC) - { - status = UnsafeNativeMethods.BCryptSetProperty(algHandle, Constants.BCRYPT_CHAINING_MODE, (IntPtr)pCbcMode, (uint)((Constants.BCRYPT_CHAIN_MODE_CBC.Length + 1 /* trailing null */) * sizeof(char)), dwFlags: 0); - } - if (status != 0) - { - throw new CryptographicException(status); - } - - return algHandle; - } - - internal static BCryptAlgorithmHandle CreateGenericHMACHandleFromPrimitiveProvider(string algorithmName) - { - BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, algorithmName, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: BCryptAlgorithmFlags.BCRYPT_ALG_HANDLE_HMAC_FLAG); - if (status != 0 || algHandle == null || algHandle.IsInvalid) - { - throw new CryptographicException(status); - } - - return 
algHandle; - } - - private static BCryptAlgorithmHandle CreateHMACSHA256AlgorithmHandle() - { - // create the HMACSHA-256 instance - return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA256_ALGORITHM); - } - - private static BCryptAlgorithmHandle CreateHMACSHA512AlgorithmHandle() - { - // create the HMACSHA-512 instance - return CreateGenericHMACHandleFromPrimitiveProvider(Constants.BCRYPT_SHA512_ALGORITHM); - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/ArraySegmentExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/ArraySegmentExtensions.cs new file mode 100644 index 0000000000..cadff82795 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/ArraySegmentExtensions.cs @@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal static class ArraySegmentExtensions + { + public static byte[] AsStandaloneArray(this ArraySegment arraySegment) + { + // Fast-track: Don't need to duplicate the array. + if (arraySegment.Offset == 0 && arraySegment.Count == arraySegment.Array.Length) + { + return arraySegment.Array; + } + + byte[] retVal = new byte[arraySegment.Count]; + Buffer.BlockCopy(arraySegment.Array, arraySegment.Offset, retVal, 0, retVal.Length); + return retVal; + } + + public static void Validate(this ArraySegment arraySegment) + { + // Since ArraySegment is a struct, it can be improperly initialized or torn. + // We call the ctor again to make sure the instance data is valid. + var unused = new ArraySegment(arraySegment.Array, arraySegment.Offset, arraySegment.Count); + } + } +} 
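Review bot: `AsStandaloneArray` returns the caller's own backing array when the segment covers it entirely, so the result is only sometimes a copy despite the name. Elsewhere in this commit, secret buffers are zeroed with `Array.Clear` (see `EncryptSecret`), and a caller that clears or mutates the returned array would also change the input in the fast-path case. I would document that on the method, e.g. `// NOTE: may return the segment's backing array itself; treat the result as read-only and do not clear it.` The method also dereferences `arraySegment.Array` without calling `Validate()` first, so a default-initialized segment fails with a NullReferenceException.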
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs new file mode 100644 index 0000000000..3bcd320cb8 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs @@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +{ + internal static class AuthenticatedEncryptorExtensions + { + public static byte[] Encrypt(this IAuthenticatedEncryptor encryptor, ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize) + { + // Can we call the optimized version? + IAuthenticatedEncryptor2 optimizedEncryptor = encryptor as IAuthenticatedEncryptor2; + if (optimizedEncryptor != null) + { + return optimizedEncryptor.Encrypt(plaintext, additionalAuthenticatedData, preBufferSize, postBufferSize); + } + + // Fall back to the unoptimized version + if (preBufferSize == 0 && postBufferSize == 0) + { + // optimization: call through to inner encryptor with no modifications + return encryptor.Encrypt(plaintext, additionalAuthenticatedData); + } + else + { + byte[] temp = encryptor.Encrypt(plaintext, additionalAuthenticatedData); + byte[] retVal = new byte[checked(preBufferSize + temp.Length + postBufferSize)]; + Buffer.BlockCopy(temp, 0, retVal, checked((int)preBufferSize), temp.Length); + return retVal; + } + } + } +} 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs new file mode 100644 index 0000000000..763c8f6e93 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs 
@@ -0,0 +1,75 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.Security.DataProtection.XmlEncryption; + +namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +{ + internal sealed class CngCbcAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration + { + internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/2014/dataProtection/cng"); + internal static readonly XName CbcEncryptorElementName = XmlNamespace.GetName("cbcEncryptor"); + internal static readonly XName EncryptionElementName = XmlNamespace.GetName("encryption"); + internal static readonly XName SecretElementName = XmlNamespace.GetName("secret"); + internal static readonly XName ValidationElementName = XmlNamespace.GetName("validation"); + + private readonly CngCbcAuthenticatedEncryptorConfigurationOptions _options; + private readonly ISecret _secret; + + public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptorConfigurationOptions options, ISecret secret) + { + _options = options; + _secret = secret; + } + + public IAuthenticatedEncryptor CreateEncryptorInstance() + { + return _options.CreateAuthenticatedEncryptor(_secret); + } + + private XElement EncryptSecret(IXmlEncryptor encryptor) + { + // First, create the inner element. + XElement secretElement; + byte[] plaintextSecret = new byte[_secret.Length]; + try + { + _secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); + secretElement = new XElement(SecretElementName, Convert.ToBase64String(plaintextSecret)); + } + finally + { + Array.Clear(plaintextSecret, 0, plaintextSecret.Length); + } + + // Then encrypt it and wrap it in another element. 
+ var encryptedSecretElement = encryptor.Encrypt(secretElement); + CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptedSecretElement.Attribute("decryptor")), + @"TODO: encryption was invalid."); + + return new XElement(SecretElementName, encryptedSecretElement); + } + + public XElement ToXml([NotNull] IXmlEncryptor xmlEncryptor) + { + // + // + // + // ... + // + + return new XElement(CbcEncryptorElementName, + new XAttribute("reader", typeof(CngCbcAuthenticatedEncryptorConfigurationXmlReader).AssemblyQualifiedName), + new XElement(EncryptionElementName, + new XAttribute("algorithm", _options.EncryptionAlgorithm), + new XAttribute("provider", _options.EncryptionAlgorithmProvider ?? String.Empty), + new XAttribute("keyLength", _options.EncryptionAlgorithmKeySize)), + new XElement(ValidationElementName, + new XAttribute("algorithm", _options.HashAlgorithm), + new XAttribute("provider", _options.HashAlgorithmProvider ?? String.Empty)), + EncryptSecret(xmlEncryptor)); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs new file mode 100644 index 0000000000..375a7dc961 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs 
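Review bot: In `EncryptSecret`, the `finally` block zeroes `plaintextSecret`, but `Convert.ToBase64String(plaintextSecret)` has already copied the key material into an immutable string held by `secretElement`. That copy cannot be cleared and stays in managed memory until it is collected. If `IXmlEncryptor.Encrypt` has to take an `XElement`, this may be unavoidable, but the limitation should be stated so that nobody assumes the buffer clearing is sufficient, e.g. `// NOTE: the base64 string inside secretElement is a managed copy of the secret that cannot be zeroed.` Separately, the constructor stores `options` and `secret` without `[NotNull]`, unlike `ToXml`, so a null argument only surfaces later in `CreateEncryptorInstance` or `EncryptSecret`.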
@@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Framework.OptionsModel; + +namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +{ + /// + /// A factory that is able to create a CNG-based IAuthenticatedEncryptor + /// using CBC encryption + HMAC validation. + /// + public unsafe sealed class CngCbcAuthenticatedEncryptorConfigurationFactory : IAuthenticatedEncryptorConfigurationFactory + { + private readonly CngCbcAuthenticatedEncryptorConfigurationOptions _options; + + public CngCbcAuthenticatedEncryptorConfigurationFactory([NotNull] IOptionsAccessor optionsAccessor) + { + _options = optionsAccessor.Options.Clone(); + } + + public IAuthenticatedEncryptorConfiguration CreateNewConfiguration() + { + // generate a 512-bit secret randomly + const int KDK_SIZE_IN_BYTES = 512 / 8; + var secret = ProtectedMemoryBlob.Random(KDK_SIZE_IN_BYTES); + return new CngCbcAuthenticatedEncryptorConfiguration(_options, secret); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs new file mode 100644 index 0000000000..2765421512 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs 
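Review bot: The class is declared `public unsafe sealed class`, but nothing in this hunk uses pointers or fixed buffers. Dropping `unsafe` keeps the unsafe context from silently covering code added here later. In `CreateNewConfiguration` the comment says only "generate a 512-bit secret randomly". A short note on why the secret is always 512 bits regardless of the configured `EncryptionAlgorithmKeySize` would help the next reader; the options class passes it on as `keyDerivationKey`.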
@@ -0,0 +1,182 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +{ + /// + /// Options for configuring an authenticated encryption mechanism which uses + /// Windows CNG algorithms in CBC encryption + HMAC validation modes. + /// + public sealed class CngCbcAuthenticatedEncryptorConfigurationOptions + { + /// + /// The name of the algorithm to use for symmetric encryption. + /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. + /// This property is required to have a value. + /// + /// + /// The algorithm must support CBC-style encryption and must have a block size of 64 bits or greater. + /// The default value is 'AES'. + /// + public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; + + /// + /// The name of the provider which contains the implementation of the symmetric encryption algorithm. + /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. + /// This property is optional. + /// + /// + /// The default value is null. + /// + public string EncryptionAlgorithmProvider { get; set; } = null; + + /// + /// The length (in bits) of the key that will be used for symmetric encryption. + /// This property is required to have a value. + /// + /// + /// The key length must be 128 bits or greater. + /// The default value is 256. + /// + public int EncryptionAlgorithmKeySize { get; set; } = 256; + + /// + /// The name of the algorithm to use for hashing data. + /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. + /// This property is required to have a value. 
+ /// + /// + /// The algorithm must support being opened in HMAC mode and must have a digest length + /// of 128 bits or greater. + /// The default value is 'SHA256'. + /// + public string HashAlgorithm { get; set; } = Constants.BCRYPT_SHA256_ALGORITHM; + + /// + /// The name of the provider which contains the implementation of the hash algorithm. + /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. + /// This property is optional. + /// + /// + /// The default value is null. + /// + public string HashAlgorithmProvider { get; set; } = null; + + /// + /// Makes a duplicate of this object, which allows the original object to remain mutable. + /// + internal CngCbcAuthenticatedEncryptorConfigurationOptions Clone() + { + return new CngCbcAuthenticatedEncryptorConfigurationOptions() + { + EncryptionAlgorithm = this.EncryptionAlgorithm, + EncryptionAlgorithmKeySize = this.EncryptionAlgorithmKeySize, + EncryptionAlgorithmProvider = this.EncryptionAlgorithmProvider, + HashAlgorithm = this.HashAlgorithm, + HashAlgorithmProvider = this.HashAlgorithmProvider + }; + } + + internal IAuthenticatedEncryptor CreateAuthenticatedEncryptor([NotNull] ISecret secret) + { + // Create the encryption object + string encryptionAlgorithm = GetPropertyValueNotNullOrEmpty(EncryptionAlgorithm, nameof(EncryptionAlgorithm)); + string encryptionAlgorithmProvider = GetPropertyValueNormalizeToNull(EncryptionAlgorithmProvider); + uint encryptionAlgorithmKeySizeInBits = GetKeySizeInBits(EncryptionAlgorithmKeySize); + BCryptAlgorithmHandle encryptionAlgorithmHandle = GetEncryptionAlgorithmHandleAndCheckKeySize(encryptionAlgorithm, encryptionAlgorithmProvider, encryptionAlgorithmKeySizeInBits); + + // Create the validation object + string hashAlgorithm = GetPropertyValueNotNullOrEmpty(HashAlgorithm, nameof(HashAlgorithm)); + string hashAlgorithmProvider = GetPropertyValueNormalizeToNull(HashAlgorithmProvider); + BCryptAlgorithmHandle hashAlgorithmHandle 
= GetHashAlgorithmHandle(hashAlgorithm, hashAlgorithmProvider); + + // and we're good to go! + return new CbcAuthenticatedEncryptor( + keyDerivationKey: new ProtectedMemoryBlob(secret), + symmetricAlgorithmHandle: encryptionAlgorithmHandle, + symmetricAlgorithmKeySizeInBytes: encryptionAlgorithmKeySizeInBits / 8, + hmacAlgorithmHandle: hashAlgorithmHandle); + } + + private static BCryptAlgorithmHandle GetEncryptionAlgorithmHandleAndCheckKeySize(string encryptionAlgorithm, string encryptionAlgorithmProvider, uint keyLengthInBits) + { + BCryptAlgorithmHandle algorithmHandle = null; + + // Special-case cached providers + if (encryptionAlgorithmProvider == null) + { + if (encryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_CBC; } + } + + // Look up the provider dynamically if we couldn't fetch a cached instance + if (algorithmHandle == null) + { + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(encryptionAlgorithm, encryptionAlgorithmProvider); + algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_CBC); + } + + // make sure we're using a block cipher with an appropriate block size + uint cipherBlockSizeInBytes = algorithmHandle.GetCipherBlockLength(); + CryptoUtil.Assert(cipherBlockSizeInBytes >= CbcAuthenticatedEncryptor.SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES, + "cipherBlockSizeInBytes >= CbcAuthenticatedEncryptor.SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES"); + + // make sure the provided key length is valid + algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength(keyLengthInBits); + + // all good! 
+ return algorithmHandle; + } + + private static BCryptAlgorithmHandle GetHashAlgorithmHandle(string hashAlgorithm, string hashAlgorithmProvider) + { + BCryptAlgorithmHandle algorithmHandle = null; + + // Special-case cached providers + if (hashAlgorithmProvider == null) + { + if (hashAlgorithm == Constants.BCRYPT_SHA1_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA1; } + else if (hashAlgorithm == Constants.BCRYPT_SHA256_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA256; } + else if (hashAlgorithm == Constants.BCRYPT_SHA512_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA512; } + } + + // Look up the provider dynamically if we couldn't fetch a cached instance + if (algorithmHandle == null) + { + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hashAlgorithmProvider, hmac: true); + } + + // Make sure we're using a hash algorithm. We require a minimum 128-bit digest. + uint digestSize = algorithmHandle.GetHashDigestLength(); + CryptoUtil.Assert(digestSize >= CbcAuthenticatedEncryptor.HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES, + "digestSize >= CbcAuthenticatedEncryptor.HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES"); + + // all good! + return algorithmHandle; + } + + private static uint GetKeySizeInBits(int value) + { + CryptoUtil.Assert(value >= 0, "value >= 0"); + CryptoUtil.Assert(value % 8 == 0, "value % 8 == 0"); + return (uint)value; + } + + private static string GetPropertyValueNormalizeToNull(string value) + { + return (String.IsNullOrEmpty(value)) ? null : value; + } + + private static string GetPropertyValueNotNullOrEmpty(string value, string propertyName) + { + if (String.IsNullOrEmpty(value)) + { + throw Error.Common_PropertyCannotBeNullOrEmpty(propertyName); + } + return value; + } + } +} 
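Review bot: The XML doc on `EncryptionAlgorithmKeySize` says the key length must be 128 bits or greater, but `GetKeySizeInBits` only asserts `value >= 0` and `value % 8 == 0`. The remaining check, `GetSupportedKeyLengths().EnsureValidKeyLength(...)`, is defined outside this hunk. By its name it validates against what the selected algorithm supports, which for a caller-chosen algorithm and provider may include shorter keys. I would enforce the documented floor directly in `GetKeySizeInBits`: `CryptoUtil.Assert(value >= 128, "value >= 128");`.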
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs new file mode 100644 index 0000000000..d37f854c42 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs 
@@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.Framework.DependencyInjection;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ internal sealed class CngCbcAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader
+ {
+ private readonly IServiceProvider _serviceProvider;
+ private readonly ITypeActivator _typeActivator;
+
+ public CngCbcAuthenticatedEncryptorConfigurationXmlReader(
+ [NotNull] IServiceProvider serviceProvider,
+ [NotNull] ITypeActivator typeActivator)
+ {
+ _serviceProvider = serviceProvider;
+ _typeActivator = typeActivator;
+ }
+
+ public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element)
+ {
+ //
+ //
+ //
+ // ...
+ //
+
+ CryptoUtil.Assert(element.Name == CngCbcAuthenticatedEncryptorConfiguration.CbcEncryptorElementName,
+ @"TODO: Bad element.");
+
+ var options = new CngCbcAuthenticatedEncryptorConfigurationOptions();
+
+ // read element
+ var encryptionElement = element.Element(CngCbcAuthenticatedEncryptorConfiguration.EncryptionElementName);
+ options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm");
+ options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider");
+ options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength");
+
+ // read element
+ var validationElement = element.Element(CngCbcAuthenticatedEncryptorConfiguration.ValidationElementName);
+ options.HashAlgorithm = (string)validationElement.Attribute("algorithm");
+ options.HashAlgorithmProvider = (string)validationElement.Attribute("provider");
+
+ // read the child of the element, then decrypt it
+ var encryptedSecretElement = element.Element(CngCbcAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single();
+ var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor");
+ var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true);
+ var secretElementDecryptor = (IXmlDecryptor)_typeActivator.CreateInstance(_serviceProvider, secretElementDecryptorType);
+ var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement);
+ CryptoUtil.Assert(decryptedSecretElement.Name == CngCbcAuthenticatedEncryptorConfiguration.SecretElementName,
+ @"TODO: Bad element.");
+
+ byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement);
+ try
+ {
+ var protectedMemoryBlob = new ProtectedMemoryBlob(decryptedSecretBytes);
+ return new CngCbcAuthenticatedEncryptorConfiguration(options, protectedMemoryBlob);
+ }
+ finally
+ {
+ Array.Clear(decryptedSecretBytes, 0, decryptedSecretBytes.Length);
+ }
+ }
+ }
+}
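Review bot: In `FromXml`, the type named by the `decryptor` attribute is constructed by `_typeActivator.CreateInstance` before anything confirms it is an `IXmlDecryptor`; the cast can only fail after the constructor has already run, so whoever can edit the stored XML chooses which type gets instantiated. Check the type first, e.g. `CryptoUtil.Assert(typeof(IXmlDecryptor).IsAssignableFrom(secretElementDecryptorType), "decryptor type must implement IXmlDecryptor");`, and consider restricting it to a known set of decryptors. The `element.Element(...)` and `Attribute(...)` results are also dereferenced without null checks, so malformed input surfaces as `NullReferenceException` rather than a cryptographic failure. The same sequence appears in `FromXml` of `CngGcmAuthenticatedEncryptorConfigurationXmlReader` and `ManagedAuthenticatedEncryptorConfigurationXmlReader`.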
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs
new file mode 100644
index 0000000000..3007f2eb72
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs
@@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ internal sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration
+ {
+ internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/2014/dataProtection/cng");
+ internal static readonly XName EncryptionElementName = XmlNamespace.GetName("encryption");
+ internal static readonly XName GcmEncryptorElementName = XmlNamespace.GetName("gcmEncryptor");
+ internal static readonly XName SecretElementName = XmlNamespace.GetName("secret");
+
+ private readonly CngGcmAuthenticatedEncryptorConfigurationOptions _options;
+ private readonly ISecret _secret;
+
+ public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptorConfigurationOptions options, ISecret secret)
+ {
+ _options = options;
+ _secret = secret;
+ }
+
+ public IAuthenticatedEncryptor CreateEncryptorInstance()
+ {
+ return _options.CreateAuthenticatedEncryptor(_secret);
+ }
+
+ private XElement EncryptSecret(IXmlEncryptor encryptor)
+ {
+ // First, create the inner element.
+ XElement secretElement;
+ byte[] plaintextSecret = new byte[_secret.Length];
+ try
+ {
+ _secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret));
+ secretElement = new XElement(SecretElementName, Convert.ToBase64String(plaintextSecret));
+ }
+ finally
+ {
+ Array.Clear(plaintextSecret, 0, plaintextSecret.Length);
+ }
+
+ // Then encrypt it and wrap it in another element.
+ var encryptedSecretElement = encryptor.Encrypt(secretElement);
+ CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptedSecretElement.Attribute("decryptor")),
+ @"TODO: encryption was invalid.");
+
+ return new XElement(SecretElementName, encryptedSecretElement);
+ }
+
+ public XElement ToXml([NotNull] IXmlEncryptor xmlEncryptor)
+ {
+ //
+ //
+ // ...
+ //
+
+ return new XElement(GcmEncryptorElementName,
+ new XAttribute("reader", typeof(CngGcmAuthenticatedEncryptorConfigurationXmlReader).AssemblyQualifiedName),
+ new XElement(EncryptionElementName,
+ new XAttribute("algorithm", _options.EncryptionAlgorithm),
+ new XAttribute("provider", _options.EncryptionAlgorithmProvider ?? String.Empty),
+ new XAttribute("keyLength", _options.EncryptionAlgorithmKeySize)),
+ EncryptSecret(xmlEncryptor));
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs
new file mode 100644
index 0000000000..ac074377f8
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs
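Review bot: In `CngGcmAuthenticatedEncryptorConfiguration.EncryptSecret`, `Convert.ToBase64String(plaintextSecret)` copies the key material into an immutable string held by `secretElement`, which the `Array.Clear` in the `finally` cannot reach. The plaintext therefore stays on the managed heap until it is collected, outside whatever protection `ProtectedMemoryBlob` is presumably meant to give. I would at least record that limit above the `XElement` construction: `// NOTE: the base64 string and secretElement still hold the plaintext secret; only the byte[] is zeroed here.` `ManagedAuthenticatedEncryptorConfiguration.EncryptSecret` contains the same code.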
@@ -0,0 +1,30 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Framework.OptionsModel;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ ///
+ /// A factory that is able to create a CNG-based IAuthenticatedEncryptor
+ /// using CBC encryption + HMAC validation.
+ ///
+ public unsafe sealed class CngGcmAuthenticatedEncryptorConfigurationFactory : IAuthenticatedEncryptorConfigurationFactory
+ {
+ private readonly CngGcmAuthenticatedEncryptorConfigurationOptions _options;
+
+ public CngGcmAuthenticatedEncryptorConfigurationFactory([NotNull] IOptionsAccessor optionsAccessor)
+ {
+ _options = optionsAccessor.Options.Clone();
+ }
+
+ public IAuthenticatedEncryptorConfiguration CreateNewConfiguration()
+ {
+ // generate a 512-bit secret randomly
+ const int KDK_SIZE_IN_BYTES = 512 / 8;
+ var secret = ProtectedMemoryBlob.Random(KDK_SIZE_IN_BYTES);
+ return new CngGcmAuthenticatedEncryptorConfiguration(_options, secret);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs
new file mode 100644
index 0000000000..33ad8e8eb5
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs
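Review bot: The summary on `CngGcmAuthenticatedEncryptorConfigurationFactory` still reads "using CBC encryption + HMAC validation", which describes the CBC factory rather than this one. It should say something like `/// using Galois/Counter Mode encryption + authentication.` so readers do not assume a separate HMAC is involved. The `unsafe` modifier on the class also looks unnecessary, since nothing in the hunk uses pointers.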
@@ -0,0 +1,124 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Security.DataProtection.Cng;
+using Microsoft.AspNet.Security.DataProtection.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ ///
+ /// Options for configuring an authenticated encryption mechanism which uses
+ /// Windows CNG encryption algorithms in Galois/Counter Mode.
+ ///
+ public sealed class CngGcmAuthenticatedEncryptorConfigurationOptions
+ {
+ ///
+ /// The name of the algorithm to use for symmetric encryption.
+ /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider.
+ /// This property is required to have a value.
+ ///
+ ///
+ /// The algorithm must support GCM-style encryption and must have a block size of exactly 128 bits.
+ /// The default value is 'AES'.
+ ///
+ public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM;
+
+ ///
+ /// The name of the provider which contains the implementation of the symmetric encryption algorithm.
+ /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider.
+ /// This property is optional.
+ ///
+ ///
+ /// The default value is null.
+ ///
+ public string EncryptionAlgorithmProvider { get; set; } = null;
+
+ ///
+ /// The length (in bits) of the key that will be used for symmetric encryption.
+ /// This property is required to have a value.
+ ///
+ ///
+ /// The key length must be 128 bits or greater.
+ /// The default value is 256.
+ ///
+ public int EncryptionAlgorithmKeySize { get; set; } = 256;
+
+ ///
+ /// Makes a duplicate of this object, which allows the original object to remain mutable.
+ ///
+ internal CngGcmAuthenticatedEncryptorConfigurationOptions Clone()
+ {
+ return new CngGcmAuthenticatedEncryptorConfigurationOptions()
+ {
+ EncryptionAlgorithm = this.EncryptionAlgorithm,
+ EncryptionAlgorithmKeySize = this.EncryptionAlgorithmKeySize,
+ EncryptionAlgorithmProvider = this.EncryptionAlgorithmProvider
+ };
+ }
+
+ internal IAuthenticatedEncryptor CreateAuthenticatedEncryptor([NotNull] ISecret secret)
+ {
+ // Create the encryption object
+ string encryptionAlgorithm = GetPropertyValueNotNullOrEmpty(EncryptionAlgorithm, nameof(EncryptionAlgorithm));
+ string encryptionAlgorithmProvider = GetPropertyValueNormalizeToNull(EncryptionAlgorithmProvider);
+ uint encryptionAlgorithmKeySizeInBits = GetKeySizeInBits(EncryptionAlgorithmKeySize);
+ BCryptAlgorithmHandle encryptionAlgorithmHandle = GetEncryptionAlgorithmHandleAndCheckKeySize(encryptionAlgorithm, encryptionAlgorithmProvider, encryptionAlgorithmKeySizeInBits);
+
+ // and we're good to go!
+ return new GcmAuthenticatedEncryptor(
+ keyDerivationKey: new ProtectedMemoryBlob(secret),
+ symmetricAlgorithmHandle: encryptionAlgorithmHandle,
+ symmetricAlgorithmKeySizeInBytes: encryptionAlgorithmKeySizeInBits / 8);
+ }
+
+ private static BCryptAlgorithmHandle GetEncryptionAlgorithmHandleAndCheckKeySize(string encryptionAlgorithm, string encryptionAlgorithmProvider, uint keyLengthInBits)
+ {
+ BCryptAlgorithmHandle algorithmHandle = null;
+
+ // Special-case cached providers
+ if (encryptionAlgorithmProvider == null)
+ {
+ if (encryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_GCM; }
+ }
+
+ // Look up the provider dynamically if we couldn't fetch a cached instance
+ if (algorithmHandle == null)
+ {
+ algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(encryptionAlgorithm, encryptionAlgorithmProvider);
+ algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_GCM);
+ }
+
+ // make sure we're using a block cipher with an appropriate block size
+ uint cipherBlockSizeInBytes = algorithmHandle.GetCipherBlockLength();
+ CryptoUtil.Assert(cipherBlockSizeInBytes == 128 / 8, "cipherBlockSizeInBytes == 128 / 8");
+
+ // make sure the provided key length is valid
+ algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength(keyLengthInBits);
+
+ // all good!
+ return algorithmHandle;
+ }
+
+ private static uint GetKeySizeInBits(int value)
+ {
+ CryptoUtil.Assert(value >= 0, "value >= 0");
+ CryptoUtil.Assert(value % 8 == 0, "value % 8 == 0");
+ return (uint)value;
+ }
+
+ private static string GetPropertyValueNormalizeToNull(string value)
+ {
+ return (String.IsNullOrEmpty(value)) ? null : value;
+ }
+
+ private static string GetPropertyValueNotNullOrEmpty(string value, string propertyName)
+ {
+ if (String.IsNullOrEmpty(value))
+ {
+ throw Error.Common_PropertyCannotBeNullOrEmpty(propertyName);
+ }
+ return value;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs
new file mode 100644
index 0000000000..e3fc4bad31
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs
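Review bot: The `EncryptionAlgorithmKeySize` documentation promises a key length of 128 bits or greater, but `GetKeySizeInBits` only rejects negative values and non-multiples of 8, and `EnsureValidKeyLength` (not shown) appears to check only what the provider supports. With a non-default `EncryptionAlgorithm` or provider that accepts shorter keys, nothing visible here enforces the documented floor; adding `CryptoUtil.Assert(value >= 128, "value >= 128");` to `GetKeySizeInBits` would. `ManagedAuthenticatedEncryptorConfigurationOptions.CreateAuthenticatedEncryptor` has the same gap, checking only `keySizeInBits % 8 == 0`, unless the encryptor constructors validate the size themselves.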
@@ -0,0 +1,64 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.Framework.DependencyInjection;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ internal sealed class CngGcmAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader
+ {
+ private readonly IServiceProvider _serviceProvider;
+ private readonly ITypeActivator _typeActivator;
+
+ public CngGcmAuthenticatedEncryptorConfigurationXmlReader(
+ [NotNull] IServiceProvider serviceProvider,
+ [NotNull] ITypeActivator typeActivator)
+ {
+ _serviceProvider = serviceProvider;
+ _typeActivator = typeActivator;
+ }
+
+ public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element)
+ {
+ //
+ //
+ // ...
+ //
+
+ CryptoUtil.Assert(element.Name == CngGcmAuthenticatedEncryptorConfiguration.GcmEncryptorElementName,
+ @"TODO: Bad element.");
+
+ var options = new CngGcmAuthenticatedEncryptorConfigurationOptions();
+
+ // read element
+ var encryptionElement = element.Element(CngGcmAuthenticatedEncryptorConfiguration.EncryptionElementName);
+ options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm");
+ options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider");
+ options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength");
+
+ // read the child of the element, then decrypt it
+ var encryptedSecretElement = element.Element(CngGcmAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single();
+ var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor");
+ var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true);
+ var secretElementDecryptor = (IXmlDecryptor)_typeActivator.CreateInstance(_serviceProvider, secretElementDecryptorType);
+ var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement);
+ CryptoUtil.Assert(decryptedSecretElement.Name == CngGcmAuthenticatedEncryptorConfiguration.SecretElementName,
+ @"TODO: Bad element.");
+
+ byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement);
+ try
+ {
+ var protectedMemoryBlob = new ProtectedMemoryBlob(decryptedSecretBytes);
+ return new CngGcmAuthenticatedEncryptorConfiguration(options, protectedMemoryBlob);
+ }
+ finally
+ {
+ Array.Clear(decryptedSecretBytes, 0, decryptedSecretBytes.Length);
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
new file mode 100644
index 0000000000..b897d668a0
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ ///
+ /// The basic interface for providing an authenticated encryption and decryption routine.
+ ///
+ public interface IAuthenticatedEncryptor
+ {
+ ///
+ /// Validates the authentication tag of and decrypts a blob of encrypted data.
+ ///
+ /// The ciphertext (including authentication tag) to decrypt.
+ /// Any ancillary data which was used during computation
+ /// of the authentication tag. The same AAD must have been specified in the corresponding
+ /// call to 'Encrypt'.
+ /// The original plaintext data (if the authentication tag was validated and decryption succeeded).
+ /// All cryptography-related exceptions should be homogenized to CryptographicException.
+ byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData);
+
+ ///
+ /// Encrypts and tamper-proofs a piece of data.
+ ///
+ /// The plaintext to encrypt. This input may be zero bytes in length.
+ /// A piece of data which will not be included in
+ /// the returned ciphertext but which will still be covered by the authentication tag.
+ /// This input may be zero bytes in length. The same AAD must be specified in the corresponding
+ /// call to Decrypt.
+ /// The ciphertext blob, including authentication tag.
+ /// All cryptography-related exceptions should be homogenized to CryptographicException.
+ byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs
new file mode 100644
index 0000000000..2e36143dc3
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ internal interface IAuthenticatedEncryptor2 : IAuthenticatedEncryptor
+ {
+ byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs
new file mode 100644
index 0000000000..0da7da4b5e
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs
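Review bot: `IAuthenticatedEncryptor2.Encrypt` is undocumented, and neither this hunk nor the base interface says what `preBufferSize` and `postBufferSize` mean. A summary stating where the reserved bytes sit in the returned array, and whether they are covered by the authentication tag, would keep callers from treating them as authenticated output. Since both sizes are `uint`, the doc should also say what happens when their sum with the ciphertext length overflows.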
@@ -0,0 +1,29 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ ///
+ /// Represents a type that contains configuration information about an IAuthenticatedEncryptor
+ /// instance, including how to serialize it to XML.
+ ///
+ public interface IAuthenticatedEncryptorConfiguration
+ {
+ ///
+ /// Creates a new IAuthenticatedEncryptor instance based on the current configuration.
+ ///
+ /// An IAuthenticatedEncryptor instance.
+ IAuthenticatedEncryptor CreateEncryptorInstance();
+
+ ///
+ /// Exports the current configuration to XML, optionally encrypting secret key material.
+ ///
+ /// The XML encryptor used to encrypt secret material.
+ /// An XElement representing the current configuration object.
+ XElement ToXml(IXmlEncryptor xmlEncryptor);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs
new file mode 100644
index 0000000000..843de1540c
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs
@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ ///
+ /// Represents a type that can create new authenticated encryption configuration objects.
+ ///
+ public interface IAuthenticatedEncryptorConfigurationFactory
+ {
+ ///
+ /// Creates a new configuration object with fresh secret key material.
+ ///
+ ///
+ /// An IAuthenticatedEncryptorConfiguration instance.
+ ///
+ IAuthenticatedEncryptorConfiguration CreateNewConfiguration();
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
new file mode 100644
index 0000000000..0d1fcc38fc
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ ///
+ /// Represents a type that can deserialize an XML-serialized IAuthenticatedEncryptorConfiguration.
+ ///
+ public interface IAuthenticatedEncryptorConfigurationXmlReader
+ {
+ ///
+ /// Deserializes an XML-serialized IAuthenticatedEncryptorConfiguration.
+ ///
+ /// The XML element to deserialize.
+ /// The deserialized IAuthenticatedEncryptorConfiguration.
+ IAuthenticatedEncryptorConfiguration FromXml(XElement element);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs
new file mode 100644
index 0000000000..e636713040
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs
@@ -0,0 +1,73 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ internal sealed class ManagedAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration
+ {
+ internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/2014/dataProtection/managed");
+ internal static readonly XName ManagedEncryptorElementName = XmlNamespace.GetName("managedEncryptor");
+ internal static readonly XName EncryptionElementName = XmlNamespace.GetName("encryption");
+ internal static readonly XName SecretElementName = XmlNamespace.GetName("secret");
+ internal static readonly XName ValidationElementName = XmlNamespace.GetName("validation");
+
+ private readonly ManagedAuthenticatedEncryptorConfigurationOptions _options;
+ private readonly ISecret _secret;
+
+ public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptorConfigurationOptions options, ISecret secret)
+ {
+ _options = options;
+ _secret = secret;
+ }
+
+ public IAuthenticatedEncryptor CreateEncryptorInstance()
+ {
+ return _options.CreateAuthenticatedEncryptor(_secret);
+ }
+
+ private XElement EncryptSecret(IXmlEncryptor encryptor)
+ {
+ // First, create the inner element.
+ XElement secretElement;
+ byte[] plaintextSecret = new byte[_secret.Length];
+ try
+ {
+ _secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret));
+ secretElement = new XElement(SecretElementName, Convert.ToBase64String(plaintextSecret));
+ }
+ finally
+ {
+ Array.Clear(plaintextSecret, 0, plaintextSecret.Length);
+ }
+
+ // Then encrypt it and wrap it in another element.
+ var encryptedSecretElement = encryptor.Encrypt(secretElement);
+ CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptedSecretElement.Attribute("decryptor")),
+ @"TODO: encryption was invalid.");
+
+ return new XElement(SecretElementName, encryptedSecretElement);
+ }
+
+ public XElement ToXml([NotNull] IXmlEncryptor xmlEncryptor)
+ {
+ //
+ //
+ //
+ // ...
+ //
+
+ return new XElement(ManagedEncryptorElementName,
+ new XAttribute("reader", typeof(ManagedAuthenticatedEncryptorConfigurationXmlReader).AssemblyQualifiedName),
+ new XElement(EncryptionElementName,
+ new XAttribute("type", _options.EncryptionAlgorithmType),
+ new XAttribute("keyLength", _options.EncryptionAlgorithmKeySize)),
+ new XElement(ValidationElementName,
+ new XAttribute("type", _options.ValidationAlgorithmType)),
+ EncryptSecret(xmlEncryptor));
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs
new file mode 100644
index 0000000000..41cb60213e
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs
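Review bot: In `ManagedAuthenticatedEncryptorConfiguration.ToXml`, `new XAttribute("type", _options.EncryptionAlgorithmType)` stores the type through its `ToString()` form, which drops the assembly name, while the reader resolves the value with `Type.GetType(..., throwOnError: true)`. `Type.GetType` with an unqualified name searches only the calling assembly and the core library, so an algorithm type that lives elsewhere will likely fail to load when the configuration is read back. Write the qualified name, as the `reader` attribute already does: `new XAttribute("type", _options.EncryptionAlgorithmType.AssemblyQualifiedName)`, and the same for `ValidationAlgorithmType`.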
@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Security.DataProtection.Managed;
+using Microsoft.Framework.OptionsModel;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ public sealed class ManagedAuthenticatedEncryptorConfigurationFactory : IAuthenticatedEncryptorConfigurationFactory
+ {
+ private readonly ManagedAuthenticatedEncryptorConfigurationOptions _options;
+
+ public ManagedAuthenticatedEncryptorConfigurationFactory([NotNull] IOptionsAccessor optionsAccessor)
+ {
+ _options = optionsAccessor.Options.Clone();
+ }
+
+ public IAuthenticatedEncryptorConfiguration CreateNewConfiguration()
+ {
+ // generate a 512-bit secret randomly
+ const int KDK_SIZE_IN_BYTES = 512 / 8;
+ byte[] kdk = ManagedGenRandomImpl.Instance.GenRandom(KDK_SIZE_IN_BYTES);
+ ProtectedMemoryBlob secret;
+ try
+ {
+ secret = new ProtectedMemoryBlob(kdk);
+ }
+ finally
+ {
+ Array.Clear(kdk, 0, kdk.Length);
+ }
+
+ return new ManagedAuthenticatedEncryptorConfiguration(_options, secret);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs
new file mode 100644
index 0000000000..0a9036886c
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs
@@ -0,0 +1,115 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Reflection;
+using System.Security.Cryptography;
+using Microsoft.AspNet.Security.DataProtection.Managed;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ ///
+ /// Options for configuring an authenticated encryption mechanism which uses
+ /// managed SymmetricAlgorithm and KeyedHashAlgorithm implementations.
+ ///
+ public sealed class ManagedAuthenticatedEncryptorConfigurationOptions
+ {
+ ///
+ /// The type of the algorithm to use for symmetric encryption.
+ /// This property is required to have a value.
+ ///
+ ///
+ /// The algorithm must support CBC-style encryption and PKCS#7 padding and must have a block size of 64 bits or greater.
+ /// The default algorithm is AES.
+ ///
+ public Type EncryptionAlgorithmType { get; set; } = typeof(Aes);
+
+ ///
+ /// The length (in bits) of the key that will be used for symmetric encryption.
+ /// This property is required to have a value.
+ ///
+ ///
+ /// The key length must be 128 bits or greater.
+ /// The default value is 256.
+ ///
+ public int EncryptionAlgorithmKeySize { get; set; } = 256;
+
+ ///
+ /// A factory for the algorithm to use for validation.
+ /// This property is required to have a value.
+ ///
+ ///
+ /// The algorithm must have a digest length of 128 bits or greater.
+ /// The default algorithm is HMACSHA256.
+ ///
+ public Type ValidationAlgorithmType { get; set; } = typeof(HMACSHA256);
+
+ ///
+ /// Makes a duplicate of this object, which allows the original object to remain mutable.
+ ///
+ internal ManagedAuthenticatedEncryptorConfigurationOptions Clone()
+ {
+ return new ManagedAuthenticatedEncryptorConfigurationOptions()
+ {
+ EncryptionAlgorithmType = this.EncryptionAlgorithmType,
+ EncryptionAlgorithmKeySize = this.EncryptionAlgorithmKeySize,
+ ValidationAlgorithmType = this.ValidationAlgorithmType
+ };
+ }
+
+ internal IAuthenticatedEncryptor CreateAuthenticatedEncryptor([NotNull] ISecret secret)
+ {
+ // Create the encryption and validation object
+ Func encryptorFactory = GetEncryptionAlgorithmFactory();
+ Func validatorFactory = GetValidationAlgorithmFactory();
+
+ // Check key size here
+ int keySizeInBits = EncryptionAlgorithmKeySize;
+ CryptoUtil.Assert(keySizeInBits % 8 == 0, "keySizeInBits % 8 == 0");
+ int keySizeInBytes = keySizeInBits / 8;
+
+ // We're good to go!
+ return new ManagedAuthenticatedEncryptor(
+ keyDerivationKey: new ProtectedMemoryBlob(secret),
+ symmetricAlgorithmFactory: encryptorFactory,
+ symmetricAlgorithmKeySizeInBytes: keySizeInBytes,
+ validationAlgorithmFactory: validatorFactory);
+ }
+
+ private Func GetEncryptionAlgorithmFactory()
+ {
+ CryptoUtil.Assert(EncryptionAlgorithmType != null, "EncryptionAlgorithmType != null");
+ CryptoUtil.Assert(typeof(SymmetricAlgorithm).IsAssignableFrom(EncryptionAlgorithmType), "typeof(SymmetricAlgorithm).IsAssignableFrom(EncryptionAlgorithmType)");
+
+ if (EncryptionAlgorithmType == typeof(Aes))
+ {
+ // On Core CLR, there's no public concrete implementation of AES, so we'll special-case it here
+ return Aes.Create;
+ }
+ else
+ {
+ // Otherwise the algorithm must have a default ctor
+ return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivator<>).MakeGenericType(EncryptionAlgorithmType))).Creator;
+ }
+ }
+
+ private Func GetValidationAlgorithmFactory()
+ {
+ CryptoUtil.Assert(ValidationAlgorithmType != null, "ValidationAlgorithmType != null");
+ CryptoUtil.Assert(typeof(KeyedHashAlgorithm).IsAssignableFrom(ValidationAlgorithmType), "typeof(KeyedHashAlgorithm).IsAssignableFrom(ValidationAlgorithmType)");
+
+ // The algorithm must have a default ctor
+ return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivator<>).MakeGenericType(ValidationAlgorithmType))).Creator;
+ }
+
+ private interface IActivator
+ {
+ Func Creator { get; }
+ }
+
+ private class AlgorithmActivator : IActivator where T : new()
+ {
+ public Func Creator { get; } = Activator.CreateInstance;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs
new file mode 100644
index 0000000000..cfa38ed3ea
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs
@@ -0,0 +1,68 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.Framework.DependencyInjection;
+
+namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+{
+ internal sealed class ManagedAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader
+ {
+ private readonly IServiceProvider _serviceProvider;
+ private readonly ITypeActivator _typeActivator;
+
+ public ManagedAuthenticatedEncryptorConfigurationXmlReader(
+ [NotNull] IServiceProvider serviceProvider,
+ [NotNull] ITypeActivator typeActivator)
+ {
+ _serviceProvider = serviceProvider;
+ _typeActivator = typeActivator;
+ }
+
+ public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element)
+ {
+ //
+ //
+ //
+ // ...
+ //
+
+ CryptoUtil.Assert(element.Name == ManagedAuthenticatedEncryptorConfiguration.EncryptionElementName,
+ @"TODO: Bad element.");
+
+ var options = new ManagedAuthenticatedEncryptorConfigurationOptions();
+
+ // read element
+ var encryptionElement = element.Element(ManagedAuthenticatedEncryptorConfiguration.EncryptionElementName);
+ options.EncryptionAlgorithmType = Type.GetType((string)encryptionElement.Attribute("type"), throwOnError: true);
+ options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength");
+
+ // read element
+ var validationElement = element.Element(ManagedAuthenticatedEncryptorConfiguration.ValidationElementName);
+ options.ValidationAlgorithmType = Type.GetType((string)validationElement.Attribute("type"), throwOnError: true);
+
+ // read the child of the element, then decrypt it
+ var encryptedSecretElement = element.Element(ManagedAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single();
+ var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor");
+ var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true);
+ var secretElementDecryptor = (IXmlDecryptor)_typeActivator.CreateInstance(_serviceProvider, secretElementDecryptorType);
+ var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement);
+ CryptoUtil.Assert(decryptedSecretElement.Name == ManagedAuthenticatedEncryptorConfiguration.SecretElementName,
+ @"TODO: Bad element.");
+
+ byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement);
+ try
+ {
+ var protectedMemoryBlob = new ProtectedMemoryBlob(decryptedSecretBytes);
+ return new ManagedAuthenticatedEncryptorConfiguration(options, protectedMemoryBlob);
+ }
+ finally
+ {
+ Array.Clear(decryptedSecretBytes, 0, decryptedSecretBytes.Length);
+ }
+ }
+ }
+}
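Review bot: `FromXml` resolves `secretElementDecryptorType` from the `decryptor` attribute via `Type.GetType` and passes it to `_typeActivator.CreateInstance` before anything confirms it is an `IXmlDecryptor`, so the cast can only fail after the type's constructor has already run. Because the type name is read from the stored XML, the type should be checked ahead of activation, for example `CryptoUtil.Assert(typeof(IXmlDecryptor).IsAssignableFrom(secretElementDecryptorType), "typeof(IXmlDecryptor).IsAssignableFrom(secretElementDecryptorType)");`. Separately, the results of `element.Element(...)` and the attribute reads are used without null checks, so a malformed document would presumably surface as a null-reference or argument exception rather than a clear configuration error. The first assert compares the root element's name with `EncryptionElementName` and the next statement looks up a child with that same name, which looks like a copy/paste slip worth confirming.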
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs b/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs deleted file mode 100644 index 67327aba4a..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/BCRYPT_KEY_DATA_BLOB_HEADER.cs +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Runtime.CompilerServices; -using System.Runtime.InteropServices; - -namespace Microsoft.AspNet.Security.DataProtection -{ - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375524(v=vs.85).aspx - [StructLayout(LayoutKind.Sequential)] - internal struct BCRYPT_KEY_DATA_BLOB_HEADER - { - // from bcrypt.h - private const uint BCRYPT_KEY_DATA_BLOB_MAGIC = 0x4d42444b; //Key Data Blob Magic (KDBM) - private const uint BCRYPT_KEY_DATA_BLOB_VERSION1 = 0x1; - - public uint dwMagic; - public uint dwVersion; - public uint cbKeyData; - - [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void Initialize(ref BCRYPT_KEY_DATA_BLOB_HEADER pHeader) - { - pHeader.dwMagic = BCRYPT_KEY_DATA_BLOB_MAGIC; - pHeader.dwVersion = BCRYPT_KEY_DATA_BLOB_VERSION1; - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs deleted file mode 100644 index 38b5818e18..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmFlags.cs +++ /dev/null 
@@ -1,16 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.Security.DataProtection -{ - // from bcrypt.h - [Flags] - internal enum BCryptAlgorithmFlags - { - BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008, - BCRYPT_CAPI_AES_FLAG = 0x00000010, - BCRYPT_HASH_REUSABLE_FLAG = 0x00000020, - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs deleted file mode 100644 index 5d05d68027..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptAlgorithmHandle.cs +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.Win32.SafeHandles; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal sealed class BCryptAlgorithmHandle : SafeHandleZeroOrMinusOneIsInvalid - { - // Called by P/Invoke when returning SafeHandles - private BCryptAlgorithmHandle() - : base(ownsHandle: true) - { - } - - // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. - protected override bool ReleaseHandle() - { - return (UnsafeNativeMethods.BCryptCloseAlgorithmProvider(handle, dwFlags: 0) == 0); - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs deleted file mode 100644 index 6144c3e3ec..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptHashHandle.cs +++ /dev/null 
@@ -1,23 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.Win32.SafeHandles; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal sealed class BCryptHashHandle : SafeHandleZeroOrMinusOneIsInvalid - { - // Called by P/Invoke when returning SafeHandles - private BCryptHashHandle() - : base(ownsHandle: true) - { - } - - // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. - protected override bool ReleaseHandle() - { - return (UnsafeNativeMethods.BCryptDestroyHash(handle) == 0); - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs deleted file mode 100644 index ad60cc9ed0..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptUtil.cs +++ /dev/null 
@@ -1,295 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; -using System.Runtime.CompilerServices; -using System.Runtime.InteropServices; -using System.Security.Cryptography; -using System.Text; -using Microsoft.AspNet.Security.DataProtection.Util; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal unsafe static class BCryptUtil - { - // from dpapi.h - const uint CRYPTPROTECTMEMORY_BLOCK_SIZE = 16; - const uint CRYPTPROTECTMEMORY_SAME_PROCESS = 0x00; - - private static readonly UTF8Encoding _secureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); - - // constant-time buffer comparison - [MethodImpl(MethodImplOptions.NoOptimization)] - public static bool BuffersAreEqualSecure(byte* p1, byte* p2, uint count) - { - bool retVal = true; - while (count-- > 0) - { - retVal &= (*(p1++) == *(p2++)); - } - return retVal; - } - - [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void CheckOverflowUnderflow(int input) - { - var unused = checked((uint)input); - } - - [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void CheckOverflowUnderflow(uint input) - { - var unused = checked((int)input); - } - - // helper function to wrap BCryptCreateHash, passing in a key used for HMAC - public static BCryptHashHandle CreateHMACHandle(BCryptAlgorithmHandle algorithmHandle, byte* key, int keyLengthInBytes) - { - CheckOverflowUnderflow(keyLengthInBytes); - - BCryptHashHandle retVal; - int status = UnsafeNativeMethods.BCryptCreateHash(algorithmHandle, out retVal, IntPtr.Zero, 0, key, (uint)keyLengthInBytes, dwFlags: 0); - if (status != 0 || retVal == null || retVal.IsInvalid) - { - throw new CryptographicException(status); - } - - return retVal; - } - - // helper function to wrap BCryptEncrypt; returns 
number of bytes written to 'output' - // assumes the output buffer is large enough to hold the ciphertext + any necessary padding - public static int DecryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) - { - CheckOverflowUnderflow(inputLength); - CheckOverflowUnderflow(ivLength); - CheckOverflowUnderflow(outputLength); - - // BCryptEncrypt destroys the 'iv' parameter, so we need to pass a duplicate instead of the original - if (ivLength > Constants.MAX_STACKALLOC_BYTES) - { - throw new InvalidOperationException(); - } - byte* pDuplicatedIV = stackalloc byte[ivLength]; - BufferUtil.BlockCopy(from: iv, to: pDuplicatedIV, byteCount: ivLength); - - uint retVal; - int status = UnsafeNativeMethods.BCryptDecrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); - if (status != 0) - { - throw new CryptographicException(status); - } - - return checked((int)retVal); - } - - // helper function to wrap BCryptKeyDerivation using SP800-108-CTR-HMAC-SHA512 - public static void DeriveKeysSP800108(byte[] protectedKdk, string purpose, BCryptAlgorithmHandle encryptionAlgorithmHandle, out BCryptKeyHandle encryptionKeyHandle, BCryptAlgorithmHandle hashAlgorithmHandle, out BCryptHashHandle hmacHandle, out byte[] kdfSubkey) - { - const int ENCRYPTION_KEY_SIZE_IN_BYTES = 256 / 8; - const int HMAC_KEY_SIZE_IN_BYTES = 256 / 8; - const int KDF_SUBKEY_SIZE_IN_BYTES = 512 / 8; - const int TOTAL_NUM_BYTES_TO_DERIVE = ENCRYPTION_KEY_SIZE_IN_BYTES + HMAC_KEY_SIZE_IN_BYTES + KDF_SUBKEY_SIZE_IN_BYTES; - - // keep our buffers on the stack while we're generating key material - byte* pBuffer = stackalloc byte[TOTAL_NUM_BYTES_TO_DERIVE]; // will be freed with frame pops - byte* pNewEncryptionKey = pBuffer; - byte* pNewHmacKey = &pNewEncryptionKey[ENCRYPTION_KEY_SIZE_IN_BYTES]; - byte* pNewKdfSubkey = 
&pNewHmacKey[HMAC_KEY_SIZE_IN_BYTES]; - - protectedKdk = (byte[])protectedKdk.Clone(); // CryptUnprotectMemory mutates its input, so we preserve the original - fixed (byte* pKdk = protectedKdk) - { - try - { - // Since the KDK is pinned, the GC won't move around the array containing the plaintext key before we - // have the opportunity to clear its contents. - UnprotectMemoryWithinThisProcess(pKdk, (uint)protectedKdk.Length); - - byte[] purposeBytes = (!String.IsNullOrEmpty(purpose)) ? _secureUtf8Encoding.GetBytes(purpose) : null; - SP800_108Helper.DeriveKeys(pKdk, protectedKdk.Length, purposeBytes, pBuffer, TOTAL_NUM_BYTES_TO_DERIVE); - - // Split into AES, HMAC, and KDF subkeys - encryptionKeyHandle = ImportKey(encryptionAlgorithmHandle, pNewEncryptionKey, ENCRYPTION_KEY_SIZE_IN_BYTES); - hmacHandle = CreateHMACHandle(hashAlgorithmHandle, pNewHmacKey, HMAC_KEY_SIZE_IN_BYTES); - kdfSubkey = BufferUtil.ToProtectedManagedByteArray(pNewKdfSubkey, KDF_SUBKEY_SIZE_IN_BYTES); - } - finally - { - BufferUtil.SecureZeroMemory(pKdk, protectedKdk.Length); - } - } - } - - // helper function to wrap BCryptDuplicateHash - public static BCryptHashHandle DuplicateHash(BCryptHashHandle hashHandle) - { - BCryptHashHandle retVal; - int status = UnsafeNativeMethods.BCryptDuplicateHash(hashHandle, out retVal, IntPtr.Zero, 0, dwFlags: 0); - if (status != 0 || retVal == null || retVal.IsInvalid) - { - throw new CryptographicException(status); - } - - return retVal; - } - - // helper function to wrap BCryptEncrypt; returns number of bytes written to 'output' - // assumes the output buffer is large enough to hold the ciphertext + any necessary padding - public static int EncryptWithPadding(BCryptKeyHandle keyHandle, byte* input, int inputLength, byte* iv, int ivLength, byte* output, int outputLength) - { - CheckOverflowUnderflow(inputLength); - CheckOverflowUnderflow(ivLength); - CheckOverflowUnderflow(outputLength); - - // BCryptEncrypt destroys the 'iv' parameter, so we need to pass a 
duplicate instead of the original - if (ivLength > Constants.MAX_STACKALLOC_BYTES) - { - throw new InvalidOperationException(); - } - byte* pDuplicatedIV = stackalloc byte[ivLength]; - BufferUtil.BlockCopy(from: iv, to: pDuplicatedIV, byteCount: ivLength); - - uint retVal; - int status = UnsafeNativeMethods.BCryptEncrypt(keyHandle, input, (uint)inputLength, IntPtr.Zero, pDuplicatedIV, (uint)ivLength, output, (uint)outputLength, out retVal, BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); - if (status != 0) - { - throw new CryptographicException(status); - } - - return checked((int)retVal); - } - - // helper function to take a key, apply a purpose, and generate a new subkey ("entropy") for DPAPI-specific scenarios - public static byte[] GenerateDpapiSubkey(byte[] previousKey, string purpose) - { - Debug.Assert(previousKey != null); - purpose = purpose ?? String.Empty; // cannot be null - - // create the HMAC object - BCryptHashHandle hashHandle; - fixed (byte* pPreviousKey = previousKey) - { - hashHandle = CreateHMACHandle(Algorithms.HMACSHA256AlgorithmHandle, pPreviousKey, previousKey.Length); - } - - // hash the purpose string, treating it as UTF-16LE - using (hashHandle) - { - byte[] retVal = new byte[256 / 8]; // fixed length output since we're hardcoded to HMACSHA256 - fixed (byte* pRetVal = retVal) - { - fixed (char* pPurpose = purpose) - { - HashData(hashHandle, (byte*)pPurpose, checked(purpose.Length * sizeof(char)), pRetVal, retVal.Length); - return retVal; - } - } - } - } - - // helper function that's similar to RNGCryptoServiceProvider, but works directly with pointers - public static void GenRandom(byte* buffer, int bufferBytes) - { - CheckOverflowUnderflow(bufferBytes); - - int status = UnsafeNativeMethods.BCryptGenRandom(IntPtr.Zero, buffer, (uint)bufferBytes, BCryptGenRandomFlags.BCRYPT_USE_SYSTEM_PREFERRED_RNG); - if (status != 0) - { - throw new CryptographicException(status); - } - } - - // helper function that wraps BCryptHashData / BCryptFinishHash - 
public static void HashData(BCryptHashHandle hashHandle, byte* input, int inputBytes, byte* output, int outputBytes) - { - CheckOverflowUnderflow(inputBytes); - CheckOverflowUnderflow(outputBytes); - - int status = UnsafeNativeMethods.BCryptHashData(hashHandle, input, (uint)inputBytes, dwFlags: 0); - if (status != 0) - { - throw new CryptographicException(status); - } - - status = UnsafeNativeMethods.BCryptFinishHash(hashHandle, output, (uint)outputBytes, dwFlags: 0); - if (status != 0) - { - throw new CryptographicException(status); - } - } - - // helper function that wraps BCryptImportKey with a key data blob - public static BCryptKeyHandle ImportKey(BCryptAlgorithmHandle algHandle, byte* key, int keyBytes) - { - CheckOverflowUnderflow(keyBytes); - - byte[] heapAllocatedKeyDataBlob = null; - int numBytesRequiredForKeyDataBlob = checked(keyBytes + sizeof(BCRYPT_KEY_DATA_BLOB_HEADER)); - if (numBytesRequiredForKeyDataBlob > Constants.MAX_STACKALLOC_BYTES) - { - heapAllocatedKeyDataBlob = new byte[numBytesRequiredForKeyDataBlob]; // allocate on heap if we cannot allocate on stack - } - - int status; - BCryptKeyHandle retVal; - fixed (byte* pHeapAllocatedKeyDataBlob = heapAllocatedKeyDataBlob) - { - // The header is first; if it wasn't heap-allocated we can stack-allocate now - BCRYPT_KEY_DATA_BLOB_HEADER* pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)pHeapAllocatedKeyDataBlob; - if (pKeyDataBlobHeader == null) - { - byte* temp = stackalloc byte[numBytesRequiredForKeyDataBlob]; // won't be released until frame pops - pKeyDataBlobHeader = (BCRYPT_KEY_DATA_BLOB_HEADER*)temp; - } - BCRYPT_KEY_DATA_BLOB_HEADER.Initialize(ref *pKeyDataBlobHeader); - pKeyDataBlobHeader->cbKeyData = (uint)keyBytes; - - // the raw material immediately follows the header - byte* pKeyDataRawMaterial = (byte*)(&pKeyDataBlobHeader[1]); - - try - { - BufferUtil.BlockCopy(from: key, to: pKeyDataRawMaterial, byteCount: keyBytes); - status = UnsafeNativeMethods.BCryptImportKey(algHandle, 
IntPtr.Zero, Constants.BCRYPT_KEY_DATA_BLOB, out retVal, IntPtr.Zero, 0, (byte*)pKeyDataBlobHeader, (uint)numBytesRequiredForKeyDataBlob, dwFlags: 0); - } - finally - { - // zero out the key we just copied - BufferUtil.SecureZeroMemory(pKeyDataRawMaterial, keyBytes); - } - } - - if (status != 0 || retVal == null || retVal.IsInvalid) - { - throw new CryptographicException(status); - } - return retVal; - } - - internal static void ProtectMemoryWithinThisProcess(byte* pBuffer, uint bufferLength) - { - Debug.Assert(pBuffer != null); - Debug.Assert(bufferLength % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0, "Input buffer size must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE."); - - bool success = UnsafeNativeMethods.CryptProtectMemory(pBuffer, bufferLength, CRYPTPROTECTMEMORY_SAME_PROCESS); - if (!success) - { - throw new CryptographicException(Marshal.GetLastWin32Error()); - } - } - - internal static void UnprotectMemoryWithinThisProcess(byte* pBuffer, uint bufferLength) - { - Debug.Assert(pBuffer != null); - Debug.Assert(bufferLength % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0, "Input buffer size must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE."); - - bool success = UnsafeNativeMethods.CryptUnprotectMemory(pBuffer, bufferLength, CRYPTPROTECTMEMORY_SAME_PROCESS); - if (!success) - { - throw new CryptographicException(Marshal.GetLastWin32Error()); - } - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs b/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs new file mode 100644 index 0000000000..379b5cdf5d --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs 
@@ -0,0 +1,45 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+
+namespace Microsoft.AspNet.Security.DataProtection
+{
+ internal unsafe static class BitHelpers
+ {
+ ///
+ /// Writes an unsigned 32-bit value to a memory address, big-endian.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void WriteTo(void* ptr, uint value)
+ {
+ byte* bytePtr = (byte*)ptr;
+ bytePtr[0] = (byte)(value >> 24);
+ bytePtr[1] = (byte)(value >> 16);
+ bytePtr[2] = (byte)(value >> 8);
+ bytePtr[3] = (byte)(value);
+ }
+
+ ///
+ /// Writes a signed 32-bit value to a memory address, big-endian.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void WriteTo(byte[] buffer, ref int idx, int value)
+ {
+ WriteTo(buffer, ref idx, (uint)value);
+ }
+
+ ///
+ /// Writes a signed 32-bit value to a memory address, big-endian.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static void WriteTo(byte[] buffer, ref int idx, uint value)
+ {
+ buffer[idx++] = (byte)(value >> 24);
+ buffer[idx++] = (byte)(value >> 16);
+ buffer[idx++] = (byte)(value >> 8);
+ buffer[idx++] = (byte)(value);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
new file mode 100644
index 0000000000..5909ddd9f9
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
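Review bot: The summary on `WriteTo(byte[] buffer, ref int idx, uint value)` in BitHelpers.cs says it writes a signed value to a memory address, but the parameter is `uint` and the destination is `buffer` at `idx`; the `int` overload's summary has the same "memory address" wording. For the `uint` overload I would write `/// Writes an unsigned 32-bit value to buffer starting at idx, big-endian, and advances idx by four.`, with the signed equivalent on the `int` overload. The comments should also state that no overload checks that four bytes are available: the array overload can throw after a partial write with `idx` already advanced, and the `void*` overload relies entirely on the caller to size the destination.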
@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ // http://msdn.microsoft.com/en-us/library/windows/desktop/cc562981(v=vs.85).aspx
+ [StructLayout(LayoutKind.Sequential)]
+ internal unsafe struct BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO
+ {
+ public uint cbSize;
+ public uint dwInfoVersion;
+ public byte* pbNonce;
+ public uint cbNonce;
+ public byte* pbAuthData;
+ public uint cbAuthData;
+ public byte* pbTag;
+ public uint cbTag;
+ public byte* pbMacContext;
+ public uint cbMacContext;
+ public uint cbAAD;
+ public ulong cbData;
+ public uint dwFlags;
+
+ // corresponds to the BCRYPT_INIT_AUTH_MODE_INFO macro in bcrypt.h
+ public static void Init(out BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO info)
+ {
+ const uint BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_VERSION = 1;
+ info = new BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO
+ {
+ cbSize = (uint)sizeof(BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO),
+ dwInfoVersion = BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_VERSION
+ };
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
new file mode 100644
index 0000000000..1660bea5a4
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Globalization;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375525(v=vs.85).aspx
+ [StructLayout(LayoutKind.Sequential)]
+ internal struct BCRYPT_KEY_LENGTHS_STRUCT
+ {
+ // MSDN says these fields represent the key length in bytes.
+ // It's wrong: these key lengths are all actually in bits.
+ private uint dwMinLength;
+ private uint dwMaxLength;
+ private uint dwIncrement;
+
+ public void EnsureValidKeyLength(uint keyLengthInBits)
+ {
+ if (!IsValidKeyLength(keyLengthInBits))
+ {
+ string message = String.Format(CultureInfo.CurrentCulture, Resources.BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength, keyLengthInBits, dwMinLength, dwMaxLength, dwIncrement);
+ throw new ArgumentException(message, "keyLengthInBits");
+ }
+ CryptoUtil.Assert(keyLengthInBits % 8 == 0, "keyLengthInBits % 8 == 0");
+ }
+
+ private bool IsValidKeyLength(uint keyLengthInBits)
+ {
+ // If the step size is zero, then the key length must be exactly the min or the max. Otherwise,
+ // key length must be between min and max (inclusive) and a whole number of increments away from min.
+ if (dwIncrement == 0)
+ {
+ return (keyLengthInBits == dwMinLength || keyLengthInBits == dwMaxLength);
+ }
+ else
+ {
+ return (dwMinLength <= keyLengthInBits)
+ && (keyLengthInBits <= dwMaxLength)
+ && ((keyLengthInBits - dwMinLength) % dwIncrement == 0);
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs similarity index 76% rename from src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs rename to src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs index 818a35360b..13d76f2f12 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBuffer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs @@ -1,11 +1,10 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Security.DataProtection.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs similarity index 86% rename from src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs rename to src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs index e27c12df36..477e9c4725 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptBufferDesc.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs 
@@ -1,11 +1,11 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Security.DataProtection.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375370(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs similarity index 62% rename from src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs rename to src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs index a435271ff3..9d46755dec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs @@ -1,11 +1,10 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Security.DataProtection.Cng { - // from bcrypt.h [Flags] internal enum BCryptEncryptFlags { diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs similarity index 71% rename from src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs rename to src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs index 1e96354394..2fef69b319 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptGenRandomFlags.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs @@ -1,9 +1,9 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Security.DataProtection.Cng { // from bcrypt.h [Flags] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs new file mode 100644 index 0000000000..6ce50391f1 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs @@ -0,0 +1,21 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.Cng +{ + internal unsafe sealed class BCryptGenRandomImpl : IBCryptGenRandom + { + public static readonly BCryptGenRandomImpl Instance = new BCryptGenRandomImpl(); + + private BCryptGenRandomImpl() + { + } + + public void GenRandom(byte* pbBuffer, uint cbBuffer) + { + BCryptUtil.GenRandom(pbBuffer, cbBuffer); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs similarity index 85% rename from src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs rename to src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs index 6cc9882dd9..db47ba9b67 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyDerivationBufferType.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs @@ -1,9 +1,9 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Security.DataProtection.Cng { // from bcrypt.h internal enum BCryptKeyDerivationBufferType diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs new file mode 100644 index 0000000000..5afd9e2512 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs @@ -0,0 +1,24 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.Cng +{ + internal unsafe static class BCryptUtil + { + // helper function that's similar to RNGCryptoServiceProvider, but works directly with pointers + public static void GenRandom(byte* pbBuffer, uint cbBuffer) + { + if (cbBuffer != 0) + { + int ntstatus = UnsafeNativeMethods.BCryptGenRandom( + hAlgorithm: IntPtr.Zero, + pbBuffer: pbBuffer, + cbBuffer: cbBuffer, + dwFlags: BCryptGenRandomFlags.BCRYPT_USE_SYSTEM_PREFERRED_RNG); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs new file mode 100644 index 0000000000..ba6f5df025 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs 
@@ -0,0 +1,152 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.Cng +{ + /// + /// Provides cached CNG algorithm provider instances, as calling BCryptOpenAlgorithmProvider is expensive. + /// Callers should use caution never to dispose of the algorithm provider instances returned by this type. + /// + internal static class CachedAlgorithmHandles + { + private static CachedAlgorithmInfo _aesCbc = new CachedAlgorithmInfo(() => GetAesAlgorithm(chainingMode: Constants.BCRYPT_CHAIN_MODE_CBC)); + private static CachedAlgorithmInfo _aesGcm = new CachedAlgorithmInfo(() => GetAesAlgorithm(chainingMode: Constants.BCRYPT_CHAIN_MODE_GCM)); + private static CachedAlgorithmInfo _hmacSha1 = new CachedAlgorithmInfo(() => GetHmacAlgorithm(algorithm: Constants.BCRYPT_SHA1_ALGORITHM)); + private static CachedAlgorithmInfo _hmacSha256 = new CachedAlgorithmInfo(() => GetHmacAlgorithm(algorithm: Constants.BCRYPT_SHA256_ALGORITHM)); + private static CachedAlgorithmInfo _hmacSha512 = new CachedAlgorithmInfo(() => GetHmacAlgorithm(algorithm: Constants.BCRYPT_SHA512_ALGORITHM)); + private static CachedAlgorithmInfo _pbkdf2 = new CachedAlgorithmInfo(GetPbkdf2Algorithm); + private static CachedAlgorithmInfo _sha1 = new CachedAlgorithmInfo(() => GetHashAlgorithm(algorithm: Constants.BCRYPT_SHA1_ALGORITHM)); + private static CachedAlgorithmInfo _sha256 = new CachedAlgorithmInfo(() => GetHashAlgorithm(algorithm: Constants.BCRYPT_SHA256_ALGORITHM)); + private static CachedAlgorithmInfo _sha512 = new CachedAlgorithmInfo(() => GetHashAlgorithm(algorithm: Constants.BCRYPT_SHA512_ALGORITHM)); + private static CachedAlgorithmInfo _sp800_108_ctr_hmac = new CachedAlgorithmInfo(GetSP800_108_CTR_HMACAlgorithm); + + public static 
BCryptAlgorithmHandle AES_CBC + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _aesCbc); + } + } + + public static BCryptAlgorithmHandle AES_GCM + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _aesGcm); + } + } + + public static BCryptAlgorithmHandle HMAC_SHA1 + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha1); + } + } + + public static BCryptAlgorithmHandle HMAC_SHA256 + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha256); + } + } + + public static BCryptAlgorithmHandle HMAC_SHA512 + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha512); + } + } + + // Only available on Win8+. + public static BCryptAlgorithmHandle PBKDF2 + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _pbkdf2); + } + } + + public static BCryptAlgorithmHandle SHA1 + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha1); + } + } + + public static BCryptAlgorithmHandle SHA256 + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha256); + } + } + + public static BCryptAlgorithmHandle SHA512 + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha512); + } + } + + public static BCryptAlgorithmHandle SP800_108_CTR_HMAC + { + get + { + return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sp800_108_ctr_hmac); + } + } + + private static BCryptAlgorithmHandle GetAesAlgorithm(string chainingMode) + { + var algHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(Constants.BCRYPT_AES_ALGORITHM); + algHandle.SetChainingMode(chainingMode); + return algHandle; + } + + private static BCryptAlgorithmHandle GetHashAlgorithm(string algorithm) + { + return BCryptAlgorithmHandle.OpenAlgorithmHandle(algorithm, hmac: false); + } + + private static BCryptAlgorithmHandle GetHmacAlgorithm(string algorithm) + { + return BCryptAlgorithmHandle.OpenAlgorithmHandle(algorithm, hmac: true); + } + + private static BCryptAlgorithmHandle GetPbkdf2Algorithm() + { + 
return BCryptAlgorithmHandle.OpenAlgorithmHandle(Constants.BCRYPT_PBKDF2_ALGORITHM, implementation: Constants.MS_PRIMITIVE_PROVIDER); + } + + private static BCryptAlgorithmHandle GetSP800_108_CTR_HMACAlgorithm() + { + return BCryptAlgorithmHandle.OpenAlgorithmHandle(Constants.BCRYPT_SP800108_CTR_HMAC_ALGORITHM, implementation: Constants.MS_PRIMITIVE_PROVIDER); + } + + // Warning: mutable struct! + private struct CachedAlgorithmInfo + { + private WeakReference _algorithmHandle; + private readonly Func _factory; + + public CachedAlgorithmInfo(Func factory) + { + _algorithmHandle = null; + _factory = factory; + } + + public static BCryptAlgorithmHandle GetAlgorithmHandle(ref CachedAlgorithmInfo cachedAlgorithmInfo) + { + return WeakReferenceHelpers.GetSharedInstance(ref cachedAlgorithmInfo._algorithmHandle, cachedAlgorithmInfo._factory); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs new file mode 100644 index 0000000000..cc65448056 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs 
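Review bot: The `SP800_108_CTR_HMAC` property in CachedAlgorithmHandles.cs lacks the platform comment that `PBKDF2` carries. CNG also offers `BCRYPT_SP800108_CTR_HMAC_ALGORITHM` only from Windows 8 onward, so on an older OS the first access would fail with nothing in this file to explain why. I would add `// Only available on Win8+.` above that property as well. The static `CachedAlgorithmInfo` fields are passed by `ref` into `WeakReferenceHelpers.GetSharedInstance`, which is outside this hunk; a one-line comment next to `// Warning: mutable struct!` saying whether concurrent first use is expected to be safe would help the next reader.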
@@ -0,0 +1,437 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Security.DataProtection.SP800_108; + +namespace Microsoft.AspNet.Security.DataProtection.Cng +{ + // An encryptor which does Encrypt(CBC) + HMAC using the Windows CNG (BCrypt*) APIs. + // The payloads produced by this encryptor should be compatible with the payloads + // produced by the managed Encrypt(CBC) + HMAC encryptor. + internal unsafe sealed class CbcAuthenticatedEncryptor : CngAuthenticatedEncryptorBase + { + // Even when IVs are chosen randomly, CBC is susceptible to IV collisions within a single + // key. For a 64-bit block cipher (like 3DES), we'd expect a collision after 2^32 block + // encryption operations, which a high-traffic web server might perform in mere hours. + // AES and other 128-bit block ciphers are less susceptible to this due to the larger IV + // space, but unfortunately some organizations require older 64-bit block ciphers. To address + // the collision issue, we'll feed 128 bits of entropy to the KDF when performing subkey + // generation. This creates >= 192 bits total entropy for each operation, so we shouldn't + // expect a collision until >= 2^96 operations. Even 2^80 operations still maintains a <= 2^-32 + // probability of collision, and this is acceptable for the expected KDK lifetime. + private const uint KEY_MODIFIER_SIZE_IN_BYTES = 128 / 8; + + // Our analysis re: IV collision resistance only holds if we're working with block ciphers + // with a block length of 64 bits or greater. + internal const uint SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES = 64 / 8; + + // Min security bar: authentication tag must have at least 128 bits of output. 
+ internal const uint HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES = 128 / 8; + + private readonly byte[] _contextHeader; + private readonly IBCryptGenRandom _genRandom; + private readonly BCryptAlgorithmHandle _hmacAlgorithmHandle; + private readonly uint _hmacAlgorithmDigestLengthInBytes; + private readonly uint _hmacAlgorithmSubkeyLengthInBytes; + private readonly ISP800_108_CTR_HMACSHA512Provider _sp800_108_ctr_hmac_provider; + private readonly BCryptAlgorithmHandle _symmetricAlgorithmHandle; + private readonly uint _symmetricAlgorithmBlockSizeInBytes; + private readonly uint _symmetricAlgorithmSubkeyLengthInBytes; + + public CbcAuthenticatedEncryptor(ProtectedMemoryBlob keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, BCryptAlgorithmHandle hmacAlgorithmHandle, IBCryptGenRandom genRandom = null) + { + CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, + "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); + + _genRandom = genRandom ?? 
BCryptGenRandomImpl.Instance; + _sp800_108_ctr_hmac_provider = SP800_108_CTR_HMACSHA512Util.CreateProvider(keyDerivationKey); + _symmetricAlgorithmHandle = symmetricAlgorithmHandle; + _symmetricAlgorithmBlockSizeInBytes = symmetricAlgorithmHandle.GetCipherBlockLength(); + _symmetricAlgorithmSubkeyLengthInBytes = symmetricAlgorithmKeySizeInBytes; + _hmacAlgorithmHandle = hmacAlgorithmHandle; + _hmacAlgorithmDigestLengthInBytes = hmacAlgorithmHandle.GetHashDigestLength(); + _hmacAlgorithmSubkeyLengthInBytes = _hmacAlgorithmDigestLengthInBytes; // for simplicity we'll generate HMAC subkeys with a length equal to the digest length + + CryptoUtil.Assert(SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES, + "SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); + + CryptoUtil.Assert(HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _hmacAlgorithmDigestLengthInBytes, + "HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _hmacAlgorithmDigestLengthInBytes"); + + CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= _hmacAlgorithmSubkeyLengthInBytes && _hmacAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES, + "KEY_MODIFIER_SIZE_IN_BYTES <= _hmacAlgorithmSubkeyLengthInBytes && _hmacAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES"); + + _contextHeader = CreateContextHeader(); + } + + private byte[] CreateContextHeader() + { + byte[] retVal = new byte[checked( + 1 /* KDF alg */ + + 1 /* chaining mode */ + + sizeof(uint) /* sym alg key size */ + + sizeof(uint) /* sym alg block size */ + + sizeof(uint) /* hmac alg key size */ + + sizeof(uint) /* hmac alg digest size */ + + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */ + + _hmacAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)]; + + fixed (byte* pbRetVal = retVal) + { + byte* ptr = 
pbRetVal; + + // First is the two-byte header + *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF + *(ptr++) = 0; // 0x00 = CBC encryption + HMAC authentication + + // Next is information about the symmetric algorithm (key size followed by block size) + BitHelpers.WriteTo(ptr, _symmetricAlgorithmSubkeyLengthInBytes); + ptr += sizeof(uint); + BitHelpers.WriteTo(ptr, _symmetricAlgorithmBlockSizeInBytes); + ptr += sizeof(uint); + + // Next is information about the HMAC algorithm (key size followed by digest size) + BitHelpers.WriteTo(ptr, _hmacAlgorithmSubkeyLengthInBytes); + ptr += sizeof(uint); + BitHelpers.WriteTo(ptr, _hmacAlgorithmDigestLengthInBytes); + ptr += sizeof(uint); + + // See the design document for an explanation of the following code. + byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes]; + fixed (byte* pbTempKeys = tempKeys) + { + byte dummy; + + // Derive temporary keys for encryption + HMAC. + using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider()) + { + provider.DeriveKey( + pbLabel: &dummy, + cbLabel: 0, + pbContext: &dummy, + cbContext: 0, + pbDerivedKey: pbTempKeys, + cbDerivedKey: (uint)tempKeys.Length); + } + + // At this point, tempKeys := { K_E || K_H }. + byte* pbSymmetricEncryptionSubkey = pbTempKeys; + byte* pbHmacSubkey = &pbTempKeys[_symmetricAlgorithmSubkeyLengthInBytes]; + + // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer. 
+ using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes)) + { + fixed (byte* pbIV = new byte[_symmetricAlgorithmBlockSizeInBytes] /* will be zero-initialized */) + { + DoCbcEncrypt( + symmetricKeyHandle: symmetricKeyHandle, + pbIV: pbIV, + pbInput: &dummy, + cbInput: 0, + pbOutput: ptr, + cbOutput: _symmetricAlgorithmBlockSizeInBytes); + } + } + ptr += _symmetricAlgorithmBlockSizeInBytes; + + // MAC a zero-length input string and copy the digest to the return buffer. + using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes)) + { + hashHandle.HashData( + pbInput: &dummy, + cbInput: 0, + pbHashDigest: ptr, + cbHashDigest: _hmacAlgorithmDigestLengthInBytes); + } + + ptr += _hmacAlgorithmDigestLengthInBytes; + CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length"); + } + } + + // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || hmacAlgKeySize || hmacAlgDigestSize || E("") || MAC("") }. 
+ return retVal; + } + + protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) + { + // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC + if (cbCiphertext < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes)) + { + throw Error.CryptCommon_PayloadInvalid(); + } + + // Assumption: pbCipherText := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) } + + uint cbEncryptedData = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes)); + + // Calculate offsets + byte* pbKeyModifier = pbCiphertext; + byte* pbIV = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES]; + byte* pbEncryptedData = &pbIV[_symmetricAlgorithmBlockSizeInBytes]; + byte* pbActualHmac = &pbEncryptedData[cbEncryptedData]; + + // Use the KDF to recreate the symmetric encryption and HMAC subkeys + // We'll need a temporary buffer to hold them + uint cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes); + byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)]; + try + { + _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader( + pbLabel: pbAdditionalAuthenticatedData, + cbLabel: cbAdditionalAuthenticatedData, + contextHeader: _contextHeader, + pbContext: pbKeyModifier, + cbContext: KEY_MODIFIER_SIZE_IN_BYTES, + pbDerivedKey: pbTempSubkeys, + cbDerivedKey: cbTempSubkeys); + + // Calculate offsets + byte* pbSymmetricEncryptionSubkey = pbTempSubkeys; + byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes]; + + // First, perform an explicit integrity check over (iv | encryptedPayload) to ensure the + // data hasn't been tampered with. The integrity check is also implicitly performed over + // keyModifier since that value was provided to the KDF earlier. 
+ using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes)) + { + if (!ValidateHash(hashHandle, pbIV, _symmetricAlgorithmBlockSizeInBytes + cbEncryptedData, pbActualHmac)) + { + throw Error.CryptCommon_PayloadInvalid(); + } + } + + // If the integrity check succeeded, decrypt the payload. + using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes)) + { + return DoCbcDecrypt(decryptionSubkeyHandle, pbIV, pbEncryptedData, cbEncryptedData); + } + } + finally + { + // Buffer contains sensitive key material; nuke. + UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys); + } + } + + public override void Dispose() + { + _sp800_108_ctr_hmac_provider.Dispose(); + + // We don't want to dispose of the underlying algorithm instances because they + // might be reused. + } + + // 'pbIV' must be a pointer to a buffer equal in length to the symmetric algorithm block size. + private byte[] DoCbcDecrypt(BCryptKeyHandle symmetricKeyHandle, byte* pbIV, byte* pbInput, uint cbInput) + { + // BCryptDecrypt mutates the provided IV; we need to clone it to prevent mutation of the original value + byte* pbClonedIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)]; + UnsafeBufferUtil.BlockCopy(from: pbIV, to: pbClonedIV, byteCount: _symmetricAlgorithmBlockSizeInBytes); + + // First, figure out how large an output buffer we require. + // Ideally we'd be able to transform the last block ourselves and strip + // off the padding before creating the return value array, but we don't + // know the actual padding scheme being used under the covers (we can't + // assume PKCS#7). So unfortunately we're stuck with the temporary buffer. + // (Querying the output size won't mutate the IV.) 
+ uint dwEstimatedDecryptedByteCount; + int ntstatus = UnsafeNativeMethods.BCryptDecrypt( + hKey: symmetricKeyHandle, + pbInput: pbInput, + cbInput: cbInput, + pPaddingInfo: null, + pbIV: pbClonedIV, + cbIV: _symmetricAlgorithmBlockSizeInBytes, + pbOutput: null, + cbOutput: 0, + pcbResult: out dwEstimatedDecryptedByteCount, + dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + + byte[] decryptedPayload = new byte[dwEstimatedDecryptedByteCount]; + uint dwActualDecryptedByteCount; + fixed (byte* pbDecryptedPayload = decryptedPayload) + { + byte dummy; + + // Perform the actual decryption. + ntstatus = UnsafeNativeMethods.BCryptDecrypt( + hKey: symmetricKeyHandle, + pbInput: pbInput, + cbInput: cbInput, + pPaddingInfo: null, + pbIV: pbClonedIV, + cbIV: _symmetricAlgorithmBlockSizeInBytes, + pbOutput: (pbDecryptedPayload != null) ? pbDecryptedPayload : &dummy, // CLR won't pin zero-length arrays + cbOutput: dwEstimatedDecryptedByteCount, + pcbResult: out dwActualDecryptedByteCount, + dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + } + + // Decryption finished! + CryptoUtil.Assert(dwActualDecryptedByteCount <= dwEstimatedDecryptedByteCount, "dwActualDecryptedByteCount <= dwEstimatedDecryptedByteCount"); + if (dwActualDecryptedByteCount == dwEstimatedDecryptedByteCount) + { + // payload takes up the entire buffer + return decryptedPayload; + } + else + { + // payload takes up only a partial buffer + byte[] resizedDecryptedPayload = new byte[dwActualDecryptedByteCount]; + Buffer.BlockCopy(decryptedPayload, 0, resizedDecryptedPayload, 0, resizedDecryptedPayload.Length); + return resizedDecryptedPayload; + } + } + + // 'pbIV' must be a pointer to a buffer equal in length to the symmetric algorithm block size. 
+ private void DoCbcEncrypt(BCryptKeyHandle symmetricKeyHandle, byte* pbIV, byte* pbInput, uint cbInput, byte* pbOutput, uint cbOutput) + { + // BCryptEncrypt mutates the provided IV; we need to clone it to prevent mutation of the original value + byte* pbClonedIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)]; + UnsafeBufferUtil.BlockCopy(from: pbIV, to: pbClonedIV, byteCount: _symmetricAlgorithmBlockSizeInBytes); + + uint dwEncryptedBytes; + int ntstatus = UnsafeNativeMethods.BCryptEncrypt( + hKey: symmetricKeyHandle, + pbInput: pbInput, + cbInput: cbInput, + pPaddingInfo: null, + pbIV: pbClonedIV, + cbIV: _symmetricAlgorithmBlockSizeInBytes, + pbOutput: pbOutput, + cbOutput: cbOutput, + pcbResult: out dwEncryptedBytes, + dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + + // Need to make sure we didn't underrun the buffer - means caller passed a bad value + CryptoUtil.Assert(dwEncryptedBytes == cbOutput, "dwEncryptedBytes == cbOutput"); + } + + protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer) + { + // This buffer will be used to hold the symmetric encryption and HMAC subkeys + // used in the generation of this payload. + uint cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes); + byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)]; + + try + { + // Randomly generate the key modifier and IV. 
+ uint cbKeyModifierAndIV = checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes); + byte* pbKeyModifierAndIV = stackalloc byte[checked((int)cbKeyModifierAndIV)]; + _genRandom.GenRandom(pbKeyModifierAndIV, cbKeyModifierAndIV); + + // Calculate offsets + byte* pbKeyModifier = pbKeyModifierAndIV; + byte* pbIV = &pbKeyModifierAndIV[KEY_MODIFIER_SIZE_IN_BYTES]; + + // Use the KDF to generate a new symmetric encryption and HMAC subkey + _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader( + pbLabel: pbAdditionalAuthenticatedData, + cbLabel: cbAdditionalAuthenticatedData, + contextHeader: _contextHeader, + pbContext: pbKeyModifier, + cbContext: KEY_MODIFIER_SIZE_IN_BYTES, + pbDerivedKey: pbTempSubkeys, + cbDerivedKey: cbTempSubkeys); + + // Calculate offsets + byte* pbSymmetricEncryptionSubkey = pbTempSubkeys; + byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes]; + + using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes)) + { + // We can't assume PKCS#7 padding (maybe the underlying provided is using CTS), + // so we need to query the padded output size before we can allocate the return value array. 
+ uint cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, cbPlaintext); + + // Allocate return value array and start copying some data + byte[] retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext + _hmacAlgorithmDigestLengthInBytes + cbPostBuffer)]; + fixed (byte* pbRetVal = retVal) + { + // Calculate offsets + byte* pbOutputKeyModifier = &pbRetVal[cbPreBuffer]; + byte* pbOutputIV = &pbOutputKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES]; + byte* pbOutputCiphertext = &pbOutputIV[_symmetricAlgorithmBlockSizeInBytes]; + byte* pbOutputHmac = &pbOutputCiphertext[cbOutputCiphertext]; + + UnsafeBufferUtil.BlockCopy(from: pbKeyModifierAndIV, to: pbOutputKeyModifier, byteCount: cbKeyModifierAndIV); + + // retVal will eventually contain { preBuffer | keyModifier | iv | encryptedData | HMAC(iv | encryptedData) | postBuffer } + // At this point, retVal := { preBuffer | keyModifier | iv | _____ | _____ | postBuffer } + + DoCbcEncrypt( + symmetricKeyHandle: symmetricKeyHandle, + pbIV: pbIV, + pbInput: pbPlaintext, + cbInput: cbPlaintext, + pbOutput: pbOutputCiphertext, + cbOutput: cbOutputCiphertext); + + // At this point, retVal := { preBuffer | keyModifier | iv | encryptedData | _____ | postBuffer } + + // Compute the HMAC over the IV and the ciphertext (prevents IV tampering). + // The HMAC is already implicitly computed over the key modifier since the key + // modifier is used as input to the KDF. + using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes)) + { + hashHandle.HashData( + pbInput: pbOutputIV, + cbInput: checked(_symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext), + pbHashDigest: pbOutputHmac, + cbHashDigest: _hmacAlgorithmDigestLengthInBytes); + } + + // At this point, retVal := { preBuffer | keyModifier | iv | encryptedData | HMAC(iv | encryptedData) | postBuffer } + // And we're done! 
+ return retVal; + } + } + } + finally + { + // Buffer contains sensitive material; nuke it. + UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys); + } + } + + private uint GetCbcEncryptedOutputSizeWithPadding(BCryptKeyHandle symmetricKeyHandle, byte* pbInput, uint cbInput) + { + // ok for this memory to remain uninitialized since nobody depends on it + byte* pbIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)]; + + // Calling BCryptEncrypt with a null output pointer will cause it to return the total number + // of bytes required for the output buffer. + uint dwResult; + int ntstatus = UnsafeNativeMethods.BCryptEncrypt( + hKey: symmetricKeyHandle, + pbInput: pbInput, + cbInput: cbInput, + pPaddingInfo: null, + pbIV: pbIV, + cbIV: _symmetricAlgorithmBlockSizeInBytes, + pbOutput: null, + cbOutput: 0, + pcbResult: out dwResult, + dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + + return dwResult; + } + + // 'pbExpectedDigest' must point to a '_hmacAlgorithmDigestLengthInBytes'-length buffer + private bool ValidateHash(BCryptHashHandle hashHandle, byte* pbInput, uint cbInput, byte* pbExpectedDigest) + { + byte* pbActualDigest = stackalloc byte[checked((int)_hmacAlgorithmDigestLengthInBytes)]; + hashHandle.HashData(pbInput, cbInput, pbActualDigest, _hmacAlgorithmDigestLengthInBytes); + return CryptoUtil.TimeConstantBuffersAreEqual(pbExpectedDigest, pbActualDigest, _hmacAlgorithmDigestLengthInBytes); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs new file mode 100644 index 0000000000..2e00fb1cb3 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs 
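Review bot: In `DoCbcDecrypt`, when `dwActualDecryptedByteCount` is smaller than the estimate, the plaintext is copied into `resizedDecryptedPayload` and the larger `decryptedPayload` array is dropped without being cleared. With block padding this is likely the usual path, so a second copy of each decrypted payload stays on the managed heap until it is collected, whereas the subkey buffers in this file are wiped with `SecureZeroMemory`. Clearing the temporary keeps the handling consistent: `Array.Clear(decryptedPayload, 0, decryptedPayload.Length);` just before `return resizedDecryptedPayload;`. Separately, `DecryptImpl` passes `_symmetricAlgorithmBlockSizeInBytes + cbEncryptedData` to `ValidateHash` without the `checked(...)` that `EncryptImpl` applies to the same sum. It cannot overflow given the length check at the top of the method, but wrapping it would match the rest of the file.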
@@ -0,0 +1,85 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography;
+using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ internal unsafe abstract class CngAuthenticatedEncryptorBase : IAuthenticatedEncryptor, IDisposable
+ {
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
+ {
+ // This wrapper simply converts ArraySegment to byte* and calls the impl method.
+
+ // Input validation
+ ciphertext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ byte dummy; // used only if plaintext or AAD is empty, since otherwise 'fixed' returns null pointer
+ fixed (byte* pbCiphertextArray = ciphertext.Array)
+ {
+ fixed (byte* pbAdditionalAuthenticatedDataArray = additionalAuthenticatedData.Array)
+ {
+ try
+ {
+ return DecryptImpl(
+ pbCiphertext: (pbCiphertextArray != null) ? &pbCiphertextArray[ciphertext.Offset] : &dummy,
+ cbCiphertext: (uint)ciphertext.Count,
+ pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy,
+ cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count);
+ }
+ catch (Exception ex) if (!(ex is CryptographicException))
+ {
+ // Homogenize to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+ }
+ }
+
+ protected abstract byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData);
+
+ public abstract void Dispose();
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ {
+ return Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+ }
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+ {
+ // This wrapper simply converts ArraySegment to byte* and calls the impl method.
+
+ // Input validation
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ byte dummy; // used only if plaintext or AAD is empty, since otherwise 'fixed' returns null pointer
+ fixed (byte* pbPlaintextArray = plaintext.Array)
+ {
+ fixed (byte* pbAdditionalAuthenticatedDataArray = additionalAuthenticatedData.Array)
+ {
+ try
+ {
+ return EncryptImpl(
+ pbPlaintext: (pbPlaintextArray != null) ? &pbPlaintextArray[plaintext.Offset] : &dummy,
+ cbPlaintext: (uint)plaintext.Count,
+ pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy,
+ cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count,
+ cbPreBuffer: preBufferSize,
+ cbPostBuffer: postBufferSize);
+ }
+ catch (Exception ex) if (!(ex is CryptographicException))
+ {
+ // Homogenize to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+ }
+ }
+
+ protected abstract byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer);
+ }
+}
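Review bot: The comment on `byte dummy` in `Decrypt` was carried over from `Encrypt` and names the wrong input: this method pins the ciphertext, not the plaintext. Its "since otherwise 'fixed' returns null pointer" also reads as the reverse of what the code guards against. I would change it to `// used only if ciphertext or AAD is empty, since 'fixed' yields a null pointer for an empty array`, and use the same second half in `Encrypt`. Both public methods would also benefit from a short doc comment stating that any exception other than `CryptographicException` is rethrown through `Error.CryptCommon_GenericError`, so callers know there is a single exception type to handle.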
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs new file mode 100644 index 0000000000..6c0f368847 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs 
@@ -0,0 +1,296 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; +using System.Security.Cryptography; +using System.Text; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.Cng +{ + internal unsafe static class DpapiSecretSerializerHelper + { + // from ncrypt.h + private const uint NCRYPT_SILENT_FLAG = 0x00000040; + + // from dpapi.h + private const uint CRYPTPROTECT_UI_FORBIDDEN = 0x1; + private const uint CRYPTPROTECT_LOCAL_MACHINE = 0x4; + + private static readonly byte[] _purpose = Encoding.UTF8.GetBytes("DPAPI-Protected Secret"); + + public static byte[] ProtectWithDpapi(ISecret secret) + { + Debug.Assert(secret != null); + + byte[] plaintextSecret = new byte[secret.Length]; + fixed (byte* pbPlaintextSecret = plaintextSecret) + { + try + { + secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); + fixed (byte* pbPurpose = _purpose) + { + return ProtectWithDpapiImpl(pbPlaintextSecret, (uint)plaintextSecret.Length, pbPurpose, (uint)_purpose.Length); + } + } + finally + { + // To limit exposure to the GC. + Array.Clear(plaintextSecret, 0, plaintextSecret.Length); + } + } + } + + internal static byte[] ProtectWithDpapiImpl(byte* pbSecret, uint cbSecret, byte* pbOptionalEntropy, uint cbOptionalEntropy, bool fLocalMachine = false) + { + byte dummy; // provides a valid memory address if the secret or entropy has zero length + + DATA_BLOB dataIn = new DATA_BLOB() + { + cbData = cbSecret, + pbData = (pbSecret != null) ? pbSecret : &dummy + }; + DATA_BLOB entropy = new DATA_BLOB() + { + cbData = cbOptionalEntropy, + pbData = (pbOptionalEntropy != null) ? 
pbOptionalEntropy : &dummy + }; + DATA_BLOB dataOut = default(DATA_BLOB); + +#if !ASPNETCORE50 + RuntimeHelpers.PrepareConstrainedRegions(); +#endif + try + { + bool success = UnsafeNativeMethods.CryptProtectData( + pDataIn: &dataIn, + szDataDescr: IntPtr.Zero, + pOptionalEntropy: &entropy, + pvReserved: IntPtr.Zero, + pPromptStruct: IntPtr.Zero, + dwFlags: CRYPTPROTECT_UI_FORBIDDEN | ((fLocalMachine) ? CRYPTPROTECT_LOCAL_MACHINE : 0), + pDataOut: out dataOut); + if (!success) + { + int errorCode = Marshal.GetLastWin32Error(); + throw new CryptographicException(errorCode); + } + + int dataLength = checked((int)dataOut.cbData); + byte[] retVal = new byte[dataLength]; + Marshal.Copy((IntPtr)dataOut.pbData, retVal, 0, dataLength); + return retVal; + } + finally + { + // Free memory so that we don't leak. + // FreeHGlobal actually calls LocalFree. + if (dataOut.pbData != null) + { + Marshal.FreeHGlobal((IntPtr)dataOut.pbData); + } + } + } + + public static byte[] ProtectWithDpapiNG(ISecret secret, NCryptDescriptorHandle protectionDescriptorHandle) + { + Debug.Assert(secret != null); + Debug.Assert(protectionDescriptorHandle != null); + + byte[] plaintextSecret = new byte[secret.Length]; + fixed (byte* pbPlaintextSecret = plaintextSecret) + { + try + { + secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); + + byte dummy; // used to provide a valid memory address if secret is zero-length + return ProtectWithDpapiNGImpl( + protectionDescriptorHandle: protectionDescriptorHandle, + pbData: (pbPlaintextSecret != null) ? pbPlaintextSecret : &dummy, + cbData: (uint)plaintextSecret.Length); + } + finally + { + // Limits secret exposure to garbage collector. 
+ Array.Clear(plaintextSecret, 0, plaintextSecret.Length); + } + } + } + + private static byte[] ProtectWithDpapiNGImpl(NCryptDescriptorHandle protectionDescriptorHandle, byte* pbData, uint cbData) + { + Debug.Assert(protectionDescriptorHandle != null); + Debug.Assert(pbData != null); + + // Perform the encryption operation, putting the protected data into LocalAlloc-allocated memory. + LocalAllocHandle protectedData; + uint cbProtectedData; + int ntstatus = UnsafeNativeMethods.NCryptProtectSecret( + hDescriptor: protectionDescriptorHandle, + dwFlags: NCRYPT_SILENT_FLAG, + pbData: pbData, + cbData: cbData, + pMemPara: IntPtr.Zero, + hWnd: IntPtr.Zero, + ppbProtectedBlob: out protectedData, + pcbProtectedBlob: out cbProtectedData); + UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); + CryptoUtil.Assert(protectedData != null && !protectedData.IsInvalid, "protectedData != null && !protectedData.IsInvalid"); + + // Copy the data from LocalAlloc-allocated memory into a managed memory buffer. 
+ using (protectedData) + { + byte[] retVal = new byte[cbProtectedData]; + if (cbProtectedData > 0) + { + fixed (byte* pbRetVal = retVal) + { + bool handleAcquired = false; +#if !ASPNETCORE50 + RuntimeHelpers.PrepareConstrainedRegions(); +#endif + try + { + protectedData.DangerousAddRef(ref handleAcquired); + UnsafeBufferUtil.BlockCopy(from: (void*)protectedData.DangerousGetHandle(), to: pbRetVal, byteCount: cbProtectedData); + } + finally + { + if (handleAcquired) + { + protectedData.DangerousRelease(); + } + } + } + } + return retVal; + } + } + + public static ProtectedMemoryBlob UnprotectWithDpapi(byte[] protectedSecret) + { + Debug.Assert(protectedSecret != null); + + fixed (byte* pbProtectedSecret = protectedSecret) + { + fixed (byte* pbPurpose = _purpose) + { + return UnprotectWithDpapiImpl(pbProtectedSecret, (uint)protectedSecret.Length, pbPurpose, (uint)_purpose.Length); + } + } + } + + internal static ProtectedMemoryBlob UnprotectWithDpapiImpl(byte* pbProtectedData, uint cbProtectedData, byte* pbOptionalEntropy, uint cbOptionalEntropy) + { + byte dummy; // provides a valid memory address if the secret or entropy has zero length + + DATA_BLOB dataIn = new DATA_BLOB() + { + cbData = cbProtectedData, + pbData = (pbProtectedData != null) ? pbProtectedData : &dummy + }; + DATA_BLOB entropy = new DATA_BLOB() + { + cbData = cbOptionalEntropy, + pbData = (pbOptionalEntropy != null) ? 
pbOptionalEntropy : &dummy + }; + DATA_BLOB dataOut = default(DATA_BLOB); + +#if !ASPNETCORE50 + RuntimeHelpers.PrepareConstrainedRegions(); +#endif + try + { + bool success = UnsafeNativeMethods.CryptUnprotectData( + pDataIn: &dataIn, + ppszDataDescr: IntPtr.Zero, + pOptionalEntropy: &entropy, + pvReserved: IntPtr.Zero, + pPromptStruct: IntPtr.Zero, + dwFlags: CRYPTPROTECT_UI_FORBIDDEN, + pDataOut: out dataOut); + if (!success) + { + int errorCode = Marshal.GetLastWin32Error(); + throw new CryptographicException(errorCode); + } + + return new ProtectedMemoryBlob(dataOut.pbData, checked((int)dataOut.cbData)); + } + finally + { + // Zero and free memory so that we don't leak secrets. + // FreeHGlobal actually calls LocalFree. + if (dataOut.pbData != null) + { + UnsafeBufferUtil.SecureZeroMemory(dataOut.pbData, dataOut.cbData); + Marshal.FreeHGlobal((IntPtr)dataOut.pbData); + } + } + } + + public static ProtectedMemoryBlob UnprotectWithDpapiNG(byte[] protectedData) + { + Debug.Assert(protectedData != null); + + fixed (byte* pbProtectedData = protectedData) + { + byte dummy; // used to provide a valid memory address if protected data is zero-length + return UnprotectWithDpapiNGImpl( + pbData: (pbProtectedData != null) ? pbProtectedData : &dummy, + cbData: (uint)protectedData.Length); + } + } + + private static ProtectedMemoryBlob UnprotectWithDpapiNGImpl(byte* pbData, uint cbData) + { + Debug.Assert(pbData != null); + + // First, decrypt the payload into LocalAlloc-allocated memory. 
+ LocalAllocHandle unencryptedPayloadHandle; + uint cbUnencryptedPayload; + int ntstatus = UnsafeNativeMethods.NCryptUnprotectSecret( + phDescriptor: IntPtr.Zero, + dwFlags: NCRYPT_SILENT_FLAG, + pbProtectedBlob: pbData, + cbProtectedBlob: cbData, + pMemPara: IntPtr.Zero, + hWnd: IntPtr.Zero, + ppbData: out unencryptedPayloadHandle, + pcbData: out cbUnencryptedPayload); + UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); + CryptoUtil.Assert(unencryptedPayloadHandle != null && !unencryptedPayloadHandle.IsInvalid, "unencryptedPayloadHandle != null && !unencryptedPayloadHandle.IsInvalid"); + + // Copy the data from LocalAlloc-allocated memory into a CryptProtectMemory-protected buffer. + // There's a small window between NCryptUnprotectSecret returning and the call to PrepareConstrainedRegions + // below where the AppDomain could rudely unload. This won't leak memory (due to the SafeHandle), but it + // will cause the secret not to be zeroed out before the memory is freed. We won't worry about this since + // the window is extremely small and AppDomain unloads should not happen here in practice. + using (unencryptedPayloadHandle) + { + bool handleAcquired = false; +#if !ASPNETCORE50 + RuntimeHelpers.PrepareConstrainedRegions(); +#endif + try + { + unencryptedPayloadHandle.DangerousAddRef(ref handleAcquired); + return new ProtectedMemoryBlob((byte*)unencryptedPayloadHandle.DangerousGetHandle(), checked((int)cbUnencryptedPayload)); + } + finally + { + if (handleAcquired) + { + UnsafeBufferUtil.SecureZeroMemory((byte*)unencryptedPayloadHandle.DangerousGetHandle(), cbUnencryptedPayload); + unencryptedPayloadHandle.DangerousRelease(); + } + } + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs new file mode 100644 index 0000000000..9e404851cd --- /dev/null 
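Review bot: `ProtectWithDpapiImpl` takes `fLocalMachine` with no comment on what it changes, and when it is true the call passes `CRYPTPROTECT_LOCAL_MACHINE`, which lets any account on the machine unprotect the blob rather than only the protecting user. The `_purpose` bytes passed as optional entropy in `ProtectWithDpapi` and `UnprotectWithDpapi` are a fixed label compiled into the assembly, so they separate this use from other DPAPI callers but add no secrecy. I would document both on the method, for example `// fLocalMachine: the blob can be unprotected by any user on this machine; the entropy is a non-secret purpose label`.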
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs 
@@ -0,0 +1,289 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Security.DataProtection.SP800_108; + +namespace Microsoft.AspNet.Security.DataProtection.Cng +{ + // GCM is defined in NIST SP 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). + // Heed closely the uniqueness requirements called out in Sec. 8: the probability that the GCM encryption + // routine is ever invoked on two or more distinct sets of input data with the same (key, IV) shall not + // exceed 2^-32. If we fix the key and use a random 96-bit IV for each invocation, this means that after + // 2^32 encryption operations the odds of reusing any (key, IV) pair is 2^-32 (see Sec. 8.3). This won't + // work for our use since a high-traffic web server can go through 2^32 requests in mere days. Instead, + // we'll use 224 bits of entropy for each operation, with 128 bits going to the KDF and 96 bits + // going to the IV. This means that we'll only hit the 2^-32 probability limit after 2^96 encryption + // operations, which will realistically never happen. (At the absurd rate of one encryption operation + // per nanosecond, it would still take 180 times the age of the universe to hit 2^96 operations.) + internal unsafe sealed class GcmAuthenticatedEncryptor : CngAuthenticatedEncryptorBase + { + // Having a key modifier ensures with overwhelming probability that no two encryption operations + // will ever derive the same (encryption subkey, MAC subkey) pair. This limits an attacker's + // ability to mount a key-dependent chosen ciphertext attack. See also the class-level comment + // for how this is used to overcome GCM's IV limitations. 
+ private const uint KEY_MODIFIER_SIZE_IN_BYTES = 128 / 8; + + private const uint NONCE_SIZE_IN_BYTES = 96 / 8; // GCM has a fixed 96-bit IV + private const uint TAG_SIZE_IN_BYTES = 128 / 8; // we're hardcoding a 128-bit authentication tag size + + private readonly byte[] _contextHeader; + private readonly IBCryptGenRandom _genRandom; + private readonly ISP800_108_CTR_HMACSHA512Provider _sp800_108_ctr_hmac_provider; + private readonly BCryptAlgorithmHandle _symmetricAlgorithmHandle; + private readonly uint _symmetricAlgorithmSubkeyLengthInBytes; + + public GcmAuthenticatedEncryptor(ProtectedMemoryBlob keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, IBCryptGenRandom genRandom = null) + { + CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, + "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); + + _genRandom = genRandom ?? 
BCryptGenRandomImpl.Instance; + _sp800_108_ctr_hmac_provider = SP800_108_CTR_HMACSHA512Util.CreateProvider(keyDerivationKey); + _symmetricAlgorithmHandle = symmetricAlgorithmHandle; + _symmetricAlgorithmSubkeyLengthInBytes = symmetricAlgorithmKeySizeInBytes; + _contextHeader = CreateContextHeader(); + } + + private byte[] CreateContextHeader() + { + byte[] retVal = new byte[checked( + 1 /* KDF alg */ + + 1 /* chaining mode */ + + sizeof(uint) /* sym alg key size */ + + sizeof(uint) /* GCM nonce size */ + + sizeof(uint) /* sym alg block size */ + + sizeof(uint) /* GCM tag size */ + + TAG_SIZE_IN_BYTES /* tag of GCM-encrypted empty string */)]; + + fixed (byte* pbRetVal = retVal) + { + byte* ptr = pbRetVal; + + // First is the two-byte header + *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF + *(ptr++) = 1; // 0x01 = GCM encryption + authentication + + // Next is information about the symmetric algorithm (key size, nonce size, block size, tag size) + BitHelpers.WriteTo(ptr, _symmetricAlgorithmSubkeyLengthInBytes); + ptr += sizeof(uint); + BitHelpers.WriteTo(ptr, NONCE_SIZE_IN_BYTES); + ptr += sizeof(uint); + BitHelpers.WriteTo(ptr, TAG_SIZE_IN_BYTES); // block size + ptr += sizeof(uint); + BitHelpers.WriteTo(ptr, TAG_SIZE_IN_BYTES); + ptr += sizeof(uint); + + // See the design document for an explanation of the following code. + byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; + fixed (byte* pbTempKeys = tempKeys) + { + byte dummy; + + // Derive temporary key for encryption. + using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider()) + { + provider.DeriveKey( + pbLabel: &dummy, + cbLabel: 0, + pbContext: &dummy, + cbContext: 0, + pbDerivedKey: pbTempKeys, + cbDerivedKey: (uint)tempKeys.Length); + } + + // Encrypt a zero-length input string with an all-zero nonce and copy the tag to the return buffer. 
+ byte* pbNonce = stackalloc byte[(int)NONCE_SIZE_IN_BYTES]; + UnsafeBufferUtil.SecureZeroMemory(pbNonce, NONCE_SIZE_IN_BYTES); + DoGcmEncrypt( + pbKey: pbTempKeys, + cbKey: _symmetricAlgorithmSubkeyLengthInBytes, + pbNonce: pbNonce, + pbPlaintextData: &dummy, + cbPlaintextData: 0, + pbEncryptedData: &dummy, + pbTag: ptr); + } + + ptr += TAG_SIZE_IN_BYTES; + CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length"); + } + + // retVal := { version || chainingMode || symAlgKeySize || nonceSize || symAlgBlockSize || symAlgTagSize || TAG-of-E("") }. + return retVal; + } + + protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) + { + // Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag + if (cbCiphertext < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES) + { + throw Error.CryptCommon_PayloadInvalid(); + } + + // Assumption: pbCipherText := { keyModifier || nonce || encryptedData || authenticationTag } + + uint cbPlaintext = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)); + + byte[] retVal = new byte[cbPlaintext]; + fixed (byte* pbRetVal = retVal) + { + // Calculate offsets + byte* pbKeyModifier = pbCiphertext; + byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES]; + byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES]; + byte* pbAuthTag = &pbEncryptedData[cbPlaintext]; + + // Use the KDF to recreate the symmetric block cipher key + // We'll need a temporary buffer to hold the symmetric encryption subkey + byte* pbSymmetricDecryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)]; + try + { + _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader( + pbLabel: pbAdditionalAuthenticatedData, + cbLabel: cbAdditionalAuthenticatedData, + contextHeader: _contextHeader, + pbContext: pbKeyModifier, + 
cbContext: KEY_MODIFIER_SIZE_IN_BYTES, + pbDerivedKey: pbSymmetricDecryptionSubkey, + cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes); + + // Perform the decryption operation + + using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes)) + { + byte dummy; + byte* pbPlaintext = (pbRetVal != null) ? pbRetVal : &dummy; // CLR doesn't like pinning empty buffers + + BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authInfo; + BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authInfo); + authInfo.pbNonce = pbNonce; + authInfo.cbNonce = NONCE_SIZE_IN_BYTES; + authInfo.pbTag = pbAuthTag; + authInfo.cbTag = TAG_SIZE_IN_BYTES; + + // The call to BCryptDecrypt will also validate the authentication tag + uint cbDecryptedBytesWritten; + int ntstatus = UnsafeNativeMethods.BCryptDecrypt( + hKey: decryptionSubkeyHandle, + pbInput: pbEncryptedData, + cbInput: cbPlaintext, + pPaddingInfo: &authInfo, + pbIV: null, // IV not used; nonce provided in pPaddingInfo + cbIV: 0, + pbOutput: pbPlaintext, + cbOutput: cbPlaintext, + pcbResult: out cbDecryptedBytesWritten, + dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + CryptoUtil.Assert(cbDecryptedBytesWritten == cbPlaintext, "cbDecryptedBytesWritten == cbPlaintext"); + + // At this point, retVal := { decryptedPayload } + // And we're done! + return retVal; + } + } + finally + { + // The buffer contains key material, so nuke it. + UnsafeBufferUtil.SecureZeroMemory(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes); + } + } + } + + public override void Dispose() + { + _sp800_108_ctr_hmac_provider.Dispose(); + + // We don't want to dispose of the underlying algorithm instances because they + // might be reused. + } + + // 'pbNonce' must point to a 96-bit buffer. + // 'pbTag' must point to a 128-bit buffer. + // 'pbEncryptedData' must point to a buffer the same length as 'pbPlaintextData'. 
+ private void DoGcmEncrypt(byte* pbKey, uint cbKey, byte* pbNonce, byte* pbPlaintextData, uint cbPlaintextData, byte* pbEncryptedData, byte* pbTag) + { + BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authCipherInfo; + BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authCipherInfo); + authCipherInfo.pbNonce = pbNonce; + authCipherInfo.cbNonce = NONCE_SIZE_IN_BYTES; + authCipherInfo.pbTag = pbTag; + authCipherInfo.cbTag = TAG_SIZE_IN_BYTES; + + using (var keyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbKey, cbKey)) + { + uint cbResult; + int ntstatus = UnsafeNativeMethods.BCryptEncrypt( + hKey: keyHandle, + pbInput: pbPlaintextData, + cbInput: cbPlaintextData, + pPaddingInfo: &authCipherInfo, + pbIV: null, + cbIV: 0, + pbOutput: pbEncryptedData, + cbOutput: cbPlaintextData, + pcbResult: out cbResult, + dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + CryptoUtil.Assert(cbResult == cbPlaintextData, "cbResult == cbPlaintextData"); + } + } + + protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer) + { + // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag. + // In GCM, the encrypted output will be the same length as the plaintext input. 
+ byte[] retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + cbPlaintext + TAG_SIZE_IN_BYTES + cbPostBuffer)]; + fixed (byte* pbRetVal = retVal) + { + // Calculate offsets + byte* pbKeyModifier = &pbRetVal[cbPreBuffer]; + byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES]; + byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES]; + byte* pbAuthTag = &pbEncryptedData[cbPlaintext]; + + // Randomly generate the key modifier and nonce + _genRandom.GenRandom(pbKeyModifier, KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES); + + // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer } + + // Use the KDF to generate a new symmetric block cipher key + // We'll need a temporary buffer to hold the symmetric encryption subkey + byte* pbSymmetricEncryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)]; + try + { + _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader( + pbLabel: pbAdditionalAuthenticatedData, + cbLabel: cbAdditionalAuthenticatedData, + contextHeader: _contextHeader, + pbContext: pbKeyModifier, + cbContext: KEY_MODIFIER_SIZE_IN_BYTES, + pbDerivedKey: pbSymmetricEncryptionSubkey, + cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes); + + // Perform the encryption operation + DoGcmEncrypt( + pbKey: pbSymmetricEncryptionSubkey, + cbKey: _symmetricAlgorithmSubkeyLengthInBytes, + pbNonce: pbNonce, + pbPlaintextData: pbPlaintext, + cbPlaintextData: cbPlaintext, + pbEncryptedData: pbEncryptedData, + pbTag: pbAuthTag); + + // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer } + // And we're done! + return retVal; + } + finally + { + // The buffer contains key material, so nuke it. + UnsafeBufferUtil.SecureZeroMemory(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes); + } + } + } + } +} 
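Review bot: In `DecryptImpl`, when `ThrowExceptionForBCryptStatus` throws after `BCryptDecrypt` (the call that validates the authentication tag), the `finally` wipes only the derived subkey and `retVal` is left as it is. Whether `BCryptDecrypt` writes output before rejecting a bad tag is not visible in this hunk, so `retVal` may hold unauthenticated plaintext on that path. Adding `catch { Array.Clear(retVal, 0, retVal.Length); throw; }` ahead of the existing `finally` would clear it without changing what callers observe.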
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/IBCryptGenRandom.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/IBCryptGenRandom.cs
new file mode 100644
index 0000000000..72497de9cd
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/IBCryptGenRandom.cs
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ internal unsafe interface IBCryptGenRandom
+ {
+ void GenRandom(byte* pbBuffer, uint cbBuffer);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs
new file mode 100644
index 0000000000..b45b21809b
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs
@@ -0,0 +1,17 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ [Flags]
+ internal enum NCryptEncryptFlags
+ {
+ NCRYPT_NO_PADDING_FLAG = 0x00000001,
+ NCRYPT_PAD_PKCS1_FLAG = 0x00000002,
+ NCRYPT_PAD_OAEP_FLAG = 0x00000004,
+ NCRYPT_PAD_PSS_FLAG = 0x00000008,
+ NCRYPT_SILENT_FLAG = 0x00000040,
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs
new file mode 100644
index 0000000000..c42535428e
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs
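Review bot: `IBCryptGenRandom.GenRandom` carries no comment saying what kind of randomness an implementation must supply. `GcmAuthenticatedEncryptor.EncryptImpl` fills both the key modifier and the GCM nonce from it, and that class's constructor accepts any `IBCryptGenRandom`, so a predictable implementation would undo the (key, IV) uniqueness argument made in the encryptor's header comment. I would add `// Must fill the buffer with cryptographically secure random bytes; callers use it for key modifiers and nonces.` above the method.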
@@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Diagnostics;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+using System.Security.Cryptography;
+using Microsoft.AspNet.Security.DataProtection.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection.Cng
+{
+ internal static class OSVersionUtil
+ {
+ private static readonly OSVersion _osVersion = GetOSVersion();
+
+ private static OSVersion GetOSVersion()
+ {
+ const string BCRYPT_LIB = "bcrypt.dll";
+ SafeLibraryHandle bcryptLibHandle = null;
+ try
+ {
+ bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB);
+ }
+ catch
+ {
+ // we'll handle the exceptional case later
+ }
+
+ if (bcryptLibHandle != null)
+ {
+ using (bcryptLibHandle)
+ {
+ if (bcryptLibHandle.DoesProcExist("BCryptKeyDerivation"))
+ {
+ // We're running on Win8+.
+ return OSVersion.Win8OrLater;
+ }
+ else
+ {
+ // We're running on Win7+.
+ return OSVersion.Win7OrLater;
+ }
+ }
+ }
+ else
+ {
+ // Not running on Win7+.
+ return OSVersion.NotWindows;
+ }
+ }
+
+ public static bool IsBCryptOnWin7OrLaterAvailable()
+ {
+ return (_osVersion >= OSVersion.Win7OrLater);
+ }
+
+ public static bool IsBCryptOnWin8OrLaterAvailable()
+ {
+ return (_osVersion >= OSVersion.Win8OrLater);
+ }
+
+ private enum OSVersion
+ {
+ NotWindows = 0,
+ Win7OrLater = 1,
+ Win8OrLater = 2
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs
index 0a681d188c..8d40b3b7f1 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/Constants.cs
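Review bot: `GetOSVersion` loads `bcrypt.dll` by bare file name, so which file is opened depends on the search that `SafeLibraryHandle.Open` performs, and that helper is outside this hunk. It is worth confirming that it restricts the lookup to the system directory and recording that here, e.g. `// Open() must resolve bcrypt.dll from the system directory only`. The bare `catch` also maps every failure, not just a missing library, to `OSVersion.NotWindows`, and `_osVersion` keeps that answer for the life of the process. Catching only the load failure would keep unrelated errors visible.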
@@ -1,11 +1,11 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; namespace Microsoft.AspNet.Security.DataProtection { - // from bcrypt.h + // The majority of these are from bcrypt.h internal static class Constants { internal const int MAX_STACKALLOC_BYTES = 256; // greatest number of bytes that we'll ever allow to stackalloc in a single frame @@ -15,11 +15,11 @@ namespace Microsoft.AspNet.Security.DataProtection internal const string BCRYPT_KEY_DATA_BLOB = "KeyDataBlob"; internal const string BCRYPT_AES_WRAP_KEY_BLOB = "Rfc3565KeyWrapBlob"; - // Microsoft built-in providers. + // Microsoft built-in providers internal const string MS_PRIMITIVE_PROVIDER = "Microsoft Primitive Provider"; internal const string MS_PLATFORM_CRYPTO_PROVIDER = "Microsoft Platform Crypto Provider"; - // Common algorithm identifiers. + // Common algorithm identifiers internal const string BCRYPT_RSA_ALGORITHM = "RSA"; internal const string BCRYPT_RSA_SIGN_ALGORITHM = "RSA_SIGN"; internal const string BCRYPT_DH_ALGORITHM = "DH"; diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs deleted file mode 100644 index 04bf2826c7..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptRand.cs +++ /dev/null 
@@ -1,31 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.Security.DataProtection -{ - /// - /// Helper class to populate buffers with cryptographically random data. - /// - public static class CryptRand - { - /// - /// Populates a buffer with cryptographically random data. - /// - /// The buffer to populate. - public static unsafe void FillBuffer(ArraySegment buffer) - { - // the ArraySegment<> ctor performs bounds checking - var unused = new ArraySegment(buffer.Array, buffer.Offset, buffer.Count); - - if (buffer.Count != 0) - { - fixed (byte* pBuffer = &buffer.Array[buffer.Offset]) - { - BCryptUtil.GenRandom(pBuffer, buffer.Count); - } - } - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs index 29fabca02e..52e556fbcf 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs @@ -4,9 +4,14 @@ using System; using System.Diagnostics; using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; using System.Security.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.Cng +#if !ASPNETCORE50 +using System.Runtime.ConstrainedExecution; +#endif + +namespace Microsoft.AspNet.Security.DataProtection { internal unsafe static class CryptoUtil { 
@@ -20,6 +25,13 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } } + // This isn't a typical Debug.Assert; the check is always performed, even in retail builds. + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static void AssertSafeHandleIsValid(SafeHandle safeHandle) + { + Assert(safeHandle != null && !safeHandle.IsInvalid, "Safe handle is invalid."); + } + // This isn't a typical Debug.Fail; an error always occurs, even in retail builds. // This method doesn't return, but since the CLR doesn't allow specifying a 'never' // return type, we mimic it by specifying our return type as Exception. That way @@ -31,5 +43,40 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng Debug.Fail(message); throw new CryptographicException("Assertion failed: " + message); } + + [MethodImpl(MethodImplOptions.NoInlining)] + public static T Fail(string message) where T : class + { + throw Fail(message); + } + + [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint count) + { + bool areEqual = true; + for (uint i = 0; i < count; i++) + { + areEqual &= (bufA[i] == bufB[i]); + } + return areEqual; + } + + [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] + public static bool TimeConstantBuffersAreEqual(byte[] bufA, int offsetA, int countA, byte[] bufB, int offsetB, int countB) + { + // Technically this is an early exit scenario, but it means that the caller did something bizarre. + // An error at the call site isn't usable for timing attacks. + Assert(countA == countB, "countA == countB"); + + bool areEqual = true; + for (int i = 0; i < countA; i++) + { + areEqual &= (bufA[offsetA + i] == bufB[offsetB + i]); + } + return areEqual; + } } } 
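Review bot: Both `TimeConstantBuffersAreEqual` overloads in the last hunk accumulate with `areEqual &= (bufA[i] == bufB[i])`, which leaves it to the JIT whether the byte comparison becomes a branch; `NoOptimization` makes that less likely but the code itself does not guarantee it. Accumulating the XOR of the bytes keeps the loop free of comparisons: `uint diff = 0;` before the loop, `diff |= (uint)(bufA[i] ^ bufB[i]);` inside it, and `return diff == 0;` after. The array overload takes the same change with its `offsetA`/`offsetB` indexing.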
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs index ba198c6d8b..16589279ed 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionOptions.cs new file mode 100644 index 0000000000..9f2eefda56 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionOptions.cs @@ -0,0 +1,12 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection +{ + public class DataProtectionOptions + { + public string ApplicationDiscriminator { get; set; } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs deleted file mode 100644 index 3b612f6190..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProvider.cs +++ /dev/null 
@@ -1,117 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Globalization; -#if NET45 -using System.Security.Cryptography; -#endif -using System.Text; -using Microsoft.AspNet.Security.DataProtection; -using Microsoft.AspNet.Security.DataProtection.Util; - -namespace Microsoft.AspNet.Security.DataProtection -{ - /// - /// Provides methods for creating IDataProtectionProvider instances. - /// - public unsafe static class DataProtectionProvider - { - const int MASTER_KEY_REQUIRED_LENGTH = 512 / 8; - - private static readonly byte[] MASTER_SUBKEY_GENERATOR = Encoding.ASCII.GetBytes("Microsoft.AspNet.Security.DataProtection"); - - /// - /// Creates a new IDataProtectionProvider backed by DPAPI, where the protected - /// payload can only be decrypted by the current user. - /// - public static IDataProtectionProvider CreateFromDpapi() - { - return CreateFromDpapi(protectToLocalMachine: false); - } - -#if NET45 - // These are for mono - public static IDataProtectionProvider CreateFromLegacyDpapi() - { - return CreateFromLegacyDpapi(DataProtectionScope.CurrentUser); - } - - public static IDataProtectionProvider CreateFromLegacyDpapi(DataProtectionScope scope) - { - return new ProtectedDataProtectionProvider(scope); - } -#endif - - /// - /// Creates a new IDataProtectionProvider backed by DPAPI. - /// - /// True if protected payloads can be decrypted by any user - /// on the local machine, false if protected payloads should only be able to decrypted by the - /// current user account. - public static IDataProtectionProvider CreateFromDpapi(bool protectToLocalMachine) - { - return new DpapiDataProtectionProviderImpl(MASTER_SUBKEY_GENERATOR, protectToLocalMachine); - } - - /// - /// Creates a new IDataProtectionProvider with a randomly-generated master key. 
- /// - public static IDataProtectionProvider CreateNew() - { - byte* masterKey = stackalloc byte[MASTER_KEY_REQUIRED_LENGTH]; - try - { - BCryptUtil.GenRandom(masterKey, MASTER_KEY_REQUIRED_LENGTH); - return CreateImpl(masterKey, MASTER_KEY_REQUIRED_LENGTH); - } - finally - { - BufferUtil.SecureZeroMemory(masterKey, MASTER_KEY_REQUIRED_LENGTH); - } - } - - /// - /// Creates a new IDataProtectionProvider with the provided master key. - /// - public static IDataProtectionProvider CreateFromKey(byte[] masterKey) - { - if (masterKey == null) - { - throw new ArgumentNullException("masterKey"); - } - if (masterKey.Length < MASTER_KEY_REQUIRED_LENGTH) - { - string errorMessage = String.Format(CultureInfo.CurrentCulture, Res.DataProtectorFactory_MasterKeyTooShort, MASTER_KEY_REQUIRED_LENGTH); - throw new ArgumentOutOfRangeException("masterKey", errorMessage); - } - - fixed (byte* pMasterKey = masterKey) - { - return CreateImpl(pMasterKey, masterKey.Length); - } - } - - private static DataProtectionProviderImpl CreateImpl(byte* masterKey, int masterKeyLengthInBytes) - { - // We don't use the master key directly. We derive a master subkey via HMAC_{master_key}(MASTER_SUBKEY_GENERATOR). - byte* masterSubkey = stackalloc byte[MASTER_KEY_REQUIRED_LENGTH]; - try - { - using (var hashHandle = BCryptUtil.CreateHMACHandle(Algorithms.HMACSHA512AlgorithmHandle, masterKey, masterKeyLengthInBytes)) - { - fixed (byte* pMasterSubkeyGenerator = MASTER_SUBKEY_GENERATOR) - { - BCryptUtil.HashData(hashHandle, pMasterSubkeyGenerator, MASTER_SUBKEY_GENERATOR.Length, masterSubkey, MASTER_KEY_REQUIRED_LENGTH); - } - } - byte[] protectedKdk = BufferUtil.ToProtectedManagedByteArray(masterSubkey, MASTER_KEY_REQUIRED_LENGTH); - return new DataProtectionProviderImpl(protectedKdk); - } - finally - { - BufferUtil.SecureZeroMemory(masterSubkey, MASTER_KEY_REQUIRED_LENGTH); - } - } - } -} 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs deleted file mode 100644 index 45ffa2afd0..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionProviderImpl.cs +++ /dev/null @@ -1,32 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal unsafe sealed class DataProtectionProviderImpl : IDataProtectionProvider - { - private readonly byte[] _protectedKdk; - - public DataProtectionProviderImpl(byte[] protectedKdk) - { - _protectedKdk = protectedKdk; - } - - public IDataProtector CreateProtector(string purpose) - { - BCryptKeyHandle newAesKeyHandle; - BCryptHashHandle newHmacHashHandle; - byte[] newProtectedKdfSubkey; - - BCryptUtil.DeriveKeysSP800108(_protectedKdk, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newProtectedKdfSubkey); - return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newProtectedKdfSubkey); - } - - public void Dispose() - { - // no-op: we hold no protected resources - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs new file mode 100644 index 0000000000..f24ae68036 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs 
@@ -0,0 +1,153 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.Dpapi; +using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.AspNet.Security.DataProtection.Repositories; +using Microsoft.AspNet.Security.DataProtection.XmlEncryption; +using Microsoft.Framework.ConfigurationModel; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.OptionsModel; + +namespace Microsoft.AspNet.Security.DataProtection +{ + public static class DataProtectionServices + { + public static IEnumerable GetDefaultServices() + { + return GetDefaultServices(new Configuration()); + } + + public static IEnumerable GetDefaultServices(IConfiguration configuration) + { + var describe = new ServiceDescriber(configuration); + + List descriptors = new List(); + descriptors.AddRange(OptionsServices.GetDefaultServices(configuration)); + descriptors.AddRange(OSVersionUtil.IsBCryptOnWin7OrLaterAvailable() + ? GetDefaultServicesWindows(describe) + : GetDefaultServicesNonWindows(describe)); + return descriptors; + } + + private static IEnumerable GetDefaultServicesNonWindows(ServiceDescriber describe) + { + // If we're not running on Windows, we can't use CNG. + + // TODO: Replace this with something else. Mono's implementation of the + // DPAPI routines don't provide authenticity. 
+ return new[] + { + describe.Instance(new DpapiDataProtectionProvider(DataProtectionScope.CurrentUser)) + }; + } + + private static IEnumerable GetDefaultServicesWindows(ServiceDescriber describe) + { + List descriptors = new List(); + + // Are we running in Azure Web Sites? + DirectoryInfo azureWebSitesKeysFolder = TryGetKeysFolderForAzureWebSites(); + if (azureWebSitesKeysFolder != null) + { + // We'll use a null protector at the moment until the + // cloud DPAPI service comes online. + descriptors.AddRange(new[] + { + describe.Singleton(), + describe.Instance(new FileSystemXmlRepository(azureWebSitesKeysFolder)) + }); + } + else + { + // Are we running with the user profile loaded? + DirectoryInfo localAppDataKeysFolder = TryGetLocalAppDataKeysFolderForUser(); + if (localAppDataKeysFolder != null) + { + descriptors.AddRange(new[] + { + describe.Singleton(), + describe.Instance(new FileSystemXmlRepository(localAppDataKeysFolder)) + }); + } + else + { + // Are we running with no user profile (e.g., IIS service)? + // Fall back to DPAPI for now. + // TODO: We should use the IIS auto-gen reg keys as our repository. + return new[] { + describe.Instance(new DpapiDataProtectionProvider(DataProtectionScope.LocalMachine)) + }; + } + } + + // We use CNG CBC + HMAC by default. + descriptors.AddRange(new[] + { + describe.Singleton(), + describe.Singleton(), + describe.Singleton(), + describe.Singleton() + }); + + return descriptors; + } + + private static DirectoryInfo TryGetKeysFolderForAzureWebSites() + { + // There are two environment variables we care about. + if (String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"))) + { + return null; + } + + string homeEnvVar = Environment.GetEnvironmentVariable("HOME"); + if (String.IsNullOrEmpty(homeEnvVar)) + { + return null; + } + + // TODO: Remove BETA moniker from below. 
+ string fullPathToKeys = Path.Combine(homeEnvVar, "ASP.NET", "keys-BETA"); + return new DirectoryInfo(fullPathToKeys); + } + + private static DirectoryInfo TryGetLocalAppDataKeysFolderForUser() + { +#if !ASPNETCORE50 + // Environment.GetFolderPath returns null if the user profile isn't loaded. + string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); + if (folderPath != null) + { + // TODO: Remove BETA moniker from below. + return new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA")); + } + else + { + return null; + } +#else + // On core CLR, we need to fall back to environment variables. + string folderPath = Environment.GetEnvironmentVariable("LOCALAPPDATA") + ?? Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "AppData", "Local"); + + // TODO: Remove BETA moniker from below. + DirectoryInfo retVal = new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA")); + try + { + retVal.Create(); // throws if we don't have access, e.g., user profile not loaded + return retVal; + } catch + { + return null; + } +#endif + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs deleted file mode 100644 index 778eb089b7..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectorImpl.cs +++ /dev/null 
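Review bot: `TryGetLocalAppDataKeysFolderForUser` in DataProtectionServices.cs does not reliably return null when no profile is available, in either branch. On the desktop path the check is `folderPath != null`, but `Environment.GetFolderPath` is documented to return an empty string when the folder does not exist, and `Path.Combine("", "ASP.NET", "keys-BETA")` then yields a path relative to the process working directory, which is where the key repository would be created; `if (!String.IsNullOrEmpty(folderPath))` closes that. On the core CLR path the `Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), ...)` call sits outside the `try`, so a missing `USERPROFILE` throws `ArgumentNullException` instead of falling through to the DPAPI fallback; reading the variable first and returning null when it is empty would match the method's contract. The bare `catch` around `retVal.Create()` also hides why the folder was rejected, which deserves at least a comment naming the exceptions it is meant to cover.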
@@ -1,190 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; -using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Util; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal unsafe sealed class DataProtectorImpl : IDataProtector - { - private const int AES_BLOCK_LENGTH_IN_BYTES = 128 / 8; - private const int AES_IV_LENGTH_IN_BYTES = AES_BLOCK_LENGTH_IN_BYTES; - private const int MAC_LENGTH_IN_BYTES = 256 / 8; - - private readonly BCryptKeyHandle _aesKeyHandle; - private readonly BCryptHashHandle _hmacHashHandle; - private readonly byte[] _protectedKdk; - - public DataProtectorImpl(BCryptKeyHandle aesKeyHandle, BCryptHashHandle hmacHashHandle, byte[] protectedKdk) - { - _aesKeyHandle = aesKeyHandle; - _hmacHashHandle = hmacHashHandle; - _protectedKdk = protectedKdk; - } - - private static int CalculateTotalProtectedDataSize(int unprotectedDataSizeInBytes) - { - Debug.Assert(unprotectedDataSizeInBytes >= 0); - - checked - { - // Padding always rounds the block count up, never down. - // If the input size is already a multiple of the block length, a block is added. 
- int numBlocks = 1 + unprotectedDataSizeInBytes / AES_BLOCK_LENGTH_IN_BYTES; - return - AES_IV_LENGTH_IN_BYTES /* IV */ - + numBlocks * AES_BLOCK_LENGTH_IN_BYTES /* ciphertext with padding */ - + MAC_LENGTH_IN_BYTES /* MAC */; - } - } - - private static CryptographicException CreateGenericCryptographicException() - { - return new CryptographicException(Res.DataProtectorImpl_BadEncryptedData); - } - - public IDataProtector CreateSubProtector(string purpose) - { - BCryptKeyHandle newAesKeyHandle; - BCryptHashHandle newHmacHashHandle; - byte[] newProtectedKdfSubkey; - - BCryptUtil.DeriveKeysSP800108(_protectedKdk, purpose, Algorithms.AESAlgorithmHandle, out newAesKeyHandle, Algorithms.HMACSHA256AlgorithmHandle, out newHmacHashHandle, out newProtectedKdfSubkey); - return new DataProtectorImpl(newAesKeyHandle, newHmacHashHandle, newProtectedKdfSubkey); - } - - public void Dispose() - { - _aesKeyHandle.Dispose(); - _hmacHashHandle.Dispose(); - } - - public byte[] Protect(byte[] unprotectedData) - { - if (unprotectedData == null) - { - throw new ArgumentNullException("unprotectedData"); - } - - // When this method finishes, protectedData will contain { IV || ciphertext || HMAC(IV || ciphertext) } - byte[] protectedData = new byte[CalculateTotalProtectedDataSize(unprotectedData.Length)]; - - fixed (byte* pProtectedData = protectedData) - { - // first, generate a random IV for CBC mode encryption - byte* pIV = pProtectedData; - BCryptUtil.GenRandom(pIV, AES_IV_LENGTH_IN_BYTES); - - // then, encrypt the plaintext contents - byte* pCiphertext = &pIV[AES_IV_LENGTH_IN_BYTES]; - int expectedCiphertextLength = protectedData.Length - AES_IV_LENGTH_IN_BYTES - MAC_LENGTH_IN_BYTES; - fixed (byte* pPlaintext = unprotectedData.AsFixed()) - { - int actualCiphertextLength = BCryptUtil.EncryptWithPadding(_aesKeyHandle, pPlaintext, unprotectedData.Length, pIV, AES_IV_LENGTH_IN_BYTES, pCiphertext, expectedCiphertextLength); - if (actualCiphertextLength != expectedCiphertextLength) - { - 
throw new InvalidOperationException("Unexpected error while encrypting data."); - } - } - - // finally, calculate an HMAC over { IV || ciphertext } - byte* pMac = &pCiphertext[expectedCiphertextLength]; - using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) - { - // Use a cloned hash handle since IDataProtector instances could be singletons, but BCryptHashHandle instances contain - // state hence aren't thread-safe. Our own perf testing shows that duplicating existing hash handles is very fast. - BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_IV_LENGTH_IN_BYTES + expectedCiphertextLength, pMac, MAC_LENGTH_IN_BYTES); - } - } - - return protectedData; - } - - public byte[] Unprotect(byte[] protectedData) - { - if (protectedData == null) - { - throw new ArgumentNullException("protectedData"); - } - - byte[] retVal = null; - try - { - retVal = UnprotectImpl(protectedData); - } - catch - { - // swallow all exceptions; we'll homogenize - } - - if (retVal != null) - { - return retVal; - } - else - { - throw CreateGenericCryptographicException(); - } - } - - private byte[] UnprotectImpl(byte[] protectedData) - { - Debug.Assert(protectedData != null); - - // is the protected data even long enough to be valid? 
- if (protectedData.Length < AES_IV_LENGTH_IN_BYTES /* IV */ + AES_BLOCK_LENGTH_IN_BYTES /* min ciphertext size = 1 block */ + MAC_LENGTH_IN_BYTES) - { - return null; - } - - fixed (byte* pProtectedData = protectedData) - { - // calculate pointer offsets - byte* pIV = pProtectedData; - byte* pCiphertext = &pProtectedData[AES_IV_LENGTH_IN_BYTES]; - int ciphertextLength = protectedData.Length - AES_IV_LENGTH_IN_BYTES /* IV */ - MAC_LENGTH_IN_BYTES /* MAC */; - byte* pSuppliedMac = &pCiphertext[ciphertextLength]; - - // first, ensure that the MAC is valid - byte* pCalculatedMac = stackalloc byte[MAC_LENGTH_IN_BYTES]; - using (var clonedHashHandle = BCryptUtil.DuplicateHash(_hmacHashHandle)) - { - // see comments in Protect(byte[]) for why we duplicate the hash - BCryptUtil.HashData(clonedHashHandle, pProtectedData, AES_IV_LENGTH_IN_BYTES + ciphertextLength, pCalculatedMac, MAC_LENGTH_IN_BYTES); - } - if (!BCryptUtil.BuffersAreEqualSecure(pSuppliedMac, pCalculatedMac, MAC_LENGTH_IN_BYTES)) - { - return null; // MAC check failed - } - - // next, perform the actual decryption - // we don't know the actual plaintext length, but we know it must be strictly less than the ciphertext length - int plaintextBufferLength = ciphertextLength; - byte[] heapAllocatedPlaintext = null; - if (ciphertextLength > Constants.MAX_STACKALLOC_BYTES) - { - heapAllocatedPlaintext = new byte[plaintextBufferLength]; - } - - fixed (byte* pHeapAllocatedPlaintext = heapAllocatedPlaintext) - { - byte* pPlaintextBuffer = pHeapAllocatedPlaintext; - if (pPlaintextBuffer == null) - { - byte* temp = stackalloc byte[plaintextBufferLength]; // will be released when frame pops - pPlaintextBuffer = temp; - } - - int actualPlaintextLength = BCryptUtil.DecryptWithPadding(_aesKeyHandle, pCiphertext, ciphertextLength, pIV, AES_IV_LENGTH_IN_BYTES, pPlaintextBuffer, plaintextBufferLength); - Debug.Assert(actualPlaintextLength >= 0 && actualPlaintextLength < ciphertextLength); - - // truncate the return value to 
accomodate the plaintext size perfectly - return BufferUtil.ToManagedByteArray(pPlaintextBuffer, actualPlaintextLength); - } - } - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs new file mode 100644 index 0000000000..d933097799 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs 
@@ -0,0 +1,44 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.DependencyInjection.Fallback; +using Microsoft.Framework.OptionsModel; + +namespace Microsoft.AspNet.Security.DataProtection +{ + public class DefaultDataProtectionProvider : IDataProtectionProvider + { + private readonly IDataProtectionProvider _innerProvider; + + public DefaultDataProtectionProvider() + { + // use DI defaults + var collection = new ServiceCollection(); + var defaultServices = DataProtectionServices.GetDefaultServices(); + collection.Add(defaultServices); + var serviceProvider = collection.BuildServiceProvider(); + + _innerProvider = (IDataProtectionProvider)serviceProvider.GetService(typeof(IDataProtectionProvider)); + CryptoUtil.Assert(_innerProvider != null, "_innerProvider != null"); + } + + public DefaultDataProtectionProvider( + [NotNull] IOptionsAccessor optionsAccessor, + [NotNull] IKeyManager keyManager) + { + KeyRingBasedDataProtectionProvider rootProvider = new KeyRingBasedDataProtectionProvider(new KeyRingProvider(keyManager)); + var options = optionsAccessor.Options; + _innerProvider = (!String.IsNullOrEmpty(options.ApplicationDiscriminator)) + ? (IDataProtectionProvider)rootProvider.CreateProtector(options.ApplicationDiscriminator) + : rootProvider; + } + + public IDataProtector CreateProtector([NotNull] string purpose) + { + return _innerProvider.CreateProtector(purpose); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DataProtectionScope.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DataProtectionScope.cs new file mode 100644 index 0000000000..7cf629b023 --- /dev/null 
+++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DataProtectionScope.cs @@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +// We only define this type in core CLR since desktop CLR already contains it. +#if ASPNETCORE50 +using System; + +namespace System.Security.Cryptography +{ + // + // Summary: + // Specifies the scope of the data protection to be applied by the System.Security.Cryptography.ProtectedData.Protect(System.Byte[],System.Byte[],System.Security.Cryptography.DataProtectionScope) + // method. + internal enum DataProtectionScope + { + // + // Summary: + // The protected data is associated with the current user. Only threads running + // under the current user context can unprotect the data. + CurrentUser, + // + // Summary: + // The protected data is associated with the machine context. Any process running + // on the computer can unprotect data. This enumeration value is usually used in + // server-specific applications that run on a server where untrusted users are not + // allowed access. + LocalMachine + } +} +#endif diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtectionProvider.cs new file mode 100644 index 0000000000..5082e385b3 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtectionProvider.cs 
@@ -0,0 +1,25 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection.Dpapi +{ + // Provides a temporary implementation of IDataProtectionProvider for non-Windows machines + // or for Windows machines where we can't depend on the user profile. + internal sealed class DpapiDataProtectionProvider : IDataProtectionProvider + { + private readonly DpapiDataProtector _innerProtector; + + public DpapiDataProtectionProvider(DataProtectionScope scope) + { + _innerProtector = new DpapiDataProtector(new ProtectedDataImpl(), new byte[0], scope); + } + + public IDataProtector CreateProtector([NotNull] string purpose) + { + return _innerProtector.CreateProtector(purpose); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs new file mode 100644 index 0000000000..0bc4cb073d --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs 
@@ -0,0 +1,70 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.IO; +using System.Security.Cryptography; +using System.Text; + +namespace Microsoft.AspNet.Security.DataProtection.Dpapi +{ + // Provides a temporary implementation of IDataProtector for non-Windows machines + // or for Windows machines where we can't depend on the user profile. + internal sealed class DpapiDataProtector : IDataProtector + { + private static readonly UTF8Encoding _secureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); + + private readonly byte[] _combinedPurposes; + private readonly DataProtectionScope _scope; + private readonly IProtectedData _shim; + + internal DpapiDataProtector(IProtectedData shim, byte[] combinedPurposes, DataProtectionScope scope) + { + _combinedPurposes = combinedPurposes; + _scope = scope; + _shim = shim; + } + + public IDataProtector CreateProtector([NotNull] string purpose) + { + // Appends the provided purpose to the existing list + using (var memoryStream = new MemoryStream()) + { + memoryStream.Write(_combinedPurposes, 0, _combinedPurposes.Length); + using (var writer = new BinaryWriter(memoryStream, _secureUtf8Encoding, leaveOpen: true)) + { + writer.Write(purpose); + } + return new DpapiDataProtector(_shim, memoryStream.ToArray(), _scope); + } + } + + public byte[] Protect([NotNull] byte[] unprotectedData) + { + try + { + return _shim.Protect(unprotectedData, _combinedPurposes, _scope) + ?? CryptoUtil.Fail("Null return value."); + } + catch (Exception ex) if (!(ex is CryptographicException)) + { + // Homogenize to CryptographicException + throw Error.CryptCommon_GenericError(ex); + } + } + + public byte[] Unprotect([NotNull] byte[] protectedData) + { + try + { + return _shim.Unprotect(protectedData, _combinedPurposes, _scope) + ?? 
CryptoUtil.Fail("Null return value."); + } + catch (Exception ex) if (!(ex is CryptographicException)) + { + // Homogenize to CryptographicException + throw Error.CryptCommon_GenericError(ex); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/IProtectedData.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/IProtectedData.cs new file mode 100644 index 0000000000..3cba943f3d --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/IProtectedData.cs @@ -0,0 +1,15 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection.Dpapi +{ + internal interface IProtectedData + { + byte[] Protect(byte[] userData, byte[] optionalEntropy, DataProtectionScope scope); + + byte[] Unprotect(byte[] encryptedData, byte[] optionalEntropy, DataProtectionScope scope); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs new file mode 100644 index 0000000000..ab6d8ac06f --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs 
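Review bot: `CreateProtector` in DpapiDataProtector.cs depends on `BinaryWriter.Write(string)` emitting a length prefix to keep purpose chains unambiguous, yet its only comment is "Appends the provided purpose to the existing list". I would spell the property out so that nobody later replaces it with plain concatenation: `// Each purpose is written length-prefixed, so the chains ("a", "bc") and ("ab", "c") produce different entropy.` A short comment on `_secureUtf8Encoding` would help as well, saying that `throwOnInvalidBytes: true` is presumably there so malformed input is rejected rather than substituted, since substitution could map distinct purposes to the same bytes.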
@@ -0,0 +1,58 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.Cng; + +namespace Microsoft.AspNet.Security.DataProtection.Dpapi +{ + internal unsafe sealed class ProtectedDataImpl : IProtectedData + { + public byte[] Protect(byte[] userData, byte[] optionalEntropy, DataProtectionScope scope) + { +#if ASPNETCORE50 + fixed (byte* pbUserData = userData) + { + fixed (byte* pbOptionalEntropy = optionalEntropy) + { + return DpapiSecretSerializerHelper.ProtectWithDpapiImpl( + pbSecret: pbUserData, + cbSecret: (userData != null) ? (uint)userData.Length : 0, + pbOptionalEntropy: pbOptionalEntropy, + cbOptionalEntropy: (optionalEntropy != null) ? (uint)optionalEntropy.Length : 0, + fLocalMachine: (scope == DataProtectionScope.LocalMachine)); + } + } +#else + return ProtectedData.Protect(userData, optionalEntropy, scope); +#endif + } + + public byte[] Unprotect(byte[] encryptedData, byte[] optionalEntropy, DataProtectionScope scope) + { +#if ASPNETCORE50 + ProtectedMemoryBlob blob; + fixed (byte* pbEncryptedData = encryptedData) + { + fixed (byte* pbOptionalEntropy = optionalEntropy) + { + blob = DpapiSecretSerializerHelper.UnprotectWithDpapiImpl( + pbProtectedData: pbEncryptedData, + cbProtectedData: (encryptedData != null) ? (uint)encryptedData.Length : 0, + pbOptionalEntropy: pbOptionalEntropy, + cbOptionalEntropy: (optionalEntropy != null) ? (uint)optionalEntropy.Length : 0); + } + } + using (blob) + { + byte[] retVal = new byte[blob.Length]; + blob.WriteSecretIntoBuffer(new ArraySegment(retVal)); + return retVal; + } +#else + return ProtectedData.Unprotect(encryptedData, optionalEntropy, scope); +#endif + } + } +} 
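Review bot: In the `ASPNETCORE50` branches of `Protect` and `Unprotect`, `fixed (byte* pbUserData = userData)` typically yields a null pointer for an empty array as well as for a null one, so `ProtectWithDpapiImpl` can be called with `pbSecret == null` and `cbSecret == 0`. The classes this patch removes pinned their input through `unprotectedData.AsFixed()`, which suggests the empty case needed care before. Whether `DpapiSecretSerializerHelper` tolerates a null pointer is not visible in this hunk, so it should be confirmed or covered by a test with zero-length input. Separately, `retVal` in `Unprotect` receives the plaintext from `WriteSecretIntoBuffer`; it is the return value and cannot be cleared here, but a comment such as `// Caller owns this plaintext copy; it is not zeroed by this method.` would make the lifetime explicit.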
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs deleted file mode 100644 index fa6df2f6ad..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectionProviderImpl.cs +++ /dev/null @@ -1,31 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal sealed class DpapiDataProtectionProviderImpl : IDataProtectionProvider - { - private readonly byte[] _entropy; - private readonly bool _protectToLocalMachine; - - public DpapiDataProtectionProviderImpl(byte[] entropy, bool protectToLocalMachine) - { - Debug.Assert(entropy != null); - _entropy = entropy; - _protectToLocalMachine = protectToLocalMachine; - } - - public IDataProtector CreateProtector(string purpose) - { - return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose), _protectToLocalMachine); - } - - public void Dispose() - { - // no-op; no unmanaged resources to dispose - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs deleted file mode 100644 index 0d0ed33094..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/DpapiDataProtectorImpl.cs +++ /dev/null 
@@ -1,161 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; -using System.Runtime.CompilerServices; -using System.Runtime.InteropServices; -using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Util; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal unsafe sealed class DpapiDataProtectorImpl : IDataProtector - { - // from dpapi.h - private const uint CRYPTPROTECT_LOCAL_MACHINE = 0x4; - private const uint CRYPTPROTECT_UI_FORBIDDEN = 0x1; - - // Used as the 'purposes' parameter to DPAPI operations - private readonly byte[] _entropy; - - private readonly bool _protectToLocalMachine; - - public DpapiDataProtectorImpl(byte[] entropy, bool protectToLocalMachine) - { - Debug.Assert(entropy != null); - _entropy = entropy; - _protectToLocalMachine = protectToLocalMachine; - } - - private static CryptographicException CreateGenericCryptographicException(bool isErrorDueToProfileNotLoaded = false) - { - string message = (isErrorDueToProfileNotLoaded) ? 
Res.DpapiDataProtectorImpl_ProfileNotLoaded : Res.DataProtectorImpl_BadEncryptedData; - return new CryptographicException(message); - } - - public IDataProtector CreateSubProtector(string purpose) - { - return new DpapiDataProtectorImpl(BCryptUtil.GenerateDpapiSubkey(_entropy, purpose), _protectToLocalMachine); - } - - public void Dispose() - { - // no-op; no unmanaged resources to dispose - } - - private uint GetCryptProtectUnprotectFlags() - { - if (_protectToLocalMachine) - { - return CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN; - } - else - { - return CRYPTPROTECT_UI_FORBIDDEN; - } - } - - public byte[] Protect(byte[] unprotectedData) - { - if (unprotectedData == null) - { - throw new ArgumentNullException("unprotectedData"); - } - - DATA_BLOB dataOut = default(DATA_BLOB); - -#if NET45 - RuntimeHelpers.PrepareConstrainedRegions(); -#endif - try - { - bool success; - fixed (byte* pUnprotectedData = unprotectedData.AsFixed()) - { - fixed (byte* pEntropy = _entropy) - { - // no need for checked arithmetic here - DATA_BLOB dataIn = new DATA_BLOB() { cbData = (uint)unprotectedData.Length, pbData = pUnprotectedData }; - DATA_BLOB optionalEntropy = new DATA_BLOB() { cbData = (uint)_entropy.Length, pbData = pEntropy }; - success = UnsafeNativeMethods.CryptProtectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, GetCryptProtectUnprotectFlags(), out dataOut); - } - } - - // Did a failure occur? 
- if (!success) - { - int errorCode = Marshal.GetLastWin32Error(); - bool isErrorDueToProfileNotLoaded = ((errorCode & 0xffff) == 2 /* ERROR_FILE_NOT_FOUND */); - throw CreateGenericCryptographicException(isErrorDueToProfileNotLoaded); - } - - // OOMs may be marked as success but won't return a valid pointer - if (dataOut.pbData == null) - { - throw new OutOfMemoryException(); - } - - return BufferUtil.ToManagedByteArray(dataOut.pbData, dataOut.cbData); - } - finally - { - // per MSDN, we need to use LocalFree (implemented by Marshal.FreeHGlobal) to clean up CAPI-allocated memory - if (dataOut.pbData != null) - { - Marshal.FreeHGlobal((IntPtr)dataOut.pbData); - } - } - } - - public byte[] Unprotect(byte[] protectedData) - { - if (protectedData == null) - { - throw new ArgumentNullException("protectedData"); - } - - DATA_BLOB dataOut = default(DATA_BLOB); - -#if NET45 - RuntimeHelpers.PrepareConstrainedRegions(); -#endif - try - { - bool success; - fixed (byte* pProtectedData = protectedData.AsFixed()) - { - fixed (byte* pEntropy = _entropy) - { - // no need for checked arithmetic here - DATA_BLOB dataIn = new DATA_BLOB() { cbData = (uint)protectedData.Length, pbData = pProtectedData }; - DATA_BLOB optionalEntropy = new DATA_BLOB() { cbData = (uint)_entropy.Length, pbData = pEntropy }; - success = UnsafeNativeMethods.CryptUnprotectData(&dataIn, IntPtr.Zero, &optionalEntropy, IntPtr.Zero, IntPtr.Zero, GetCryptProtectUnprotectFlags(), out dataOut); - } - } - - // Did a failure occur? 
- if (!success) - { - throw CreateGenericCryptographicException(); - } - - // OOMs may be marked as success but won't return a valid pointer - if (dataOut.pbData == null) - { - throw new OutOfMemoryException(); - } - - return BufferUtil.ToManagedByteArray(dataOut.pbData, dataOut.cbData); - } - finally - { - // per MSDN, we need to use LocalFree (implemented by Marshal.FreeHGlobal) to clean up CAPI-allocated memory - if (dataOut.pbData != null) - { - Marshal.FreeHGlobal((IntPtr)dataOut.pbData); - } - } - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs new file mode 100644 index 0000000000..15e7ef1fbb --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs 
@@ -0,0 +1,96 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.Framework.OptionsModel; + +namespace Microsoft.AspNet.Security.DataProtection +{ + /// + /// An IDataProtectionProvider that is transient. + /// + /// + /// Payloads generated by a given EphemeralDataProtectionProvider instance can only + /// be deciphered by that same instance. Once the instance is lost, all ciphertexts + /// generated by that instance are permanently undecipherable. + /// + public sealed class EphemeralDataProtectionProvider : IDataProtectionProvider + { + private readonly KeyRingBasedDataProtectionProvider _dataProtectionProvider; + + public EphemeralDataProtectionProvider() + { + IKeyRingProvider keyringProvider; + + if (OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + { + // Fastest implementation: AES-GCM + keyringProvider = new CngEphemeralKeyRing(); + } + else + { + // Slowest implementation: managed CBC + HMAC + keyringProvider = new ManagedEphemeralKeyRing(); + } + + _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider); + } + + public IDataProtector CreateProtector([NotNull] string purpose) + { + // just forward to the underlying provider + return _dataProtectionProvider.CreateProtector(purpose); + } + + private sealed class DefaultOptionsAccessor : IOptionsAccessor where T : class, new() + { + public T Options { get; } = new T(); + + public T GetNamedOptions(string name) + { + return Options; + } + } + + // A special key ring that only understands one key id and which uses CNG. 
+ private sealed class CngEphemeralKeyRing : IKeyRing, IKeyRingProvider + { + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new CngGcmAuthenticatedEncryptorConfigurationFactory(new DefaultOptionsAccessor()).CreateNewConfiguration().CreateEncryptorInstance(); + + public Guid DefaultKeyId { get; } = default(Guid); + + public IAuthenticatedEncryptor GetAuthenticatedEncryptorByKeyId(Guid keyId, out bool isRevoked) + { + isRevoked = false; + return (keyId == default(Guid)) ? DefaultAuthenticatedEncryptor : null; + } + + public IKeyRing GetCurrentKeyRing() + { + return this; + } + } + + // A special key ring that only understands one key id and which uses managed CBC + HMAC. + private sealed class ManagedEphemeralKeyRing : IKeyRing, IKeyRingProvider + { + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new ManagedAuthenticatedEncryptorConfigurationFactory(new DefaultOptionsAccessor()).CreateNewConfiguration().CreateEncryptorInstance(); + + public Guid DefaultKeyId { get; } = default(Guid); + + public IAuthenticatedEncryptor GetAuthenticatedEncryptorByKeyId(Guid keyId, out bool isRevoked) + { + isRevoked = false; + return (keyId == default(Guid)) ? DefaultAuthenticatedEncryptor : null; + } + + public IKeyRing GetCurrentKeyRing() + { + return this; + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Error.cs b/src/Microsoft.AspNet.Security.DataProtection/Error.cs new file mode 100644 index 0000000000..aa75abce2c --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Error.cs 
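Review bot: Both nested key rings in EphemeralDataProtectionProvider.cs use `default(Guid)` as `DefaultKeyId` and hand back the default encryptor for that id, so the key id never tells one provider instance from another. A payload produced by a different instance is therefore rejected only when the encryptor's own authenticated decryption fails (presumably because `CreateNewConfiguration()` generates a fresh key per instance; that is not visible here). That dependency deserves a comment above `DefaultKeyId`, for example `// Every instance uses the all-zero key id; isolation between instances relies on authenticated decryption failing under a different key.` `CngEphemeralKeyRing` and `ManagedEphemeralKeyRing` also differ only in the configuration factory they construct and could share one implementation that receives the encryptor as a constructor argument.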
@@ -0,0 +1,74 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Globalization; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal static class Error + { + public static CryptographicException BCryptAlgorithmHandle_ProviderNotFound(string algorithmId) + { + string message = String.Format(CultureInfo.CurrentCulture, Resources.BCryptAlgorithmHandle_ProviderNotFound, algorithmId); + return new CryptographicException(message); + } + + public static ArgumentException Common_BufferIncorrectlySized(string parameterName, int actualSize, int expectedSize) + { + string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_BufferIncorrectlySized, actualSize, expectedSize); + return new ArgumentException(message, parameterName); + } + + public static CryptographicException CryptCommon_GenericError(Exception inner = null) + { + return new CryptographicException(Resources.CryptCommon_GenericError, inner); + } + + public static CryptographicException CryptCommon_PayloadInvalid() + { + string message = Resources.CryptCommon_PayloadInvalid; + return new CryptographicException(message); + } + + public static InvalidOperationException Common_PropertyCannotBeNullOrEmpty(string propertyName) + { + string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyCannotBeNullOrEmpty, propertyName); + throw new InvalidOperationException(message); + } + + public static CryptographicException Common_EncryptionFailed(Exception inner = null) + { + return new CryptographicException(Resources.Common_EncryptionFailed, inner); + } + + public static CryptographicException Common_KeyNotFound(Guid id) + { + string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyNotFound, id); + return new CryptographicException(message); + 
} + + public static CryptographicException Common_KeyRevoked(Guid id) + { + string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyRevoked, id); + return new CryptographicException(message); + } + + public static CryptographicException Common_NotAValidProtectedPayload() + { + return new CryptographicException(Resources.Common_NotAValidProtectedPayload); + } + + public static CryptographicException Common_PayloadProducedByNewerVersion() + { + return new CryptographicException(Resources.Common_PayloadProducedByNewerVersion); + } + + public static CryptographicException DecryptionFailed(Exception inner) + { + return new CryptographicException(Resources.Common_DecryptionFailed, inner); + } + + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs index 2b39b475f1..3403240824 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; 
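Review bot: `Common_PropertyCannotBeNullOrEmpty` in Error.cs ends with `throw new InvalidOperationException(message);` while every other factory in the class returns the exception it builds. A call site written as `throw Error.Common_PropertyCannotBeNullOrEmpty(...)` still works, but the exception is raised from inside the helper and a caller that only wants the exception object never receives it; the line should read `return new InvalidOperationException(message);`. `DecryptionFailed` is also the only member whose name lacks the `Common_` prefix of the resource it wraps, `Resources.Common_DecryptionFailed`.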
@@ -6,15 +6,21 @@ using System; namespace Microsoft.AspNet.Security.DataProtection { /// - /// A factory that can provide IDataProtector instances. + /// An interface that can be used to create IDataProtector instances. /// - public interface IDataProtectionProvider : IDisposable + public interface IDataProtectionProvider { /// - /// Given a purpose, returns a new IDataProtector that has unique cryptographic keys tied to this purpose. + /// Creates an IDataProtector given a purpose. /// - /// The consumer of the IDataProtector. - /// An IDataProtector. + /// + /// The purpose to be assigned to the newly-created IDataProtector. + /// This parameter must be unique for the intended use case; two different IDataProtector + /// instances created with two different 'purpose' strings will not be able + /// to understand each other's payloads. The 'purpose' parameter is not intended to be + /// kept secret. + /// + /// An IDataProtector tied to the provided purpose. IDataProtector CreateProtector(string purpose); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs index e873fbeed0..353a941710 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; 
@@ -6,33 +6,26 @@ using System; namespace Microsoft.AspNet.Security.DataProtection { /// - /// Represents an object that can perform cryptographic operations. + /// An interface that can provide data protection services. /// - public interface IDataProtector : IDisposable + public interface IDataProtector : IDataProtectionProvider { /// - /// Given a subpurpose, returns a new IDataProtector that has unique cryptographic keys tied both the purpose - /// that was used to create this IDataProtector instance and the purpose that is provided as a parameter - /// to this method. + /// Cryptographically protects a piece of plaintext data. /// - /// The sub-consumer of the IDataProtector. - /// An IDataProtector. - IDataProtector CreateSubProtector(string purpose); - - /// - /// Cryptographically protects some input data. - /// - /// The data to be protected. - /// An array containing cryptographically protected data. - /// To retrieve the original data, call Unprotect on the protected data. + /// The plaintext data to protect. + /// The protected form of the plaintext data. byte[] Protect(byte[] unprotectedData); /// - /// Retrieves the original data that was protected by a call to Protect. + /// Cryptographically unprotects a piece of protected data. /// - /// The protected data to be decrypted. - /// The original data. - /// Throws CryptographicException if the protectedData parameter has been tampered with. + /// The protected data to unprotect. + /// The plaintext form of the protected data. + /// + /// Implementations should throw CryptographicException if the protected data is + /// invalid or malformed. + /// byte[] Unprotect(byte[] protectedData); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs b/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs new file mode 100644 index 0000000000..8e73cc8cdd --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs 
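Review bot: The new remark on `Unprotect` in IDataProtector.cs says implementations "should" throw CryptographicException for invalid or malformed data and drops the earlier wording about tampered data, which leaves callers unsure what they have to catch. Code that treats CryptographicException as the single signal for an untrusted payload needs a firm contract, for example `Implementations must throw CryptographicException if the protected data is invalid, malformed, or has been tampered with.` `Protect` has no matching statement even though KeyRingBasedDataProtector.Protect, later in this patch, converts every failure to CryptographicException; a one-line remark there would make the two methods symmetric.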
@@ -0,0 +1,27 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection +{ + /// + /// Represents a secret value. + /// + public interface ISecret : IDisposable + { + /// + /// The length (in bytes) of the value. + /// + int Length { get; } + + /// + /// Writes the secret value to the specified buffer. + /// + /// The buffer which should receive the secret value. + /// + /// The buffer size must exactly match the length of the secret value. + /// + void WriteSecretIntoBuffer(ArraySegment buffer); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs index 548e0e7f65..79cb1e6370 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2; +using Microsoft.AspNet.Security.DataProtection.PBKDF2; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Security.DataProtection { public static class KeyDerivation { diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs index 600383eb7a..196aed9523 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Security.DataProtection { /// /// Specifies the PRF which should be used for the key derivation algorithm. 
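Review bot: `WriteSecretIntoBuffer` in ISecret.cs copies the secret into a caller-supplied buffer, but the doc comment does not say who is responsible for clearing that copy or what happens when the buffer size differs from `Length`. Add remarks along the lines of `The caller owns the buffer and should clear it as soon as the secret is no longer needed.` and name the exception thrown on a size mismatch (the new `Error.Common_BufferIncorrectlySized` helper suggests ArgumentException, but no implementation is visible here). If `Dispose` is meant to erase the implementation's own copy of the secret, the interface summary should say that as well.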
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKey.cs new file mode 100644 index 0000000000..088ae89e09 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKey.cs @@ -0,0 +1,54 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + /// + /// The basic interface for representing an authenticated encryption key. + /// + public interface IKey + { + /// + /// The date at which encryptions with this key can begin taking place. + /// + DateTimeOffset ActivationDate { get; } + + /// + /// The date on which this key was created. + /// + DateTimeOffset CreationDate { get; } + + /// + /// The date after which encryptions with this key may no longer take place. + /// + /// + /// An expired key may still be used to decrypt existing payloads. + /// + DateTimeOffset ExpirationDate { get; } + + /// + /// Returns a value stating whether this key was revoked. + /// + /// + /// A revoked key may still be used to decrypt existing payloads, but the payloads + /// must be treated as potentially unauthentic unless the application has some + /// other assurance that the payloads are authentic. + /// + bool IsRevoked { get; } + + /// + /// The id of the key. + /// + Guid KeyId { get; } + + /// + /// Creates an IAuthenticatedEncryptor instance that can be used to encrypt data + /// to and decrypt data from this key. + /// + /// An IAuthenticatedEncryptor. + IAuthenticatedEncryptor CreateEncryptorInstance(); + } +} 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyManager.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyManager.cs new file mode 100644 index 0000000000..bbf9056e40 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyManager.cs 
@@ -0,0 +1,54 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + /// + /// The basic interface for performing key management operations. + /// + public interface IKeyManager + { + /// + /// Creates a new key with the specified activation and expiration dates. + /// + /// The date on which encryptions to this key may begin. + /// The date after which encryptions to this key may no longer take place. + /// The newly-created IKey instance. + /// + /// This method also persists the newly-created IKey instance to the underlying repository. + /// + IKey CreateNewKey(DateTimeOffset activationDate, DateTimeOffset expirationDate); + + /// + /// Fetches all keys from the underlying repository. + /// + /// The collection of all keys. + IReadOnlyCollection GetAllKeys(); + + /// + /// Revokes a specific key. + /// + /// The id of the key to revoke. + /// An optional human-readable reason for revocation. + /// + /// This method will not mutate existing IKey instances. After calling this method, + /// all existing IKey instances should be discarded, and GetAllKeys should be called again. + /// + void RevokeKey(Guid keyId, string reason = null); + + /// + /// Revokes all keys created before a specified date. + /// + /// The revocation date. All keys with a creation date before + /// this value will be revoked. + /// An optional human-readable reason for revocation. + /// + /// This method will not mutate existing IKey instances. After calling this method, + /// all existing IKey instances should be discarded, and GetAllKeys should be called again. + /// + void RevokeAllKeys(DateTimeOffset revocationDate, string reason = null); + } +} 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRing.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRing.cs
new file mode 100644
index 0000000000..bae55be34e
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRing.cs
@@ -0,0 +1,17 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption;
+
+namespace Microsoft.AspNet.Security.DataProtection.KeyManagement
+{
+ internal interface IKeyRing
+ {
+ IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; }
+
+ Guid DefaultKeyId { get; }
+
+ IAuthenticatedEncryptor GetAuthenticatedEncryptorByKeyId(Guid keyId, out bool isRevoked);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRingProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRingProvider.cs
new file mode 100644
index 0000000000..da8115033d
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRingProvider.cs
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.KeyManagement
+{
+ internal interface IKeyRingProvider
+ {
+ IKeyRing GetCurrentKeyRing();
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/Key.cs
new file mode 100644
index 0000000000..a5ee6796a8
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/Key.cs
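Review bot: `GetAuthenticatedEncryptorByKeyId` in IKeyRing.cs has no doc comment, and its contract cannot be read off the signature: the implementations in this patch return null for an unknown key id and still return a usable encryptor for a revoked key, reporting revocation only through `isRevoked`. A caller that ignores the out parameter would accept payloads under a revoked key, so the interface should state it, e.g. `/// Returns null if keyId is unknown. A non-null encryptor is returned even when isRevoked is true; callers must check isRevoked before trusting the result.` `DefaultAuthenticatedEncryptor` and `DefaultKeyId` would each benefit from a one-line summary too.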
@@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + internal sealed class Key : IKey + { + private readonly IAuthenticatedEncryptorConfiguration _encryptorConfiguration; + + public Key(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IAuthenticatedEncryptorConfiguration encryptorConfiguration) + { + KeyId = keyId; + CreationDate = creationDate; + ActivationDate = activationDate; + ExpirationDate = expirationDate; + + _encryptorConfiguration = encryptorConfiguration; + } + + public DateTimeOffset ActivationDate + { + get; + private set; + } + + public DateTimeOffset CreationDate + { + get; + private set; + } + + public DateTimeOffset ExpirationDate + { + get; + private set; + } + + public bool IsRevoked + { + get; + private set; + } + + public Guid KeyId + { + get; + private set; + } + + public IAuthenticatedEncryptor CreateEncryptorInstance() + { + return _encryptorConfiguration.CreateEncryptorInstance(); + } + + internal void SetRevoked() + { + IsRevoked = true; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyExtensions.cs new file mode 100644 index 0000000000..f1e9740c76 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyExtensions.cs 
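Review bot: `SetRevoked()` in Key.cs is the only mutator on an otherwise immutable `Key`, and nothing in the class says when it may be called. The IKeyManager remarks in this patch state that revocation will not mutate existing IKey instances, and the holder in KeyRing.cs reads `_key.IsRevoked` on every lookup, so a late call would change the result for keys already in use. Add a comment such as `// Called only while the key manager is materializing keys, before the instance is handed out.` if that is the intent, or pass the revoked state through the constructor so the type needs no setter. The constructor also stores `encryptorConfiguration` without a null check, so a null argument surfaces later as a NullReferenceException in `CreateEncryptorInstance`.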
@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.KeyManagement
+{
+ internal static class KeyExtensions
+ {
+ public static bool IsExpired(this IKey key, DateTime utcNow)
+ {
+ return (key.ExpirationDate.UtcDateTime <= utcNow);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRing.cs
new file mode 100644
index 0000000000..5bd8773811
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRing.cs
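Review bot: `IsExpired` in KeyExtensions.cs compares `key.ExpirationDate.UtcDateTime` with a `DateTime` whose Kind is never checked, and DateTime comparison looks only at ticks, so a caller that passes a local time gets an answer that is off by the UTC offset. Taking the instant as a DateTimeOffset removes the trap: `public static bool IsExpired(this IKey key, DateTimeOffset now)` with `return key.ExpirationDate <= now;`. The `<=` also treats the key as expired at the exact ExpirationDate, while IKey documents that value as the date after which encryption stops; either the doc comment or the operator should be adjusted so the two agree.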
@@ -0,0 +1,97 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Threading; +using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + internal sealed class KeyRing : IKeyRing + { + private readonly AuthenticatedEncryptorHolder _defaultEncryptorHolder; + private readonly Dictionary _keyToEncryptorMap; + + public KeyRing(Guid defaultKeyId, IKey[] keys) + { + DefaultKeyId = defaultKeyId; + _keyToEncryptorMap = CreateEncryptorMap(defaultKeyId, keys, out _defaultEncryptorHolder); + } + + public KeyRing(Guid defaultKeyId, KeyRing other) + { + DefaultKeyId = defaultKeyId; + _keyToEncryptorMap = other._keyToEncryptorMap; + _defaultEncryptorHolder = _keyToEncryptorMap[defaultKeyId]; + } + + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor + { + get + { + bool unused; + return _defaultEncryptorHolder.GetEncryptorInstance(out unused); + } + } + + public Guid DefaultKeyId { get; private set; } + + private static Dictionary CreateEncryptorMap(Guid defaultKeyId, IKey[] keys, out AuthenticatedEncryptorHolder defaultEncryptorHolder) + { + defaultEncryptorHolder = null; + + var encryptorMap = new Dictionary(keys.Length); + foreach (var key in keys) + { + var holder = new AuthenticatedEncryptorHolder(key); + encryptorMap.Add(key.KeyId, holder); + if (key.KeyId == defaultKeyId) + { + defaultEncryptorHolder = holder; + } + } + return encryptorMap; + } + + public IAuthenticatedEncryptor GetAuthenticatedEncryptorByKeyId(Guid keyId, out bool isRevoked) + { + isRevoked = false; + AuthenticatedEncryptorHolder holder; + _keyToEncryptorMap.TryGetValue(keyId, out holder); + return holder?.GetEncryptorInstance(out isRevoked); + } + + private sealed class AuthenticatedEncryptorHolder + { + 
private readonly IKey _key; + private IAuthenticatedEncryptor _encryptor; + + internal AuthenticatedEncryptorHolder(IKey key) + { + _key = key; + } + + internal IAuthenticatedEncryptor GetEncryptorInstance(out bool isRevoked) + { + // simple double-check lock pattern + // we can't use LazyInitializer because we don't have a simple value factory + IAuthenticatedEncryptor encryptor = Volatile.Read(ref _encryptor); + if (encryptor == null) + { + lock (this) + { + encryptor = Volatile.Read(ref _encryptor); + if (encryptor == null) + { + encryptor = _key.CreateEncryptorInstance(); + Volatile.Write(ref _encryptor, encryptor); + } + } + } + isRevoked = _key.IsRevoked; + return encryptor; + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs new file mode 100644 index 0000000000..daf0873218 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs @@ -0,0 +1,22 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + internal unsafe sealed class KeyRingBasedDataProtectionProvider : IDataProtectionProvider + { + private readonly IKeyRingProvider _keyringProvider; + + public KeyRingBasedDataProtectionProvider(IKeyRingProvider keyringProvider) + { + _keyringProvider = keyringProvider; + } + + public IDataProtector CreateProtector([NotNull] string purpose) + { + return new KeyRingBasedDataProtector(_keyringProvider, new[] { purpose }); + } + } +} 
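Review bot: In KeyRing.cs, `CreateEncryptorMap` leaves `defaultEncryptorHolder` null when `defaultKeyId` is not among `keys`, and the `DefaultAuthenticatedEncryptor` getter then dereferences it. KeyRingBasedDataProtector.Protect reads that property before its try block, so the failure would reach callers as a NullReferenceException rather than the CryptographicException the rest of the patch standardizes on. Fail fast in the constructor, e.g. `if (_defaultEncryptorHolder == null) { throw Error.Common_KeyNotFound(defaultKeyId); }`; the copy constructor has the same gap through `_keyToEncryptorMap[defaultKeyId]`, which throws KeyNotFoundException. Separately, `lock (this)` in `AuthenticatedEncryptorHolder` is contained because the class is private, but a dedicated `private readonly object` lock field is the usual form.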
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs new file mode 100644 index 0000000000..3b87e17147 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -0,0 +1,302 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.IO; +using System.Security.Cryptography; +using System.Text; +using System.Threading; +using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + internal unsafe sealed class KeyRingBasedDataProtector : IDataProtector + { + // This magic header identifies a v0 protected data blob. + // It's the high 28 bits of the SHA1 hash of "Microsoft.AspNet.Security.DataProtection.MultiplexingDataProtector" [US-ASCII]. + // The last 4 bits are reserved for version information. + private const uint MAGIC_HEADER_V0 = 0xE123CF30; + + private byte[] _additionalAuthenticatedDataTemplate; + private readonly IKeyRingProvider _keyringProvider; + private readonly string[] _purposes; + + public KeyRingBasedDataProtector(IKeyRingProvider keyringProvider, string[] purposes) + { + _additionalAuthenticatedDataTemplate = GenerateAdditionalAuthenticatedDataTemplateFromPurposes(purposes); + _keyringProvider = keyringProvider; + _purposes = purposes; + } + + private static byte[] ApplyEncryptorIdToAdditionalAuthenticatedDataTemplate(Guid encryptorId, byte[] additionalAuthenticatedDataTemplate) + { + CryptoUtil.Assert(additionalAuthenticatedDataTemplate.Length >= sizeof(uint) + sizeof(Guid), "additionalAuthenticatedDataTemplate.Length >= sizeof(uint) + sizeof(Guid)"); + + // Optimization: just return the original template if the GUID already matches. 
+ fixed (byte* pbOriginal = additionalAuthenticatedDataTemplate) + { + if (Read32bitAlignedGuid(&pbOriginal[sizeof(uint)]) == encryptorId) + { + return additionalAuthenticatedDataTemplate; + } + } + + // Clone the template since the input is immutable, then inject the encryptor ID into the new template + byte[] cloned = (byte[])additionalAuthenticatedDataTemplate.Clone(); + fixed (byte* pbCloned = cloned) + { + Write32bitAlignedGuid(&pbCloned[sizeof(uint)], encryptorId); + } + return cloned; + } + + public IDataProtector CreateProtector([NotNull] string purpose) + { + // Append the incoming purpose to the end of the original array to form a hierarchy + string[] newPurposes = new string[_purposes.Length + 1]; + Array.Copy(_purposes, 0, newPurposes, 0, _purposes.Length); + newPurposes[newPurposes.Length - 1] = purpose; + + // Use the same keyring as the current instance + return new KeyRingBasedDataProtector(_keyringProvider, newPurposes); + } + + private static byte[] GenerateAdditionalAuthenticatedDataTemplateFromPurposes(string[] purposes) + { + const int MEMORYSTREAM_DEFAULT_CAPACITY = 0x100; // matches MemoryStream.EnsureCapacity + var ms = new MemoryStream(MEMORYSTREAM_DEFAULT_CAPACITY); + + // additionalAuthenticatedData := { magicHeader || encryptor-GUID || purposeCount || (purpose)* } + // purpose := { utf8ByteCount || utf8Text } + using (var writer = new PurposeBinaryWriter(ms)) + { + writer.WriteBigEndian(MAGIC_HEADER_V0); + Debug.Assert(ms.Position == sizeof(uint)); + writer.Seek(sizeof(Guid), SeekOrigin.Current); // skip over where the encryptor GUID will be stored; we'll fill it in later + if (purposes != null) + { + writer.Write7BitEncodedInt(purposes.Length); + foreach (var purpose in purposes) + { + if (String.IsNullOrEmpty(purpose)) + { + writer.Write7BitEncodedInt(0); // blank purpose + } + else + { + writer.Write(purpose); + } + } + } + else + { + writer.Write7BitEncodedInt(0); // empty purposes array + } + } + + return ms.ToArray(); + } + + 
public byte[] Protect(byte[] unprotectedData) + { + // argument & state checking + if (unprotectedData == null) + { + throw new ArgumentNullException("unprotectedData"); + } + + // Perform the encryption operation using the current default encryptor. + var currentKeyRing = _keyringProvider.GetCurrentKeyRing(); + var defaultKeyId = currentKeyRing.DefaultKeyId; + var defaultEncryptorInstance = currentKeyRing.DefaultAuthenticatedEncryptor; + CryptoUtil.Assert(defaultEncryptorInstance != null, "defaultEncryptorInstance != null"); + + // We'll need to apply the default encryptor ID to the template if it hasn't already been applied. + // If the default encryptor ID has been updated since the last call to Protect, also write back the updated template. + byte[] aadTemplate = Volatile.Read(ref _additionalAuthenticatedDataTemplate); + byte[] aadForInvocation = ApplyEncryptorIdToAdditionalAuthenticatedDataTemplate(defaultKeyId, aadTemplate); + if (aadTemplate != aadForInvocation) + { + Volatile.Write(ref _additionalAuthenticatedDataTemplate, aadForInvocation); + } + + // We allocate a 20-byte pre-buffer so that we can inject the magic header and encryptor id into the return value. + byte[] retVal; + try + { + retVal = defaultEncryptorInstance.Encrypt( + plaintext: new ArraySegment(unprotectedData), + additionalAuthenticatedData: new ArraySegment(aadForInvocation), + preBufferSize: (uint)(sizeof(uint) + sizeof(Guid)), + postBufferSize: 0); + CryptoUtil.Assert(retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid), "retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid)"); + } + catch (Exception ex) if (!(ex is CryptographicException)) + { + // homogenize all errors to CryptographicException + throw Error.Common_EncryptionFailed(ex); + } + + // At this point: retVal := { 000..000 || encryptorSpecificProtectedPayload }, + // where 000..000 is a placeholder for our magic header and encryptor ID. 
+ + // Write out the magic header and encryptor ID + fixed (byte* pbRetVal = retVal) + { + WriteBigEndianInteger(pbRetVal, MAGIC_HEADER_V0); + Write32bitAlignedGuid(&pbRetVal[sizeof(uint)], defaultKeyId); + } + + // At this point, retVal := { magicHeader || encryptor-GUID || encryptorSpecificProtectedPayload } + // And we're done! + return retVal; + } + + // Helper function to read a GUID from a 32-bit alignment; useful on ARM where unaligned reads + // can result in weird behaviors at runtime. + private static Guid Read32bitAlignedGuid(void* ptr) + { + Debug.Assert((long)ptr % 4 == 0); + + Guid retVal; + ((int*)&retVal)[0] = ((int*)ptr)[0]; + ((int*)&retVal)[1] = ((int*)ptr)[1]; + ((int*)&retVal)[2] = ((int*)ptr)[2]; + ((int*)&retVal)[3] = ((int*)ptr)[3]; + return retVal; + } + + private static uint ReadBigEndian32BitInteger(byte* ptr) + { + return ((uint)ptr[0] << 24) + | ((uint)ptr[1] << 16) + | ((uint)ptr[2] << 8) + | ((uint)ptr[3]); + } + + private static bool TryGetVersionFromMagicHeader(uint magicHeader, out int version) + { + const uint MAGIC_HEADER_VERSION_MASK = 0xFU; + if ((magicHeader & ~MAGIC_HEADER_VERSION_MASK) == MAGIC_HEADER_V0) + { + version = (int)(magicHeader & MAGIC_HEADER_VERSION_MASK); + return true; + } + else + { + version = default(int); + return false; + } + } + + public byte[] Unprotect(byte[] protectedData) + { + // argument & state checking + if (protectedData == null) + { + throw new ArgumentNullException("protectedData"); + } + if (protectedData.Length < sizeof(uint) /* magic header */ + sizeof(Guid) /* key id */) + { + throw Error.Common_NotAValidProtectedPayload(); + } + + // Need to check that protectedData := { magicHeader || encryptor-GUID || encryptorSpecificProtectedPayload } + + // Parse the payload version number and encryptor ID. 
+ uint payloadMagicHeader; + Guid payloadEncryptorId; + fixed (byte* pbInput = protectedData) + { + payloadMagicHeader = ReadBigEndian32BitInteger(pbInput); + payloadEncryptorId = Read32bitAlignedGuid(&pbInput[sizeof(uint)]); + } + + // Are the magic header and version information correct? + int payloadVersion; + if (!TryGetVersionFromMagicHeader(payloadMagicHeader, out payloadVersion)) + { + throw Error.Common_NotAValidProtectedPayload(); + } + else if (payloadVersion != 0) + { + throw Error.Common_PayloadProducedByNewerVersion(); + } + + // Find the correct encryptor in the keyring. + bool keyWasRevoked; + var requestedEncryptor = _keyringProvider.GetCurrentKeyRing().GetAuthenticatedEncryptorByKeyId(payloadEncryptorId, out keyWasRevoked); + if (requestedEncryptor == null) + { + throw Error.Common_KeyNotFound(payloadEncryptorId); + } + if (keyWasRevoked) + { + throw Error.Common_KeyRevoked(payloadEncryptorId); + } + + // Perform the decryption operation. + ArraySegment ciphertext = new ArraySegment(protectedData, sizeof(uint) + sizeof(Guid), protectedData.Length - (sizeof(uint) + sizeof(Guid))); // chop off magic header + encryptor id + ArraySegment additionalAuthenticatedData = new ArraySegment(ApplyEncryptorIdToAdditionalAuthenticatedDataTemplate(payloadEncryptorId, Volatile.Read(ref _additionalAuthenticatedDataTemplate))); + + try + { + // At this point, cipherText := { encryptorSpecificPayload }, + // so all that's left is to invoke the decryption routine directly. + byte[] retVal = requestedEncryptor.Decrypt(ciphertext, additionalAuthenticatedData); + CryptoUtil.Assert(retVal != null, "retVal != null"); + return retVal; + } + catch (Exception ex) if (!(ex is CryptographicException)) + { + // homogenize all failures to CryptographicException + throw Error.DecryptionFailed(ex); + } + } + + // Helper function to write a GUID to a 32-bit alignment; useful on ARM where unaligned reads + // can result in weird behaviors at runtime. 
+ private static void Write32bitAlignedGuid(void* ptr, Guid value) + { + Debug.Assert((long)ptr % 4 == 0); + + ((int*)ptr)[0] = ((int*)&value)[0]; + ((int*)ptr)[1] = ((int*)&value)[1]; + ((int*)ptr)[2] = ((int*)&value)[2]; + ((int*)ptr)[3] = ((int*)&value)[3]; + } + + private static void WriteBigEndianInteger(byte* ptr, uint value) + { + ptr[0] = (byte)(value >> 24); + ptr[1] = (byte)(value >> 16); + ptr[2] = (byte)(value >> 8); + ptr[3] = (byte)(value); + } + + private sealed class PurposeBinaryWriter : BinaryWriter + { + // Strings should never contain invalid UTF16 chars, so we'll use a secure encoding. + private static readonly UTF8Encoding _secureEncoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); + private static readonly byte[] _guidBuffer = new byte[sizeof(Guid)]; + + public PurposeBinaryWriter(MemoryStream stream) : base(stream, _secureEncoding, leaveOpen: true) { } + + public new void Write7BitEncodedInt(int value) + { + base.Write7BitEncodedInt(value); + } + + // Writes a big-endian 32-bit integer to the underlying stream. + public void WriteBigEndian(uint value) + { + var outStream = BaseStream; // property accessor also performs a flush + outStream.WriteByte((byte)(value >> 24)); + outStream.WriteByte((byte)(value >> 16)); + outStream.WriteByte((byte)(value >> 8)); + outStream.WriteByte((byte)(value)); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs new file mode 100644 index 0000000000..37d576c063 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs 
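Review bot: `CreateProtector` dereferences `_purposes.Length`, but the constructor stores `purposes` unchecked while `GenerateAdditionalAuthenticatedDataTemplateFromPurposes` explicitly accepts a null array. A protector built with null purposes therefore works for Protect/Unprotect and throws NullReferenceException as soon as a sub-protector is requested. Normalising once in the constructor, `_purposes = purposes ?? new string[0];`, keeps the two paths consistent. The same template builder writes a null purpose and an empty purpose as the same zero-length entry, so both produce identical additional authenticated data; a one-line comment there stating that this is intended would help. `PurposeBinaryWriter._guidBuffer` is never used in the class as shown and, being a shared static buffer, is better removed than left for later use.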
@@ -0,0 +1,205 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Linq; +using System.Threading; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + internal sealed class KeyRingProvider : IKeyRingProvider + { + // TODO: Should the below be 3 months? + private static readonly TimeSpan KEY_DEFAULT_LIFETIME = TimeSpan.FromDays(30 * 6); // how long should keys be active once created? + private static readonly TimeSpan KEYRING_REFRESH_PERIOD = TimeSpan.FromDays(1); // how often should we check for updates to the repository? + private static readonly TimeSpan KEY_EXPIRATION_BUFFER = TimeSpan.FromDays(7); // how close to key expiration should we generate a new key? + private static readonly TimeSpan MAX_SERVER_TO_SERVER_CLOCK_SKEW = TimeSpan.FromMinutes(10); // max skew we expect to see between servers using the key ring + + private CachedKeyRing _cachedKeyRing; + private readonly object _cachedKeyRingLockObj = new object(); + private readonly IKeyManager _keyManager; + + public KeyRingProvider(IKeyManager keyManager) + { + _keyManager = keyManager; + } + + private CachedKeyRing CreateCachedKeyRingInstanceUnderLock(DateTime utcNow, CachedKeyRing existingCachedKeyRing) + { + bool shouldCreateNewKeyWithDeferredActivation; // flag stating whether the default key will soon expire and doesn't have a suitable replacement + + // Must we discard the cached keyring and refresh directly from the manager? + if (existingCachedKeyRing != null && existingCachedKeyRing.HardRefreshTimeUtc <= utcNow) + { + existingCachedKeyRing = null; + } + + // Try to locate the current default key, using the cached keyring if we can. 
+ IKey defaultKey; + if (existingCachedKeyRing != null) + { + defaultKey = FindDefaultKey(utcNow, existingCachedKeyRing.Keys, out shouldCreateNewKeyWithDeferredActivation); + if (defaultKey != null && !shouldCreateNewKeyWithDeferredActivation) + { + return new CachedKeyRing + { + KeyRing = new KeyRing(defaultKey.KeyId, existingCachedKeyRing.KeyRing), // this overload allows us to use existing IAuthenticatedEncryptor instances + Keys = existingCachedKeyRing.Keys, + HardRefreshTimeUtc = existingCachedKeyRing.HardRefreshTimeUtc, + SoftRefreshTimeUtc = MinDateTime(existingCachedKeyRing.HardRefreshTimeUtc, utcNow + KEYRING_REFRESH_PERIOD) + }; + } + } + + // That didn't work, so refresh from the underlying key manager. + var allKeys = _keyManager.GetAllKeys().ToArray(); + defaultKey = FindDefaultKey(utcNow, allKeys, out shouldCreateNewKeyWithDeferredActivation); + + if (defaultKey != null && shouldCreateNewKeyWithDeferredActivation) + { + // If we need to create a new key with deferred activation, do so now. + _keyManager.CreateNewKey(activationDate: defaultKey.ExpirationDate, expirationDate: utcNow + KEY_DEFAULT_LIFETIME); + allKeys = _keyManager.GetAllKeys().ToArray(); + defaultKey = FindDefaultKey(utcNow, allKeys); + } + else if (defaultKey == null) + { + // If there's no default key, create one now with immediate activation. + _keyManager.CreateNewKey(utcNow, utcNow + KEY_DEFAULT_LIFETIME); + allKeys = _keyManager.GetAllKeys().ToArray(); + defaultKey = FindDefaultKey(utcNow, allKeys); + } + + // We really should have a default key at this point. 
+ CryptoUtil.Assert(defaultKey != null, "defaultKey != null"); + + var cachedKeyRingHardRefreshTime = GetNextHardRefreshTime(utcNow); + return new CachedKeyRing + { + KeyRing = new KeyRing(defaultKey.KeyId, allKeys), + Keys = allKeys, + HardRefreshTimeUtc = cachedKeyRingHardRefreshTime, + SoftRefreshTimeUtc = MinDateTime(defaultKey.ExpirationDate.UtcDateTime, cachedKeyRingHardRefreshTime) + }; + } + + private static IKey FindDefaultKey(DateTime utcNow, IKey[] allKeys) + { + bool unused; + return FindDefaultKey(utcNow, allKeys, out unused); + } + + private static IKey FindDefaultKey(DateTime utcNow, IKey[] allKeys, out bool callerShouldGenerateNewKey) + { + callerShouldGenerateNewKey = false; + + // Find the keys with the nearest past and future activation dates. + IKey keyWithNearestPastActivationDate = null; + IKey keyWithNearestFutureActivationDate = null; + foreach (var candidateKey in allKeys) + { + // Revoked keys are never eligible candidates to be the default key. + if (candidateKey.IsRevoked) + { + continue; + } + + if (candidateKey.ActivationDate.UtcDateTime <= utcNow) + { + if (keyWithNearestPastActivationDate == null || keyWithNearestPastActivationDate.ActivationDate < candidateKey.ActivationDate) + { + keyWithNearestPastActivationDate = candidateKey; + } + } + else + { + if (keyWithNearestFutureActivationDate == null || keyWithNearestFutureActivationDate.ActivationDate > candidateKey.ActivationDate) + { + keyWithNearestFutureActivationDate = candidateKey; + } + } + } + + // If the most recently activated key hasn't yet expired, use it as the default key. + if (keyWithNearestPastActivationDate != null && !keyWithNearestPastActivationDate.IsExpired(utcNow)) + { + // Additionally, if it's about to expire and there will be a gap in the keyring during which there + // is no valid default encryption key, the caller should generate a new key with deferred activation. 
+ if (keyWithNearestPastActivationDate.ExpirationDate.UtcDateTime - utcNow <= KEY_EXPIRATION_BUFFER) + { + if (keyWithNearestFutureActivationDate == null || keyWithNearestFutureActivationDate.ActivationDate > keyWithNearestPastActivationDate.ExpirationDate) + { + callerShouldGenerateNewKey = true; + } + } + + return keyWithNearestPastActivationDate; + } + + // Failing that, is any key due for imminent activation? If so, use it as the default key. + // This allows us to account for clock skew when multiple servers touch the repository. + if (keyWithNearestFutureActivationDate != null + && (keyWithNearestFutureActivationDate.ActivationDate.UtcDateTime - utcNow) < MAX_SERVER_TO_SERVER_CLOCK_SKEW + && !keyWithNearestFutureActivationDate.IsExpired(utcNow) /* sanity check: expiration can't occur before activation */) + { + return keyWithNearestFutureActivationDate; + } + + // Otherwise, there's no default key. + return null; + } + + public IKeyRing GetCurrentKeyRing() + { + DateTime utcNow = DateTime.UtcNow; + + // Can we return the cached keyring to the caller? + var existingCachedKeyRing = Volatile.Read(ref _cachedKeyRing); + if (existingCachedKeyRing != null && existingCachedKeyRing.SoftRefreshTimeUtc > utcNow) + { + return existingCachedKeyRing.KeyRing; + } + + // The cached keyring hasn't been created or must be refreshed. + lock (_cachedKeyRingLockObj) + { + // Did somebody update the keyring while we were waiting for the lock? + existingCachedKeyRing = Volatile.Read(ref _cachedKeyRing); + if (existingCachedKeyRing != null && existingCachedKeyRing.SoftRefreshTimeUtc > utcNow) + { + return existingCachedKeyRing.KeyRing; + } + + // It's up to us to refresh the cached keyring. 
+ var newCachedKeyRing = CreateCachedKeyRingInstanceUnderLock(utcNow, existingCachedKeyRing); + Volatile.Write(ref _cachedKeyRing, newCachedKeyRing); + return newCachedKeyRing.KeyRing; + } + } + + private static DateTime GetNextHardRefreshTime(DateTime utcNow) + { + // We'll fudge the refresh period up to 20% so that multiple applications don't try to + // hit a single repository simultaneously. For instance, if the refresh period is 1 hour, + // we'll calculate the new refresh time as somewhere between 48 - 60 minutes from now. + var skewedRefreshPeriod = TimeSpan.FromTicks((long)(KEYRING_REFRESH_PERIOD.Ticks * ((new Random().NextDouble() / 5) + 0.8d))); + return utcNow + skewedRefreshPeriod; + } + + private static DateTime MinDateTime(DateTime a, DateTime b) + { + Debug.Assert(a.Kind == DateTimeKind.Utc); + Debug.Assert(b.Kind == DateTimeKind.Utc); + return (a < b) ? a : b; + } + + private sealed class CachedKeyRing + { + internal DateTime HardRefreshTimeUtc; + internal KeyRing KeyRing; + internal IKey[] Keys; + internal DateTime SoftRefreshTimeUtc; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs new file mode 100644 index 0000000000..d472869b48 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs 
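Review bot: Revocation is only picked up on a hard refresh, and that deserves a comment next to `KEYRING_REFRESH_PERIOD`. `GetCurrentKeyRing` returns the cached ring until `SoftRefreshTimeUtc`, and `CreateCachedKeyRingInstanceUnderLock` re-evaluates `existingCachedKeyRing.Keys` instead of calling `_keyManager.GetAllKeys()` until `HardRefreshTimeUtc` has passed. A key revoked in the repository can therefore stay the default key in this process for up to a day. Suggested comment: `// Revocations written to the repository are not observed until the next hard refresh (up to KEYRING_REFRESH_PERIOD).` Separately, the deferred-activation branch passes `expirationDate: utcNow + KEY_DEFAULT_LIFETIME` together with `activationDate: defaultKey.ExpirationDate`, so that key is active for less than KEY_DEFAULT_LIFETIME; if that is not intended, base the expiration on the activation date.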
@@ -0,0 +1,256 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Diagnostics; +using System.Globalization; +using System.Linq; +using System.Reflection; +using System.Xml.Linq; +using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.Security.DataProtection.Repositories; +using Microsoft.AspNet.Security.DataProtection.XmlEncryption; +using Microsoft.Framework.DependencyInjection; + +namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +{ + public sealed class XmlKeyManager : IKeyManager + { + private const string KEY_MANAGEMENT_XML_NAMESPACE_STRING = "http://www.asp.net/dataProtection/2014"; + internal static readonly XNamespace KeyManagementXmlNamespace = XNamespace.Get(KEY_MANAGEMENT_XML_NAMESPACE_STRING); + + internal static readonly XName ActivationDateElementName = KeyManagementXmlNamespace.GetName("activationDate"); + internal static readonly XName AuthenticatedEncryptorElementName = KeyManagementXmlNamespace.GetName("authenticatedEncryptor"); + internal static readonly XName CreationDateElementName = KeyManagementXmlNamespace.GetName("creationDate"); + internal static readonly XName ExpirationDateElementName = KeyManagementXmlNamespace.GetName("expirationDate"); + internal static readonly XName IdAttributeName = XNamespace.None.GetName("id"); + internal static readonly XName KeyElementName = KeyManagementXmlNamespace.GetName("key"); + internal static readonly XName ReaderAttributeName = XNamespace.None.GetName("reader"); + internal static readonly XName ReasonElementName = KeyManagementXmlNamespace.GetName("reason"); + internal static readonly XName RevocationDateElementName = KeyManagementXmlNamespace.GetName("revocationDate"); + internal static readonly XName RevocationElementName = 
KeyManagementXmlNamespace.GetName("revocation"); + internal static readonly XName VersionAttributeName = XNamespace.None.GetName("version"); + + private readonly IAuthenticatedEncryptorConfigurationFactory _authenticatedEncryptorConfigurationFactory; + private readonly IServiceProvider _serviceProvider; + private readonly ITypeActivator _typeActivator; + private readonly IXmlRepository _xmlRepository; + private readonly IXmlEncryptor _xmlEncryptor; + + public XmlKeyManager( + [NotNull] IServiceProvider serviceProvider, + [NotNull] IAuthenticatedEncryptorConfigurationFactory authenticatedEncryptorConfigurationFactory, + [NotNull] ITypeActivator typeActivator, + [NotNull] IXmlRepository xmlRepository, + [NotNull] IXmlEncryptor xmlEncryptor) + { + _serviceProvider = serviceProvider; + _authenticatedEncryptorConfigurationFactory = authenticatedEncryptorConfigurationFactory; + _typeActivator = typeActivator; + _xmlRepository = xmlRepository; + _xmlEncryptor = xmlEncryptor; + } + + public IKey CreateNewKey(DateTimeOffset activationDate, DateTimeOffset expirationDate) + { + return CreateNewKey(Guid.NewGuid(), DateTimeOffset.UtcNow, activationDate, expirationDate); + } + + private IKey CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate) + { + // + // ... + // ... + // ... + // + // <... parser="{TYPE}" /> + // + // + + // Create the element and make sure it's well-formed. + var encryptorConfiguration = _authenticatedEncryptorConfigurationFactory.CreateNewConfiguration(); + var encryptorElementAsXml = encryptorConfiguration.ToXml(_xmlEncryptor); + CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptorElementAsXml.Attribute(ReaderAttributeName)), "!String.IsNullOrEmpty((string)encryptorElementAsXml.Attribute(ParserAttributeName))"); + + // Create the element. 
+ var keyElement = new XElement(KeyElementName, + new XAttribute(IdAttributeName, keyId), + new XAttribute(VersionAttributeName, 1), + new XElement(CreationDateElementName, creationDate), + new XElement(ActivationDateElementName, activationDate), + new XElement(ExpirationDateElementName, expirationDate), + new XElement(AuthenticatedEncryptorElementName, + encryptorElementAsXml)); + + // Persist it to the underlying repository + string friendlyName = String.Format(CultureInfo.InvariantCulture, "key-{0:D}", keyId); + _xmlRepository.StoreElement(keyElement, friendlyName); + + // And we're done! + return new Key( + keyId: keyId, + creationDate: creationDate, + activationDate: activationDate, + expirationDate: expirationDate, + encryptorConfiguration: encryptorConfiguration); + } + + public IReadOnlyCollection GetAllKeys() + { + var allElements = _xmlRepository.GetAllElements(); + + Dictionary idToKeyMap = new Dictionary(); + HashSet revokedKeyIds = null; + DateTimeOffset? mostRecentMassRevocationDate = null; + + foreach (var element in allElements) + { + if (element.Name == KeyElementName) + { + var thisKey = ParseKeyElement(element); + if (idToKeyMap.ContainsKey(thisKey.KeyId)) + { + CryptoUtil.Fail("TODO: Duplicate key."); + } + idToKeyMap.Add(thisKey.KeyId, thisKey); + } + else if (element.Name == RevocationElementName) + { + object revocationInfo = ParseRevocationElement(element); + DateTimeOffset? revocationInfoAsDate = revocationInfo as DateTimeOffset?; + if (revocationInfoAsDate != null) + { + // We're revoking all keys created on or after a specific date. + if (!mostRecentMassRevocationDate.HasValue || mostRecentMassRevocationDate < revocationInfoAsDate) + { + // This new value is the most recent mass revocation date. 
+ mostRecentMassRevocationDate = revocationInfoAsDate; + } + } + else + { + // We're revoking only a specific key + if (revokedKeyIds == null) + { + revokedKeyIds = new HashSet(); + } + revokedKeyIds.Add((Guid)revocationInfo); + } + } + else + { + CryptoUtil.Fail("TODO: Unknown element."); + } + } + + // Now process all revocations + if (revokedKeyIds != null || mostRecentMassRevocationDate.HasValue) + { + foreach (Key key in idToKeyMap.Values) + { + if ((revokedKeyIds != null && revokedKeyIds.Contains(key.KeyId)) + || (mostRecentMassRevocationDate.HasValue && mostRecentMassRevocationDate >= key.CreationDate)) + { + key.SetRevoked(); + } + } + } + + // And we're done! + return idToKeyMap.Values.ToArray(); + } + + private Key ParseKeyElement(XElement keyElement) + { + Debug.Assert(keyElement.Name == KeyElementName); + + int version = (int)keyElement.Attribute(VersionAttributeName); + CryptoUtil.Assert(version == 1, "TODO: version == 1"); + + XElement encryptorConfigurationAsXml = keyElement.Element(AuthenticatedEncryptorElementName).Elements().Single(); + string encryptorConfigurationParserTypeName = (string)encryptorConfigurationAsXml.Attribute(ReaderAttributeName); + Type encryptorConfigurationParserType = Type.GetType(encryptorConfigurationParserTypeName, throwOnError: true); + CryptoUtil.Assert(typeof(IAuthenticatedEncryptorConfigurationXmlReader).IsAssignableFrom(encryptorConfigurationParserType), + "TODO: typeof(IAuthenticatedEncryptorConfigurationXmlReader).IsAssignableFrom(encryptorConfigurationParserType)"); + + var parser = (IAuthenticatedEncryptorConfigurationXmlReader)_typeActivator.CreateInstance(_serviceProvider, encryptorConfigurationParserType); + var encryptorConfiguration = parser.FromXml(encryptorConfigurationAsXml); + + Guid keyId = (Guid)keyElement.Attribute(IdAttributeName); + DateTimeOffset creationDate = (DateTimeOffset)keyElement.Element(CreationDateElementName); + DateTimeOffset activationDate = 
(DateTimeOffset)keyElement.Element(ActivationDateElementName); + DateTimeOffset expirationDate = (DateTimeOffset)keyElement.Element(ExpirationDateElementName); + + return new Key( + keyId: keyId, + creationDate: creationDate, + activationDate: activationDate, + expirationDate: expirationDate, + encryptorConfiguration: encryptorConfiguration); + } + + // returns a Guid (for specific keys) or a DateTimeOffset (for all keys created on or before a specific date) + private object ParseRevocationElement(XElement revocationElement) + { + Debug.Assert(revocationElement.Name == RevocationElementName); + + string keyIdAsString = revocationElement.Element(KeyElementName).Attribute(IdAttributeName).Value; + if (keyIdAsString == "*") + { + // all keys + return (DateTimeOffset)revocationElement.Element(RevocationDateElementName); + } + else + { + // only one key + return new Guid(keyIdAsString); + } + } + + public void RevokeAllKeys(DateTimeOffset revocationDate, string reason = null) + { + // + // ... + // + // ... + // + + var revocationElement = new XElement(RevocationElementName, + new XAttribute(VersionAttributeName, 1), + new XElement(RevocationDateElementName, revocationDate), + new XElement(KeyElementName, + new XAttribute(IdAttributeName, "*")), + new XElement(ReasonElementName, reason)); + + // Persist it to the underlying repository + string friendlyName = String.Format(CultureInfo.InvariantCulture, "revocation-{0:X16}", (ulong)revocationDate.UtcTicks); + _xmlRepository.StoreElement(revocationElement, friendlyName); + } + + public void RevokeKey(Guid keyId, string reason = null) + { + RevokeSingleKey(keyId, DateTimeOffset.UtcNow, reason); + } + + private void RevokeSingleKey(Guid keyId, DateTimeOffset utcNow, string reason) + { + // + // ... + // + // ... 
+ // + + var revocationElement = new XElement(RevocationElementName, + new XAttribute(VersionAttributeName, 1), + new XElement(RevocationDateElementName, utcNow), + new XElement(KeyElementName, + new XAttribute(IdAttributeName, keyId)), + new XElement(ReasonElementName, reason)); + + // Persist it to the underlying repository + string friendlyName = String.Format(CultureInfo.InvariantCulture, "revocation-{0:D}", keyId); + _xmlRepository.StoreElement(revocationElement, friendlyName); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs new file mode 100644 index 0000000000..eec421cfd8 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs @@ -0,0 +1,18 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection.Managed +{ + internal static class HashAlgorithmExtensions + { + public static int GetDigestSizeInBytes(this HashAlgorithm hashAlgorithm) + { + var hashSizeInBits = hashAlgorithm.HashSize; + CryptoUtil.Assert(hashSizeInBits >= 0 && hashSizeInBits % 8 == 0, "hashSizeInBits >= 0 && hashSizeInBits % 8 == 0"); + return hashSizeInBits / 8; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/IManagedGenRandom.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/IManagedGenRandom.cs new file mode 100644 index 0000000000..3028068dc7 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/IManagedGenRandom.cs 
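Review bot: `ParseKeyElement` reads the `reader` attribute from the stored XML and passes it straight to `Type.GetType(..., throwOnError: true)`, so whoever can write to the `IXmlRepository` chooses which type name is resolved, and the `IsAssignableFrom` check only runs after that resolution. Consider matching the name against a fixed set of known `IAuthenticatedEncryptorConfigurationXmlReader` implementations before calling `_typeActivator.CreateInstance`, or at minimum document on the class that the repository must be writable only by trusted principals. In `GetAllKeys` the comment `// We're revoking all keys created on or after a specific date.` contradicts the code, which revokes when `mostRecentMassRevocationDate >= key.CreationDate`; it should read `on or before`, matching the comment on `ParseRevocationElement`. The assert message in `CreateNewKey` also still names `ParserAttributeName` although the code checks `ReaderAttributeName`.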
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.Managed
+{
+ internal interface IManagedGenRandom
+ {
+ byte[] GenRandom(int numBytes);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
new file mode 100644
index 0000000000..09f431dbdc
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
@@ -0,0 +1,400 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNet.Security.DataProtection.SP800_108;
+
+namespace Microsoft.AspNet.Security.DataProtection.Managed
+{
+ // An encryptor which does Encrypt(CBC) + HMAC using SymmetricAlgorithm and HashAlgorithm.
+ // The payloads produced by this encryptor should be compatible with the payloads
+ // produced by the CNG-based Encrypt(CBC) + HMAC authenticated encryptor.
+ internal unsafe sealed class ManagedAuthenticatedEncryptor : IAuthenticatedEncryptor, IDisposable
+ {
+ // Even when IVs are chosen randomly, CBC is susceptible to IV collisions within a single
+ // key. For a 64-bit block cipher (like 3DES), we'd expect a collision after 2^32 block
+ // encryption operations, which a high-traffic web server might perform in mere hours.
+ // AES and other 128-bit block ciphers are less susceptible to this due to the larger IV
+ // space, but unfortunately some organizations require older 64-bit block ciphers. To address
+ // the collision issue, we'll feed 128 bits of entropy to the KDF when performing subkey
+ // generation. This creates >= 192 bits total entropy for each operation, so we shouldn't
+ // expect a collision until >= 2^96 operations. Even 2^80 operations still maintains a <= 2^-32
+ // probability of collision, and this is acceptable for the expected KDK lifetime.
+ private const int KEY_MODIFIER_SIZE_IN_BYTES = 128 / 8;
+
+ // Our analysis re: IV collision resistance only holds if we're working with block ciphers
+ // with a block length of 64 bits or greater.
+ internal const int SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES = 64 / 8;
+
+ // Min security bar: authentication tag must have at least 128 bits of output.
+ internal const int HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES = 128 / 8;
+
+ private static readonly Func _kdkPrfFactory = key => new HMACSHA512(key); // currently hardcoded to SHA512
+
+ private readonly byte[] _contextHeader;
+ private readonly IManagedGenRandom _genRandom;
+ private readonly ProtectedMemoryBlob _keyDerivationKey;
+ private readonly Func _symmetricAlgorithmFactory;
+ private readonly int _symmetricAlgorithmBlockSizeInBytes;
+ private readonly int _symmetricAlgorithmSubkeyLengthInBytes;
+ private readonly int _validationAlgorithmDigestLengthInBytes;
+ private readonly int _validationAlgorithmSubkeyLengthInBytes;
+ private readonly Func _validationAlgorithmFactory;
+
+ public ManagedAuthenticatedEncryptor(ProtectedMemoryBlob keyDerivationKey, Func symmetricAlgorithmFactory, int symmetricAlgorithmKeySizeInBytes, Func validationAlgorithmFactory, IManagedGenRandom genRandom = null)
+ {
+ CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES,
+ "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES");
+
+ _genRandom = _genRandom ?? ManagedGenRandomImpl.Instance;
+ _keyDerivationKey = keyDerivationKey;
+
+ // Validate that the symmetric algorithm has the properties we require
+ using (var symmetricAlgorithm = symmetricAlgorithmFactory())
+ {
+ _symmetricAlgorithmFactory = symmetricAlgorithmFactory;
+ _symmetricAlgorithmBlockSizeInBytes = symmetricAlgorithm.GetBlockSizeInBytes();
+ _symmetricAlgorithmSubkeyLengthInBytes = symmetricAlgorithmKeySizeInBytes;
+ }
+
+ // Validate that the MAC algorithm has the properties we require
+ using (var validationAlgorithm = validationAlgorithmFactory())
+ {
+ _validationAlgorithmFactory = validationAlgorithmFactory;
+ _validationAlgorithmDigestLengthInBytes = validationAlgorithm.GetDigestSizeInBytes();
+ _validationAlgorithmSubkeyLengthInBytes = _validationAlgorithmDigestLengthInBytes; // for simplicity we'll generate MAC subkeys with a length equal to the digest length
+ }
+
+ CryptoUtil.Assert(SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES,
+ "SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES");
+
+ CryptoUtil.Assert(HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _validationAlgorithmDigestLengthInBytes,
+ "HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _validationAlgorithmDigestLengthInBytes");
+
+ CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= _validationAlgorithmSubkeyLengthInBytes && _validationAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES,
+ "KEY_MODIFIER_SIZE_IN_BYTES <= _validationAlgorithmSubkeyLengthInBytes && _validationAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES");
+
+ _contextHeader = CreateContextHeader();
+ }
+
+ private byte[] CreateContextHeader()
+ {
+ var EMPTY_ARRAY = new byte[0];
+ var EMPTY_ARRAY_SEGMENT = new ArraySegment(EMPTY_ARRAY);
+
+ byte[] retVal = new byte[checked(
+ 1 /* KDF alg */
+ + 1 /* chaining mode */
+ + sizeof(uint) /* sym alg key size */
+ + sizeof(uint) /* sym alg block size */
+ + sizeof(uint) /* hmac alg key size */
+ + sizeof(uint) /* hmac alg digest size */
+ + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
+ + _validationAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
+
+ int idx = 0;
+
+ // First is the two-byte header
+ retVal[idx++] = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
+ retVal[idx++] = 0; // 0x00 = CBC encryption + HMAC authentication
+
+ // Next is information about the symmetric algorithm (key size followed by block size)
+ BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmBlockSizeInBytes);
+
+ // Next is information about the keyed hash algorithm (key size followed by digest size)
+ BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmDigestLengthInBytes);
+
+ // See the design document for an explanation of the following code.
+ byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _validationAlgorithmSubkeyLengthInBytes];
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+ kdk: EMPTY_ARRAY,
+ label: EMPTY_ARRAY_SEGMENT,
+ context: EMPTY_ARRAY_SEGMENT,
+ prfFactory: _kdkPrfFactory,
+ output: new ArraySegment(tempKeys));
+
+ // At this point, tempKeys := { K_E || K_H }.
+
+ // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
+ using (var symmetricAlg = CreateSymmetricAlgorithm())
+ {
+ using (var cryptoTransform = symmetricAlg.CreateEncryptor(
+ rgbKey: new ArraySegment(tempKeys, 0, _symmetricAlgorithmSubkeyLengthInBytes).AsStandaloneArray(),
+ rgbIV: new byte[_symmetricAlgorithmBlockSizeInBytes]))
+ {
+ byte[] ciphertext = cryptoTransform.TransformFinalBlock(EMPTY_ARRAY, 0, 0);
+ CryptoUtil.Assert(ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes, "ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes");
+ Buffer.BlockCopy(ciphertext, 0, retVal, idx, ciphertext.Length);
+ }
+ }
+
+ idx += _symmetricAlgorithmBlockSizeInBytes;
+
+ // MAC a zero-length input string and copy the digest to the return buffer.
+ using (var hashAlg = CreateValidationAlgorithm(new ArraySegment(tempKeys, _symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes).AsStandaloneArray()))
+ {
+ byte[] digest = hashAlg.ComputeHash(EMPTY_ARRAY);
+ CryptoUtil.Assert(digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes, "digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes");
+ Buffer.BlockCopy(digest, 0, retVal, idx, digest.Length);
+ }
+
+ idx += _validationAlgorithmDigestLengthInBytes;
+ CryptoUtil.Assert(idx == retVal.Length, "idx == retVal.Length");
+
+ // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || macAlgKeySize || macAlgDigestSize || E("") || MAC("") }.
+ return retVal;
+ }
+
+ private SymmetricAlgorithm CreateSymmetricAlgorithm()
+ {
+ var retVal = _symmetricAlgorithmFactory();
+ CryptoUtil.Assert(retVal != null, "retVal != null");
+
+ retVal.Mode = CipherMode.CBC;
+ retVal.Padding = PaddingMode.PKCS7;
+ return retVal;
+ }
+
+ private KeyedHashAlgorithm CreateValidationAlgorithm(byte[] key)
+ {
+ var retVal = _validationAlgorithmFactory();
+ CryptoUtil.Assert(retVal != null, "retVal != null");
+
+ retVal.Key = key;
+ return retVal;
+ }
+
+ public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment additionalAuthenticatedData)
+ {
+ protectedPayload.Validate();
+ additionalAuthenticatedData.Validate();
+
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (protectedPayload.Count < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
+
+ // Assumption: protectedPayload := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
+
+ try
+ {
+ // Step 1: Extract the key modifier and IV from the payload.
+
+ int keyModifierOffset; // position in protectedPayload.Array where key modifier begins
+ int ivOffset; // position in protectedPayload.Array where key modifier ends / IV begins
+ int ciphertextOffset; // position in protectedPayload.Array where IV ends / ciphertext begins
+ int macOffset; // position in protectedPayload.Array where ciphertext ends / MAC begins
+ int eofOffset; // position in protectedPayload.Array where MAC ends
+
+ checked
+ {
+ keyModifierOffset = protectedPayload.Offset;
+ ivOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+ ciphertextOffset = ivOffset + _symmetricAlgorithmBlockSizeInBytes;
+ }
+
+ ArraySegment keyModifier = new ArraySegment(protectedPayload.Array, keyModifierOffset, ivOffset - keyModifierOffset);
+ byte[] iv = new byte[_symmetricAlgorithmBlockSizeInBytes];
+ Buffer.BlockCopy(protectedPayload.Array, ivOffset, iv, 0, iv.Length);
+
+ // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
+ // We pin all unencrypted keys to limit their exposure via GC relocation.
+
+ byte[] decryptedKdk = new byte[_keyDerivationKey.Length];
+ byte[] decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+ byte[] validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes];
+ byte[] derivedKeysBuffer = new byte[checked(decryptionSubkey.Length + validationSubkey.Length)];
+
+ fixed (byte* __unused__1 = decryptedKdk)
+ fixed (byte* __unused__2 = decryptionSubkey)
+ fixed (byte* __unused__3 = validationSubkey)
+ fixed (byte* __unused__4 = derivedKeysBuffer)
+ {
+ try
+ {
+ _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk));
+ DeriveKeysWithContextHeader(
+ kdk: decryptedKdk,
+ label: additionalAuthenticatedData,
+ contextHeader: _contextHeader,
+ context: keyModifier,
+ prfFactory: _kdkPrfFactory,
+ output: new ArraySegment(derivedKeysBuffer));
+
+ Buffer.BlockCopy(derivedKeysBuffer, 0, decryptionSubkey, 0, decryptionSubkey.Length);
+ Buffer.BlockCopy(derivedKeysBuffer, decryptionSubkey.Length, validationSubkey, 0, validationSubkey.Length);
+
+ // Step 3: Calculate the correct MAC for this payload.
+ // correctHash := MAC(IV || ciphertext)
+ byte[] correctHash;
+
+ using (var hashAlgorithm = CreateValidationAlgorithm(validationSubkey))
+ {
+ checked
+ {
+ eofOffset = protectedPayload.Offset + protectedPayload.Count;
+ macOffset = eofOffset - _validationAlgorithmDigestLengthInBytes;
+ }
+
+ correctHash = hashAlgorithm.ComputeHash(protectedPayload.Array, ivOffset, macOffset - ivOffset);
+ }
+
+ // Step 4: Validate the MAC provided as part of the payload.
+
+ if (!CryptoUtil.TimeConstantBuffersAreEqual(correctHash, 0, correctHash.Length, protectedPayload.Array, macOffset, eofOffset - macOffset))
+ {
+ throw Error.CryptCommon_PayloadInvalid(); // integrity check failure
+ }
+
+ // Step 5: Decipher the ciphertext and return it to the caller.
+
+ using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
+ using (var cryptoTransform = symmetricAlgorithm.CreateDecryptor(decryptionSubkey, iv))
+ {
+ var outputStream = new MemoryStream();
+ using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+ {
+ cryptoStream.Write(protectedPayload.Array, ciphertextOffset, macOffset - ciphertextOffset);
+ cryptoStream.FlushFinalBlock();
+
+ // At this point, outputStream := { plaintext }, and we're done!
+ return outputStream.ToArray();
+ }
+ }
+ }
+ finally
+ {
+ // nuke since these contain secret material
+ Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+ Array.Clear(decryptionSubkey, 0, decryptionSubkey.Length);
+ Array.Clear(validationSubkey, 0, validationSubkey.Length);
+ Array.Clear(derivedKeysBuffer, 0, derivedKeysBuffer.Length);
+ }
+ }
+ }
+ catch (Exception ex) if (!(ex is CryptographicException))
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+
+ private static void DeriveKeysWithContextHeader(byte[] kdk, ArraySegment label, byte[] contextHeader, ArraySegment context, Func prfFactory, ArraySegment output)
+ {
+ byte[] combinedContext = new byte[checked(contextHeader.Length + context.Count)];
+ Buffer.BlockCopy(contextHeader, 0, combinedContext, 0, contextHeader.Length);
+ Buffer.BlockCopy(context.Array, context.Offset, combinedContext, contextHeader.Length, context.Count);
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(kdk, label, new ArraySegment(combinedContext), prfFactory, output);
+ }
+
+ public void Dispose()
+ {
+ _keyDerivationKey.Dispose();
+ }
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ {
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ try
+ {
+ var outputStream = new MemoryStream();
+
+ // Step 1: Generate a random key modifier and IV for this operation.
+ // Both will be equal to the block size of the block cipher algorithm.
+
+ byte[] keyModifier = _genRandom.GenRandom(_symmetricAlgorithmSubkeyLengthInBytes);
+ byte[] iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes);
+
+ // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header.
+
+ outputStream.Write(keyModifier, 0, keyModifier.Length);
+ outputStream.Write(iv, 0, iv.Length);
+
+ // At this point, outputStream := { keyModifier || IV }.
+
+ // Step 3: Decrypt the KDK, and use it to generate new encryption and HMAC keys.
+ // We pin all unencrypted keys to limit their exposure via GC relocation.
+
+ byte[] decryptedKdk = new byte[_keyDerivationKey.Length];
+ byte[] encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+ byte[] validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes];
+ byte[] derivedKeysBuffer = new byte[checked(encryptionSubkey.Length + validationSubkey.Length)];
+
+ fixed (byte* __unused__1 = decryptedKdk)
+ fixed (byte* __unused__2 = encryptionSubkey)
+ fixed (byte* __unused__3 = validationSubkey)
+ fixed (byte* __unused__4 = derivedKeysBuffer)
+ {
+ try
+ {
+ _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk));
+ DeriveKeysWithContextHeader(
+ kdk: decryptedKdk,
+ label: additionalAuthenticatedData,
+ contextHeader: _contextHeader,
+ context: new ArraySegment(keyModifier),
+ prfFactory: _kdkPrfFactory,
+ output: new ArraySegment(derivedKeysBuffer));
+
+ Buffer.BlockCopy(derivedKeysBuffer, 0, encryptionSubkey, 0, encryptionSubkey.Length);
+ Buffer.BlockCopy(derivedKeysBuffer, encryptionSubkey.Length, validationSubkey, 0, validationSubkey.Length);
+
+ // Step 4: Perform the encryption operation.
+
+ using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
+ using (var cryptoTransform = symmetricAlgorithm.CreateEncryptor(encryptionSubkey, iv))
+ using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+ {
+ cryptoStream.Write(plaintext.Array, plaintext.Offset, plaintext.Count);
+ cryptoStream.FlushFinalBlock();
+
+ // At this point, outputStream := { keyModifier || IV || ciphertext }
+
+ // Step 5: Calculate the digest over the IV and ciphertext.
+ // We don't need to calculate the digest over the key modifier since that
+ // value has already been mixed into the KDF used to generate the MAC key.
+
+ using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey))
+ {
+#if !ASPNETCORE50
+ // As an optimization, avoid duplicating the underlying buffer if we're on desktop CLR.
+ byte[] underlyingBuffer = outputStream.GetBuffer();
+#else
+ byte[] underlyingBuffer = outputStream.ToArray();
+#endif
+
+ byte[] mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES));
+ outputStream.Write(mac, 0, mac.Length);
+
+ // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
+ // And we're done!
+ return outputStream.ToArray();
+ }
+ }
+ }
+ finally
+ {
+ // nuke since these contain secret material
+ Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+ Array.Clear(encryptionSubkey, 0, encryptionSubkey.Length);
+ Array.Clear(validationSubkey, 0, validationSubkey.Length);
+ Array.Clear(derivedKeysBuffer, 0, derivedKeysBuffer.Length);
+ }
+ }
+ }
+ catch (Exception ex) if (!(ex is CryptographicException))
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+ }
+}
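Review bot: In Encrypt (ManagedAuthenticatedEncryptor.cs) the key modifier is generated with `_genRandom.GenRandom(_symmetricAlgorithmSubkeyLengthInBytes)`, but Decrypt reads exactly KEY_MODIFIER_SIZE_IN_BYTES bytes before the IV, and Encrypt itself starts the MAC at offset KEY_MODIFIER_SIZE_IN_BYTES. For any cipher key longer than 16 bytes the layout written therefore differs from the layout read back, so as far as the visible code shows such payloads would be rejected by the integrity check on decrypt, and the MAC would cover part of the modifier instead of starting at the IV. The line should read `byte[] keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES);`, and the comment above it ("Both will be equal to the block size") should be corrected to match. Separately, the constructor assigns `_genRandom = _genRandom ?? ManagedGenRandomImpl.Instance;`, which ignores the `genRandom` parameter; `_genRandom = genRandom ?? ManagedGenRandomImpl.Instance;` looks intended.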
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedGenRandomImpl.cs
new file mode 100644
index 0000000000..b89cc8e077
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedGenRandomImpl.cs
@@ -0,0 +1,25 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography;
+
+namespace Microsoft.AspNet.Security.DataProtection.Managed
+{
+ internal unsafe sealed class ManagedGenRandomImpl : IManagedGenRandom
+ {
+ private static readonly RandomNumberGenerator _rng = RandomNumberGenerator.Create();
+ public static readonly ManagedGenRandomImpl Instance = new ManagedGenRandomImpl();
+
+ private ManagedGenRandomImpl()
+ {
+ }
+
+ public byte[] GenRandom(int numBytes)
+ {
+ byte[] bytes = new byte[numBytes];
+ _rng.GetBytes(bytes);
+ return bytes;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
new file mode 100644
index 0000000000..48c8860ee1
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
@@ -0,0 +1,18 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography;
+
+namespace Microsoft.AspNet.Security.DataProtection.Managed
+{
+ internal static class SymmetricAlgorithmExtensions
+ {
+ public static int GetBlockSizeInBytes(this SymmetricAlgorithm symmetricAlgorithm)
+ {
+ var blockSizeInBits = symmetricAlgorithm.BlockSize;
+ CryptoUtil.Assert(blockSizeInBits >= 0 && blockSizeInBits % 8 == 0, "blockSizeInBits >= 0 && blockSizeInBits % 8 == 0");
+ return blockSizeInBits / 8;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs
new file mode 100644
index 0000000000..0427ff6e62
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs
@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNet.Security.DataProtection
+{
+ ///
+ /// Support for generating random data.
+ ///
+ internal unsafe static class MemoryProtection
+ {
+ // from dpapi.h
+ private const uint CRYPTPROTECTMEMORY_SAME_PROCESS = 0x00;
+
+ public static void CryptProtectMemory(SafeHandle pBuffer, uint byteCount)
+ {
+ if (!UnsafeNativeMethods.CryptProtectMemory(pBuffer, byteCount, CRYPTPROTECTMEMORY_SAME_PROCESS))
+ {
+ UnsafeNativeMethods.ThrowExceptionForLastCrypt32Error();
+ }
+ }
+
+ public static void CryptUnprotectMemory(byte* pBuffer, uint byteCount)
+ {
+ if (!UnsafeNativeMethods.CryptUnprotectMemory(pBuffer, byteCount, CRYPTPROTECTMEMORY_SAME_PROCESS))
+ {
+ UnsafeNativeMethods.ThrowExceptionForLastCrypt32Error();
+ }
+ }
+
+ public static void CryptUnprotectMemory(SafeHandle pBuffer, uint byteCount)
+ {
+ if (!UnsafeNativeMethods.CryptUnprotectMemory(pBuffer, byteCount, CRYPTPROTECTMEMORY_SAME_PROCESS))
+ {
+ UnsafeNativeMethods.ThrowExceptionForLastCrypt32Error();
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/NotNullAttribute.cs b/src/Microsoft.AspNet.Security.DataProtection/NotNullAttribute.cs
new file mode 100644
index 0000000000..f65a70a85d
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/NotNullAttribute.cs
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection
+{
+ [AttributeUsage(AttributeTargets.Parameter, AllowMultiple = false)]
+ internal sealed class NotNullAttribute : Attribute
+ {
+ }
+}
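Review bot: The summary on the MemoryProtection class in MemoryProtection.cs reads "Support for generating random data.", which does not describe it. The methods shown wrap CryptProtectMemory and CryptUnprotectMemory with the same-process flag, so a summary such as `/// Wrappers around CryptProtectMemory / CryptUnprotectMemory for same-process protection of in-memory secrets.` would be accurate. The Win32 functions require the byte count to be a multiple of the CryptProtectMemory block size, and these wrappers pass `byteCount` through unchecked. A one-line comment stating that callers must size the buffer accordingly would help; whether callers already do so is not visible in this hunk.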
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs index a9e499b80e..6e353d48c8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2 +namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 { /// /// Internal interface used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs index 3fc75f67fd..527bdc5119 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs @@ -4,8 +4,9 @@ using System; using System.Diagnostics; using System.Security.Cryptography; +using System.Text; -namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2 +namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 { /// /// A PBKDF2 provider which utilizes the managed hash algorithm classes as PRFs. @@ -67,7 +68,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2 private static KeyedHashAlgorithm PrfToManagedHmacAlgorithm(KeyDerivationPrf prf, string password) { - byte[] passwordBytes = Pbkdf2Util.SecureUtf8Encoding.GetBytes(password); + byte[] passwordBytes = Encoding.UTF8.GetBytes(password); try { switch (prf) diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs index 1af12b4bdc..d33a3d71ca 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Text; +using Microsoft.AspNet.Security.DataProtection.Cng; -namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2 +namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 { /// /// Internal base class used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. @@ -12,14 +12,23 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng.PBKDF2 internal static class Pbkdf2Util { public static readonly IPbkdf2Provider Pbkdf2Provider = GetPbkdf2Provider(); - public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: false); private static IPbkdf2Provider GetPbkdf2Provider() { // In priority order, our three implementations are Win8, Win7, and "other". - - // TODO: Provide Win7 & Win8 implementations when the new DataProtection stack is fully copied over. - return new ManagedPbkdf2Provider(); + if (OSVersionUtil.IsBCryptOnWin8OrLaterAvailable()) + { + // fastest implementation + return new Win8Pbkdf2Provider(); + } else if (OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + { + // acceptable implementation + return new Win7Pbkdf2Provider(); + } else + { + // slowest implementation + return new ManagedPbkdf2Provider(); + } } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs new file mode 100644 index 0000000000..62d1cef6d4 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs 
@@ -0,0 +1,100 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Diagnostics;
+using System.Text;
+using Microsoft.AspNet.Security.DataProtection.Cng;
+using Microsoft.AspNet.Security.DataProtection.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection.PBKDF2
+{
+ ///
+ /// A PBKDF2 provider which utilizes the Win7 API BCryptDeriveKeyPBKDF2.
+ ///
+ internal unsafe sealed class Win7Pbkdf2Provider : IPbkdf2Provider
+ {
+ public byte[] DeriveKey(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested)
+ {
+ Debug.Assert(password != null);
+ Debug.Assert(salt != null);
+ Debug.Assert(iterationCount > 0);
+ Debug.Assert(numBytesRequested > 0);
+
+ byte dummy; // CLR doesn't like pinning zero-length buffers, so this provides a valid memory address when working with zero-length buffers
+
+ // Don't dispose of this algorithm instance; it is cached and reused!
+ var algHandle = PrfToCachedCngAlgorithmInstance(prf);
+
+ // Convert password string to bytes.
+ // Allocate on the stack whenever we can to save allocations.
+ int cbPasswordBuffer = Encoding.UTF8.GetMaxByteCount(password.Length);
+ fixed (byte* pbHeapAllocatedPasswordBuffer = (cbPasswordBuffer > Constants.MAX_STACKALLOC_BYTES) ? new byte[cbPasswordBuffer] : null)
+ {
+ byte* pbPasswordBuffer = pbHeapAllocatedPasswordBuffer;
+ if (pbPasswordBuffer == null)
+ {
+ if (cbPasswordBuffer == 0)
+ {
+ pbPasswordBuffer = &dummy;
+ }
+ else
+ {
+ byte* pbStackAllocPasswordBuffer = stackalloc byte[cbPasswordBuffer]; // will be released when the frame unwinds
+ pbPasswordBuffer = pbStackAllocPasswordBuffer;
+ }
+ }
+
+ try
+ {
+ int cbPasswordBufferUsed; // we're not filling the entire buffer, just a partial buffer
+ fixed (char* pszPassword = password)
+ {
+ cbPasswordBufferUsed = Encoding.UTF8.GetBytes(pszPassword, password.Length, pbPasswordBuffer, cbPasswordBuffer);
+ }
+
+ fixed (byte* pbHeapAllocatedSalt = salt)
+ {
+ byte* pbSalt = (pbHeapAllocatedSalt != null) ? pbHeapAllocatedSalt : &dummy;
+
+ byte[] retVal = new byte[numBytesRequested];
+ fixed (byte* pbRetVal = retVal)
+ {
+ int ntstatus = UnsafeNativeMethods.BCryptDeriveKeyPBKDF2(
+ hPrf: algHandle,
+ pbPassword: pbPasswordBuffer,
+ cbPassword: (uint)cbPasswordBufferUsed,
+ pbSalt: pbSalt,
+ cbSalt: (uint)salt.Length,
+ cIterations: (ulong)iterationCount,
+ pbDerivedKey: pbRetVal,
+ cbDerivedKey: (uint)retVal.Length,
+ dwFlags: 0);
+ UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
+ }
+ return retVal;
+ }
+ }
+ finally
+ {
+ UnsafeBufferUtil.SecureZeroMemory(pbPasswordBuffer, cbPasswordBuffer);
+ }
+ }
+ }
+
+ private static BCryptAlgorithmHandle PrfToCachedCngAlgorithmInstance(KeyDerivationPrf prf)
+ {
+ switch (prf)
+ {
+ case KeyDerivationPrf.Sha1:
+ return CachedAlgorithmHandles.HMAC_SHA1;
+ case KeyDerivationPrf.Sha256:
+ return CachedAlgorithmHandles.HMAC_SHA256;
+ case KeyDerivationPrf.Sha512:
+ return CachedAlgorithmHandles.HMAC_SHA512;
+ default:
+ throw CryptoUtil.Fail("Unrecognized PRF.");
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs
new file mode 100644
index 0000000000..02a33fb705
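Review bot: DeriveKey in Win7Pbkdf2Provider.cs checks its arguments only with Debug.Assert, so in a release build a non-positive `iterationCount` reaches `cIterations: (ulong)iterationCount`, where a negative value converts to a very large iteration count, and a null `salt` reaches `salt.Length`. If the public caller does not already validate these (not visible in this hunk), add explicit guards at the top of the method, for example `if (iterationCount <= 0) throw new ArgumentOutOfRangeException("iterationCount");`, with matching checks for `salt` and `numBytesRequested`. If validation is guaranteed upstream, a short comment naming where it happens would make the asserts easier to trust.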
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs
@@ -0,0 +1,195 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.Text; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +{ + /// + /// A PBKDF2 provider which utilizes the Win8 API BCryptKeyDerivation. + /// + internal unsafe sealed class Win8Pbkdf2Provider : IPbkdf2Provider + { + public byte[] DeriveKey(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) + { + Debug.Assert(password != null); + Debug.Assert(salt != null); + Debug.Assert(iterationCount > 0); + Debug.Assert(numBytesRequested > 0); + + string algorithmName = PrfToCngAlgorithmId(prf); + fixed (byte* pbHeapAllocatedSalt = salt) + { + byte dummy; // CLR doesn't like pinning zero-length buffers, so this provides a valid memory address when working with zero-length buffers + byte* pbSalt = (pbHeapAllocatedSalt != null) ? pbHeapAllocatedSalt : &dummy; + + byte[] retVal = new byte[numBytesRequested]; + using (BCryptKeyHandle keyHandle = PasswordToPbkdfKeyHandle(password, CachedAlgorithmHandles.PBKDF2, prf)) + { + fixed (byte* pbRetVal = retVal) + { + Pbkdf2Win8ImplStep2(keyHandle, algorithmName, pbSalt, (uint)salt.Length, (ulong)iterationCount, pbRetVal, (uint)retVal.Length); + } + return retVal; + } + } + } + + private static BCryptKeyHandle PasswordToPbkdfKeyHandle(string password, BCryptAlgorithmHandle pbkdf2AlgHandle, KeyDerivationPrf prf) + { + byte dummy; // CLR doesn't like pinning zero-length buffers, so this provides a valid memory address when working with zero-length buffers + + // Convert password string to bytes. + // Allocate on the stack whenever we can to save allocations. 
+ int cbPasswordBuffer = Encoding.UTF8.GetMaxByteCount(password.Length); + fixed (byte* pbHeapAllocatedPasswordBuffer = (cbPasswordBuffer > Constants.MAX_STACKALLOC_BYTES) ? new byte[cbPasswordBuffer] : null) + { + byte* pbPasswordBuffer = pbHeapAllocatedPasswordBuffer; + if (pbPasswordBuffer == null) + { + if (cbPasswordBuffer == 0) + { + pbPasswordBuffer = &dummy; + } + else + { + byte* pbStackAllocPasswordBuffer = stackalloc byte[cbPasswordBuffer]; // will be released when the frame unwinds + pbPasswordBuffer = pbStackAllocPasswordBuffer; + } + } + + try + { + int cbPasswordBufferUsed; // we're not filling the entire buffer, just a partial buffer + fixed (char* pszPassword = password) + { + cbPasswordBufferUsed = Encoding.UTF8.GetBytes(pszPassword, password.Length, pbPasswordBuffer, cbPasswordBuffer); + } + + return PasswordToPbkdfKeyHandleStep2(pbkdf2AlgHandle, pbPasswordBuffer, (uint)cbPasswordBufferUsed, prf); + } + finally + { + UnsafeBufferUtil.SecureZeroMemory(pbPasswordBuffer, cbPasswordBuffer); + } + } + } + + private static BCryptKeyHandle PasswordToPbkdfKeyHandleStep2(BCryptAlgorithmHandle pbkdf2AlgHandle, byte* pbPassword, uint cbPassword, KeyDerivationPrf prf) + { + const uint PBKDF2_MAX_KEYLENGTH_IN_BYTES = 2048; // GetSupportedKeyLengths() on a Win8 box; value should never be lowered in any future version of Windows + if (cbPassword <= PBKDF2_MAX_KEYLENGTH_IN_BYTES) + { + // Common case: the password is small enough to be consumed directly by the PBKDF2 algorithm. + return pbkdf2AlgHandle.GenerateSymmetricKey(pbPassword, cbPassword); + } + else + { + // Rare case: password is very long; we must hash manually. + // PBKDF2 uses the PRFs in HMAC mode, and when the HMAC input key exceeds the hash function's + // block length the key is hashed and run back through the key initialization function. 
+ + BCryptAlgorithmHandle prfAlgorithmHandle; // cached; don't dispose + switch (prf) + { + case KeyDerivationPrf.Sha1: + prfAlgorithmHandle = CachedAlgorithmHandles.SHA1; + break; + case KeyDerivationPrf.Sha256: + prfAlgorithmHandle = CachedAlgorithmHandles.SHA256; + break; + case KeyDerivationPrf.Sha512: + prfAlgorithmHandle = CachedAlgorithmHandles.SHA512; + break; + default: + throw CryptoUtil.Fail("Unrecognized PRF."); + } + + // Final sanity check: don't hash the password if the HMAC key initialization function wouldn't have done it for us. + if (cbPassword <= prfAlgorithmHandle.GetHashBlockLength() /* in bytes */) + { + return pbkdf2AlgHandle.GenerateSymmetricKey(pbPassword, cbPassword); + } + + // Hash the password and use the hash as input to PBKDF2. + uint cbPasswordDigest = prfAlgorithmHandle.GetHashDigestLength(); + CryptoUtil.Assert(cbPasswordDigest > 0, "cbPasswordDigest > 0"); + fixed (byte* pbPasswordDigest = new byte[cbPasswordDigest]) + { + try + { + using (var hashHandle = prfAlgorithmHandle.CreateHash()) + { + hashHandle.HashData(pbPassword, cbPassword, pbPasswordDigest, cbPasswordDigest); + } + return pbkdf2AlgHandle.GenerateSymmetricKey(pbPasswordDigest, cbPasswordDigest); + } + finally + { + UnsafeBufferUtil.SecureZeroMemory(pbPasswordDigest, cbPasswordDigest); + } + } + } + } + + private static void Pbkdf2Win8ImplStep2(BCryptKeyHandle pbkdf2KeyHandle, string hashAlgorithm, byte* pbSalt, uint cbSalt, ulong iterCount, byte* pbDerivedBytes, uint cbDerivedBytes) + { + // First, build the buffers necessary to pass (hash alg, salt, iter count) into the KDF + BCryptBuffer* pBuffers = stackalloc BCryptBuffer[3]; + + pBuffers[0].BufferType = BCryptKeyDerivationBufferType.KDF_ITERATION_COUNT; + pBuffers[0].pvBuffer = (IntPtr)(&iterCount); + pBuffers[0].cbBuffer = sizeof(ulong); + + pBuffers[1].BufferType = BCryptKeyDerivationBufferType.KDF_SALT; + pBuffers[1].pvBuffer = (IntPtr)pbSalt; + pBuffers[1].cbBuffer = cbSalt; + + fixed (char* pszHashAlgorithm 
= hashAlgorithm) + { + pBuffers[2].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; + pBuffers[2].pvBuffer = (IntPtr)pszHashAlgorithm; + pBuffers[2].cbBuffer = hashAlgorithm.GetTotalByteLengthIncludingNullTerminator(); + + // Add the header which points to the buffers + BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); + BCryptBufferDesc.Initialize(ref bufferDesc); + bufferDesc.cBuffers = 3; + bufferDesc.pBuffers = pBuffers; + + // Finally, import the KDK into the KDF algorithm, then invoke the KDF + uint numBytesDerived; + int ntstatus = UnsafeNativeMethods.BCryptKeyDerivation( + hKey: pbkdf2KeyHandle, + pParameterList: &bufferDesc, + pbDerivedKey: pbDerivedBytes, + cbDerivedKey: cbDerivedBytes, + pcbResult: out numBytesDerived, + dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + + // Final sanity checks before returning control to caller. + CryptoUtil.Assert(numBytesDerived == cbDerivedBytes, "numBytesDerived == cbDerivedBytes"); + } + } + + private static string PrfToCngAlgorithmId(KeyDerivationPrf prf) + { + switch (prf) + { + case KeyDerivationPrf.Sha1: + return Constants.BCRYPT_SHA1_ALGORITHM; + case KeyDerivationPrf.Sha256: + return Constants.BCRYPT_SHA256_ALGORITHM; + case KeyDerivationPrf.Sha512: + return Constants.BCRYPT_SHA512_ALGORITHM; + default: + throw CryptoUtil.Fail("Unrecognized PRF."); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..c81d7655be --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs 
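Review bot: `DeriveKey` in Win8Pbkdf2Provider checks its arguments only with `Debug.Assert`, which is compiled out of release builds, and then casts `iterationCount` to `ulong` and `salt.Length` to `uint` before they reach `BCryptKeyDerivation`. A non-positive `iterationCount` would therefore become zero or a very large count instead of failing cleanly, and a null `salt` would surface as a `NullReferenceException`. Whether the public entry point already rejects such values is not visible in this hunk. I would add runtime guards at the top of `DeriveKey`, for example `if (iterationCount <= 0) throw new ArgumentOutOfRangeException("iterationCount");`, with the equivalent check for `numBytesRequested`.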
@@ -0,0 +1,8 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+
+// for unit testing
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection.Test")]
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs
deleted file mode 100644
index bac3e9fcff..0000000000
--- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Res.Designer.cs
+++ /dev/null
@@ -1,94 +0,0 @@ -// -namespace Microsoft.AspNet.Security.DataProtection -{ - using System.Globalization; - using System.Reflection; - using System.Resources; - - internal static class Res - { - private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.Security.DataProtection.Res", typeof(Res).GetTypeInfo().Assembly); - - /// - /// Argument cannot be null or empty. - /// - internal static string Common_NullOrEmpty - { - get { return GetString("Common_NullOrEmpty"); } - } - - /// - /// Argument cannot be null or empty. - /// - internal static string FormatCommon_NullOrEmpty() - { - return GetString("Common_NullOrEmpty"); - } - - /// - /// The master key is too short. It must be at least {0} bytes in length. - /// - internal static string DataProtectorFactory_MasterKeyTooShort - { - get { return GetString("DataProtectorFactory_MasterKeyTooShort"); } - } - - /// - /// The master key is too short. It must be at least {0} bytes in length. - /// - internal static string FormatDataProtectorFactory_MasterKeyTooShort(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("DataProtectorFactory_MasterKeyTooShort"), p0); - } - - /// - /// The data to decrypt is invalid. - /// - internal static string DataProtectorImpl_BadEncryptedData - { - get { return GetString("DataProtectorImpl_BadEncryptedData"); } - } - - /// - /// The data to decrypt is invalid. - /// - internal static string FormatDataProtectorImpl_BadEncryptedData() - { - return GetString("DataProtectorImpl_BadEncryptedData"); - } - - /// - /// Couldn't protect data. Perhaps the user profile isn't loaded? - /// - internal static string DpapiDataProtectorImpl_ProfileNotLoaded - { - get { return GetString("DpapiDataProtectorImpl_ProfileNotLoaded"); } - } - - /// - /// Couldn't protect data. Perhaps the user profile isn't loaded? 
- /// - internal static string FormatDpapiDataProtectorImpl_ProfileNotLoaded() - { - return GetString("DpapiDataProtectorImpl_ProfileNotLoaded"); - } - - private static string GetString(string name, params string[] formatterNames) - { - var value = _resourceManager.GetString(name); - - System.Diagnostics.Debug.Assert(value != null); - - if (formatterNames != null) - { - for (var i = 0; i < formatterNames.Length; i++) - { - value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); - } - } - - return value; - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs new file mode 100644 index 0000000000..8d35437c5a --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs 
@@ -0,0 +1,222 @@ +// +namespace Microsoft.AspNet.Security.DataProtection +{ + using System.Globalization; + using System.Reflection; + using System.Resources; + + internal static class Resources + { + private static readonly ResourceManager _resourceManager + = new ResourceManager("Microsoft.AspNet.Security.DataProtection.Resources", typeof(Resources).GetTypeInfo().Assembly); + + /// + /// A provider could not be found for algorithm '{0}'. + /// + internal static string BCryptAlgorithmHandle_ProviderNotFound + { + get { return GetString("BCryptAlgorithmHandle_ProviderNotFound"); } + } + + /// + /// A provider could not be found for algorithm '{0}'. + /// + internal static string FormatBCryptAlgorithmHandle_ProviderNotFound(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("BCryptAlgorithmHandle_ProviderNotFound"), p0); + } + + /// + /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + /// + internal static string BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength + { + get { return GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"); } + } + + /// + /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + /// + internal static string FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(object p0, object p1, object p2, object p3) + { + return string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); + } + + /// + /// An error occurred during a cryptographic operation. + /// + internal static string CryptCommon_GenericError + { + get { return GetString("CryptCommon_GenericError"); } + } + + /// + /// An error occurred during a cryptographic operation. + /// + internal static string FormatCryptCommon_GenericError() + { + return GetString("CryptCommon_GenericError"); + } + + /// + /// The provided buffer is of length {0} byte(s). It must instead be exactly {1} byte(s) in length. 
+ /// + internal static string Common_BufferIncorrectlySized + { + get { return GetString("Common_BufferIncorrectlySized"); } + } + + /// + /// The provided buffer is of length {0} byte(s). It must instead be exactly {1} byte(s) in length. + /// + internal static string FormatCommon_BufferIncorrectlySized(object p0, object p1) + { + return string.Format(CultureInfo.CurrentCulture, GetString("Common_BufferIncorrectlySized"), p0, p1); + } + + /// + /// The payload was invalid. + /// + internal static string CryptCommon_PayloadInvalid + { + get { return GetString("CryptCommon_PayloadInvalid"); } + } + + /// + /// The payload was invalid. + /// + internal static string FormatCryptCommon_PayloadInvalid() + { + return GetString("CryptCommon_PayloadInvalid"); + } + + /// + /// Property {0} cannot be null or empty. + /// + internal static string Common_PropertyCannotBeNullOrEmpty + { + get { return GetString("Common_PropertyCannotBeNullOrEmpty"); } + } + + /// + /// Property {0} cannot be null or empty. + /// + internal static string FormatCommon_PropertyCannotBeNullOrEmpty(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("Common_PropertyCannotBeNullOrEmpty"), p0); + } + + /// + /// The provided payload could not be decrypted. Refer to the inner exception for more information. + /// + internal static string Common_DecryptionFailed + { + get { return GetString("Common_DecryptionFailed"); } + } + + /// + /// The provided payload could not be decrypted. Refer to the inner exception for more information. + /// + internal static string FormatCommon_DecryptionFailed() + { + return GetString("Common_DecryptionFailed"); + } + + /// + /// An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. + /// + internal static string Common_EncryptionFailed + { + get { return GetString("Common_EncryptionFailed"); } + } + + /// + /// An error occurred while trying to encrypt the provided data. 
Refer to the inner exception for more information. + /// + internal static string FormatCommon_EncryptionFailed() + { + return GetString("Common_EncryptionFailed"); + } + + /// + /// The key {0:B} was not found in the keyring. + /// + internal static string Common_KeyNotFound + { + get { return GetString("Common_KeyNotFound"); } + } + + /// + /// The key {0:B} was not found in the keyring. + /// + internal static string FormatCommon_KeyNotFound() + { + return GetString("Common_KeyNotFound"); + } + + /// + /// The key {0:B} has been revoked. + /// + internal static string Common_KeyRevoked + { + get { return GetString("Common_KeyRevoked"); } + } + + /// + /// The key {0:B} has been revoked. + /// + internal static string FormatCommon_KeyRevoked() + { + return GetString("Common_KeyRevoked"); + } + + /// + /// The provided payload was not protected with this protection provider. + /// + internal static string Common_NotAValidProtectedPayload + { + get { return GetString("Common_NotAValidProtectedPayload"); } + } + + /// + /// The provided payload was not protected with this protection provider. + /// + internal static string FormatCommon_NotAValidProtectedPayload() + { + return GetString("Common_NotAValidProtectedPayload"); + } + + /// + /// The protected payload cannot be decrypted because it was protected with a newer version of the protection provider. + /// + internal static string Common_PayloadProducedByNewerVersion + { + get { return GetString("Common_PayloadProducedByNewerVersion"); } + } + + /// + /// The protected payload cannot be decrypted because it was protected with a newer version of the protection provider. 
+ /// + internal static string FormatCommon_PayloadProducedByNewerVersion() + { + return GetString("Common_PayloadProducedByNewerVersion"); + } + + private static string GetString(string name, params string[] formatterNames) + { + var value = _resourceManager.GetString(name); + + System.Diagnostics.Debug.Assert(value != null); + + if (formatterNames != null) + { + for (var i = 0; i < formatterNames.Length; i++) + { + value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); + } + } + + return value; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs deleted file mode 100644 index bf34a8dcd8..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/ProtectedDataProtectionProvider.cs +++ /dev/null 
@@ -1,75 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -#if NET45 -using System; -using System.Security.Cryptography; -using System.Text; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal class ProtectedDataProtectionProvider : IDataProtectionProvider - { - private readonly DataProtectionScope _scope; - - public ProtectedDataProtectionProvider(DataProtectionScope scope) - { - _scope = scope; - } - - public IDataProtector CreateProtector(string purpose) - { - return new ProtectedDataProtector(_scope, purpose); - } - - public void Dispose() - { - - } - - private class ProtectedDataProtector : IDataProtector - { - private readonly DataProtectionScope _scope; - private readonly byte[] _entropy; - - public ProtectedDataProtector(DataProtectionScope scope, string purpose) - { - _scope = scope; - _entropy = Encoding.UTF8.GetBytes(purpose); - } - - private ProtectedDataProtector(DataProtectionScope scope, byte[] entropy) - { - _scope = scope; - _entropy = entropy; - } - - public IDataProtector CreateSubProtector(string purpose) - { - var purposeBytes = Encoding.UTF8.GetBytes(purpose); - var subProtectorEntropy = new byte[_entropy.Length + purposeBytes.Length]; - - Buffer.BlockCopy(_entropy, 0, subProtectorEntropy, 0, _entropy.Length); - Buffer.BlockCopy(purposeBytes, 0, subProtectorEntropy, _entropy.Length, purposeBytes.Length); - - return new ProtectedDataProtector(_scope, subProtectorEntropy); - } - - public byte[] Protect(byte[] unprotectedData) - { - return ProtectedData.Protect(unprotectedData, _entropy, _scope); - } - - public byte[] Unprotect(byte[] protectedData) - { - return ProtectedData.Unprotect(protectedData, _entropy, _scope); - } - - public void Dispose() - { - - } - } - } -} -#endif 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs b/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs
new file mode 100644
index 0000000000..ce3b6dae7f
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs
@@ -0,0 +1,212 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.Win32.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection +{ + public unsafe sealed class ProtectedMemoryBlob : IDisposable, ISecret + { + // from wincrypt.h + private const uint CRYPTPROTECTMEMORY_BLOCK_SIZE = 16; + + private readonly SecureLocalAllocHandle _encryptedMemoryHandle; + private readonly uint _plaintextLength; + + public ProtectedMemoryBlob(ArraySegment plaintext) + { + plaintext.Validate(); + + _encryptedMemoryHandle = Protect(plaintext); + _plaintextLength = (uint)plaintext.Count; + } + + public ProtectedMemoryBlob(byte[] plaintext) + : this(new ArraySegment(plaintext)) + { + } + + public ProtectedMemoryBlob(byte* plaintext, int plaintextLength) + { + if (plaintext == null) + { + throw new ArgumentNullException("plaintext"); + } + if (plaintextLength < 0) + { + throw new ArgumentOutOfRangeException("plaintextLength"); + } + + _encryptedMemoryHandle = Protect(plaintext, (uint)plaintextLength); + _plaintextLength = (uint)plaintextLength; + } + + public ProtectedMemoryBlob(ISecret secret) + { + if (secret == null) + { + throw new ArgumentNullException("secret"); + } + + ProtectedMemoryBlob other = secret as ProtectedMemoryBlob; + if (other != null) + { + // Fast-track: simple deep copy scenario. + this._encryptedMemoryHandle = other._encryptedMemoryHandle.Duplicate(); + this._plaintextLength = other._plaintextLength; + } + else + { + // Copy the secret to a temporary managed buffer, then protect the buffer. + // We pin the temp buffer and zero it out when we're finished to limit exposure of the secret. 
+ byte[] tempPlaintextBuffer = new byte[secret.Length]; + fixed (byte* pbTempPlaintextBuffer = tempPlaintextBuffer) + { + try + { + secret.WriteSecretIntoBuffer(new ArraySegment(tempPlaintextBuffer)); + _encryptedMemoryHandle = Protect(pbTempPlaintextBuffer, (uint)tempPlaintextBuffer.Length); + _plaintextLength = (uint)tempPlaintextBuffer.Length; + } + finally + { + UnsafeBufferUtil.SecureZeroMemory(pbTempPlaintextBuffer, tempPlaintextBuffer.Length); + } + } + } + } + + public int Length + { + get + { + return (int)_plaintextLength; // ctor guarantees the length fits into a signed int + } + } + + public void Dispose() + { + _encryptedMemoryHandle.Dispose(); + } + + private static SecureLocalAllocHandle Protect(ArraySegment plaintext) + { + fixed (byte* pbPlaintextArray = plaintext.Array) + { + return Protect(&pbPlaintextArray[plaintext.Offset], (uint)plaintext.Count); + } + } + + private static SecureLocalAllocHandle Protect(byte* pbPlaintext, uint cbPlaintext) + { + // We need to make sure we're a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE. + uint numTotalBytesToAllocate = cbPlaintext; + uint numBytesPaddingRequired = CRYPTPROTECTMEMORY_BLOCK_SIZE - (numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE); + if (numBytesPaddingRequired == CRYPTPROTECTMEMORY_BLOCK_SIZE) + { + numBytesPaddingRequired = 0; // we're already a proper multiple of the block size + } + checked { numTotalBytesToAllocate += numBytesPaddingRequired; } + CryptoUtil.Assert(numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0, "numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0"); + + // Allocate and copy plaintext data; padding is uninitialized / undefined. + SecureLocalAllocHandle encryptedMemoryHandle = SecureLocalAllocHandle.Allocate((IntPtr)numTotalBytesToAllocate); + UnsafeBufferUtil.BlockCopy(from: pbPlaintext, to: encryptedMemoryHandle, byteCount: cbPlaintext); + + // Finally, CryptProtectMemory the whole mess. 
+ if (numTotalBytesToAllocate != 0) + { + MemoryProtection.CryptProtectMemory(encryptedMemoryHandle, byteCount: numTotalBytesToAllocate); + } + return encryptedMemoryHandle; + } + + public static ProtectedMemoryBlob Random(int numBytes) + { + CryptoUtil.Assert(numBytes >= 0, "numBytes >= 0"); + + if (numBytes == 0) + { + byte dummy; + return new ProtectedMemoryBlob(&dummy, 0); + } + else + { + byte[] bytes = new byte[numBytes]; + fixed (byte* pbBytes = bytes) + { + try + { + BCryptUtil.GenRandom(pbBytes, (uint)numBytes); + return new ProtectedMemoryBlob(pbBytes, numBytes); + } + finally + { + UnsafeBufferUtil.SecureZeroMemory(pbBytes, numBytes); + } + } + } + } + + private void UnprotectInto(byte* pbBuffer) + { + if (_plaintextLength % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0) + { + // Case 1: Secret length is an exact multiple of the block size. Copy directly to the buffer and decrypt there. + // We go through this code path even for empty plaintexts since we still want SafeHandle dispose semantics. + UnsafeBufferUtil.BlockCopy(from: _encryptedMemoryHandle, to: pbBuffer, byteCount: _plaintextLength); + MemoryProtection.CryptUnprotectMemory(pbBuffer, _plaintextLength); + } + else + { + // Case 2: Secret length is not a multiple of the block size. We'll need to duplicate the data and + // perform the decryption in the duplicate buffer, then copy the plaintext data over. 
+ using (var duplicateHandle = _encryptedMemoryHandle.Duplicate()) + { + MemoryProtection.CryptUnprotectMemory(duplicateHandle, checked((uint)duplicateHandle.Length)); + UnsafeBufferUtil.BlockCopy(from: duplicateHandle, to: pbBuffer, byteCount: _plaintextLength); + } + } + } + + public void WriteSecretIntoBuffer(ArraySegment buffer) + { + // Parameter checking + buffer.Validate(); + if (buffer.Count != Length) + { + throw Error.Common_BufferIncorrectlySized("buffer", actualSize: buffer.Count, expectedSize: Length); + } + + // only unprotect if the secret is zero-length, as CLR doesn't like pinning zero-length buffers + if (Length != 0) + { + fixed (byte* pbBufferArray = buffer.Array) + { + UnprotectInto(&pbBufferArray[buffer.Offset]); + } + } + } + + public void WriteSecretIntoBuffer(byte* buffer, int bufferLength) + { + if (buffer == null) + { + throw new ArgumentNullException("buffer"); + } + if (bufferLength < 0) + { + throw new ArgumentOutOfRangeException("bufferLength"); + } + if (bufferLength != Length) + { + throw Error.Common_BufferIncorrectlySized("bufferLength", actualSize: bufferLength, expectedSize: Length); + } + + UnprotectInto(buffer); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.Security.DataProtection/Repositories/FileSystemXmlRepository.cs new file mode 100644 index 0000000000..c09c085587 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Repositories/FileSystemXmlRepository.cs 
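Review bot: In `Protect(byte* pbPlaintext, uint cbPlaintext)` the plaintext is copied into the freshly allocated `SecureLocalAllocHandle` before `CryptProtectMemory` runs, and nothing disposes that handle if the copy or the protect call throws. The unencrypted secret would then stay in that allocation until the handle is finalized; what the handle does on release is not visible in this hunk. Disposing the handle on the failure path, as sketched below, closes that window. The comment in `WriteSecretIntoBuffer(ArraySegment buffer)` is also inverted relative to the code, which unprotects when `Length != 0`; it should read `// only unprotect if the secret is not zero-length, as CLR doesn't like pinning zero-length buffers`.

```csharp
SecureLocalAllocHandle encryptedMemoryHandle = SecureLocalAllocHandle.Allocate((IntPtr)numTotalBytesToAllocate);
try
{
    // … unchanged: BlockCopy of the plaintext and the CryptProtectMemory call …
    return encryptedMemoryHandle;
}
catch
{
    // Release the allocation now rather than at finalization; it may still hold plaintext.
    encryptedMemoryHandle.Dispose();
    throw;
}
```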
@@ -0,0 +1,96 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Globalization; +using System.IO; +using System.Linq; +using System.Xml.Linq; + +namespace Microsoft.AspNet.Security.DataProtection.Repositories +{ + /// + /// An XML repository backed by a file system. + /// + public class FileSystemXmlRepository : IXmlRepository + { + public FileSystemXmlRepository([NotNull] DirectoryInfo directory) + { + Directory = directory; + } + + protected DirectoryInfo Directory + { + get; + private set; + } + + public virtual IReadOnlyCollection GetAllElements() + { + // forces complete enumeration + return GetAllElementsImpl().ToArray(); + } + + private IEnumerable GetAllElementsImpl() + { + Directory.Create(); // won't throw if the directory already exists + + // Find all files matching the pattern "{guid}.xml" + foreach (var fileSystemInfo in Directory.EnumerateFileSystemInfos("*.xml", SearchOption.TopDirectoryOnly)) + { + string simpleFilename = fileSystemInfo.Name; + if (simpleFilename.EndsWith(".xml", StringComparison.OrdinalIgnoreCase)) + { + simpleFilename = simpleFilename.Substring(0, simpleFilename.Length - ".xml".Length); + } + + Guid unused; + if (Guid.TryParseExact(simpleFilename, "D" /* registry format */, out unused)) + { + XDocument document; + using (var fileStream = File.OpenRead(fileSystemInfo.FullName)) + { + document = XDocument.Load(fileStream); + } + + // 'yield return' outside the preceding 'using' block so we don't hold files open longer than necessary + yield return document.Root; + } + } + } + + public virtual void StoreElement([NotNull] XElement element, string friendlyName) + { + // We're going to ignore the friendly name for now and just use a GUID. 
+ StoreElement(element, Guid.NewGuid()); + } + + private void StoreElement(XElement element, Guid id) + { + // We're first going to write the file to a temporary location. This way, another consumer + // won't try reading the file in the middle of us writing it. Additionally, if our process + // crashes mid-write, we won't end up with a corrupt .xml file. + + Directory.Create(); // won't throw if the directory already exists + string tempFilename = Path.Combine(Directory.FullName, String.Format(CultureInfo.InvariantCulture, "{0:D}.tmp", id)); + string finalFilename = Path.Combine(Directory.FullName, String.Format(CultureInfo.InvariantCulture, "{0:D}.xml", id)); + + try + { + using (var tempFileStream = File.OpenWrite(tempFilename)) + { + new XDocument(element).Save(tempFileStream); + } + + // Once the file has been fully written, perform the rename. + // Renames are atomic operations on the file systems we support. + File.Move(tempFilename, finalFilename); + } + finally + { + File.Delete(tempFilename); // won't throw if the file doesn't exist + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Repositories/IXmlRepository.cs b/src/Microsoft.AspNet.Security.DataProtection/Repositories/IXmlRepository.cs new file mode 100644 index 0000000000..572701d922 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Repositories/IXmlRepository.cs 
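Review bot: `StoreElement` creates the directory and the `.tmp`/`.xml` files with whatever permissions they inherit, and nothing in `FileSystemXmlRepository` says who is expected to restrict them. If the stored elements carry key material (their content is not visible in this hunk), every account that can read the directory can read them. I would state the expectation in the class summary, for example `/// Files are created with inherited permissions; the caller is responsible for restricting access to the directory.`.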
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Xml.Linq;
+
+namespace Microsoft.AspNet.Security.DataProtection.Repositories
+{
+ ///
+ /// The basic interface for storing and retrieving XML elements.
+ ///
+ public interface IXmlRepository
+ {
+ ///
+ /// Gets all top-level XML elements in the repository.
+ ///
+ ///
+ /// All top-level elements in the repository.
+ ///
+ IReadOnlyCollection GetAllElements();
+
+ ///
+ /// Adds a top-level XML element to the repository.
+ ///
+ /// The element to add.
+ /// An optional name to be associated with the XML element.
+ /// For instance, if this repository stores XML files on disk, the friendly name may
+ /// be used as part of the file name. Repository implementations are not required to
+ /// observe this parameter even if it has been provided by the caller.
+ void StoreElement(XElement element, string friendlyName);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Res.resx b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx
similarity index 75%
rename from src/Microsoft.AspNet.Security.DataProtection/Res.resx
rename to src/Microsoft.AspNet.Security.DataProtection/Resources.resx
index 0a01c8908d..b03285c38d 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/Res.resx
+++ b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx
@@ -117,16 +117,40 @@ System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 - - Argument cannot be null or empty. + + A provider could not be found for algorithm '{0}'. - - The master key is too short. It must be at least {0} bytes in length. + + The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). - - The data to decrypt is invalid. + + An error occurred during a cryptographic operation. - - Couldn't protect data. Perhaps the user profile isn't loaded? + + The provided buffer is of length {0} byte(s). It must instead be exactly {1} byte(s) in length. + + + The payload was invalid. + + + Property {0} cannot be null or empty. + + + The provided payload could not be decrypted. Refer to the inner exception for more information. + + + An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. + + + The key {0:B} was not found in the keyring. + + + The key {0:B} has been revoked. + + + The provided payload was not protected with this protection provider. + + + The protected payload cannot be decrypted because it was protected with a newer version of the protection provider. \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs new file mode 100644 index 0000000000..432549207e --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs 
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.SP800_108
+{
+ internal unsafe interface ISP800_108_CTR_HMACSHA512Provider : IDisposable
+ {
+ void DeriveKey(byte* pbLabel, uint cbLabel, byte* pbContext, uint cbContext, byte* pbDerivedKey, uint cbDerivedKey);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
new file mode 100644
index 0000000000..54c2891ad7
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
@@ -0,0 +1,57 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.Managed; + +namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +{ + internal static class ManagedSP800_108_CTR_HMACSHA512 + { + public static void DeriveKeys(byte[] kdk, ArraySegment label, ArraySegment context, Func prfFactory, ArraySegment output) + { + // make copies so we can mutate these local vars + int outputOffset = output.Offset; + int outputCount = output.Count; + + using (HashAlgorithm prf = prfFactory(kdk)) + { + // See SP800-108, Sec. 5.1 for the format of the input to the PRF routine. + byte[] prfInput = new byte[checked(sizeof(uint) /* [i]_2 */ + label.Count + 1 /* 0x00 */ + context.Count + sizeof(uint) /* [K]_2 */)]; + + // Copy [L]_2 to prfInput since it's stable over all iterations + uint outputSizeInBits = (uint)checked((int)outputCount * 8); + prfInput[prfInput.Length - 4] = (byte)(outputSizeInBits >> 24); + prfInput[prfInput.Length - 3] = (byte)(outputSizeInBits >> 16); + prfInput[prfInput.Length - 2] = (byte)(outputSizeInBits >> 8); + prfInput[prfInput.Length - 1] = (byte)(outputSizeInBits); + + // Copy label and context to prfInput since they're stable over all iterations + Buffer.BlockCopy(label.Array, label.Offset, prfInput, sizeof(uint), label.Count); + Buffer.BlockCopy(context.Array, context.Offset, prfInput, sizeof(int) + label.Count + 1, context.Count); + + int prfOutputSizeInBytes = prf.GetDigestSizeInBytes(); + for (uint i = 1; outputCount > 0; i++) + { + // Copy [i]_2 to prfInput since it mutates with each iteration + prfInput[0] = (byte)(i >> 24); + prfInput[1] = (byte)(i >> 16); + prfInput[2] = (byte)(i >> 8); + prfInput[3] = (byte)(i); + + // Run the PRF and copy the results to the output buffer + byte[] prfOutput = 
prf.ComputeHash(prfInput); + CryptoUtil.Assert(prfOutputSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length"); + int numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount); + Buffer.BlockCopy(prfOutput, 0, output.Array, outputOffset, numBytesToCopyThisIteration); + Array.Clear(prfOutput, 0, prfOutput.Length); // contains key material, so nuke it + + // adjust offsets + outputOffset += numBytesToCopyThisIteration; + outputCount -= numBytesToCopyThisIteration; + } + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs new file mode 100644 index 0000000000..11750100c5 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs 
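Review bot: In `ManagedSP800_108_CTR_HMACSHA512.DeriveKeys`, the inline comment `/* [K]_2 */` on the last term of the `prfInput` size does not match the code below it, which writes the output bit length under the comment "Copy [L]_2"; I would change it to `/* [L]_2 */` so the layout comment agrees with the cited SP800-108 Sec. 5.1 format. Separately, `label.Array` and `context.Array` are handed to `Buffer.BlockCopy` unconditionally, so a default `ArraySegment` (null array, zero count) would throw even though there is nothing to copy. If callers may pass an empty label or context that way, guard each copy with `if (label.Count > 0)` and `if (context.Count > 0)`.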
@@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +{ + internal unsafe static class SP800_108_CTR_HMACSHA512Extensions + { + public static void DeriveKeyWithContextHeader(this ISP800_108_CTR_HMACSHA512Provider provider, byte* pbLabel, uint cbLabel, byte[] contextHeader, byte* pbContext, uint cbContext, byte* pbDerivedKey, uint cbDerivedKey) + { + uint cbCombinedContext = checked((uint)contextHeader.Length + cbContext); + + // Try allocating the combined context on the stack to avoid temporary managed objects; only fall back to heap if buffers are too large. + byte[] heapAllocatedCombinedContext = (cbCombinedContext > Constants.MAX_STACKALLOC_BYTES) ? new byte[cbCombinedContext] : null; + fixed (byte* pbHeapAllocatedCombinedContext = heapAllocatedCombinedContext) + { + byte* pbCombinedContext = pbHeapAllocatedCombinedContext; + if (pbCombinedContext == null) + { + byte* pbStackAllocatedCombinedContext = stackalloc byte[(int)cbCombinedContext]; // will be released when frame pops + pbCombinedContext = pbStackAllocatedCombinedContext; + } + + fixed (byte* pbContextHeader = contextHeader) + { + UnsafeBufferUtil.BlockCopy(from: pbContextHeader, to: pbCombinedContext, byteCount: contextHeader.Length); + } + UnsafeBufferUtil.BlockCopy(from: pbContext, to: &pbCombinedContext[contextHeader.Length], byteCount: cbContext); + + // At this point, combinedContext := { contextHeader || context } + provider.DeriveKey(pbLabel, cbLabel, pbCombinedContext, cbCombinedContext, pbDerivedKey, cbDerivedKey); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs new file mode 100644 index 0000000000..e87017a8f1 
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
@@ -0,0 +1,93 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.Win32.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +{ + /// + /// Provides an implementation of the SP800-108-CTR-HMACSHA512 key derivation function. + /// This class assumes at least Windows 7 / Server 2008 R2. + /// + /// + /// More info at http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf, Sec. 5.1. + /// + internal unsafe static class SP800_108_CTR_HMACSHA512Util + { + private static readonly bool _isWin8OrLater = GetIsRunningWin8OrLater(); + + // Creates a provider with an empty key. + public static ISP800_108_CTR_HMACSHA512Provider CreateEmptyProvider() + { + byte dummy; + return CreateProvider(pbKdk: &dummy, cbKdk: 0); + } + + // Creates a provider from the given key. + public static ISP800_108_CTR_HMACSHA512Provider CreateProvider(byte* pbKdk, uint cbKdk) + { + return (_isWin8OrLater) + ? (ISP800_108_CTR_HMACSHA512Provider)new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk) + : (ISP800_108_CTR_HMACSHA512Provider)new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); + } + + // Creates a provider from the given secret. 
+ public static ISP800_108_CTR_HMACSHA512Provider CreateProvider(ProtectedMemoryBlob kdk) + { + uint secretLengthInBytes = checked((uint)kdk.Length); + if (secretLengthInBytes == 0) + { + return CreateEmptyProvider(); + } + else + { + fixed (byte* pbPlaintextSecret = new byte[secretLengthInBytes]) + { + try + { + kdk.WriteSecretIntoBuffer(pbPlaintextSecret, checked((int)secretLengthInBytes)); + return CreateProvider(pbPlaintextSecret, secretLengthInBytes); + } + finally + { + UnsafeBufferUtil.SecureZeroMemory(pbPlaintextSecret, secretLengthInBytes); + } + } + } + } + + private static bool GetIsRunningWin8OrLater() + { + // In priority order, our three implementations are Win8, Win7, and "other". + + const string BCRYPT_LIB = "bcrypt.dll"; + + SafeLibraryHandle bcryptLibHandle = null; + try + { + bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB); + } + catch + { + // BCrypt not available? We'll fall back to managed code paths. + } + + if (bcryptLibHandle != null) + { + using (bcryptLibHandle) + { + if (bcryptLibHandle.DoesProcExist("BCryptKeyDerivation")) + { + // We're running on Win8+. + return true; + } + } + } + + // Not running on Win8+ + return false; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs new file mode 100644 index 0000000000..29157aeefc --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs 
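Review bot: `SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider` passes `cbKdk: 0`, and on the non-Win8 path that reaches the `Win7SP800_108_CTR_HMACSHA512Provider` constructor, which calls `CreateHmac`. `CreateHmac` in BCryptAlgorithmHandle.cs (same commit) has `Debug.Assert(cbKey != 0)`, so the empty-key case trips an assertion in debug builds; either drop that assert or give the empty key its own path. In `GetIsRunningWin8OrLater`, the bare `catch` hides every failure to open bcrypt.dll, and its comment promises a managed fallback that `CreateProvider` does not have, since it only chooses between the Win8 and Win7 providers. I would catch only the expected load failure and correct the comment to say what the false result actually selects.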
@@ -0,0 +1,79 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +{ + internal unsafe sealed class Win7SP800_108_CTR_HMACSHA512Provider : ISP800_108_CTR_HMACSHA512Provider + { + private readonly BCryptHashHandle _hashHandle; + + public Win7SP800_108_CTR_HMACSHA512Provider(byte* pbKdk, uint cbKdk) + { + _hashHandle = CachedAlgorithmHandles.HMAC_SHA512.CreateHmac(pbKdk, cbKdk); + } + + public void DeriveKey(byte* pbLabel, uint cbLabel, byte* pbContext, uint cbContext, byte* pbDerivedKey, uint cbDerivedKey) + { + const uint SHA512_DIGEST_SIZE_IN_BYTES = 512 / 8; + byte* pbHashDigest = stackalloc byte[(int)SHA512_DIGEST_SIZE_IN_BYTES]; + + // NOTE: pbDerivedKey and cbDerivedKey are modified as data is copied to the output buffer. + + // this will be zero-inited + byte[] tempInputBuffer = new byte[checked( + sizeof(int) /* [i] */ + + cbLabel /* Label */ + + 1 /* 0x00 */ + + cbContext /* Context */ + + sizeof(int) /* [L] */)]; + + fixed (byte* pbTempInputBuffer = tempInputBuffer) + { + // Step 1: Calculate all necessary offsets into the temp input & output buffer. + byte* pbTempInputCounter = pbTempInputBuffer; + byte* pbTempInputLabel = &pbTempInputCounter[sizeof(int)]; + byte* pbTempInputContext = &pbTempInputLabel[cbLabel + 1 /* 0x00 */]; + byte* pbTempInputBitlengthIndicator = &pbTempInputContext[cbContext]; + + // Step 2: Copy Label and Context into the temp input buffer. 
+ UnsafeBufferUtil.BlockCopy(from: pbLabel, to: pbTempInputLabel, byteCount: cbLabel); + UnsafeBufferUtil.BlockCopy(from: pbContext, to: pbTempInputContext, byteCount: cbContext); + + // Step 3: copy [L] into last part of data to be hashed, big-endian + BitHelpers.WriteTo(pbTempInputBitlengthIndicator, checked(cbDerivedKey * 8)); + + // Step 4: iterate until all desired bytes have been generated + for (uint i = 1; cbDerivedKey > 0; i++) + { + // Step 4a: Copy [i] into the first part of data to be hashed, big-endian + BitHelpers.WriteTo(pbTempInputCounter, i); + + // Step 4b: Hash. Win7 doesn't allow reusing hash algorithm objects after the final hash + // has been computed, so we'll just keep calling DuplicateHash on the original virgin + // hash handle. This offers a slight performance increase over allocating a new hash + // handle for each iteration. We don't need to mess with any of this on Win8 since on + // that platform we use BCryptKeyDerivation directly, which offers superior performance. + using (var hashHandle = _hashHandle.DuplicateHash()) + { + hashHandle.HashData(pbTempInputBuffer, (uint)tempInputBuffer.Length, pbHashDigest, SHA512_DIGEST_SIZE_IN_BYTES); + } + + // Step 4c: Copy bytes from the temporary buffer to the output buffer. + uint numBytesToCopy = Math.Min(cbDerivedKey, SHA512_DIGEST_SIZE_IN_BYTES); + UnsafeBufferUtil.BlockCopy(from: pbHashDigest, to: pbDerivedKey, byteCount: numBytesToCopy); + pbDerivedKey += numBytesToCopy; + cbDerivedKey -= numBytesToCopy; + } + } + } + + public void Dispose() + { + _hashHandle.Dispose(); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs new file mode 100644 index 0000000000..2aa5d58b6b --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs 
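Review bot: `Win7SP800_108_CTR_HMACSHA512Provider.DeriveKey` leaves the last HMAC output in `pbHashDigest` on the stack when it returns, whereas the managed implementation in this commit clears its PRF output with the comment "contains key material, so nuke it". I would add `UnsafeBufferUtil.SecureZeroMemory(pbHashDigest, SHA512_DIGEST_SIZE_IN_BYTES);` after the loop, preferably in a `finally` so it also runs when `HashData` throws. The method trusts all three pointer/length pairs without checks, so a one-line comment stating that callers are responsible for validating them would make that contract explicit.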
@@ -0,0 +1,107 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +{ + internal unsafe sealed class Win8SP800_108_CTR_HMACSHA512Provider : ISP800_108_CTR_HMACSHA512Provider + { + private readonly BCryptKeyHandle _keyHandle; + + public Win8SP800_108_CTR_HMACSHA512Provider(byte* pbKdk, uint cbKdk) + { + _keyHandle = ImportKey(pbKdk, cbKdk); + } + + public void DeriveKey(byte* pbLabel, uint cbLabel, byte* pbContext, uint cbContext, byte* pbDerivedKey, uint cbDerivedKey) + { + const int SHA512_ALG_CHAR_COUNT = 7; + char* pszHashAlgorithm = stackalloc char[SHA512_ALG_CHAR_COUNT /* includes terminating null */]; + pszHashAlgorithm[0] = 'S'; + pszHashAlgorithm[1] = 'H'; + pszHashAlgorithm[2] = 'A'; + pszHashAlgorithm[3] = '5'; + pszHashAlgorithm[4] = '1'; + pszHashAlgorithm[5] = '2'; + pszHashAlgorithm[6] = (char)0; + + // First, build the buffers necessary to pass (label, context, PRF algorithm) into the KDF + BCryptBuffer* pBuffers = stackalloc BCryptBuffer[3]; + + pBuffers[0].BufferType = BCryptKeyDerivationBufferType.KDF_LABEL; + pBuffers[0].pvBuffer = (IntPtr)pbLabel; + pBuffers[0].cbBuffer = cbLabel; + + pBuffers[1].BufferType = BCryptKeyDerivationBufferType.KDF_CONTEXT; + pBuffers[1].pvBuffer = (IntPtr)pbContext; + pBuffers[1].cbBuffer = cbContext; + + pBuffers[2].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; + pBuffers[2].pvBuffer = (IntPtr)pszHashAlgorithm; + pBuffers[2].cbBuffer = checked(SHA512_ALG_CHAR_COUNT * sizeof(char)); + + // Add the header which points to the buffers + BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); + BCryptBufferDesc.Initialize(ref bufferDesc); + bufferDesc.cBuffers = 3; + 
bufferDesc.pBuffers = pBuffers; + + // Finally, invoke the KDF + uint numBytesDerived; + int ntstatus = UnsafeNativeMethods.BCryptKeyDerivation( + hKey: _keyHandle, + pParameterList: &bufferDesc, + pbDerivedKey: pbDerivedKey, + cbDerivedKey: cbDerivedKey, + pcbResult: out numBytesDerived, + dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + + // Final sanity checks before returning control to caller. + CryptoUtil.Assert(numBytesDerived == cbDerivedKey, "numBytesDerived == cbDerivedKey"); + } + + public void Dispose() + { + _keyHandle.Dispose(); + } + + private static BCryptKeyHandle ImportKey(byte* pbKdk, uint cbKdk) + { + // The MS implementation of SP800_108_CTR_HMAC has a limit on the size of the key it can accept. + // If the incoming key is too long, we'll hash it using SHA512 to bring it back to a manageable + // length. This transform is appropriate since SP800_108_CTR_HMAC is just a glorified HMAC under + // the covers, and the HMAC algorithm allows hashing the key using the underlying PRF if the key + // is greater than the PRF's block length. + + const uint SHA512_BLOCK_SIZE_IN_BYTES = 1024 / 8; + const uint SHA512_DIGEST_SIZE_IN_BYTES = 512 / 8; + + if (cbKdk > SHA512_BLOCK_SIZE_IN_BYTES) + { + // Hash key. + byte* pbHashedKey = stackalloc byte[(int)SHA512_DIGEST_SIZE_IN_BYTES]; + try + { + using (var hashHandle = CachedAlgorithmHandles.SHA512.CreateHash()) + { + hashHandle.HashData(pbKdk, cbKdk, pbHashedKey, SHA512_DIGEST_SIZE_IN_BYTES); + } + return CachedAlgorithmHandles.SP800_108_CTR_HMAC.GenerateSymmetricKey(pbKdk, cbKdk); + } + finally + { + UnsafeBufferUtil.SecureZeroMemory(pbHashedKey, SHA512_DIGEST_SIZE_IN_BYTES); + } + } + else + { + // Use key directly. + return CachedAlgorithmHandles.SP800_108_CTR_HMAC.GenerateSymmetricKey(pbKdk, cbKdk); + } + } + } +} 
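Review bot: In `Win8SP800_108_CTR_HMACSHA512Provider.ImportKey`, the branch for `cbKdk > SHA512_BLOCK_SIZE_IN_BYTES` hashes the key into `pbHashedKey` and then still imports the original bytes with `GenerateSymmetricKey(pbKdk, cbKdk)`. The digest is computed and zeroed but never used, so an over-long key goes to the provider unchanged, which is the case the comment above says the provider cannot accept. The call should be `return CachedAlgorithmHandles.SP800_108_CTR_HMAC.GenerateSymmetricKey(pbHashedKey, SHA512_DIGEST_SIZE_IN_BYTES);`. A test that derives from a key longer than 128 bytes and compares the result with the Win7 and managed paths would cover this branch.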
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs
deleted file mode 100644
index 95ba77614c..0000000000
--- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108Helper.cs
+++ /dev/null
@@ -1,193 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Net; -using System.Runtime.InteropServices; -using System.Security; -using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Util; -using Microsoft.Win32.SafeHandles; - -namespace Microsoft.AspNet.Security.DataProtection -{ - /// - /// Provides an implementation of the SP800-108-CTR-HMACSHA512 key derivation function. - /// This class assumes at least Windows 7 / Server 2008 R2. - /// - /// - /// More info at http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf, Sec. 5.1. - /// - internal unsafe static class SP800_108Helper - { - private const string BCRYPT_LIB = "bcrypt.dll"; - - [SuppressUnmanagedCodeSecurity] - [UnmanagedFunctionPointer(CallingConvention.Winapi)] - // http://msdn.microsoft.com/en-us/library/hh448506(v=vs.85).aspx - private delegate int BCryptKeyDerivation( - [In] BCryptKeyHandle hKey, - [In] BCryptBufferDesc* pParameterList, - [In] byte* pbDerivedKey, - [In] uint cbDerivedKey, - [Out] out uint pcbResult, - [In] uint dwFlags); - - private static readonly BCryptAlgorithmHandle SP800108AlgorithmHandle; - private delegate void DeriveKeysDelegate(byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength); - private static DeriveKeysDelegate _thunk = CreateThunk(out SP800108AlgorithmHandle); - - private static BCryptAlgorithmHandle CreateSP800108AlgorithmHandle() - { - // create the SP800-108 instance - BCryptAlgorithmHandle algHandle; - int status = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, Constants.BCRYPT_SP800108_CTR_HMAC_ALGORITHM, Constants.MS_PRIMITIVE_PROVIDER, dwFlags: 0); - if (status != 0 || algHandle == null || algHandle.IsInvalid) - { - throw new CryptographicException(status); - } - - return algHandle; - } - - 
private static DeriveKeysDelegate CreateThunk(out BCryptAlgorithmHandle sp800108AlgorithmHandle) - { - SafeLibraryHandle bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB); - var win8Thunk = bcryptLibHandle.GetProcAddress("BCryptKeyDerivation", throwIfNotFound: false); - if (win8Thunk != null) - { - // Permanently reference bcrypt.dll for the lifetime of the AppDomain. - // When the AD goes away the SafeLibraryHandle will automatically be released. - GCHandle.Alloc(bcryptLibHandle); - sp800108AlgorithmHandle = CreateSP800108AlgorithmHandle(); - return win8Thunk.DeriveKeysWin8; - } - else - { - sp800108AlgorithmHandle = null; - return DeriveKeysWin7; - } - } - - /// - /// Performs a key derivation using SP800-108-CTR-HMACSHA512. - /// - /// Pointer to the key derivation key. - /// Length (in bytes) of the key derivation key. - /// Purpose to attach to the generated subkey. Corresponds to the 'Label' parameter - /// in the KDF. May be null. - /// Pointer to a buffer which will receive the subkey. - /// Length (in bytes) of the output buffer. - public static void DeriveKeys(byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength) - { - _thunk(pKdk, kdkByteLength, purpose, pOutputBuffer, outputBufferByteLength); - } - - // Wraps our own SP800-108 implementation around bcrypt.dll primitives. - private static void DeriveKeysWin7(byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength) - { - const int TEMP_RESULT_OUTPUT_BYTES = 512 / 8; // hardcoded to HMACSHA512 - - // NOTE: pOutputBuffer and outputBufferByteLength are modified as data is copied from temporary buffers - // to the final output buffer. - - // used to hold the output of the HMACSHA512 routine - byte* pTempResultBuffer = stackalloc byte[TEMP_RESULT_OUTPUT_BYTES]; - int purposeLength = (purpose != null) ? 
purpose.Length : 0; - - // this will be zero-inited - byte[] dataToBeHashed = new byte[checked( - sizeof(int) /* [i] */ - + purposeLength /* Label */ - + 1 /* 0x00 */ - + 0 /* Context */ - + sizeof(int) /* [L] */)]; - - fixed (byte* pDataToBeHashed = dataToBeHashed) - { - // Step 1: copy purpose into Label part of data to be hashed - if (purposeLength > 0) - { - fixed (byte* pPurpose = purpose) - { - BufferUtil.BlockCopy(from: pPurpose, to: &pDataToBeHashed[sizeof(int)], byteCount: purposeLength); - } - } - - // Step 2: copy [L] into last part of data to be hashed, big-endian - uint numBitsToGenerate = checked(outputBufferByteLength * 8); - MemoryUtil.UnalignedWriteBigEndian(&pDataToBeHashed[dataToBeHashed.Length - sizeof(int)], numBitsToGenerate); - - // Step 3: iterate until all desired bytes have been generated - for (int i = 1; outputBufferByteLength > 0; i++) - { - // Step 3a: Copy [i] into the first part of data to be hashed, big-endian - MemoryUtil.UnalignedWriteBigEndian(pDataToBeHashed, (uint)i); - - // Step 3b: Hash. Win7 doesn't allow reusing hash algorithm objects after the final hash - // has been computed, so we need to create a new instance of the hash object for each - // iteration. We don't bother with this optimization on Win8 since we call BCryptKeyDerivation - // instead when on that OS. - using (var hashHandle = BCryptUtil.CreateHMACHandle(Algorithms.HMACSHA512AlgorithmHandle, pKdk, kdkByteLength)) - { - BCryptUtil.HashData(hashHandle, pDataToBeHashed, dataToBeHashed.Length, pTempResultBuffer, TEMP_RESULT_OUTPUT_BYTES); - } - - // Step 3c: Copy bytes from the temporary buffer to the output buffer. 
- uint numBytesToCopy = Math.Min(outputBufferByteLength, (uint)TEMP_RESULT_OUTPUT_BYTES); - BufferUtil.BlockCopy(from: pTempResultBuffer, to: pOutputBuffer, byteCount: numBytesToCopy); - pOutputBuffer += numBytesToCopy; - outputBufferByteLength -= numBytesToCopy; - } - } - } - - // Calls into the Win8 implementation (bcrypt.dll) for the SP800-108 KDF - private static void DeriveKeysWin8(this BCryptKeyDerivation fnKeyDerivation, byte* pKdk, int kdkByteLength, byte[] purpose, byte* pOutputBuffer, uint outputBufferByteLength) - { - // Create a buffer to hold the hash algorithm name - fixed (char* pszPrfAlgorithmName = Constants.BCRYPT_SHA512_ALGORITHM) - { - BCryptBuffer* pBCryptBuffers = stackalloc BCryptBuffer[2]; - - // The first buffer should contain the PRF algorithm name (hardcoded to HMACSHA512). - // Per http://msdn.microsoft.com/en-us/library/aa375368(v=vs.85).aspx, cbBuffer must include the terminating null char. - pBCryptBuffers[0].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; - pBCryptBuffers[0].pvBuffer = (IntPtr)pszPrfAlgorithmName; - pBCryptBuffers[0].cbBuffer = (uint)((Constants.BCRYPT_SHA512_ALGORITHM.Length + 1) * sizeof(char)); - uint numBuffers = 1; - - fixed (byte* pPurpose = ((purpose != null && purpose.Length != 0) ? purpose : null)) - { - if (pPurpose != null) - { - // The second buffer will hold the purpose bytes if they're specified. - pBCryptBuffers[1].BufferType = BCryptKeyDerivationBufferType.KDF_LABEL; - pBCryptBuffers[1].pvBuffer = (IntPtr)pPurpose; - pBCryptBuffers[1].cbBuffer = (uint)purpose.Length; - numBuffers = 2; - } - - // Add the header - BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); - BCryptBufferDesc.Initialize(ref bufferDesc); - bufferDesc.cBuffers = numBuffers; - bufferDesc.pBuffers = pBCryptBuffers; - - // Finally, perform the calculation and validate that the actual number of bytes derived matches - // the number that the caller requested. 
- uint numBytesDerived; - int status; - using (BCryptKeyHandle kdkHandle = BCryptUtil.ImportKey(SP800108AlgorithmHandle, pKdk, kdkByteLength)) - { - status = fnKeyDerivation(kdkHandle, &bufferDesc, pOutputBuffer, outputBufferByteLength, out numBytesDerived, dwFlags: 0); - } - if (status != 0 || numBytesDerived != outputBufferByteLength) - { - throw new CryptographicException(status); - } - } - } - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs new file mode 100644 index 0000000000..2b72ae08d9 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs 
@@ -0,0 +1,166 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.Win32.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +{ + internal unsafe sealed class BCryptAlgorithmHandle : BCryptHandle + { + // Called by P/Invoke when returning SafeHandles + private BCryptAlgorithmHandle() { } + + /// + /// Creates an unkeyed hash handle from this hash algorithm. + /// + public BCryptHashHandle CreateHash() + { + return CreateHashImpl(null, 0); + } + + private BCryptHashHandle CreateHashImpl(byte* pbKey, uint cbKey) + { + BCryptHashHandle retVal; + int ntstatus = UnsafeNativeMethods.BCryptCreateHash(this, out retVal, IntPtr.Zero, 0, pbKey, cbKey, dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + CryptoUtil.AssertSafeHandleIsValid(retVal); + + retVal.SetAlgorithmProviderHandle(this); + return retVal; + } + + /// + /// Creates an HMAC hash handle from this hash algorithm. + /// + public BCryptHashHandle CreateHmac(byte* pbKey, uint cbKey) + { + Debug.Assert(pbKey != null); + Debug.Assert(cbKey != 0); + + return CreateHashImpl(pbKey, cbKey); + } + + /// + /// Imports a key into a symmetric encryption or KDF algorithm. + /// + public BCryptKeyHandle GenerateSymmetricKey(byte* pbSecret, uint cbSecret) + { + BCryptKeyHandle retVal; + int ntstatus = UnsafeNativeMethods.BCryptGenerateSymmetricKey(this, out retVal, IntPtr.Zero, 0, pbSecret, cbSecret, 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + CryptoUtil.AssertSafeHandleIsValid(retVal); + + retVal.SetAlgorithmProviderHandle(this); + return retVal; + } + + /// + /// Gets the name of this BCrypt algorithm. 
+ /// + public string GetAlgorithmName() + { + // First, calculate how many characters are in the name. + uint byteLengthOfNameWithTerminatingNull = GetProperty(Constants.BCRYPT_ALGORITHM_NAME, null, 0); + CryptoUtil.Assert(byteLengthOfNameWithTerminatingNull % sizeof(char) == 0 && byteLengthOfNameWithTerminatingNull > sizeof(char), "byteLengthOfNameWithTerminatingNull % sizeof(char) == 0 && byteLengthOfNameWithTerminatingNull > sizeof(char)"); + uint numCharsWithoutNull = (byteLengthOfNameWithTerminatingNull - 1) / sizeof(char); + + if (numCharsWithoutNull == 0) + { + return String.Empty; // degenerate case + } + + // Allocate a string object and write directly into it (CLR team approves of this mechanism). + string retVal = new String((char)0, checked((int)numCharsWithoutNull)); + uint numBytesCopied; + fixed (char* pRetVal = retVal) + { + numBytesCopied = GetProperty(Constants.BCRYPT_ALGORITHM_NAME, pRetVal, byteLengthOfNameWithTerminatingNull); + } + CryptoUtil.Assert(numBytesCopied == byteLengthOfNameWithTerminatingNull, "numBytesCopied == byteLengthOfNameWithTerminatingNull"); + return retVal; + } + + /// + /// Gets the cipher block length (in bytes) of this block cipher algorithm. + /// + public uint GetCipherBlockLength() + { + uint cipherBlockLength; + uint numBytesCopied = GetProperty(Constants.BCRYPT_BLOCK_LENGTH, &cipherBlockLength, sizeof(uint)); + CryptoUtil.Assert(numBytesCopied == sizeof(uint), "numBytesCopied == sizeof(uint)"); + return cipherBlockLength; + } + + /// + /// Gets the hash block length (in bytes) of this hash algorithm. + /// + public uint GetHashBlockLength() + { + uint hashBlockLength; + uint numBytesCopied = GetProperty(Constants.BCRYPT_HASH_BLOCK_LENGTH, &hashBlockLength, sizeof(uint)); + CryptoUtil.Assert(numBytesCopied == sizeof(uint), "numBytesCopied == sizeof(uint)"); + return hashBlockLength; + } + + /// + /// Gets the key lengths (in bits) supported by this algorithm. 
+ /// + public BCRYPT_KEY_LENGTHS_STRUCT GetSupportedKeyLengths() + { + BCRYPT_KEY_LENGTHS_STRUCT supportedKeyLengths; + uint numBytesCopied = GetProperty(Constants.BCRYPT_KEY_LENGTHS, &supportedKeyLengths, (uint)sizeof(BCRYPT_KEY_LENGTHS_STRUCT)); + CryptoUtil.Assert(numBytesCopied == sizeof(BCRYPT_KEY_LENGTHS_STRUCT), "numBytesCopied == sizeof(BCRYPT_KEY_LENGTHS_STRUCT)"); + return supportedKeyLengths; + } + + /// + /// Gets the digest length (in bytes) of this hash algorithm provider. + /// + public uint GetHashDigestLength() + { + uint digestLength; + uint numBytesCopied = GetProperty(Constants.BCRYPT_HASH_LENGTH, &digestLength, sizeof(uint)); + CryptoUtil.Assert(numBytesCopied == sizeof(uint), "numBytesCopied == sizeof(uint)"); + return digestLength; + } + + public static BCryptAlgorithmHandle OpenAlgorithmHandle(string algorithmId, string implementation = null, bool hmac = false) + { + // from bcrypt.h + const uint BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008; + + // from ntstatus.h + const int STATUS_NOT_FOUND = unchecked((int)0xC0000225); + + BCryptAlgorithmHandle algHandle; + int ntstatus = UnsafeNativeMethods.BCryptOpenAlgorithmProvider(out algHandle, algorithmId, implementation, dwFlags: (hmac) ? BCRYPT_ALG_HANDLE_HMAC_FLAG : 0); + + // error checking + if (ntstatus == STATUS_NOT_FOUND) + { + throw Error.BCryptAlgorithmHandle_ProviderNotFound(algorithmId); + } + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + CryptoUtil.AssertSafeHandleIsValid(algHandle); + + return algHandle; + } + + // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. + protected override bool ReleaseHandle() + { + return (UnsafeNativeMethods.BCryptCloseAlgorithmProvider(handle, dwFlags: 0) == 0); + } + + public void SetChainingMode(string chainingMode) + { + fixed (char* pszChainingMode = chainingMode ?? 
String.Empty) + { + SetProperty(Constants.BCRYPT_CHAINING_MODE, pszChainingMode, checked((uint)(chainingMode.Length + 1 /* null terminator */) * sizeof(char))); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs new file mode 100644 index 0000000000..a5001cb26f --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs @@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Win32.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +{ + internal unsafe abstract class BCryptHandle : SafeHandleZeroOrMinusOneIsInvalid + { + protected BCryptHandle() + : base(ownsHandle: true) + { + } + + protected uint GetProperty(string pszProperty, void* pbOutput, uint cbOutput) + { + uint retVal; + int ntstatus = UnsafeNativeMethods.BCryptGetProperty(this, pszProperty, pbOutput, cbOutput, out retVal, dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + return retVal; + } + + protected void SetProperty(string pszProperty, void* pbInput, uint cbInput) + { + int ntstatus = UnsafeNativeMethods.BCryptSetProperty(this, pszProperty, pbInput, cbInput, dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs new file mode 100644 index 0000000000..af30a1b3a0 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs 
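Review bot: `BCryptAlgorithmHandle.SetChainingMode` substitutes `String.Empty` for a null `chainingMode` in the `fixed` statement but then reads `chainingMode.Length`, so a null argument still throws `NullReferenceException`. Either reject null up front or coalesce once with `string mode = chainingMode ?? String.Empty;` and use `mode` for both the pointer and the length. In `GetAlgorithmName`, `(byteLengthOfNameWithTerminatingNull - 1) / sizeof(char)` gives the right character count only through integer truncation; `byteLengthOfNameWithTerminatingNull / sizeof(char) - 1` states the intent directly.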
@@ -0,0 +1,71 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Win32.SafeHandles; + +namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +{ + internal unsafe sealed class BCryptHashHandle : BCryptHandle + { + private BCryptAlgorithmHandle _algProviderHandle; + + // Called by P/Invoke when returning SafeHandles + private BCryptHashHandle() { } + + /// + /// Duplicates this hash handle, including any existing hashed state. + /// + public BCryptHashHandle DuplicateHash() + { + BCryptHashHandle duplicateHandle; + int ntstatus = UnsafeNativeMethods.BCryptDuplicateHash(this, out duplicateHandle, IntPtr.Zero, 0, 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + CryptoUtil.AssertSafeHandleIsValid(duplicateHandle); + + duplicateHandle._algProviderHandle = this._algProviderHandle; + return duplicateHandle; + } + + /// + /// Calculates the cryptographic hash over a set of input data. + /// + public void HashData(byte* pbInput, uint cbInput, byte* pbHashDigest, uint cbHashDigest) + { + int ntstatus; + if (cbInput > 0) + { + ntstatus = UnsafeNativeMethods.BCryptHashData( + hHash: this, + pbInput: pbInput, + cbInput: cbInput, + dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + } + + ntstatus = UnsafeNativeMethods.BCryptFinishHash( + hHash: this, + pbOutput: pbHashDigest, + cbOutput: cbHashDigest, + dwFlags: 0); + UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); + } + + // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. + protected override bool ReleaseHandle() + { + return (UnsafeNativeMethods.BCryptDestroyHash(handle) == 0); + } + + // We don't actually need to hold a reference to the algorithm handle, as the native CNG library + // already holds the reference for us. 
But once we create a hash from an algorithm provider, odds + // are good that we'll create another hash from the same algorithm provider at some point in the + // future. And since algorithm providers are expensive to create, we'll hold a strong reference + // to all known in-use providers. This way the cached algorithm provider handles utility class + // doesn't keep creating providers over and over. + internal void SetAlgorithmProviderHandle(BCryptAlgorithmHandle algProviderHandle) + { + _algProviderHandle = algProviderHandle; + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs new file mode 100644 index 0000000000..d03777d5da --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs 
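Review bot: `HashData` in BCryptHashHandle.cs ends with `BCryptFinishHash`, but its summary does not say that the call also finalizes the hash object. As far as I know a finished CNG hash accepts no more data unless it was created as reusable, and how the handle is created is not visible in this hunk. A remark on the method would prevent misuse, for example `/// Finalizes this hash; call DuplicateHash() first if the running state must be kept.` The doc should also state that `cbHashDigest` must match the provider's digest length, because the method passes it to the native call without comparing it to anything.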
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.SafeHandles
+{
+ internal sealed class BCryptKeyHandle : BCryptHandle
+ {
+ private BCryptAlgorithmHandle _algProviderHandle;
+
+ // Called by P/Invoke when returning SafeHandles
+ private BCryptKeyHandle() { }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle()
+ {
+ _algProviderHandle = null;
+ return (UnsafeNativeMethods.BCryptDestroyKey(handle) == 0);
+ }
+
+ // We don't actually need to hold a reference to the algorithm handle, as the native CNG library
+ // already holds the reference for us. But once we create a key from an algorithm provider, odds
+ // are good that we'll create another key from the same algorithm provider at some point in the
+ // future. And since algorithm providers are expensive to create, we'll hold a strong reference
+ // to all known in-use providers. This way the cached algorithm provider handles utility class
+ // doesn't keep creating providers over and over.
+ internal void SetAlgorithmProviderHandle(BCryptAlgorithmHandle algProviderHandle)
+ {
+ _algProviderHandle = algProviderHandle;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs
new file mode 100644
index 0000000000..a7add3bb9a
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs
@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection.SafeHandles
+{
+ ///
+ /// Represents a handle returned by LocalAlloc.
+ ///
+ internal class LocalAllocHandle : SafeHandleZeroOrMinusOneIsInvalid
+ {
+ // Called by P/Invoke when returning SafeHandles
+ protected LocalAllocHandle()
+ : base(ownsHandle: true) { }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle()
+ {
+ Marshal.FreeHGlobal(handle); // actually calls LocalFree
+ return true;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs
similarity index 52%
rename from src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
rename to src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs
index 55275b556a..fff0f360f4 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/BCryptKeyHandle.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs
@@ -1,15 +1,14 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Security.DataProtection.SafeHandles { - internal sealed class BCryptKeyHandle : SafeHandleZeroOrMinusOneIsInvalid + internal sealed class NCryptDescriptorHandle : SafeHandleZeroOrMinusOneIsInvalid { - // Called by P/Invoke when returning SafeHandles - private BCryptKeyHandle() + private NCryptDescriptorHandle() : base(ownsHandle: true) { } @@ -17,7 +16,7 @@ namespace Microsoft.AspNet.Security.DataProtection // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. protected override bool ReleaseHandle() { - return (UnsafeNativeMethods.BCryptDestroyKey(handle) == 0); + return (UnsafeNativeMethods.NCryptCloseProtectionDescriptor(handle) == 0); } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs new file mode 100644 index 0000000000..c36caa7cdc --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs 
@@ -0,0 +1,30 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.AspNet.Security.DataProtection.SafeHandles
+{
+ internal sealed class SafeCertContextHandle : SafeHandleZeroOrMinusOneIsInvalid
+ {
+ private SafeCertContextHandle()
+ : base(ownsHandle: true)
+ {
+ }
+
+ public static SafeCertContextHandle CreateDuplicateFrom(IntPtr existingHandle)
+ {
+ SafeCertContextHandle newHandle = UnsafeNativeMethods.CertDuplicateCertificateContext(existingHandle);
+ CryptoUtil.AssertSafeHandleIsValid(newHandle);
+ return newHandle;
+ }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle()
+ {
+ return UnsafeNativeMethods.CertFreeCertificateContext(handle);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
similarity index 62%
rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs
rename to src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
index 1b8411a3a4..fe725ea4d2 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandleZeroOrMinusOneIsInvalid.cs
+++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
@@ -1,22 +1,27 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Runtime.InteropServices; -#if !NET45 -namespace Microsoft.Win32.SafeHandles { - internal abstract class SafeHandleZeroOrMinusOneIsInvalid : SafeHandle { +#if ASPNETCORE50 +namespace Microsoft.Win32.SafeHandles +{ + internal abstract class SafeHandleZeroOrMinusOneIsInvalid : SafeHandle + { // Called by P/Invoke when returning SafeHandles protected SafeHandleZeroOrMinusOneIsInvalid(bool ownsHandle) - : base(IntPtr.Zero, ownsHandle) { + : base(IntPtr.Zero, ownsHandle) + { } - public override bool IsInvalid { - get { + public override bool IsInvalid + { + get + { return (handle == IntPtr.Zero || handle == (IntPtr)(-1)); } } } } -#endif \ No newline at end of file +#endif diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs similarity index 61% rename from src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs rename to src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs index b1b7d6e0af..789edd4686 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; 
@@ -6,28 +6,38 @@ using System.Diagnostics; using System.Reflection; using System.Runtime.InteropServices; using System.Security; +using Microsoft.Win32.SafeHandles; -#if NET45 +#if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.Win32.SafeHandles +namespace Microsoft.AspNet.Security.DataProtection.SafeHandles { /// /// Represents a handle to a Windows module (DLL). /// - internal sealed class SafeLibraryHandle : SafeHandleZeroOrMinusOneIsInvalid + internal unsafe sealed class SafeLibraryHandle : SafeHandleZeroOrMinusOneIsInvalid { // Called by P/Invoke when returning SafeHandles private SafeLibraryHandle() : base(ownsHandle: true) { } + /// + /// Returns a value stating whether the library exports a given proc. + /// + public bool DoesProcExist(string lpProcName) + { + IntPtr pfnProc = UnsafeNativeMethods.GetProcAddress(this, lpProcName); + return (pfnProc != IntPtr.Zero); + } + /// /// Gets a delegate pointing to a given export from this library. /// public TDelegate GetProcAddress(string lpProcName, bool throwIfNotFound = true) where TDelegate : class { - Debug.Assert(typeof(TDelegate).GetTypeInfo().IsSubclassOf(typeof(Delegate)), "TDelegate must be a delegate type!"); + Debug.Assert(typeof(Delegate).IsAssignableFrom(typeof(TDelegate)), "TDelegate must be a delegate type!"); IntPtr pfnProc = UnsafeNativeMethods.GetProcAddress(this, lpProcName); if (pfnProc == IntPtr.Zero) @@ -42,7 +52,11 @@ namespace Microsoft.Win32.SafeHandles } } +#if ASPNETCORE50 + return Marshal.GetDelegateForFunctionPointer(pfnProc); +#else return (TDelegate)(object)Marshal.GetDelegateForFunctionPointer(pfnProc, typeof(TDelegate)); +#endif } /// 
@@ -63,13 +77,48 @@ namespace Microsoft.Win32.SafeHandles } } + /// + /// Formats a message string using the resource table in the specified library. + /// + public string FormatMessage(int messageId) + { + // from winbase.h + const uint FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x00000100; + const uint FORMAT_MESSAGE_FROM_HMODULE = 0x00000800; + const uint FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000; + const uint FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200; + + LocalAllocHandle messageHandle; + int numCharsOutput = UnsafeNativeMethods.FormatMessage( + dwFlags: FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, + lpSource: this, + dwMessageId: (uint)messageId, + dwLanguageId: 0 /* ignore current culture */, + lpBuffer: out messageHandle, + nSize: 0 /* unused */, + Arguments: IntPtr.Zero /* unused */); + + if (numCharsOutput != 0 && messageHandle != null && !messageHandle.IsInvalid) + { + // Successfully retrieved the message. + using (messageHandle) + { + return new String((char*)messageHandle.DangerousGetHandle(), 0, numCharsOutput).Trim(); + } + } + else + { + // Message not found - that's fine. + return null; + } + } + /// /// Opens a library. If 'filename' is not a fully-qualified path, the default search path is used. /// public static SafeLibraryHandle Open(string filename) { SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibrary(filename); - if (handle == null || handle.IsInvalid) { UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); 
@@ -83,62 +132,51 @@ namespace Microsoft.Win32.SafeHandles return UnsafeNativeMethods.FreeLibrary(handle); } +#if !ASPNETCORE50 [SuppressUnmanagedCodeSecurity] +#endif private static class UnsafeNativeMethods { -#if ASPNETCORE50 - private const string api_ms_win_core_libraryloader_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; -#else private const string KERNEL32_LIB = "kernel32.dll"; -#endif + + // http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx + [DllImport(KERNEL32_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] + public static extern int FormatMessage( + [In] uint dwFlags, + [In] SafeLibraryHandle lpSource, + [In] uint dwMessageId, + [In] uint dwLanguageId, + [Out] out LocalAllocHandle lpBuffer, + [In] uint nSize, + [In] IntPtr Arguments + ); + // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if ASPNETCORE50 - [DllImport(api_ms_win_core_libraryloader_LIB, ExactSpelling = true, SetLastError = true)] -#else - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] +#if !ASPNETCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif - public static extern bool FreeLibrary(IntPtr hModule); - + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] + internal static extern bool FreeLibrary(IntPtr hModule); // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if ASPNETCORE50 - [DllImport(api_ms_win_core_libraryloader_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#else [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#endif internal static extern bool GetModuleHandleEx( [In] uint dwFlags, [In] SafeLibraryHandle lpModuleName, // can point to a location within 
the module if GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS is set [Out] out IntPtr phModule); -#if ASPNETCORE50 - [DllImport(api_ms_win_core_libraryloader_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true, BestFitMapping = false, ThrowOnUnmappableChar = true)] -#else // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true, BestFitMapping = false, ThrowOnUnmappableChar = true)] -#endif - internal static extern IntPtr GetProcAddress( [In] SafeLibraryHandle hModule, [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); -#if ASPNETCORE50 - [DllImport(api_ms_win_core_libraryloader_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] - internal static extern SafeLibraryHandle LoadLibraryExW([In,MarshalAs(UnmanagedType.LPWStr)] string lpFileName, IntPtr hFile, uint dwFlags); - - internal static SafeLibraryHandle LoadLibrary(string lpFileName) - { - return LoadLibraryExW(lpFileName, IntPtr.Zero, 0); - } -#else // http://msdn.microsoft.com/en-us/library/ms684175(v=vs.85).aspx [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] internal static extern SafeLibraryHandle LoadLibrary( - [In, MarshalAs(UnmanagedType.LPWStr)]string lpFileName); -#endif + [In, MarshalAs(UnmanagedType.LPWStr)] string lpFileName); internal static void ThrowExceptionForLastWin32Error() { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs new file mode 100644 index 0000000000..6b2bacaf6e --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs 
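Review bot: With the `LoadLibraryExW` import removed in SafeLibraryHandle.cs, `LoadLibrary` is the only loader on every target, and for a bare file name it follows the default DLL search order, which may consult the application directory before System32. The same commit adds static fields in UnsafeNativeMethods.cs that call `SafeLibraryHandle.Open` with `"bcrypt.dll"`, `"crypt32.dll"` and `"ncrypt.dll"`, so a same-named DLL placed earlier in the search path could be mapped into the process that handles key material. Keeping the `LoadLibraryExW` import and restricting the lookup for these system libraries would close that off, for example `return LoadLibraryExW(lpFileName, IntPtr.Zero, 0x00000800 /* LOAD_LIBRARY_SEARCH_SYSTEM32 */);`. The `Open` doc comment should then say that system libraries are resolved from System32 only. `ThrowExceptionForLastWin32Error` continues outside this hunk.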
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+#if ASPNETCORE50
+namespace Microsoft.AspNet.Security.DataProtection.SafeHandles
+{
+ ///
+ /// Represents a managed view over an NCRYPT_KEY_HANDLE.
+ ///
+ internal class SafeNCryptKeyHandle : SafeHandleZeroOrMinusOneIsInvalid
+ {
+ // Called by P/Invoke when returning SafeHandles
+ protected SafeNCryptKeyHandle()
+ : base(ownsHandle: true) { }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle()
+ {
+ // TODO: Replace me with a real implementation on CoreClr.
+ throw new NotImplementedException();
+ }
+ }
+}
+#endif
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs
new file mode 100644
index 0000000000..34cca9d1e4
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs
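Review bot: `ReleaseHandle` in SafeNCryptKeyHandle.cs throws `NotImplementedException`, and SafeHandle calls that method from `Dispose` and from its critical finalizer. An exception there is unhandled on the finalizer thread and can terminate the process, and the native key handle is never freed. Until the CoreCLR implementation lands, the body should release the handle instead of throwing, for instance through a P/Invoke to `NCryptFreeObject` in ncrypt.dll and `return (status == 0);`, as the other handle classes in this commit do with their close functions. If that import cannot be added yet, `return false;` at least reports the failure without throwing.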
@@ -0,0 +1,68 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+using System.Security;
+
+#if !ASPNETCORE50
+using System.Runtime.ConstrainedExecution;
+#endif
+
+namespace Microsoft.AspNet.Security.DataProtection.SafeHandles
+{
+ ///
+ /// Represents a handle returned by LocalAlloc.
+ /// The memory will be zeroed out before it's freed.
+ ///
+ internal unsafe sealed class SecureLocalAllocHandle : LocalAllocHandle
+ {
+ private readonly IntPtr _cb;
+
+ private SecureLocalAllocHandle(IntPtr cb)
+ {
+ _cb = cb;
+ }
+
+ public IntPtr Length
+ {
+ get
+ {
+ return _cb;
+ }
+ }
+
+ ///
+ /// Allocates some amount of memory using LocalAlloc.
+ ///
+ public static SecureLocalAllocHandle Allocate(IntPtr cb)
+ {
+ SecureLocalAllocHandle newHandle = new SecureLocalAllocHandle(cb);
+ newHandle.AllocateImpl(cb);
+ return newHandle;
+ }
+
+#if !ASPNETCORE50
+ [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
+#endif
+ private void AllocateImpl(IntPtr cb)
+ {
+ handle = Marshal.AllocHGlobal(cb); // actually calls LocalAlloc
+ }
+
+ public SecureLocalAllocHandle Duplicate()
+ {
+ SecureLocalAllocHandle duplicateHandle = Allocate(_cb);
+ UnsafeBufferUtil.BlockCopy(from: this, to: duplicateHandle, length: _cb);
+ return duplicateHandle;
+ }
+
+ // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you.
+ protected override bool ReleaseHandle()
+ {
+ UnsafeBufferUtil.SecureZeroMemory((byte*)handle, _cb); // compiler won't optimize this away
+ return base.ReleaseHandle();
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs
new file mode 100644
index 0000000000..f081611b3f
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs @@ -0,0 +1,26 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal static class StringExtensions + { + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static uint GetTotalByteLengthIncludingNullTerminator(this string input) + { + if (input == null) + { + // degenerate case + return 0; + } + else + { + uint numChars = (uint)input.Length + 1U; // no overflow check necessary since Length is signed + return checked(numChars * sizeof(char)); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs b/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs deleted file mode 100644 index 44d277e244..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/SuppressUnmanagedCodeSecurityAttribute - Copy.cs +++ /dev/null @@ -1,13 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Runtime.InteropServices; - -#if !NET45 -namespace System.Security -{ - [AttributeUsage(AttributeTargets.All, AllowMultiple = true, Inherited = false)] - internal sealed class SuppressUnmanagedCodeSecurityAttribute : Attribute { } -} -#endif diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs new file mode 100644 index 0000000000..ef6a69bdbc --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs 
@@ -0,0 +1,241 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; +using System.Threading; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; + +#if !ASPNETCORE50 +using System.Runtime.ConstrainedExecution; +#endif + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal unsafe static class UnsafeBufferUtil + { + private static readonly byte[] _emptyArray = new byte[0]; + + [MethodImpl(MethodImplOptions.AggressiveInlining)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + public static void BlockCopy(void* from, void* to, int byteCount) + { + BlockCopy(from, to, checked((uint)byteCount)); // will be checked before invoking the delegate + } + + [MethodImpl(MethodImplOptions.AggressiveInlining)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + public static void BlockCopy(void* from, void* to, uint byteCount) + { + if (byteCount != 0) + { + BlockCopyImpl((byte*)from, (byte*)to, byteCount); + } + } + +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] +#endif + public static void BlockCopy(LocalAllocHandle from, void* to, uint byteCount) + { + bool refAdded = false; + try + { + from.DangerousAddRef(ref refAdded); + BlockCopy((void*)from.DangerousGetHandle(), to, byteCount); + } + finally + { + if (refAdded) + { + from.DangerousRelease(); + } + } + } + +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] +#endif + public static void BlockCopy(byte* from, LocalAllocHandle to, uint byteCount) + { + bool refAdded = false; + try + { + to.DangerousAddRef(ref refAdded); + BlockCopy(from, (void*)to.DangerousGetHandle(), byteCount); + } + finally + { + if (refAdded) + { + to.DangerousRelease(); 
+ } + } + } + +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] +#endif + public static void BlockCopy(LocalAllocHandle from, LocalAllocHandle to, IntPtr length) + { + if (length == IntPtr.Zero) + { + return; + } + + bool fromRefAdded = false; + bool toRefAdded = false; + try + { + from.DangerousAddRef(ref fromRefAdded); + to.DangerousAddRef(ref toRefAdded); + if (sizeof(IntPtr) == 4) + { + BlockCopyImpl(from: (byte*)from.DangerousGetHandle(), to: (byte*)to.DangerousGetHandle(), byteCount: (uint)length.ToInt32()); + } else + { + BlockCopyImpl(from: (byte*)from.DangerousGetHandle(), to: (byte*)to.DangerousGetHandle(), byteCount: (ulong)length.ToInt64()); + } + } + finally + { + if (fromRefAdded) + { + from.DangerousRelease(); + } + if (toRefAdded) + { + to.DangerousRelease(); + } + } + } + + [MethodImpl(MethodImplOptions.AggressiveInlining)] + private static void BlockCopyImpl(byte* from, byte* to, uint byteCount) + { +#if ASPNETCORE50 + Buffer.MemoryCopy(from, to, (ulong)byteCount, (ulong)byteCount); +#else + while (byteCount-- != 0) { + to[byteCount] = from[byteCount]; + } +#endif + } + + [MethodImpl(MethodImplOptions.AggressiveInlining)] + private static void BlockCopyImpl(byte* from, byte* to, ulong byteCount) + { +#if ASPNETCORE50 + Buffer.MemoryCopy(from, to, byteCount, byteCount); +#else + while (byteCount-- != 0) { + to[byteCount] = from[byteCount]; + } +#endif + } + + /// + /// Securely clears a memory buffer. + /// + [MethodImpl(MethodImplOptions.AggressiveInlining)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + public static void SecureZeroMemory(byte* buffer, int byteCount) + { + SecureZeroMemory(buffer, checked((uint)byteCount)); + } + + /// + /// Securely clears a memory buffer. 
+ /// + [MethodImpl(MethodImplOptions.AggressiveInlining)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + public static void SecureZeroMemory(byte* buffer, uint byteCount) + { + if (byteCount != 0) + { + do + { + buffer[--byteCount] = 0; + } while (byteCount != 0); + + // Volatile to make sure the zero-writes don't get optimized away + Volatile.Write(ref *buffer, 0); + } + } + + /// + /// Securely clears a memory buffer. + /// + [MethodImpl(MethodImplOptions.AggressiveInlining)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + public static void SecureZeroMemory(byte* buffer, ulong byteCount) + { + if (byteCount != 0) + { + do + { + buffer[--byteCount] = 0; + } while (byteCount != 0); + + // Volatile to make sure the zero-writes don't get optimized away + Volatile.Write(ref *buffer, 0); + } + } + + /// + /// Securely clears a memory buffer. + /// +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + public static void SecureZeroMemory(byte* buffer, IntPtr length) + { + if (sizeof(IntPtr) == 4) + { + SecureZeroMemory(buffer, (uint)length.ToInt32()); + } + else + { + SecureZeroMemory(buffer, (ulong)length.ToInt64()); + } + } + + /// + /// Creates a new managed byte[] from unmanaged memory. + /// + public static byte[] ToManagedByteArray(byte* ptr, int byteCount) + { + return ToManagedByteArray(ptr, checked((uint)byteCount)); + } + + /// + /// Creates a new managed byte[] from unmanaged memory. + /// + public static byte[] ToManagedByteArray(byte* ptr, uint byteCount) + { + if (byteCount == 0) + { + return _emptyArray; // degenerate case + } + else + { + byte[] bytes = new byte[byteCount]; + fixed (byte* pBytes = bytes) + { + BlockCopy(from: ptr, to: pBytes, byteCount: byteCount); + } + return bytes; + } + } + } +} 
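Review bot: The `IntPtr` overloads of `BlockCopy` and `SecureZeroMemory` in UnsafeBufferUtil.cs convert the length with plain casts, `(uint)length.ToInt32()` and `(ulong)length.ToInt64()`, so a negative length wraps to a very large count instead of failing. The `int` overloads in the same file already guard against this with `checked((uint)byteCount)`. Unless the project compiles with overflow checking enabled, which is not visible here, a bad length becomes an out-of-bounds copy or zeroing pass over unmanaged memory. Wrapping the casts the same way, `checked((uint)length.ToInt32())` and `checked((ulong)length.ToInt64())`, makes all four call sites fail fast. Neither overload compares the length with the size of the buffers behind the handles, so the doc comments should say that the caller is responsible for that.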
diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index 7b8081dc23..c3721ed328 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs @@ -1,22 +1,35 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Diagnostics; +using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security; +using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.Win32.SafeHandles; + +#if !ASPNETCORE50 +using System.Runtime.ConstrainedExecution; +#endif namespace Microsoft.AspNet.Security.DataProtection { +#if !ASPNETCORE50 [SuppressUnmanagedCodeSecurity] +#endif internal unsafe static class UnsafeNativeMethods { private const string BCRYPT_LIB = "bcrypt.dll"; + private static readonly SafeLibraryHandle _bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB); + private const string CRYPT32_LIB = "crypt32.dll"; - private const string NTDLL_LIB = "ntdll.dll"; - -#if !ASPNETCORE50 - private const string KERNEL32_LIB = "kernel32.dll"; -#endif + private static readonly SafeLibraryHandle _crypt32LibHandle = SafeLibraryHandle.Open(CRYPT32_LIB); + + private const string NCRYPT_LIB = "ncrypt.dll"; + private static readonly SafeLibraryHandle _ncryptLibHandle = SafeLibraryHandle.Open(NCRYPT_LIB); /* * BCRYPT.DLL 
@@ -45,7 +58,7 @@ namespace Microsoft.AspNet.Security.DataProtection [In] BCryptKeyHandle hKey, [In] byte* pbInput, [In] uint cbInput, - [In] IntPtr pPaddingInfo, + [In] void* pPaddingInfo, [In] byte* pbIV, [In] uint cbIV, [In] byte* pbOutput, @@ -67,11 +80,17 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx internal static extern int BCryptDestroyHash( [In] IntPtr hHash); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375404(v=vs.85).aspx internal static extern int BCryptDestroyKey( [In] IntPtr hKey); @@ -91,7 +110,7 @@ namespace Microsoft.AspNet.Security.DataProtection [In] BCryptKeyHandle hKey, [In] byte* pbInput, [In] uint cbInput, - [In] IntPtr pPaddingInfo, + [In] void* pPaddingInfo, [In] byte* pbIV, [In] uint cbIV, [In] byte* pbOutput, @@ -107,6 +126,17 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint cbOutput, [In] uint dwFlags); + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375453(v=vs.85).aspx + internal static extern int BCryptGenerateSymmetricKey( + [In] BCryptAlgorithmHandle hAlgorithm, + [Out] out BCryptKeyHandle phKey, + [In] IntPtr pbKeyObject, + [In] uint cbKeyObject, + [In] byte* pbSecret, + [In] uint cbSecret, + [In] uint dwFlags); + [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375458(v=vs.85).aspx internal static extern int BCryptGenRandom( 
@@ -116,22 +146,19 @@ namespace Microsoft.AspNet.Security.DataProtection [In] BCryptGenRandomFlags dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375468(v=vs.85).aspx - internal static extern int BCryptHashData( - [In] BCryptHashHandle hHash, - [In] byte* pbInput, - [In] uint cbInput, + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375464(v=vs.85).aspx + internal static extern int BCryptGetProperty( + [In] BCryptHandle hObject, + [In, MarshalAs(UnmanagedType.LPWStr)] string pszProperty, + [In] void* pbOutput, + [In] uint cbOutput, + [Out] out uint pcbResult, [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375475(v=vs.85).aspx - internal static extern int BCryptImportKey( - [In] BCryptAlgorithmHandle hAlgorithm, - [In] IntPtr hImportKey, // unused - [In, MarshalAs(UnmanagedType.LPWStr)] string pszBlobType, - [Out] out BCryptKeyHandle phKey, - [In] IntPtr pbKeyObject, // unused - [In] uint cbKeyObject, + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375468(v=vs.85).aspx + internal static extern int BCryptHashData( + [In] BCryptHashHandle hHash, [In] byte* pbInput, [In] uint cbInput, [In] uint dwFlags); 
@@ -152,14 +179,14 @@ namespace Microsoft.AspNet.Security.DataProtection [Out] out BCryptAlgorithmHandle phAlgorithm, [In, MarshalAs(UnmanagedType.LPWStr)] string pszAlgId, [In, MarshalAs(UnmanagedType.LPWStr)] string pszImplementation, - [In] BCryptAlgorithmFlags dwFlags); + [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375504(v=vs.85).aspx internal static extern int BCryptSetProperty( - [In] SafeHandle hObject, + [In] BCryptHandle hObject, [In, MarshalAs(UnmanagedType.LPWStr)] string pszProperty, - [In] IntPtr pbInput, + [In] void* pbInput, [In] uint cbInput, [In] uint dwFlags); 
@@ -167,6 +194,43 @@ namespace Microsoft.AspNet.Security.DataProtection * CRYPT32.DLL */ + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376045(v=vs.85).aspx + internal static extern SafeCertContextHandle CertDuplicateCertificateContext( + [In] IntPtr pCertContext); + + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#endif + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376075(v=vs.85).aspx + internal static extern bool CertFreeCertificateContext( + [In] IntPtr pCertContext); + + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376079(v=vs.85).aspx + internal static extern bool CertGetCertificateContextProperty( + [In] SafeCertContextHandle pCertContext, + [In] uint dwPropId, + [In] void* pvData, + [In, Out] ref uint pcbData); + + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379885(v=vs.85).aspx +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] +#endif + internal static extern bool CryptAcquireCertificatePrivateKey( + [In] SafeCertContextHandle pCert, + [In] uint dwFlags, + [In] void* pvParameters, + [Out] out SafeNCryptKeyHandle phCryptProvOrNCryptKey, + [Out] out uint pdwKeySpec, + [Out] out bool pfCallerFreeProvOrNCryptKey); + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx internal static extern bool CryptProtectData( 
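Review bot: `CryptAcquireCertificatePrivateKey` is declared with `out SafeNCryptKeyHandle phCryptProvOrNCryptKey`, but the native function reports through `pfCallerFreeProvOrNCryptKey` whether the caller may free the handle and, depending on `dwFlags`, can return a CAPI provider handle rather than an NCrypt key. A SafeHandle releases whatever it holds, so callers have to request NCrypt keys only and call `SetHandleAsInvalid()` when the free flag comes back false; the call sites are outside this hunk, so this needs confirming there. I would record the contract on the declaration: `// Callers must pass CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG and must not release the handle when pfCallerFreeProvOrNCryptKey is false.`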
@@ -178,13 +242,6 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint dwFlags, [Out] out DATA_BLOB pDataOut); - [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380262(v=vs.85).aspx - internal static extern bool CryptProtectMemory( - [In] byte* pData, - [In] uint cbData, - [In] uint dwFlags); - [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx internal static extern bool CryptUnprotectData( 
@@ -196,23 +253,131 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint dwFlags, [Out] out DATA_BLOB pDataOut); + /* + * CRYPT32.DLL + */ + + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380262(v=vs.85).aspx [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + public static extern bool CryptProtectMemory( + [In] SafeHandle pData, + [In] uint cbData, + [In] uint dwFlags); + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380890(v=vs.85).aspx - internal static extern bool CryptUnprotectMemory( + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + public static extern bool CryptUnprotectMemory( [In] byte* pData, [In] uint cbData, [In] uint dwFlags); -#if ASPNETCORE50 - [DllImport(NTDLL_LIB)] - internal static extern void RtlZeroMemory( - [In] IntPtr Destination, - [In] UIntPtr /* SIZE_T */ Length); -#else - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi)] - internal static extern void RtlZeroMemory( - [In] IntPtr Destination, - [In] UIntPtr /* SIZE_T */ Length); + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380890(v=vs.85).aspx + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + public static extern bool CryptUnprotectMemory( + [In] SafeHandle pData, + [In] uint cbData, + [In] uint dwFlags); + + /* + * NCRYPT.DLL + */ + + [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] +#if !ASPNETCORE50 + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif + // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706799(v=vs.85).aspx + internal static extern int NCryptCloseProtectionDescriptor( + [In] IntPtr hDescriptor); + + [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx + internal static extern int 
NCryptCreateProtectionDescriptor( + [In, MarshalAs(UnmanagedType.LPWStr)] string pwszDescriptorString, + [In] uint dwFlags, + [Out] out NCryptDescriptorHandle phDescriptor); + + [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376249(v=vs.85).aspx + internal static extern int NCryptDecrypt( + [In] SafeNCryptKeyHandle hKey, + [In] byte* pbInput, + [In] uint cbInput, + [In] void* pPaddingInfo, + [In] byte* pbOutput, + [In] uint cbOutput, + [Out] out uint pcbResult, + [In] NCryptEncryptFlags dwFlags); + + [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706802(v=vs.85).aspx + internal static extern int NCryptProtectSecret( + [In] NCryptDescriptorHandle hDescriptor, + [In] uint dwFlags, + [In] byte* pbData, + [In] uint cbData, + [In] IntPtr pMemPara, + [In] IntPtr hWnd, + [Out] out LocalAllocHandle ppbProtectedBlob, + [Out] out uint pcbProtectedBlob); + + [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706811(v=vs.85).aspx + internal static extern int NCryptUnprotectSecret( + [In] IntPtr phDescriptor, + [In] uint dwFlags, + [In] byte* pbProtectedBlob, + [In] uint cbProtectedBlob, + [In] IntPtr pMemPara, + [In] IntPtr hWnd, + [Out] out LocalAllocHandle ppbData, + [Out] out uint pcbData); + + /* + * HELPER FUNCTIONS + */ + + [MethodImpl(MethodImplOptions.AggressiveInlining)] + internal static void ThrowExceptionForBCryptStatus(int ntstatus) + { + // This wrapper method exists because 'throw' statements won't always be inlined. 
+ if (ntstatus != 0) + { + ThrowExceptionForBCryptStatusImpl(ntstatus); + } + } + + [MethodImpl(MethodImplOptions.NoInlining)] + private static void ThrowExceptionForBCryptStatusImpl(int ntstatus) + { + string message = _bcryptLibHandle.FormatMessage(ntstatus); + throw new CryptographicException(message); + } + + public static void ThrowExceptionForLastCrypt32Error() + { + int lastError = Marshal.GetLastWin32Error(); + Debug.Assert(lastError != 0, "This method should only be called if there was an error."); + + string message = _crypt32LibHandle.FormatMessage(lastError); + throw new CryptographicException(message); + } + + [MethodImpl(MethodImplOptions.AggressiveInlining)] + internal static void ThrowExceptionForNCryptStatus(int ntstatus) + { + // This wrapper method exists because 'throw' statements won't always be inlined. + if (ntstatus != 0) + { + ThrowExceptionForNCryptStatusImpl(ntstatus); + } + } + + [MethodImpl(MethodImplOptions.NoInlining)] + private static void ThrowExceptionForNCryptStatusImpl(int ntstatus) + { + string message = _ncryptLibHandle.FormatMessage(ntstatus); + throw new CryptographicException(message); + } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs deleted file mode 100644 index bc56d1a15e..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/Util/BufferUtil.cs +++ /dev/null 
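Review bot: `ThrowExceptionForBCryptStatusImpl`, `ThrowExceptionForLastCrypt32Error` and `ThrowExceptionForNCryptStatusImpl` build the `CryptographicException` from the formatted message alone, so the NTSTATUS or Win32 code never reaches callers or logs. Appending the code keeps failures diagnosable even if no message text is found for it, e.g. `throw new CryptographicException(message + " (0x" + ntstatus.ToString("X8") + ")");`. `ThrowExceptionForLastCrypt32Error` also guards `lastError != 0` only with `Debug.Assert`, so a release build would throw with whatever text is formatted for code 0. It is declared `public` with no `MethodImpl` attribute, where the other helpers are `internal` or `private`.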
@@ -1,113 +0,0 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
-// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-
-using System;
-using System.Runtime.CompilerServices;
-using System.Security.Cryptography;
-
-namespace Microsoft.AspNet.Security.DataProtection.Util
-{
- internal unsafe static class BufferUtil
- {
- private static readonly byte[] _emptyArray = new byte[0];
-
- [MethodImpl(MethodImplOptions.AggressiveInlining)]
- public static void BlockCopy(void* from, void* to, int byteCount)
- {
- BlockCopy(from, to, checked((uint)byteCount)); // will be checked before invoking the delegate
- }
-
- [MethodImpl(MethodImplOptions.AggressiveInlining)]
- public static void BlockCopy(void* from, void* to, uint byteCount)
- {
- if (byteCount != 0)
- {
-#if NET45
- BlockCopySlow((byte*)from, (byte*)to, byteCount);
-#else
- Buffer.MemoryCopy(source: from, destination: to, destinationSizeInBytes: byteCount, sourceBytesToCopy: byteCount);
-#endif
- }
- }
-
-#if NET45
- [MethodImpl(MethodImplOptions.AggressiveInlining)]
- public static void BlockCopySlow(byte* from, byte* to, uint byteCount)
- {
- while (byteCount-- != 0)
- {
- *(to++) = *(from++);
- }
- }
-#endif
-
- ///
- /// Securely clears a memory buffer.
- ///
- [MethodImpl(MethodImplOptions.AggressiveInlining)]
- public static void SecureZeroMemory(byte* buffer, int byteCount)
- {
- SecureZeroMemory(buffer, checked((uint)byteCount));
- }
-
- ///
- /// Securely clears a memory buffer.
- ///
- [MethodImpl(MethodImplOptions.AggressiveInlining)]
- public static void SecureZeroMemory(byte* buffer, uint byteCount)
- {
- UnsafeNativeMethods.RtlZeroMemory((IntPtr)buffer, (UIntPtr)byteCount);
- }
-
- ///
- /// Creates a new managed byte[] from unmanaged memory.
- ///
- public static byte[] ToManagedByteArray(byte* ptr, int byteCount)
- {
- return ToManagedByteArray(ptr, checked((uint)byteCount));
- }
-
- ///
- /// Creates a new managed byte[] from unmanaged memory.
- ///
- public static byte[] ToManagedByteArray(byte* ptr, uint byteCount)
- {
- if (byteCount == 0)
- {
- return _emptyArray; // degenerate case
- }
- else
- {
- byte[] bytes = new byte[byteCount];
- fixed (byte* pBytes = bytes)
- {
- BlockCopy(from: ptr, to: pBytes, byteCount: byteCount);
- }
- return bytes;
- }
- }
-
- ///
- /// Creates a new managed byte[] from unmanaged memory. The returned value will be protected
- /// by CryptProtectMemory.
- ///
- public static byte[] ToProtectedManagedByteArray(byte* ptr, int byteCount)
- {
- byte[] bytes = new byte[byteCount];
- fixed (byte* pBytes = bytes)
- {
- try
- {
- BlockCopy(from: ptr, to: pBytes, byteCount: byteCount);
- BCryptUtil.ProtectMemoryWithinThisProcess(pBytes, (uint)byteCount);
- }
- catch
- {
- SecureZeroMemory(pBytes, byteCount);
- throw;
- }
- }
- return bytes;
- }
- }
-}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs deleted file mode 100644
index ebf1aa2462..0000000000
--- a/src/Microsoft.AspNet.Security.DataProtection/Util/ByteArrayExtensions.cs
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
-// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-
-using System;
-using System.Diagnostics;
-
-namespace Microsoft.AspNet.Security.DataProtection.Util
-{
- ///
- /// Defines helper methods for working with fixed expression blocks.
- ///
- internal static class ByteArrayExtensions
- {
- private static readonly byte[] _dummyBuffer = new byte[1];
-
- // Since the 'fixed' keyword turns a zero-length array into a pointer, we need
- // to make sure we're always providing a buffer of length >= 1 so that the
- // p/invoke methods we pass the pointers to don't see a null pointer. Callers
- // are still responsible for passing a proper length to the p/invoke routines.
- public static byte[] AsFixed(this byte[] buffer)
- {
- Debug.Assert(buffer != null);
- return (buffer.Length != 0) ? buffer : _dummyBuffer;
- }
- }
-}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs deleted file mode 100644
index cd2e672c73..0000000000
--- a/src/Microsoft.AspNet.Security.DataProtection/Util/MemoryUtil.cs
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
-// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-
-using System;
-using System.Runtime.CompilerServices;
-
-namespace Microsoft.AspNet.Security.DataProtection.Util
-{
- internal unsafe static class MemoryUtil
- {
- ///
- /// Writes an Int32 to a potentially unaligned memory address, big-endian.
- ///
- [MethodImpl(MethodImplOptions.AggressiveInlining)]
- public static void UnalignedWriteBigEndian(byte* address, uint value)
- {
- *(address++) = (byte)(value >> 24);
- *(address++) = (byte)(value >> 16);
- *(address++) = (byte)(value >> 8);
- *(address) = (byte)value;
- }
- }
-}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs b/src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs new file mode 100644
index 0000000000..638fdc6231
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs
@@ -0,0 +1,56 @@
+using System;
+using System.Diagnostics;
+using System.Threading;
+
+namespace Microsoft.AspNet.Security.DataProtection
+{
+ internal static class WeakReferenceHelpers
+ {
+ public static T GetSharedInstance(ref WeakReference weakReference, Func factory)
+ where T : class, IDisposable
+ {
+ // First, see if the WR already exists and points to a live object.
+ WeakReference existingWeakRef = Volatile.Read(ref weakReference);
+ T newTarget = null;
+ WeakReference newWeakRef = null;
+
+ while (true)
+ {
+ if (existingWeakRef != null)
+ {
+ T existingTarget;
+ if (weakReference.TryGetTarget(out existingTarget))
+ {
+ // If we created a new target on a previous iteration of the loop but we
+ // weren't able to store the target into the desired location, dispose of it now.
+ newTarget?.Dispose();
+ return existingTarget;
+ }
+ }
+
+ // If the existing WR didn't point anywhere useful and this is our
+ // first iteration through the loop, create the new target and WR now.
+ if (newTarget == null)
+ {
+ newTarget = factory();
+ Debug.Assert(newTarget != null);
+ newWeakRef = new WeakReference(newTarget);
+ }
+ Debug.Assert(newWeakRef != null);
+
+ // Try replacing the existing WR with our newly-created one.
+ WeakReference currentWeakRef = Interlocked.CompareExchange(ref weakReference, newWeakRef, existingWeakRef);
+ if (ReferenceEquals(currentWeakRef, existingWeakRef))
+ {
+ // success, 'weakReference' now points to our newly-created WR
+ return newTarget;
+ }
+
+ // If we got to this point, somebody beat us to creating a new WR.
+ // We'll loop around and check it for validity.
+ Debug.Assert(currentWeakRef != null);
+ existingWeakRef = currentWeakRef;
+ }
+ }
+ }
+}
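Review bot: Inside the loop the liveness check calls `weakReference.TryGetTarget(out existingTarget)`, which re-reads the shared `ref` location without a volatile read, while the null test around it and the later `CompareExchange` comparand both use the local `existingWeakRef`. The check should go through the snapshot, `if (existingWeakRef.TryGetTarget(out existingTarget))`, so that the reference tested for null is the one that is dereferenced and compared. The method also has no doc comment; a summary saying that `factory` may run and have its result disposed when another thread wins the race would help callers whose factory has side effects.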
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs new file mode 100644
index 0000000000..e9a4388de3
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Xml.Linq;
+
+namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption
+{
+ ///
+ /// A class that performs XML encryption using an X.509 certificate.
+ ///
+ ///
+ /// This type currently requires Windows 8.1 (Windows Server 2012 R2) or higher.
+ ///
+ public sealed class CertificateXmlEncryptor : IXmlEncryptor
+ {
+ private readonly DpapiNGXmlEncryptor _dpapiEncryptor;
+
+ public CertificateXmlEncryptor([NotNull] X509Certificate2 cert)
+ {
+ byte[] certAsBytes = cert.Export(X509ContentType.Cert);
+ string protectionDescriptor = "CERTIFICATE=CertBlob:" + Convert.ToBase64String(certAsBytes);
+ _dpapiEncryptor = new DpapiNGXmlEncryptor(protectionDescriptor, DpapiNGProtectionDescriptorFlags.None);
+ }
+
+ ///
+ /// Encrypts the specified XML element using an X.509 certificate.
+ ///
+ /// The plaintext XML element to encrypt. This element is unchanged by the method.
+ /// The encrypted form of the XML element.
+ public XElement Encrypt([NotNull] XElement plaintextElement)
+ {
+ return _dpapiEncryptor.Encrypt(plaintextElement);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs new file mode 100644
index 0000000000..410ce331c2
--- /dev/null
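Review bot: The `CertificateXmlEncryptor` constructor has no doc comment, although it decides what the encryptor protects to: it exports only `X509ContentType.Cert` and embeds the result in a `CERTIFICATE=CertBlob:` descriptor. I would add a summary line such as `/// Creates an encryptor that protects to the given certificate; only the public certificate is exported into the DPAPI:NG descriptor.` The wrapped `DpapiNGXmlEncryptor` holds an `NCryptDescriptorHandle` and neither class is `IDisposable`, so release of the native descriptor is presumably left to the handle's finalizer, which is worth a remark in the class comment.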
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
@@ -0,0 +1,16 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption
+{
+ // from ncrypt.h and ncryptprotect.h
+ [Flags]
+ public enum DpapiNGProtectionDescriptorFlags
+ {
+ None = 0,
+ NamedDescriptor = 0x00000001,
+ MachineKey = 0x00000020,
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs new file mode 100644
index 0000000000..d0c2f8bade
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
@@ -0,0 +1,48 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.Cng;
+
+namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption
+{
+ ///
+ /// A class that can decrypt XML elements which were encrypted using Windows DPAPI:NG.
+ ///
+ internal unsafe sealed class DpapiNGXmlDecryptor : IXmlDecryptor
+ {
+ ///
+ /// Decrypts the specified XML element using Windows DPAPI:NG.
+ ///
+ /// The encrypted XML element to decrypt. This element is unchanged by the method.
+ /// The decrypted form of the XML element.
+ public XElement Decrypt([NotNull] XElement encryptedElement)
+ {
+ CryptoUtil.Assert(encryptedElement.Name == DpapiNGXmlEncryptor.DpapiNGEncryptedSecretElementName,
+ "TODO: Incorrect element.");
+
+ int version = (int)encryptedElement.Attribute("version");
+ CryptoUtil.Assert(version == 1, "TODO: Bad version.");
+
+ byte[] dpapiNGProtectedBytes = Convert.FromBase64String(encryptedElement.Value);
+ using (var secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(dpapiNGProtectedBytes))
+ {
+ byte[] plaintextXmlBytes = new byte[secret.Length];
+ try
+ {
+ secret.WriteSecretIntoBuffer(new ArraySegment(plaintextXmlBytes));
+ using (var memoryStream = new MemoryStream(plaintextXmlBytes, writable: false))
+ {
+ return XElement.Load(memoryStream);
+ }
+ }
+ finally
+ {
+ Array.Clear(plaintextXmlBytes, 0, plaintextXmlBytes.Length);
+ }
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs new file mode 100644
index 0000000000..bb123d73b3
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
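Review bot: In `Decrypt`, `(int)encryptedElement.Attribute("version")` runs before any presence check, so an element with no `version` attribute fails inside the XAttribute conversion rather than at the `CryptoUtil.Assert` on the next line, and `Convert.FromBase64String` is likewise fed the element value unchecked. This XML is presumably read back from stored key material, so malformed input should reach the assert: `int? version = (int?)encryptedElement.Attribute("version");` followed by the existing `CryptoUtil.Assert(version == 1, "TODO: Bad version.");`. The class is also marked `unsafe` although no pointer is used in it. The same points apply to `DpapiXmlDecryptor.Decrypt`, added later in this commit.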
@@ -0,0 +1,95 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Globalization;
+using System.IO;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.Cng;
+using Microsoft.AspNet.Security.DataProtection.KeyManagement;
+using Microsoft.AspNet.Security.DataProtection.SafeHandles;
+
+#if !ASPNETCORE50
+using System.Security.Principal;
+#endif
+
+namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption
+{
+ ///
+ /// A class that can encrypt XML elements using Windows DPAPI:NG.
+ ///
+ public sealed class DpapiNGXmlEncryptor : IXmlEncryptor
+ {
+ internal static readonly XName DpapiNGEncryptedSecretElementName = XmlKeyManager.KeyManagementXmlNamespace.GetName("dpapiNGEncryptedSecret");
+
+ private readonly NCryptDescriptorHandle _protectionDescriptorHandle;
+
+ public DpapiNGXmlEncryptor()
+ : this(GetDefaultProtectionDescriptorString(), DpapiNGProtectionDescriptorFlags.None)
+ {
+ }
+
+ public DpapiNGXmlEncryptor(string protectionDescriptor, DpapiNGProtectionDescriptorFlags protectionDescriptorFlags = DpapiNGProtectionDescriptorFlags.None)
+ {
+ if (String.IsNullOrEmpty(protectionDescriptor))
+ {
+ throw new Exception("TODO: Null or empty.");
+ }
+
+ int ntstatus = UnsafeNativeMethods.NCryptCreateProtectionDescriptor(protectionDescriptor, (uint)protectionDescriptorFlags, out _protectionDescriptorHandle);
+ UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus);
+ CryptoUtil.AssertSafeHandleIsValid(_protectionDescriptorHandle);
+ }
+
+ ///
+ /// Encrypts the specified XML element using Windows DPAPI:NG.
+ ///
+ /// The plaintext XML element to encrypt. This element is unchanged by the method.
+ /// The encrypted form of the XML element.
+ public XElement Encrypt([NotNull] XElement plaintextElement)
+ {
+ // First, convert the XML element to a byte[] so that it can be encrypted.
+ ProtectedMemoryBlob secret;
+ using (var memoryStream = new MemoryStream())
+ {
+ plaintextElement.Save(memoryStream);
+
+#if !ASPNETCORE50
+ // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization.
+ byte[] underlyingBuffer = memoryStream.GetBuffer();
+ secret = new ProtectedMemoryBlob(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length)));
+ Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length);
+#else
+ // Otherwise, need to make a copy of the buffer.
+ byte[] clonedBuffer = memoryStream.ToArray();
+ secret = new ProtectedMemoryBlob(clonedBuffer);
+ Array.Clear(clonedBuffer, 0, clonedBuffer.Length);
+#endif
+ }
+
+ //
+ // ... base64 data ...
+ //
+ byte[] encryptedBytes = DpapiSecretSerializerHelper.ProtectWithDpapiNG(secret, _protectionDescriptorHandle);
+ return new XElement(DpapiNGEncryptedSecretElementName,
+ new XAttribute("decryptor", typeof(DpapiNGXmlDecryptor).AssemblyQualifiedName),
+ new XAttribute("version", 1),
+ Convert.ToBase64String(encryptedBytes));
+ }
+
+ private static string GetDefaultProtectionDescriptorString()
+ {
+#if !ASPNETCORE50
+ // Creates a SID=... protection descriptor string for the current user.
+ // Reminder: DPAPI:NG provides only encryption, not authentication.
+ using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent())
+ {
+ // use the SID to create an SDDL string
+ return String.Format(CultureInfo.InvariantCulture, "SID={0}", currentIdentity.User.Value);
+ }
+#else
+ throw new NotImplementedException("TODO: Doesn't yet work on Core CLR.");
+#endif
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs new file mode 100644
index 0000000000..e6376dbec0
--- /dev/null
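Review bot: In `Encrypt`, the scrubbing of the serialized plaintext covers less than the code suggests: `new MemoryStream()` starts empty and grows while `Save` writes, so on the desktop path only the final buffer returned by `GetBuffer()` is cleared and the smaller buffers it replaced keep plaintext until they are collected. On the `#else` path the `ToArray()` copy is cleared but the stream's own buffer is not. I would state the limit next to the `Array.Clear` calls: `// Best effort only: buffers the MemoryStream discarded while growing (and its internal buffer on Core CLR) are not cleared.` `DpapiXmlEncryptor.Encrypt`, added later in this commit, has the same code. Separately, the constructor's `throw new Exception("TODO: Null or empty.")` would be better as an `ArgumentException` naming `protectionDescriptor`.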
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
@@ -0,0 +1,48 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.Cng;
+
+namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption
+{
+ ///
+ /// A class that can decrypt XML elements which were encrypted using Windows DPAPI.
+ ///
+ internal unsafe sealed class DpapiXmlDecryptor : IXmlDecryptor
+ {
+ ///
+ /// Decrypts the specified XML element using Windows DPAPI.
+ ///
+ /// The encrypted XML element to decrypt. This element is unchanged by the method.
+ /// The decrypted form of the XML element.
+ public XElement Decrypt([NotNull] XElement encryptedElement)
+ {
+ CryptoUtil.Assert(encryptedElement.Name == DpapiXmlEncryptor.DpapiEncryptedSecretElementName,
+ "TODO: Incorrect element.");
+
+ int version = (int)encryptedElement.Attribute("version");
+ CryptoUtil.Assert(version == 1, "TODO: Bad version.");
+
+ byte[] dpapiProtectedBytes = Convert.FromBase64String(encryptedElement.Value);
+ using (var secret = DpapiSecretSerializerHelper.UnprotectWithDpapi(dpapiProtectedBytes))
+ {
+ byte[] plaintextXmlBytes = new byte[secret.Length];
+ try
+ {
+ secret.WriteSecretIntoBuffer(new ArraySegment(plaintextXmlBytes));
+ using (var memoryStream = new MemoryStream(plaintextXmlBytes, writable: false))
+ {
+ return XElement.Load(memoryStream);
+ }
+ }
+ finally
+ {
+ Array.Clear(plaintextXmlBytes, 0, plaintextXmlBytes.Length);
+ }
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs new file mode 100644
index 0000000000..718758673f
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs 
@@ -0,0 +1,55 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Xml.Linq;
+using Microsoft.AspNet.Security.DataProtection.Cng;
+using Microsoft.AspNet.Security.DataProtection.KeyManagement;
+
+namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption
+{
+ ///
+ /// A class that can encrypt XML elements using Windows DPAPI.
+ ///
+ public sealed class DpapiXmlEncryptor : IXmlEncryptor
+ {
+ internal static readonly XName DpapiEncryptedSecretElementName = XmlKeyManager.KeyManagementXmlNamespace.GetName("dpapiEncryptedSecret");
+
+ ///
+ /// Encrypts the specified XML element using Windows DPAPI.
+ ///
+ /// The plaintext XML element to encrypt. This element is unchanged by the method.
+ /// The encrypted form of the XML element.
+ public XElement Encrypt([NotNull] XElement plaintextElement)
+ {
+ // First, convert the XML element to a byte[] so that it can be encrypted.
+ ProtectedMemoryBlob secret;
+ using (var memoryStream = new MemoryStream())
+ {
+ plaintextElement.Save(memoryStream);
+
+#if !ASPNETCORE50
+ // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization.
+ byte[] underlyingBuffer = memoryStream.GetBuffer();
+ secret = new ProtectedMemoryBlob(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length)));
+ Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length);
+#else
+ // Otherwise, need to make a copy of the buffer.
+ byte[] clonedBuffer = memoryStream.ToArray();
+ secret = new ProtectedMemoryBlob(clonedBuffer);
+ Array.Clear(clonedBuffer, 0, clonedBuffer.Length);
+#endif
+ }
+
+ //
+ // ... base64 data ...
+ //
+ byte[] encryptedBytes = DpapiSecretSerializerHelper.ProtectWithDpapi(secret);
+ return new XElement(DpapiEncryptedSecretElementName,
+ new XAttribute("decryptor", typeof(DpapiXmlDecryptor).AssemblyQualifiedName),
+ new XAttribute("version", 1),
+ Convert.ToBase64String(encryptedBytes));
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlDecryptor.cs new file mode 100644
index 0000000000..7002cff30c
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlDecryptor.cs
@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+
+namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption
+{
+ ///
+ /// The basic interface for decrypting an XML element.
+ ///
+ public interface IXmlDecryptor
+ {
+ ///
+ /// Decrypts the specified XML element.
+ ///
+ /// The encrypted XML element to decrypt. This element is unchanged by the method.
+ /// The decrypted form of the XML element.
+ XElement Decrypt(XElement encryptedElement);
+ }
+}
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlEncryptor.cs new file mode 100644
index 0000000000..733f60739b
--- /dev/null
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlEncryptor.cs
@@ -0,0 +1,21 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; + +namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +{ + /// + /// The basic interface for encrypting an XML element. + /// + public interface IXmlEncryptor + { + /// + /// Encrypts the specified XML element. + /// + /// The plaintext XML element to encrypt. This element is unchanged by the method. + /// The encrypted form of the XML element. + XElement Encrypt(XElement plaintextElement); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs new file mode 100644 index 0000000000..f2dae82986 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs @@ -0,0 +1,23 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Linq; +using System.Xml.Linq; + +namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +{ + /// + /// A class that can decrypt XML elements which were encrypted using a null encryptor. + /// + internal unsafe sealed class NullXmlDecryptor : IXmlDecryptor + { + public XElement Decrypt([NotNull] XElement encryptedElement) + { + CryptoUtil.Assert(encryptedElement.Name == NullXmlEncryptor.NullEncryptedSecretElementName, + "TODO: Incorrect element."); + + return encryptedElement.Elements().Single(); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlEncryptor.cs new file mode 100644 index 0000000000..3a0c1f09ae --- /dev/null 
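Review bot: In `NullXmlDecryptor.Decrypt`, `encryptedElement.Elements().Single()` throws a bare InvalidOperationException when the stored element has no child or more than one, and the assertion message above it is still the placeholder `"TODO: Incorrect element."`. This XML is read back from a key repository, so a malformed or hand-edited entry should fail with a message that names the expected element and child count. The `unsafe` modifier is also unnecessary, because nothing in the class uses pointers; `internal sealed class NullXmlDecryptor : IXmlDecryptor` is enough.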
+++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlEncryptor.cs @@ -0,0 +1,32 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.Security.DataProtection.KeyManagement; + +namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +{ + /// + /// A class that performs null XML encryption (just returns the plaintext). + /// + public sealed class NullXmlEncryptor : IXmlEncryptor + { + internal static readonly XName NullEncryptedSecretElementName = XmlKeyManager.KeyManagementXmlNamespace.GetName("nullEncryptedSecret"); + + /// + /// Encrypts the specified XML element using a null encryptor. + /// + /// The plaintext XML element to encrypt. This element is unchanged by the method. + /// The null-encrypted form of the XML element. + public XElement Encrypt([NotNull] XElement plaintextElement) + { + // + // + // + return new XElement(NullEncryptedSecretElementName, + new XAttribute("decryptor", typeof(NullXmlDecryptor).AssemblyQualifiedName), + plaintextElement); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 0c20fb3aee..b7a1aad940 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json 
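Review bot: The XML docs on `NullXmlEncryptor` do not warn that the returned element embeds `plaintextElement` unchanged, so whatever is stored through this encryptor (key material, judging by the `nullEncryptedSecret` element name) sits in the repository unprotected. Since the class is public, I would add a remark such as `/// <remarks>Provides no confidentiality; the plaintext is stored as-is. Use only where the key repository is itself protected.</remarks>`. Separately, the `decryptor` attribute records an assembly-qualified type name, here and in `DpapiXmlEncryptor`. The code that reads it back is outside this hunk, and it should only activate types that implement `IXmlDecryptor`.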
@@ -1,29 +1,58 @@ { - "version": "1.0.0-*", - "frameworks": { - "net45": { - "frameworkAssemblies": { - "System.Security": "" + "version": "1.0.0-*", + "frameworks": { + "net451": { + "dependencies": { + "Microsoft.Framework.DependencyInjection": "1.0.0-*", + "Microsoft.Framework.OptionsModel": "1.0.0-*" + }, + "frameworkAssemblies": { + "System.Security": "4.0.0.0", + "System.Xml": "4.0.0.0", + "System.Xml.Linq": "4.0.0.0" + } + }, + "aspnet50": { + "dependencies": { + "Microsoft.Framework.DependencyInjection": "1.0.0-*", + "Microsoft.Framework.OptionsModel": "1.0.0-*" + }, + "frameworkAssemblies": { + "System.Security": "4.0.0.0", + "System.Xml": "4.0.0.0", + "System.Xml.Linq": "4.0.0.0" + } + }, + "aspnetcore50": { + "dependencies": { + "Microsoft.Framework.DependencyInjection": "1.0.0-*", + "Microsoft.Framework.OptionsModel": "1.0.0-*", + "System.Diagnostics.Debug": "4.0.10-beta-*", + "System.Diagnostics.Tools": "4.0.0-beta-*", + "System.Globalization": "4.0.10-beta-*", + "System.IO.FileSystem": "4.0.0-beta-*", + "System.Linq": "4.0.0-beta-*", + "System.Reflection": "4.0.10-beta-*", + "System.Reflection.TypeExtensions": "4.0.0-beta-*", + "System.Resources.ResourceManager": "4.0.0-beta-*", + "System.Runtime": "4.0.20-beta-*", + "System.Runtime.Extensions": "4.0.10-beta-*", + "System.Runtime.Handles": "4.0.0-beta-*", + "System.Runtime.InteropServices": "4.0.20-beta-*", + "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", + "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", + "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", + "System.Security.Cryptography.RandomNumberGenerator": "4.0.0-beta-*", + "System.Text.Encoding.Extensions": "4.0.10-beta-*", + "System.Threading": "4.0.0-beta-*", + "System.Xml.XDocument": "4.0.0-beta-*" + } } }, - "aspnetcore50": { - "dependencies": { - "System.Diagnostics.Debug": "4.0.10-beta-*", - "System.Diagnostics.Tools": 
"4.0.0-beta-*", - "System.Globalization": "4.0.10-beta-*", - "System.Linq": "4.0.0-beta-*", - "System.Reflection": "4.0.10-beta-*", - "System.Resources.ResourceManager": "4.0.0-beta-*", - "System.Runtime": "4.0.20-beta-*", - "System.Runtime.Extensions": "4.0.10-beta-*", - "System.Runtime.InteropServices": "4.0.20-beta-*", - "System.Security.Cryptography.Encryption": "4.0.0-beta-*", - "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.10-beta-*" - } + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true, + "languageVersion": "experimental" } - }, - "compilationOptions": { - "allowUnsafe": true - } } diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs new file mode 100644 index 0000000000..bc2265436b --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs 
@@ -0,0 +1,115 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Linq; +using System.Security.Cryptography; +using System.Text; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test.Cng +{ + public unsafe class CbcAuthenticatedEncryptorTests + { + [Fact] + public void Encrypt_Decrypt_RoundTrips() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + CbcAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk, + symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, + symmetricAlgorithmKeySizeInBytes: 256 / 8, + hmacAlgorithmHandle: CachedAlgorithmHandles.HMAC_SHA256); + ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); + ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); + + // Act + byte[] ciphertext = encryptor.Encrypt(plaintext, aad); + byte[] decipheredtext = encryptor.Decrypt(new ArraySegment(ciphertext), aad); + + // Assert + Assert.Equal(plaintext, decipheredtext); + } + + [Fact] + public void Encrypt_Decrypt_Tampering_Fails() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + CbcAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk, + symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, + symmetricAlgorithmKeySizeInBytes: 256 / 8, + hmacAlgorithmHandle: CachedAlgorithmHandles.HMAC_SHA256); + ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); + ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); + byte[] validCiphertext = encryptor.Encrypt(plaintext, aad); + + // Act & assert - 1 + // Ciphertext is too short to be a valid payload + byte[] invalidCiphertext_tooShort = new byte[10]; + Assert.Throws(() => + { + 
encryptor.Decrypt(new ArraySegment(invalidCiphertext_tooShort), aad); + }); + + // Act & assert - 2 + // Ciphertext has been manipulated + byte[] invalidCiphertext_manipulated = (byte[])validCiphertext.Clone(); + invalidCiphertext_manipulated[0] ^= 0x01; + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(invalidCiphertext_manipulated), aad); + }); + + // Act & assert - 3 + // Ciphertext is too long + byte[] invalidCiphertext_tooLong = validCiphertext.Concat(new byte[] { 0 }).ToArray(); + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(invalidCiphertext_tooLong), aad); + }); + + // Act & assert - 4 + // AAD is incorrect + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(validCiphertext), new ArraySegment(Encoding.UTF8.GetBytes("different aad"))); + }); + } + + [Fact] + public void Encrypt_KnownKey() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(Encoding.UTF8.GetBytes("master key")); + CbcAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk, + symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, + symmetricAlgorithmKeySizeInBytes: 256 / 8, + hmacAlgorithmHandle: CachedAlgorithmHandles.HMAC_SHA256, + genRandom: new SequentialGenRandom()); + ArraySegment plaintext = new ArraySegment(new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 }, 2, 3); + ArraySegment aad = new ArraySegment(new byte[] { 7, 6, 5, 4, 3, 2, 1, 0 }, 1, 4); + + // Act + byte[] retVal = encryptor.Encrypt( + plaintext: plaintext, + additionalAuthenticatedData: aad, + preBufferSize: 3, + postBufferSize: 4); + + // Assert + + // retVal := 00 00 00 (preBuffer) + // | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F (keyModifier) + // | 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F (IV) + // | B7 EA 3E 32 58 93 A3 06 03 89 C6 66 03 63 08 4B (encryptedData) + // | 9D 8A 85 C7 0F BD 98 D8 7F 72 E7 72 3E B5 A6 26 (HMAC) + // | 6C 38 77 F7 66 19 A2 C9 2C BB AD DA E7 62 00 00 + // | 00 00 00 00 (postBuffer) + + string retValAsString = 
Convert.ToBase64String(retVal); + Assert.Equal("AAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh+36j4yWJOjBgOJxmYDYwhLnYqFxw+9mNh/cudyPrWmJmw4d/dmGaLJLLut2udiAAAAAAAA", retValAsString); + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs new file mode 100644 index 0000000000..5663edd0e1 --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs 
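Review bot: Case 2 of `Encrypt_Decrypt_Tampering_Fails` flips only byte 0, which by the layout documented in `Encrypt_KnownKey` is the first byte of the key modifier, so a change to the IV, the encrypted data or the HMAC is never exercised. I would repeat the assertion with the flipped index placed in each of those regions, for instance `invalidCiphertext_manipulated[validCiphertext.Length - 1] ^= 0x01;` for the last byte of the HMAC. The same gap is in `GcmAuthenticatedEncryptorTests.Encrypt_Decrypt_Tampering_Fails`, where the nonce, encrypted data and auth tag are left untouched.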
@@ -0,0 +1,104 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Linq; +using System.Security.Cryptography; +using System.Text; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test.Cng +{ + public unsafe class GcmAuthenticatedEncryptorTests + { + [Fact] + public void Encrypt_Decrypt_RoundTrips() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + GcmAuthenticatedEncryptor encryptor = new GcmAuthenticatedEncryptor(kdk, CachedAlgorithmHandles.AES_GCM, symmetricAlgorithmKeySizeInBytes: 256 / 8); + ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); + ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); + + // Act + byte[] ciphertext = encryptor.Encrypt(plaintext, aad); + byte[] decipheredtext = encryptor.Decrypt(new ArraySegment(ciphertext), aad); + + // Assert + Assert.Equal(plaintext, decipheredtext); + } + + [Fact] + public void Encrypt_Decrypt_Tampering_Fails() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + GcmAuthenticatedEncryptor encryptor = new GcmAuthenticatedEncryptor(kdk, CachedAlgorithmHandles.AES_GCM, symmetricAlgorithmKeySizeInBytes: 256 / 8); + ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); + ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); + byte[] validCiphertext = encryptor.Encrypt(plaintext, aad); + + // Act & assert - 1 + // Ciphertext is too short to be a valid payload + byte[] invalidCiphertext_tooShort = new byte[10]; + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(invalidCiphertext_tooShort), aad); + }); + + // Act & assert - 2 + // Ciphertext has been manipulated + byte[] invalidCiphertext_manipulated = 
(byte[])validCiphertext.Clone(); + invalidCiphertext_manipulated[0] ^= 0x01; + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(invalidCiphertext_manipulated), aad); + }); + + // Act & assert - 3 + // Ciphertext is too long + byte[] invalidCiphertext_tooLong = validCiphertext.Concat(new byte[] { 0 }).ToArray(); + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(invalidCiphertext_tooLong), aad); + }); + + // Act & assert - 4 + // AAD is incorrect + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(validCiphertext), new ArraySegment(Encoding.UTF8.GetBytes("different aad"))); + }); + } + + [Fact] + public void Encrypt_KnownKey() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(Encoding.UTF8.GetBytes("master key")); + GcmAuthenticatedEncryptor encryptor = new GcmAuthenticatedEncryptor(kdk, CachedAlgorithmHandles.AES_GCM, symmetricAlgorithmKeySizeInBytes: 128 / 8, genRandom: new SequentialGenRandom()); + ArraySegment plaintext = new ArraySegment(new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 }, 2, 3); + ArraySegment aad = new ArraySegment(new byte[] { 7, 6, 5, 4, 3, 2, 1, 0 }, 1, 4); + + // Act + byte[] retVal = encryptor.Encrypt( + plaintext: plaintext, + additionalAuthenticatedData: aad, + preBufferSize: 3, + postBufferSize: 4); + + // Assert + + // retVal := 00 00 00 (preBuffer) + // | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F (keyModifier) + // | 10 11 12 13 14 15 16 17 18 19 1A 1B (nonce) + // | 43 B6 91 (encryptedData) + // | 8D 0D 66 D9 A1 D9 44 2D 5D 8E 41 DA 39 60 9C E8 (authTag) + // | 00 00 00 00 (postBuffer) + + string retValAsString = Convert.ToBase64String(retVal); + Assert.Equal("AAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaG0O2kY0NZtmh2UQtXY5B2jlgnOgAAAAA", retValAsString); + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/SequentialGenRandom.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/SequentialGenRandom.cs new file mode 100644 index 0000000000..f995199dbb 
--- /dev/null
+++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/SequentialGenRandom.cs
@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Security.DataProtection.Cng;
+
+namespace Microsoft.AspNet.Security.DataProtection.Test.Cng
+{
+ internal unsafe class SequentialGenRandom : IBCryptGenRandom
+ {
+ public void GenRandom(byte* pbBuffer, uint cbBuffer)
+ {
+ for (uint i = 0; i < cbBuffer; i++)
+ {
+ pbBuffer[i] = (byte)i;
+ }
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj
new file mode 100644
index 0000000000..34cf58a991
--- /dev/null
+++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj
@@ -0,0 +1,29 @@ + + + + 12.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 7a637185-2ba1-437d-9d4c-7cc4f94cf7bf + Library + + + ConsoleDebugger + + + WebDebugger + + + + + + + 2.0 + + + + + + \ No newline at end of file
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/project.json b/test/Microsoft.AspNet.Security.DataProtection.Test/project.json
new file mode 100644
index 0000000000..bad79b6949
--- /dev/null
+++ b/test/Microsoft.AspNet.Security.DataProtection.Test/project.json
@@ -0,0 +1,16 @@
+{
+ "dependencies": {
+ "Microsoft.AspNet.Security.DataProtection": "1.0.0-*",
+ "Moq": "4.2.1312.1622",
+ "Xunit.KRunner": "1.0.0-*"
+ },
+ "frameworks": {
+ "aspnet50": { }
+ },
+ "commands": {
+ "test": "Xunit.KRunner"
+ },
+ "compilationOptions": {
+ "allowUnsafe": true
+ }
+}
From 7d5a29a9fd9faf34dc9a4cd37572d3201a6020ef Mon Sep 17 00:00:00 2001
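Review bot: `SequentialGenRandom` has no comment saying that it is a deterministic stand-in for the real random source, which matters because it implements the same `IBCryptGenRandom` interface the encryptors accept through `genRandom:`. I would add a summary on the class along the lines of `/// Test-only IBCryptGenRandom that fills the buffer with 0, 1, 2, ... (wrapping at 256) so known-answer tests get a fixed key modifier and IV.` The `(byte)i` cast is what produces the wrap for buffers longer than 256 bytes, and a short comment on that line would make it explicit.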
From: Pranav K Date: Fri, 10 Oct 2014 16:13:57 -0700 Subject: [PATCH 049/493] Cleaning up comments --- .../Cng/CbcAuthenticatedEncryptor.cs | 4 ++-- .../Cng/GcmAuthenticatedEncryptor.cs | 4 ++-- .../Managed/ManagedAuthenticatedEncryptor.cs | 4 ++-- .../SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs | 2 +- .../SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index cc65448056..819facee9f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -212,7 +212,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } finally { - // Buffer contains sensitive key material; nuke. + // Buffer contains sensitive key material; delete. UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys); } } @@ -397,7 +397,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } finally { - // Buffer contains sensitive material; nuke it. + // Buffer contains sensitive material; delete it. UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index 9e404851cd..e5e67cd31b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs @@ -187,7 +187,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } finally { - // The buffer contains key material, so nuke it. + // The buffer contains key material, so delete it. UnsafeBufferUtil.SecureZeroMemory(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes); } } 
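Review bot: "delete" describes these lines less accurately than the word it replaces, because `UnsafeBufferUtil.SecureZeroMemory` and `Array.Clear` overwrite the buffer in place rather than delete anything. A reader auditing key hygiene needs to know that the secret bytes are zeroed, so I would write `// Buffer contains sensitive key material; zero it.` in the first hunk of CbcAuthenticatedEncryptor.cs. The same wording applies to the second hunk of that file and to the hunks for GcmAuthenticatedEncryptor.cs, ManagedAuthenticatedEncryptor.cs and ManagedSP800_108_CTR_HMACSHA512.cs. The enclosing methods start and end outside these hunks.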
@@ -280,7 +280,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } finally { - // The buffer contains key material, so nuke it. + // The buffer contains key material, so delete it. UnsafeBufferUtil.SecureZeroMemory(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 09f431dbdc..eedc30c5c5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -270,7 +270,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed } finally { - // nuke since these contain secret material + // delete since these contain secret material Array.Clear(decryptedKdk, 0, decryptedKdk.Length); Array.Clear(decryptionSubkey, 0, decryptionSubkey.Length); Array.Clear(validationSubkey, 0, validationSubkey.Length); @@ -382,7 +382,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed } finally { - // nuke since these contain secret material + // delete since these contain secret material Array.Clear(decryptedKdk, 0, decryptedKdk.Length); Array.Clear(encryptionSubkey, 0, encryptionSubkey.Length); Array.Clear(validationSubkey, 0, validationSubkey.Length); diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs index 54c2891ad7..38dbe359e1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs 
@@ -45,7 +45,7 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 CryptoUtil.Assert(prfOutputSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length"); int numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount); Buffer.BlockCopy(prfOutput, 0, output.Array, outputOffset, numBytesToCopyThisIteration); - Array.Clear(prfOutput, 0, prfOutput.Length); // contains key material, so nuke it + Array.Clear(prfOutput, 0, prfOutput.Length); // contains key material, so delete it // adjust offsets outputOffset += numBytesToCopyThisIteration; diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs index 29157aeefc..a163834603 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs @@ -53,7 +53,7 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 BitHelpers.WriteTo(pbTempInputCounter, i); // Step 4b: Hash. Win7 doesn't allow reusing hash algorithm objects after the final hash - // has been computed, so we'll just keep calling DuplicateHash on the original virgin + // has been computed, so we'll just keep calling DuplicateHash on the original // hash handle. This offers a slight performance increase over allocating a new hash // handle for each iteration. We don't need to mess with any of this on Win8 since on // that platform we use BCryptKeyDerivation directly, which offers superior performance. From d9119f4c4703c8d12e082ac502070ca1e48ebe6f Mon Sep 17 00:00:00 2001 
From: Hao Kung Date: Fri, 10 Oct 2014 16:11:13 -0700 Subject: [PATCH 050/493] React to options rename --- .../BlobStorageXmlRepository.cs | 2 +- .../CngCbcAuthenticatedEncryptorConfigurationFactory.cs | 2 +- .../CngGcmAuthenticatedEncryptorConfigurationFactory.cs | 2 +- .../ManagedAuthenticatedEncryptorConfigurationFactory.cs | 2 +- .../DefaultDataProtectionProvider.cs | 2 +- .../EphemeralDataProtectionProvider.cs | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs index a08027f6a8..952b8ce28f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs @@ -25,7 +25,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Azure internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/dataProtection/2014/azure"); internal static readonly XName KeyRingElementName = XmlNamespace.GetName("keyRing"); - public BlobStorageXmlRepository([NotNull] IOptionsAccessor optionsAccessor) + public BlobStorageXmlRepository([NotNull] IOptions optionsAccessor) { Directory = optionsAccessor.Options.Directory; CryptoUtil.Assert(Directory != null, "Directory != null"); diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs index 375a7dc961..22b254fe85 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs 
@@ -14,7 +14,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { private readonly CngCbcAuthenticatedEncryptorConfigurationOptions _options; - public CngCbcAuthenticatedEncryptorConfigurationFactory([NotNull] IOptionsAccessor optionsAccessor) + public CngCbcAuthenticatedEncryptorConfigurationFactory([NotNull] IOptions optionsAccessor) { _options = optionsAccessor.Options.Clone(); } diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs index ac074377f8..b184da69ab 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs @@ -14,7 +14,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { private readonly CngGcmAuthenticatedEncryptorConfigurationOptions _options; - public CngGcmAuthenticatedEncryptorConfigurationFactory([NotNull] IOptionsAccessor optionsAccessor) + public CngGcmAuthenticatedEncryptorConfigurationFactory([NotNull] IOptions optionsAccessor) { _options = optionsAccessor.Options.Clone(); } diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs index 41cb60213e..50fee4ab58 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs 
@@ -11,7 +11,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { private readonly ManagedAuthenticatedEncryptorConfigurationOptions _options; - public ManagedAuthenticatedEncryptorConfigurationFactory([NotNull] IOptionsAccessor optionsAccessor) + public ManagedAuthenticatedEncryptorConfigurationFactory([NotNull] IOptions optionsAccessor) { _options = optionsAccessor.Options.Clone(); } diff --git a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs index d933097799..98ebba69dd 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs @@ -26,7 +26,7 @@ namespace Microsoft.AspNet.Security.DataProtection } public DefaultDataProtectionProvider( - [NotNull] IOptionsAccessor optionsAccessor, + [NotNull] IOptions optionsAccessor, [NotNull] IKeyManager keyManager) { KeyRingBasedDataProtectionProvider rootProvider = new KeyRingBasedDataProtectionProvider(new KeyRingProvider(keyManager)); diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs index 15e7ef1fbb..0e454e9e56 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs @@ -45,7 +45,7 @@ namespace Microsoft.AspNet.Security.DataProtection return _dataProtectionProvider.CreateProtector(purpose); } - private sealed class DefaultOptionsAccessor : IOptionsAccessor where T : class, new() + private sealed class DefaultOptionsAccessor : IOptions where T : class, new() { public T Options { get; } = new T(); From c3b76d14a36d999a06e127c4318c5c52bfc08e8c Mon Sep 17 00:00:00 2001 
From: Levi B Date: Tue, 14 Oct 2014 17:15:00 -0700 Subject: [PATCH 051/493] Make EphemeralDataProtectionProvider and ProtectedMemoryBlob work on non-Windows platforms. --- ...henticatedEncryptorConfigurationOptions.cs | 7 +- ...henticatedEncryptorConfigurationOptions.cs | 7 +- .../IInternalConfigurationOptions.cs | 12 ++++ ...henticatedEncryptorConfigurationOptions.cs | 7 +- .../EphemeralDataProtectionProvider.cs | 30 ++------- .../ProtectedMemoryBlob.cs | 42 +++++++++--- .../Cng/CbcAuthenticatedEncryptorTests.cs | 2 +- .../Cng/GcmAuthenticatedEncryptorTests.cs | 2 +- .../EphemeralDataProtectionProviderTests.cs | 64 +++++++++++++++++++ 9 files changed, 136 insertions(+), 37 deletions(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/EphemeralDataProtectionProviderTests.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs index 2765421512..c9f6b4f8d0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption /// Options for configuring an authenticated encryption mechanism which uses /// Windows CNG algorithms in CBC encryption + HMAC validation modes. /// - public sealed class CngCbcAuthenticatedEncryptorConfigurationOptions + public sealed class CngCbcAuthenticatedEncryptorConfigurationOptions : IInternalConfigurationOptions { /// /// The name of the algorithm to use for symmetric encryption. 
@@ -178,5 +178,10 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption } return value; } + + IAuthenticatedEncryptor IInternalConfigurationOptions.CreateAuthenticatedEncryptor(ISecret secret) + { + return CreateAuthenticatedEncryptor(secret); + } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs index 33ad8e8eb5..271a43eefe 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption /// Options for configuring an authenticated encryption mechanism which uses /// Windows CNG encryption algorithms in Galois/Counter Mode. /// - public sealed class CngGcmAuthenticatedEncryptorConfigurationOptions + public sealed class CngGcmAuthenticatedEncryptorConfigurationOptions : IInternalConfigurationOptions { /// /// The name of the algorithm to use for symmetric encryption. @@ -120,5 +120,10 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption } return value; } + + IAuthenticatedEncryptor IInternalConfigurationOptions.CreateAuthenticatedEncryptor(ISecret secret) + { + return CreateAuthenticatedEncryptor(secret); + } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs new file mode 100644 index 0000000000..7b26d09838 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs 
@@ -0,0 +1,12 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +{ + internal interface IInternalConfigurationOptions + { + IAuthenticatedEncryptor CreateAuthenticatedEncryptor(ISecret secret); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs index 0a9036886c..9ebed10e96 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs @@ -12,7 +12,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption /// Options for configuring an authenticated encryption mechanism which uses /// managed SymmetricAlgorithm and KeyedHashAlgorithm implementations. /// - public sealed class ManagedAuthenticatedEncryptorConfigurationOptions + public sealed class ManagedAuthenticatedEncryptorConfigurationOptions : IInternalConfigurationOptions { /// /// The type of the algorithm to use for symmetric encryption. @@ -102,6 +102,11 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivator<>).MakeGenericType(ValidationAlgorithmType))).Creator; } + IAuthenticatedEncryptor IInternalConfigurationOptions.CreateAuthenticatedEncryptor(ISecret secret) + { + return CreateAuthenticatedEncryptor(secret); + } + private interface IActivator { Func Creator { get; } 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs index 15e7ef1fbb..a13c20c727 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs @@ -28,12 +28,12 @@ namespace Microsoft.AspNet.Security.DataProtection if (OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) { // Fastest implementation: AES-GCM - keyringProvider = new CngEphemeralKeyRing(); + keyringProvider = new EphemeralKeyRing(); } else { // Slowest implementation: managed CBC + HMAC - keyringProvider = new ManagedEphemeralKeyRing(); + keyringProvider = new EphemeralKeyRing(); } _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider); 
@@ -55,29 +55,13 @@ namespace Microsoft.AspNet.Security.DataProtection } } - // A special key ring that only understands one key id and which uses CNG. - private sealed class CngEphemeralKeyRing : IKeyRing, IKeyRingProvider + private sealed class EphemeralKeyRing : IKeyRing, IKeyRingProvider + where T : IInternalConfigurationOptions, new() { - public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new CngGcmAuthenticatedEncryptorConfigurationFactory(new DefaultOptionsAccessor()).CreateNewConfiguration().CreateEncryptorInstance(); + // Currently hardcoded to a 512-bit KDK. + private const int NUM_BYTES_IN_KDK = 512 / 8; - public Guid DefaultKeyId { get; } = default(Guid); - - public IAuthenticatedEncryptor GetAuthenticatedEncryptorByKeyId(Guid keyId, out bool isRevoked) - { - isRevoked = false; - return (keyId == default(Guid)) ? DefaultAuthenticatedEncryptor : null; - } - - public IKeyRing GetCurrentKeyRing() - { - return this; - } - } - - // A special key ring that only understands one key id and which uses managed CBC + HMAC. - private sealed class ManagedEphemeralKeyRing : IKeyRing, IKeyRingProvider - { - public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new ManagedAuthenticatedEncryptorConfigurationFactory(new DefaultOptionsAccessor()).CreateNewConfiguration().CreateEncryptorInstance(); + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().CreateAuthenticatedEncryptor(ProtectedMemoryBlob.Random(NUM_BYTES_IN_KDK)); public Guid DefaultKeyId { get; } = default(Guid); diff --git a/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs b/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs index ce3b6dae7f..f89af3bfdd 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs 
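Review bot: The `ProtectedMemoryBlob.Random(NUM_BYTES_IN_KDK)` value passed to `CreateAuthenticatedEncryptor` in the `DefaultAuthenticatedEncryptor` initializer is never disposed, although `ProtectedMemoryBlob` exposes `Dispose()`. Whether the encryptor copies the secret or keeps a reference to it is not visible in this hunk, so the ownership should be stated in a comment next to the initializer. If the encryptor copies it, the temporary KDK blob outlives its use, and building the encryptor in a constructor that wraps the blob in `using` would release it deterministically. The class body continues outside the hunk.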
@@ -3,8 +3,8 @@ using System; using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.Managed; using Microsoft.AspNet.Security.DataProtection.SafeHandles; -using Microsoft.Win32.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection { @@ -13,14 +13,14 @@ namespace Microsoft.AspNet.Security.DataProtection // from wincrypt.h private const uint CRYPTPROTECTMEMORY_BLOCK_SIZE = 16; - private readonly SecureLocalAllocHandle _encryptedMemoryHandle; + private readonly SecureLocalAllocHandle _localAllocHandle; private readonly uint _plaintextLength; public ProtectedMemoryBlob(ArraySegment plaintext) { plaintext.Validate(); - _encryptedMemoryHandle = Protect(plaintext); + _localAllocHandle = Protect(plaintext); _plaintextLength = (uint)plaintext.Count; } @@ -40,7 +40,7 @@ namespace Microsoft.AspNet.Security.DataProtection throw new ArgumentOutOfRangeException("plaintextLength"); } - _encryptedMemoryHandle = Protect(plaintext, (uint)plaintextLength); + _localAllocHandle = Protect(plaintext, (uint)plaintextLength); _plaintextLength = (uint)plaintextLength; } @@ -55,7 +55,7 @@ namespace Microsoft.AspNet.Security.DataProtection if (other != null) { // Fast-track: simple deep copy scenario. - this._encryptedMemoryHandle = other._encryptedMemoryHandle.Duplicate(); + this._localAllocHandle = other._localAllocHandle.Duplicate(); this._plaintextLength = other._plaintextLength; } else @@ -68,7 +68,7 @@ namespace Microsoft.AspNet.Security.DataProtection try { secret.WriteSecretIntoBuffer(new ArraySegment(tempPlaintextBuffer)); - _encryptedMemoryHandle = Protect(pbTempPlaintextBuffer, (uint)tempPlaintextBuffer.Length); + _localAllocHandle = Protect(pbTempPlaintextBuffer, (uint)tempPlaintextBuffer.Length); _plaintextLength = (uint)tempPlaintextBuffer.Length; } finally 
@@ -89,7 +89,7 @@ namespace Microsoft.AspNet.Security.DataProtection public void Dispose() { - _encryptedMemoryHandle.Dispose(); + _localAllocHandle.Dispose(); } private static SecureLocalAllocHandle Protect(ArraySegment plaintext) @@ -102,6 +102,16 @@ namespace Microsoft.AspNet.Security.DataProtection private static SecureLocalAllocHandle Protect(byte* pbPlaintext, uint cbPlaintext) { + // If we're not running on a platform that supports CryptProtectMemory, + // shove the plaintext directly into a LocalAlloc handle. Ideally we'd + // mark this memory page as non-pageable, but this is fraught with peril. + if (!OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + { + SecureLocalAllocHandle handle = SecureLocalAllocHandle.Allocate((IntPtr)checked((int)cbPlaintext)); + UnsafeBufferUtil.BlockCopy(from: pbPlaintext, to: handle, byteCount: cbPlaintext); + return handle; + } + // We need to make sure we're a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE. uint numTotalBytesToAllocate = cbPlaintext; uint numBytesPaddingRequired = CRYPTPROTECTMEMORY_BLOCK_SIZE - (numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE); @@ -135,6 +145,12 @@ namespace Microsoft.AspNet.Security.DataProtection } else { + // Don't use CNG if we're not on Windows. + if (!OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + { + return new ProtectedMemoryBlob(ManagedGenRandomImpl.Instance.GenRandom(numBytes)); + } + byte[] bytes = new byte[numBytes]; fixed (byte* pbBytes = bytes) { 
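Review bot: The plaintext fallback in `Protect(byte*, uint)` is gated on `OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()`, which by its name tests for BCrypt on Windows 7 or later rather than for CryptProtectMemory, so a platform that has CryptProtectMemory but fails that check would silently keep the secret unencrypted. The same predicate is evaluated again in `UnprotectInto` (the `@@ -153,18 +169,26 @@` hunk), so the stored format is not tied to the instance; recording the decision once in a field such as `private readonly bool _isEncrypted;` set at construction, and testing that field in `UnprotectInto`, would keep both sides in agreement. The type's doc comment should also say that on this path the handle holds unencrypted bytes, since the class name suggests otherwise. Both method bodies continue outside their hunks.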
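Review bot: In the non-Windows branch of `Random`, the buffer returned by `ManagedGenRandomImpl.Instance.GenRandom(numBytes)` is handed to the constructor and then dropped, so a second copy of the key bytes stays on the managed heap until it is collected. Assuming `GenRandom` returns a `byte[]`, keep it in a local and clear it once the blob is built: `byte[] bytes = ManagedGenRandomImpl.Instance.GenRandom(numBytes);` followed by `try { return new ProtectedMemoryBlob(bytes); } finally { Array.Clear(bytes, 0, bytes.Length); }`. The CNG branch below is cut off by the hunk, so whether it already clears its buffer is not visible here.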
@@ -153,18 +169,26 @@ namespace Microsoft.AspNet.Security.DataProtection private void UnprotectInto(byte* pbBuffer) { + // If we're not running on a platform that supports CryptProtectMemory, + // the handle contains plaintext bytes. + if (!OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + { + UnsafeBufferUtil.BlockCopy(from: _localAllocHandle, to: pbBuffer, byteCount: _plaintextLength); + return; + } + if (_plaintextLength % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0) { // Case 1: Secret length is an exact multiple of the block size. Copy directly to the buffer and decrypt there. // We go through this code path even for empty plaintexts since we still want SafeHandle dispose semantics. - UnsafeBufferUtil.BlockCopy(from: _encryptedMemoryHandle, to: pbBuffer, byteCount: _plaintextLength); + UnsafeBufferUtil.BlockCopy(from: _localAllocHandle, to: pbBuffer, byteCount: _plaintextLength); MemoryProtection.CryptUnprotectMemory(pbBuffer, _plaintextLength); } else { // Case 2: Secret length is not a multiple of the block size. We'll need to duplicate the data and // perform the decryption in the duplicate buffer, then copy the plaintext data over. - using (var duplicateHandle = _encryptedMemoryHandle.Duplicate()) + using (var duplicateHandle = _localAllocHandle.Duplicate()) { MemoryProtection.CryptUnprotectMemory(duplicateHandle, checked((uint)duplicateHandle.Length)); UnsafeBufferUtil.BlockCopy(from: duplicateHandle, to: pbBuffer, byteCount: _plaintextLength); diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs index bc2265436b..7e2027e78a 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs 
@@ -10,7 +10,7 @@ using Xunit; namespace Microsoft.AspNet.Security.DataProtection.Test.Cng { - public unsafe class CbcAuthenticatedEncryptorTests + public class CbcAuthenticatedEncryptorTests { [Fact] public void Encrypt_Decrypt_RoundTrips() diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs index 5663edd0e1..b1eae351d7 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs @@ -10,7 +10,7 @@ using Xunit; namespace Microsoft.AspNet.Security.DataProtection.Test.Cng { - public unsafe class GcmAuthenticatedEncryptorTests + public class GcmAuthenticatedEncryptorTests { [Fact] public void Encrypt_Decrypt_RoundTrips() diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/EphemeralDataProtectionProviderTests.cs new file mode 100644 index 0000000000..b580ebf97a --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/EphemeralDataProtectionProviderTests.cs 
@@ -0,0 +1,64 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using System.Text; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test +{ + public class EphemeralDataProtectionProviderTests + { + [Fact] + public void DifferentProvider_SamePurpose_DoesNotRoundTripData() + { + // Arrange + var dataProtector1 = new EphemeralDataProtectionProvider().CreateProtector("purpose"); + var dataProtector2 = new EphemeralDataProtectionProvider().CreateProtector("purpose"); + byte[] bytes = Encoding.UTF8.GetBytes("Hello there!"); + + // Act & assert + // Each instance of the EphemeralDataProtectionProvider has its own unique KDK, so payloads can't be shared. + byte[] protectedBytes = dataProtector1.Protect(bytes); + Assert.ThrowsAny(() => + { + byte[] unprotectedBytes = dataProtector2.Unprotect(protectedBytes); + }); + } + + [Fact] + public void SingleProvider_DifferentPurpose_DoesNotRoundTripData() + { + // Arrange + var dataProtectionProvider = new EphemeralDataProtectionProvider(); + var dataProtector1 = dataProtectionProvider.CreateProtector("purpose"); + var dataProtector2 = dataProtectionProvider.CreateProtector("different purpose"); + byte[] bytes = Encoding.UTF8.GetBytes("Hello there!"); + + // Act & assert + byte[] protectedBytes = dataProtector1.Protect(bytes); + Assert.ThrowsAny(() => + { + byte[] unprotectedBytes = dataProtector2.Unprotect(protectedBytes); + }); + } + + [Fact] + public void SingleProvider_SamePurpose_RoundTripsData() + { + // Arrange + var dataProtectionProvider = new EphemeralDataProtectionProvider(); + var dataProtector1 = dataProtectionProvider.CreateProtector("purpose"); + var dataProtector2 = dataProtectionProvider.CreateProtector("purpose"); // should be equivalent to the previous instance + byte[] bytes = 
Encoding.UTF8.GetBytes("Hello there!"); + + // Act + byte[] protectedBytes = dataProtector1.Protect(bytes); + byte[] unprotectedBytes = dataProtector2.Unprotect(protectedBytes); + + // Assert + Assert.Equal(bytes, unprotectedBytes); + } + } +} From e2ad2f13862820831052e94d735c7d3401e4c066 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 14 Oct 2014 17:29:13 -0700 Subject: [PATCH 052/493] Remove dead code from EphemeralDataProtectionProvider.cs. --- .../EphemeralDataProtectionProvider.cs | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs index a13c20c727..99bfe47d7a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs @@ -5,7 +5,6 @@ using System; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.KeyManagement; -using Microsoft.Framework.OptionsModel; namespace Microsoft.AspNet.Security.DataProtection { @@ -45,16 +44,6 @@ namespace Microsoft.AspNet.Security.DataProtection return _dataProtectionProvider.CreateProtector(purpose); } - private sealed class DefaultOptionsAccessor : IOptionsAccessor where T : class, new() - { - public T Options { get; } = new T(); - - public T GetNamedOptions(string name) - { - return Options; - } - } - private sealed class EphemeralKeyRing : IKeyRing, IKeyRingProvider where T : IInternalConfigurationOptions, new() { From a0138735a8503c17f35db05a5cfb79e8b7185317 Mon Sep 17 00:00:00 2001 
From: Levi B Date: Wed, 15 Oct 2014 11:02:31 -0700 Subject: [PATCH 053/493] Add string-based extension methods to IDataProtector. --- .../CryptoUtil.cs | 4 + .../DataProtectionExtensions.cs | 59 ++++++++ .../Dpapi/DpapiDataProtector.cs | 5 +- .../KeyRingBasedDataProtector.cs | 4 +- .../WebEncoders.cs | 133 ++++++++++++++++++ .../DataProtectionExtensionsTests.cs | 85 +++++++++++ 6 files changed, 283 insertions(+), 7 deletions(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/WebEncoders.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs index 52e556fbcf..823e7aa213 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs @@ -6,6 +6,7 @@ using System.Diagnostics; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; +using System.Text; #if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; @@ -15,6 +16,9 @@ namespace Microsoft.AspNet.Security.DataProtection { internal unsafe static class CryptoUtil { + // UTF8 encoding that fails on invalid chars + public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); + // This isn't a typical Debug.Assert; the check is always performed, even in retail builds. [MethodImpl(MethodImplOptions.AggressiveInlining)] public static void Assert(bool condition, string message) diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs new file mode 100644 index 0000000000..cf7c9fa7cd --- /dev/null 
+++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs 
@@ -0,0 +1,59 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection +{ + /// + /// Helpful extension methods for data protection APIs. + /// + public static class DataProtectionExtensions + { + /// + /// Cryptographically protects a piece of plaintext data. + /// + /// The data protector to use for this operation. + /// The plaintext data to protect. + /// The protected form of the plaintext data. + public static string Protect([NotNull] this IDataProtector protector, [NotNull] string unprotectedData) + { + try + { + byte[] unprotectedDataAsBytes = CryptoUtil.SecureUtf8Encoding.GetBytes(unprotectedData); + byte[] protectedDataAsBytes = protector.Protect(unprotectedDataAsBytes); + return WebEncoders.Base64UrlEncode(protectedDataAsBytes); + } + catch (Exception ex) if (!(ex is CryptographicException)) + { + // Homogenize exceptions to CryptographicException + throw Error.CryptCommon_GenericError(ex); + } + } + + /// + /// Cryptographically unprotects a piece of protected data. + /// + /// The data protector to use for this operation. + /// The protected data to unprotect. + /// The plaintext form of the protected data. + /// + /// This method will throw CryptographicException if the input is invalid or malformed. 
+ /// + public static string Unprotect([NotNull] this IDataProtector protector, [NotNull] string protectedData) + { + try + { + byte[] protectedDataAsBytes = WebEncoders.Base64UrlDecode(protectedData); + byte[] unprotectedDataAsBytes = protector.Unprotect(protectedDataAsBytes); + return CryptoUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); + } + catch (Exception ex) if (!(ex is CryptographicException)) + { + // Homogenize exceptions to CryptographicException + throw Error.CryptCommon_GenericError(ex); + } + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs index 0bc4cb073d..172a1289cc 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs @@ -4,7 +4,6 @@ using System; using System.IO; using System.Security.Cryptography; -using System.Text; namespace Microsoft.AspNet.Security.DataProtection.Dpapi { @@ -12,8 +11,6 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi // or for Windows machines where we can't depend on the user profile. internal sealed class DpapiDataProtector : IDataProtector { - private static readonly UTF8Encoding _secureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); - private readonly byte[] _combinedPurposes; private readonly DataProtectionScope _scope; private readonly IProtectedData _shim; @@ -31,7 +28,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi using (var memoryStream = new MemoryStream()) { memoryStream.Write(_combinedPurposes, 0, _combinedPurposes.Length); - using (var writer = new BinaryWriter(memoryStream, _secureUtf8Encoding, leaveOpen: true)) + using (var writer = new BinaryWriter(memoryStream, CryptoUtil.SecureUtf8Encoding, leaveOpen: true)) { writer.Write(purpose); } 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 3b87e17147..cd5a78e5c1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -5,7 +5,6 @@ using System; using System.Diagnostics; using System.IO; using System.Security.Cryptography; -using System.Text; using System.Threading; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; @@ -278,10 +277,9 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement private sealed class PurposeBinaryWriter : BinaryWriter { // Strings should never contain invalid UTF16 chars, so we'll use a secure encoding. - private static readonly UTF8Encoding _secureEncoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); private static readonly byte[] _guidBuffer = new byte[sizeof(Guid)]; - public PurposeBinaryWriter(MemoryStream stream) : base(stream, _secureEncoding, leaveOpen: true) { } + public PurposeBinaryWriter(MemoryStream stream) : base(stream, CryptoUtil.SecureUtf8Encoding, leaveOpen: true) { } public new void Write7BitEncodedInt(int value) { diff --git a/src/Microsoft.AspNet.Security.DataProtection/WebEncoders.cs b/src/Microsoft.AspNet.Security.DataProtection/WebEncoders.cs new file mode 100644 index 0000000000..36db7b520a --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/WebEncoders.cs 
@@ -0,0 +1,133 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; + +namespace Microsoft.AspNet.Security.DataProtection +{ + // Internal copy of HttpAbstractions functionality. + internal static class WebEncoders + { + /// + /// Decodes a base64url-encoded string. + /// + /// The base64url-encoded input to decode. + /// The base64url-decoded form of the input. + /// + /// The input must not contain any whitespace or padding characters. + /// Throws FormatException if the input is malformed. + /// + public static byte[] Base64UrlDecode([NotNull] string input) + { + // Assumption: input is base64url encoded without padding and contains no whitespace. + + // First, we need to add the padding characters back. + int numPaddingCharsToAdd = GetNumBase64PaddingCharsToAddForDecode(input.Length); + char[] completeBase64Array = new char[checked(input.Length + numPaddingCharsToAdd)]; + Debug.Assert(completeBase64Array.Length % 4 == 0, "Invariant: Array length must be a multiple of 4."); + input.CopyTo(0, completeBase64Array, 0, input.Length); + for (int i = 1; i <= numPaddingCharsToAdd; i++) + { + completeBase64Array[completeBase64Array.Length - i] = '='; + } + + // Next, fix up '-' -> '+' and '_' -> '/' + for (int i = 0; i < completeBase64Array.Length; i++) + { + char c = completeBase64Array[i]; + if (c == '-') + { + completeBase64Array[i] = '+'; + } + else if (c == '_') + { + completeBase64Array[i] = '/'; + } + } + + // Finally, decode. + // If the caller provided invalid base64 chars, they'll be caught here. + return Convert.FromBase64CharArray(completeBase64Array, 0, completeBase64Array.Length); + } + + /// + /// Encodes an input using base64url encoding. + /// + /// The binary input to encode. + /// The base64url-encoded form of the input. 
+ public static string Base64UrlEncode([NotNull] byte[] input) + { + // Special-case empty input + if (input.Length == 0) + { + return String.Empty; + } + + // We're going to use base64url encoding with no padding characters. + // See RFC 4648, Sec. 5. + char[] buffer = new char[GetNumBase64CharsRequiredForInput(input.Length)]; + int numBase64Chars = Convert.ToBase64CharArray(input, 0, input.Length, buffer, 0); + + // Fix up '+' -> '-' and '/' -> '_' + for (int i = 0; i < numBase64Chars; i++) + { + char ch = buffer[i]; + if (ch == '+') + { + buffer[i] = '-'; + } + else if (ch == '/') + { + buffer[i] = '_'; + } + else if (ch == '=') + { + // We've reached a padding character: truncate the string from this point + return new String(buffer, 0, i); + } + } + + // If we got this far, the buffer didn't contain any padding chars, so turn + // it directly into a string. + return new String(buffer, 0, numBase64Chars); + } + + private static int GetNumBase64CharsRequiredForInput(int inputLength) + { + int numWholeOrPartialInputBlocks = checked(inputLength + 2) / 3; + return checked(numWholeOrPartialInputBlocks * 4); + } + + private static int GetNumBase64PaddingCharsInString(string str) + { + // Assumption: input contains a well-formed base64 string with no whitespace. + + // base64 guaranteed have 0 - 2 padding characters. + if (str[str.Length - 1] == '=') + { + if (str[str.Length - 2] == '=') + { + return 2; + } + return 1; + } + return 0; + } + + private static int GetNumBase64PaddingCharsToAddForDecode(int inputLength) + { + switch (inputLength % 4) + { + case 0: + return 0; + case 2: + return 2; + case 3: + return 1; + default: + throw new FormatException("TODO: Malformed input."); + } + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs new file mode 100644 index 0000000000..53fc15656c --- /dev/null 
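Review bot: `Base64UrlDecode` documents that the input must not contain padding or whitespace, but nothing enforces it: `Convert.FromBase64CharArray` also accepts `+`, `/`, `=` and white-space characters, so several different strings can decode to the same bytes. When the string form of a protected payload is used as an identifier (a cache key, a one-time-use or revocation list), those alternative spellings of one payload compare as different, and rejecting the non-base64url characters before the fix-up loop gives each payload a single accepted spelling. Separately, the private `GetNumBase64PaddingCharsInString` is not called anywhere in this new file, and the `FormatException` message still reads "TODO: Malformed input.".

```csharp
public static byte[] Base64UrlDecode([NotNull] string input)
{
    // Accept only unpadded base64url: reject the standard-base64 alphabet
    // characters, padding and whitespace that Convert would otherwise tolerate.
    foreach (char c in input)
    {
        if (c == '+' || c == '/' || c == '=' || Char.IsWhiteSpace(c))
        {
            throw new FormatException("Malformed input.");
        }
    }

    // … unchanged: re-add padding, map '-' and '_', Convert.FromBase64CharArray …
```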
+++ b/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs 
@@ -0,0 +1,85 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using System.Text; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test +{ + public class DataProtectionExtensionsTests + { + [Fact] + public void Protect_InvalidUtf_Failure() + { + // Arrange + Mock mockProtector = new Mock(); + + // Act & assert + var ex = Assert.Throws(() => + { + DataProtectionExtensions.Protect(mockProtector.Object, "Hello\ud800"); + }); + Assert.IsAssignableFrom(typeof(EncoderFallbackException), ex.InnerException); + } + + [Fact] + public void Protect_Success() + { + // Arrange + Mock mockProtector = new Mock(); + mockProtector.Setup(p => p.Protect(new byte[] { 0x48, 0x65, 0x6c, 0x6c, 0x6f })).Returns(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }); + + // Act + string retVal = DataProtectionExtensions.Protect(mockProtector.Object, "Hello"); + + // Assert + Assert.Equal("AQIDBAU", retVal); + } + + [Fact] + public void Unprotect_InvalidBase64BeforeDecryption_Failure() + { + // Arrange + Mock mockProtector = new Mock(); + + // Act & assert + var ex = Assert.Throws(() => + { + DataProtectionExtensions.Unprotect(mockProtector.Object, "A"); + }); + Assert.IsAssignableFrom(typeof(FormatException), ex.InnerException); + } + + [Fact] + public void Unprotect_InvalidUtfAfterDecryption_Failure() + { + // Arrange + Mock mockProtector = new Mock(); + mockProtector.Setup(p => p.Unprotect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0xff }); + + // Act & assert + var ex = Assert.Throws(() => + { + DataProtectionExtensions.Unprotect(mockProtector.Object, "AQIDBAU"); + }); + Assert.IsAssignableFrom(typeof(DecoderFallbackException), ex.InnerException); + } + + [Fact] + public void Unprotect_Success() + { + // Arrange + Mock mockProtector = new Mock(); + 
mockProtector.Setup(p => p.Unprotect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x48, 0x65, 0x6c, 0x6c, 0x6f }); + + // Act + string retVal = DataProtectionExtensions.Unprotect(mockProtector.Object, "AQIDBAU"); + + // Assert + Assert.Equal("Hello", retVal); + } + } +} From 132802435b61e81194973daa8b30ec56172d793f Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 15 Oct 2014 12:22:01 -0700 Subject: [PATCH 054/493] Add time-limiting data protection capabilities. --- .../DataProtectionExtensions.cs | 11 ++ .../Error.cs | 6 ++ .../ITimeLimitedDataProtector.cs | 45 ++++++++ .../Properties/Resources.Designer.cs | 16 +++ .../Resources.resx | 3 + .../TimeLimitedDataProtector.cs | 101 ++++++++++++++++++ .../DataProtectionExtensionsTests.cs | 28 +++++ .../TimeLimitedDataProtectorTests.cs | 87 +++++++++++++++ 8 files changed, 297 insertions(+) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/ITimeLimitedDataProtector.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/TimeLimitedDataProtectorTests.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs index cf7c9fa7cd..f46852c797 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs 
@@ -11,6 +11,17 @@ namespace Microsoft.AspNet.Security.DataProtection /// public static class DataProtectionExtensions { + /// + /// Creates a time-limited data protector based on an existing protector. + /// + /// The existing protector from which to derive a time-limited protector. + /// A time-limited data protector. + public static ITimeLimitedDataProtector AsTimeLimitedDataProtector([NotNull] this IDataProtector protector) + { + return (protector as ITimeLimitedDataProtector) + ?? new TimeLimitedDataProtector(protector.CreateProtector(TimeLimitedDataProtector.PurposeString)); + } + /// /// Cryptographically protects a piece of plaintext data. /// diff --git a/src/Microsoft.AspNet.Security.DataProtection/Error.cs b/src/Microsoft.AspNet.Security.DataProtection/Error.cs index aa75abce2c..8571a4074c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Error.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Error.cs @@ -70,5 +70,11 @@ namespace Microsoft.AspNet.Security.DataProtection return new CryptographicException(Resources.Common_DecryptionFailed, inner); } + public static CryptographicException TimeLimitedDataProtector_PayloadExpired(ulong utcTicksExpiration) + { + DateTimeOffset expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero).ToLocalTime(); + string message = String.Format(CultureInfo.CurrentCulture, Resources.TimeLimitedDataProtector_PayloadExpired, expiration); + return new CryptographicException(message); + } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/ITimeLimitedDataProtector.cs new file mode 100644 index 0000000000..f4770e410d --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/ITimeLimitedDataProtector.cs 
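Review bot: In `TimeLimitedDataProtector_PayloadExpired` the `(long)utcTicksExpiration` cast is unchecked and the `DateTimeOffset` constructor throws `ArgumentOutOfRangeException` for tick counts outside its range, so a helper meant to build a `CryptographicException` can itself fail with a different exception type. Whether a caller can pass such a value is not visible here (TimeLimitedDataProtector.cs lies outside this hunk); if the ticks are read from the payload, range-check first with `if (utcTicksExpiration > (ulong)DateTimeOffset.MaxValue.Ticks)` and return a `CryptographicException` without the timestamp in that case. The message could also be built with the generated `Resources.FormatTimeLimitedDataProtector_PayloadExpired(expiration)` that this commit adds, instead of a second `String.Format` call.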
@@ -0,0 +1,45 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection +{ + /// + /// An interface that can provide data protection services. + /// + public interface ITimeLimitedDataProtector : IDataProtector + { + /// + /// Creates an IDataProtector given a purpose. + /// + /// + /// The purpose to be assigned to the newly-created IDataProtector. + /// This parameter must be unique for the intended use case; two different IDataProtector + /// instances created with two different 'purpose' strings will not be able + /// to understand each other's payloads. The 'purpose' parameter is not intended to be + /// kept secret. + /// + /// An IDataProtector tied to the provided purpose. + new ITimeLimitedDataProtector CreateProtector(string purpose); + + /// + /// Cryptographically protects a piece of plaintext data and assigns an expiration date to the data. + /// + /// The plaintext data to protect. + /// The date after which the data can no longer be unprotected. + /// The protected form of the plaintext data. + byte[] Protect(byte[] unprotectedData, DateTimeOffset expiration); + + /// + /// Cryptographically unprotects a piece of protected data. + /// + /// The protected data to unprotect. + /// After unprotection, contains the expiration date of the protected data. + /// The plaintext form of the protected data. + /// + /// Implementations should throw CryptographicException if the protected data is invalid or malformed. + /// + byte[] Unprotect(byte[] protectedData, out DateTimeOffset expiration); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs index 8d35437c5a..f1d2151ed5 100644 
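Review bot: The remarks on `Unprotect(byte[] protectedData, out DateTimeOffset expiration)` list only invalid or malformed data as failure cases, but the implementation added in this commit also throws `CryptographicException` when the payload has expired. Since expiry is the whole point of the interface, it should be part of the documented contract: `/// Implementations should throw CryptographicException if the protected data is invalid, malformed, or expired.` The interface summary and the `CreateProtector` docs also look copied from `IDataProtector` ("An interface that can provide data protection services", "Creates an IDataProtector") and never mention the time limit or the `ITimeLimitedDataProtector` return type.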
--- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs @@ -202,6 +202,22 @@ namespace Microsoft.AspNet.Security.DataProtection return GetString("Common_PayloadProducedByNewerVersion"); } + /// + /// The payload expired at {0}. + /// + internal static string TimeLimitedDataProtector_PayloadExpired + { + get { return GetString("TimeLimitedDataProtector_PayloadExpired"); } + } + + /// + /// The payload expired at {0}. + /// + internal static string FormatTimeLimitedDataProtector_PayloadExpired(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("TimeLimitedDataProtector_PayloadExpired"), p0); + } + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx index b03285c38d..8029969b2a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx @@ -153,4 +153,7 @@ The protected payload cannot be decrypted because it was protected with a newer version of the protection provider. + + The payload expired at {0}. + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs new file mode 100644 index 0000000000..2bcf57dadd --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs 
@@ -0,0 +1,101 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector + { + internal const string PurposeString = "Microsoft.AspNet.Security.DataProtection.TimeLimitedDataProtector"; + + public TimeLimitedDataProtector(IDataProtector innerProtector) + { + InnerProtector = innerProtector; + } + + internal IDataProtector InnerProtector + { + get; + private set; + } + + public ITimeLimitedDataProtector CreateProtector([NotNull] string purpose) + { + return new TimeLimitedDataProtector(InnerProtector.CreateProtector(purpose)); + } + + public byte[] Protect([NotNull] byte[] unprotectedData) + { + return Protect(unprotectedData, DateTimeOffset.MaxValue); + } + + public byte[] Protect([NotNull] byte[] unprotectedData, DateTimeOffset expiration) + { + // We prepend the expiration time (as a big-endian 64-bit UTC tick count) to the unprotected data. 
+ ulong utcTicksExpiration = (ulong)expiration.UtcTicks; + + byte[] unprotectedDataWithHeader = new byte[checked(8 + unprotectedData.Length)]; + unprotectedDataWithHeader[0] = (byte)(utcTicksExpiration >> 56); + unprotectedDataWithHeader[1] = (byte)(utcTicksExpiration >> 48); + unprotectedDataWithHeader[2] = (byte)(utcTicksExpiration >> 40); + unprotectedDataWithHeader[3] = (byte)(utcTicksExpiration >> 32); + unprotectedDataWithHeader[4] = (byte)(utcTicksExpiration >> 24); + unprotectedDataWithHeader[5] = (byte)(utcTicksExpiration >> 16); + unprotectedDataWithHeader[6] = (byte)(utcTicksExpiration >> 8); + unprotectedDataWithHeader[7] = (byte)(utcTicksExpiration); + Buffer.BlockCopy(unprotectedData, 0, unprotectedDataWithHeader, 8, unprotectedData.Length); + + return InnerProtector.Protect(unprotectedDataWithHeader); + } + + public byte[] Unprotect([NotNull] byte[] protectedData) + { + DateTimeOffset unused; + return Unprotect(protectedData, out unused); + } + + public byte[] Unprotect([NotNull] byte[] protectedData, out DateTimeOffset expiration) + { + try + { + byte[] unprotectedDataWithHeader = InnerProtector.Unprotect(protectedData); + CryptoUtil.Assert(unprotectedDataWithHeader.Length >= 8, "No header present."); + + // Read expiration time back out of the payload + ulong utcTicksExpiration = (((ulong)unprotectedDataWithHeader[0]) << 56) + | (((ulong)unprotectedDataWithHeader[1]) << 48) + | (((ulong)unprotectedDataWithHeader[2]) << 40) + | (((ulong)unprotectedDataWithHeader[3]) << 32) + | (((ulong)unprotectedDataWithHeader[4]) << 24) + | (((ulong)unprotectedDataWithHeader[5]) << 16) + | (((ulong)unprotectedDataWithHeader[6]) << 8) + | (ulong)unprotectedDataWithHeader[7]; + + // Are we expired? 
+ DateTime utcNow = DateTime.UtcNow; + if ((ulong)utcNow.Ticks > utcTicksExpiration) + { + throw Error.TimeLimitedDataProtector_PayloadExpired(utcTicksExpiration); + } + + byte[] retVal = new byte[unprotectedDataWithHeader.Length - 8]; + Buffer.BlockCopy(unprotectedDataWithHeader, 8, retVal, 0, retVal.Length); + + expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero); + return retVal; + } + catch (Exception ex) if (!(ex is CryptographicException)) + { + // Homogenize all failures to CryptographicException + throw Error.CryptCommon_GenericError(ex); + } + } + + IDataProtector IDataProtectionProvider.CreateProtector([NotNull] string purpose) + { + return CreateProtector(purpose); + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs index 53fc15656c..6993f4ab9b 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs 
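Review bot: `Protect(byte[] unprotectedData)` forwards to `Protect(unprotectedData, DateTimeOffset.MaxValue)`, so any code that holds this object as a plain `IDataProtector` silently produces payloads that never expire. That is easy to miss when a "time-limited" protector is passed into a component that only knows the base interface. I would state it on the method, e.g. `// No expiration supplied: the payload is stamped with DateTimeOffset.MaxValue and is effectively non-expiring.`, and mirror that sentence in the XML docs of `ITimeLimitedDataProtector`.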
@@ -11,6 +11,34 @@ namespace Microsoft.AspNet.Security.DataProtection.Test { public class DataProtectionExtensionsTests { + [Fact] + public void AsTimeLimitedProtector_ProtectorIsAlreadyTimeLimited_ReturnsThis() + { + // Arrange + var originalProtector = new Mock().Object; + + // Act + var retVal = originalProtector.AsTimeLimitedDataProtector(); + + // Assert + Assert.Same(originalProtector, retVal); + } + + [Fact] + public void AsTimeLimitedProtector_ProtectorIsNotTimeLimited_CreatesNewProtector() + { + // Arrange + var innerProtector = new Mock().Object; + var outerProtectorMock = new Mock(); + outerProtectorMock.Setup(o => o.CreateProtector("Microsoft.AspNet.Security.DataProtection.TimeLimitedDataProtector")).Returns(innerProtector); + + // Act + var timeLimitedProtector = (TimeLimitedDataProtector)outerProtectorMock.Object.AsTimeLimitedDataProtector(); + + // Assert + Assert.Same(innerProtector, timeLimitedProtector.InnerProtector); + } + [Fact] public void Protect_InvalidUtf_Failure() { diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/TimeLimitedDataProtectorTests.cs new file mode 100644 index 0000000000..671eb65aec --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/TimeLimitedDataProtectorTests.cs 
@@ -0,0 +1,87 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test +{ + public class TimeLimitedDataProtectorTests + { + [Fact] + public void CreateProtector_And_Protect() + { + // Arrange + // 0x08c1220247e44000 is the representation of midnight 2000-01-01 UTC. + DateTimeOffset expiration = new DateTimeOffset(new DateTime(2000, 1, 1, 0, 0, 0, DateTimeKind.Utc)); + Mock innerProtectorMock = new Mock(); + innerProtectorMock.Setup(o => o.Protect(new byte[] { 0x08, 0xc1, 0x22, 0x02, 0x47, 0xe4, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x10, 0x11 }); + Mock outerProtectorMock = new Mock(); + outerProtectorMock.Setup(p => p.CreateProtector("new purpose")).Returns(innerProtectorMock.Object); + + // Act + var timeLimitedProtector = new TimeLimitedDataProtector(outerProtectorMock.Object); + var subProtector = timeLimitedProtector.CreateProtector("new purpose"); + var protectedPayload = subProtector.Protect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }, expiration); + + // Assert + Assert.Equal(new byte[] { 0x10, 0x11 }, protectedPayload); + } + + [Fact] + public void ExpiredData_Fails() + { + // Arrange + var timeLimitedProtector = CreateEphemeralTimeLimitedProtector(); + var expiration = DateTimeOffset.UtcNow.AddYears(-1); + + // Act & assert + var protectedData = timeLimitedProtector.Protect(new byte[] { 0x04, 0x08, 0x0c }, expiration); + Assert.Throws(() => + { + timeLimitedProtector.Unprotect(protectedData); + }); + } + + [Fact] + public void GoodData_RoundTrips() + { + // Arrange + var timeLimitedProtector = CreateEphemeralTimeLimitedProtector(); + var expectedExpiration = DateTimeOffset.UtcNow.AddYears(1); + + // Act + var protectedData = timeLimitedProtector.Protect(new 
byte[] { 0x04, 0x08, 0x0c }, expectedExpiration); + DateTimeOffset actualExpiration; + var unprotectedData = timeLimitedProtector.Unprotect(protectedData, out actualExpiration); + + // Assert + Assert.Equal(new byte[] { 0x04, 0x08, 0x0c }, unprotectedData); + Assert.Equal(expectedExpiration, actualExpiration); + } + + [Fact] + public void Protect_NoExpiration_UsesDateTimeOffsetMaxValue() + { + // Should pass DateTimeOffset.MaxValue (utc ticks = 0x2bca2875f4373fff) if no expiration date specified + + // Arrange + Mock innerProtectorMock = new Mock(); + innerProtectorMock.Setup(o => o.Protect(new byte[] { 0x2b, 0xca, 0x28, 0x75, 0xf4, 0x37, 0x3f, 0xff,0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x10, 0x11 }); + + // Act + var timeLimitedProtector = new TimeLimitedDataProtector(innerProtectorMock.Object); + var protectedPayload = timeLimitedProtector.Protect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }); + + // Assert + Assert.Equal(new byte[] { 0x10, 0x11 }, protectedPayload); + } + + private static TimeLimitedDataProtector CreateEphemeralTimeLimitedProtector() + { + return new TimeLimitedDataProtector(new EphemeralDataProtectionProvider().CreateProtector("purpose")); + } + } +} From 796acc0e348484421a8e7ccf621b3efd36d89c67 Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 15 Oct 2014 14:04:43 -0700 Subject: [PATCH 055/493] Restore Win7 + Server Core support routines. --- .../SafeHandles/SafeLibraryHandle.cs | 96 ++++++++++++------- .../UnsafeNativeMethods.cs | 18 ++-- 2 files changed, 66 insertions(+), 48 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs index 789edd4686..59202a0c5c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs 
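Review bot: No test in this new file covers the `unprotectedDataWithHeader.Length >= 8` guard in `TimeLimitedDataProtector.Unprotect`; the suite only exercises well-formed payloads and an expired one. A case where the inner protector returns fewer than 8 bytes would pin down that a truncated header is rejected and surfaces as `CryptographicException`. The exception type that `CryptoUtil.Assert` throws is not visible here, so the expected type below assumes the catch filter homogenizes it. Generic type arguments are written out in the sketch because the page rendering dropped them.

```csharp
[Fact]
public void Unprotect_PayloadShorterThanHeader_Fails()
{
    // Arrange: inner protector yields 3 bytes, fewer than the 8-byte expiration header
    Mock<IDataProtector> innerProtectorMock = new Mock<IDataProtector>();
    innerProtectorMock.Setup(o => o.Unprotect(new byte[] { 0x10, 0x11 })).Returns(new byte[] { 0x01, 0x02, 0x03 });
    var timeLimitedProtector = new TimeLimitedDataProtector(innerProtectorMock.Object);

    // Act & assert
    Assert.Throws<CryptographicException>(() =>
    {
        timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 });
    });
}
```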
@@ -21,7 +21,8 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles { // Called by P/Invoke when returning SafeHandles private SafeLibraryHandle() - : base(ownsHandle: true) { } + : base(ownsHandle: true) + { } /// /// Returns a value stating whether the library exports a given proc. @@ -32,33 +33,6 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles return (pfnProc != IntPtr.Zero); } - /// - /// Gets a delegate pointing to a given export from this library. - /// - public TDelegate GetProcAddress(string lpProcName, bool throwIfNotFound = true) where TDelegate : class - { - Debug.Assert(typeof(Delegate).IsAssignableFrom(typeof(TDelegate)), "TDelegate must be a delegate type!"); - - IntPtr pfnProc = UnsafeNativeMethods.GetProcAddress(this, lpProcName); - if (pfnProc == IntPtr.Zero) - { - if (throwIfNotFound) - { - UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); - } - else - { - return null; - } - } - -#if ASPNETCORE50 - return Marshal.GetDelegateForFunctionPointer(pfnProc); -#else - return (TDelegate)(object)Marshal.GetDelegateForFunctionPointer(pfnProc, typeof(TDelegate)); -#endif - } - /// /// Forbids this library from being unloaded. The library will remain loaded until process termination, /// regardless of how many times FreeLibrary is called. 
@@ -113,12 +87,35 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles } } + /// + /// Gets a delegate pointing to a given export from this library. + /// + public TDelegate GetProcAddress(string lpProcName, bool throwIfNotFound = true) where TDelegate : class + { + Debug.Assert(typeof(Delegate).IsAssignableFrom(typeof(TDelegate)), "TDelegate must be a delegate type!"); + + IntPtr pfnProc = UnsafeNativeMethods.GetProcAddress(this, lpProcName); + if (pfnProc == IntPtr.Zero) + { + if (throwIfNotFound) + { + UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); + } + else + { + return null; + } + } + + return Marshal.GetDelegateForFunctionPointer(pfnProc); + } + /// /// Opens a library. If 'filename' is not a fully-qualified path, the default search path is used. /// public static SafeLibraryHandle Open(string filename) { - SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibrary(filename); + SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibraryEx(filename, IntPtr.Zero, 0); if (handle == null || handle.IsInvalid) { UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); 
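Review bot: `Open` now calls `LoadLibraryEx(filename, IntPtr.Zero, 0)`, and a `dwFlags` of 0 keeps the default DLL search order, so a bare file name can resolve from the application directory before the system directory. For callers that load Windows system libraries by name, this is a chance to pin the search to System32. That could be done with a named constant `private const uint LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800;` and a call such as `UnsafeNativeMethods.LoadLibraryEx(filename, IntPtr.Zero, LOAD_LIBRARY_SEARCH_SYSTEM32)`, perhaps through a dedicated overload. On Windows 7 that flag needs update KB2533623, so a fallback may be required given the commit's stated Win7 target. At minimum the doc comment on `Open` should say that callers are expected to pass a fully-qualified path for anything security-sensitive.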
@@ -137,10 +134,19 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles #endif private static class UnsafeNativeMethods { +#if ASPNETCORE50 + private const string CORE_LIBRARY_LOADER_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; + private const string CORE_LOCALIZATION_LIB = "api-ms-win-core-localization-l1-2-0.dll"; +#else private const string KERNEL32_LIB = "kernel32.dll"; +#endif // http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx +#if ASPNETCORE50 + [DllImport(CORE_LOCALIZATION_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] +#else [DllImport(KERNEL32_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] +#endif public static extern int FormatMessage( [In] uint dwFlags, [In] SafeLibraryHandle lpSource, 
@@ -153,30 +159,46 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if !ASPNETCORE50 +#if ASPNETCORE50 + [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] +#else [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] +#endif internal static extern bool FreeLibrary(IntPtr hModule); // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#if ASPNETCORE50 + [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#else + [DllImport(KERNEL32_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#endif internal static extern bool GetModuleHandleEx( [In] uint dwFlags, [In] SafeLibraryHandle lpModuleName, // can point to a location within the module if GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS is set [Out] out IntPtr phModule); // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true, BestFitMapping = false, ThrowOnUnmappableChar = true)] +#if ASPNETCORE50 + [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#else + [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#endif internal static extern IntPtr GetProcAddress( [In] SafeLibraryHandle hModule, [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); - // 
http://msdn.microsoft.com/en-us/library/ms684175(v=vs.85).aspx - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] - internal static extern SafeLibraryHandle LoadLibrary( - [In, MarshalAs(UnmanagedType.LPWStr)] string lpFileName); + // http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx +#if ASPNETCORE50 + [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#else + [DllImport(KERNEL32_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#endif + internal static extern SafeLibraryHandle LoadLibraryEx( + [In, MarshalAs(UnmanagedType.LPWStr)] string lpFileName, + [In] IntPtr hFile, + [In] uint dwFlags); internal static void ThrowExceptionForLastWin32Error() { diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs index c3721ed328..372578fa84 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs @@ -242,6 +242,13 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint dwFlags, [Out] out DATA_BLOB pDataOut); + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380262(v=vs.85).aspx + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] + public static extern bool CryptProtectMemory( + [In] SafeHandle pData, + [In] uint cbData, + [In] uint dwFlags); + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx internal static extern bool CryptUnprotectData( 
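Review bot: The new `GetProcAddress` import drops `ExactSpelling = true, BestFitMapping = false, ThrowOnUnmappableChar = true`, which the removed attribute had. `lpProcName` is still marshalled as `LPStr`, so with the defaults an unmappable character in the name is best-fit converted instead of raising an error, and a different export than the one asked for could be looked up. The proc names passed in are probably constants, but restoring the settings costs nothing. Both branches of the `#if` could read `[DllImport(..., CallingConvention = CallingConvention.Winapi, SetLastError = true, ExactSpelling = true, BestFitMapping = false, ThrowOnUnmappableChar = true)]`.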
@@ -253,17 +260,6 @@ namespace Microsoft.AspNet.Security.DataProtection [In] uint dwFlags, [Out] out DATA_BLOB pDataOut); - /* - * CRYPT32.DLL - */ - - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380262(v=vs.85).aspx - [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] - public static extern bool CryptProtectMemory( - [In] SafeHandle pData, - [In] uint cbData, - [In] uint dwFlags); - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380890(v=vs.85).aspx [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] public static extern bool CryptUnprotectMemory( From cd33cbfc8fc3945b531bc3cd1e25f53a0dc89baf Mon Sep 17 00:00:00 2001 From: Levi B Date: Thu, 16 Oct 2014 10:32:16 -0700 Subject: [PATCH 056/493] Add unit tests for CngAuthenticatedEncryptorBase, PBKDF2, and SP800_108-CTR-HMACSHA512. --- .../Managed/ManagedAuthenticatedEncryptor.cs | 12 +- .../ManagedSP800_108_CTR_HMACSHA512.cs | 8 ++ .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 48 ++------ .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../SafeHandles/BCryptAlgorithmHandle.cs | 2 - .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 109 ++++++++++++++++++ ....AspNet.Security.DataProtection.Test.kproj | 3 - .../PBKDF2/Pbkdf2Tests.cs | 66 +++++++++++ .../Properties/AssemblyInfo.cs | 8 ++ .../SP800_108/SP800_108Tests.cs | 90 +++++++++++++++ 10 files changed, 293 insertions(+), 55 deletions(-) create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/Properties/AssemblyInfo.cs create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index eedc30c5c5..8965539a29 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -219,7 +219,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed try { _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk)); - DeriveKeysWithContextHeader( + ManagedSP800_108_CTR_HMACSHA512.DeriveKeysWithContextHeader( kdk: decryptedKdk, label: additionalAuthenticatedData, contextHeader: _contextHeader, @@ -285,14 +285,6 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed } } - private static void DeriveKeysWithContextHeader(byte[] kdk, ArraySegment label, byte[] contextHeader, ArraySegment context, Func prfFactory, ArraySegment output) - { - byte[] combinedContext = new byte[checked(contextHeader.Length + context.Count)]; - Buffer.BlockCopy(contextHeader, 0, combinedContext, 0, contextHeader.Length); - Buffer.BlockCopy(context.Array, context.Offset, combinedContext, contextHeader.Length, context.Count); - ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(kdk, label, new ArraySegment(combinedContext), prfFactory, output); - } - public void Dispose() { _keyDerivationKey.Dispose(); @@ -336,7 +328,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed try { _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk)); - DeriveKeysWithContextHeader( + ManagedSP800_108_CTR_HMACSHA512.DeriveKeysWithContextHeader( kdk: decryptedKdk, label: additionalAuthenticatedData, contextHeader: _contextHeader, 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs index 38dbe359e1..1ffa2e21f8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs @@ -53,5 +53,13 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 } } } + + public static void DeriveKeysWithContextHeader(byte[] kdk, ArraySegment label, byte[] contextHeader, ArraySegment context, Func prfFactory, ArraySegment output) + { + byte[] combinedContext = new byte[checked(contextHeader.Length + context.Count)]; + Buffer.BlockCopy(contextHeader, 0, combinedContext, 0, contextHeader.Length); + Buffer.BlockCopy(context.Array, context.Offset, combinedContext, contextHeader.Length, context.Count); + DeriveKeys(kdk, label, new ArraySegment(combinedContext), prfFactory, output); + } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index e87017a8f1..1f6787eb84 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -2,8 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; -using Microsoft.Win32.SafeHandles; +using Microsoft.AspNet.Security.DataProtection.Cng; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { 
@@ -16,8 +15,6 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 /// internal unsafe static class SP800_108_CTR_HMACSHA512Util { - private static readonly bool _isWin8OrLater = GetIsRunningWin8OrLater(); - // Creates a provider with an empty key. public static ISP800_108_CTR_HMACSHA512Provider CreateEmptyProvider() { @@ -28,9 +25,14 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 // Creates a provider from the given key. public static ISP800_108_CTR_HMACSHA512Provider CreateProvider(byte* pbKdk, uint cbKdk) { - return (_isWin8OrLater) - ? (ISP800_108_CTR_HMACSHA512Provider)new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk) - : (ISP800_108_CTR_HMACSHA512Provider)new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); + if (OSVersionUtil.IsBCryptOnWin8OrLaterAvailable()) + { + return new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); + } + else + { + return new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); + } } // Creates a provider from the given secret. @@ -57,37 +59,5 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 } } } - - private static bool GetIsRunningWin8OrLater() - { - // In priority order, our three implementations are Win8, Win7, and "other". - - const string BCRYPT_LIB = "bcrypt.dll"; - - SafeLibraryHandle bcryptLibHandle = null; - try - { - bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB); - } - catch - { - // BCrypt not available? We'll fall back to managed code paths. - } - - if (bcryptLibHandle != null) - { - using (bcryptLibHandle) - { - if (bcryptLibHandle.DoesProcExist("BCryptKeyDerivation")) - { - // We're running on Win8+. - return true; - } - } - } - - // Not running on Win8+ - return false; - } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs index 2aa5d58b6b..30af954f1e 100644 
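Review bot: The branches in `CreateProvider` look inverted: when `OSVersionUtil.IsBCryptOnWin8OrLaterAvailable()` is true the new code returns `Win7SP800_108_CTR_HMACSHA512Provider`, and otherwise `Win8SP800_108_CTR_HMACSHA512Provider`. The removed ternary mapped the Win8+ case to the Win8 provider. As written, a Windows 7 host would get the Win8 provider, which presumably needs the `BCryptKeyDerivation` export that the removed probe checked for, so key derivation would fail there. Unless the helper's meaning is the opposite of its name (it is not visible in this hunk), the true branch should be `return new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk);` and the else branch `return new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk);`.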
--- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs @@ -90,7 +90,7 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { hashHandle.HashData(pbKdk, cbKdk, pbHashedKey, SHA512_DIGEST_SIZE_IN_BYTES); } - return CachedAlgorithmHandles.SP800_108_CTR_HMAC.GenerateSymmetricKey(pbKdk, cbKdk); + return CachedAlgorithmHandles.SP800_108_CTR_HMAC.GenerateSymmetricKey(pbHashedKey, SHA512_DIGEST_SIZE_IN_BYTES); } finally { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs index 2b72ae08d9..f8fe267f88 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs @@ -38,8 +38,6 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles public BCryptHashHandle CreateHmac(byte* pbKey, uint cbKey) { Debug.Assert(pbKey != null); - Debug.Assert(cbKey != 0); - return CreateHashImpl(pbKey, cbKey); } diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs new file mode 100644 index 0000000000..603186a009 --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs 
@@ -0,0 +1,109 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Security.DataProtection.Cng; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test.Cng +{ + public unsafe class CngAuthenticatedEncryptorBaseTests + { + [Fact] + public void Decrypt_ForwardsArraySegment() + { + // Arrange + var ciphertext = new ArraySegment(new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04 }, 3, 2); + var aad = new ArraySegment(new byte[] { 0x10, 0x11, 0x12, 0x13, 0x14 }, 1, 4); + + var encryptorMock = new Mock(); + encryptorMock + .Setup(o => o.DecryptHook(It.IsAny(), 2, It.IsAny(), 4)) + .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) => + { + // ensure that pointers started at the right place + Assert.Equal((byte)0x03, *(byte*)pbCiphertext); + Assert.Equal((byte)0x11, *(byte*)pbAdditionalAuthenticatedData); + return new byte[] { 0x20, 0x21, 0x22 }; + }); + + // Act + var retVal = encryptorMock.Object.Decrypt(ciphertext, aad); + + // Assert + Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); + } + + [Fact] + public void Decrypt_HandlesEmptyAADPointerFixup() + { + // Arrange + var ciphertext = new ArraySegment(new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04 }, 3, 2); + var aad = new ArraySegment(new byte[0]); + + var encryptorMock = new Mock(); + encryptorMock + .Setup(o => o.DecryptHook(It.IsAny(), 2, It.IsAny(), 0)) + .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) => + { + // ensure that pointers started at the right place + Assert.Equal((byte)0x03, *(byte*)pbCiphertext); + Assert.NotEqual(IntPtr.Zero, pbAdditionalAuthenticatedData); // CNG will complain if this pointer is zero + return new byte[] { 0x20, 0x21, 0x22 }; + }); + + // 
Act + var retVal = encryptorMock.Object.Decrypt(ciphertext, aad); + + // Assert + Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); + } + + [Fact] + public void Decrypt_HandlesEmptyCiphertextPointerFixup() + { + // Arrange + var ciphertext = new ArraySegment(new byte[0]); + var aad = new ArraySegment(new byte[] { 0x10, 0x11, 0x12, 0x13, 0x14 }, 1, 4); + + var encryptorMock = new Mock(); + encryptorMock + .Setup(o => o.DecryptHook(It.IsAny(), 0, It.IsAny(), 4)) + .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) => + { + // ensure that pointers started at the right place + Assert.NotEqual(IntPtr.Zero, pbCiphertext); // CNG will complain if this pointer is zero + Assert.Equal((byte)0x11, *(byte*)pbAdditionalAuthenticatedData); + return new byte[] { 0x20, 0x21, 0x22 }; + }); + + // Act + var retVal = encryptorMock.Object.Decrypt(ciphertext, aad); + + // Assert + Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); + } + + internal abstract class MockableEncryptor : CngAuthenticatedEncryptorBase + { + public override void Dispose() + { + } + + public abstract byte[] DecryptHook(IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData); + + protected override sealed unsafe byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) + { + return DecryptHook((IntPtr)pbCiphertext, cbCiphertext, (IntPtr)pbAdditionalAuthenticatedData, cbAdditionalAuthenticatedData); + } + + public abstract byte[] EncryptHook(IntPtr pbPlaintext, uint cbPlaintext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer); + + protected override sealed unsafe byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer) + { + return 
EncryptHook((IntPtr)pbPlaintext, cbPlaintext, (IntPtr)pbAdditionalAuthenticatedData, cbAdditionalAuthenticatedData, cbPreBuffer, cbPostBuffer); + } + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj index 34cf58a991..ea86cb2e90 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj @@ -22,8 +22,5 @@ 2.0 - - - \ No newline at end of file diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs new file mode 100644 index 0000000000..501f759a89 --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs 
@@ -0,0 +1,66 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Text; +using Microsoft.AspNet.Security.DataProtection.PBKDF2; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 +{ + public class Pbkdf2Tests + { + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF. We only use 5 iterations so + // that our unit tests are fast. + [Theory] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] + public void RunTest_Normal(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) + { + // Arrange + byte[] salt = new byte[256]; + for (int i = 0; i < salt.Length; i++) 
+ { + salt[i] = (byte)i; + } + + // Act & assert - fully managed, Win7, and Win8 + TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedValueAsBase64); + TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedValueAsBase64); + TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedValueAsBase64); + } + + [Fact] + public void RunTest_WithLongPassword() + { + // Arrange + string password = new String('x', 50000); // 50,000 char password + byte[] salt = Encoding.UTF8.GetBytes("salt"); + const string expectedDerivedKeyBase64 = "Sc+V/c3fiZq5Z5qH3iavAiojTsW97FAp2eBNmCQAwCNzA8hfhFFYyQLIMK65qPnBFHOHXQPwAxNQNhaEAH9hzfiaNBSRJpF9V4rpl02d5ZpI6cZbsQFF7TJW7XJzQVpYoPDgJlg0xVmYLhn1E9qMtUVUuXsBjOOdd7K1M+ZI00c="; + const KeyDerivationPrf prf = KeyDerivationPrf.Sha256; + const int iterationCount = 5; + const int numBytesRequested = 128; + + // Act & assert - fully managed, Win7, and Win8 + TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedDerivedKeyBase64); + TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedDerivedKeyBase64); + TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedDerivedKeyBase64); + } + + private static void TestProvider(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedDerivedKeyAsBase64) + where TProvider : IPbkdf2Provider, new() + { + byte[] derivedKey = new TProvider().DeriveKey(password, salt, prf, iterationCount, numBytesRequested); + Assert.Equal(numBytesRequested, derivedKey.Length); + Assert.Equal(expectedDerivedKeyAsBase64, Convert.ToBase64String(derivedKey)); + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..3f8188a594 --- /dev/null 
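Review bot: The expected values in `RunTest_Normal` and `RunTest_WithLongPassword` are not tied to any published PBKDF2 vector, so the three `TestProvider` calls only show that the providers agree with whatever implementation produced these Base64 strings. A separate `[Fact]` that runs each provider against one of the RFC 6070 PBKDF2-HMAC-SHA1 vectors would anchor at least the SHA-1 path to an independent reference. The generic argument of each `TestProvider` call is not visible in this rendering, so which providers are covered is taken from the `// Act & assert - fully managed, Win7, and Win8` comment only.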
+++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Properties/AssemblyInfo.cs @@ -0,0 +1,8 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; + +// for unit testing +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs new file mode 100644 index 0000000000..9feb26b816 --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs 
@@ -0,0 +1,90 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using System.Text; +using Microsoft.AspNet.Security.DataProtection.SP800_108; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test.SP800_108 +{ + public unsafe class SP800_108Tests + { + private delegate ISP800_108_CTR_HMACSHA512Provider ProviderFactory(byte* pbKdk, uint cbKdk); + + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). + [Theory] + [InlineData(512 / 8 - 1, "V47WmHzPSkdC2vkLAomIjCzZlDOAetll3yJLcSvon7LJFjJpEN+KnSNp+gIpeydKMsENkflbrIZ/3s6GkEaH")] + [InlineData(512 / 8 + 0, "mVaFM4deXLl610CmnCteNzxgbM/VkmKznAlPauHcDBn0le06uOjAKLHx0LfoU2/Ttq9nd78Y6Nk6wArmdwJgJg==")] + [InlineData(512 / 8 + 1, "GaHPeqdUxriFpjRtkYQYWr5/iqneD/+hPhVJQt4rXblxSpB1UUqGqL00DMU/FJkX0iMCfqUjQXtXyfks+p++Ev4=")] + public void DeriveKeyWithContextHeader_Normal(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + // Arrange + byte[] kdk = Encoding.UTF8.GetBytes("kdk"); + byte[] label = Encoding.UTF8.GetBytes("label"); + byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); + byte[] context = Encoding.UTF8.GetBytes("context"); + + // Act & assert - managed, Win7, Win8 + TestManagedKeyDerivation(kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + TestCngKeyDerivation((pbKdk, cbKdk) => new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + TestCngKeyDerivation((pbKdk, cbKdk) => new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + } + + // The 'numBytesRequested' 
parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). + [Theory] + [InlineData(512 / 8 - 1, "rt2hM6kkQ8hAXmkHx0TU4o3Q+S7fie6b3S1LAq107k++P9v8uSYA2G+WX3pJf9ZkpYrTKD7WUIoLkgA1R9lk")] + [InlineData(512 / 8 + 0, "RKiXmHSrWq5gkiRSyNZWNJrMR0jDyYHJMt9odOayRAE5wLSX2caINpQmfzTH7voJQi3tbn5MmD//dcspghfBiw==")] + [InlineData(512 / 8 + 1, "KedXO0zAIZ3AfnPqY1NnXxpC3HDHIxefG4bwD3g6nWYEc5+q7pjbam71Yqj0zgHMNC9Z7BX3wS1/tajFocRWZUk=")] + public void DeriveKeyWithContextHeader_LongKey(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + // Arrange + byte[] kdk = new byte[50000]; // CNG can't normally handle a 50,000 byte KDK, but we coerce it into working :) + for (int i = 0; i < kdk.Length; i++) + { + kdk[i] = (byte)i; + } + + byte[] label = Encoding.UTF8.GetBytes("label"); + byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); + byte[] context = Encoding.UTF8.GetBytes("context"); + + // Act & assert - managed, Win7, Win8 + TestManagedKeyDerivation(kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + TestCngKeyDerivation((pbKdk, cbKdk) => new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + TestCngKeyDerivation((pbKdk, cbKdk) => new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + } + + private static void TestCngKeyDerivation(ProviderFactory factory, byte[] kdk, byte[] label, byte[] contextHeader, byte[] context, int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + byte[] derivedSubkey = new byte[numDerivedBytes]; + + fixed (byte* pbKdk = kdk) + fixed (byte* pbLabel = label) + fixed (byte* pbContext = context) + fixed (byte* pbDerivedSubkey = derivedSubkey) + { + ISP800_108_CTR_HMACSHA512Provider provider = factory(pbKdk, (uint)kdk.Length); + 
provider.DeriveKeyWithContextHeader(pbLabel, (uint)label.Length, contextHeader, pbContext, (uint)context.Length, pbDerivedSubkey, (uint)derivedSubkey.Length); + } + + Assert.Equal(expectedDerivedSubkeyAsBase64, Convert.ToBase64String(derivedSubkey)); + } + + private static void TestManagedKeyDerivation(byte[] kdk, byte[] label, byte[] contextHeader, byte[] context, int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + var labelSegment = new ArraySegment(new byte[label.Length + 10], 3, label.Length); + Buffer.BlockCopy(label, 0, labelSegment.Array, labelSegment.Offset, labelSegment.Count); + var contextSegment = new ArraySegment(new byte[context.Length + 10], 5, context.Length); + Buffer.BlockCopy(context, 0, contextSegment.Array, contextSegment.Offset, contextSegment.Count); + var derivedSubkeySegment = new ArraySegment(new byte[numDerivedBytes + 10], 4, numDerivedBytes); + + ManagedSP800_108_CTR_HMACSHA512.DeriveKeysWithContextHeader(kdk, labelSegment, contextHeader, contextSegment, + bytes => new HMACSHA512(bytes), derivedSubkeySegment); + Assert.Equal(expectedDerivedSubkeyAsBase64, Convert.ToBase64String(derivedSubkeySegment.AsStandaloneArray())); + } + } +} From fd677047f4cd277dce78939d150591376712e3c2 Mon Sep 17 00:00:00 2001 From: Stephen Halter Date: Thu, 16 Oct 2014 17:34:19 -0700 Subject: [PATCH 057/493] Change GetService call to GetRequiredService Remove the assertion that the returned service is not null, since the GetRequiredService extension method will throw instead of ever returning null. --- .../DefaultDataProtectionProvider.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs index 98ebba69dd..f733d8b161 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs 
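Review bot: `TestManagedKeyDerivation` places the label, the context and the output inside larger arrays at non-zero offsets, but it asserts only on the bytes inside `derivedSubkeySegment`, so a write that lands outside the segment would go unnoticed. After the `DeriveKeysWithContextHeader` call, also assert that the 4 bytes before `derivedSubkeySegment.Offset` and the 6 bytes after the segment are still zero, under a comment such as `// guard bytes around the output segment must be untouched`. In `TestCngKeyDerivation` the provider returned by `factory` is never released; if `ISP800_108_CTR_HMACSHA512Provider` is disposable (its declaration is not visible here), it should be wrapped in `using`.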
+++ b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs @@ -21,8 +21,7 @@ namespace Microsoft.AspNet.Security.DataProtection collection.Add(defaultServices); var serviceProvider = collection.BuildServiceProvider(); - _innerProvider = (IDataProtectionProvider)serviceProvider.GetService(typeof(IDataProtectionProvider)); - CryptoUtil.Assert(_innerProvider != null, "_innerProvider != null"); + _innerProvider = serviceProvider.GetRequiredService(); } public DefaultDataProtectionProvider( From 8fc3607a6854affbd6b69cde63f6d14d390b3369 Mon Sep 17 00:00:00 2001 From: Levi B Date: Fri, 17 Oct 2014 11:31:51 -0700 Subject: [PATCH 058/493] Fix Win7 vs Win8 detection logic for SP800-108-CTR-HMACSHA512. --- .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index 1f6787eb84..7eb8d4070d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -27,11 +27,11 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { if (OSVersionUtil.IsBCryptOnWin8OrLaterAvailable()) { - return new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); + return new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); } else { - return new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); + return new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); } } From ca95189a3baae38848b92dbec6fcfa948907eb6f Mon Sep 17 00:00:00 2001 
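Review bot: No test visible on this page exercises the provider selection corrected in `SP800_108_CTR_HMACSHA512Util`; the tests in `SP800_108Tests` construct `Win7SP800_108_CTR_HMACSHA512Provider` and `Win8SP800_108_CTR_HMACSHA512Provider` directly, which is presumably how the swapped branches went unnoticed. A test that calls this factory method and checks the returned type against `OSVersionUtil.IsBCryptOnWin8OrLaterAvailable()` would pin the selection. The method's signature and the start of its body are outside the hunk.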
From: Levi B Date: Mon, 20 Oct 2014 13:43:03 -0700 Subject: [PATCH 059/493] Allow DpapiNGXmlEncryptor to get the current identity's SID on CoreCLR. --- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 9 +-------- .../project.json | 1 + 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index bb123d73b3..b6930aa488 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -4,15 +4,12 @@ using System; using System.Globalization; using System.IO; +using System.Security.Principal; using System.Xml.Linq; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.KeyManagement; using Microsoft.AspNet.Security.DataProtection.SafeHandles; -#if !ASPNETCORE50 -using System.Security.Principal; -#endif - namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption { /// @@ -79,7 +76,6 @@ namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption private static string GetDefaultProtectionDescriptorString() { -#if !ASPNETCORE50 // Creates a SID=... protection descriptor string for the current user. // Reminder: DPAPI:NG provides only encryption, not authentication. using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent()) @@ -87,9 +83,6 @@ namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption // use the SID to create an SDDL string return String.Format(CultureInfo.InvariantCulture, "SID={0}", currentIdentity.User.Value); } -#else - throw new NotImplementedException("TODO: Doesn't yet work on Core CLR."); -#endif } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index b7a1aad940..a6382d436f 100644 
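Review bot: With the `#if !ASPNETCORE50` guard removed in the `@@ -79` and `@@ -87` hunks, `GetDefaultProtectionDescriptorString` dereferences `currentIdentity.User.Value` on every target, and `WindowsIdentity.User` can be null (for example for an anonymous identity), which would surface as a `NullReferenceException` while the protection descriptor is being built. A guard such as `if (currentIdentity.User == null) { throw new InvalidOperationException("The current identity has no SID."); }` before the `String.Format` call would make the failure diagnosable. The method is otherwise unchanged by this commit.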
--- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -44,6 +44,7 @@ "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", "System.Security.Cryptography.RandomNumberGenerator": "4.0.0-beta-*", + "System.Security.Principal.Windows": "4.0.0-beta-*", "System.Text.Encoding.Extensions": "4.0.10-beta-*", "System.Threading": "4.0.0-beta-*", "System.Xml.XDocument": "4.0.0-beta-*" From 76b76ba099ba5ad932adb9b6ef4d19bf99a61593 Mon Sep 17 00:00:00 2001 From: Levi B Date: Mon, 20 Oct 2014 14:12:04 -0700 Subject: [PATCH 060/493] DataProtectionServices should use keys stored in HKLM auto-gen registry when running on IIS without user profile. --- .../Cng/DpapiSecretSerializerHelper.cs | 4 +- .../DataProtectionServices.cs | 29 +++-- .../Repositories/RegistryXmlRepository.cs | 117 ++++++++++++++++++ .../XmlEncryption/DpapiXmlEncryptor.cs | 9 +- .../project.json | 1 + 5 files changed, 150 insertions(+), 10 deletions(-) create mode 100644 src/Microsoft.AspNet.Security.DataProtection/Repositories/RegistryXmlRepository.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs index 6c0f368847..9f1dbb2a6e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -22,7 +22,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng private static readonly byte[] _purpose = Encoding.UTF8.GetBytes("DPAPI-Protected Secret"); - public static byte[] ProtectWithDpapi(ISecret secret) + public static byte[] ProtectWithDpapi(ISecret secret, bool protectToLocalMachine = false) { Debug.Assert(secret != null); 
@@ -34,7 +34,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); fixed (byte* pbPurpose = _purpose) { - return ProtectWithDpapiImpl(pbPlaintextSecret, (uint)plaintextSecret.Length, pbPurpose, (uint)_purpose.Length); + return ProtectWithDpapiImpl(pbPlaintextSecret, (uint)plaintextSecret.Length, pbPurpose, (uint)_purpose.Length, fLocalMachine: protectToLocalMachine); } } finally diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs index f24ae68036..cc3d2d7731 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs 
@@ -72,18 +72,33 @@ namespace Microsoft.AspNet.Security.DataProtection { descriptors.AddRange(new[] { - describe.Singleton(), + describe.Instance(new DpapiXmlEncryptor(protectToLocalMachine: false)), describe.Instance(new FileSystemXmlRepository(localAppDataKeysFolder)) }); } else { - // Are we running with no user profile (e.g., IIS service)? - // Fall back to DPAPI for now. - // TODO: We should use the IIS auto-gen reg keys as our repository. - return new[] { - describe.Instance(new DpapiDataProtectionProvider(DataProtectionScope.LocalMachine)) - }; + // If we've reached this point, we have no user profile loaded. + + RegistryXmlRepository hklmRegXmlRepository = RegistryXmlRepository.GetDefaultRepositoryForHKLMRegistry(); + if (hklmRegXmlRepository != null) + { + // Have WAS and IIS created an auto-gen key folder in the HKLM registry for us? + // If so, use it as the repository, and use DPAPI as the key protection mechanism. + // We use same-machine DPAPI since we already know no user profile is loaded. + descriptors.AddRange(new[] + { + describe.Instance(new DpapiXmlEncryptor(protectToLocalMachine: true)), + describe.Instance(hklmRegXmlRepository) + }); + } + else + { + // Fall back to DPAPI for now + return new[] { + describe.Instance(new DpapiDataProtectionProvider(DataProtectionScope.LocalMachine)) + }; + } } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.Security.DataProtection/Repositories/RegistryXmlRepository.cs new file mode 100644 index 0000000000..6ebbed369b --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/Repositories/RegistryXmlRepository.cs 
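Review bot: The new HKLM branch protects key material with `new DpapiXmlEncryptor(protectToLocalMachine: true)`, and a machine-scoped DPAPI blob can be unprotected by any process on the same machine, so the confidentiality of the stored keys rests on the ACL of the registry key returned by `RegistryXmlRepository.GetDefaultRepositoryForHKLMRegistry()`. The comment `// We use same-machine DPAPI since we already know no user profile is loaded.` gives the reason but not the consequence; I would add `// Machine-scoped DPAPI is not bound to this identity: the registry key's ACL is what keeps other local accounts away from the keys.` Nothing in this hunk sets or checks that ACL, so the assumption should be confirmed against how WAS/IIS provisions the key. The enclosing method starts and ends outside the hunk.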
@@ -0,0 +1,117 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Globalization; +using System.IO; +using System.Linq; +using System.Security.Principal; +using System.Xml.Linq; +using Microsoft.Win32; + +namespace Microsoft.AspNet.Security.DataProtection.Repositories +{ + /// + /// An XML repository backed by the Windows registry. + /// + public class RegistryXmlRepository : IXmlRepository + { + public RegistryXmlRepository([NotNull] RegistryKey registryKey) + { + RegistryKey = registryKey; + } + + protected RegistryKey RegistryKey + { + get; + private set; + } + + public virtual IReadOnlyCollection GetAllElements() + { + // forces complete enumeration + return GetAllElementsImpl().ToArray(); + } + + private IEnumerable GetAllElementsImpl() + { + string[] allValueNames = RegistryKey.GetValueNames(); + foreach (var valueName in allValueNames) + { + string thisValue = RegistryKey.GetValue(valueName) as string; + if (!String.IsNullOrEmpty(thisValue)) + { + XDocument document; + using (var textReader = new StringReader(thisValue)) + { + document = XDocument.Load(textReader); + } + + // 'yield return' outside the preceding 'using' block so we can release the reader + yield return document.Root; + } + } + } + + internal static RegistryXmlRepository GetDefaultRepositoryForHKLMRegistry() + { + try + { + // Try reading the auto-generated machine key from HKLM + using (var hklmBaseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32)) + { + // TODO: Do we need to change the version number below? 
+ string aspnetAutoGenKeysBaseKeyName = String.Format(CultureInfo.InvariantCulture, @"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{0}", WindowsIdentity.GetCurrent().User.Value); + var aspnetBaseKey = hklmBaseKey.OpenSubKey(aspnetAutoGenKeysBaseKeyName, writable: true); + if (aspnetBaseKey == null) + { + return null; // couldn't find the auto-generated machine key + } + + using (aspnetBaseKey) { + // TODO: Remove the ".BETA" moniker. + var dataProtectionKey = aspnetBaseKey.OpenSubKey("DataProtection.BETA", writable: true); + if (dataProtectionKey == null) + { + // TODO: Remove the ".BETA" moniker from here, also. + dataProtectionKey = aspnetBaseKey.CreateSubKey("DataProtection.BETA"); + } + + // Once we've opened the HKLM reg key, return a repository which wraps it. + return new RegistryXmlRepository(dataProtectionKey); + } + } + } + catch + { + // swallow all errors; they're not fatal + return null; + } + } + + public virtual void StoreElement([NotNull] XElement element, string friendlyName) + { + // We're going to ignore the friendly name for now and just use a GUID. + StoreElement(element, Guid.NewGuid()); + } + + private void StoreElement(XElement element, Guid id) + { + // First, serialize the XElement to a string. + string serializedString; + using (var writer = new StringWriter()) + { + new XDocument(element).Save(writer); + serializedString = writer.ToString(); + } + + // Technically calls to RegSetValue* and RegGetValue* are atomic, so we don't have to worry about + // another thread trying to read this value while we're writing it. There's still a small risk of + // data corruption if power is lost while the registry file is being flushed to the file system, + // but the window for that should be small enough that we shouldn't have to worry about it. + string idAsString = id.ToString("D"); + RegistryKey.SetValue(idAsString, serializedString, RegistryValueKind.String); + } + } +} 
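Review bot: The bare `catch` that ends `GetDefaultRepositoryForHKLMRegistry` turns every failure into `null`, so an access-denied error or an unexpected bug silently moves the application onto the caller's fallback key store with no trace of why. Narrow it to the registry failures that are expected when the key is absent or inaccessible and let anything else propagate. `WindowsIdentity.GetCurrent()` is also never disposed and its `User` is dereferenced without a null check; the rewrite below covers both.

```csharp
internal static RegistryXmlRepository GetDefaultRepositoryForHKLMRegistry()
{
    try
    {
        string currentUserSid;
        using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent())
        {
            if (currentIdentity.User == null)
            {
                return null; // no SID, so there is no per-identity auto-gen key to look up
            }
            currentUserSid = currentIdentity.User.Value;
        }

        // … unchanged: open HKLM, format the AutoGenKeys path with currentUserSid,
        //   open or create the DataProtection.BETA subkey, return the repository …
    }
    catch (UnauthorizedAccessException)
    {
        return null; // the registry ACL denies this identity
    }
    catch (System.Security.SecurityException)
    {
        return null; // the caller lacks registry permission
    }
    catch (IOException)
    {
        return null; // the key was deleted or the registry could not be read
    }
}
```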
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 718758673f..6f33ed7ebf 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -16,6 +16,13 @@ namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption { internal static readonly XName DpapiEncryptedSecretElementName = XmlKeyManager.KeyManagementXmlNamespace.GetName("dpapiEncryptedSecret"); + private readonly bool _protectToLocalMachine; + + public DpapiXmlEncryptor(bool protectToLocalMachine) + { + _protectToLocalMachine = protectToLocalMachine; + } + /// /// Encrypts the specified XML element using Windows DPAPI. /// @@ -45,7 +52,7 @@ namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption // // ... base64 data ... // - byte[] encryptedBytes = DpapiSecretSerializerHelper.ProtectWithDpapi(secret); + byte[] encryptedBytes = DpapiSecretSerializerHelper.ProtectWithDpapi(secret, protectToLocalMachine: _protectToLocalMachine); return new XElement(DpapiEncryptedSecretElementName, new XAttribute("decryptor", typeof(DpapiXmlDecryptor).AssemblyQualifiedName), new XAttribute("version", 1), diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index a6382d436f..51b85a98a0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -27,6 +27,7 @@ "dependencies": { "Microsoft.Framework.DependencyInjection": "1.0.0-*", "Microsoft.Framework.OptionsModel": "1.0.0-*", + "Microsoft.Win32.Registry": "4.0.0-beta-*", "System.Diagnostics.Debug": "4.0.10-beta-*", "System.Diagnostics.Tools": "4.0.0-beta-*", "System.Globalization": "4.0.10-beta-*", From 5f157d697692b4c80adee83c9e3319e8256e46ee Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Tue, 21 Oct 2014 12:41:35 -0700 Subject: [PATCH 061/493] Updating build.sh to work on Mono --- build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.sh b/build.sh index 4323aefc48..c7873ef58e 100644 --- a/build.sh +++ b/build.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash if test `uname` = Darwin; then cachedir=~/Library/Caches/KBuild @@ -28,7 +28,7 @@ if test ! -d packages/KoreBuild; then fi if ! type k > /dev/null 2>&1; then - source setup/kvm.sh + source packages/KoreBuild/build/kvm.sh fi if ! type k > /dev/null 2>&1; then From 6e557dc19321618548e6fa56965981fa66ab65d4 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 21 Oct 2014 15:30:35 -0700 Subject: [PATCH 062/493] Fix ManagedAuthenticatedEncryptor not round-tripping payloads correctly. --- .../Managed/ManagedAuthenticatedEncryptor.cs | 4 +- .../ManagedAuthenticatedEncryptorTests.cs | 111 ++++++++++++++++++ .../{Cng => }/SequentialGenRandom.cs | 19 ++- 3 files changed, 129 insertions(+), 5 deletions(-) create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs rename test/Microsoft.AspNet.Security.DataProtection.Test/{Cng => }/SequentialGenRandom.cs (51%) diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 8965539a29..6d43753665 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs 
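Review bot: The second hunk makes the script run `source packages/KoreBuild/build/kvm.sh`, so the build shell now executes whatever the restored KoreBuild package contains instead of a file tracked in the repository. The restore step is outside this hunk; if it installs KoreBuild without a fixed version, the code that runs here can change between builds without a commit. I would pin the package version at the restore step and add a comment above this line, `# kvm.sh comes from the restored KoreBuild package; keep the package version pinned`.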
@@ -49,7 +49,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); - _genRandom = _genRandom ?? ManagedGenRandomImpl.Instance; + _genRandom = genRandom ?? ManagedGenRandomImpl.Instance; _keyDerivationKey = keyDerivationKey; // Validate that the symmetric algorithm has the properties we require @@ -302,7 +302,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed // Step 1: Generate a random key modifier and IV for this operation. // Both will be equal to the block size of the block cipher algorithm. - byte[] keyModifier = _genRandom.GenRandom(_symmetricAlgorithmSubkeyLengthInBytes); + byte[] keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES); byte[] iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes); // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header. diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs new file mode 100644 index 0000000000..bed597f852 --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs 
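Review bot: The comment kept above the changed line in the second hunk, `// Both will be equal to the block size of the block cipher algorithm.`, does not match the new code: the key modifier is `KEY_MODIFIER_SIZE_IN_BYTES` long and only the IV follows `_symmetricAlgorithmBlockSizeInBytes`. I would reword it to `// The key modifier has a fixed size; the IV matches the block size of the block cipher algorithm.` so the header layout is stated correctly next to the code that writes it. The same two hunks appear again in PATCH 063 further down the page and the remark applies there too. The enclosing method starts and ends outside the hunk.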
@@ -0,0 +1,111 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Linq; +using System.Security.Cryptography; +using System.Text; +using Microsoft.AspNet.Security.DataProtection.Managed; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test.Managed +{ + public class ManagedAuthenticatedEncryptorTests + { + [Fact] + public void Encrypt_Decrypt_RoundTrips() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + ManagedAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk, + symmetricAlgorithmFactory: Aes.Create, + symmetricAlgorithmKeySizeInBytes: 256 / 8, + validationAlgorithmFactory: () => new HMACSHA256()); + ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); + ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); + + // Act + byte[] ciphertext = encryptor.Encrypt(plaintext, aad); + byte[] decipheredtext = encryptor.Decrypt(new ArraySegment(ciphertext), aad); + + // Assert + Assert.Equal(plaintext, decipheredtext); + } + + [Fact] + public void Encrypt_Decrypt_Tampering_Fails() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + ManagedAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk, + symmetricAlgorithmFactory: Aes.Create, + symmetricAlgorithmKeySizeInBytes: 256 / 8, + validationAlgorithmFactory: () => new HMACSHA256()); + ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); + ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); + byte[] validCiphertext = encryptor.Encrypt(plaintext, aad); + + // Act & assert - 1 + // Ciphertext is too short to be a valid payload + byte[] invalidCiphertext_tooShort = new byte[10]; + Assert.Throws(() => + { + encryptor.Decrypt(new 
ArraySegment(invalidCiphertext_tooShort), aad); + }); + + // Act & assert - 2 + // Ciphertext has been manipulated + byte[] invalidCiphertext_manipulated = (byte[])validCiphertext.Clone(); + invalidCiphertext_manipulated[0] ^= 0x01; + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(invalidCiphertext_manipulated), aad); + }); + + // Act & assert - 3 + // Ciphertext is too long + byte[] invalidCiphertext_tooLong = validCiphertext.Concat(new byte[] { 0 }).ToArray(); + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(invalidCiphertext_tooLong), aad); + }); + + // Act & assert - 4 + // AAD is incorrect + Assert.Throws(() => + { + encryptor.Decrypt(new ArraySegment(validCiphertext), new ArraySegment(Encoding.UTF8.GetBytes("different aad"))); + }); + } + + [Fact] + public void Encrypt_KnownKey() + { + // Arrange + ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(Encoding.UTF8.GetBytes("master key")); + ManagedAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk, + symmetricAlgorithmFactory: Aes.Create, + symmetricAlgorithmKeySizeInBytes: 256 / 8, + validationAlgorithmFactory: () => new HMACSHA256(), + genRandom: new SequentialGenRandom()); + ArraySegment plaintext = new ArraySegment(new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 }, 2, 3); + ArraySegment aad = new ArraySegment(new byte[] { 7, 6, 5, 4, 3, 2, 1, 0 }, 1, 4); + + // Act + byte[] retVal = encryptor.Encrypt( + plaintext: plaintext, + additionalAuthenticatedData: aad); + + // Assert + + // retVal := 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F (keyModifier) + // | 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F (IV) + // | B7 EA 3E 32 58 93 A3 06 03 89 C6 66 03 63 08 4B (encryptedData) + // | 9D 8A 85 C7 0F BD 98 D8 7F 72 E7 72 3E B5 A6 26 (HMAC) + // | 6C 38 77 F7 66 19 A2 C9 2C BB AD DA E7 62 00 00 + + string retValAsString = Convert.ToBase64String(retVal); + 
Assert.Equal("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh+36j4yWJOjBgOJxmYDYwhLnYqFxw+9mNh/cudyPrWmJmw4d/dmGaLJLLut2udiAAA=", retValAsString); + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/SequentialGenRandom.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/SequentialGenRandom.cs similarity index 51% rename from test/Microsoft.AspNet.Security.DataProtection.Test/Cng/SequentialGenRandom.cs rename to test/Microsoft.AspNet.Security.DataProtection.Test/SequentialGenRandom.cs index f995199dbb..59dcb6e9cb 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/SequentialGenRandom.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/SequentialGenRandom.cs @@ -3,16 +3,29 @@ using System; using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Security.DataProtection.Managed; -namespace Microsoft.AspNet.Security.DataProtection.Test.Cng +namespace Microsoft.AspNet.Security.DataProtection.Test { - internal unsafe class SequentialGenRandom : IBCryptGenRandom + internal unsafe class SequentialGenRandom : IBCryptGenRandom, IManagedGenRandom { + private byte _value; + + public byte[] GenRandom(int numBytes) + { + byte[] bytes = new byte[numBytes]; + for (int i = 0; i < bytes.Length; i++) + { + bytes[i] = _value++; + } + return bytes; + } + public void GenRandom(byte* pbBuffer, uint cbBuffer) { for (uint i = 0; i < cbBuffer; i++) { - pbBuffer[i] = (byte)i; + pbBuffer[i] = _value++; } } } From bd529b3b5ba1920ead8cd1f707e449feffd2332d Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 22 Oct 2014 11:45:39 -0700 Subject: [PATCH 063/493] Fix ManagedAuthenticatedEncryptor not round-tripping payloads properly. --- .../Managed/ManagedAuthenticatedEncryptor.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
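Review bot: `Encrypt_Decrypt_Tampering_Fails` flips only bit 0 of byte 0, which by the layout comment in `Encrypt_KnownKey` falls inside the key modifier, so the test never shows that a change to the IV, the encrypted data or the trailing HMAC is rejected. Add one case per region, for example `invalidCiphertext_manipulated[validCiphertext.Length - 1] ^= 0x01;` for the MAC and the same flip at offsets 16 and 32 for the IV and the first ciphertext block. The exception type passed to `Assert.Throws` is not visible in this rendering, so whether all four existing cases expect the same type cannot be checked from here.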
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 8965539a29..6d43753665 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -49,7 +49,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); - _genRandom = _genRandom ?? ManagedGenRandomImpl.Instance; + _genRandom = genRandom ?? ManagedGenRandomImpl.Instance; _keyDerivationKey = keyDerivationKey; // Validate that the symmetric algorithm has the properties we require @@ -302,7 +302,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed // Step 1: Generate a random key modifier and IV for this operation. // Both will be equal to the block size of the block cipher algorithm. - byte[] keyModifier = _genRandom.GenRandom(_symmetricAlgorithmSubkeyLengthInBytes); + byte[] keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES); byte[] iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes); // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header. From f38e258f89e04fcb2be0441aa15d953001155e65 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 24 Oct 2014 08:24:39 -0700 Subject: [PATCH 064/493] Removing unused references from project.json --- .../project.json | 10 +---- .../project.json | 40 +++++-------------- 2 files changed, 12 insertions(+), 38 deletions(-) 
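Review bot: In the `@@ -49,7 +49,7 @@` hunk the corrected assignment means a caller-supplied `genRandom` now really replaces `ManagedGenRandomImpl.Instance` as the source of key modifiers and IVs, yet the line has no comment saying who is expected to pass one. The constructor signature is outside the hunk, so its reachability cannot be judged from here; if it is visible beyond the test assembly, a predictable generator would repeat key modifier and IV values under the same key. I would document the intent at the assignment, for example `// genRandom is a test seam; production callers pass null so ManagedGenRandomImpl.Instance is used.`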
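Review bot: In the `@@ -302,7 +302,7 @@` hunk the context comment above the changed line still says "Both will be equal to the block size of the block cipher algorithm", which no longer matches the code: the key modifier is `KEY_MODIFIER_SIZE_IN_BYTES` long and only the IV is sized from `_symmetricAlgorithmBlockSizeInBytes`. Suggest rewording it to `// The key modifier is KEY_MODIFIER_SIZE_IN_BYTES long; the IV is one cipher block long.` The diffstat lists only this file, so unless one already exists, a round-trip test with a symmetric key size different from the key-modifier size would pin the behaviour this commit fixes. The enclosing method starts and ends outside the hunk.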
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json index 3d898a14be..a68098e722 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json @@ -2,17 +2,11 @@ "version": "1.0.0-*", "dependencies": { "Microsoft.AspNet.Security.DataProtection": "1.0.0-*", - "Microsoft.Framework.OptionsModel": "1.0.0-*", "WindowsAzure.Storage": "4.3.0" }, - "frameworkDependencies": { - "System.Xml.Linq": "4.0.0.0" - }, "frameworks": { - "net451": { - }, - "aspnet50": { - } + "net451": {}, + "aspnet50": {} }, "compilationOptions": { "warningsAsErrors": true, diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 51b85a98a0..311e3c1b3f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json 
@@ -1,53 +1,33 @@ { "version": "1.0.0-*", + "dependencies": { + "Microsoft.Framework.DependencyInjection": "1.0.0-*", + "Microsoft.Framework.OptionsModel": "1.0.0-*" + }, "frameworks": { "net451": { - "dependencies": { - "Microsoft.Framework.DependencyInjection": "1.0.0-*", - "Microsoft.Framework.OptionsModel": "1.0.0-*" - }, "frameworkAssemblies": { - "System.Security": "4.0.0.0", - "System.Xml": "4.0.0.0", - "System.Xml.Linq": "4.0.0.0" + "System.Security": "", + "System.Xml": "", + "System.Xml.Linq": "" } }, "aspnet50": { - "dependencies": { - "Microsoft.Framework.DependencyInjection": "1.0.0-*", - "Microsoft.Framework.OptionsModel": "1.0.0-*" - }, "frameworkAssemblies": { - "System.Security": "4.0.0.0", - "System.Xml": "4.0.0.0", - "System.Xml.Linq": "4.0.0.0" + "System.Security": "", + "System.Xml": "", + "System.Xml.Linq": "" } }, "aspnetcore50": { "dependencies": { - "Microsoft.Framework.DependencyInjection": "1.0.0-*", - "Microsoft.Framework.OptionsModel": "1.0.0-*", "Microsoft.Win32.Registry": "4.0.0-beta-*", - "System.Diagnostics.Debug": "4.0.10-beta-*", - "System.Diagnostics.Tools": "4.0.0-beta-*", - "System.Globalization": "4.0.10-beta-*", - "System.IO.FileSystem": "4.0.0-beta-*", - "System.Linq": "4.0.0-beta-*", - "System.Reflection": "4.0.10-beta-*", - "System.Reflection.TypeExtensions": "4.0.0-beta-*", - "System.Resources.ResourceManager": "4.0.0-beta-*", - "System.Runtime": "4.0.20-beta-*", - "System.Runtime.Extensions": "4.0.10-beta-*", - "System.Runtime.Handles": "4.0.0-beta-*", - "System.Runtime.InteropServices": "4.0.20-beta-*", "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", - "System.Security.Cryptography.Encryption": "4.0.0-beta-*", "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", "System.Security.Cryptography.RandomNumberGenerator": "4.0.0-beta-*", "System.Security.Principal.Windows": "4.0.0-beta-*", "System.Text.Encoding.Extensions": 
"4.0.10-beta-*", - "System.Threading": "4.0.0-beta-*", "System.Xml.XDocument": "4.0.0-beta-*" } } From 6797dfea48edf6b50e0a6cc188fa33e16615c24c Mon Sep 17 00:00:00 2001 From: Levi B Date: Mon, 27 Oct 2014 12:55:59 -0700 Subject: [PATCH 065/493] Fix %APPDATA% detection logic. --- .../DataProtectionServices.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs index cc3d2d7731..5ba4a766b1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs @@ -138,7 +138,7 @@ namespace Microsoft.AspNet.Security.DataProtection #if !ASPNETCORE50 // Environment.GetFolderPath returns null if the user profile isn't loaded. string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); - if (folderPath != null) + if (!String.IsNullOrEmpty(folderPath)) { // TODO: Remove BETA moniker from below. return new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA")); From fc4213b1f836a0bab8a9aa74c3cbcc9151fb27f2 Mon Sep 17 00:00:00 2001 From: Levi B Date: Mon, 27 Oct 2014 16:16:16 -0700 Subject: [PATCH 066/493] Reliability: Don't compile against 'experimental' language features. This will help prevent Roslyn changes from breaking us. --- .../project.json | 3 +-- .../project.json | 3 +-- src/Microsoft.AspNet.Security.DataProtection/project.json | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json index a68098e722..af9195cea8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json 
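Review bot: The context comment directly above the changed check in `DataProtectionServices.cs` still reads "Environment.GetFolderPath returns null if the user profile isn't loaded", while the new `String.IsNullOrEmpty` test is there because an empty string has to be rejected too. Leaving the comment as it is invites a later simplification back to `!= null`, after which `Path.Combine("", "ASP.NET", "keys-BETA")` would give a relative key directory resolved against the process working directory. Suggest `// Environment.GetFolderPath returns null or an empty string if the user profile isn't loaded.` The enclosing method continues outside the hunk, so the fallback taken when no folder is found is not visible here.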
@@ -9,7 +9,6 @@ "aspnet50": {} }, "compilationOptions": { - "warningsAsErrors": true, - "languageVersion": "experimental" + "warningsAsErrors": true } } diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json index dae44c5f5c..2da692ac97 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json @@ -11,7 +11,6 @@ } }, "compilationOptions": { - "warningsAsErrors": true, - "languageVersion": "experimental" + "warningsAsErrors": true } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 311e3c1b3f..bac82e263b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -34,7 +34,6 @@ }, "compilationOptions": { "allowUnsafe": true, - "warningsAsErrors": true, - "languageVersion": "experimental" + "warningsAsErrors": true } } From 1768bfd25fa3369b3a662a37d79d0389ae984131 Mon Sep 17 00:00:00 2001 From: David Fowler Date: Fri, 31 Oct 2014 03:00:59 -0700 Subject: [PATCH 067/493] Added package descriptions --- src/Microsoft.AspNet.Security.DataProtection.Azure/project.json | 1 + .../project.json | 1 + src/Microsoft.AspNet.Security.DataProtection/project.json | 1 + 3 files changed, 3 insertions(+) diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json index 3d898a14be..7c99d8ce4a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json 
@@ -1,5 +1,6 @@ { "version": "1.0.0-*", + "description": "ASP.NET 5 blob storage repository for DataProtection.", "dependencies": { "Microsoft.AspNet.Security.DataProtection": "1.0.0-*", "Microsoft.Framework.OptionsModel": "1.0.0-*", diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json index dae44c5f5c..f001bca3bf 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json @@ -1,5 +1,6 @@ { "version": "1.0.0-*", + "description": "A component to allow the ASP.NET 5 DataProtection stack to work with the ASP.NET 4.x element.", "frameworks": { "net451": { "dependencies": { diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 51b85a98a0..e9f98000fa 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -1,5 +1,6 @@ { "version": "1.0.0-*", + "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", "frameworks": { "net451": { "dependencies": { From cce11ad2aebd9a1cfa52c992d19f13d278410e55 Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 5 Nov 2014 14:48:56 -0800 Subject: [PATCH 068/493] Update .kproj files to follow modern conventions --- ...AspNet.Security.DataProtection.Azure.kproj | 18 +++++--------- ...ecurity.DataProtection.Compatibility.kproj | 18 +++++--------- ...osoft.AspNet.Security.DataProtection.kproj | 18 +++++--------- ....AspNet.Security.DataProtection.Test.kproj | 24 +++++-------------- 4 files changed, 24 insertions(+), 54 deletions(-) 
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj index 753c52ebda..3277304679 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj @@ -1,20 +1,14 @@ - - + + - 12.0 + 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) DF3671D7-A9B1-45F1-A195-0AD596001735 - Library - - - - - - - 2.0 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ - \ No newline at end of file + diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj index 01ea1f2f00..79690e9bea 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj @@ -1,20 +1,14 @@ - - + + - 12.0 + 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) C2FD9D02-AA0E-45FA-8561-EE357A94B73D - Library - - - - - - - 2.0 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ - \ No newline at end of file + diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index 7b46ab4e41..70300fe12b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj 
+++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -1,20 +1,14 @@ - - + + - 12.0 + 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) 1e570cd4-6f12-44f4-961e-005ee2002bc2 - Library - - - - - - - 2.0 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ - \ No newline at end of file + diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj index ea86cb2e90..7da1469334 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj @@ -1,26 +1,14 @@ - - + + - 12.0 + 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) 7a637185-2ba1-437d-9d4c-7cc4f94cf7bf - Library - - - ConsoleDebugger - - - WebDebugger - - - - - - - 2.0 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ - \ No newline at end of file + From 71d283a4c0d517453eeba6c21688e547c59ac255 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 6 Nov 2014 10:11:44 -0800 Subject: [PATCH 069/493] Updating to release NuGet.config --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index f41e9c631d..2d3b0cb857 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + From 641c4528e93546288b3da61ed0dadfd22eed72e2 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 6 Nov 2014 10:11:44 -0800 Subject: [PATCH 070/493] Updating to release NuGet.config --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index f41e9c631d..2d3b0cb857 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + 
From f3e9381f165f6defd0384dfe78af64ccb3d03af0 Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Mon, 24 Nov 2014 16:40:13 -0800 Subject: [PATCH 071/493] GetServices -> AddDataProtection --- ...aProtectionServiceCollectionExtensions.cs} | 22 ++++++------------- .../DefaultDataProtectionProvider.cs | 5 +---- 2 files changed, 8 insertions(+), 19 deletions(-) rename src/Microsoft.AspNet.Security.DataProtection/{DataProtectionServices.cs => DataProtectionServiceCollectionExtensions.cs} (90%) diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs similarity index 90% rename from src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs rename to src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs index 5ba4a766b1..d1e0f56124 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -5,6 +5,7 @@ using System; using System.Collections.Generic; using System.IO; using System.Security.Cryptography; +using Microsoft.AspNet.Security.DataProtection; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.Dpapi; 
@@ -12,28 +13,19 @@ using Microsoft.AspNet.Security.DataProtection.KeyManagement; using Microsoft.AspNet.Security.DataProtection.Repositories; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; using Microsoft.Framework.ConfigurationModel; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.OptionsModel; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.Framework.DependencyInjection { - public static class DataProtectionServices + public static class DataProtectionServiceCollectionExtensions { - public static IEnumerable GetDefaultServices() - { - return GetDefaultServices(new Configuration()); - } - - public static IEnumerable GetDefaultServices(IConfiguration configuration) + public static IServiceCollection AddDataProtection(this IServiceCollection services, IConfiguration configuration = null) { + services.AddOptions(configuration); var describe = new ServiceDescriber(configuration); - - List descriptors = new List(); - descriptors.AddRange(OptionsServices.GetDefaultServices(configuration)); - descriptors.AddRange(OSVersionUtil.IsBCryptOnWin7OrLaterAvailable() + services.TryAdd(OSVersionUtil.IsBCryptOnWin7OrLaterAvailable() ? GetDefaultServicesWindows(describe) : GetDefaultServicesNonWindows(describe)); - return descriptors; + return services; } private static IEnumerable GetDefaultServicesNonWindows(ServiceDescriber describe) diff --git a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs index f733d8b161..9f5ed3e54d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs 
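Review bot: `AddDataProtection` defaults `configuration` to null and passes it straight to `services.AddOptions(configuration)` and `new ServiceDescriber(configuration)`, whereas the removed parameterless `GetDefaultServices()` substituted `new Configuration()`. Whether both callees accept null is not visible in this hunk; if they do not, the `DefaultDataProtectionProvider` constructor, which now calls `AddDataProtection()` with no arguments, would fail when it is constructed. Either restore the old default with `configuration = configuration ?? new Configuration();` or state in an XML doc comment on the method that null is allowed. That doc comment should also say that `TryAdd` keeps any data-protection services registered earlier, since that decides which key storage and encryptor end up in use.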
@@ -16,10 +16,7 @@ namespace Microsoft.AspNet.Security.DataProtection public DefaultDataProtectionProvider() { // use DI defaults - var collection = new ServiceCollection(); - var defaultServices = DataProtectionServices.GetDefaultServices(); - collection.Add(defaultServices); - var serviceProvider = collection.BuildServiceProvider(); + var serviceProvider = new ServiceCollection().AddDataProtection().BuildServiceProvider(); _innerProvider = serviceProvider.GetRequiredService(); } From 0c841f934ec514ef29e2056726af1fdff5fd2126 Mon Sep 17 00:00:00 2001 From: Victor Hurdugaci Date: Tue, 25 Nov 2014 10:36:04 -0800 Subject: [PATCH 072/493] Add schema version to kproj files --- .../Microsoft.AspNet.Security.DataProtection.Azure.kproj | 3 +++ ...icrosoft.AspNet.Security.DataProtection.Compatibility.kproj | 3 +++ .../Microsoft.AspNet.Security.DataProtection.kproj | 3 +++ .../Microsoft.AspNet.Security.DataProtection.Test.kproj | 3 +++ 4 files changed, 12 insertions(+) diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj index 3277304679..60874ae6e1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj @@ -10,5 +10,8 @@ ..\..\artifacts\obj\$(MSBuildProjectName) ..\..\artifacts\bin\$(MSBuildProjectName)\ + + 2.0 + diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj index 79690e9bea..1be00812a1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj 
+++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj @@ -10,5 +10,8 @@ ..\..\artifacts\obj\$(MSBuildProjectName) ..\..\artifacts\bin\$(MSBuildProjectName)\ + + 2.0 + diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index 70300fe12b..876b528aad 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -10,5 +10,8 @@ ..\..\artifacts\obj\$(MSBuildProjectName) ..\..\artifacts\bin\$(MSBuildProjectName)\ + + 2.0 + diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj index 7da1469334..b92a332f71 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj @@ -10,5 +10,8 @@ ..\..\artifacts\obj\$(MSBuildProjectName) ..\..\artifacts\bin\$(MSBuildProjectName)\ + + 2.0 + From 641cb38d5d5d27f6944aff070b3a731924ccd084 Mon Sep 17 00:00:00 2001 From: Suhas Joshi Date: Mon, 8 Dec 2014 15:12:36 -0800 Subject: [PATCH 073/493] Updating to release NuGet.config --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index f41e9c631d..2d3b0cb857 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + From ae6698a92434ea94c1dca8300e685cadb99a6a11 Mon Sep 17 00:00:00 2001 
From: Suhas Joshi Date: Mon, 8 Dec 2014 15:24:14 -0800 Subject: [PATCH 074/493] Updating to dev NuGet.config --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index 2d3b0cb857..f41e9c631d 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + From 8136affef9c14c3861decc914c164238986e4de9 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 16 Dec 2014 10:21:48 -0800 Subject: [PATCH 075/493] Updating exception filters to use when instead of if --- .../BlobStorageXmlRepository.cs | 2 +- .../Cng/CngAuthenticatedEncryptorBase.cs | 4 ++-- .../DataProtectionExtensions.cs | 4 ++-- .../Dpapi/DpapiDataProtector.cs | 4 ++-- .../KeyManagement/KeyRingBasedDataProtector.cs | 4 ++-- .../Managed/ManagedAuthenticatedEncryptor.cs | 4 ++-- .../TimeLimitedDataProtector.cs | 2 +- src/Microsoft.AspNet.Security.DataProtection/project.json | 1 + 8 files changed, 13 insertions(+), 12 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs index 952b8ce28f..8e728836da 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs @@ -61,7 +61,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Azure { blobRef.DownloadToStream(memoryStream); } - catch (StorageException ex) if (ex.RequestInformation.HttpStatusCode == (int)HttpStatusCode.NotFound) + catch (StorageException ex) when (ex.RequestInformation.HttpStatusCode == (int)HttpStatusCode.NotFound) { // 404s are not a fatal error - empty keyring return null; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs index 2e00fb1cb3..37450636a3 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs @@ -30,7 +30,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy, cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count); } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize to CryptographicException. throw Error.CryptCommon_GenericError(ex); @@ -71,7 +71,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng cbPreBuffer: preBufferSize, cbPostBuffer: postBufferSize); } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize to CryptographicException. throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs index f46852c797..dbfd3a1918 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs @@ -36,7 +36,7 @@ namespace Microsoft.AspNet.Security.DataProtection byte[] protectedDataAsBytes = protector.Protect(unprotectedDataAsBytes); return WebEncoders.Base64UrlEncode(protectedDataAsBytes); } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize exceptions to CryptographicException throw Error.CryptCommon_GenericError(ex); 
@@ -60,7 +60,7 @@ namespace Microsoft.AspNet.Security.DataProtection byte[] unprotectedDataAsBytes = protector.Unprotect(protectedDataAsBytes); return CryptoUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize exceptions to CryptographicException throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs index 172a1289cc..cf734290cc 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs @@ -43,7 +43,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi return _shim.Protect(unprotectedData, _combinedPurposes, _scope) ?? CryptoUtil.Fail("Null return value."); } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize to CryptographicException throw Error.CryptCommon_GenericError(ex); @@ -57,7 +57,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi return _shim.Unprotect(protectedData, _combinedPurposes, _scope) ?? CryptoUtil.Fail("Null return value."); } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize to CryptographicException throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index cd5a78e5c1..e5891f2d02 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -131,7 +131,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement postBufferSize: 0); CryptoUtil.Assert(retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid), "retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid)"); } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // homogenize all errors to CryptographicException throw Error.Common_EncryptionFailed(ex); @@ -247,7 +247,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement CryptoUtil.Assert(retVal != null, "retVal != null"); return retVal; } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // homogenize all failures to CryptographicException throw Error.DecryptionFailed(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 6d43753665..d384a5ff4a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -278,7 +278,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed } } } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize all exceptions to CryptographicException. throw Error.CryptCommon_GenericError(ex); @@ -382,7 +382,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed } } } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize all exceptions to CryptographicException. throw Error.CryptCommon_GenericError(ex); 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs index 2bcf57dadd..09bab47aa8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs @@ -86,7 +86,7 @@ namespace Microsoft.AspNet.Security.DataProtection expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero); return retVal; } - catch (Exception ex) if (!(ex is CryptographicException)) + catch (Exception ex) when (!(ex is CryptographicException)) { // Homogenize all failures to CryptographicException throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 8d8bcd50a1..13c7159bec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -23,6 +23,7 @@ "aspnetcore50": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", + "System.IO": "4.0.10-beta-*", "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", From 47c870c8718bdca73d3d49212f2d1f1c1e961719 Mon Sep 17 00:00:00 2001 From: Brennan Date: Mon, 15 Dec 2014 15:22:36 -0800 Subject: [PATCH 076/493] Update tests to use official xunit --- .../project.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/project.json b/test/Microsoft.AspNet.Security.DataProtection.Test/project.json index bad79b6949..af25e55bfe 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/project.json 
@@ -2,13 +2,13 @@ "dependencies": { "Microsoft.AspNet.Security.DataProtection": "1.0.0-*", "Moq": "4.2.1312.1622", - "Xunit.KRunner": "1.0.0-*" + "xunit.runner.kre": "1.0.0-*" }, "frameworks": { "aspnet50": { } }, "commands": { - "test": "Xunit.KRunner" + "test": "xunit.runner.kre" }, "compilationOptions": { "allowUnsafe": true From e9c4a8c9de1b93e192830a0a0d84730a0395cc7e Mon Sep 17 00:00:00 2001 From: Levi B Date: Thu, 18 Dec 2014 12:05:20 -0800 Subject: [PATCH 077/493] Conditionally run CNG tests only on supported platforms. --- .../Cng/CbcAuthenticatedEncryptorTests.cs | 10 +- .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 10 +- .../Cng/GcmAuthenticatedEncryptorTests.cs | 10 +- ...alRunTestOnlyIfBcryptAvailableAttribute.cs | 58 ++++++++++++ .../PBKDF2/Pbkdf2Tests.cs | 85 +++++++++++++++-- .../SP800_108/SP800_108Tests.cs | 91 ++++++++++++++++++- .../project.json | 1 + 7 files changed, 245 insertions(+), 20 deletions(-) create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs index 7e2027e78a..c7c1acee95 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs @@ -6,13 +6,15 @@ using System.Linq; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Testing.xunit; using Xunit; namespace Microsoft.AspNet.Security.DataProtection.Test.Cng { public class CbcAuthenticatedEncryptorTests { - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Encrypt_Decrypt_RoundTrips() { // Arrange 
@@ -32,7 +34,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng Assert.Equal(plaintext, decipheredtext); } - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Encrypt_Decrypt_Tampering_Fails() { // Arrange @@ -78,7 +81,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng }); } - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Encrypt_KnownKey() { // Arrange diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs index 603186a009..1ccabfc429 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs @@ -3,6 +3,7 @@ using System; using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Testing.xunit; using Moq; using Xunit; @@ -10,7 +11,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng { public unsafe class CngAuthenticatedEncryptorBaseTests { - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Decrypt_ForwardsArraySegment() { // Arrange @@ -35,7 +37,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); } - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Decrypt_HandlesEmptyAADPointerFixup() { // Arrange @@ -60,7 +63,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); } - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Decrypt_HandlesEmptyCiphertextPointerFixup() { // Arrange 
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs index b1eae351d7..681de03f38 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs @@ -6,13 +6,15 @@ using System.Linq; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Testing.xunit; using Xunit; namespace Microsoft.AspNet.Security.DataProtection.Test.Cng { public class GcmAuthenticatedEncryptorTests { - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Encrypt_Decrypt_RoundTrips() { // Arrange @@ -29,7 +31,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng Assert.Equal(plaintext, decipheredtext); } - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Encrypt_Decrypt_Tampering_Fails() { // Arrange @@ -72,7 +75,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng }); } - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable] public void Encrypt_KnownKey() { // Arrange diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs new file mode 100644 index 0000000000..eb6cc86e0e --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs 
@@ -0,0 +1,58 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Globalization; +using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Testing.xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test +{ + public class ConditionalRunTestOnlyIfBcryptAvailableAttribute : Attribute, ITestCondition + { + private static readonly SafeLibraryHandle _bcryptLibHandle = GetBcryptLibHandle(); + + private readonly string _requiredExportFunction; + + public ConditionalRunTestOnlyIfBcryptAvailableAttribute(string requiredExportFunction = null) + { + _requiredExportFunction = requiredExportFunction; + } + + public bool IsMet + { + get + { + if (_bcryptLibHandle == null) + { + return false; // no bcrypt.dll available + } + + return (_requiredExportFunction == null || _bcryptLibHandle.DoesProcExist(_requiredExportFunction)); + } + } + + public string SkipReason + { + get + { + return (_bcryptLibHandle != null) + ? String.Format(CultureInfo.InvariantCulture, "Export {0} not found in bcrypt.dll", _requiredExportFunction) + : "bcrypt.dll not found on this platform."; + } + } + + private static SafeLibraryHandle GetBcryptLibHandle() + { + try + { + return SafeLibraryHandle.Open("bcrypt.dll"); + } + catch + { + // If we're not on an OS with BCRYPT.DLL, just bail. + return null; + } + } + } +} diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs index 501f759a89..6fed8294d7 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs 
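Review bot: The bare `catch` in `GetBcryptLibHandle` turns every failure of `SafeLibraryHandle.Open("bcrypt.dll")` into the skip reason "bcrypt.dll not found on this platform.", so a load problem on a Windows build machine would presumably mark all the CNG encryption and key-derivation tests as skipped rather than fail the run. `SafeLibraryHandle.Open` is defined outside this hunk, so the exception it throws for a missing library is not visible here. The catch should name that type and let anything else propagate, with a comment such as `// Only a missing bcrypt.dll may disable these tests; any other load failure must surface.` The class would also benefit from a `/// <summary>` stating that a null `requiredExportFunction` only checks that the library loads, which is what `IsMet` implements.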
@@ -4,6 +4,7 @@ using System; using System.Text; using Microsoft.AspNet.Security.DataProtection.PBKDF2; +using Microsoft.AspNet.Testing.xunit; using Xunit; namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 @@ -23,7 +24,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] - public void RunTest_Normal(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) + public void RunTest_Normal_Managed(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) { // Arrange byte[] salt = new byte[256]; 
@@ -32,14 +33,86 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 salt[i] = (byte)i; } - // Act & assert - fully managed, Win7, and Win8 + // Act & assert TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedValueAsBase64); + } + + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF. We only use 5 iterations so + // that our unit tests are fast. + [ConditionalTheory] + [ConditionalRunTestOnlyIfBcryptAvailable("BCryptDeriveKeyPBKDF2")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] + public void RunTest_Normal_Win7(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) + { + // Arrange + byte[] salt = new byte[256]; + for (int i = 0; i < salt.Length; i++) + { + salt[i] = (byte)i; + } + + // Act & assert 
TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedValueAsBase64); + } + + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF. We only use 5 iterations so + // that our unit tests are fast. + [ConditionalTheory] + [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] + [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] + [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] + [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] + public void RunTest_Normal_Win8(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) + { + // Arrange + byte[] salt = new byte[256]; + for (int i = 0; i < salt.Length; i++) + { + salt[i] = (byte)i; + } + + // Act & assert TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedValueAsBase64); } [Fact] - public void RunTest_WithLongPassword() + public void 
RunTest_WithLongPassword_Managed() + { + RunTest_WithLongPassword_Impl(); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable("BCryptDeriveKeyPBKDF2")] + public void RunTest_WithLongPassword_Win7() + { + RunTest_WithLongPassword_Impl(); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + public void RunTest_WithLongPassword_Win8() + { + RunTest_WithLongPassword_Impl(); + } + + private static void RunTest_WithLongPassword_Impl() + where TProvider : IPbkdf2Provider, new() { // Arrange string password = new String('x', 50000); // 50,000 char password @@ -49,10 +122,8 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 const int iterationCount = 5; const int numBytesRequested = 128; - // Act & assert - fully managed, Win7, and Win8 - TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedDerivedKeyBase64); - TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedDerivedKeyBase64); - TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedDerivedKeyBase64); + // Act & assert + TestProvider(password, salt, prf, iterationCount, numBytesRequested, expectedDerivedKeyBase64); } private static void TestProvider(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedDerivedKeyAsBase64) diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs index 9feb26b816..2705296ed1 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs 
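Review bot: The `[InlineData]` known-answer vectors are written out in full on both `RunTest_Normal_Win7` and `RunTest_Normal_Win8`, and the rows visible on `RunTest_Normal_Managed` match them. With three copies, a later edit to one table can leave the providers checked against different expected values without any test noticing. Keeping the vectors in one shared member, referenced from each theory with something like `[MemberData("Pbkdf2Vectors")]` (member name constructed here), would pin all three implementations to the same answers; whether `ConditionalTheory` from Microsoft.AspNet.Testing accepts member data is not visible in this hunk and needs checking. The salt-filling loop is also copied into each method and could move into one private helper, the way `RunTest_WithLongPassword_Impl` is shared in the following hunk.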
@@ -5,6 +5,7 @@ using System; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.Security.DataProtection.SP800_108; +using Microsoft.AspNet.Testing.xunit; using Xunit; namespace Microsoft.AspNet.Security.DataProtection.Test.SP800_108 @@ -19,7 +20,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.SP800_108 [InlineData(512 / 8 - 1, "V47WmHzPSkdC2vkLAomIjCzZlDOAetll3yJLcSvon7LJFjJpEN+KnSNp+gIpeydKMsENkflbrIZ/3s6GkEaH")] [InlineData(512 / 8 + 0, "mVaFM4deXLl610CmnCteNzxgbM/VkmKznAlPauHcDBn0le06uOjAKLHx0LfoU2/Ttq9nd78Y6Nk6wArmdwJgJg==")] [InlineData(512 / 8 + 1, "GaHPeqdUxriFpjRtkYQYWr5/iqneD/+hPhVJQt4rXblxSpB1UUqGqL00DMU/FJkX0iMCfqUjQXtXyfks+p++Ev4=")] - public void DeriveKeyWithContextHeader_Normal(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + public void DeriveKeyWithContextHeader_Normal_Managed(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) { // Arrange byte[] kdk = Encoding.UTF8.GetBytes("kdk"); 
@@ -27,9 +28,45 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.SP800_108 byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); byte[] context = Encoding.UTF8.GetBytes("context"); - // Act & assert - managed, Win7, Win8 + // Act & assert TestManagedKeyDerivation(kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + } + + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). + [ConditionalTheory] + [ConditionalRunTestOnlyIfBcryptAvailable] + [InlineData(512 / 8 - 1, "V47WmHzPSkdC2vkLAomIjCzZlDOAetll3yJLcSvon7LJFjJpEN+KnSNp+gIpeydKMsENkflbrIZ/3s6GkEaH")] + [InlineData(512 / 8 + 0, "mVaFM4deXLl610CmnCteNzxgbM/VkmKznAlPauHcDBn0le06uOjAKLHx0LfoU2/Ttq9nd78Y6Nk6wArmdwJgJg==")] + [InlineData(512 / 8 + 1, "GaHPeqdUxriFpjRtkYQYWr5/iqneD/+hPhVJQt4rXblxSpB1UUqGqL00DMU/FJkX0iMCfqUjQXtXyfks+p++Ev4=")] + public void DeriveKeyWithContextHeader_Normal_Win7(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + // Arrange + byte[] kdk = Encoding.UTF8.GetBytes("kdk"); + byte[] label = Encoding.UTF8.GetBytes("label"); + byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); + byte[] context = Encoding.UTF8.GetBytes("context"); + + // Act & assert TestCngKeyDerivation((pbKdk, cbKdk) => new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + } + + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). 
+ [ConditionalTheory] + [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + [InlineData(512 / 8 - 1, "V47WmHzPSkdC2vkLAomIjCzZlDOAetll3yJLcSvon7LJFjJpEN+KnSNp+gIpeydKMsENkflbrIZ/3s6GkEaH")] + [InlineData(512 / 8 + 0, "mVaFM4deXLl610CmnCteNzxgbM/VkmKznAlPauHcDBn0le06uOjAKLHx0LfoU2/Ttq9nd78Y6Nk6wArmdwJgJg==")] + [InlineData(512 / 8 + 1, "GaHPeqdUxriFpjRtkYQYWr5/iqneD/+hPhVJQt4rXblxSpB1UUqGqL00DMU/FJkX0iMCfqUjQXtXyfks+p++Ev4=")] + public void DeriveKeyWithContextHeader_Normal_Win8(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + // Arrange + byte[] kdk = Encoding.UTF8.GetBytes("kdk"); + byte[] label = Encoding.UTF8.GetBytes("label"); + byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); + byte[] context = Encoding.UTF8.GetBytes("context"); + + // Act & assert TestCngKeyDerivation((pbKdk, cbKdk) => new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); } @@ -39,7 +76,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.SP800_108 [InlineData(512 / 8 - 1, "rt2hM6kkQ8hAXmkHx0TU4o3Q+S7fie6b3S1LAq107k++P9v8uSYA2G+WX3pJf9ZkpYrTKD7WUIoLkgA1R9lk")] [InlineData(512 / 8 + 0, "RKiXmHSrWq5gkiRSyNZWNJrMR0jDyYHJMt9odOayRAE5wLSX2caINpQmfzTH7voJQi3tbn5MmD//dcspghfBiw==")] [InlineData(512 / 8 + 1, "KedXO0zAIZ3AfnPqY1NnXxpC3HDHIxefG4bwD3g6nWYEc5+q7pjbam71Yqj0zgHMNC9Z7BX3wS1/tajFocRWZUk=")] - public void DeriveKeyWithContextHeader_LongKey(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + public void DeriveKeyWithContextHeader_LongKey_Managed(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) { // Arrange byte[] kdk = new byte[50000]; // CNG can't normally handle a 50,000 byte KDK, but we coerce it into working :) 
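Review bot: The comment added above `DeriveKeyWithContextHeader_Normal_Win7` and `DeriveKeyWithContextHeader_Normal_Win8` refers to 'numBytesRequested', but the parameter these theories take is `numDerivedBytes`. The same copied comment appears in the later hunk above `DeriveKeyWithContextHeader_LongKey_Win7` and `DeriveKeyWithContextHeader_LongKey_Win8`. I would reword it to `// The 'numDerivedBytes' values below straddle the digest length of the PRF (which is hardcoded to HMACSHA512).` That comment is also the natural place to say why the Win7 variants are gated on bcrypt.dll alone while the Win8 variants require the `BCryptKeyDerivation` export.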
@@ -52,9 +89,55 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.SP800_108 byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); byte[] context = Encoding.UTF8.GetBytes("context"); - // Act & assert - managed, Win7, Win8 + // Act & assert TestManagedKeyDerivation(kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + } + + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). + [ConditionalTheory] + [ConditionalRunTestOnlyIfBcryptAvailable] + [InlineData(512 / 8 - 1, "rt2hM6kkQ8hAXmkHx0TU4o3Q+S7fie6b3S1LAq107k++P9v8uSYA2G+WX3pJf9ZkpYrTKD7WUIoLkgA1R9lk")] + [InlineData(512 / 8 + 0, "RKiXmHSrWq5gkiRSyNZWNJrMR0jDyYHJMt9odOayRAE5wLSX2caINpQmfzTH7voJQi3tbn5MmD//dcspghfBiw==")] + [InlineData(512 / 8 + 1, "KedXO0zAIZ3AfnPqY1NnXxpC3HDHIxefG4bwD3g6nWYEc5+q7pjbam71Yqj0zgHMNC9Z7BX3wS1/tajFocRWZUk=")] + public void DeriveKeyWithContextHeader_LongKey_Win7(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + // Arrange + byte[] kdk = new byte[50000]; // CNG can't normally handle a 50,000 byte KDK, but we coerce it into working :) + for (int i = 0; i < kdk.Length; i++) + { + kdk[i] = (byte)i; + } + + byte[] label = Encoding.UTF8.GetBytes("label"); + byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); + byte[] context = Encoding.UTF8.GetBytes("context"); + + // Act & assert TestCngKeyDerivation((pbKdk, cbKdk) => new Win7SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); + } + + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). 
+ [ConditionalTheory] + [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + [InlineData(512 / 8 - 1, "rt2hM6kkQ8hAXmkHx0TU4o3Q+S7fie6b3S1LAq107k++P9v8uSYA2G+WX3pJf9ZkpYrTKD7WUIoLkgA1R9lk")] + [InlineData(512 / 8 + 0, "RKiXmHSrWq5gkiRSyNZWNJrMR0jDyYHJMt9odOayRAE5wLSX2caINpQmfzTH7voJQi3tbn5MmD//dcspghfBiw==")] + [InlineData(512 / 8 + 1, "KedXO0zAIZ3AfnPqY1NnXxpC3HDHIxefG4bwD3g6nWYEc5+q7pjbam71Yqj0zgHMNC9Z7BX3wS1/tajFocRWZUk=")] + public void DeriveKeyWithContextHeader_LongKey_Win8(int numDerivedBytes, string expectedDerivedSubkeyAsBase64) + { + // Arrange + byte[] kdk = new byte[50000]; // CNG can't normally handle a 50,000 byte KDK, but we coerce it into working :) + for (int i = 0; i < kdk.Length; i++) + { + kdk[i] = (byte)i; + } + + byte[] label = Encoding.UTF8.GetBytes("label"); + byte[] contextHeader = Encoding.UTF8.GetBytes("contextHeader"); + byte[] context = Encoding.UTF8.GetBytes("context"); + + // Act & assert TestCngKeyDerivation((pbKdk, cbKdk) => new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk), kdk, label, contextHeader, context, numDerivedBytes, expectedDerivedSubkeyAsBase64); } diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/project.json b/test/Microsoft.AspNet.Security.DataProtection.Test/project.json index af25e55bfe..2ee987c400 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/project.json @@ -1,6 +1,7 @@ { "dependencies": { "Microsoft.AspNet.Security.DataProtection": "1.0.0-*", + "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", "xunit.runner.kre": "1.0.0-*" }, From d5143f5004f6ef9e6780b37c368848010d8dce9f Mon Sep 17 00:00:00 2001 From: Aligned Date: Mon, 12 Jan 2015 15:13:17 -0600 Subject: [PATCH 078/493] Change ASP.NET vNext to ASP.Net 5 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a8102a4eb3..8599b75f90 100644 --- a/README.md +++ b/README.md 
@@ -3,4 +3,4 @@ DataProtection Data Protection APIs -This project is part of ASP.NET vNext. You can find samples, documentation and getting started instructions for ASP.NET vNext at the [Home](https://github.com/aspnet/home) repo. +This project is part of ASP.NET 5. You can find samples, documentation and getting started instructions for ASP.NET 5 at the [Home](https://github.com/aspnet/home) repo. From 1d49807eeee58e4014733803d7c230d0f692fd15 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 20 Jan 2015 01:30:29 -0800 Subject: [PATCH 079/493] Updating build.cmd and build.sh to use dotnetsdk --- build.cmd | 6 +++--- build.sh | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build.cmd b/build.cmd index 86ca5bbbf1..c8041fdd9d 100644 --- a/build.cmd +++ b/build.cmd @@ -20,9 +20,9 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion IF "%SKIP_KRE_INSTALL%"=="1" goto run -CALL packages\KoreBuild\build\kvm upgrade -runtime CLR -x86 -CALL packages\KoreBuild\build\kvm install default -runtime CoreCLR -x86 +CALL packages\KoreBuild\build\dotnetsdk upgrade -runtime CLR -x86 +CALL packages\KoreBuild\build\dotnetsdk install default -runtime CoreCLR -x86 :run -CALL packages\KoreBuild\build\kvm use default -runtime CLR -x86 +CALL packages\KoreBuild\build\dotnetsdk use default -runtime CLR -x86 packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* diff --git a/build.sh b/build.sh index c7873ef58e..3f3c731c04 100644 --- a/build.sh +++ b/build.sh @@ -28,11 +28,11 @@ if test ! -d packages/KoreBuild; then fi if ! type k > /dev/null 2>&1; then - source packages/KoreBuild/build/kvm.sh + source setup/dotnetsdk.sh fi if ! type k > /dev/null 2>&1; then - kvm upgrade + dotnetsdk upgrade fi mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" From 962b8f38f85ce1dae54a1e11e3da0c42865cdc26 Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Tue, 20 Jan 2015 01:35:33 -0800 Subject: [PATCH 080/493] Updating build.cmd and build.sh to use dotnetsdk --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index 3f3c731c04..350d7e389a 100644 --- a/build.sh +++ b/build.sh @@ -28,7 +28,7 @@ if test ! -d packages/KoreBuild; then fi if ! type k > /dev/null 2>&1; then - source setup/dotnetsdk.sh + source packages/KoreBuild/build/dotnetsdk.sh fi if ! type k > /dev/null 2>&1; then From 04e7bca8bfcac58003f5e770e0687f5d4e573809 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 20 Jan 2015 13:49:29 -0800 Subject: [PATCH 081/493] Normalize .kproj files BOM and line endings --- .../Microsoft.AspNet.Security.DataProtection.Azure.kproj | 2 +- ...Microsoft.AspNet.Security.DataProtection.Compatibility.kproj | 2 +- .../Microsoft.AspNet.Security.DataProtection.kproj | 2 +- .../Microsoft.AspNet.Security.DataProtection.Test.kproj | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj index 60874ae6e1..0279cb8079 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj @@ -1,4 +1,4 @@ - + 14.0 diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj index 1be00812a1..24ce7cf3b8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj 
+++ b/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj @@ -1,4 +1,4 @@ - + 14.0 diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj index 876b528aad..885bbdd20e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj +++ b/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj @@ -1,4 +1,4 @@ - + 14.0 diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj index b92a332f71..66ecc0ff24 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj @@ -1,4 +1,4 @@ - + 14.0 From 0873c6710f34579ff28197834ec9fd85a9da4bf8 Mon Sep 17 00:00:00 2001 From: Suhas Joshi Date: Tue, 20 Jan 2015 17:19:02 -0800 Subject: [PATCH 082/493] Updating NuGet.config --- NuGet.Config | 1 - 1 file changed, 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index 2d3b0cb857..53454b2000 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,6 @@  - From 3f67e10dbea406932512aae8c93ddb76e5da8fe1 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 20 Jan 2015 18:09:35 -0800 Subject: [PATCH 083/493] Updating to release NuGet.config --- NuGet.Config | 1 + 1 file changed, 1 insertion(+) diff --git a/NuGet.Config b/NuGet.Config index 53454b2000..2d3b0cb857 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,6 +1,7 @@  + From 9f0883321064223a67750da8068758b7c5e03c42 Mon Sep 17 00:00:00 2001 
From: Wei Wang Date: Tue, 20 Jan 2015 18:12:55 -0800 Subject: [PATCH 084/493] Rename SKIP_KRE_INSTALL to SKIP_DOTNET_INSTALL --- build.cmd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.cmd b/build.cmd index c8041fdd9d..220a1ff561 100644 --- a/build.cmd +++ b/build.cmd @@ -19,7 +19,7 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion -IF "%SKIP_KRE_INSTALL%"=="1" goto run +IF "%SKIP_DOTNET_INSTALL%"=="1" goto run CALL packages\KoreBuild\build\dotnetsdk upgrade -runtime CLR -x86 CALL packages\KoreBuild\build\dotnetsdk install default -runtime CoreCLR -x86 From b5f1eff89e9be8a9b0769f3f6351b2d3fa65a51b Mon Sep 17 00:00:00 2001 From: Suhas Joshi Date: Wed, 21 Jan 2015 15:45:10 -0800 Subject: [PATCH 085/493] Updating to release NuGet.config --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index f41e9c631d..2d3b0cb857 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + From 2435a2468db4707462c463491f574c7de735cb12 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 28 Jan 2015 17:09:19 -0800 Subject: [PATCH 086/493] Update build.cmd and build.sh to use kvm --- build.cmd | 6 +++--- build.sh | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build.cmd b/build.cmd index 220a1ff561..5885abe388 100644 --- a/build.cmd +++ b/build.cmd 
@@ -20,9 +20,9 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion IF "%SKIP_DOTNET_INSTALL%"=="1" goto run -CALL packages\KoreBuild\build\dotnetsdk upgrade -runtime CLR -x86 -CALL packages\KoreBuild\build\dotnetsdk install default -runtime CoreCLR -x86 +CALL packages\KoreBuild\build\kvm upgrade -runtime CLR -x86 +CALL packages\KoreBuild\build\kvm install default -runtime CoreCLR -x86 :run -CALL packages\KoreBuild\build\dotnetsdk use default -runtime CLR -x86 +CALL packages\KoreBuild\build\kvm use default -runtime CLR -x86 packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* diff --git a/build.sh b/build.sh index 350d7e389a..c7873ef58e 100644 --- a/build.sh +++ b/build.sh @@ -28,11 +28,11 @@ if test ! -d packages/KoreBuild; then fi if ! type k > /dev/null 2>&1; then - source packages/KoreBuild/build/dotnetsdk.sh + source packages/KoreBuild/build/kvm.sh fi if ! type k > /dev/null 2>&1; then - dotnetsdk upgrade + kvm upgrade fi mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" From de6cbb05df7d0de3d7626ab6d0ff4c87a013f6d6 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 28 Jan 2015 17:09:43 -0800 Subject: [PATCH 087/493] Change SKIP_DOTNET_INSTALL to SKIP_KRE_INSTALL --- build.cmd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.cmd b/build.cmd index 5885abe388..86ca5bbbf1 100644 --- a/build.cmd +++ b/build.cmd @@ -19,7 +19,7 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion -IF "%SKIP_DOTNET_INSTALL%"=="1" goto run +IF "%SKIP_KRE_INSTALL%"=="1" goto run CALL packages\KoreBuild\build\kvm upgrade -runtime CLR -x86 CALL packages\KoreBuild\build\kvm install default -runtime CoreCLR -x86 From 20cdbcd7115d9932b2d3138a48ef41d86aa5449e Mon Sep 17 00:00:00 2001 
From: Wei Wang Date: Mon, 16 Feb 2015 12:07:04 -0800 Subject: [PATCH 088/493] Add project.lock.json to .gitignore --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 08e21e25bf..ac82da7568 100644 --- a/.gitignore +++ b/.gitignore @@ -23,4 +23,5 @@ nuget.exe *.ncrunchsolution *.*sdf *.ipch -*.sln.ide \ No newline at end of file +*.sln.ide +project.lock.json From 71a2712c5ac4a5d4f3983036ce8b25fbbb82c7f8 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 19 Feb 2015 10:15:18 -0800 Subject: [PATCH 089/493] Reacting to XDocument verson change --- src/Microsoft.AspNet.Security.DataProtection/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 13c7159bec..971c304e51 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -30,7 +30,7 @@ "System.Security.Cryptography.RandomNumberGenerator": "4.0.0-beta-*", "System.Security.Principal.Windows": "4.0.0-beta-*", "System.Text.Encoding.Extensions": "4.0.10-beta-*", - "System.Xml.XDocument": "4.0.0-beta-*" + "System.Xml.XDocument": "4.0.10-beta-*" } } }, From 8ec6dc3712a5eb8863eff6b9baa94354ab7e9db7 Mon Sep 17 00:00:00 2001 
From: Levi B Date: Fri, 20 Feb 2015 11:36:12 -0800 Subject: [PATCH 090/493] Code cleanup Rename IAuthenticatedEncryptor2 -> IOptimizedAuthenticatedEncryptor Rename ProtectedMemoryBlob -> Secret Add some missing doc comments explaining --- .../AuthenticatedEncryptorExtensions.cs | 2 +- ...henticatedEncryptorConfigurationFactory.cs | 2 +- ...henticatedEncryptorConfigurationOptions.cs | 2 +- ...nticatedEncryptorConfigurationXmlReader.cs | 4 +- ...henticatedEncryptorConfigurationFactory.cs | 2 +- ...henticatedEncryptorConfigurationOptions.cs | 2 +- ...nticatedEncryptorConfigurationXmlReader.cs | 4 +- .../IAuthenticatedEncryptor2.cs | 12 --- .../IOptimizedAuthenticatedEncryptor.cs | 35 ++++++++ ...henticatedEncryptorConfigurationFactory.cs | 4 +- ...henticatedEncryptorConfigurationOptions.cs | 2 +- ...nticatedEncryptorConfigurationXmlReader.cs | 4 +- .../BitHelpers.cs | 14 ++++ .../Cng/CbcAuthenticatedEncryptor.cs | 17 ++-- .../Cng/CngAuthenticatedEncryptorBase.cs | 10 ++- .../Cng/DpapiSecretSerializerHelper.cs | 12 +-- .../Cng/GcmAuthenticatedEncryptor.cs | 14 ++-- .../CryptoUtil.cs | 2 + .../DataProtectionExtensions.cs | 4 +- .../Dpapi/DpapiDataProtector.cs | 4 +- .../Dpapi/ProtectedDataImpl.cs | 2 +- .../EphemeralDataProtectionProvider.cs | 2 +- .../ExceptionExtensions.cs | 20 +++++ .../ISecret.cs | 2 +- .../KeyRingBasedDataProtector.cs | 4 +- .../KeyManagement/XmlKeyManager.cs | 4 +- .../Managed/ManagedAuthenticatedEncryptor.cs | 8 +- .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 2 +- .../{ProtectedMemoryBlob.cs => Secret.cs} | 80 ++++++++++++++----- .../TimeLimitedDataProtector.cs | 2 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 7 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 6 +- .../Cng/CbcAuthenticatedEncryptorTests.cs | 6 +- .../Cng/GcmAuthenticatedEncryptorTests.cs | 6 +- .../ManagedAuthenticatedEncryptorTests.cs | 6 +- 35 files changed, 200 insertions(+), 109 deletions(-) delete mode 100644 
src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs create mode 100644 src/Microsoft.AspNet.Security.DataProtection/ExceptionExtensions.cs rename src/Microsoft.AspNet.Security.DataProtection/{ProtectedMemoryBlob.cs => Secret.cs} (76%) diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs index 3bcd320cb8..6a2808e70d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs @@ -12,7 +12,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption public static byte[] Encrypt(this IAuthenticatedEncryptor encryptor, ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize) { // Can we call the optimized version? - IAuthenticatedEncryptor2 optimizedEncryptor = encryptor as IAuthenticatedEncryptor2; + IOptimizedAuthenticatedEncryptor optimizedEncryptor = encryptor as IOptimizedAuthenticatedEncryptor; if (optimizedEncryptor != null) { return optimizedEncryptor.Encrypt(plaintext, additionalAuthenticatedData, preBufferSize, postBufferSize); diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs index 22b254fe85..711330a151 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs @@ -23,7 +23,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { // generate a 512-bit secret randomly const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = ProtectedMemoryBlob.Random(KDK_SIZE_IN_BYTES); + var secret = Secret.Random(KDK_SIZE_IN_BYTES); return new CngCbcAuthenticatedEncryptorConfiguration(_options, secret); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs index c9f6b4f8d0..9db38c5070 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs @@ -96,7 +96,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption // and we're good to go! return new CbcAuthenticatedEncryptor( - keyDerivationKey: new ProtectedMemoryBlob(secret), + keyDerivationKey: new Secret(secret), symmetricAlgorithmHandle: encryptionAlgorithmHandle, symmetricAlgorithmKeySizeInBytes: encryptionAlgorithmKeySizeInBits / 8, hmacAlgorithmHandle: hashAlgorithmHandle); diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs index d37f854c42..e47a6cd4f1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs @@ -58,8 +58,8 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement); try { - var protectedMemoryBlob = new ProtectedMemoryBlob(decryptedSecretBytes); - return new CngCbcAuthenticatedEncryptorConfiguration(options, protectedMemoryBlob); + var secret = new Secret(decryptedSecretBytes); + return new CngCbcAuthenticatedEncryptorConfiguration(options, secret); } finally { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs index b184da69ab..996da69abc 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs @@ -23,7 +23,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { // generate a 512-bit secret randomly const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = ProtectedMemoryBlob.Random(KDK_SIZE_IN_BYTES); + var secret = Secret.Random(KDK_SIZE_IN_BYTES); return new CngGcmAuthenticatedEncryptorConfiguration(_options, secret); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs index 271a43eefe..d8cd278490 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs @@ -67,7 +67,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption // and we're good to go! return new GcmAuthenticatedEncryptor( - keyDerivationKey: new ProtectedMemoryBlob(secret), + keyDerivationKey: new Secret(secret), symmetricAlgorithmHandle: encryptionAlgorithmHandle, symmetricAlgorithmKeySizeInBytes: encryptionAlgorithmKeySizeInBits / 8); } diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs index e3fc4bad31..d826c54b3e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs @@ -52,8 +52,8 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement); try { - var protectedMemoryBlob = new ProtectedMemoryBlob(decryptedSecretBytes); - return new CngGcmAuthenticatedEncryptorConfiguration(options, protectedMemoryBlob); + var secret = new Secret(decryptedSecretBytes); + return new CngGcmAuthenticatedEncryptorConfiguration(options, secret); } finally { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs deleted file mode 100644 index 2e36143dc3..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor2.cs +++ /dev/null 
@@ -1,12 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption -{ - internal interface IAuthenticatedEncryptor2 : IAuthenticatedEncryptor - { - byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize); - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs new file mode 100644 index 0000000000..aa8d7c72fb --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs 
@@ -0,0 +1,35 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +{ + /// + /// An optimized encryptor that can avoid buffer allocations in common code paths. + /// + internal interface IOptimizedAuthenticatedEncryptor : IAuthenticatedEncryptor + { + /// + /// Encrypts and tamper-proofs a piece of data. + /// + /// The plaintext to encrypt. This input may be zero bytes in length. + /// A piece of data which will not be included in + /// the returned ciphertext but which will still be covered by the authentication tag. + /// This input may be zero bytes in length. The same AAD must be specified in the corresponding + /// call to Decrypt. + /// The number of bytes to include before the ciphertext in the return value. + /// The number of bytes to include after the ciphertext in the return value. + /// + /// A buffer containing the ciphertext and authentication tag. + /// If a non-zero pre-buffer or post-buffer size is specified, the returned buffer will contain appropriate padding + /// on either side of the ciphertext and authentication tag. For instance, if a pre-buffer size of 4 and a post-buffer + /// size of 7 are specified, and if the ciphertext and tag are a combined 48 bytes, then the returned buffer will + /// be a total 59 bytes in length. The first four bytes will be undefined, the next 48 bytes will contain the + /// ciphertext and tag, and the last seven bytes will be undefined. The intent is that the caller can overwrite the + /// pre-buffer or post-buffer with a header or footer without needing to allocate an additional buffer object. + /// + /// All cryptography-related exceptions should be homogenized to CryptographicException. 
+ byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs index 50fee4ab58..e64ddf6c07 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs @@ -21,10 +21,10 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption // generate a 512-bit secret randomly const int KDK_SIZE_IN_BYTES = 512 / 8; byte[] kdk = ManagedGenRandomImpl.Instance.GenRandom(KDK_SIZE_IN_BYTES); - ProtectedMemoryBlob secret; + Secret secret; try { - secret = new ProtectedMemoryBlob(kdk); + secret = new Secret(kdk); } finally { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs index 9ebed10e96..673f0e2646 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs 
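Review bot: The new doc comment on `IOptimizedAuthenticatedEncryptor.Encrypt` calls the pre-buffer and post-buffer bytes "undefined" but does not say who is responsible for them. An implementation that reuses a buffer could therefore hand earlier memory contents to a caller that fills only part of its header or footer. I would add a sentence to the returns text such as `Callers must overwrite every pre-buffer and post-buffer byte before the buffer is stored or sent; implementations must not leave data from earlier operations in those regions.` The comment also leaves open what happens when `preBufferSize` plus `postBufferSize` plus the ciphertext length cannot be represented as an array length. If the last doc line is meant to cover that case, saying so explicitly would complete the contract.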
@@ -70,7 +70,7 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption // We're good to go! return new ManagedAuthenticatedEncryptor( - keyDerivationKey: new ProtectedMemoryBlob(secret), + keyDerivationKey: new Secret(secret), symmetricAlgorithmFactory: encryptorFactory, symmetricAlgorithmKeySizeInBytes: keySizeInBytes, validationAlgorithmFactory: validatorFactory); diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs index cfa38ed3ea..bdfbdccdc2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs @@ -56,8 +56,8 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement); try { - var protectedMemoryBlob = new ProtectedMemoryBlob(decryptedSecretBytes); - return new ManagedAuthenticatedEncryptorConfiguration(options, protectedMemoryBlob); + var secret = new Secret(decryptedSecretBytes); + return new ManagedAuthenticatedEncryptorConfiguration(options, secret); } finally { diff --git a/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs b/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs index 379b5cdf5d..3e60ca7ca1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs 
@@ -21,6 +21,20 @@ namespace Microsoft.AspNet.Security.DataProtection bytePtr[3] = (byte)(value); } + /// + /// Writes an unsigned 32-bit value to a memory address, big-endian. + /// + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static void WriteTo(ref byte* ptr, uint value) + { + byte* pTemp = ptr; + pTemp[0] = (byte)(value >> 24); + pTemp[1] = (byte)(value >> 16); + pTemp[2] = (byte)(value >> 8); + pTemp[3] = (byte)(value); + ptr = &pTemp[4]; + } + /// /// Writes a signed 32-bit value to a memory address, big-endian. /// diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index 819facee9f..9c7567a4da 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; using Microsoft.AspNet.Security.DataProtection.SafeHandles; using Microsoft.AspNet.Security.DataProtection.SP800_108; 
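Review bot: In BitHelpers.cs the added `WriteTo(ref byte* ptr, uint value)` differs from the non-ref `WriteTo` overload the old call sites used only by the `ref` keyword. A call that drops `ref` still compiles, and because this commit removes the explicit `ptr += sizeof(uint)` lines in CbcAuthenticatedEncryptor.cs and GcmAuthenticatedEncryptor.cs, it would write every context-header field to the same four bytes. A distinct name, for example `public static void WriteToAndAdvance(ref byte* ptr, uint value)`, turns that mistake into a compile error. The summary should also state that `ptr` is advanced by four bytes and that the caller must guarantee four writable bytes at `ptr`, since the method has no length to check against.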
@@ -41,7 +40,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng private readonly uint _symmetricAlgorithmBlockSizeInBytes; private readonly uint _symmetricAlgorithmSubkeyLengthInBytes; - public CbcAuthenticatedEncryptor(ProtectedMemoryBlob keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, BCryptAlgorithmHandle hmacAlgorithmHandle, IBCryptGenRandom genRandom = null) + public CbcAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, BCryptAlgorithmHandle hmacAlgorithmHandle, IBCryptGenRandom genRandom = null) { CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); 
@@ -88,16 +87,12 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng *(ptr++) = 0; // 0x00 = CBC encryption + HMAC authentication // Next is information about the symmetric algorithm (key size followed by block size) - BitHelpers.WriteTo(ptr, _symmetricAlgorithmSubkeyLengthInBytes); - ptr += sizeof(uint); - BitHelpers.WriteTo(ptr, _symmetricAlgorithmBlockSizeInBytes); - ptr += sizeof(uint); + BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes); + BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmBlockSizeInBytes); // Next is information about the HMAC algorithm (key size followed by digest size) - BitHelpers.WriteTo(ptr, _hmacAlgorithmSubkeyLengthInBytes); - ptr += sizeof(uint); - BitHelpers.WriteTo(ptr, _hmacAlgorithmDigestLengthInBytes); - ptr += sizeof(uint); + BitHelpers.WriteTo(ref ptr, _hmacAlgorithmSubkeyLengthInBytes); + BitHelpers.WriteTo(ref ptr, _hmacAlgorithmDigestLengthInBytes); // See the design document for an explanation of the following code. byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes]; @@ -348,7 +343,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes)) { - // We can't assume PKCS#7 padding (maybe the underlying provided is using CTS), + // We can't assume PKCS#7 padding (maybe the underlying provider is really using CTS), // so we need to query the padded output size before we can allocate the return value array. uint cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, cbPlaintext); diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs index 37450636a3..48f76f0937 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs @@ -2,12 +2,14 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNet.Security.DataProtection.Cng { - internal unsafe abstract class CngAuthenticatedEncryptorBase : IAuthenticatedEncryptor, IDisposable + /// + /// Base class used for all CNG-related authentication encryption operations. + /// + internal unsafe abstract class CngAuthenticatedEncryptorBase : IOptimizedAuthenticatedEncryptor, IDisposable { public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData) { @@ -30,7 +32,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy, cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count); } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize to CryptographicException. throw Error.CryptCommon_GenericError(ex); @@ -71,7 +73,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng cbPreBuffer: preBufferSize, cbPostBuffer: postBufferSize); } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize to CryptographicException. throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs index 9f1dbb2a6e..e5762f1190 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs 
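Review bot: The `catch (Exception ex) when (ex.RequiresHomogenization())` filters in `Decrypt` and `Encrypt` of CngAuthenticatedEncryptorBase.cs no longer show which exceptions pass through unwrapped; that rule now lives in ExceptionExtensions.cs, which is outside these hunks. The adjacent comment says failures are homogenized to CryptographicException, so a reader auditing `Decrypt` for distinguishable failure modes needs to know the helper's rule. I would extend the comment at the filter, for example `// Only CryptographicException escapes unwrapped; see ExceptionExtensions.RequiresHomogenization.`, assuming the helper keeps the previous `!(ex is CryptographicException)` behaviour. The same filter is introduced in DataProtectionExtensions.cs and DpapiDataProtector.cs, and all of these method bodies continue outside the hunks shown.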
+++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -172,7 +172,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } } - public static ProtectedMemoryBlob UnprotectWithDpapi(byte[] protectedSecret) + public static Secret UnprotectWithDpapi(byte[] protectedSecret) { Debug.Assert(protectedSecret != null); @@ -185,7 +185,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } } - internal static ProtectedMemoryBlob UnprotectWithDpapiImpl(byte* pbProtectedData, uint cbProtectedData, byte* pbOptionalEntropy, uint cbOptionalEntropy) + internal static Secret UnprotectWithDpapiImpl(byte* pbProtectedData, uint cbProtectedData, byte* pbOptionalEntropy, uint cbOptionalEntropy) { byte dummy; // provides a valid memory address if the secret or entropy has zero length @@ -220,7 +220,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng throw new CryptographicException(errorCode); } - return new ProtectedMemoryBlob(dataOut.pbData, checked((int)dataOut.cbData)); + return new Secret(dataOut.pbData, checked((int)dataOut.cbData)); } finally { @@ -234,7 +234,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } } - public static ProtectedMemoryBlob UnprotectWithDpapiNG(byte[] protectedData) + public static Secret UnprotectWithDpapiNG(byte[] protectedData) { Debug.Assert(protectedData != null); @@ -247,7 +247,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng } } - private static ProtectedMemoryBlob UnprotectWithDpapiNGImpl(byte* pbData, uint cbData) + private static Secret UnprotectWithDpapiNGImpl(byte* pbData, uint cbData) { Debug.Assert(pbData != null); 
@@ -280,7 +280,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng try { unencryptedPayloadHandle.DangerousAddRef(ref handleAcquired); - return new ProtectedMemoryBlob((byte*)unencryptedPayloadHandle.DangerousGetHandle(), checked((int)cbUnencryptedPayload)); + return new Secret((byte*)unencryptedPayloadHandle.DangerousGetHandle(), checked((int)cbUnencryptedPayload)); } finally { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index e5e67cd31b..d6b99f69c0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs @@ -35,7 +35,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng private readonly BCryptAlgorithmHandle _symmetricAlgorithmHandle; private readonly uint _symmetricAlgorithmSubkeyLengthInBytes; - public GcmAuthenticatedEncryptor(ProtectedMemoryBlob keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, IBCryptGenRandom genRandom = null) + public GcmAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, IBCryptGenRandom genRandom = null) { CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); 
@@ -67,14 +67,10 @@ namespace Microsoft.AspNet.Security.DataProtection.Cng *(ptr++) = 1; // 0x01 = GCM encryption + authentication // Next is information about the symmetric algorithm (key size, nonce size, block size, tag size) - BitHelpers.WriteTo(ptr, _symmetricAlgorithmSubkeyLengthInBytes); - ptr += sizeof(uint); - BitHelpers.WriteTo(ptr, NONCE_SIZE_IN_BYTES); - ptr += sizeof(uint); - BitHelpers.WriteTo(ptr, TAG_SIZE_IN_BYTES); // block size - ptr += sizeof(uint); - BitHelpers.WriteTo(ptr, TAG_SIZE_IN_BYTES); - ptr += sizeof(uint); + BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes); + BitHelpers.WriteTo(ref ptr, NONCE_SIZE_IN_BYTES); + BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES); // block size = tag size + BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES); // See the design document for an explanation of the following code. byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs index 823e7aa213..e71807fdee 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs @@ -48,6 +48,8 @@ namespace Microsoft.AspNet.Security.DataProtection throw new CryptographicException("Assertion failed: " + message); } + // Allows callers to write "var x = Method() ?? Fail(message);" as a convenience to guard + // against a method returning null unexpectedly. [MethodImpl(MethodImplOptions.NoInlining)] public static T Fail(string message) where T : class { diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs index dbfd3a1918..14f22b52b1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs 
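Review bot: In the context-header code of GcmAuthenticatedEncryptor.cs the block-size field is still written with `TAG_SIZE_IN_BYTES`, and the new comment `// block size = tag size` records the coincidence rather than removing it. If the tag-length constant is ever changed, the block-size field changes with it, and so does the header that the key-derivation code following it appears to consume. A separate `BLOCK_SIZE_IN_BYTES` constant holding the cipher's block size, used as `BitHelpers.WriteTo(ref ptr, BLOCK_SIZE_IN_BYTES);`, keeps the two fields independent. The enclosing method starts and ends outside this hunk.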
@@ -36,7 +36,7 @@ namespace Microsoft.AspNet.Security.DataProtection byte[] protectedDataAsBytes = protector.Protect(unprotectedDataAsBytes); return WebEncoders.Base64UrlEncode(protectedDataAsBytes); } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize exceptions to CryptographicException throw Error.CryptCommon_GenericError(ex); @@ -60,7 +60,7 @@ namespace Microsoft.AspNet.Security.DataProtection byte[] unprotectedDataAsBytes = protector.Unprotect(protectedDataAsBytes); return CryptoUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize exceptions to CryptographicException throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs index cf734290cc..a4b400e5e0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs @@ -43,7 +43,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi return _shim.Protect(unprotectedData, _combinedPurposes, _scope) ?? CryptoUtil.Fail("Null return value."); } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize to CryptographicException throw Error.CryptCommon_GenericError(ex); @@ -57,7 +57,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi return _shim.Unprotect(protectedData, _combinedPurposes, _scope) ?? CryptoUtil.Fail("Null return value."); } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize to CryptographicException throw Error.CryptCommon_GenericError(ex); 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs index ab6d8ac06f..cd5e579f66 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs @@ -32,7 +32,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi public byte[] Unprotect(byte[] encryptedData, byte[] optionalEntropy, DataProtectionScope scope) { #if ASPNETCORE50 - ProtectedMemoryBlob blob; + Secret blob; fixed (byte* pbEncryptedData = encryptedData) { fixed (byte* pbOptionalEntropy = optionalEntropy) diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs index 99bfe47d7a..8b87083b2c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs @@ -50,7 +50,7 @@ namespace Microsoft.AspNet.Security.DataProtection // Currently hardcoded to a 512-bit KDK. private const int NUM_BYTES_IN_KDK = 512 / 8; - public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().CreateAuthenticatedEncryptor(ProtectedMemoryBlob.Random(NUM_BYTES_IN_KDK)); + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().CreateAuthenticatedEncryptor(Secret.Random(NUM_BYTES_IN_KDK)); public Guid DefaultKeyId { get; } = default(Guid); diff --git a/src/Microsoft.AspNet.Security.DataProtection/ExceptionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/ExceptionExtensions.cs new file mode 100644 index 0000000000..9335f3fc01 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/ExceptionExtensions.cs 
@@ -0,0 +1,20 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal static class ExceptionExtensions + { + /// + /// Determines whether an exception must be homogenized by being wrapped inside a + /// CryptographicException before being rethrown. + /// + public static bool RequiresHomogenization(this Exception ex) + { + return !(ex is CryptographicException); + } + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs b/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs index 8e73cc8cdd..0d787f9381 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNet.Security.DataProtection public interface ISecret : IDisposable { /// - /// The length (in bytes) of the value. + /// The length (in bytes) of the secret value. /// int Length { get; } diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index e5891f2d02..ecb87dad75 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
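Review bot: The doc comment on `RequiresHomogenization` in the new ExceptionExtensions.cs does not say that the method is evaluated inside `catch (Exception ex) when (...)` filters, which is how every call site in this patch uses it (DataProtectionExtensions, DpapiDataProtector, KeyRingBasedDataProtector, ManagedAuthenticatedEncryptor, TimeLimitedDataProtector). Filters run before the `finally` blocks of inner frames have executed, so the method has to stay free of side effects and must never throw. A line such as `/// Called from exception filters; must be side-effect free and must not throw.` would protect that property against later edits. The comment should also state that any `CryptographicException`, subclasses included, passes through with its original message, so only the exception type is homogenized here and not the text that reaches the caller.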
@@ -131,7 +131,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement postBufferSize: 0); CryptoUtil.Assert(retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid), "retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid)"); } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // homogenize all errors to CryptographicException throw Error.Common_EncryptionFailed(ex); @@ -247,7 +247,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement CryptoUtil.Assert(retVal != null, "retVal != null"); return retVal; } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // homogenize all failures to CryptographicException throw Error.DecryptionFailed(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs index d472869b48..27dff11346 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs @@ -111,7 +111,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement var thisKey = ParseKeyElement(element); if (idToKeyMap.ContainsKey(thisKey.KeyId)) { - CryptoUtil.Fail("TODO: Duplicate key."); + throw CryptoUtil.Fail("TODO: Duplicate key."); } idToKeyMap.Add(thisKey.KeyId, thisKey); } @@ -140,7 +140,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement } else { - CryptoUtil.Fail("TODO: Unknown element."); + throw CryptoUtil.Fail("TODO: Unknown element."); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index d384a5ff4a..f10003ece2 100644 
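Review bot: In XmlKeyManager.cs (hunks -111,7 +111,7 and -140,7 +140,7) both failure paths now throw explicitly, but the messages are still the placeholders `"TODO: Duplicate key."` and `"TODO: Unknown element."`. Neither tells an operator which entry made the key ring fail to load. The duplicate-key message should include `thisKey.KeyId` and the unknown-element message should include the element's name; both look like identifiers rather than key material, assuming `KeyId` is the Guid used elsewhere in this patch. The enclosing method starts and ends outside both hunks.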
--- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -36,7 +36,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed private readonly byte[] _contextHeader; private readonly IManagedGenRandom _genRandom; - private readonly ProtectedMemoryBlob _keyDerivationKey; + private readonly Secret _keyDerivationKey; private readonly Func _symmetricAlgorithmFactory; private readonly int _symmetricAlgorithmBlockSizeInBytes; private readonly int _symmetricAlgorithmSubkeyLengthInBytes; @@ -44,7 +44,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed private readonly int _validationAlgorithmSubkeyLengthInBytes; private readonly Func _validationAlgorithmFactory; - public ManagedAuthenticatedEncryptor(ProtectedMemoryBlob keyDerivationKey, Func symmetricAlgorithmFactory, int symmetricAlgorithmKeySizeInBytes, Func validationAlgorithmFactory, IManagedGenRandom genRandom = null) + public ManagedAuthenticatedEncryptor(Secret keyDerivationKey, Func symmetricAlgorithmFactory, int symmetricAlgorithmKeySizeInBytes, Func validationAlgorithmFactory, IManagedGenRandom genRandom = null) { CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); @@ -278,7 +278,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed } } } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize all exceptions to CryptographicException. throw Error.CryptCommon_GenericError(ex); 
@@ -382,7 +382,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Managed } } } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize all exceptions to CryptographicException. throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index 7eb8d4070d..7778e03013 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -36,7 +36,7 @@ namespace Microsoft.AspNet.Security.DataProtection.SP800_108 } // Creates a provider from the given secret. - public static ISP800_108_CTR_HMACSHA512Provider CreateProvider(ProtectedMemoryBlob kdk) + public static ISP800_108_CTR_HMACSHA512Provider CreateProvider(Secret kdk) { uint secretLengthInBytes = checked((uint)kdk.Length); if (secretLengthInBytes == 0) diff --git a/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs b/src/Microsoft.AspNet.Security.DataProtection/Secret.cs similarity index 76% rename from src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs rename to src/Microsoft.AspNet.Security.DataProtection/Secret.cs index f89af3bfdd..ddb8acdab1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ProtectedMemoryBlob.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Secret.cs @@ -8,7 +8,10 @@ using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection { - public unsafe sealed class ProtectedMemoryBlob : IDisposable, ISecret + /// + /// Represents a secret value stored in memory. + /// + public unsafe sealed class Secret : IDisposable, ISecret { // from wincrypt.h private const uint CRYPTPROTECTMEMORY_BLOCK_SIZE = 16; 
@@ -16,42 +19,57 @@ namespace Microsoft.AspNet.Security.DataProtection private readonly SecureLocalAllocHandle _localAllocHandle; private readonly uint _plaintextLength; - public ProtectedMemoryBlob(ArraySegment plaintext) + /// + /// Creates a new Secret from the provided input value, where the input value + /// is specified as an array segment. + /// + public Secret(ArraySegment value) { - plaintext.Validate(); + value.Validate(); - _localAllocHandle = Protect(plaintext); - _plaintextLength = (uint)plaintext.Count; + _localAllocHandle = Protect(value); + _plaintextLength = (uint)value.Count; } - public ProtectedMemoryBlob(byte[] plaintext) - : this(new ArraySegment(plaintext)) + /// + /// Creates a new Secret from the provided input value, where the input value + /// is specified as an array. + /// + public Secret(byte[] value) + : this(new ArraySegment(value)) { } - public ProtectedMemoryBlob(byte* plaintext, int plaintextLength) + /// + /// Creates a new Secret from the provided input value, where the input value + /// is specified as a pointer to unmanaged memory. + /// + public Secret(byte* secret, int secretLength) { - if (plaintext == null) + if (secret == null) { - throw new ArgumentNullException("plaintext"); + throw new ArgumentNullException("secret"); } - if (plaintextLength < 0) + if (secretLength < 0) { - throw new ArgumentOutOfRangeException("plaintextLength"); + throw new ArgumentOutOfRangeException("secretLength"); } - _localAllocHandle = Protect(plaintext, (uint)plaintextLength); - _plaintextLength = (uint)plaintextLength; + _localAllocHandle = Protect(secret, (uint)secretLength); + _plaintextLength = (uint)secretLength; } - public ProtectedMemoryBlob(ISecret secret) + /// + /// Creates a new Secret from another secret object. 
+ /// + public Secret(ISecret secret) { if (secret == null) { throw new ArgumentNullException("secret"); } - ProtectedMemoryBlob other = secret as ProtectedMemoryBlob; + Secret other = secret as Secret; if (other != null) { // Fast-track: simple deep copy scenario. @@ -79,6 +97,9 @@ namespace Microsoft.AspNet.Security.DataProtection } } + /// + /// The length (in bytes) of the secret value. + /// public int Length { get @@ -87,6 +108,9 @@ namespace Microsoft.AspNet.Security.DataProtection } } + /// + /// Wipes the secret from memory. + /// public void Dispose() { _localAllocHandle.Dispose(); @@ -134,21 +158,25 @@ namespace Microsoft.AspNet.Security.DataProtection return encryptedMemoryHandle; } - public static ProtectedMemoryBlob Random(int numBytes) + /// + /// Returns a Secret comprised entirely of random bytes retrieved from + /// a cryptographically secure RNG. + /// + public static Secret Random(int numBytes) { CryptoUtil.Assert(numBytes >= 0, "numBytes >= 0"); if (numBytes == 0) { byte dummy; - return new ProtectedMemoryBlob(&dummy, 0); + return new Secret(&dummy, 0); } else { // Don't use CNG if we're not on Windows. if (!OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) { - return new ProtectedMemoryBlob(ManagedGenRandomImpl.Instance.GenRandom(numBytes)); + return new Secret(ManagedGenRandomImpl.Instance.GenRandom(numBytes)); } byte[] bytes = new byte[numBytes]; @@ -157,7 +185,7 @@ namespace Microsoft.AspNet.Security.DataProtection try { BCryptUtil.GenRandom(pbBytes, (uint)numBytes); - return new ProtectedMemoryBlob(pbBytes, numBytes); + return new Secret(pbBytes, numBytes); } finally { @@ -196,6 +224,12 @@ namespace Microsoft.AspNet.Security.DataProtection } } + /// + /// Writes the secret value to the specified buffer. + /// + /// + /// The buffer size must exactly match the length of the secret value. + /// public void WriteSecretIntoBuffer(ArraySegment buffer) { // Parameter checking 
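Review bot: The new summaries on the `Secret` constructors (Secret.cs, hunk -16,42 +19,57) do not say who owns the input buffer after construction. The constructors pass the value to `Protect(...)` and keep only the returned handle, and the XML encryptors later in this patch call `Array.Clear` on their own buffer right after `new Secret(...)`, so the caller appears to remain responsible for wiping its copy. A remarks line such as `/// The input is copied; the caller should clear its own buffer once the constructor returns.` would make that contract explicit. The parameter names are also now split between `value` (array and segment overloads) and `secret` / `secretLength` (pointer overload), and the string literals passed to `ArgumentNullException` and `ArgumentOutOfRangeException` had to be renamed by hand; `nameof(secret)` would keep them in step if the compiler in use supports it.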
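Review bot: In `Secret.Random` (Secret.cs, hunk -134,21 +158,25) the non-CNG fallback `return new Secret(ManagedGenRandomImpl.Instance.GenRandom(numBytes));` passes the freshly generated bytes to the constructor and then drops the array without clearing it, so a plaintext copy of the new secret stays on the managed heap until it is collected. The CNG path below wraps its buffer in `try`/`finally` (the `finally` body is outside the hunk and presumably clears `bytes`). The fallback should do the same: keep the array in a local, construct the `Secret` inside `try`, and call `Array.Clear` on the local in `finally`. Separately, `CryptoUtil.Assert(numBytes >= 0, ...)` on this public method reports a caller error as an assertion failure, whereas the pointer constructor in the same file throws `ArgumentOutOfRangeException` for a negative length.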
@@ -215,6 +249,12 @@ namespace Microsoft.AspNet.Security.DataProtection } } + /// + /// Writes the secret value to the specified buffer. + /// + /// + /// The 'bufferLength' parameter must exactly match the length of the secret value. + /// public void WriteSecretIntoBuffer(byte* buffer, int bufferLength) { if (buffer == null) diff --git a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs index 09bab47aa8..bf42b34c45 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs @@ -86,7 +86,7 @@ namespace Microsoft.AspNet.Security.DataProtection expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero); return retVal; } - catch (Exception ex) when (!(ex is CryptographicException)) + catch (Exception ex) when (ex.RequiresHomogenization()) { // Homogenize all failures to CryptographicException throw Error.CryptCommon_GenericError(ex); diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index b6930aa488..25526f61dd 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs 
@@ -46,20 +46,19 @@ namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption public XElement Encrypt([NotNull] XElement plaintextElement) { // First, convert the XML element to a byte[] so that it can be encrypted. - ProtectedMemoryBlob secret; + Secret secret; using (var memoryStream = new MemoryStream()) { plaintextElement.Save(memoryStream); - #if !ASPNETCORE50 // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization. byte[] underlyingBuffer = memoryStream.GetBuffer(); - secret = new ProtectedMemoryBlob(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); + secret = new Secret(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length); #else // Otherwise, need to make a copy of the buffer. byte[] clonedBuffer = memoryStream.ToArray(); - secret = new ProtectedMemoryBlob(clonedBuffer); + secret = new Secret(clonedBuffer); Array.Clear(clonedBuffer, 0, clonedBuffer.Length); #endif } diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 6f33ed7ebf..553cda733e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -31,7 +31,7 @@ namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption public XElement Encrypt([NotNull] XElement plaintextElement) { // First, convert the XML element to a byte[] so that it can be encrypted. - ProtectedMemoryBlob secret; + Secret secret; using (var memoryStream = new MemoryStream()) { plaintextElement.Save(memoryStream); 
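Review bot: In `Encrypt` (DpapiNGXmlEncryptor.cs, hunk -46,20 +46,19) the serialized plaintext element is not reliably wiped: in the `#else` branch `memoryStream.ToArray()` returns a copy and only that copy is cleared, so the stream's own buffer still holds the plaintext when the `using` block ends. In both branches `Array.Clear` is skipped if the `Secret` constructor throws; `try { secret = new Secret(clonedBuffer); } finally { Array.Clear(clonedBuffer, 0, clonedBuffer.Length); }` closes that gap, and the `GetBuffer()` branch can be wrapped the same way. Any buffers the `MemoryStream` abandoned while growing during `Save` are covered by neither branch, which is worth a comment so the limit of the wipe is documented. The same pattern appears in DpapiXmlEncryptor.cs (hunk -39,12 +39,12), and `Encrypt` continues outside both hunks.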
@@ -39,12 +39,12 @@ namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption #if !ASPNETCORE50 // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization. byte[] underlyingBuffer = memoryStream.GetBuffer(); - secret = new ProtectedMemoryBlob(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); + secret = new Secret(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length); #else // Otherwise, need to make a copy of the buffer. byte[] clonedBuffer = memoryStream.ToArray(); - secret = new ProtectedMemoryBlob(clonedBuffer); + secret = new Secret(clonedBuffer); Array.Clear(clonedBuffer, 0, clonedBuffer.Length); #endif } diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs index c7c1acee95..34fa81a08c 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs @@ -18,7 +18,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng public void Encrypt_Decrypt_RoundTrips() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + Secret kdk = new Secret(new byte[512 / 8]); CbcAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk, symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, symmetricAlgorithmKeySizeInBytes: 256 / 8, 
@@ -39,7 +39,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng public void Encrypt_Decrypt_Tampering_Fails() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + Secret kdk = new Secret(new byte[512 / 8]); CbcAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk, symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, symmetricAlgorithmKeySizeInBytes: 256 / 8, @@ -86,7 +86,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng public void Encrypt_KnownKey() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(Encoding.UTF8.GetBytes("master key")); + Secret kdk = new Secret(Encoding.UTF8.GetBytes("master key")); CbcAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk, symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, symmetricAlgorithmKeySizeInBytes: 256 / 8, diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs index 681de03f38..fb73ec6c61 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs @@ -18,7 +18,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng public void Encrypt_Decrypt_RoundTrips() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + Secret kdk = new Secret(new byte[512 / 8]); GcmAuthenticatedEncryptor encryptor = new GcmAuthenticatedEncryptor(kdk, CachedAlgorithmHandles.AES_GCM, symmetricAlgorithmKeySizeInBytes: 256 / 8); ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); 
@@ -36,7 +36,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng public void Encrypt_Decrypt_Tampering_Fails() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + Secret kdk = new Secret(new byte[512 / 8]); GcmAuthenticatedEncryptor encryptor = new GcmAuthenticatedEncryptor(kdk, CachedAlgorithmHandles.AES_GCM, symmetricAlgorithmKeySizeInBytes: 256 / 8); ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext")); ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad")); @@ -80,7 +80,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Cng public void Encrypt_KnownKey() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(Encoding.UTF8.GetBytes("master key")); + Secret kdk = new Secret(Encoding.UTF8.GetBytes("master key")); GcmAuthenticatedEncryptor encryptor = new GcmAuthenticatedEncryptor(kdk, CachedAlgorithmHandles.AES_GCM, symmetricAlgorithmKeySizeInBytes: 128 / 8, genRandom: new SequentialGenRandom()); ArraySegment plaintext = new ArraySegment(new byte[] { 0, 1, 2, 3, 4, 5, 6, 7 }, 2, 3); ArraySegment aad = new ArraySegment(new byte[] { 7, 6, 5, 4, 3, 2, 1, 0 }, 1, 4); diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs index bed597f852..345bb439f4 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs 
@@ -16,7 +16,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Managed public void Encrypt_Decrypt_RoundTrips() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + Secret kdk = new Secret(new byte[512 / 8]); ManagedAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk, symmetricAlgorithmFactory: Aes.Create, symmetricAlgorithmKeySizeInBytes: 256 / 8, @@ -36,7 +36,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Managed public void Encrypt_Decrypt_Tampering_Fails() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(new byte[512 / 8]); + Secret kdk = new Secret(new byte[512 / 8]); ManagedAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk, symmetricAlgorithmFactory: Aes.Create, symmetricAlgorithmKeySizeInBytes: 256 / 8, @@ -82,7 +82,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.Managed public void Encrypt_KnownKey() { // Arrange - ProtectedMemoryBlob kdk = new ProtectedMemoryBlob(Encoding.UTF8.GetBytes("master key")); + Secret kdk = new Secret(Encoding.UTF8.GetBytes("master key")); ManagedAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk, symmetricAlgorithmFactory: Aes.Create, symmetricAlgorithmKeySizeInBytes: 256 / 8, From 6637cb264f9fc40f0830c64b50894176faefc45b Mon Sep 17 00:00:00 2001 
From: Levi B Date: Fri, 20 Feb 2015 15:43:01 -0800 Subject: [PATCH 091/493] Split KeyDerivation into its own project Move shared crypto code to a common project --- DataProtection.sln | 53 +++++++- .../BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | 2 +- .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 3 +- .../Cng/BCryptBuffer.cs | 2 +- .../Cng/BCryptBufferDesc.cs | 2 +- .../Cng/BCryptEncryptFlags.cs | 2 +- .../Cng/BCryptGenRandomFlags.cs | 2 +- .../Cng/BCryptKeyDerivationBufferType.cs | 2 +- .../Cng/BCryptUtil.cs | 2 +- .../Cng/CachedAlgorithmHandles.cs | 4 +- .../Cng/NCryptEncryptFlags.cs | 2 +- .../Cng/OSVersionUtil.cs | 8 +- .../Constants.cs | 2 +- .../CryptoUtil.cs | 6 +- .../DATA_BLOB.cs | 2 +- ...crosoft.AspNet.Cryptography.Internal.kproj | 17 +++ .../Properties/AssemblyInfo.cs | 14 ++ .../Properties/Resources.Designer.cs | 62 +++++++++ .../Resources.resx | 126 ++++++++++++++++++ .../SafeHandles/BCryptAlgorithmHandle.cs | 11 +- .../SafeHandles/BCryptHandle.cs | 2 +- .../SafeHandles/BCryptHashHandle.cs | 2 +- .../SafeHandles/BCryptKeyHandle.cs | 2 +- .../SafeHandles/LocalAllocHandle.cs | 2 +- .../SafeHandles/NCryptDescriptorHandle.cs | 2 +- .../SafeHandles/SafeCertContextHandle.cs | 2 +- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 0 .../SafeHandles/SafeLibraryHandle.cs | 10 +- .../SafeHandles/SafeNCryptKeyHandle.cs | 2 +- .../SafeHandles/SecureLocalAllocHandle.cs | 2 +- .../UnsafeBufferUtil.cs | 4 +- .../UnsafeNativeMethods.cs | 25 ++-- .../WeakReferenceHelpers.cs | 7 +- .../project.json | 26 ++++ .../KeyDerivation.cs | 14 +- .../KeyDerivationPrf.cs | 2 +- ...ft.AspNet.Cryptography.KeyDerivation.kproj | 17 +++ .../PBKDF2/IPbkdf2Provider.cs | 2 +- .../PBKDF2/ManagedPbkdf2Provider.cs | 2 +- .../PBKDF2/Pbkdf2Util.cs | 4 +- .../PBKDF2/Win7Pbkdf2Provider.cs | 6 +- .../PBKDF2/Win8Pbkdf2Provider.cs | 28 +++- .../Properties/AssemblyInfo.cs | 7 + .../project.json | 21 +++ .../AuthenticatedEncryptorExtensions.cs | 1 - ...gCbcAuthenticatedEncryptorConfiguration.cs | 1 + 
...henticatedEncryptorConfigurationOptions.cs | 4 +- ...nticatedEncryptorConfigurationXmlReader.cs | 1 + ...gGcmAuthenticatedEncryptorConfiguration.cs | 1 + ...henticatedEncryptorConfigurationOptions.cs | 4 +- ...nticatedEncryptorConfigurationXmlReader.cs | 1 + ...agedAuthenticatedEncryptorConfiguration.cs | 1 + ...henticatedEncryptorConfigurationOptions.cs | 1 + ...nticatedEncryptorConfigurationXmlReader.cs | 1 + .../Cng/BCryptGenRandomImpl.cs | 1 + .../Cng/CbcAuthenticatedEncryptor.cs | 4 +- .../Cng/DpapiSecretSerializerHelper.cs | 3 +- .../Cng/GcmAuthenticatedEncryptor.cs | 5 +- .../DataProtectionExtensions.cs | 5 +- ...taProtectionServiceCollectionExtensions.cs | 2 +- .../Dpapi/DpapiDataProtector.cs | 3 +- .../EncodingUtil.cs | 14 ++ .../EphemeralDataProtectionProvider.cs | 1 + .../Error.cs | 6 - .../KeyRingBasedDataProtector.cs | 4 +- .../KeyManagement/KeyRingProvider.cs | 1 + .../KeyManagement/XmlKeyManager.cs | 1 + .../Managed/HashAlgorithmExtensions.cs | 1 + .../Managed/ManagedAuthenticatedEncryptor.cs | 1 + .../Managed/SymmetricAlgorithmExtensions.cs | 1 + .../MemoryProtection.cs | 1 + .../Properties/Resources.Designer.cs | 32 ----- .../Resources.resx | 6 - .../ManagedSP800_108_CTR_HMACSHA512.cs | 1 + .../SP800_108_CTR_HMACSHA512Extensions.cs | 1 + .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 3 +- .../Win7SP800_108_CTR_HMACSHA512Provider.cs | 5 +- .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 5 +- .../Secret.cs | 5 +- .../StringExtensions.cs | 26 ---- .../TimeLimitedDataProtector.cs | 1 + .../XmlEncryption/DpapiNGXmlDecryptor.cs | 1 + .../XmlEncryption/DpapiNGXmlEncryptor.cs | 3 +- .../XmlEncryption/DpapiXmlDecryptor.cs | 1 + .../XmlEncryption/NullXmlDecryptor.cs | 1 + .../project.json | 2 + ...alRunTestOnlyIfBcryptAvailableAttribute.cs | 58 ++++++++ ...pNet.Cryptography.KeyDerivation.Test.kproj | 17 +++ .../Pbkdf2Tests.cs | 7 +- .../Properties/AssemblyInfo.cs | 8 ++ .../project.json | 18 +++ .../Cng/CbcAuthenticatedEncryptorTests.cs | 1 + 
.../Cng/GcmAuthenticatedEncryptorTests.cs | 1 + ...alRunTestOnlyIfBcryptAvailableAttribute.cs | 2 +- 94 files changed, 616 insertions(+), 174 deletions(-) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCryptBuffer.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCryptBufferDesc.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCryptEncryptFlags.cs (84%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCryptGenRandomFlags.cs (87%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCryptKeyDerivationBufferType.cs (93%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/BCryptUtil.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/CachedAlgorithmHandles.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/NCryptEncryptFlags.cs (89%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Cng/OSVersionUtil.cs (87%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/Constants.cs (99%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/CryptoUtil.cs (92%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/DATA_BLOB.cs (90%) create mode 100644 
src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj create mode 100644 src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs create mode 100644 src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs create mode 100644 src/Microsoft.AspNet.Cryptography.Internal/Resources.resx rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/BCryptAlgorithmHandle.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/BCryptHandle.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/BCryptHashHandle.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/BCryptKeyHandle.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/LocalAllocHandle.cs (93%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/NCryptDescriptorHandle.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/SafeCertContextHandle.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs (100%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/SafeLibraryHandle.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/SafeNCryptKeyHandle.cs (93%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/SafeHandles/SecureLocalAllocHandle.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/UnsafeBufferUtil.cs (98%) rename 
src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/UnsafeNativeMethods.cs (93%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.Internal}/WeakReferenceHelpers.cs (90%) create mode 100644 src/Microsoft.AspNet.Cryptography.Internal/project.json rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.KeyDerivation}/KeyDerivation.cs (65%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.KeyDerivation}/KeyDerivationPrf.cs (92%) create mode 100644 src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.KeyDerivation}/PBKDF2/IPbkdf2Provider.cs (89%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.KeyDerivation}/PBKDF2/ManagedPbkdf2Provider.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.KeyDerivation}/PBKDF2/Pbkdf2Util.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.KeyDerivation}/PBKDF2/Win7Pbkdf2Provider.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.Cryptography.KeyDerivation}/PBKDF2/Win8Pbkdf2Provider.cs (88%) create mode 100644 src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs create mode 100644 src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json create mode 100644 src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs delete mode 100644 src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs create mode 100644 test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs create mode 100644 test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj rename 
test/{Microsoft.AspNet.Security.DataProtection.Test/PBKDF2 => Microsoft.AspNet.Cryptography.KeyDerivation.Test}/Pbkdf2Tests.cs (97%) create mode 100644 test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs create mode 100644 test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json diff --git a/DataProtection.sln b/DataProtection.sln index a516327b4a..3437c905a7 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.22115.0 +VisualStudioVersion = 14.0.22609.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject 
@@ -15,20 +15,68 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-9 EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Test", "test\Microsoft.AspNet.Security.DataProtection.Test\Microsoft.AspNet.Security.DataProtection.Test.kproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal", "src\Microsoft.AspNet.Cryptography.Internal\Microsoft.AspNet.Cryptography.Internal.kproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation", "src\Microsoft.AspNet.Cryptography.KeyDerivation\Microsoft.AspNet.Cryptography.KeyDerivation.kproj", "{421F0383-34B1-402D-807B-A94542513ABA}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNet.Cryptography.KeyDerivation.Test\Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|Any CPU.Build.0 = Debug|Any CPU {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Debug|x86.ActiveCfg = Debug|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|Any CPU.ActiveCfg = Release|Any CPU + {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|Any CPU.Build.0 = Release|Any CPU {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.ActiveCfg = Release|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + 
{DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|Any CPU.Build.0 = Debug|Any CPU {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|x86.ActiveCfg = Debug|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.ActiveCfg = Release|Any CPU + {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.Build.0 = Release|Any CPU {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|x86.ActiveCfg = Release|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|Any CPU.Build.0 = Debug|Any CPU {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|x86.ActiveCfg = Debug|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|Any CPU.Build.0 = Release|Any CPU {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|x86.ActiveCfg = Release|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.Build.0 = Debug|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|x86.ActiveCfg = Debug|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Release|Any CPU.ActiveCfg = Release|Any CPU + {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Release|Any CPU.Build.0 = Release|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Release|x86.ActiveCfg = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|x86.ActiveCfg = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Debug|x86.Build.0 = Debug|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|Any CPU.Build.0 = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|x86.ActiveCfg = Release|Any CPU + {E2779976-A28C-4365-A4BB-4AD854FAF23E}.Release|x86.Build.0 = Release|Any 
CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|Any CPU.Build.0 = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|x86.ActiveCfg = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Debug|x86.Build.0 = Debug|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|Any CPU.ActiveCfg = Release|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|Any CPU.Build.0 = Release|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|x86.ActiveCfg = Release|Any CPU + {421F0383-34B1-402D-807B-A94542513ABA}.Release|x86.Build.0 = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|Any CPU.Build.0 = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|x86.ActiveCfg = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Debug|x86.Build.0 = Debug|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|Any CPU.ActiveCfg = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|Any CPU.Build.0 = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|x86.ActiveCfg = Release|Any CPU + {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -38,5 +86,8 @@ Global {DF3671D7-A9B1-45F1-A195-0AD596001735} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {C2FD9D02-AA0E-45FA-8561-EE357A94B73D} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {E2779976-A28C-4365-A4BB-4AD854FAF23E} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {421F0383-34B1-402D-807B-A94542513ABA} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {42C97F52-8D56-46BD-A712-4F22BED157A7} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} EndGlobalSection EndGlobal 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs index 5909ddd9f9..ec1d410922 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/cc562981(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs index 1660bea5a4..31d7d468fc 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs @@ -4,8 +4,9 @@ using System; using System.Globalization; using System.Runtime.InteropServices; +using Microsoft.AspNet.Cryptography.Internal; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375525(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs index 13d76f2f12..f7ce3c86e9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBuffer.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs index 477e9c4725..a23edac263 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptBufferDesc.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375370(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs similarity index 84% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs index 9d46755dec..61cee2f864 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { [Flags] internal enum BCryptEncryptFlags diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs similarity index 87% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs index 2fef69b319..f3cb337d48 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomFlags.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // from bcrypt.h [Flags] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs index db47ba9b67..6fcf2cf9b5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptKeyDerivationBufferType.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { // from bcrypt.h internal enum BCryptKeyDerivationBufferType 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs index 5afd9e2512..3256965416 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { internal unsafe static class BCryptUtil { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs index ba6f5df025..78a6bef2f5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CachedAlgorithmHandles.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { /// /// Provides cached CNG algorithm provider instances, as calling BCryptOpenAlgorithmProvider is expensive. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs similarity index 89% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs index b45b21809b..5ddc695ab9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/NCryptEncryptFlags.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { [Flags] internal enum NCryptEncryptFlags diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs similarity index 87% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs index c42535428e..aace9f7b33 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/OSVersionUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs @@ -2,13 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Diagnostics; -using System.Runtime.CompilerServices; -using System.Runtime.InteropServices; -using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.Cryptography.Cng { internal static class OSVersionUtil { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs b/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/Constants.cs rename to src/Microsoft.AspNet.Cryptography.Internal/Constants.cs index 8d40b3b7f1..135ea56ec5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Constants.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { // The majority of these are from bcrypt.h internal static class Constants diff --git a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs index e71807fdee..1b2932789f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs @@ -6,19 +6,15 @@ using System.Diagnostics; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; -using System.Text; #if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { internal unsafe static class CryptoUtil { - // UTF8 encoding that fails on invalid chars - public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); - // This isn't a typical Debug.Assert; the check is always performed, even in retail builds. [MethodImpl(MethodImplOptions.AggressiveInlining)] public static void Assert(bool condition, string message) 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs b/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs similarity index 90% rename from src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs rename to src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs index 16589279ed..132b420e57 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DATA_BLOB.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj b/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj new file mode 100644 index 0000000000..37f5345c21 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + E2779976-A28C-4365-A4BB-4AD854FAF23E + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..3f612d6db3 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs 
@@ -0,0 +1,14 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// we only ever p/invoke into DLLs known to be in the System32 folder
+[assembly: DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection.Test")]
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs
new file mode 100644
index 0000000000..a33deb5f8a
--- /dev/null
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs
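Review bot: The comment above `DefaultDllImportSearchPaths` in the new AssemblyInfo.cs reads as a guarantee for every native load, but the attribute only governs `[DllImport]` declarations compiled into this assembly. Explicit loads through `SafeLibraryHandle.Open` are restricted separately (this commit passes `LOAD_LIBRARY_SEARCH_SYSTEM32` there). The KeyDerivation and DataProtection assemblies would need their own attribute if they declare P/Invokes; their AssemblyInfo files are not visible here. I would reword the comment to `// Restricts [DllImport] resolution in this assembly to System32; LoadLibraryEx callers must pass their own search flag.`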
@@ -0,0 +1,62 @@ +// +namespace Microsoft.AspNet.Cryptography.Internal +{ + using System.Globalization; + using System.Reflection; + using System.Resources; + + internal static class Resources + { + private static readonly ResourceManager _resourceManager + = new ResourceManager("Microsoft.AspNet.Cryptography.Internal.Resources", typeof(Resources).GetTypeInfo().Assembly); + + /// + /// A provider could not be found for algorithm '{0}'. + /// + internal static string BCryptAlgorithmHandle_ProviderNotFound + { + get { return GetString("BCryptAlgorithmHandle_ProviderNotFound"); } + } + + /// + /// A provider could not be found for algorithm '{0}'. + /// + internal static string FormatBCryptAlgorithmHandle_ProviderNotFound(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("BCryptAlgorithmHandle_ProviderNotFound"), p0); + } + + /// + /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + /// + internal static string BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength + { + get { return GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"); } + } + + /// + /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + /// + internal static string FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(object p0, object p1, object p2, object p3) + { + return string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); + } + + private static string GetString(string name, params string[] formatterNames) + { + var value = _resourceManager.GetString(name); + + System.Diagnostics.Debug.Assert(value != null); + + if (formatterNames != null) + { + for (var i = 0; i < formatterNames.Length; i++) + { + value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); + } + } + + return value; + } + } +} 
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx b/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx new file mode 100644 index 0000000000..351535df12 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx @@ -0,0 +1,126 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 2.0 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + A provider could not be found for algorithm '{0}'. + + + The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs index f8fe267f88..8f89eba6bb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs @@ -3,10 +3,12 @@ using System; using System.Diagnostics; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.Win32.SafeHandles; +using System.Globalization; +using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.Internal; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal unsafe sealed class BCryptAlgorithmHandle : BCryptHandle { 
@@ -139,7 +141,8 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles // error checking if (ntstatus == STATUS_NOT_FOUND) { - throw Error.BCryptAlgorithmHandle_ProviderNotFound(algorithmId); + string message = String.Format(CultureInfo.CurrentCulture, Resources.BCryptAlgorithmHandle_ProviderNotFound, algorithmId); + throw new CryptographicException(message); } UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); CryptoUtil.AssertSafeHandleIsValid(algHandle); diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs index a5001cb26f..65a6b97cb1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs @@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal unsafe abstract class BCryptHandle : SafeHandleZeroOrMinusOneIsInvalid { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs index af30a1b3a0..9760d30440 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptHashHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs 
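Review bot: The new throw in the `STATUS_NOT_FOUND` branch formats the message by hand, even though this commit's Resources.Designer.cs adds `FormatBCryptAlgorithmHandle_ProviderNotFound(object p0)` for exactly this string. Calling the helper keeps the culture handling in one place: `throw new CryptographicException(Resources.FormatBCryptAlgorithmHandle_ProviderNotFound(algorithmId));`. The added `using System.Globalization;` would then presumably be unnecessary in this file, unless something outside the hunk uses it. The enclosing method starts and ends outside the hunk.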
@@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal unsafe sealed class BCryptHashHandle : BCryptHandle { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs index d03777d5da..088f7a0994 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/BCryptKeyHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal sealed class BCryptKeyHandle : BCryptHandle { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs index a7add3bb9a..305f1ba34b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/LocalAllocHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a handle returned by LocalAlloc. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs index fff0f360f4..f2782aa2fa 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/NCryptDescriptorHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs @@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal sealed class NCryptDescriptorHandle : SafeHandleZeroOrMinusOneIsInvalid { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs index c36caa7cdc..dbfc561884 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeCertContextHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.CompilerServices; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { internal sealed class SafeCertContextHandle : SafeHandleZeroOrMinusOneIsInvalid { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs similarity index 100% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index 59202a0c5c..9c53390775 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs @@ -2,8 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Diagnostics; -using System.Reflection; using System.Runtime.InteropServices; using System.Security; using Microsoft.Win32.SafeHandles; @@ -12,7 +10,7 @@ using Microsoft.Win32.SafeHandles; using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a handle to a Windows module (DLL). @@ -92,8 +90,6 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles /// public TDelegate GetProcAddress(string lpProcName, bool throwIfNotFound = true) where TDelegate : class { - Debug.Assert(typeof(Delegate).IsAssignableFrom(typeof(TDelegate)), "TDelegate must be a delegate type!"); - IntPtr pfnProc = UnsafeNativeMethods.GetProcAddress(this, lpProcName); if (pfnProc == IntPtr.Zero) { 
@@ -115,7 +111,9 @@ namespace Microsoft.AspNet.Security.DataProtection.SafeHandles /// public static SafeLibraryHandle Open(string filename) { - SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibraryEx(filename, IntPtr.Zero, 0); + const uint LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800U; // from libloaderapi.h + + SafeLibraryHandle handle = UnsafeNativeMethods.LoadLibraryEx(filename, IntPtr.Zero, LOAD_LIBRARY_SEARCH_SYSTEM32); if (handle == null || handle.IsInvalid) { UnsafeNativeMethods.ThrowExceptionForLastWin32Error(); diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs index 6b2bacaf6e..a2a325d560 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SafeNCryptKeyHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs @@ -6,7 +6,7 @@ using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; #if ASPNETCORE50 -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a managed view over an NCRYPT_KEY_HANDLE. diff --git a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs rename to src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index 34cca9d1e4..a4ce4b3dcc 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs 
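Review bot: `Open` now passes `LOAD_LIBRARY_SEARCH_SYSTEM32`, but nothing in the hunk states or checks that `filename` is a bare module name. As far as I know, when LoadLibraryEx is given a fully qualified path the module itself is loaded from that path and the flag only constrains how its dependencies are resolved. The callers visible in this commit pass constants such as `bcrypt.dll`, so a doc remark is enough: `/// <remarks>filename must be a bare DLL name; it is resolved from the System32 directory only.</remarks>`. The flag also requires KB2533623 on Windows 7 / Server 2008 R2 and earlier, where LoadLibraryEx otherwise fails with an invalid-parameter error; that is worth a line in the same remark, since the commit carries a Win7 PBKDF2 provider. The body of `Open` continues past the hunk.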
@@ -10,7 +10,7 @@ using System.Security; using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection.SafeHandles +namespace Microsoft.AspNet.Cryptography.SafeHandles { /// /// Represents a handle returned by LocalAlloc. diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs rename to src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs index ef6a69bdbc..7bb265b4ec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeBufferUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs @@ -4,13 +4,13 @@ using System; using System.Runtime.CompilerServices; using System.Threading; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; #if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { internal unsafe static class UnsafeBufferUtil { diff --git a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs rename to src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs index 372578fa84..a7bfe972e3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs 
@@ -7,15 +7,16 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security; using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using System.Threading; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; #if !ASPNETCORE50 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { #if !ASPNETCORE50 [SuppressUnmanagedCodeSecurity] @@ -23,13 +24,19 @@ namespace Microsoft.AspNet.Security.DataProtection internal unsafe static class UnsafeNativeMethods { private const string BCRYPT_LIB = "bcrypt.dll"; - private static readonly SafeLibraryHandle _bcryptLibHandle = SafeLibraryHandle.Open(BCRYPT_LIB); + private static readonly Lazy _lazyBCryptLibHandle = GetLazyLibraryHandle(BCRYPT_LIB); private const string CRYPT32_LIB = "crypt32.dll"; - private static readonly SafeLibraryHandle _crypt32LibHandle = SafeLibraryHandle.Open(CRYPT32_LIB); + private static readonly Lazy _lazyCrypt32LibHandle = GetLazyLibraryHandle(CRYPT32_LIB); private const string NCRYPT_LIB = "ncrypt.dll"; - private static readonly SafeLibraryHandle _ncryptLibHandle = SafeLibraryHandle.Open(NCRYPT_LIB); + private static readonly Lazy _lazyNCryptLibHandle = GetLazyLibraryHandle(NCRYPT_LIB); + + private static Lazy GetLazyLibraryHandle(string libraryName) + { + // We don't need to worry about race conditions: SafeLibraryHandle will clean up after itself + return new Lazy(() => SafeLibraryHandle.Open(libraryName), LazyThreadSafetyMode.PublicationOnly); + } /* * BCRYPT.DLL 
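Review bot: The comment in `GetLazyLibraryHandle` explains only the duplicate-handle race and leaves out the other consequence of `LazyThreadSafetyMode.PublicationOnly`: an exception thrown by the factory is not cached, so after a failed load every later access to `.Value` calls `SafeLibraryHandle.Open` again. The handles created by threads that lose the race are also not disposed by `Lazy`; they are presumably released only when the SafeHandle is finalized, which is what "clean up after itself" seems to rely on. I would spell both out, e.g. `// PublicationOnly: racing threads may each load the library (surplus handles are released on finalization); a failed load is not cached and is retried on the next access`.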
@@ -346,7 +353,7 @@ namespace Microsoft.AspNet.Security.DataProtection [MethodImpl(MethodImplOptions.NoInlining)] private static void ThrowExceptionForBCryptStatusImpl(int ntstatus) { - string message = _bcryptLibHandle.FormatMessage(ntstatus); + string message = _lazyBCryptLibHandle.Value.FormatMessage(ntstatus); throw new CryptographicException(message); } @@ -355,7 +362,7 @@ namespace Microsoft.AspNet.Security.DataProtection int lastError = Marshal.GetLastWin32Error(); Debug.Assert(lastError != 0, "This method should only be called if there was an error."); - string message = _crypt32LibHandle.FormatMessage(lastError); + string message = _lazyCrypt32LibHandle.Value.FormatMessage(lastError); throw new CryptographicException(message); } @@ -372,7 +379,7 @@ namespace Microsoft.AspNet.Security.DataProtection [MethodImpl(MethodImplOptions.NoInlining)] private static void ThrowExceptionForNCryptStatusImpl(int ntstatus) { - string message = _ncryptLibHandle.FormatMessage(ntstatus); + string message = _lazyNCryptLibHandle.Value.FormatMessage(ntstatus); throw new CryptographicException(message); } } diff --git a/src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs b/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs similarity index 90% rename from src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs rename to src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs index 638fdc6231..8aaf9c73bb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/WeakReferenceHelpers.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs 
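Review bot: The three changes here (`_lazyBCryptLibHandle.Value`, `_lazyCrypt32LibHandle.Value`, `_lazyNCryptLibHandle.Value`) make the error-reporting path the place where a library may be loaded for the first time, so a load failure there replaces the NTSTATUS or Win32 code that was being reported. The crypt32 case deserves a closer look: `SafeLibraryHandle.Open` reports its own failure through `UnsafeNativeMethods.ThrowExceptionForLastWin32Error()`, and the second hunk appears to be that method's body (its signature is outside the hunk). That would re-enter `_lazyCrypt32LibHandle.Value` while its factory is still running, and as far as I know `PublicationOnly` does not guard against recursion. I would have these helpers fall back to a message built from the numeric code when the handle cannot be obtained, and say so in place, e.g. `// Value may trigger the first LoadLibraryEx call; must not hide the original status if that load fails`.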
@@ -1,8 +1,11 @@ -using System; +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; using System.Diagnostics; using System.Threading; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography { internal static class WeakReferenceHelpers { diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json new file mode 100644 index 0000000000..da2f2d3a77 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json @@ -0,0 +1,26 @@ +{ + "version": "1.0.0-*", + "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", + "dependencies": { + }, + "frameworks": { + "net451": { }, + "aspnet50": { }, + "aspnetcore50": { + "dependencies": { + "System.Diagnostics.Debug": "4.0.10-beta-*", + "System.Globalization": "4.0.10-beta-*", + "System.Resources.ResourceManager": "4.0.0-beta-*", + "System.Runtime": "4.0.20-beta-*", + "System.Runtime.Handles": "4.0.0-beta-*", + "System.Runtime.InteropServices": "4.0.20-beta-*", + "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Threading": "4.0.10-beta-*" + } + } + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs similarity index 65% rename from src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs index 79cb1e6370..8e2a4db593 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivation.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.PBKDF2; +using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography.KeyDerivation { public static class KeyDerivation { @@ -13,23 +13,23 @@ namespace Microsoft.AspNet.Security.DataProtection // parameter checking if (password == null) { - throw new ArgumentNullException("password"); + throw new ArgumentNullException(nameof(password)); } if (salt == null) { - throw new ArgumentNullException("salt"); + throw new ArgumentNullException(nameof(salt)); } if (prf < KeyDerivationPrf.Sha1 || prf > KeyDerivationPrf.Sha512) { - throw new ArgumentOutOfRangeException("prf"); + throw new ArgumentOutOfRangeException(nameof(prf)); } if (iterationCount <= 0) { - throw new ArgumentOutOfRangeException("iterationCount"); + throw new ArgumentOutOfRangeException(nameof(iterationCount)); } if (numBytesRequested <= 0) { - throw new ArgumentOutOfRangeException("numBytesRequested"); + throw new ArgumentOutOfRangeException(nameof(numBytesRequested)); } return Pbkdf2Util.Pbkdf2Provider.DeriveKey(password, salt, prf, iterationCount, numBytesRequested); diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs index 196aed9523..0f8556eb10 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyDerivationPrf.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.Cryptography.KeyDerivation { /// /// Specifies the PRF which should be used for the key derivation algorithm. diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj new file mode 100644 index 0000000000..122f0410ea --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 421F0383-34B1-402D-807B-A94542513ABA + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs similarity index 89% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs index 6e353d48c8..c19837c871 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/IPbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// Internal interface used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs index 527bdc5119..cc6f7d17ec 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/ManagedPbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs @@ -6,7 +6,7 @@ using System.Diagnostics; using System.Security.Cryptography; using System.Text; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the managed hash algorithm classes as PRFs. diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs index d33a3d71ca..3e0d1a0c3a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Pbkdf2Util.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Cryptography.Cng; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// Internal base class used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs index 62d1cef6d4..629f568fcb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win7Pbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs @@ -4,10 +4,10 @@ using System; using System.Diagnostics; using System.Text; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the Win7 API BCryptDeriveKeyPBKDF2. diff --git a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs similarity index 88% rename from src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs index 02a33fb705..d2ff0ce174 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/PBKDF2/Win8Pbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs 
@@ -3,11 +3,12 @@ using System; using System.Diagnostics; +using System.Runtime.CompilerServices; using System.Text; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the Win8 API BCryptKeyDerivation. @@ -32,13 +33,28 @@ namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 { fixed (byte* pbRetVal = retVal) { - Pbkdf2Win8ImplStep2(keyHandle, algorithmName, pbSalt, (uint)salt.Length, (ulong)iterationCount, pbRetVal, (uint)retVal.Length); + DeriveKeyCore(keyHandle, algorithmName, pbSalt, (uint)salt.Length, (ulong)iterationCount, pbRetVal, (uint)retVal.Length); } return retVal; } } } + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static uint GetTotalByteLengthIncludingNullTerminator(string input) + { + if (input == null) + { + // degenerate case + return 0; + } + else + { + uint numChars = (uint)input.Length + 1U; // no overflow check necessary since Length is signed + return checked(numChars * sizeof(char)); + } + } + private static BCryptKeyHandle PasswordToPbkdfKeyHandle(string password, BCryptAlgorithmHandle pbkdf2AlgHandle, KeyDerivationPrf prf) { byte dummy; // CLR doesn't like pinning zero-length buffers, so this provides a valid memory address when working with zero-length buffers 
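Review bot: `GetTotalByteLengthIncludingNullTerminator` is added as `public static`, while the helpers around it in this hunk (`PasswordToPbkdfKeyHandle`, `DeriveKeyCore`) are `private static` and its only visible caller is `DeriveKeyCore`; `private static uint GetTotalByteLengthIncludingNullTerminator(string input)` keeps the provider's surface unchanged. It also needs a short summary stating the unit, because the result goes straight into `cbBuffer`, e.g. `/// Size in bytes of the UTF-16 string including its terminating null; 0 for a null string.` The null branch means a null `hashAlgorithm` would yield a zero-length `KDF_HASH_ALGORITHM` buffer rather than an argument error, which is worth stating or asserting at the call site. `PasswordToPbkdfKeyHandle` continues outside the hunk.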
@@ -136,7 +152,7 @@ namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 } } - private static void Pbkdf2Win8ImplStep2(BCryptKeyHandle pbkdf2KeyHandle, string hashAlgorithm, byte* pbSalt, uint cbSalt, ulong iterCount, byte* pbDerivedBytes, uint cbDerivedBytes) + private static void DeriveKeyCore(BCryptKeyHandle pbkdf2KeyHandle, string hashAlgorithm, byte* pbSalt, uint cbSalt, ulong iterCount, byte* pbDerivedBytes, uint cbDerivedBytes) { // First, build the buffers necessary to pass (hash alg, salt, iter count) into the KDF BCryptBuffer* pBuffers = stackalloc BCryptBuffer[3]; @@ -153,7 +169,7 @@ namespace Microsoft.AspNet.Security.DataProtection.PBKDF2 { pBuffers[2].BufferType = BCryptKeyDerivationBufferType.KDF_HASH_ALGORITHM; pBuffers[2].pvBuffer = (IntPtr)pszHashAlgorithm; - pBuffers[2].cbBuffer = hashAlgorithm.GetTotalByteLengthIncludingNullTerminator(); + pBuffers[2].cbBuffer = GetTotalByteLengthIncludingNullTerminator(hashAlgorithm); // Add the header which points to the buffers BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..1810781789 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs @@ -0,0 +1,7 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; + +[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json new file mode 100644 index 0000000000..6582d52581 --- /dev/null +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json 
@@ -0,0 +1,21 @@ +{ + "version": "1.0.0-*", + "description": "ASP.NET 5 utilities for key derivation.", + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*" + }, + "frameworks": { + "net451": { }, + "aspnet50": { }, + "aspnetcore50": { + "dependencies": { + "System.Runtime.Extensions": "4.0.10-beta-*", + "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*" + } + } + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs index 6a2808e70d..6c61f43316 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs @@ -3,7 +3,6 @@ using System; using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs index 763c8f6e93..a8767fdc0f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs index 9db38c5070..171d0ce3cd 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs @@ -2,8 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs index e47a6cd4f1..f673cd2ff9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs @@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs index 3007f2eb72..5070ad7728 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs index d8cd278490..2b3cca4ae8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs @@ -2,8 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs index d826c54b3e..64d9ca4280 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs @@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs index e636713040..ac7a984083 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs index 673f0e2646..0d58cfbfc9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs @@ -4,6 +4,7 @@ using System; using System.Reflection; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Managed; namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs index bdfbdccdc2..15410c8f42 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs @@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs index 6ce50391f1..9919cc2644 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography.Cng; namespace Microsoft.AspNet.Security.DataProtection.Cng { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index 9c7567a4da..f44143cdfa 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -2,7 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.SP800_108; namespace Microsoft.AspNet.Security.DataProtection.Cng diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs index e5762f1190..ee641fccab 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -7,7 +7,8 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.Cng { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index d6b99f69c0..802f8feab9 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs 
@@ -2,8 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.SP800_108; namespace Microsoft.AspNet.Security.DataProtection.Cng diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs index 14f22b52b1..1e84b49be4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { @@ -32,7 +31,7 @@ namespace Microsoft.AspNet.Security.DataProtection { try { - byte[] unprotectedDataAsBytes = CryptoUtil.SecureUtf8Encoding.GetBytes(unprotectedData); + byte[] unprotectedDataAsBytes = EncodingUtil.SecureUtf8Encoding.GetBytes(unprotectedData); byte[] protectedDataAsBytes = protector.Protect(unprotectedDataAsBytes); return WebEncoders.Base64UrlEncode(protectedDataAsBytes); } @@ -58,7 +57,7 @@ namespace Microsoft.AspNet.Security.DataProtection { byte[] protectedDataAsBytes = WebEncoders.Base64UrlDecode(protectedData); byte[] unprotectedDataAsBytes = protector.Unprotect(protectedDataAsBytes); - return CryptoUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); + return EncodingUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); } catch (Exception ex) when (ex.RequiresHomogenization()) { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs index d1e0f56124..71d14b4a64 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -5,9 +5,9 @@ using System; using System.Collections.Generic; using System.IO; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.Dpapi; using Microsoft.AspNet.Security.DataProtection.KeyManagement; using Microsoft.AspNet.Security.DataProtection.Repositories; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs index a4b400e5e0..9689d11c45 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.Dpapi { @@ -28,7 +29,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Dpapi using (var memoryStream = new MemoryStream()) { memoryStream.Write(_combinedPurposes, 0, _combinedPurposes.Length); - using (var writer = new BinaryWriter(memoryStream, CryptoUtil.SecureUtf8Encoding, leaveOpen: true)) + using (var writer = new BinaryWriter(memoryStream, EncodingUtil.SecureUtf8Encoding, leaveOpen: true)) { writer.Write(purpose); } 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs b/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs new file mode 100644 index 0000000000..84a8822900 --- /dev/null +++ b/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs @@ -0,0 +1,14 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Text; + +namespace Microsoft.AspNet.Security.DataProtection +{ + internal unsafe static class EncodingUtil + { + // UTF8 encoding that fails on invalid chars + public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); + } +} diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs index 8b87083b2c..179d3f15a2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.KeyManagement; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Error.cs b/src/Microsoft.AspNet.Security.DataProtection/Error.cs index 8571a4074c..74fa5221d2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Error.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Error.cs 
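Review bot: The comment on `SecureUtf8Encoding` in the new `EncodingUtil.cs` says what the encoding does but not why callers depend on it. With `throwOnInvalidBytes: true` malformed input throws instead of being replaced, so two different malformed strings can never encode to the same bytes; that matters where the result feeds purpose strings or protected payloads. I would extend it to something like `// UTF8 encoding that throws on invalid input instead of substituting U+FFFD, so distinct inputs never collapse to the same bytes`. Separately, the class holds no pointer code, so the `unsafe` modifier can go: `internal static class EncodingUtil`.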
@@ -9,12 +9,6 @@ namespace Microsoft.AspNet.Security.DataProtection { internal static class Error { - public static CryptographicException BCryptAlgorithmHandle_ProviderNotFound(string algorithmId) - { - string message = String.Format(CultureInfo.CurrentCulture, Resources.BCryptAlgorithmHandle_ProviderNotFound, algorithmId); - return new CryptographicException(message); - } - public static ArgumentException Common_BufferIncorrectlySized(string parameterName, int actualSize, int expectedSize) { string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_BufferIncorrectlySized, actualSize, expectedSize); diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index ecb87dad75..97841ca503 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -4,8 +4,8 @@ using System; using System.Diagnostics; using System.IO; -using System.Security.Cryptography; using System.Threading; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNet.Security.DataProtection.KeyManagement @@ -279,7 +279,7 @@ namespace Microsoft.AspNet.Security.DataProtection.KeyManagement // Strings should never contain invalid UTF16 chars, so we'll use a secure encoding. private static readonly byte[] _guidBuffer = new byte[sizeof(Guid)]; - public PurposeBinaryWriter(MemoryStream stream) : base(stream, CryptoUtil.SecureUtf8Encoding, leaveOpen: true) { } + public PurposeBinaryWriter(MemoryStream stream) : base(stream, EncodingUtil.SecureUtf8Encoding, leaveOpen: true) { } public new void Write7BitEncodedInt(int value) { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs index 37d576c063..a4efcce090 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs @@ -5,6 +5,7 @@ using System; using System.Diagnostics; using System.Linq; using System.Threading; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.KeyManagement { diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs index 27dff11346..ef8a95a5db 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs @@ -8,6 +8,7 @@ using System.Globalization; using System.Linq; using System.Reflection; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.Repositories; using Microsoft.AspNet.Security.DataProtection.XmlEncryption; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs index eec421cfd8..e88b3cdffb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.Managed { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index f10003ece2..ba53330486 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Security.DataProtection.SP800_108; diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs index 48c8860ee1..197f9fe3ac 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.Managed { diff --git a/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs index 0427ff6e62..b6aa7680ed 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs @@ -3,6 +3,7 @@ using System; using System.Runtime.InteropServices; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs index f1d2151ed5..35f9a8dc33 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs @@ -10,38 +10,6 @@ namespace Microsoft.AspNet.Security.DataProtection private static readonly ResourceManager _resourceManager = new ResourceManager("Microsoft.AspNet.Security.DataProtection.Resources", typeof(Resources).GetTypeInfo().Assembly); - /// - /// A provider could not be found for algorithm '{0}'. - /// - internal static string BCryptAlgorithmHandle_ProviderNotFound - { - get { return GetString("BCryptAlgorithmHandle_ProviderNotFound"); } - } - - /// - /// A provider could not be found for algorithm '{0}'. - /// - internal static string FormatBCryptAlgorithmHandle_ProviderNotFound(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("BCryptAlgorithmHandle_ProviderNotFound"), p0); - } - - /// - /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). - /// - internal static string BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength - { - get { return GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"); } - } - - /// - /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). - /// - internal static string FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(object p0, object p1, object p2, object p3) - { - return string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); - } - /// /// An error occurred during a cryptographic operation. /// diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx index 8029969b2a..044df24e82 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx 
@@ -117,12 +117,6 @@ System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 - - A provider could not be found for algorithm '{0}'. - - - The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). - An error occurred during a cryptographic operation. diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs index 1ffa2e21f8..a31317918b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Managed; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs index 11750100c5..eee810f44c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index 7778e03013..903b6f095c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs 
+++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -2,7 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs index a163834603..119bd1ec73 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs @@ -2,8 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs index 30af954f1e..34c506756a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs 
@@ -2,8 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.SP800_108 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Secret.cs b/src/Microsoft.AspNet.Security.DataProtection/Secret.cs index ddb8acdab1..06905c39c1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Secret.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Secret.cs @@ -2,9 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Managed; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs deleted file mode 100644 index f081611b3f..0000000000 --- a/src/Microsoft.AspNet.Security.DataProtection/StringExtensions.cs +++ /dev/null 
@@ -1,26 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Runtime.CompilerServices; - -namespace Microsoft.AspNet.Security.DataProtection -{ - internal static class StringExtensions - { - [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static uint GetTotalByteLengthIncludingNullTerminator(this string input) - { - if (input == null) - { - // degenerate case - return 0; - } - else - { - uint numChars = (uint)input.Length + 1U; // no overflow check necessary since Length is signed - return checked(numChars * sizeof(char)); - } - } - } -} diff --git a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs index bf42b34c45..a3542d71bb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index d0c2f8bade..5b08a6e1fb 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Cng; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index 25526f61dd..acbd0c3f79 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -6,9 +6,10 @@ using System.Globalization; using System.IO; using System.Security.Principal; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Security.DataProtection.KeyManagement; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index e6376dbec0..cef503b7e2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -4,6 +4,7 @@ using System; using System.IO; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Security.DataProtection.Cng; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs index f2dae82986..efceec02ae 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs 
@@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.Security.DataProtection/project.json index 971c304e51..a0e70f0a0a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/project.json +++ b/src/Microsoft.AspNet.Security.DataProtection/project.json @@ -2,6 +2,7 @@ "version": "1.0.0-*", "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.Framework.DependencyInjection": "1.0.0-*", "Microsoft.Framework.OptionsModel": "1.0.0-*" }, @@ -24,6 +25,7 @@ "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", "System.IO": "4.0.10-beta-*", + "System.Reflection.TypeExtensions": "4.0.0-beta-*", "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs new file mode 100644 index 0000000000..e435d081dc --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs 
@@ -0,0 +1,58 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Globalization;
+using Microsoft.AspNet.Cryptography.SafeHandles;
+using Microsoft.AspNet.Testing.xunit;
+
+namespace Microsoft.AspNet.Cryptography
+{
+ public class ConditionalRunTestOnlyIfBcryptAvailableAttribute : Attribute, ITestCondition
+ {
+ private static readonly SafeLibraryHandle _bcryptLibHandle = GetBCryptLibHandle();
+
+ private readonly string _requiredExportFunction;
+
+ public ConditionalRunTestOnlyIfBcryptAvailableAttribute(string requiredExportFunction = null)
+ {
+ _requiredExportFunction = requiredExportFunction;
+ }
+
+ public bool IsMet
+ {
+ get
+ {
+ if (_bcryptLibHandle == null)
+ {
+ return false; // no bcrypt.dll available
+ }
+
+ return (_requiredExportFunction == null || _bcryptLibHandle.DoesProcExist(_requiredExportFunction));
+ }
+ }
+
+ public string SkipReason
+ {
+ get
+ {
+ return (_bcryptLibHandle != null)
+ ? String.Format(CultureInfo.InvariantCulture, "Export {0} not found in bcrypt.dll", _requiredExportFunction)
+ : "bcrypt.dll not found on this platform.";
+ }
+ }
+
+ private static SafeLibraryHandle GetBCryptLibHandle()
+ {
+ try
+ {
+ return SafeLibraryHandle.Open("bcrypt.dll");
+ }
+ catch
+ {
+ // If we're not on an OS with BCRYPT.DLL, just bail.
+ return null;
+ }
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj
new file mode 100644
index 0000000000..02588fc1d9
--- /dev/null
+++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj
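Review bot: The bare `catch` in `GetBCryptLibHandle` maps every failure of `SafeLibraryHandle.Open("bcrypt.dll")` to "bcrypt.dll not found on this platform.", so a load that fails for any other reason silently skips the gated crypto tests instead of surfacing. Narrow it to the exception type `Open` throws for a missing library (not visible in this hunk), or keep the caught exception and include its message in `SkipReason`. At minimum, extend the comment to `// Any load failure is treated as "bcrypt.dll unavailable"; tests gated on this attribute are then skipped, not failed.` `Open` is also called with a bare file name, and its implementation is outside this hunk, so it is worth confirming that it restricts the search to the system directory.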
@@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 42c97f52-8d56-46bd-a712-4f22bed157a7 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs rename to test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs index 6fed8294d7..6fc684797d 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/PBKDF2/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs @@ -3,11 +3,11 @@ using System; using System.Text; -using Microsoft.AspNet.Security.DataProtection.PBKDF2; +using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 +namespace Microsoft.AspNet.Cryptography.KeyDerivation { public class Pbkdf2Tests { @@ -40,8 +40,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test.PBKDF2 // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF. We only use 5 iterations so // that our unit tests are fast. - [ConditionalTheory] - [ConditionalRunTestOnlyIfBcryptAvailable("BCryptDeriveKeyPBKDF2")] + [Theory] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] 
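Review bot: Replacing `[ConditionalTheory]` and `[ConditionalRunTestOnlyIfBcryptAvailable("BCryptDeriveKeyPBKDF2")]` with `[Theory]` in the second Pbkdf2Tests.cs hunk makes this theory run on every platform, and neither the hunk nor the comment above it says why the export check is no longer needed. The decorated method starts outside the hunk, so whether it reaches the CNG path cannot be confirmed from here. If it does, the test will fail rather than skip where bcrypt.dll lacks that export. If the theory is meant to be platform-independent, record that in the comment block once verified, e.g. `// No bcrypt gate: this theory does not call into CNG.`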
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
new file mode 100644
index 0000000000..3f8188a594
--- /dev/null
+++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
@@ -0,0 +1,8 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+
+// for unit testing
+[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")]
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json
new file mode 100644
index 0000000000..ebed517c17
--- /dev/null
+++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json
@@ -0,0 +1,18 @@
+{
+ "dependencies": {
+ "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*",
+ "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*",
+ "Microsoft.AspNet.Testing": "1.0.0-*",
+ "Moq": "4.2.1312.1622",
+ "xunit.runner.kre": "1.0.0-*"
+ },
+ "frameworks": {
+ "aspnet50": { }
+ },
+ "commands": {
+ "test": "xunit.runner.kre"
+ },
+ "compilationOptions": {
+ "allowUnsafe": true
+ }
+}
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
index 34fa81a08c..4e2b8b4373 100644
--- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
+++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
@@ -5,6 +5,7 @@ using System; using System.Linq; using System.Security.Cryptography; using System.Text; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Testing.xunit; using Xunit; diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs index fb73ec6c61..e9ab3f545f 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs @@ -5,6 +5,7 @@ using System; using System.Linq; using System.Security.Cryptography; using System.Text; +using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Security.DataProtection.Cng; using Microsoft.AspNet.Testing.xunit; using Xunit; diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs index eb6cc86e0e..168ae7075a 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs @@ -3,7 +3,7 @@ using System; using System.Globalization; -using Microsoft.AspNet.Security.DataProtection.SafeHandles; +using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Testing.xunit; namespace Microsoft.AspNet.Security.DataProtection.Test From ab18f52e987d301a5ba433cd025e690e00b5cdf9 Mon Sep 17 00:00:00 2001 
From: Levi B Date: Tue, 24 Feb 2015 17:48:29 -0800 Subject: [PATCH 092/493] Add CreateProtector convenience extension method --- .../DataProtectionExtensions.cs | 33 +++++++++++++++++ .../Properties/Resources.Designer.cs | 16 ++++++++ .../Resources.resx | 3 ++ .../DataProtectionExtensionsTests.cs | 37 +++++++++++++++++++ .../ExceptionHelpers.cs | 20 ++++++++++ 5 files changed, 109 insertions(+) create mode 100644 test/Microsoft.AspNet.Security.DataProtection.Test/ExceptionHelpers.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs index 1e84b49be4..5178eb7bc1 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs @@ -2,6 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Diagnostics; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.Security.DataProtection { 
@@ -21,6 +23,37 @@ namespace Microsoft.AspNet.Security.DataProtection ?? new TimeLimitedDataProtector(protector.CreateProtector(TimeLimitedDataProtector.PurposeString)); } + /// + /// Creates an IDataProtector given an array of purposes. + /// + /// The provider from which to generate the purpose chain. + /// + /// This is a convenience method used for chaining several purposes together + /// in a single call to CreateProtector. See the documentation of + /// IDataProtectionProvider.CreateProtector for more information. + /// + /// An IDataProtector tied to the provided purpose chain. + public static IDataProtector CreateProtector([NotNull] this IDataProtectionProvider provider, params string[] purposes) + { + if (purposes == null || purposes.Length == 0) + { + throw new ArgumentException(Resources.DataProtectionExtensions_NullPurposesArray, nameof(purposes)); + } + + IDataProtectionProvider retVal = provider; + foreach (string purpose in purposes) + { + if (String.IsNullOrEmpty(purpose)) + { + throw new ArgumentException(Resources.DataProtectionExtensions_NullPurposesArray, nameof(purposes)); + } + retVal = retVal.CreateProtector(purpose) ?? CryptoUtil.Fail("CreateProtector returned null."); + } + + Debug.Assert(retVal is IDataProtector); // CreateProtector is supposed to return an instance of this interface + return (IDataProtector)retVal; + } + /// /// Cryptographically protects a piece of plaintext data. /// diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs index 35f9a8dc33..ae6746ee91 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs 
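Review bot: The doc comment on the new `CreateProtector(this IDataProtectionProvider, params string[])` overload documents `provider` but appears to have no entry for `purposes` (the XML tags are not readable in this view), even though the method rejects a null or empty array and any null or empty element. The loop applies the purposes in order, each to the protector returned by the previous call, so `("a", "b")` and `("b", "a")` are different purpose chains; callers relying on purposes for isolation should be able to read that on the method. I would add `/// <param name="purposes">The purposes, applied in order; must be non-empty and contain no null or empty strings.</param>`. Validation is also interleaved with the calls, so earlier purposes have already been passed to `CreateProtector` when a later bad element throws; checking the whole array before the loop would avoid that.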
@@ -186,6 +186,22 @@ namespace Microsoft.AspNet.Security.DataProtection return string.Format(CultureInfo.CurrentCulture, GetString("TimeLimitedDataProtector_PayloadExpired"), p0); } + /// + /// The purposes array cannot be null or empty and cannot contain null or empty elements. + /// + internal static string DataProtectionExtensions_NullPurposesArray + { + get { return GetString("DataProtectionExtensions_NullPurposesArray"); } + } + + /// + /// The purposes array cannot be null or empty and cannot contain null or empty elements. + /// + internal static string FormatDataProtectionExtensions_NullPurposesArray() + { + return GetString("DataProtectionExtensions_NullPurposesArray"); + } + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx index 044df24e82..3db16f062c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.Security.DataProtection/Resources.resx @@ -150,4 +150,7 @@ The payload expired at {0}. + + The purposes array cannot be null or empty and cannot contain null or empty elements. + \ No newline at end of file diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs index 6993f4ab9b..bccbafeb38 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs 
@@ -39,6 +39,43 @@ namespace Microsoft.AspNet.Security.DataProtection.Test Assert.Same(innerProtector, timeLimitedProtector.InnerProtector); } + [Theory] + [InlineData(new object[] { null })] + [InlineData(new object[] { new string[0] })] + [InlineData(new object[] { new string[] { null } })] + [InlineData(new object[] { new string[] { "the next value is bad", "" } })] + public void CreateProtector_Chained_FailureCases(string[] purposes) + { + // Arrange + var mockProtector = new Mock(); + mockProtector.Setup(o => o.CreateProtector(It.IsAny())).Returns(mockProtector.Object); + var provider = mockProtector.Object; + + // Act & assert + var ex = Assert.Throws(() => provider.CreateProtector(purposes)); + ex.AssertMessage("purposes", Resources.DataProtectionExtensions_NullPurposesArray); + } + + [Fact] + public void CreateProtector_Chained_SuccessCase() + { + // Arrange + var finalExpectedProtector = new Mock().Object; + + var thirdMock = new Mock(); + thirdMock.Setup(o => o.CreateProtector("third")).Returns(finalExpectedProtector); + var secondMock = new Mock(); + secondMock.Setup(o => o.CreateProtector("second")).Returns(thirdMock.Object); + var firstMock = new Mock(); + firstMock.Setup(o => o.CreateProtector("first")).Returns(secondMock.Object); + + // Act + var retVal = firstMock.Object.CreateProtector("first", "second", "third"); + + // Assert + Assert.Same(finalExpectedProtector, retVal); + } + [Fact] public void Protect_InvalidUtf_Failure() { diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/ExceptionHelpers.cs b/test/Microsoft.AspNet.Security.DataProtection.Test/ExceptionHelpers.cs new file mode 100644 index 0000000000..e4394cbc9b --- /dev/null +++ b/test/Microsoft.AspNet.Security.DataProtection.Test/ExceptionHelpers.cs 
@@ -0,0 +1,20 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Xunit; + +namespace Microsoft.AspNet.Security.DataProtection.Test +{ + internal static class ExceptionHelpers + { + public static void AssertMessage(this ArgumentException exception, string parameterName, string message) + { + Assert.Equal(parameterName, exception.ParamName); + + // We'll let ArgumentException handle the message formatting for us and treat it as our control value + var controlException = new ArgumentException(message, parameterName); + Assert.Equal(controlException.Message, exception.Message); + } + } +} From 544c83812c1697db5257fbe40ff2598ac9cf923c Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 24 Feb 2015 18:17:07 -0800 Subject: [PATCH 093/493] Add unit tests for WeakReferenceHelpers Doc comment cleanup on IOptimizedAuthenticatedEncryptor --- DataProtection.sln | 11 +++ .../Properties/AssemblyInfo.cs | 1 + .../IOptimizedAuthenticatedEncryptor.cs | 27 +++--- ...ft.AspNet.Cryptography.Internal.Test.kproj | 17 ++++ .../Properties/AssemblyInfo.cs | 8 ++ .../WeakReferenceHelpersTests.cs | 87 +++++++++++++++++++ .../project.json | 13 +++ 7 files changed, 154 insertions(+), 10 deletions(-) create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.kproj create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/project.json diff --git a/DataProtection.sln b/DataProtection.sln index 3437c905a7..5d906c25f6 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -21,6 +21,8 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptograp EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNet.Cryptography.KeyDerivation.Test\Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal.Test", "test\Microsoft.AspNet.Cryptography.Internal.Test\Microsoft.AspNet.Cryptography.Internal.Test.kproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -77,6 +79,14 @@ Global {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|Any CPU.Build.0 = Release|Any CPU {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|x86.ActiveCfg = Release|Any CPU {42C97F52-8D56-46BD-A712-4F22BED157A7}.Release|x86.Build.0 = Release|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Debug|Any CPU.Build.0 = Debug|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Debug|x86.ActiveCfg = Debug|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Debug|x86.Build.0 = Debug|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Release|Any CPU.ActiveCfg = Release|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Release|Any CPU.Build.0 = Release|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Release|x86.ActiveCfg = Release|Any CPU + {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE 
@@ -89,5 +99,6 @@ Global {E2779976-A28C-4365-A4BB-4AD854FAF23E} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {421F0383-34B1-402D-807B-A94542513ABA} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {42C97F52-8D56-46BD-A712-4F22BED157A7} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {37053D5F-5B61-47CE-8B72-298CE007FFB0} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} EndGlobalSection EndGlobal diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs index 3f612d6db3..65c143563c 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs @@ -8,6 +8,7 @@ using System.Runtime.InteropServices; // we only ever p/invoke into DLLs known to be in the System32 folder [assembly: DefaultDllImportSearchPaths(DllImportSearchPath.System32)] +[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.Internal.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation")] [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection")] diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs index aa8d7c72fb..6535cb146b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs 
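Review bot: The added `InternalsVisibleTo("Microsoft.AspNet.Cryptography.Internal.Test")` names the friend assembly by simple name only, like the entries already in AssemblyInfo.cs, so any assembly with that name gets compile-time access to the internals of this p/invoke-heavy crypto assembly. Whether these assemblies are strong-named is not visible in this hunk. If they are, or once they are, each friend entry needs the key, e.g. `[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.Internal.Test, PublicKey=<test-assembly-public-key>")]`. A comment above the friend list, such as `// friend assemblies: sibling libraries and their test projects only`, would also make the intended scope explicit.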
@@ -18,18 +18,25 @@ namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption /// the returned ciphertext but which will still be covered by the authentication tag. /// This input may be zero bytes in length. The same AAD must be specified in the corresponding /// call to Decrypt. - /// The number of bytes to include before the ciphertext in the return value. - /// The number of bytes to include after the ciphertext in the return value. + /// The number of bytes to pad before the ciphertext in the output. + /// The number of bytes to pad after the ciphertext in the output. /// - /// A buffer containing the ciphertext and authentication tag. - /// If a non-zero pre-buffer or post-buffer size is specified, the returned buffer will contain appropriate padding - /// on either side of the ciphertext and authentication tag. For instance, if a pre-buffer size of 4 and a post-buffer - /// size of 7 are specified, and if the ciphertext and tag are a combined 48 bytes, then the returned buffer will - /// be a total 59 bytes in length. The first four bytes will be undefined, the next 48 bytes will contain the - /// ciphertext and tag, and the last seven bytes will be undefined. The intent is that the caller can overwrite the - /// pre-buffer or post-buffer with a header or footer without needing to allocate an additional buffer object. + /// The ciphertext blob, including authentication tag. The ciphertext blob will be surrounded by + /// the number of padding bytes requested. For instance, if the given (plaintext, AAD) input results + /// in a (ciphertext, auth tag) output of 0x0102030405, and if 'preBufferSize' is 3 and + /// 'postBufferSize' is 5, then the return value will be 0xYYYYYY0102030405ZZZZZZZZZZ, where bytes + /// YY and ZZ are undefined. /// - /// All cryptography-related exceptions should be homogenized to CryptographicException. 
+ /// + /// This method allows for a slight performance improvement over IAuthenticatedEncryptor.Encrypt + /// in the case where the caller needs to prepend or append some data to the resulting ciphertext. + /// For instance, if the caller needs to append a 32-bit header to the resulting ciphertext, then + /// he can specify 4 for 'preBufferSize' and overwrite the first 32 bits of the buffer returned + /// by this function. This saves the caller from having to allocate a new buffer to hold the final + /// transformed result. + /// + /// All cryptography-related exceptions should be homogenized to CryptographicException. + /// byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize); } } diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.kproj b/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.kproj new file mode 100644 index 0000000000..bf71fe331c --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 37053d5f-5b61-47ce-8b72-298ce007ffb0 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..3f8188a594 --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs 
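Review bot: The new remarks say the caller "needs to append a 32-bit header" but then use 'preBufferSize' and overwrite the first 32 bits of the buffer, which is a prepend. The sentence should read `if the caller needs to prepend a 32-bit header to the resulting ciphertext, then the caller can specify 4 for 'preBufferSize'`. The remarks should also state that the pre-buffer and post-buffer bytes lie outside the authentication tag: whatever the caller writes there after Encrypt returns is unauthenticated unless the same bytes were also passed as additional authenticated data. Because the padding is documented as undefined, add that the caller must overwrite every padding byte before the buffer is stored or sent. The interface declaration starts above this hunk.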
@@ -0,0 +1,8 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; + +// for unit testing +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs new file mode 100644 index 0000000000..9b34dacd6d --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs 
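Review bot: `[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")]` gives the dynamic-proxy assembly access to this test assembly's internals, but nothing visible in this commit needs it. WeakReferenceHelpersTests uses no mocks, and the project.json added for this project lists no mocking package. Unless one arrives transitively through Microsoft.AspNet.Testing, drop the attribute until a test actually mocks an internal type. `using System;` is also unused in this file.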
@@ -0,0 +1,87 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Xunit; + +namespace Microsoft.AspNet.Cryptography +{ + public class WeakReferenceHelpersTests + { + [Fact] + public void GetSharedInstance_ExistingWeakRefHasBeenGCed_CreatesNew() + { + // Arrange + WeakReference wrOriginal = new WeakReference(null); + WeakReference wr = wrOriginal; + MyDisposable newInstance = new MyDisposable(); + + // Act + var retVal = WeakReferenceHelpers.GetSharedInstance(ref wr, () => newInstance); + + // Assert + MyDisposable target; + Assert.NotNull(wr); + Assert.NotSame(wrOriginal, wr); + Assert.True(wr.TryGetTarget(out target)); + Assert.Same(newInstance, target); + Assert.Same(newInstance, retVal); + Assert.False(newInstance.HasBeenDisposed); + } + + [Fact] + public void GetSharedInstance_ExistingWeakRefIsNull_CreatesNew() + { + // Arrange + WeakReference wr = null; + MyDisposable newInstance = new MyDisposable(); + + // Act + var retVal = WeakReferenceHelpers.GetSharedInstance(ref wr, () => newInstance); + + // Assert + MyDisposable target; + Assert.NotNull(wr); + Assert.True(wr.TryGetTarget(out target)); + Assert.Same(newInstance, target); + Assert.Same(newInstance, retVal); + Assert.False(newInstance.HasBeenDisposed); + } + + [Fact] + public void GetSharedInstance_ExistingWeakRefIsNull_AnotherThreadCreatesInstanceWhileOurFactoryRuns_ReturnsExistingInstanceAndDisposesNewInstance() + { + // Arrange + WeakReference wr = null; + MyDisposable instanceThatWillBeCreatedFirst = new MyDisposable(); + MyDisposable instanceThatWillBeCreatedSecond = new MyDisposable(); + + // Act + var retVal = WeakReferenceHelpers.GetSharedInstance(ref wr, () => + { + // mimic another thread creating the instance while our factory is being invoked + WeakReferenceHelpers.GetSharedInstance(ref wr, () => instanceThatWillBeCreatedFirst); + 
return instanceThatWillBeCreatedSecond; + }); + + // Assert + MyDisposable target; + Assert.NotNull(wr); + Assert.True(wr.TryGetTarget(out target)); + Assert.Same(instanceThatWillBeCreatedFirst, target); + Assert.Same(instanceThatWillBeCreatedFirst, retVal); + Assert.False(instanceThatWillBeCreatedFirst.HasBeenDisposed); + Assert.True(instanceThatWillBeCreatedSecond.HasBeenDisposed); + } + + private sealed class MyDisposable : IDisposable + { + public bool HasBeenDisposed { get; private set; } + + public void Dispose() + { + HasBeenDisposed = true; + } + } + } +} diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json new file mode 100644 index 0000000000..8f1a47255e --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -0,0 +1,13 @@ +{ + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.Testing": "1.0.0-*", + "xunit.runner.kre": "1.0.0-*" + }, + "frameworks": { + "aspnet50": { } + }, + "commands": { + "test": "xunit.runner.kre" + } +} From e2ca9fc6520d8189a398881e1b5bc394b2e76031 Mon Sep 17 00:00:00 2001 
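Review bot: The three tests in WeakReferenceHelpersTests cover a cleared weak reference, a null weak reference and the lost-race path, but none covers the common path where the weak reference still holds a live target. That path is the one that decides whether a shared handle is reused or silently replaced. A fourth test should assert that the existing instance is returned, that the factory is never invoked and that nothing is disposed. The sketch below assumes `GetSharedInstance` does not call the factory when the target is alive, which is not shown in this commit. The `WeakReference<MyDisposable>` type argument is inferred from the `TryGetTarget` calls.

```csharp
[Fact]
public void GetSharedInstance_ExistingWeakRefIsAlive_ReturnsExistingWithoutCallingFactory()
{
    // Arrange
    MyDisposable existingInstance = new MyDisposable();
    WeakReference<MyDisposable> wr = new WeakReference<MyDisposable>(existingInstance);
    bool factoryInvoked = false;

    // Act
    var retVal = WeakReferenceHelpers.GetSharedInstance(ref wr, () =>
    {
        factoryInvoked = true;
        return new MyDisposable();
    });

    // Assert
    Assert.Same(existingInstance, retVal);
    Assert.False(factoryInvoked);
    Assert.False(existingInstance.HasBeenDisposed);

    // keep the target rooted until the assertions have run
    GC.KeepAlive(existingInstance);
}

// … unchanged: the three existing tests and the MyDisposable helper …
```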
From: Levi B Date: Wed, 25 Feb 2015 16:41:17 -0800 Subject: [PATCH 094/493] Rename to Microsoft.AspNet.DataProtection from Microsoft.AspNet.Security.DataProtection --- DataProtection.sln | 8 ++++---- .../Properties/AssemblyInfo.cs | 4 ++-- .../BlobStorageXmlRepository.cs | 4 ++-- .../BlobStorageXmlRepositoryOptions.cs | 2 +- .../CryptoUtil.cs | 2 +- .../Microsoft.AspNet.DataProtection.Azure.kproj} | 0 .../NotNullAttribute.cs | 2 +- .../project.json | 2 +- .../DataProtectionProviderHelper.cs | 2 +- .../DataProtector.cs | 2 +- .../DataProtectorHelper.cs | 2 +- .../IDataProtectionProviderFactory.cs | 2 +- .../IFactorySupportFunctions.cs | 2 +- ...rosoft.AspNet.DataProtection.Compatibility.kproj} | 0 .../project.json | 2 +- .../ArraySegmentExtensions.cs | 2 +- .../AuthenticatedEncryptorExtensions.cs | 4 ++-- .../CngCbcAuthenticatedEncryptorConfiguration.cs | 4 ++-- ...gCbcAuthenticatedEncryptorConfigurationFactory.cs | 2 +- ...gCbcAuthenticatedEncryptorConfigurationOptions.cs | 4 ++-- ...bcAuthenticatedEncryptorConfigurationXmlReader.cs | 4 ++-- .../CngGcmAuthenticatedEncryptorConfiguration.cs | 4 ++-- ...gGcmAuthenticatedEncryptorConfigurationFactory.cs | 2 +- ...gGcmAuthenticatedEncryptorConfigurationOptions.cs | 4 ++-- ...cmAuthenticatedEncryptorConfigurationXmlReader.cs | 4 ++-- .../IAuthenticatedEncryptor.cs | 2 +- .../IAuthenticatedEncryptorConfiguration.cs | 4 ++-- .../IAuthenticatedEncryptorConfigurationFactory.cs | 2 +- .../IAuthenticatedEncryptorConfigurationXmlReader.cs | 2 +- .../IInternalConfigurationOptions.cs | 2 +- .../IOptimizedAuthenticatedEncryptor.cs | 2 +- .../ManagedAuthenticatedEncryptorConfiguration.cs | 4 ++-- ...agedAuthenticatedEncryptorConfigurationFactory.cs | 4 ++-- ...agedAuthenticatedEncryptorConfigurationOptions.cs | 4 ++-- ...edAuthenticatedEncryptorConfigurationXmlReader.cs | 4 ++-- .../BitHelpers.cs | 2 +- .../Cng/BCryptGenRandomImpl.cs | 2 +- .../Cng/CbcAuthenticatedEncryptor.cs | 4 ++-- .../Cng/CngAuthenticatedEncryptorBase.cs | 4 
++-- .../Cng/DpapiSecretSerializerHelper.cs | 2 +- .../Cng/GcmAuthenticatedEncryptor.cs | 4 ++-- .../Cng/IBCryptGenRandom.cs | 2 +- .../DataProtectionExtensions.cs | 2 +- .../DataProtectionOptions.cs | 2 +- .../DataProtectionServiceCollectionExtensions.cs | 12 ++++++------ .../DefaultDataProtectionProvider.cs | 4 ++-- .../Dpapi/DataProtectionScope.cs | 0 .../Dpapi/DpapiDataProtectionProvider.cs | 2 +- .../Dpapi/DpapiDataProtector.cs | 2 +- .../Dpapi/IProtectedData.cs | 2 +- .../Dpapi/ProtectedDataImpl.cs | 4 ++-- .../EncodingUtil.cs | 2 +- .../EphemeralDataProtectionProvider.cs | 8 ++++---- .../Error.cs | 2 +- .../ExceptionExtensions.cs | 2 +- .../IDataProtectionProvider.cs | 2 +- .../IDataProtector.cs | 2 +- .../ISecret.cs | 2 +- .../ITimeLimitedDataProtector.cs | 2 +- .../KeyManagement/IKey.cs | 4 ++-- .../KeyManagement/IKeyManager.cs | 2 +- .../KeyManagement/IKeyRing.cs | 4 ++-- .../KeyManagement/IKeyRingProvider.cs | 2 +- .../KeyManagement/Key.cs | 4 ++-- .../KeyManagement/KeyExtensions.cs | 2 +- .../KeyManagement/KeyRing.cs | 4 ++-- .../KeyRingBasedDataProtectionProvider.cs | 2 +- .../KeyManagement/KeyRingBasedDataProtector.cs | 12 +++++++----- .../KeyManagement/KeyRingProvider.cs | 2 +- .../KeyManagement/XmlKeyManager.cs | 8 ++++---- .../Managed/HashAlgorithmExtensions.cs | 2 +- .../Managed/IManagedGenRandom.cs | 2 +- .../Managed/ManagedAuthenticatedEncryptor.cs | 6 +++--- .../Managed/ManagedGenRandomImpl.cs | 2 +- .../Managed/SymmetricAlgorithmExtensions.cs | 2 +- .../MemoryProtection.cs | 2 +- .../Microsoft.AspNet.DataProtection.kproj} | 0 .../NotNullAttribute.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../Properties/Resources.Designer.cs | 4 ++-- .../Repositories/FileSystemXmlRepository.cs | 2 +- .../Repositories/IXmlRepository.cs | 2 +- .../Repositories/RegistryXmlRepository.cs | 2 +- .../Resources.resx | 0 .../SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs | 4 ++-- 
.../SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs | 2 +- .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 2 +- .../Win7SP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../Secret.cs | 4 ++-- .../TimeLimitedDataProtector.cs | 4 ++-- .../WebEncoders.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 2 +- .../DpapiNGProtectionDescriptorFlags.cs | 2 +- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 4 ++-- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 6 +++--- .../XmlEncryption/DpapiXmlDecryptor.cs | 4 ++-- .../XmlEncryption/DpapiXmlEncryptor.cs | 6 +++--- .../XmlEncryption/IXmlDecryptor.cs | 2 +- .../XmlEncryption/IXmlEncryptor.cs | 2 +- .../XmlEncryption/NullXmlDecryptor.cs | 2 +- .../XmlEncryption/NullXmlEncryptor.cs | 4 ++-- .../project.json | 0 .../Cng/CbcAuthenticatedEncryptorTests.cs | 4 ++-- .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 4 ++-- .../Cng/GcmAuthenticatedEncryptorTests.cs | 4 ++-- ...nditionalRunTestOnlyIfBcryptAvailableAttribute.cs | 2 +- .../DataProtectionExtensionsTests.cs | 4 ++-- .../EphemeralDataProtectionProviderTests.cs | 2 +- .../ExceptionHelpers.cs | 2 +- .../Managed/ManagedAuthenticatedEncryptorTests.cs | 4 ++-- .../Microsoft.AspNet.DataProtection.Test.kproj} | 0 .../Properties/AssemblyInfo.cs | 0 .../SP800_108/SP800_108Tests.cs | 4 ++-- .../SequentialGenRandom.cs | 6 +++--- .../TimeLimitedDataProtectorTests.cs | 2 +- .../project.json | 2 +- 118 files changed, 174 insertions(+), 172 deletions(-) rename src/{Microsoft.AspNet.Security.DataProtection.Azure => Microsoft.AspNet.DataProtection.Azure}/BlobStorageXmlRepository.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection.Azure => Microsoft.AspNet.DataProtection.Azure}/BlobStorageXmlRepositoryOptions.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection.Azure => Microsoft.AspNet.DataProtection.Azure}/CryptoUtil.cs (96%) rename 
src/{Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj => Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.kproj} (100%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection.Azure}/NotNullAttribute.cs (87%) rename src/{Microsoft.AspNet.Security.DataProtection.Azure => Microsoft.AspNet.DataProtection.Azure}/project.json (83%) rename src/{Microsoft.AspNet.Security.DataProtection.Compatibility => Microsoft.AspNet.DataProtection.Compatibility}/DataProtectionProviderHelper.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection.Compatibility => Microsoft.AspNet.DataProtection.Compatibility}/DataProtector.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection.Compatibility => Microsoft.AspNet.DataProtection.Compatibility}/DataProtectorHelper.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection.Compatibility => Microsoft.AspNet.DataProtection.Compatibility}/IDataProtectionProviderFactory.cs (83%) rename src/{Microsoft.AspNet.Security.DataProtection.Compatibility => Microsoft.AspNet.DataProtection.Compatibility}/IFactorySupportFunctions.cs (86%) rename src/{Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj => Microsoft.AspNet.DataProtection.Compatibility/Microsoft.AspNet.DataProtection.Compatibility.kproj} (100%) rename src/{Microsoft.AspNet.Security.DataProtection.Compatibility => Microsoft.AspNet.DataProtection.Compatibility}/project.json (85%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/ArraySegmentExtensions.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs (92%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs 
(96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/IAuthenticatedEncryptor.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs (89%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs (90%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/IInternalConfigurationOptions.cs (82%) rename 
src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs (90%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/BitHelpers.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Cng/BCryptGenRandomImpl.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Cng/CbcAuthenticatedEncryptor.cs (99%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Cng/CngAuthenticatedEncryptorBase.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Cng/DpapiSecretSerializerHelper.cs (99%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Cng/GcmAuthenticatedEncryptor.cs (99%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Cng/IBCryptGenRandom.cs (85%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/DataProtectionExtensions.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/DataProtectionOptions.cs (86%) rename src/{Microsoft.AspNet.Security.DataProtection => 
Microsoft.AspNet.DataProtection}/DataProtectionServiceCollectionExtensions.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/DefaultDataProtectionProvider.cs (93%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Dpapi/DataProtectionScope.cs (100%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Dpapi/DpapiDataProtectionProvider.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Dpapi/DpapiDataProtector.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Dpapi/IProtectedData.cs (89%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Dpapi/ProtectedDataImpl.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/EncodingUtil.cs (90%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/EphemeralDataProtectionProvider.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Error.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/ExceptionExtensions.cs (92%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/IDataProtectionProvider.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/IDataProtector.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/ISecret.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/ITimeLimitedDataProtector.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/IKey.cs (92%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/IKeyManager.cs 
(97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/IKeyRing.cs (76%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/IKeyRingProvider.cs (82%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/Key.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/KeyExtensions.cs (86%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/KeyRing.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/KeyRingBasedDataProtectionProvider.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/KeyRingBasedDataProtector.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/KeyRingProvider.cs (99%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/KeyManagement/XmlKeyManager.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Managed/HashAlgorithmExtensions.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Managed/IManagedGenRandom.cs (83%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Managed/ManagedAuthenticatedEncryptor.cs (99%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Managed/ManagedGenRandomImpl.cs (92%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Managed/SymmetricAlgorithmExtensions.cs (92%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/MemoryProtection.cs (96%) rename 
src/{Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj => Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.kproj} (100%) rename src/{Microsoft.AspNet.Security.DataProtection.Azure => Microsoft.AspNet.DataProtection}/NotNullAttribute.cs (85%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Properties/AssemblyInfo.cs (76%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Properties/Resources.Designer.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Repositories/FileSystemXmlRepository.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Repositories/IXmlRepository.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Repositories/RegistryXmlRepository.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/Resources.resx (100%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs (87%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs (96%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/SP800_108/SP800_108_CTR_HMACSHA512Util.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => 
Microsoft.AspNet.DataProtection}/Secret.cs (99%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/TimeLimitedDataProtector.cs (97%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/WebEncoders.cs (98%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/CertificateXmlEncryptor.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs (86%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/DpapiNGXmlDecryptor.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/DpapiNGXmlEncryptor.cs (95%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/DpapiXmlDecryptor.cs (94%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/DpapiXmlEncryptor.cs (93%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/IXmlDecryptor.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/IXmlEncryptor.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/NullXmlDecryptor.cs (92%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/XmlEncryption/NullXmlEncryptor.cs (91%) rename src/{Microsoft.AspNet.Security.DataProtection => Microsoft.AspNet.DataProtection}/project.json (100%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/Cng/CbcAuthenticatedEncryptorTests.cs (97%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/Cng/CngAuthenticatedEncryptorBaseTests.cs (97%) 
rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/Cng/GcmAuthenticatedEncryptorTests.cs (97%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs (96%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/DataProtectionExtensionsTests.cs (97%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/EphemeralDataProtectionProviderTests.cs (97%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/ExceptionHelpers.cs (92%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/Managed/ManagedAuthenticatedEncryptorTests.cs (97%) rename test/{Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj => Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.kproj} (100%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/Properties/AssemblyInfo.cs (100%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/SP800_108/SP800_108Tests.cs (98%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/SequentialGenRandom.cs (82%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/TimeLimitedDataProtectorTests.cs (98%) rename test/{Microsoft.AspNet.Security.DataProtection.Test => Microsoft.AspNet.DataProtection.Test}/project.json (83%) diff --git a/DataProtection.sln b/DataProtection.sln index 5d906c25f6..f632e6dc89 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -5,15 +5,15 @@ VisualStudioVersion = 14.0.22609.0
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}"
 EndProject
-Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection", "src\Microsoft.AspNet.Security.DataProtection\Microsoft.AspNet.Security.DataProtection.kproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}"
+Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection", "src\Microsoft.AspNet.DataProtection\Microsoft.AspNet.DataProtection.kproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}"
 EndProject
-Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Azure", "src\Microsoft.AspNet.Security.DataProtection.Azure\Microsoft.AspNet.Security.DataProtection.Azure.kproj", "{DF3671D7-A9B1-45F1-A195-0AD596001735}"
+Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Azure", "src\Microsoft.AspNet.DataProtection.Azure\Microsoft.AspNet.DataProtection.Azure.kproj", "{DF3671D7-A9B1-45F1-A195-0AD596001735}"
 EndProject
-Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Compatibility", "src\Microsoft.AspNet.Security.DataProtection.Compatibility\Microsoft.AspNet.Security.DataProtection.Compatibility.kproj", "{C2FD9D02-AA0E-45FA-8561-EE357A94B73D}"
+Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Compatibility", "src\Microsoft.AspNet.DataProtection.Compatibility\Microsoft.AspNet.DataProtection.Compatibility.kproj", "{C2FD9D02-AA0E-45FA-8561-EE357A94B73D}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}"
 EndProject
-Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Security.DataProtection.Test", "test\Microsoft.AspNet.Security.DataProtection.Test\Microsoft.AspNet.Security.DataProtection.Test.kproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}"
+Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test", "test\Microsoft.AspNet.DataProtection.Test\Microsoft.AspNet.DataProtection.Test.kproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}"
 EndProject
 Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal", "src\Microsoft.AspNet.Cryptography.Internal\Microsoft.AspNet.Cryptography.Internal.kproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}"
 EndProject
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs
index 65c143563c..b903a20b6f 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs
@@ -11,5 +11,5 @@ using System.Runtime.InteropServices;
 [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.Internal.Test")]
 [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation")]
 [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")]
-[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection")]
-[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection.Test")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection")]
+[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")]
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs
similarity index 97%
rename from src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs
rename to src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs
index 8e728836da..df31596d09 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepository.cs
+++ b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs
@@ -8,12 +8,12 @@ using System.Linq;
 using System.Net;
 using System.Runtime.ExceptionServices;
 using System.Xml.Linq;
-using Microsoft.AspNet.Security.DataProtection.Repositories;
+using Microsoft.AspNet.DataProtection.Repositories;
 using Microsoft.Framework.OptionsModel;
 using Microsoft.WindowsAzure.Storage;
 using Microsoft.WindowsAzure.Storage.Blob;
-namespace Microsoft.AspNet.Security.DataProtection.Azure
+namespace Microsoft.AspNet.DataProtection.Azure
 {
 ///
 /// An XML repository backed by Azure blob storage.
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs
similarity index 91%
rename from src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs
rename to src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs
index b694ea5dd8..cd3d44a57e 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs
@@ -4,7 +4,7 @@
 using System;
 using Microsoft.WindowsAzure.Storage.Blob;
-namespace Microsoft.AspNet.Security.DataProtection.Azure
+namespace Microsoft.AspNet.DataProtection.Azure
 {
 ///
 /// Specifies options for configuring an Azure blob storage-based repository.
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/CryptoUtil.cs b/src/Microsoft.AspNet.DataProtection.Azure/CryptoUtil.cs
similarity index 96%
rename from src/Microsoft.AspNet.Security.DataProtection.Azure/CryptoUtil.cs
rename to src/Microsoft.AspNet.DataProtection.Azure/CryptoUtil.cs
index b9fb8859f7..b666b6f5cd 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Azure/CryptoUtil.cs
+++ b/src/Microsoft.AspNet.DataProtection.Azure/CryptoUtil.cs
@@ -6,7 +6,7 @@ using System.Diagnostics;
 using System.Runtime.CompilerServices;
 using System.Security.Cryptography;
-namespace Microsoft.AspNet.Security.DataProtection
+namespace Microsoft.AspNet.DataProtection
 {
 internal static class CryptoUtil
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj b/src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.kproj
similarity index 100%
rename from src/Microsoft.AspNet.Security.DataProtection.Azure/Microsoft.AspNet.Security.DataProtection.Azure.kproj
rename to src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.kproj
diff --git a/src/Microsoft.AspNet.Security.DataProtection/NotNullAttribute.cs b/src/Microsoft.AspNet.DataProtection.Azure/NotNullAttribute.cs
similarity index 87%
rename from src/Microsoft.AspNet.Security.DataProtection/NotNullAttribute.cs
rename to src/Microsoft.AspNet.DataProtection.Azure/NotNullAttribute.cs
index f65a70a85d..05b991841e 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/NotNullAttribute.cs
+++ b/src/Microsoft.AspNet.DataProtection.Azure/NotNullAttribute.cs
@@ -3,7 +3,7 @@
 using System;
-namespace Microsoft.AspNet.Security.DataProtection
+namespace Microsoft.AspNet.DataProtection.Azure
 {
 [AttributeUsage(AttributeTargets.Parameter, AllowMultiple = false)]
 internal sealed class NotNullAttribute : Attribute
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json b/src/Microsoft.AspNet.DataProtection.Azure/project.json
similarity index 83%
rename from src/Microsoft.AspNet.Security.DataProtection.Azure/project.json
rename to src/Microsoft.AspNet.DataProtection.Azure/project.json
index 63a8283b23..79272abe27 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Azure/project.json
+++ b/src/Microsoft.AspNet.DataProtection.Azure/project.json
@@ -2,7 +2,7 @@
 "version": "1.0.0-*",
 "description": "ASP.NET 5 blob storage repository for DataProtection.",
 "dependencies": {
- "Microsoft.AspNet.Security.DataProtection": "1.0.0-*",
+ "Microsoft.AspNet.DataProtection": "1.0.0-*",
 "WindowsAzure.Storage": "4.3.0"
 },
 "frameworks": {
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectionProviderHelper.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectionProviderHelper.cs
similarity index 96%
rename from src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectionProviderHelper.cs
rename to src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectionProviderHelper.cs
index f05a11cf8e..0237a782a0 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectionProviderHelper.cs
+++ b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectionProviderHelper.cs
@@ -5,7 +5,7 @@ using System;
 using System.Diagnostics;
 using System.Threading;
-namespace Microsoft.AspNet.Security.DataProtection.Compatibility
+namespace Microsoft.AspNet.DataProtection.Compatibility
 {
 internal sealed class DataProtectionProviderHelper
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtector.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtector.cs
similarity index 97%
rename from src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtector.cs
rename to src/Microsoft.AspNet.DataProtection.Compatibility/DataProtector.cs
index af6c6872fa..b05407d92f 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtector.cs
@@ -5,7 +5,7 @@ using System;
 using System.Diagnostics;
 using System.Security.Cryptography;
-namespace Microsoft.AspNet.Security.DataProtection.Compatibility
+namespace Microsoft.AspNet.DataProtection.Compatibility
 {
 public sealed class DataProtector : DataProtector, IFactorySupportFunctions
 where T : class, IDataProtectionProviderFactory, new()
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectorHelper.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectorHelper.cs
similarity index 96%
rename from src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectorHelper.cs
rename to src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectorHelper.cs
index 03d3af7d41..62e756a442 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/DataProtectorHelper.cs
+++ b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectorHelper.cs
@@ -5,7 +5,7 @@ using System;
 using System.Diagnostics;
 using System.Threading;
-namespace Microsoft.AspNet.Security.DataProtection.Compatibility
+namespace Microsoft.AspNet.DataProtection.Compatibility
 {
 internal sealed class DataProtectorHelper
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IDataProtectionProviderFactory.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/IDataProtectionProviderFactory.cs
similarity index 83%
rename from src/Microsoft.AspNet.Security.DataProtection.Compatibility/IDataProtectionProviderFactory.cs
rename to src/Microsoft.AspNet.DataProtection.Compatibility/IDataProtectionProviderFactory.cs
index ddf3dbe191..f470d7827a 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IDataProtectionProviderFactory.cs
+++ b/src/Microsoft.AspNet.DataProtection.Compatibility/IDataProtectionProviderFactory.cs
@@ -3,7 +3,7 @@
 using System;
-namespace Microsoft.AspNet.Security.DataProtection.Compatibility
+namespace Microsoft.AspNet.DataProtection.Compatibility
 {
 public interface IDataProtectionProviderFactory
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IFactorySupportFunctions.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/IFactorySupportFunctions.cs
similarity index 86%
rename from src/Microsoft.AspNet.Security.DataProtection.Compatibility/IFactorySupportFunctions.cs
rename to src/Microsoft.AspNet.DataProtection.Compatibility/IFactorySupportFunctions.cs
index a318be7460..1adc41e58f 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/IFactorySupportFunctions.cs
+++ b/src/Microsoft.AspNet.DataProtection.Compatibility/IFactorySupportFunctions.cs
@@ -3,7 +3,7 @@
 using System;
-namespace Microsoft.AspNet.Security.DataProtection.Compatibility
+namespace Microsoft.AspNet.DataProtection.Compatibility
 {
 internal interface IFactorySupportFunctions
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj b/src/Microsoft.AspNet.DataProtection.Compatibility/Microsoft.AspNet.DataProtection.Compatibility.kproj
similarity index 100%
rename from src/Microsoft.AspNet.Security.DataProtection.Compatibility/Microsoft.AspNet.Security.DataProtection.Compatibility.kproj
rename to src/Microsoft.AspNet.DataProtection.Compatibility/Microsoft.AspNet.DataProtection.Compatibility.kproj
diff --git a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json b/src/Microsoft.AspNet.DataProtection.Compatibility/project.json
similarity index 85%
rename from src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json
rename to src/Microsoft.AspNet.DataProtection.Compatibility/project.json
index ba4ec8e396..519529f83f 100644
--- a/src/Microsoft.AspNet.Security.DataProtection.Compatibility/project.json
+++ b/src/Microsoft.AspNet.DataProtection.Compatibility/project.json
@@ -4,7 +4,7 @@
 "frameworks": {
 "net451": {
 "dependencies": {
- "Microsoft.AspNet.Security.DataProtection": "1.0.0-*"
+ "Microsoft.AspNet.DataProtection": "1.0.0-*"
 },
 "frameworkAssemblies": {
 "System.Security": "4.0.0.0"
diff --git a/src/Microsoft.AspNet.Security.DataProtection/ArraySegmentExtensions.cs b/src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs
similarity index 95%
rename from src/Microsoft.AspNet.Security.DataProtection/ArraySegmentExtensions.cs
rename to src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs
index cadff82795..e5a2a13946 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/ArraySegmentExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs
@@ -3,7 +3,7 @@
 using System;
-namespace Microsoft.AspNet.Security.DataProtection
+namespace Microsoft.AspNet.DataProtection
 {
 internal static class ArraySegmentExtensions
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
similarity index 92%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
index 6c61f43316..3941cb2e5f 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
@@ -2,9 +2,9 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
-using Microsoft.AspNet.Security.DataProtection.Cng;
+using Microsoft.AspNet.DataProtection.Cng;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 internal static class AuthenticatedEncryptorExtensions
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs
similarity index 96%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs
index a8767fdc0f..dc4b3b7a89 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs
@@ -4,9 +4,9 @@
 using System;
 using System.Xml.Linq;
 using Microsoft.AspNet.Cryptography;
-using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.AspNet.DataProtection.XmlEncryption;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 internal sealed class CngCbcAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs
similarity index 94%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs
index 711330a151..a82760350f 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs
@@ -4,7 +4,7 @@
 using System;
 using Microsoft.Framework.OptionsModel;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// A factory that is able to create a CNG-based IAuthenticatedEncryptor
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs
similarity index 98%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs
index 171d0ce3cd..b403c37203 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs
@@ -5,9 +5,9 @@ using System;
 using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.Cryptography.Cng;
 using Microsoft.AspNet.Cryptography.SafeHandles;
-using Microsoft.AspNet.Security.DataProtection.Cng;
+using Microsoft.AspNet.DataProtection.Cng;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// Options for configuring an authenticated encryption mechanism which uses
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs
similarity index 96%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs
index f673cd2ff9..575f9da317 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs
@@ -5,10 +5,10 @@ using System;
 using System.Linq;
 using System.Xml.Linq;
 using Microsoft.AspNet.Cryptography;
-using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.AspNet.DataProtection.XmlEncryption;
 using Microsoft.Framework.DependencyInjection;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 internal sealed class CngCbcAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs
similarity index 95%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs
index 5070ad7728..2224bfa71d 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs
@@ -4,9 +4,9 @@
 using System;
 using System.Xml.Linq;
 using Microsoft.AspNet.Cryptography;
-using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.AspNet.DataProtection.XmlEncryption;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 internal sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs
similarity index 94%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs
index 996da69abc..6c87153d04 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs
@@ -4,7 +4,7 @@
 using System;
 using Microsoft.Framework.OptionsModel;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// A factory that is able to create a CNG-based IAuthenticatedEncryptor
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs
similarity index 97%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs
index 2b3cca4ae8..bd455d36c9 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs
@@ -5,9 +5,9 @@ using System;
 using Microsoft.AspNet.Cryptography;
 using Microsoft.AspNet.Cryptography.Cng;
 using Microsoft.AspNet.Cryptography.SafeHandles;
-using Microsoft.AspNet.Security.DataProtection.Cng;
+using Microsoft.AspNet.DataProtection.Cng;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// Options for configuring an authenticated encryption mechanism which uses
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs
similarity index 95%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs
index 64d9ca4280..a8abe60a34 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs
@@ -5,10 +5,10 @@ using System;
 using System.Linq;
 using System.Xml.Linq;
 using Microsoft.AspNet.Cryptography;
-using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.AspNet.DataProtection.XmlEncryption;
 using Microsoft.Framework.DependencyInjection;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 internal sealed class CngGcmAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
similarity index 96%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
index b897d668a0..7d49777013 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
@@ -3,7 +3,7 @@
 using System;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// The basic interface for providing an authenticated encryption and decryption routine.
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs
similarity index 89%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs
index 0da7da4b5e..6d4b3f518a 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs
@@ -3,9 +3,9 @@
 using System;
 using System.Xml.Linq;
-using Microsoft.AspNet.Security.DataProtection.XmlEncryption;
+using Microsoft.AspNet.DataProtection.XmlEncryption;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// Represents a type that contains configuration information about an IAuthenticatedEncryptor
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs
similarity index 90%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs
index 843de1540c..e25bacbcc8 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs
@@ -3,7 +3,7 @@
 using System;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// Represents a type that can create new authenticated encryption configuration objects.
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
similarity index 91%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
index 0d1fcc38fc..7a211fc8cd 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
@@ -4,7 +4,7 @@
 using System;
 using System.Xml.Linq;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 ///
 /// Represents a type that can deserialize an XML-serialized IAuthenticatedEncryptorConfiguration.
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs
similarity index 82%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs
index 7b26d09838..6ae9384f03 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs
@@ -3,7 +3,7 @@
 using System;
-namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
 {
 internal interface IInternalConfigurationOptions
 {
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
similarity index 97%
rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
index 6535cb146b..368b570596 100644
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { /// /// An optimized encryptor that can avoid buffer allocations in common code paths. diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs index ac7a984083..8e0295711b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs @@ -4,9 +4,9 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.XmlEncryption; +using Microsoft.AspNet.DataProtection.XmlEncryption; -namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { internal sealed class ManagedAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs similarity index 90% rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs index e64ddf6c07..e977694d1d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs @@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Managed; +using Microsoft.AspNet.DataProtection.Managed; using Microsoft.Framework.OptionsModel; -namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { public sealed class ManagedAuthenticatedEncryptorConfigurationFactory : IAuthenticatedEncryptorConfigurationFactory { diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs index 0d58cfbfc9..4495f0ec94 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs @@ -5,9 +5,9 @@ using System; using System.Reflection; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Managed; +using Microsoft.AspNet.DataProtection.Managed; -namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { /// /// Options for configuring an authenticated encryption mechanism which uses diff --git a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs index 15410c8f42..d199a7e621 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs 
@@ -5,10 +5,10 @@ using System; using System.Linq; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.XmlEncryption; +using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; -namespace Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { internal sealed class ManagedAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader { diff --git a/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs b/src/Microsoft.AspNet.DataProtection/BitHelpers.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs rename to src/Microsoft.AspNet.DataProtection/BitHelpers.cs index 3e60ca7ca1..b9f1e3dc27 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/BitHelpers.cs +++ b/src/Microsoft.AspNet.DataProtection/BitHelpers.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.CompilerServices; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { internal unsafe static class BitHelpers { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs rename to src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs index 9919cc2644..24ebf57106 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/BCryptGenRandomImpl.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs @@ -4,7 +4,7 @@ using System; using Microsoft.AspNet.Cryptography.Cng; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng { internal unsafe sealed class BCryptGenRandomImpl : IBCryptGenRandom { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index f44143cdfa..2a27d5633b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -5,9 +5,9 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.Security.DataProtection.SP800_108; +using Microsoft.AspNet.DataProtection.SP800_108; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng { // An encryptor which does Encrypt(CBC) + HMAC using the Windows CNG (BCrypt*) APIs. // The payloads produced by this encryptor should be compatible with the payloads diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs rename to src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs index 48f76f0937..592c5dbf2d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng { /// /// Base class used for all CNG-related authentication encryption operations. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs rename to src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs index ee641fccab..44c0a8b692 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -10,7 +10,7 @@ using System.Text; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng { internal unsafe static class DpapiSecretSerializerHelper { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index 802f8feab9..a7998c0885 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs 
@@ -5,9 +5,9 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.Security.DataProtection.SP800_108; +using Microsoft.AspNet.DataProtection.SP800_108; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng { // GCM is defined in NIST SP 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). // Heed closely the uniqueness requirements called out in Sec. 8: the probability that the GCM encryption diff --git a/src/Microsoft.AspNet.Security.DataProtection/Cng/IBCryptGenRandom.cs b/src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs similarity index 85% rename from src/Microsoft.AspNet.Security.DataProtection/Cng/IBCryptGenRandom.cs rename to src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs index 72497de9cd..735d92fdb3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Cng/IBCryptGenRandom.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng { internal unsafe interface IBCryptGenRandom { diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs rename to src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs index 5178eb7bc1..38397f0c68 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs 
@@ -5,7 +5,7 @@ using System; using System.Diagnostics; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// Helpful extension methods for data protection APIs. diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionOptions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs similarity index 86% rename from src/Microsoft.AspNet.Security.DataProtection/DataProtectionOptions.cs rename to src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs index 9f2eefda56..ccd32586f8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { public class DataProtectionOptions { diff --git a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs rename to src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index 71d14b4a64..8010230161 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs 
@@ -6,12 +6,12 @@ using System.Collections.Generic; using System.IO; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Security.DataProtection; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.Security.DataProtection.Dpapi; -using Microsoft.AspNet.Security.DataProtection.KeyManagement; -using Microsoft.AspNet.Security.DataProtection.Repositories; -using Microsoft.AspNet.Security.DataProtection.XmlEncryption; +using Microsoft.AspNet.DataProtection; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.Dpapi; +using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Framework.ConfigurationModel; namespace Microsoft.Framework.DependencyInjection diff --git a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs rename to src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs index 9f5ed3e54d..75925fe216 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/DefaultDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs 
@@ -2,12 +2,12 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.Framework.DependencyInjection; using Microsoft.Framework.DependencyInjection.Fallback; using Microsoft.Framework.OptionsModel; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { public class DefaultDataProtectionProvider : IDataProtectionProvider { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DataProtectionScope.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs similarity index 100% rename from src/Microsoft.AspNet.Security.DataProtection/Dpapi/DataProtectionScope.cs rename to src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtectionProvider.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtectionProvider.cs rename to src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtectionProvider.cs index 5082e385b3..e3c3dad792 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtectionProvider.cs @@ -4,7 +4,7 @@ using System; using System.Security.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.Dpapi +namespace Microsoft.AspNet.DataProtection.Dpapi { // Provides a temporary implementation of IDataProtectionProvider for non-Windows machines // or for Windows machines where we can't depend on the user profile. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtector.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs rename to src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtector.cs index 9689d11c45..df1c6d54a7 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/DpapiDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtector.cs @@ -6,7 +6,7 @@ using System.IO; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.Dpapi +namespace Microsoft.AspNet.DataProtection.Dpapi { // Provides a temporary implementation of IDataProtector for non-Windows machines // or for Windows machines where we can't depend on the user profile. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/IProtectedData.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/IProtectedData.cs similarity index 89% rename from src/Microsoft.AspNet.Security.DataProtection/Dpapi/IProtectedData.cs rename to src/Microsoft.AspNet.DataProtection/Dpapi/IProtectedData.cs index 3cba943f3d..a12de6c77a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/IProtectedData.cs +++ b/src/Microsoft.AspNet.DataProtection/Dpapi/IProtectedData.cs @@ -4,7 +4,7 @@ using System; using System.Security.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.Dpapi +namespace Microsoft.AspNet.DataProtection.Dpapi { internal interface IProtectedData { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs rename to src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs index cd5e579f66..709cda218a 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Dpapi/ProtectedDataImpl.cs +++ b/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs @@ -3,9 +3,9 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Cng; -namespace Microsoft.AspNet.Security.DataProtection.Dpapi +namespace Microsoft.AspNet.DataProtection.Dpapi { internal unsafe sealed class ProtectedDataImpl : IProtectedData { diff --git a/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs b/src/Microsoft.AspNet.DataProtection/EncodingUtil.cs similarity index 90% rename from src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs rename to src/Microsoft.AspNet.DataProtection/EncodingUtil.cs index 84a8822900..0966289874 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EncodingUtil.cs +++ b/src/Microsoft.AspNet.DataProtection/EncodingUtil.cs @@ -4,7 +4,7 @@ using System; using System.Text; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { internal unsafe static class EncodingUtil { diff --git a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs rename to src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs index 179d3f15a2..d5c323bcd5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs 
@@ -3,11 +3,11 @@ using System; using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.KeyManagement; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// An IDataProtectionProvider that is transient. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Error.cs b/src/Microsoft.AspNet.DataProtection/Error.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/Error.cs rename to src/Microsoft.AspNet.DataProtection/Error.cs index 74fa5221d2..309625bbb7 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Error.cs +++ b/src/Microsoft.AspNet.DataProtection/Error.cs @@ -5,7 +5,7 @@ using System; using System.Globalization; using System.Security.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { internal static class Error { diff --git a/src/Microsoft.AspNet.Security.DataProtection/ExceptionExtensions.cs b/src/Microsoft.AspNet.DataProtection/ExceptionExtensions.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/ExceptionExtensions.cs rename to src/Microsoft.AspNet.DataProtection/ExceptionExtensions.cs index 9335f3fc01..126a7bda3f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ExceptionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/ExceptionExtensions.cs @@ -4,7 +4,7 @@ using System; using System.Security.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { internal static class ExceptionExtensions { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/IDataProtectionProvider.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs rename to src/Microsoft.AspNet.DataProtection/IDataProtectionProvider.cs index 3403240824..7c44fea90a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/IDataProtectionProvider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// An interface that can be used to create IDataProtector instances. diff --git a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.DataProtection/IDataProtector.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs rename to src/Microsoft.AspNet.DataProtection/IDataProtector.cs index 353a941710..28a0d571b3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/IDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/IDataProtector.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// An interface that can provide data protection services. diff --git a/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs b/src/Microsoft.AspNet.DataProtection/ISecret.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/ISecret.cs rename to src/Microsoft.AspNet.DataProtection/ISecret.cs index 0d787f9381..d1e67cfa51 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ISecret.cs +++ b/src/Microsoft.AspNet.DataProtection/ISecret.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// Represents a secret value. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/ITimeLimitedDataProtector.cs rename to src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs index f4770e410d..acada25c6e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/ITimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// An interface that can provide data protection services. diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKey.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs index 088ae89e09..5356351d7b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKey.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { /// /// The basic interface for representing an authenticated encryption key. 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyManager.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs index bbf9056e40..9f64f7f9d2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs @@ -4,7 +4,7 @@ using System; using System.Collections.Generic; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { /// /// The basic interface for performing key management operations. diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs similarity index 76% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRing.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs index bae55be34e..b71aaedd1e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal interface IKeyRing { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs similarity index 82% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRingProvider.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs index da8115033d..fd3836c58a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/IKeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal interface IKeyRingProvider { diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/Key.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs index a5ee6796a8..5366536ced 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/Key.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal sealed class Key : IKey { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyExtensions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs similarity index 86% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyExtensions.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs index f1e9740c76..bed820e872 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal static class KeyExtensions { diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRing.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs index 5bd8773811..6a15e227ac 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs @@ -4,9 +4,9 @@ using System; using System.Collections.Generic; using System.Threading; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal sealed class KeyRing : IKeyRing { 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs index daf0873218..0837c0dc2d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal unsafe sealed class KeyRingBasedDataProtectionProvider : IDataProtectionProvider { diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 97841ca503..e7bac85c14 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -6,16 +6,18 @@ using System.Diagnostics; using System.IO; using System.Threading; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal unsafe sealed class KeyRingBasedDataProtector : IDataProtector { // This magic header identifies a v0 protected data blob. - // It's the high 28 bits of the SHA1 hash of "Microsoft.AspNet.Security.DataProtection.MultiplexingDataProtector" [US-ASCII]. - // The last 4 bits are reserved for version information. - private const uint MAGIC_HEADER_V0 = 0xE123CF30; + // It's the high 28 bits of the SHA1 hash of "Microsoft.AspNet.DataProtection.MultiplexingDataProtector" [US-ASCII]. + // The last nibble reserved for version information. + // There's also the nice property that "F0 C9" can never appear in a well-formed UTF8 sequence, so attempts to + // treat a protected payload as a UTF8-encoded string will fail, and devs can catch the mistake early. + private const uint MAGIC_HEADER_V0 = 0x09F0C9F0; private byte[] _additionalAuthenticatedDataTemplate; private readonly IKeyRingProvider _keyringProvider; diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index a4efcce090..ce37200737 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs 
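Review bot: The comment on `MAGIC_HEADER_V0` in KeyRingBasedDataProtector.cs names "...MultiplexingDataProtector" as the hashed string while the enclosing class is `KeyRingBasedDataProtector`, and nothing in the hunk shows how 0x09F0C9F0 was derived, so the constant cannot be re-checked against its own description. The "F0 C9" property holds for only one byte order of the uint, so the comment should state the serialization order, e.g. `// Written big-endian, so a protected payload begins 09 F0 C9 F0.` (if that is how the header is emitted; the write path is outside the hunk). The sentence "The last nibble reserved for version information." is missing its verb: `// The last nibble is reserved for version information.` Because the comment says this value identifies a v0 protected blob, payloads carrying the old header 0xE123CF30 will presumably stop being recognised, which is worth stating in the commit message. The class body continues outside the hunk.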
@@ -7,7 +7,7 @@ using System.Linq; using System.Threading; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { internal sealed class KeyRingProvider : IKeyRingProvider { diff --git a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index ef8a95a5db..2eebe38f43 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs @@ -9,12 +9,12 @@ using System.Linq; using System.Reflection; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.Security.DataProtection.Repositories; -using Microsoft.AspNet.Security.DataProtection.XmlEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; -namespace Microsoft.AspNet.Security.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement { public sealed class XmlKeyManager : IKeyManager { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs rename to src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs index e88b3cdffb..c1717e659f 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/Managed/HashAlgorithmExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs @@ -5,7 +5,7 @@ using System; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.Managed +namespace Microsoft.AspNet.DataProtection.Managed { internal static class HashAlgorithmExtensions { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/IManagedGenRandom.cs b/src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs similarity index 83% rename from src/Microsoft.AspNet.Security.DataProtection/Managed/IManagedGenRandom.cs rename to src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs index 3028068dc7..d707876d10 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/IManagedGenRandom.cs +++ b/src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Managed +namespace Microsoft.AspNet.DataProtection.Managed { internal interface IManagedGenRandom { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index ba53330486..c39738341f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs 
@@ -5,10 +5,10 @@ using System; using System.IO; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.Security.DataProtection.SP800_108; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.SP800_108; -namespace Microsoft.AspNet.Security.DataProtection.Managed +namespace Microsoft.AspNet.DataProtection.Managed { // An encryptor which does Encrypt(CBC) + HMAC using SymmetricAlgorithm and HashAlgorithm. // The payloads produced by this encryptor should be compatible with the payloads diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedGenRandomImpl.cs rename to src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs index b89cc8e077..f3de3db91e 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/ManagedGenRandomImpl.cs +++ b/src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs @@ -4,7 +4,7 @@ using System; using System.Security.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.Managed +namespace Microsoft.AspNet.DataProtection.Managed { internal unsafe sealed class ManagedGenRandomImpl : IManagedGenRandom { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs rename to src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs index 197f9fe3ac..9542d06ce0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Managed/SymmetricAlgorithmExtensions.cs 
+++ b/src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs @@ -5,7 +5,7 @@ using System; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.Managed +namespace Microsoft.AspNet.DataProtection.Managed { internal static class SymmetricAlgorithmExtensions { diff --git a/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs rename to src/Microsoft.AspNet.DataProtection/MemoryProtection.cs index b6aa7680ed..2be0be5db0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/MemoryProtection.cs +++ b/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.InteropServices; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// Support for generating random data. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj b/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.kproj similarity index 100% rename from src/Microsoft.AspNet.Security.DataProtection/Microsoft.AspNet.Security.DataProtection.kproj rename to src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.kproj diff --git a/src/Microsoft.AspNet.Security.DataProtection.Azure/NotNullAttribute.cs b/src/Microsoft.AspNet.DataProtection/NotNullAttribute.cs similarity index 85% rename from src/Microsoft.AspNet.Security.DataProtection.Azure/NotNullAttribute.cs rename to src/Microsoft.AspNet.DataProtection/NotNullAttribute.cs index 00985c02f5..5896ea15d8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection.Azure/NotNullAttribute.cs +++ b/src/Microsoft.AspNet.DataProtection/NotNullAttribute.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.Azure +namespace Microsoft.AspNet.DataProtection { [AttributeUsage(AttributeTargets.Parameter, AllowMultiple = false)] internal sealed class NotNullAttribute : Attribute diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs similarity index 76% rename from src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs rename to src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs index c81d7655be..c262afe4c7 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs @@ -5,4 +5,4 @@ using System; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("Microsoft.AspNet.Security.DataProtection.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] diff --git a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs rename to src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs index ae6746ee91..563030c9b4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs @@ -1,5 +1,5 @@ // -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { using System.Globalization; using System.Reflection; 
@@ -8,7 +8,7 @@ namespace Microsoft.AspNet.Security.DataProtection internal static class Resources { private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.Security.DataProtection.Resources", typeof(Resources).GetTypeInfo().Assembly); + = new ResourceManager("Microsoft.AspNet.DataProtection.Resources", typeof(Resources).GetTypeInfo().Assembly); /// /// An error occurred during a cryptographic operation. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/Repositories/FileSystemXmlRepository.cs rename to src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index c09c085587..a5e219e50b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -8,7 +8,7 @@ using System.IO; using System.Linq; using System.Xml.Linq; -namespace Microsoft.AspNet.Security.DataProtection.Repositories +namespace Microsoft.AspNet.DataProtection.Repositories { /// /// An XML repository backed by a file system. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Repositories/IXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/Repositories/IXmlRepository.cs rename to src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs index 572701d922..e5e649594c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Repositories/IXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs 
@@ -5,7 +5,7 @@ using System; using System.Collections.Generic; using System.Xml.Linq; -namespace Microsoft.AspNet.Security.DataProtection.Repositories +namespace Microsoft.AspNet.DataProtection.Repositories { /// /// The basic interface for storing and retrieving XML elements. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/Repositories/RegistryXmlRepository.cs rename to src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index 6ebbed369b..e670282c7b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -10,7 +10,7 @@ using System.Security.Principal; using System.Xml.Linq; using Microsoft.Win32; -namespace Microsoft.AspNet.Security.DataProtection.Repositories +namespace Microsoft.AspNet.DataProtection.Repositories { /// /// An XML repository backed by the Windows registry. diff --git a/src/Microsoft.AspNet.Security.DataProtection/Resources.resx b/src/Microsoft.AspNet.DataProtection/Resources.resx similarity index 100% rename from src/Microsoft.AspNet.Security.DataProtection/Resources.resx rename to src/Microsoft.AspNet.DataProtection/Resources.resx diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs similarity index 87% rename from src/Microsoft.AspNet.Security.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs rename to src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs index 432549207e..dd8089732a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs 
+++ b/src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +namespace Microsoft.AspNet.DataProtection.SP800_108 { internal unsafe interface ISP800_108_CTR_HMACSHA512Provider : IDisposable { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs similarity index 96% rename from src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs rename to src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs index a31317918b..89f6b5c987 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs +++ b/src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs @@ -4,9 +4,9 @@ using System; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Managed; +using Microsoft.AspNet.DataProtection.Managed; -namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +namespace Microsoft.AspNet.DataProtection.SP800_108 { internal static class ManagedSP800_108_CTR_HMACSHA512 { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs rename to src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs index eee810f44c..a9dc0a4846 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs +++ b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs 
@@ -4,7 +4,7 @@ using System; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +namespace Microsoft.AspNet.DataProtection.SP800_108 { internal unsafe static class SP800_108_CTR_HMACSHA512Extensions { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs rename to src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index 903b6f095c..9105d95fc3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs +++ b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -5,7 +5,7 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; -namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +namespace Microsoft.AspNet.DataProtection.SP800_108 { /// /// Provides an implementation of the SP800-108-CTR-HMACSHA512 key derivation function. diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs rename to src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs index 119bd1ec73..a31935286a 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs 
@@ -6,7 +6,7 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +namespace Microsoft.AspNet.DataProtection.SP800_108 { internal unsafe sealed class Win7SP800_108_CTR_HMACSHA512Provider : ISP800_108_CTR_HMACSHA512Provider { diff --git a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs rename to src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs index 34c506756a..68d8a935e8 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs @@ -6,7 +6,7 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Security.DataProtection.SP800_108 +namespace Microsoft.AspNet.DataProtection.SP800_108 { internal unsafe sealed class Win8SP800_108_CTR_HMACSHA512Provider : ISP800_108_CTR_HMACSHA512Provider { diff --git a/src/Microsoft.AspNet.Security.DataProtection/Secret.cs b/src/Microsoft.AspNet.DataProtection/Secret.cs similarity index 99% rename from src/Microsoft.AspNet.Security.DataProtection/Secret.cs rename to src/Microsoft.AspNet.DataProtection/Secret.cs index 06905c39c1..6f04529c52 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/Secret.cs +++ b/src/Microsoft.AspNet.DataProtection/Secret.cs 
@@ -5,9 +5,9 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.Security.DataProtection.Managed; +using Microsoft.AspNet.DataProtection.Managed; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { /// /// Represents a secret value stored in memory. diff --git a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs similarity index 97% rename from src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs rename to src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs index a3542d71bb..a1c4ef1454 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs @@ -5,11 +5,11 @@ using System; using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector { - internal const string PurposeString = "Microsoft.AspNet.Security.DataProtection.TimeLimitedDataProtector"; + internal const string PurposeString = "Microsoft.AspNet.DataProtection.TimeLimitedDataProtector"; public TimeLimitedDataProtector(IDataProtector innerProtector) { diff --git a/src/Microsoft.AspNet.Security.DataProtection/WebEncoders.cs b/src/Microsoft.AspNet.DataProtection/WebEncoders.cs similarity index 98% rename from src/Microsoft.AspNet.Security.DataProtection/WebEncoders.cs rename to src/Microsoft.AspNet.DataProtection/WebEncoders.cs index 36db7b520a..c963b0c4b4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/WebEncoders.cs +++ b/src/Microsoft.AspNet.DataProtection/WebEncoders.cs 
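Review bot: `PurposeString` in TimeLimitedDataProtector.cs is a runtime value, not just a name, and this hunk changes its literal along with the namespace rename. If the string is used as the purpose when the inner protector is derived (that code is outside the hunk), anything protected under the old literal will fail to unprotect after the upgrade. Either keep the previous literal or record the break next to the constant, e.g. `// Part of the payload format: changing this string invalidates previously issued time-limited payloads.` The class body continues outside the hunk.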
@@ -4,7 +4,7 @@ using System; using System.Diagnostics; -namespace Microsoft.AspNet.Security.DataProtection +namespace Microsoft.AspNet.DataProtection { // Internal copy of HttpAbstractions functionality. internal static class WebEncoders diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index e9a4388de3..39f6d3e1a5 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -5,7 +5,7 @@ using System; using System.Security.Cryptography.X509Certificates; using System.Xml.Linq; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that performs XML encryption using an X.509 certificate. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs similarity index 86% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs index 410ce331c2..dd7d0938d2 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { // from ncrypt.h and ncryptprotect.h [Flags] 
diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index 5b08a6e1fb..debd74b5a0 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -5,9 +5,9 @@ using System; using System.IO; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Cng; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that can decrypt XML elements which were encrypted using Windows DPAPI:NG. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs similarity index 95% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index acbd0c3f79..9c2f856f4f 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs 
@@ -8,10 +8,10 @@ using System.Security.Principal; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.KeyManagement; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that can encrypt XML elements using Windows DPAPI:NG. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs similarity index 94% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index cef503b7e2..c55a6ba47d 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -5,9 +5,9 @@ using System; using System.IO; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Cng; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that can decrypt XML elements which were encrypted using Windows DPAPI. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs similarity index 93% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 553cda733e..22916e2d24 100644 
--- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -4,10 +4,10 @@ using System; using System.IO; using System.Xml.Linq; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.KeyManagement; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that can encrypt XML elements using Windows DPAPI. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlDecryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs index 7002cff30c..3b7f2a516c 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// The basic interface for decrypting an XML element. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs index 733f60739b..019c32d7f4 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/IXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs 
@@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// The basic interface for encrypting an XML element. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs similarity index 92% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs index efceec02ae..e5b8b1ab5b 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs @@ -6,7 +6,7 @@ using System.Linq; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that can decrypt XML elements which were encrypted using a null encryptor. diff --git a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs similarity index 91% rename from src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlEncryptor.cs rename to src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs index 3a0c1f09ae..170f4eb6e3 100644 --- a/src/Microsoft.AspNet.Security.DataProtection/XmlEncryption/NullXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs 
@@ -3,9 +3,9 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.Security.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.KeyManagement; -namespace Microsoft.AspNet.Security.DataProtection.XmlEncryption +namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that performs null XML encryption (just returns the plaintext). diff --git a/src/Microsoft.AspNet.Security.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json similarity index 100% rename from src/Microsoft.AspNet.Security.DataProtection/project.json rename to src/Microsoft.AspNet.DataProtection/project.json diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs rename to test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs index 4e2b8b4373..85a80c25af 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs @@ -6,11 +6,11 @@ using System.Linq; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test.Cng +namespace Microsoft.AspNet.DataProtection.Test.Cng { public class CbcAuthenticatedEncryptorTests { 
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs rename to test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs index 1ccabfc429..1aa5a8afb7 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs @@ -2,12 +2,12 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.Testing.xunit; using Moq; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test.Cng +namespace Microsoft.AspNet.DataProtection.Test.Cng { public unsafe class CngAuthenticatedEncryptorBaseTests { diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs rename to test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs index e9ab3f545f..b5d1b757ad 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs 
@@ -6,11 +6,11 @@ using System.Linq; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Security.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test.Cng +namespace Microsoft.AspNet.DataProtection.Test.Cng { public class GcmAuthenticatedEncryptorTests { diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs similarity index 96% rename from test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs rename to test/Microsoft.AspNet.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs index 168ae7075a..99e1762625 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs @@ -6,7 +6,7 @@ using System.Globalization; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.Testing.xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test +namespace Microsoft.AspNet.DataProtection.Test { public class ConditionalRunTestOnlyIfBcryptAvailableAttribute : Attribute, ITestCondition { diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs rename to test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs index bccbafeb38..c7f50b17cb 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/DataProtectionExtensionsTests.cs 
+++ b/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs @@ -7,7 +7,7 @@ using System.Text; using Moq; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test +namespace Microsoft.AspNet.DataProtection.Test { public class DataProtectionExtensionsTests { @@ -30,7 +30,7 @@ namespace Microsoft.AspNet.Security.DataProtection.Test // Arrange var innerProtector = new Mock().Object; var outerProtectorMock = new Mock(); - outerProtectorMock.Setup(o => o.CreateProtector("Microsoft.AspNet.Security.DataProtection.TimeLimitedDataProtector")).Returns(innerProtector); + outerProtectorMock.Setup(o => o.CreateProtector("Microsoft.AspNet.DataProtection.TimeLimitedDataProtector")).Returns(innerProtector); // Act var timeLimitedProtector = (TimeLimitedDataProtector)outerProtectorMock.Object.AsTimeLimitedDataProtector(); diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/EphemeralDataProtectionProviderTests.cs rename to test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs index b580ebf97a..17e86f2279 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/EphemeralDataProtectionProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs @@ -6,7 +6,7 @@ using System.Security.Cryptography; using System.Text; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test +namespace Microsoft.AspNet.DataProtection.Test { public class EphemeralDataProtectionProviderTests { 
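Review bot: The purpose string passed to `CreateProtector` in the `@@ -30,7 +30,7 @@` hunk is a runtime value rather than a namespace reference, and it changes from `Microsoft.AspNet.Security.DataProtection.TimeLimitedDataProtector` to `Microsoft.AspNet.DataProtection.TimeLimitedDataProtector`. If the product code was changed to match (not visible in this hunk), payloads protected under the old purpose will no longer unprotect after the upgrade, because the purpose feeds into key derivation. A comment next to the literal would make that explicit, e.g. `// Purpose strings are part of key derivation; changing this invalidates existing payloads.` The test method starts and ends outside the hunk.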
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/ExceptionHelpers.cs b/test/Microsoft.AspNet.DataProtection.Test/ExceptionHelpers.cs similarity index 92% rename from test/Microsoft.AspNet.Security.DataProtection.Test/ExceptionHelpers.cs rename to test/Microsoft.AspNet.DataProtection.Test/ExceptionHelpers.cs index e4394cbc9b..a05290105c 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/ExceptionHelpers.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/ExceptionHelpers.cs @@ -4,7 +4,7 @@ using System; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test +namespace Microsoft.AspNet.DataProtection.Test { internal static class ExceptionHelpers { diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs similarity index 97% rename from test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs rename to test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs index 345bb439f4..812e9bf653 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs @@ -5,10 +5,10 @@ using System; using System.Linq; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.Security.DataProtection.Managed; +using Microsoft.AspNet.DataProtection.Managed; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test.Managed +namespace Microsoft.AspNet.DataProtection.Test.Managed { public class ManagedAuthenticatedEncryptorTests { 
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj b/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.kproj similarity index 100% rename from test/Microsoft.AspNet.Security.DataProtection.Test/Microsoft.AspNet.Security.DataProtection.Test.kproj rename to test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.kproj diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs similarity index 100% rename from test/Microsoft.AspNet.Security.DataProtection.Test/Properties/AssemblyInfo.cs rename to test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs b/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs similarity index 98% rename from test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs rename to test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs index 2705296ed1..69ac3097bf 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/SP800_108/SP800_108Tests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs @@ -4,11 +4,11 @@ using System; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.Security.DataProtection.SP800_108; +using Microsoft.AspNet.DataProtection.SP800_108; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test.SP800_108 +namespace Microsoft.AspNet.DataProtection.Test.SP800_108 { public unsafe class SP800_108Tests { 
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/SequentialGenRandom.cs b/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs similarity index 82% rename from test/Microsoft.AspNet.Security.DataProtection.Test/SequentialGenRandom.cs rename to test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs index 59dcb6e9cb..fd449f19c7 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/SequentialGenRandom.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs @@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Security.DataProtection.Cng; -using Microsoft.AspNet.Security.DataProtection.Managed; +using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Managed; -namespace Microsoft.AspNet.Security.DataProtection.Test +namespace Microsoft.AspNet.DataProtection.Test { internal unsafe class SequentialGenRandom : IBCryptGenRandom, IManagedGenRandom { diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs similarity index 98% rename from test/Microsoft.AspNet.Security.DataProtection.Test/TimeLimitedDataProtectorTests.cs rename to test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs index 671eb65aec..459ced47ee 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/TimeLimitedDataProtectorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs @@ -6,7 +6,7 @@ using System.Security.Cryptography; using Moq; using Xunit; -namespace Microsoft.AspNet.Security.DataProtection.Test +namespace Microsoft.AspNet.DataProtection.Test { public class TimeLimitedDataProtectorTests { 
diff --git a/test/Microsoft.AspNet.Security.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json similarity index 83% rename from test/Microsoft.AspNet.Security.DataProtection.Test/project.json rename to test/Microsoft.AspNet.DataProtection.Test/project.json index 2ee987c400..cc8993067d 100644 --- a/test/Microsoft.AspNet.Security.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json @@ -1,6 +1,6 @@ { "dependencies": { - "Microsoft.AspNet.Security.DataProtection": "1.0.0-*", + "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", "xunit.runner.kre": "1.0.0-*" From e4db4b1189f89e6737da7975581ddd4cf2a10d46 Mon Sep 17 00:00:00 2001 From: Levi B Date: Thu, 26 Feb 2015 10:35:40 -0800 Subject: [PATCH 095/493] Temporarily store keys in different folder to resolve issues caused by package renaming --- .../DataProtectionServiceCollectionExtensions.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index 8010230161..f2be8533fe 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -121,7 +121,7 @@ namespace Microsoft.Framework.DependencyInjection } // TODO: Remove BETA moniker from below. - string fullPathToKeys = Path.Combine(homeEnvVar, "ASP.NET", "keys-BETA"); + string fullPathToKeys = Path.Combine(homeEnvVar, "ASP.NET", "keys-BETA6"); return new DirectoryInfo(fullPathToKeys); } 
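Review bot: The folder name `keys-BETA6` is now a separate literal in three `Path.Combine` calls (this hunk at `-121` and the two following hunks at `-133` and `-145`), each under a TODO that still says "BETA". A single `private const string KeysFolderName = "keys-BETA6";` would keep the three paths from drifting apart on the next rename. The switch also leaves the old `keys-BETA` directory and its key material on disk, and nothing in these hunks migrates or removes it, so the commit message or a comment should tell operators when it is safe to delete. The enclosing methods start and end outside the hunks.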
@@ -133,7 +133,7 @@ namespace Microsoft.Framework.DependencyInjection if (!String.IsNullOrEmpty(folderPath)) { // TODO: Remove BETA moniker from below. - return new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA")); + return new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA6")); } else { @@ -145,7 +145,7 @@ namespace Microsoft.Framework.DependencyInjection ?? Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "AppData", "Local"); // TODO: Remove BETA moniker from below. - DirectoryInfo retVal = new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA")); + DirectoryInfo retVal = new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA6")); try { retVal.Create(); // throws if we don't have access, e.g., user profile not loaded From bf0f94ce20a02c9238b4aeada536f82b54dff3f2 Mon Sep 17 00:00:00 2001 From: Levi B Date: Thu, 26 Feb 2015 23:46:02 -0800 Subject: [PATCH 096/493] Store reg keys in a different folder to mitigate impact of renaming changes --- .../Repositories/RegistryXmlRepository.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index e670282c7b..a25fc6a3d4 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs 
@@ -71,11 +71,11 @@ namespace Microsoft.AspNet.DataProtection.Repositories using (aspnetBaseKey) { // TODO: Remove the ".BETA" moniker. - var dataProtectionKey = aspnetBaseKey.OpenSubKey("DataProtection.BETA", writable: true); + var dataProtectionKey = aspnetBaseKey.OpenSubKey("DataProtection.BETA6", writable: true); if (dataProtectionKey == null) { // TODO: Remove the ".BETA" moniker from here, also. - dataProtectionKey = aspnetBaseKey.CreateSubKey("DataProtection.BETA"); + dataProtectionKey = aspnetBaseKey.CreateSubKey("DataProtection.BETA6"); } // Once we've opened the HKLM reg key, return a repository which wraps it. From 32ff156923eb790f430fc87c6e7c9dab0fac4c16 Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Wed, 4 Mar 2015 16:35:33 -0800 Subject: [PATCH 097/493] React to DI changes, AddDataProtection no longer takes Config --- ...taProtectionServiceCollectionExtensions.cs | 38 +++++++++---------- .../DefaultDataProtectionProvider.cs | 1 - 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index f2be8533fe..76df9b201c 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs 
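Review bot: `OpenSubKey` and `CreateSubKey` each carry their own `"DataProtection.BETA6"` literal, so a later rename that touches only one of them would make the open and create paths point at different keys. A shared constant such as `private const string DataProtectionSubKeyName = "DataProtection.BETA6";` removes that risk, and the two TODO comments could then be merged into one. The old `DataProtection.BETA` subkey and any key ring stored in it remain in the registry after this change, and the new subkey presumably inherits the parent's ACL; a comment stating which accounts are expected to read it would help anyone reviewing key storage at rest. The enclosing method starts and ends outside the hunk.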
@@ -12,23 +12,21 @@ using Microsoft.AspNet.DataProtection.Dpapi; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; -using Microsoft.Framework.ConfigurationModel; namespace Microsoft.Framework.DependencyInjection { public static class DataProtectionServiceCollectionExtensions { - public static IServiceCollection AddDataProtection(this IServiceCollection services, IConfiguration configuration = null) + public static IServiceCollection AddDataProtection(this IServiceCollection services) { - services.AddOptions(configuration); - var describe = new ServiceDescriber(configuration); + services.AddOptions(); services.TryAdd(OSVersionUtil.IsBCryptOnWin7OrLaterAvailable() - ? GetDefaultServicesWindows(describe) - : GetDefaultServicesNonWindows(describe)); + ? GetDefaultServicesWindows() + : GetDefaultServicesNonWindows()); return services; } - private static IEnumerable GetDefaultServicesNonWindows(ServiceDescriber describe) + private static IEnumerable GetDefaultServicesNonWindows() { // If we're not running on Windows, we can't use CNG. @@ -36,11 +34,11 @@ namespace Microsoft.Framework.DependencyInjection // DPAPI routines don't provide authenticity. return new[] { - describe.Instance(new DpapiDataProtectionProvider(DataProtectionScope.CurrentUser)) + ServiceDescriptor.Instance(new DpapiDataProtectionProvider(DataProtectionScope.CurrentUser)) }; } - private static IEnumerable GetDefaultServicesWindows(ServiceDescriber describe) + private static IEnumerable GetDefaultServicesWindows() { List descriptors = new List(); 
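Review bot: `GetDefaultServicesNonWindows` registers `new DpapiDataProtectionProvider(DataProtectionScope.CurrentUser)` directly under a comment fragment saying the DPAPI routines don't provide authenticity, so callers on this path get a default provider without integrity protection and nothing on the public surface says so. Since `AddDataProtection` is public and has no doc comment in the hunk, I'd add one that records the downgrade, e.g. `/// <remarks>When CNG is unavailable the default provider is DPAPI-based and does not guarantee authenticity of protected payloads.</remarks>`. The `@@ -80,15 +78,15 @@` hunk later in this file has a similar silent fallback.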
@@ -52,8 +50,8 @@ namespace Microsoft.Framework.DependencyInjection // cloud DPAPI service comes online. descriptors.AddRange(new[] { - describe.Singleton(), - describe.Instance(new FileSystemXmlRepository(azureWebSitesKeysFolder)) + ServiceDescriptor.Singleton(), + ServiceDescriptor.Instance(new FileSystemXmlRepository(azureWebSitesKeysFolder)) }); } else @@ -64,8 +62,8 @@ namespace Microsoft.Framework.DependencyInjection { descriptors.AddRange(new[] { - describe.Instance(new DpapiXmlEncryptor(protectToLocalMachine: false)), - describe.Instance(new FileSystemXmlRepository(localAppDataKeysFolder)) + ServiceDescriptor.Instance(new DpapiXmlEncryptor(protectToLocalMachine: false)), + ServiceDescriptor.Instance(new FileSystemXmlRepository(localAppDataKeysFolder)) }); } else @@ -80,15 +78,15 @@ namespace Microsoft.Framework.DependencyInjection // We use same-machine DPAPI since we already know no user profile is loaded. descriptors.AddRange(new[] { - describe.Instance(new DpapiXmlEncryptor(protectToLocalMachine: true)), - describe.Instance(hklmRegXmlRepository) + ServiceDescriptor.Instance(new DpapiXmlEncryptor(protectToLocalMachine: true)), + ServiceDescriptor.Instance(hklmRegXmlRepository) }); } else { // Fall back to DPAPI for now return new[] { - describe.Instance(new DpapiDataProtectionProvider(DataProtectionScope.LocalMachine)) + ServiceDescriptor.Instance(new DpapiDataProtectionProvider(DataProtectionScope.LocalMachine)) }; } } @@ -97,10 +95,10 @@ namespace Microsoft.Framework.DependencyInjection // We use CNG CBC + HMAC by default. descriptors.AddRange(new[] { - describe.Singleton(), - describe.Singleton(), - describe.Singleton(), - describe.Singleton() + ServiceDescriptor.Singleton(), + ServiceDescriptor.Singleton(), + ServiceDescriptor.Singleton(), + ServiceDescriptor.Singleton() }); return descriptors; 
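Review bot: The final `else` branch in the `@@ -80,15 +78,15 @@` hunk falls back to `new DpapiDataProtectionProvider(DataProtectionScope.LocalMachine)` with only the comment "Fall back to DPAPI for now". Machine-scope DPAPI generally lets any account on the same machine unprotect the data, which is a weaker default than the per-user branch above it. I'd extend the comment to say so, e.g. `// Fall back to machine-scope DPAPI: other local accounts may be able to unprotect this data.` The same applies to `new DpapiXmlEncryptor(protectToLocalMachine: true)` in the branch just before it, where confidentiality of the key ring presumably rests on the registry key's ACL. `GetDefaultServicesWindows` starts and ends outside this hunk.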
diff --git a/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs index 75925fe216..1aa439e917 100644 --- a/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs @@ -4,7 +4,6 @@ using System; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.DependencyInjection.Fallback; using Microsoft.Framework.OptionsModel; namespace Microsoft.AspNet.DataProtection From 88eb10dcfe46a2036fa57f96214ad1244efcb4a2 Mon Sep 17 00:00:00 2001 From: Brennan Date: Thu, 5 Mar 2015 14:21:35 -0800 Subject: [PATCH 098/493] DI API changes --- .../CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs | 7 ++----- .../CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs | 7 ++----- .../ManagedAuthenticatedEncryptorConfigurationXmlReader.cs | 7 ++----- .../DataProtectionServiceCollectionExtensions.cs | 1 - .../KeyManagement/XmlKeyManager.cs | 5 +---- 5 files changed, 7 insertions(+), 20 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs index 575f9da317..c799c3823c 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs 
@@ -13,14 +13,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption internal sealed class CngCbcAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader { private readonly IServiceProvider _serviceProvider; - private readonly ITypeActivator _typeActivator; public CngCbcAuthenticatedEncryptorConfigurationXmlReader( - [NotNull] IServiceProvider serviceProvider, - [NotNull] ITypeActivator typeActivator) + [NotNull] IServiceProvider serviceProvider) { _serviceProvider = serviceProvider; - _typeActivator = typeActivator; } public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element) @@ -51,7 +48,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption var encryptedSecretElement = element.Element(CngCbcAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single(); var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor"); var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true); - var secretElementDecryptor = (IXmlDecryptor)_typeActivator.CreateInstance(_serviceProvider, secretElementDecryptorType); + var secretElementDecryptor = (IXmlDecryptor)ActivatorUtilities.CreateInstance(_serviceProvider, secretElementDecryptorType); var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement); CryptoUtil.Assert(decryptedSecretElement.Name == CngCbcAuthenticatedEncryptorConfiguration.SecretElementName, @"TODO: Bad element."); diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs index a8abe60a34..de6a1bc707 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs 
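Review bot: In the `@@ -51,7 +48,7 @@` hunk, `secretElementDecryptorType` is resolved by `Type.GetType` from the `decryptor` attribute of the stored XML and passed straight to `ActivatorUtilities.CreateInstance`. The cast to `IXmlDecryptor` only fails after the constructor has already run, so a tampered key-ring entry could cause an unintended type to be constructed. `XmlKeyManager` in this same patch guards its reader type with `CryptoUtil.Assert(typeof(IAuthenticatedEncryptorConfigurationXmlReader).IsAssignableFrom(...))`, and the same check belongs here before activation: `CryptoUtil.Assert(typeof(IXmlDecryptor).IsAssignableFrom(secretElementDecryptorType), "TODO: decryptor type must implement IXmlDecryptor");`. The identical pattern appears in the CngGcm and Managed reader hunks that follow. `FromXml` starts and ends outside the hunk.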
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs @@ -13,14 +13,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption internal sealed class CngGcmAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader { private readonly IServiceProvider _serviceProvider; - private readonly ITypeActivator _typeActivator; public CngGcmAuthenticatedEncryptorConfigurationXmlReader( - [NotNull] IServiceProvider serviceProvider, - [NotNull] ITypeActivator typeActivator) + [NotNull] IServiceProvider serviceProvider) { _serviceProvider = serviceProvider; - _typeActivator = typeActivator; } public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element) @@ -45,7 +42,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption var encryptedSecretElement = element.Element(CngGcmAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single(); var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor"); var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true); - var secretElementDecryptor = (IXmlDecryptor)_typeActivator.CreateInstance(_serviceProvider, secretElementDecryptorType); + var secretElementDecryptor = (IXmlDecryptor)ActivatorUtilities.CreateInstance(_serviceProvider, secretElementDecryptorType); var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement); CryptoUtil.Assert(decryptedSecretElement.Name == CngGcmAuthenticatedEncryptorConfiguration.SecretElementName, @"TODO: Bad element."); diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs index d199a7e621..b9b8821a40 100644 
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs @@ -13,14 +13,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption internal sealed class ManagedAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader { private readonly IServiceProvider _serviceProvider; - private readonly ITypeActivator _typeActivator; public ManagedAuthenticatedEncryptorConfigurationXmlReader( - [NotNull] IServiceProvider serviceProvider, - [NotNull] ITypeActivator typeActivator) + [NotNull] IServiceProvider serviceProvider) { _serviceProvider = serviceProvider; - _typeActivator = typeActivator; } public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element) @@ -49,7 +46,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption var encryptedSecretElement = element.Element(ManagedAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single(); var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor"); var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true); - var secretElementDecryptor = (IXmlDecryptor)_typeActivator.CreateInstance(_serviceProvider, secretElementDecryptorType); + var secretElementDecryptor = (IXmlDecryptor)ActivatorUtilities.CreateInstance(_serviceProvider, secretElementDecryptorType); var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement); CryptoUtil.Assert(decryptedSecretElement.Name == ManagedAuthenticatedEncryptorConfiguration.SecretElementName, @"TODO: Bad element."); diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index 76df9b201c..384e4bbc2e 100644 
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -96,7 +96,6 @@ namespace Microsoft.Framework.DependencyInjection descriptors.AddRange(new[] { ServiceDescriptor.Singleton(), - ServiceDescriptor.Singleton(), ServiceDescriptor.Singleton(), ServiceDescriptor.Singleton() }); diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index 2eebe38f43..e31cd5353a 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs @@ -35,20 +35,17 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private readonly IAuthenticatedEncryptorConfigurationFactory _authenticatedEncryptorConfigurationFactory; private readonly IServiceProvider _serviceProvider; - private readonly ITypeActivator _typeActivator; private readonly IXmlRepository _xmlRepository; private readonly IXmlEncryptor _xmlEncryptor; public XmlKeyManager( [NotNull] IServiceProvider serviceProvider, [NotNull] IAuthenticatedEncryptorConfigurationFactory authenticatedEncryptorConfigurationFactory, - [NotNull] ITypeActivator typeActivator, [NotNull] IXmlRepository xmlRepository, [NotNull] IXmlEncryptor xmlEncryptor) { _serviceProvider = serviceProvider; _authenticatedEncryptorConfigurationFactory = authenticatedEncryptorConfigurationFactory; - _typeActivator = typeActivator; _xmlRepository = xmlRepository; _xmlEncryptor = xmlEncryptor; } 
@@ -175,7 +172,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement CryptoUtil.Assert(typeof(IAuthenticatedEncryptorConfigurationXmlReader).IsAssignableFrom(encryptorConfigurationParserType), "TODO: typeof(IAuthenticatedEncryptorConfigurationXmlReader).IsAssignableFrom(encryptorConfigurationParserType)"); - var parser = (IAuthenticatedEncryptorConfigurationXmlReader)_typeActivator.CreateInstance(_serviceProvider, encryptorConfigurationParserType); + var parser = (IAuthenticatedEncryptorConfigurationXmlReader)ActivatorUtilities.CreateInstance(_serviceProvider, encryptorConfigurationParserType); var encryptorConfiguration = parser.FromXml(encryptorConfigurationAsXml); Guid keyId = (Guid)keyElement.Attribute(IdAttributeName); From cb5e7d82f9b604cd94696af0954b221307a71d68 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Sun, 8 Mar 2015 12:48:15 -0700 Subject: [PATCH 099/493] Update aspnet50/aspnetcore50 => dnx451/dnxcore50. --- .../CryptoUtil.cs | 4 ++-- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 2 +- .../SafeHandles/SafeLibraryHandle.cs | 16 ++++++------- .../SafeHandles/SafeNCryptKeyHandle.cs | 2 +- .../SafeHandles/SecureLocalAllocHandle.cs | 4 ++-- .../UnsafeBufferUtil.cs | 24 +++++++++---------- .../UnsafeNativeMethods.cs | 16 ++++++------- .../project.json | 6 ++--- .../project.json | 6 ++--- .../project.json | 4 ++-- .../Cng/DpapiSecretSerializerHelper.cs | 8 +++---- ...taProtectionServiceCollectionExtensions.cs | 2 +- .../Dpapi/DataProtectionScope.cs | 2 +- .../Dpapi/ProtectedDataImpl.cs | 4 ++-- .../Managed/ManagedAuthenticatedEncryptor.cs | 2 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 2 +- .../project.json | 6 ++--- .../project.json | 4 ++-- .../project.json | 4 ++-- .../project.json | 4 ++-- 21 files changed, 62 insertions(+), 62 deletions(-) 
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs index 1b2932789f..14e047c0c2 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs @@ -7,7 +7,7 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; -#if !ASPNETCORE50 +#if !DNXCORE50 using System.Runtime.ConstrainedExecution; #endif @@ -53,7 +53,7 @@ namespace Microsoft.AspNet.Cryptography } [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint count) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs index fe725ea4d2..2f7ff5cee7 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -#if ASPNETCORE50 +#if DNXCORE50 namespace Microsoft.Win32.SafeHandles { internal abstract class SafeHandleZeroOrMinusOneIsInvalid : SafeHandle diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index 9c53390775..f13924ebb1 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs 
@@ -6,7 +6,7 @@ using System.Runtime.InteropServices; using System.Security; using Microsoft.Win32.SafeHandles; -#if !ASPNETCORE50 +#if !DNXCORE50 using System.Runtime.ConstrainedExecution; #endif @@ -127,12 +127,12 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles return UnsafeNativeMethods.FreeLibrary(handle); } -#if !ASPNETCORE50 +#if !DNXCORE50 [SuppressUnmanagedCodeSecurity] #endif private static class UnsafeNativeMethods { -#if ASPNETCORE50 +#if DNXCORE50 private const string CORE_LIBRARY_LOADER_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; private const string CORE_LOCALIZATION_LIB = "api-ms-win-core-localization-l1-2-0.dll"; #else @@ -140,7 +140,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx -#if ASPNETCORE50 +#if DNXCORE50 [DllImport(CORE_LOCALIZATION_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] @@ -157,7 +157,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if ASPNETCORE50 +#if DNXCORE50 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] #else [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] 
@@ -167,7 +167,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if ASPNETCORE50 +#if DNXCORE50 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] @@ -178,7 +178,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles [Out] out IntPtr phModule); // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx -#if ASPNETCORE50 +#if DNXCORE50 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] @@ -188,7 +188,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); // http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx -#if ASPNETCORE50 +#if DNXCORE50 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs index a2a325d560..8898809059 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; -#if ASPNETCORE50 +#if DNXCORE50 namespace Microsoft.AspNet.Cryptography.SafeHandles { /// 
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index a4ce4b3dcc..67d2072815 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs @@ -6,7 +6,7 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security; -#if !ASPNETCORE50 +#if !DNXCORE50 using System.Runtime.ConstrainedExecution; #endif @@ -43,7 +43,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles return newHandle; } -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif private void AllocateImpl(IntPtr cb) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs index 7bb265b4ec..2949371fb9 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs @@ -6,7 +6,7 @@ using System.Runtime.CompilerServices; using System.Threading; using Microsoft.AspNet.Cryptography.SafeHandles; -#if !ASPNETCORE50 +#if !DNXCORE50 using System.Runtime.ConstrainedExecution; #endif @@ -17,7 +17,7 @@ namespace Microsoft.AspNet.Cryptography private static readonly byte[] _emptyArray = new byte[0]; [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void BlockCopy(void* from, void* to, int byteCount) @@ -26,7 +26,7 @@ namespace Microsoft.AspNet.Cryptography } [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void BlockCopy(void* from, void* to, uint byteCount) 
@@ -37,7 +37,7 @@ namespace Microsoft.AspNet.Cryptography } } -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(LocalAllocHandle from, void* to, uint byteCount) @@ -57,7 +57,7 @@ namespace Microsoft.AspNet.Cryptography } } -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(byte* from, LocalAllocHandle to, uint byteCount) @@ -77,7 +77,7 @@ namespace Microsoft.AspNet.Cryptography } } -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(LocalAllocHandle from, LocalAllocHandle to, IntPtr length) @@ -117,7 +117,7 @@ namespace Microsoft.AspNet.Cryptography [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyImpl(byte* from, byte* to, uint byteCount) { -#if ASPNETCORE50 +#if DNXCORE50 Buffer.MemoryCopy(from, to, (ulong)byteCount, (ulong)byteCount); #else while (byteCount-- != 0) { @@ -129,7 +129,7 @@ namespace Microsoft.AspNet.Cryptography [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyImpl(byte* from, byte* to, ulong byteCount) { -#if ASPNETCORE50 +#if DNXCORE50 Buffer.MemoryCopy(from, to, byteCount, byteCount); #else while (byteCount-- != 0) { @@ -142,7 +142,7 @@ namespace Microsoft.AspNet.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, int byteCount) 
@@ -154,7 +154,7 @@ namespace Microsoft.AspNet.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, uint byteCount) @@ -175,7 +175,7 @@ namespace Microsoft.AspNet.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, ulong byteCount) @@ -195,7 +195,7 @@ namespace Microsoft.AspNet.Cryptography /// /// Securely clears a memory buffer. /// -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, IntPtr length) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs index a7bfe972e3..07769f8dd4 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs @@ -12,13 +12,13 @@ using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; -#if !ASPNETCORE50 +#if !DNXCORE50 using System.Runtime.ConstrainedExecution; #endif namespace Microsoft.AspNet.Cryptography { -#if !ASPNETCORE50 +#if !DNXCORE50 [SuppressUnmanagedCodeSecurity] #endif internal unsafe static class UnsafeNativeMethods @@ -87,7 +87,7 @@ namespace Microsoft.AspNet.Cryptography [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx 
@@ -95,7 +95,7 @@ namespace Microsoft.AspNet.Cryptography [In] IntPtr hHash); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375404(v=vs.85).aspx @@ -202,7 +202,7 @@ namespace Microsoft.AspNet.Cryptography */ [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376045(v=vs.85).aspx @@ -210,7 +210,7 @@ namespace Microsoft.AspNet.Cryptography [In] IntPtr pCertContext); [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376075(v=vs.85).aspx @@ -227,7 +227,7 @@ namespace Microsoft.AspNet.Cryptography [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379885(v=vs.85).aspx -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif internal static extern bool CryptAcquireCertificatePrivateKey( @@ -286,7 +286,7 @@ namespace Microsoft.AspNet.Cryptography */ [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !ASPNETCORE50 +#if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706799(v=vs.85).aspx diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index da2f2d3a77..846a48ecec 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json 
+++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json @@ -1,12 +1,12 @@ -{ +{ "version": "1.0.0-*", "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", "dependencies": { }, "frameworks": { "net451": { }, - "aspnet50": { }, - "aspnetcore50": { + "dnx451": { }, + "dnxcore50": { "dependencies": { "System.Diagnostics.Debug": "4.0.10-beta-*", "System.Globalization": "4.0.10-beta-*", diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 6582d52581..dfcd7bc5d1 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "description": "ASP.NET 5 utilities for key derivation.", "dependencies": { @@ -6,8 +6,8 @@ }, "frameworks": { "net451": { }, - "aspnet50": { }, - "aspnetcore50": { + "dnx451": { }, + "dnxcore50": { "dependencies": { "System.Runtime.Extensions": "4.0.10-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*" diff --git a/src/Microsoft.AspNet.DataProtection.Azure/project.json b/src/Microsoft.AspNet.DataProtection.Azure/project.json index 79272abe27..7962450b74 100644 --- a/src/Microsoft.AspNet.DataProtection.Azure/project.json +++ b/src/Microsoft.AspNet.DataProtection.Azure/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "description": "ASP.NET 5 blob storage repository for DataProtection.", "dependencies": { @@ -7,7 +7,7 @@ }, "frameworks": { "net451": {}, - "aspnet50": {} + "dnx451": {} }, "compilationOptions": { "warningsAsErrors": true diff --git a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs index 44c0a8b692..13b583c4bf 100644 --- a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs 
+++ b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -62,7 +62,7 @@ namespace Microsoft.AspNet.DataProtection.Cng }; DATA_BLOB dataOut = default(DATA_BLOB); -#if !ASPNETCORE50 +#if !DNXCORE50 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -152,7 +152,7 @@ namespace Microsoft.AspNet.DataProtection.Cng fixed (byte* pbRetVal = retVal) { bool handleAcquired = false; -#if !ASPNETCORE50 +#if !DNXCORE50 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -202,7 +202,7 @@ namespace Microsoft.AspNet.DataProtection.Cng }; DATA_BLOB dataOut = default(DATA_BLOB); -#if !ASPNETCORE50 +#if !DNXCORE50 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -275,7 +275,7 @@ namespace Microsoft.AspNet.DataProtection.Cng using (unencryptedPayloadHandle) { bool handleAcquired = false; -#if !ASPNETCORE50 +#if !DNXCORE50 RuntimeHelpers.PrepareConstrainedRegions(); #endif try diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index 384e4bbc2e..14832f8d5d 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -124,7 +124,7 @@ namespace Microsoft.Framework.DependencyInjection private static DirectoryInfo TryGetLocalAppDataKeysFolderForUser() { -#if !ASPNETCORE50 +#if !DNXCORE50 // Environment.GetFolderPath returns null if the user profile isn't loaded. string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); if (!String.IsNullOrEmpty(folderPath)) diff --git a/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs index 7cf629b023..e55496e2af 100644 --- a/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs 
+++ b/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs @@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. // We only define this type in core CLR since desktop CLR already contains it. -#if ASPNETCORE50 +#if DNXCORE50 using System; namespace System.Security.Cryptography diff --git a/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs index 709cda218a..74929a0d4d 100644 --- a/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs +++ b/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNet.DataProtection.Dpapi { public byte[] Protect(byte[] userData, byte[] optionalEntropy, DataProtectionScope scope) { -#if ASPNETCORE50 +#if DNXCORE50 fixed (byte* pbUserData = userData) { fixed (byte* pbOptionalEntropy = optionalEntropy) @@ -31,7 +31,7 @@ namespace Microsoft.AspNet.DataProtection.Dpapi public byte[] Unprotect(byte[] encryptedData, byte[] optionalEntropy, DataProtectionScope scope) { -#if ASPNETCORE50 +#if DNXCORE50 Secret blob; fixed (byte* pbEncryptedData = encryptedData) { diff --git a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index c39738341f..687f5002a6 100644 --- a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -357,7 +357,7 @@ namespace Microsoft.AspNet.DataProtection.Managed using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey)) { -#if !ASPNETCORE50 +#if !DNXCORE50 // As an optimization, avoid duplicating the underlying buffer if we're on desktop CLR. byte[] underlyingBuffer = outputStream.GetBuffer(); #else 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index 9c2f856f4f..498df42350 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -51,7 +51,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption using (var memoryStream = new MemoryStream()) { plaintextElement.Save(memoryStream); -#if !ASPNETCORE50 +#if !DNXCORE50 // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization. byte[] underlyingBuffer = memoryStream.GetBuffer(); secret = new Secret(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 22916e2d24..121384d7bc 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -36,7 +36,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { plaintextElement.Save(memoryStream); -#if !ASPNETCORE50 +#if !DNXCORE50 // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization. byte[] underlyingBuffer = memoryStream.GetBuffer(); secret = new Secret(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index a0e70f0a0a..6162dc84ac 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", "dependencies": { 
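Review bot: In the DpapiNGXmlEncryptor.cs hunk, and identically in the DpapiXmlEncryptor.cs hunk after it, the `#if !DNXCORE50` branch wraps `memoryStream.GetBuffer()` in a `Secret`, but nothing visible clears that array afterwards. `plaintextElement.Save(memoryStream)` writes the unencrypted key XML into a growable managed buffer, so the final array can keep plaintext on the heap after the `using` block ends, as can any smaller arrays the stream discarded while growing. The rest of each block is outside the hunks, so this may already be handled. If it is not, and assuming `Secret` copies the segment rather than holding a reference, I would add `Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length);` once the `Secret` is constructed. A short comment should note that earlier reallocated buffers cannot be scrubbed this way.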
@@ -14,14 +14,14 @@ "System.Xml.Linq": "" } }, - "aspnet50": { + "dnx451": { "frameworkAssemblies": { "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" } }, - "aspnetcore50": { + "dnxcore50": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", "System.IO": "4.0.10-beta-*", diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index 8f1a47255e..eb24602f48 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -1,11 +1,11 @@ -{ +{ "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", "xunit.runner.kre": "1.0.0-*" }, "frameworks": { - "aspnet50": { } + "dnx451": { } }, "commands": { "test": "xunit.runner.kre" diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index ebed517c17..d94820a8be 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -1,4 +1,4 @@ -{ +{ "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", @@ -7,7 +7,7 @@ "xunit.runner.kre": "1.0.0-*" }, "frameworks": { - "aspnet50": { } + "dnx451": { } }, "commands": { "test": "xunit.runner.kre" diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index cc8993067d..e8be8937c0 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json @@ -1,4 +1,4 @@ -{ +{ "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", 
@@ -6,7 +6,7 @@ "xunit.runner.kre": "1.0.0-*" }, "frameworks": { - "aspnet50": { } + "dnx451": { } }, "commands": { "test": "xunit.runner.kre" From 2697cf0d80e6123118510e23a61a5e825a7029e5 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Sun, 8 Mar 2015 12:48:16 -0700 Subject: [PATCH 100/493] Update K_BUILD_VERSION/kre/KRE/.k => DNX_BUILD_VERSION/dnx/DNX/.dnx. --- build.cmd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.cmd b/build.cmd index 86ca5bbbf1..49ba0692de 100644 --- a/build.cmd +++ b/build.cmd @@ -1,4 +1,4 @@ -@echo off +@echo off cd %~dp0 SETLOCAL @@ -19,7 +19,7 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion -IF "%SKIP_KRE_INSTALL%"=="1" goto run +IF "%SKIP_DNX_INSTALL%"=="1" goto run CALL packages\KoreBuild\build\kvm upgrade -runtime CLR -x86 CALL packages\KoreBuild\build\kvm install default -runtime CoreCLR -x86 From 00d6e37d6c80e099d86f295d8d46900918aab1d1 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Sun, 8 Mar 2015 12:48:17 -0700 Subject: [PATCH 101/493] Update kvm/KVM/Kvm => dnvm/DNVM/Dnvm. --- build.cmd | 6 +++--- build.sh | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/build.cmd b/build.cmd index 49ba0692de..77be0a6627 100644 --- a/build.cmd +++ b/build.cmd 
@@ -20,9 +20,9 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion IF "%SKIP_DNX_INSTALL%"=="1" goto run -CALL packages\KoreBuild\build\kvm upgrade -runtime CLR -x86 -CALL packages\KoreBuild\build\kvm install default -runtime CoreCLR -x86 +CALL packages\KoreBuild\build\dnvm upgrade -runtime CLR -x86 +CALL packages\KoreBuild\build\dnvm install default -runtime CoreCLR -x86 :run -CALL packages\KoreBuild\build\kvm use default -runtime CLR -x86 +CALL packages\KoreBuild\build\dnvm use default -runtime CLR -x86 packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* diff --git a/build.sh b/build.sh index c7873ef58e..74cb3421e6 100644 --- a/build.sh +++ b/build.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash if test `uname` = Darwin; then cachedir=~/Library/Caches/KBuild @@ -28,11 +28,11 @@ if test ! -d packages/KoreBuild; then fi if ! type k > /dev/null 2>&1; then - source packages/KoreBuild/build/kvm.sh + source packages/KoreBuild/build/dnvm.sh fi if ! type k > /dev/null 2>&1; then - kvm upgrade + dnvm upgrade fi mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" From 87a89457bd914f06931108489a5a8f5e29469e97 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Sun, 8 Mar 2015 12:48:17 -0700 Subject: [PATCH 102/493] Update build.sh to use dnvm correctly. --- build.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build.sh b/build.sh index 74cb3421e6..a9ce06d087 100644 --- a/build.sh +++ b/build.sh @@ -27,7 +27,7 @@ if test ! -d packages/KoreBuild; then mono .nuget/nuget.exe install Sake -version 0.2 -o packages -ExcludeVersion fi -if ! type k > /dev/null 2>&1; then +if ! type dnvm > /dev/null 2>&1; then source packages/KoreBuild/build/dnvm.sh fi @@ -36,3 +36,4 @@ if ! type k > /dev/null 2>&1; then fi mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" + 
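Review bot: Patch 102 switches only the first `type k` guard in build.sh to `type dnvm`; the header of its second hunk (`@@ -36,3 +36,4 @@ if ! type k > /dev/null 2>&1; then`) shows that the guard around `dnvm upgrade` still probes for `k`. If the renamed runtime no longer puts a `k` command on PATH (likely given this rename series, but not shown here), that test is always true and `dnvm upgrade` runs on every build. Each build would then fetch whatever runtime is current, so the build is not reproducible and depends on the integrity of the download source. I would point the guard at the renamed runtime command, presumably `if ! type dnx > /dev/null 2>&1; then`, after confirming the name. Both `if` blocks are only partly visible in these hunks.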
From 8f0b9a56b8b980695c5d828f668c8c9b149bbd1e Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Mon, 9 Mar 2015 12:52:23 -0700 Subject: [PATCH 103/493] Remove BOM from project.json, *.cmd, *.sh and *.shade files. --- build.cmd | 2 +- build.sh | 2 +- src/Microsoft.AspNet.Cryptography.Internal/project.json | 2 +- src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json | 2 +- src/Microsoft.AspNet.DataProtection.Azure/project.json | 2 +- src/Microsoft.AspNet.DataProtection/project.json | 2 +- test/Microsoft.AspNet.Cryptography.Internal.Test/project.json | 2 +- .../project.json | 2 +- test/Microsoft.AspNet.DataProtection.Test/project.json | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/build.cmd b/build.cmd index 77be0a6627..68a732c182 100644 --- a/build.cmd +++ b/build.cmd @@ -1,4 +1,4 @@ -@echo off +@echo off cd %~dp0 SETLOCAL diff --git a/build.sh b/build.sh index a9ce06d087..ec3263114a 100644 --- a/build.sh +++ b/build.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash if test `uname` = Darwin; then cachedir=~/Library/Caches/KBuild diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index 846a48ecec..e43b76eba3 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", "dependencies": { diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index dfcd7bc5d1..14dfb3d55a 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "description": "ASP.NET 5 utilities for key derivation.", "dependencies": { 
diff --git a/src/Microsoft.AspNet.DataProtection.Azure/project.json b/src/Microsoft.AspNet.DataProtection.Azure/project.json index 7962450b74..159333396b 100644 --- a/src/Microsoft.AspNet.DataProtection.Azure/project.json +++ b/src/Microsoft.AspNet.DataProtection.Azure/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "description": "ASP.NET 5 blob storage repository for DataProtection.", "dependencies": { diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 6162dc84ac..eb11984e4d 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -1,4 +1,4 @@ -{ +{ "version": "1.0.0-*", "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", "dependencies": { diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index eb24602f48..6f59035881 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -1,4 +1,4 @@ -{ +{ "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index d94820a8be..90dcd88b09 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -1,4 +1,4 @@ -{ +{ "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index e8be8937c0..2de96e4f7b 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json 
+++ b/test/Microsoft.AspNet.DataProtection.Test/project.json @@ -1,4 +1,4 @@ -{ +{ "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", From 04008af4796580d99c09ee773b2b1086d133da9c Mon Sep 17 00:00:00 2001 From: Praburaj Date: Mon, 9 Mar 2015 20:37:28 -0700 Subject: [PATCH 104/493] Renaming Nuget.org feed key name to Nuget. fixes https://github.com/aspnet/Universe/issues/174 --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index f41e9c631d..da57d47267 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -2,6 +2,6 @@ - + - + \ No newline at end of file From e8cc1106d88710ce643104bb7aa6aebd4e7ceb3b Mon Sep 17 00:00:00 2001 
From: Levi B Date: Tue, 10 Mar 2015 22:17:31 -0700 Subject: [PATCH 105/493] Significant refactorings throughout the data protection stack - Move IDataProtectionProvider, IDataProtector, and extension methods to their own package - Simplify the APIs for registering and configuring the system - Default implementation now auto-detects capabilities of OS - Use EncryptedXml for X.509 certificate-based encryption - Add ability to escrow secret material upon key creation - Use centralized system policy for default algorithm selection - Simplify System.Web compatibility layer - Add unit tests, logging, and doc comments throughout solution --- DataProtection.sln | 64 +- makefile.shade | 38 + .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 11 +- .../Cng/BCryptUtil.cs | 7 +- .../Cng/CachedAlgorithmHandles.cs | 81 +- .../Cng/OSVersionUtil.cs | 4 +- .../CryptoUtil.cs | 20 + .../Properties/AssemblyInfo.cs | 1 + .../Properties/Resources.Designer.cs | 32 + .../Resources.resx | 6 + .../SafeHandles/BCryptAlgorithmHandle.cs | 9 +- .../SafeHandles/NCryptDescriptorHandle.cs | 22 +- .../SafeHandles/SafeCertContextHandle.cs | 30 - .../SafeHandles/SafeNCryptKeyHandle.cs | 28 - .../SafeHandles/SecureLocalAllocHandle.cs | 2 - .../UnsafeBufferUtil.cs | 51 +- .../UnsafeNativeMethods.cs | 67 +- .../KeyDerivation.cs | 16 + .../PBKDF2/Pbkdf2Util.cs | 4 +- .../BlobStorageXmlRepository.cs | 3 +- .../NotNullAttribute.cs | 12 - .../project.json | 1 + .../DataProtectionProviderHelper.cs | 49 -- .../DataProtector.cs | 72 -- .../DataProtectorHelper.cs | 49 -- .../IFactorySupportFunctions.cs | 14 - .../CryptoUtil.cs | 33 + .../DataProtectionExtensions.cs | 124 +++ .../Error.cs | 23 + .../IApplicationDiscriminator.cs | 19 + .../IDataProtectionProvider.cs | 29 + .../IDataProtector.cs | 15 +- ...ft.AspNet.DataProtection.Interfaces.kproj} | 2 +- .../Properties/AssemblyInfo.cs} | 10 +- .../Properties/Resources.Designer.cs | 78 ++ .../Resources.resx | 129 +++ .../WebEncoders.cs | 6 +- .../project.json | 25 + 
.../EncodingUtil.cs | 2 +- .../ExceptionExtensions.cs | 0 ...crosoft.AspNet.DataProtection.Shared.kproj | 17 + .../project.json | 20 + .../CompatibilityDataProtector.cs | 82 ++ .../DataProtectionStartup.cs | 94 +++ ...soft.AspNet.DataProtection.SystemWeb.kproj | 17 + .../Properties/Resources.Designer.cs | 62 ++ .../Resources.resx | 126 +++ .../project.json | 7 +- .../web.config.transform | 14 + .../ActivatorExtensions.cs | 86 ++ .../ApplyPolicyAttribute.cs | 13 + .../AlgorithmAssert.cs | 55 ++ .../AuthenticatedEncryptionOptions.cs | 200 +++++ .../AuthenticatedEncryptorExtensions.cs | 22 +- ...> CngCbcAuthenticatedEncryptionOptions.cs} | 157 ++-- ...gCbcAuthenticatedEncryptorConfiguration.cs | 76 -- ...henticatedEncryptorConfigurationFactory.cs | 30 - ...nticatedEncryptorConfigurationXmlReader.cs | 68 -- .../CngGcmAuthenticatedEncryptionOptions.cs | 123 +++ ...gGcmAuthenticatedEncryptorConfiguration.cs | 71 -- ...henticatedEncryptorConfigurationFactory.cs | 30 - ...henticatedEncryptorConfigurationOptions.cs | 131 --- ...nticatedEncryptorConfigurationXmlReader.cs | 62 -- .../AuthenticatedEncryptorConfiguration.cs | 34 + .../AuthenticatedEncryptorDescriptor.cs | 54 ++ ...nticatedEncryptorDescriptorDeserializer.cs | 44 ++ ...gCbcAuthenticatedEncryptorConfiguration.cs | 35 + .../CngCbcAuthenticatedEncryptorDescriptor.cs | 64 ++ ...nticatedEncryptorDescriptorDeserializer.cs | 44 ++ ...gGcmAuthenticatedEncryptorConfiguration.cs | 35 + .../CngGcmAuthenticatedEncryptorDescriptor.cs | 55 ++ ...nticatedEncryptorDescriptorDeserializer.cs | 39 + .../IAuthenticatedEncryptorConfiguration.cs | 21 + .../IAuthenticatedEncryptorDescriptor.cs | 41 + ...nticatedEncryptorDescriptorDeserializer.cs | 22 + ...rnalAuthenticatedEncryptorConfiguration.cs | 24 + ...agedAuthenticatedEncryptorConfiguration.cs | 36 + ...ManagedAuthenticatedEncryptorDescriptor.cs | 87 ++ ...nticatedEncryptorDescriptorDeserializer.cs | 73 ++ .../ConfigurationModel/SecretExtensions.cs | 63 ++ 
.../ConfigurationModel/XmlExtensions.cs | 26 + .../XmlSerializedDescriptorInfo.cs | 48 ++ .../EncryptionAlgorithm.cs | 54 ++ .../IAuthenticatedEncryptorConfiguration.cs | 29 - ...henticatedEncryptorConfigurationFactory.cs | 21 - ...nticatedEncryptorConfigurationXmlReader.cs | 21 - ...IInternalAuthenticatedEncryptionOptions.cs | 25 + .../IInternalConfigurationOptions.cs | 12 - .../ManagedAuthenticatedEncryptionOptions.cs | 162 ++++ ...agedAuthenticatedEncryptorConfiguration.cs | 74 -- ...henticatedEncryptorConfigurationFactory.cs | 37 - ...henticatedEncryptorConfigurationOptions.cs | 121 --- ...nticatedEncryptorConfigurationXmlReader.cs | 66 -- .../ValidationAlgorithm.cs | 24 + .../Cng/CbcAuthenticatedEncryptor.cs | 23 +- .../Cng/DpapiSecretSerializerHelper.cs | 81 +- .../Cng/GcmAuthenticatedEncryptor.cs | 8 +- .../DataProtectionConfiguration.cs | 372 +++++++++ .../DataProtectionExtensions.cs | 79 +- .../DataProtectionOptions.cs | 13 + .../DataProtectionProvider.cs | 89 +++ ...taProtectionServiceCollectionExtensions.cs | 159 +--- .../DataProtectionServiceDescriptors.cs | 187 +++++ .../DataProtectionServices.cs | 108 +++ .../DefaultDataProtectionProvider.cs | 39 - .../Dpapi/DataProtectionScope.cs | 30 - .../Dpapi/DpapiDataProtectionProvider.cs | 25 - .../Dpapi/DpapiDataProtector.cs | 68 -- .../Dpapi/IProtectedData.cs | 15 - .../Dpapi/ProtectedDataImpl.cs | 58 -- .../EphemeralDataProtectionProvider.cs | 42 +- src/Microsoft.AspNet.DataProtection/Error.cs | 46 +- .../IActivator.cs | 20 + .../IDataProtectionProvider.cs | 26 - .../IPersistedDataProtector.cs | 36 + .../ITimeLimitedDataProtector.cs | 4 +- .../KeyManagement/CacheableKeyRing.cs | 40 + .../KeyManagement/DefaultKeyResolution.cs | 21 + .../KeyManagement/DefaultKeyResolver.cs | 135 ++++ .../KeyManagement/DefaultKeyServices.cs | 58 ++ .../ICacheableKeyRingProvider.cs} | 6 +- .../KeyManagement/IDefaultKeyResolver.cs | 19 + .../KeyManagement/IDefaultKeyServices.cs | 27 + .../KeyManagement/IInternalXmlKeyManager.cs | 
14 + .../KeyManagement/IKey.cs | 4 +- .../KeyManagement/IKeyEscrowSink.cs | 27 + .../KeyManagement/IKeyManager.cs | 35 +- .../KeyManagement/IKeyRing.cs | 19 + .../KeyManagement/Key.cs | 42 +- .../KeyEscrowServiceProviderExtensions.cs | 42 + .../KeyManagement/KeyExtensions.cs | 4 +- .../KeyManagement/KeyLifetimeOptions.cs | 106 +++ .../KeyManagement/KeyRing.cs | 54 +- .../KeyRingBasedDataProtectionProvider.cs | 16 +- .../KeyRingBasedDataProtector.cs | 427 ++++++---- .../KeyManagement/KeyRingProvider.cs | 265 +++---- .../KeyManagement/XmlKeyManager.cs | 524 ++++++++---- .../LoggingExtensions.cs | 86 ++ .../LoggingServiceProviderExtensions.cs | 26 + .../Managed/ManagedAuthenticatedEncryptor.cs | 22 +- .../MemoryProtection.cs | 2 +- .../Properties/AssemblyInfo.cs | 1 + .../Properties/Resources.Designer.cs | 220 +++++- .../RegistryPolicyResolver.cs | 149 ++++ .../Repositories/EphemeralXmlRepository.cs | 59 ++ .../Repositories/FileSystemXmlRepository.cs | 173 +++- .../Repositories/IXmlRepository.cs | 4 + .../Repositories/RegistryXmlRepository.cs | 141 ++-- .../Resources.resx | 49 +- .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 2 +- src/Microsoft.AspNet.DataProtection/Secret.cs | 43 +- .../TimeLimitedDataProtector.cs | 54 +- .../TypeExtensions.cs | 30 + .../XmlConstants.cs | 39 + .../XmlEncryption/CertificateResolver.cs | 50 ++ .../XmlEncryption/CertificateXmlEncryptor.cs | 161 +++- .../DpapiNGProtectionDescriptorFlags.cs | 21 +- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 84 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 129 +-- .../XmlEncryption/DpapiXmlDecryptor.cs | 74 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 110 ++- .../EncryptedXmlDecryptor.core50.cs | 43 + .../XmlEncryption/EncryptedXmlDecryptor.cs | 74 ++ .../XmlEncryption/EncryptedXmlInfo.cs | 47 ++ .../XmlEncryption/ICertificateResolver.cs | 26 + .../IInternalCertificateXmlEncryptor.cs | 21 + .../IInternalEncryptedXmlDecryptor.cs | 20 + .../XmlEncryption/IXmlDecryptor.cs | 11 +- 
.../XmlEncryption/IXmlEncryptor.cs | 20 +- .../XmlEncryption/NullXmlDecryptor.cs | 21 +- .../XmlEncryption/NullXmlEncryptor.cs | 56 +- .../XmlEncryption/XmlEncryptionExtensions.cs | 201 +++++ .../XmlExtensions.cs | 30 + .../project.json | 14 +- ...PT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs | 36 + .../Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs | 58 ++ .../Cng/BCryptUtilTests.cs | 61 ++ .../Cng/CachedAlgorithmHandlesTests.cs | 189 +++++ .../CryptoUtilTests.cs | 54 ++ .../SecureLocalAllocHandleTests.cs | 31 + .../UnsafeBufferUtilTests.cs | 162 ++++ .../project.json | 4 + ...alRunTestOnlyIfBcryptAvailableAttribute.cs | 58 -- .../Pbkdf2Tests.cs | 10 +- .../project.json | 1 + .../DataProtectionExtensionsTests.cs | 179 +++++ ...spNet.DataProtection.Interfaces.Test.kproj | 17 + .../project.json | 19 + ...onalRunTestOnlyWindows8OrLaterAttribute.cs | 16 + .../ConditionalRunTestOnlyWindowsAttribute.cs | 16 + .../ExceptionAssert2.cs | 37 + ...ft.AspNet.DataProtection.Test.Shared.kproj | 17 + .../project.json | 17 + .../ActivatorTests.cs | 116 +++ .../AnonymousImpersonation.cs | 87 ++ ...tedEncryptorDescriptorDeserializerTests.cs | 40 + .../AuthenticatedEncryptorDescriptorTests.cs | 161 ++++ ...uthenticatedEncryptorConfigurationTests.cs | 40 + ...tedEncryptorDescriptorDeserializerTests.cs | 47 ++ ...bcAuthenticatedEncryptorDescriptorTests.cs | 69 ++ ...uthenticatedEncryptorConfigurationTests.cs | 40 + ...tedEncryptorDescriptorDeserializerTests.cs | 44 ++ ...cmAuthenticatedEncryptorDescriptorTests.cs | 64 ++ ...uthenticatedEncryptorConfigurationTests.cs | 40 + ...tedEncryptorDescriptorDeserializerTests.cs | 81 ++ ...edAuthenticatedEncryptorDescriptorTests.cs | 115 +++ .../Cng/CbcAuthenticatedEncryptorTests.cs | 10 +- .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 10 +- .../Cng/GcmAuthenticatedEncryptorTests.cs | 10 +- ...alRunTestOnlyIfBcryptAvailableAttribute.cs | 58 -- .../DataProtectionExtensionsTests.cs | 112 +-- .../EphemeralDataProtectionProviderTests.cs | 2 +- 
.../ExceptionHelpers.cs | 20 - .../KeyManagement/CacheableKeyRingTests.cs | 60 ++ .../KeyManagement/DefaultKeyResolverTests.cs | 165 ++++ ...KeyEscrowServiceProviderExtensionsTests.cs | 90 +++ .../KeyRingBasedDataProtectorTests.cs | 486 ++++++++++++ .../KeyManagement/KeyRingProviderTests.cs | 397 ++++++++++ .../KeyManagement/KeyRingTests.cs | 108 +++ .../KeyManagement/XmlKeyManagerTests.cs | 747 ++++++++++++++++++ .../ManagedAuthenticatedEncryptorTests.cs | 3 +- .../MockExtensions.cs | 63 ++ .../RegistryPolicyResolverTests.cs | 282 +++++++ .../EphemeralXmlRepositoryTests.cs | 39 + .../FileSystemXmlRepositoryTests.cs | 166 ++++ .../RegistryXmlRepositoryTests.cs | 166 ++++ .../SP800_108/SP800_108Tests.cs | 12 +- .../SecretAssert.cs | 45 ++ .../SecretTests.cs | 269 +++++++ .../SequentialGenRandom.cs | 2 +- .../StringLoggerFactory.cs | 78 ++ .../TimeLimitedDataProtectorTests.cs | 2 +- .../XmlAssert.cs | 151 ++++ .../CertificateXmlEncryptionTests.cs | 60 ++ .../DpapiNGXmlEncryptionTests.cs | 33 + .../XmlEncryption/DpapiXmlEncryptionTests.cs | 55 ++ .../XmlEncryption/NullXmlEncryptionTests.cs | 39 + .../XmlEncryptionExtensionsTests.cs | 234 ++++++ .../project.json | 2 + 239 files changed, 12770 insertions(+), 3100 deletions(-) delete mode 100644 src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs delete mode 100644 src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Azure/NotNullAttribute.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectionProviderHelper.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Compatibility/DataProtector.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectorHelper.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Compatibility/IFactorySupportFunctions.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Interfaces/CryptoUtil.cs create mode 100644 
src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Interfaces/Error.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Interfaces/IApplicationDiscriminator.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtectionProvider.cs rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNet.DataProtection.Interfaces}/IDataProtector.cs (68%) rename src/{Microsoft.AspNet.DataProtection.Compatibility/Microsoft.AspNet.DataProtection.Compatibility.kproj => Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.kproj} (94%) rename src/{Microsoft.AspNet.DataProtection.Compatibility/IDataProtectionProviderFactory.cs => Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs} (51%) create mode 100644 src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNet.DataProtection.Interfaces}/WebEncoders.cs (95%) create mode 100644 src/Microsoft.AspNet.DataProtection.Interfaces/project.json rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNet.DataProtection.Shared}/EncodingUtil.cs (91%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNet.DataProtection.Shared}/ExceptionExtensions.cs (100%) create mode 100644 src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.kproj create mode 100644 src/Microsoft.AspNet.DataProtection.Shared/project.json create mode 100644 src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs create mode 100644 src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs create mode 100644 src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.kproj create mode 100644 
src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/Resources.Designer.cs create mode 100644 src/Microsoft.AspNet.DataProtection.SystemWeb/Resources.resx rename src/{Microsoft.AspNet.DataProtection.Compatibility => Microsoft.AspNet.DataProtection.SystemWeb}/project.json (58%) create mode 100644 src/Microsoft.AspNet.DataProtection.SystemWeb/web.config.transform create mode 100644 src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs rename src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/{CngCbcAuthenticatedEncryptorConfigurationOptions.cs => CngCbcAuthenticatedEncryptionOptions.cs} (53%) delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs create mode 100644 
src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs create mode 100644 
src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs create 
mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs create mode 100644 src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs create mode 100644 src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs create mode 100644 src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs create mode 100644 src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtectionProvider.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtector.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/Dpapi/IProtectedData.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs create mode 100644 src/Microsoft.AspNet.DataProtection/IActivator.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/IDataProtectionProvider.cs create mode 100644 src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs rename src/Microsoft.AspNet.DataProtection/{NotNullAttribute.cs => KeyManagement/ICacheableKeyRingProvider.cs} (56%) create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs create mode 100644 
src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/KeyLifetimeOptions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs create mode 100644 src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs create mode 100644 src/Microsoft.AspNet.DataProtection/TypeExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlConstants.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection/XmlExtensions.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs create mode 100644 
test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs create mode 100644 test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs delete mode 100644 test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.kproj create mode 100644 test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json create mode 100644 test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.kproj create mode 100644 test/Microsoft.AspNet.DataProtection.Test.Shared/project.json create mode 100644 test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs create mode 100644 
test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs delete mode 100644 test/Microsoft.AspNet.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs delete mode 100644 test/Microsoft.AspNet.DataProtection.Test/ExceptionHelpers.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs create mode 100644 
test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs diff --git a/DataProtection.sln b/DataProtection.sln index f632e6dc89..2151e23bba 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -9,8 +9,6 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtec EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Azure", "src\Microsoft.AspNet.DataProtection.Azure\Microsoft.AspNet.DataProtection.Azure.kproj", "{DF3671D7-A9B1-45F1-A195-0AD596001735}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Compatibility", "src\Microsoft.AspNet.DataProtection.Compatibility\Microsoft.AspNet.DataProtection.Compatibility.kproj", "{C2FD9D02-AA0E-45FA-8561-EE357A94B73D}" -EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test", "test\Microsoft.AspNet.DataProtection.Test\Microsoft.AspNet.DataProtection.Test.kproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" 
@@ -23,6 +21,16 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptograp EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal.Test", "test\Microsoft.AspNet.Cryptography.Internal.Test\Microsoft.AspNet.Cryptography.Internal.Test.kproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces", "src\Microsoft.AspNet.DataProtection.Interfaces\Microsoft.AspNet.DataProtection.Interfaces.kproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces.Test", "test\Microsoft.AspNet.DataProtection.Interfaces.Test\Microsoft.AspNet.DataProtection.Interfaces.Test.kproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test.Shared", "test\Microsoft.AspNet.DataProtection.Test.Shared\Microsoft.AspNet.DataProtection.Test.Shared.kproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Shared", "src\Microsoft.AspNet.DataProtection.Shared\Microsoft.AspNet.DataProtection.Shared.kproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.SystemWeb", "src\Microsoft.AspNet.DataProtection.SystemWeb\Microsoft.AspNet.DataProtection.SystemWeb.kproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -43,12 +51,6 @@ Global {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.ActiveCfg = Release|Any CPU {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.Build.0 = Release|Any CPU {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|x86.ActiveCfg = Release|Any CPU - {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|Any CPU.Build.0 = Debug|Any CPU - {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Debug|x86.ActiveCfg = Debug|Any CPU - {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|Any CPU.ActiveCfg = Release|Any CPU - {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|Any CPU.Build.0 = Release|Any CPU - {C2FD9D02-AA0E-45FA-8561-EE357A94B73D}.Release|x86.ActiveCfg = Release|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.Build.0 = Debug|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|x86.ActiveCfg = Debug|Any CPU 
@@ -87,6 +89,46 @@ Global {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Release|Any CPU.Build.0 = Release|Any CPU {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Release|x86.ActiveCfg = Release|Any CPU {37053D5F-5B61-47CE-8B72-298CE007FFB0}.Release|x86.Build.0 = Release|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Debug|Any CPU.Build.0 = Debug|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Debug|x86.ActiveCfg = Debug|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Debug|x86.Build.0 = Debug|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Release|Any CPU.ActiveCfg = Release|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Release|Any CPU.Build.0 = Release|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Release|x86.ActiveCfg = Release|Any CPU + {4B115BDE-B253-46A6-97BF-A8B37B344FF2}.Release|x86.Build.0 = Release|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Debug|Any CPU.Build.0 = Debug|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Debug|x86.ActiveCfg = Debug|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Debug|x86.Build.0 = Debug|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Release|Any CPU.ActiveCfg = Release|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Release|Any CPU.Build.0 = Release|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Release|x86.ActiveCfg = Release|Any CPU + {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Release|x86.Build.0 = Release|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|Any CPU.Build.0 = Debug|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|x86.ActiveCfg = Debug|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|x86.Build.0 = Debug|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|Any CPU.ActiveCfg = Release|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|Any 
CPU.Build.0 = Release|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|x86.ActiveCfg = Release|Any CPU + {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|x86.Build.0 = Release|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|Any CPU.Build.0 = Debug|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|x86.ActiveCfg = Debug|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|x86.Build.0 = Debug|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Release|Any CPU.ActiveCfg = Release|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Release|Any CPU.Build.0 = Release|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Release|x86.ActiveCfg = Release|Any CPU + {3277BB22-033F-4010-8131-A515B910CAAD}.Release|x86.Build.0 = Release|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Debug|x86.ActiveCfg = Debug|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Debug|x86.Build.0 = Debug|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Release|Any CPU.Build.0 = Release|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Release|x86.ActiveCfg = Release|Any CPU + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE 
@@ -94,11 +136,15 @@ Global GlobalSection(NestedProjects) = preSolution {1E570CD4-6F12-44F4-961E-005EE2002BC2} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {DF3671D7-A9B1-45F1-A195-0AD596001735} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} - {C2FD9D02-AA0E-45FA-8561-EE357A94B73D} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {E2779976-A28C-4365-A4BB-4AD854FAF23E} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {421F0383-34B1-402D-807B-A94542513ABA} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {42C97F52-8D56-46BD-A712-4F22BED157A7} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {37053D5F-5B61-47CE-8B72-298CE007FFB0} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {4B115BDE-B253-46A6-97BF-A8B37B344FF2} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {FF650A69-DEE4-4B36-9E30-264EE7CFB478} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {4F14BA2A-4F04-4676-8586-EC380977EE2E} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {3277BB22-033F-4010-8131-A515B910CAAD} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} EndGlobalSection EndGlobal diff --git a/makefile.shade b/makefile.shade index 562494d144..bc16f4545f 100644 --- a/makefile.shade +++ b/makefile.shade @@ -1,3 +1,5 @@ +use assembly='WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' +use namespace='System.IO.Packaging' var VERSION='0.1' var FULL_VERSION='0.1' 
@@ -5,3 +7,39 @@ var AUTHORS='Microsoft Open Technologies, Inc.' use-standard-lifecycle k-standard-goals + +#nupkg-patch target='compile' + @{ + var packagePaths = Files.Include("artifacts/build/**/Microsoft.AspNet.DataProtection.SystemWeb.*.nupkg") + .Exclude("**/*.symbols.nupkg"); + foreach (var packagePath in packagePaths) + { + using (var package = Package.Open(packagePath, FileMode.Open, FileAccess.ReadWrite)) + { + CreatePartFromFile( + package, + @"src\Microsoft.AspNet.DataProtection.SystemWeb\web.config.transform", + @"content\web.config.transform"); + } + } + } + +functions + @{ + PackagePart CreatePartFromFile( + Package destination, + string sourceFileName, + string partUriString) + { + var partUri = PackUriHelper.CreatePartUri(new Uri(partUriString, UriKind.Relative)); + var packagePart = destination.CreatePart(partUri, "application/octet", CompressionOption.Maximum); + + using (var sourceStream = File.OpenRead(sourceFileName)) + using (var stream = packagePart.GetStream()) + { + sourceStream.CopyTo(stream); + } + + return packagePart; + } + } diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs index 31d7d468fc..ec2bbd8cc1 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Globalization; using System.Runtime.InteropServices; using Microsoft.AspNet.Cryptography.Internal; 
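Review bot: `CreatePartFromFile` calls `destination.CreatePart(...)` unconditionally, and `Package.CreatePart` throws when a part with that URI already exists, so re-running the `nupkg-patch` target over an already-patched package under `artifacts/build` fails instead of being a no-op. A guard before the `CreatePart` call makes the step repeatable: `if (destination.PartExists(partUri)) { destination.DeletePart(partUri); }`. The content type `"application/octet"` is not a registered media type; `"application/octet-stream"` is presumably what was meant. Because this target rewrites the package after it has been produced, a short comment on `#nupkg-patch` saying why `web.config.transform` is injected post-pack would help anyone auditing what ends up in the shipped .nupkg.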
@@ -14,16 +13,16 @@ namespace Microsoft.AspNet.Cryptography.Cng { // MSDN says these fields represent the key length in bytes. // It's wrong: these key lengths are all actually in bits. - private uint dwMinLength; - private uint dwMaxLength; - private uint dwIncrement; + internal uint dwMinLength; + internal uint dwMaxLength; + internal uint dwIncrement; public void EnsureValidKeyLength(uint keyLengthInBits) { if (!IsValidKeyLength(keyLengthInBits)) { - string message = String.Format(CultureInfo.CurrentCulture, Resources.BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength, keyLengthInBits, dwMinLength, dwMaxLength, dwIncrement); - throw new ArgumentException(message, "keyLengthInBits"); + string message = Resources.FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(keyLengthInBits, dwMinLength, dwMaxLength, dwIncrement); + throw new ArgumentOutOfRangeException(nameof(keyLengthInBits), message); } CryptoUtil.Assert(keyLengthInBits % 8 == 0, "keyLengthInBits % 8 == 0"); } diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs index 3256965416..aeca87fbe5 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs @@ -5,9 +5,14 @@ using System; namespace Microsoft.AspNet.Cryptography.Cng { + /// + /// Wraps utility BCRYPT APIs that don't work directly with handles. + /// internal unsafe static class BCryptUtil { - // helper function that's similar to RNGCryptoServiceProvider, but works directly with pointers + /// + /// Fills a buffer with cryptographically secure random data. + /// public static void GenRandom(byte* pbBuffer, uint cbBuffer) { if (cbBuffer != 0) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs index 78a6bef2f5..f1231ffa6f 100644 
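Review bot: The three length fields in the `BCRYPT_KEY_LENGTHS_STRUCT` hunk go from `private` to `internal` with no comment saying why, and they are exactly the bounds that `EnsureValidKeyLength` trusts. Combined with the assembly's `InternalsVisibleTo` list (extended later in this commit), any friend assembly can now construct or mutate an instance with arbitrary bounds. If the widening exists only so tests can build instances, state that next to the fields, e.g. `// internal so tests can populate the struct; production code treats these as read-only values populated through interop`. The struct declaration and `IsValidKeyLength` are outside the hunk, so how a zero `dwIncrement` is handled there cannot be confirmed from here.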
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
@@ -23,86 +23,27 @@ namespace Microsoft.AspNet.Cryptography.Cng private static CachedAlgorithmInfo _sha512 = new CachedAlgorithmInfo(() => GetHashAlgorithm(algorithm: Constants.BCRYPT_SHA512_ALGORITHM)); private static CachedAlgorithmInfo _sp800_108_ctr_hmac = new CachedAlgorithmInfo(GetSP800_108_CTR_HMACAlgorithm); - public static BCryptAlgorithmHandle AES_CBC - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _aesCbc); - } - } + public static BCryptAlgorithmHandle AES_CBC => CachedAlgorithmInfo.GetAlgorithmHandle(ref _aesCbc); - public static BCryptAlgorithmHandle AES_GCM - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _aesGcm); - } - } + public static BCryptAlgorithmHandle AES_GCM => CachedAlgorithmInfo.GetAlgorithmHandle(ref _aesGcm); - public static BCryptAlgorithmHandle HMAC_SHA1 - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha1); - } - } + public static BCryptAlgorithmHandle HMAC_SHA1 => CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha1); - public static BCryptAlgorithmHandle HMAC_SHA256 - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha256); - } - } + public static BCryptAlgorithmHandle HMAC_SHA256 => CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha256); - public static BCryptAlgorithmHandle HMAC_SHA512 - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha512); - } - } + public static BCryptAlgorithmHandle HMAC_SHA512 => CachedAlgorithmInfo.GetAlgorithmHandle(ref _hmacSha512); // Only available on Win8+. 
- public static BCryptAlgorithmHandle PBKDF2 - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _pbkdf2); - } - } + public static BCryptAlgorithmHandle PBKDF2 => CachedAlgorithmInfo.GetAlgorithmHandle(ref _pbkdf2); - public static BCryptAlgorithmHandle SHA1 - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha1); - } - } + public static BCryptAlgorithmHandle SHA1 => CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha1); - public static BCryptAlgorithmHandle SHA256 - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha256); - } - } + public static BCryptAlgorithmHandle SHA256 => CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha256); - public static BCryptAlgorithmHandle SHA512 - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha512); - } - } + public static BCryptAlgorithmHandle SHA512 => CachedAlgorithmInfo.GetAlgorithmHandle(ref _sha512); - public static BCryptAlgorithmHandle SP800_108_CTR_HMAC - { - get - { - return CachedAlgorithmInfo.GetAlgorithmHandle(ref _sp800_108_ctr_hmac); - } - } + // Only available on Win8+. + public static BCryptAlgorithmHandle SP800_108_CTR_HMAC => CachedAlgorithmInfo.GetAlgorithmHandle(ref _sp800_108_ctr_hmac); private static BCryptAlgorithmHandle GetAesAlgorithm(string chainingMode) { diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs index aace9f7b33..541302a0c9 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs @@ -46,12 +46,12 @@ namespace Microsoft.AspNet.Cryptography.Cng } } - public static bool IsBCryptOnWin7OrLaterAvailable() + public static bool IsWindows() { return (_osVersion >= OSVersion.Win7OrLater); } - public static bool IsBCryptOnWin8OrLaterAvailable() + public static bool IsWindows8OrLater() { return (_osVersion >= OSVersion.Win8OrLater); } 
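Review bot: `PBKDF2` and `SP800_108_CTR_HMAC` carry the comment `// Only available on Win8+.`, but the getters do nothing with that constraint, so a caller on an older OS gets whatever failure the underlying provider lookup produces. This commit adds `CryptoUtil.AssertPlatformIsWindows8OrLater()`; either the factories behind these two properties could call it, or the comments could become doc comments that name the check: `/// Only available on Windows 8 or later; callers should check OSVersionUtil.IsWindows8OrLater() first.` The factory methods are outside this hunk, so an existing check there cannot be ruled out.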
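Review bot: The new name `IsWindows()` claims less than the body checks: it still returns `_osVersion >= OSVersion.Win7OrLater`, so, as far as the enum names show, it is false on a Windows release older than Windows 7. `CryptoUtil.AssertPlatformIsWindows()` in the CryptoUtil.cs hunk has the same mismatch (its comment says "is Windows" while it throws `Resources.Platform_Windows7Required`), and `Pbkdf2Util.GetPbkdf2Provider` now reads `else if (OSVersionUtil.IsWindows())`. Either name them `IsWindows7OrLater` / `AssertPlatformIsWindows7OrLater`, or document the floor on the method: `/// Returns true on Windows 7 / Windows Server 2008 R2 or later; older Windows versions return false.` The `OSVersion` enum and the code that sets `_osVersion` are outside the hunk.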
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs index 14e047c0c2..1b402a834e 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs @@ -6,6 +6,8 @@ using System.Diagnostics; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.Internal; #if !DNXCORE50 using System.Runtime.ConstrainedExecution; @@ -32,6 +34,24 @@ namespace Microsoft.AspNet.Cryptography Assert(safeHandle != null && !safeHandle.IsInvalid, "Safe handle is invalid."); } + // Asserts that the current platform is Windows; throws PlatformNotSupportedException otherwise. + public static void AssertPlatformIsWindows() + { + if (!OSVersionUtil.IsWindows()) + { + throw new PlatformNotSupportedException(Resources.Platform_Windows7Required); + } + } + + // Asserts that the current platform is Windows 8 or above; throws PlatformNotSupportedException otherwise. + public static void AssertPlatformIsWindows8OrLater() + { + if (!OSVersionUtil.IsWindows8OrLater()) + { + throw new PlatformNotSupportedException(Resources.Platform_Windows8Required); + } + } + // This isn't a typical Debug.Fail; an error always occurs, even in retail builds. // This method doesn't return, but since the CLR doesn't allow specifying a 'never' // return type, we mimic it by specifying our return type as Exception. That way diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs index b903a20b6f..51cf267319 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs 
@@ -12,4 +12,5 @@ using System.Runtime.InteropServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation")] [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Interfaces.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs index a33deb5f8a..3732eae0dc 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs @@ -42,6 +42,38 @@ namespace Microsoft.AspNet.Cryptography.Internal return string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); } + /// + /// This operation requires Windows 7 / Windows Server 2008 R2 or later. + /// + internal static string Platform_Windows7Required + { + get { return GetString("Platform_Windows7Required"); } + } + + /// + /// This operation requires Windows 7 / Windows Server 2008 R2 or later. + /// + internal static string FormatPlatform_Windows7Required() + { + return GetString("Platform_Windows7Required"); + } + + /// + /// This operation requires Windows 8 / Windows Server 2012 or later. + /// + internal static string Platform_Windows8Required + { + get { return GetString("Platform_Windows8Required"); } + } + + /// + /// This operation requires Windows 8 / Windows Server 2012 or later. + /// + internal static string FormatPlatform_Windows8Required() + { + return GetString("Platform_Windows8Required"); + } + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); 
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx b/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx index 351535df12..125f619abb 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx +++ b/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx @@ -123,4 +123,10 @@ The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). + + This operation requires Windows 7 / Windows Server 2008 R2 or later. + + + This operation requires Windows 8 / Windows Server 2012 or later. + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs index 8f89eba6bb..76cd840558 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs @@ -10,6 +10,9 @@ using Microsoft.AspNet.Cryptography.Internal; namespace Microsoft.AspNet.Cryptography.SafeHandles { + /// + /// Represents a handle to a BCrypt algorithm provider from which keys and hashes can be created. + /// internal unsafe sealed class BCryptAlgorithmHandle : BCryptHandle { // Called by P/Invoke when returning SafeHandles @@ -20,10 +23,10 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles /// public BCryptHashHandle CreateHash() { - return CreateHashImpl(null, 0); + return CreateHashCore(null, 0); } - private BCryptHashHandle CreateHashImpl(byte* pbKey, uint cbKey) + private BCryptHashHandle CreateHashCore(byte* pbKey, uint cbKey) { BCryptHashHandle retVal; int ntstatus = UnsafeNativeMethods.BCryptCreateHash(this, out retVal, IntPtr.Zero, 0, pbKey, cbKey, dwFlags: 0); 
@@ -40,7 +43,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles public BCryptHashHandle CreateHmac(byte* pbKey, uint cbKey) { Debug.Assert(pbKey != null); - return CreateHashImpl(pbKey, cbKey); + return CreateHashCore(pbKey, cbKey); } /// diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs index f2782aa2fa..f5d227cc1d 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs @@ -6,13 +6,33 @@ using Microsoft.Win32.SafeHandles; namespace Microsoft.AspNet.Cryptography.SafeHandles { - internal sealed class NCryptDescriptorHandle : SafeHandleZeroOrMinusOneIsInvalid + internal unsafe sealed class NCryptDescriptorHandle : SafeHandleZeroOrMinusOneIsInvalid { private NCryptDescriptorHandle() : base(ownsHandle: true) { } + public string GetProtectionDescriptorRuleString() + { + // from ncryptprotect.h + const int NCRYPT_PROTECTION_INFO_TYPE_DESCRIPTOR_STRING = 0x00000001; + + LocalAllocHandle ruleStringHandle; + int ntstatus = UnsafeNativeMethods.NCryptGetProtectionDescriptorInfo( + hDescriptor: this, + pMemPara: IntPtr.Zero, + dwInfoType: NCRYPT_PROTECTION_INFO_TYPE_DESCRIPTOR_STRING, + ppvInfo: out ruleStringHandle); + UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); + CryptoUtil.AssertSafeHandleIsValid(ruleStringHandle); + + using (ruleStringHandle) + { + return new String((char*)ruleStringHandle.DangerousGetHandle()); + } + } + // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. protected override bool ReleaseHandle() { diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs deleted file mode 100644 index dbfc561884..0000000000 
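Review bot: `GetProtectionDescriptorRuleString` builds its result with `new String((char*)ruleStringHandle.DangerousGetHandle())`, which reads until the first NUL with no upper bound, so correctness rests entirely on the native side returning a NUL-terminated UTF-16 buffer. That contract should be written at the call site, e.g. `// ppvInfo is a LocalAlloc'd, NUL-terminated UTF-16 string for NCRYPT_PROTECTION_INFO_TYPE_DESCRIPTOR_STRING`. The raw pointer is also taken without the `DangerousAddRef`/`DangerousRelease` bracket that `UnsafeBufferUtil` uses for `LocalAllocHandle`; inside the `using` on a local handle this looks safe, but a one-line comment saying so would keep the two patterns from being confused. `Marshal.PtrToStringUni(ruleStringHandle.DangerousGetHandle())` would give the same string without marking the whole class `unsafe`.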
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeCertContextHandle.cs +++ /dev/null @@ -1,30 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Runtime.CompilerServices; -using Microsoft.Win32.SafeHandles; - -namespace Microsoft.AspNet.Cryptography.SafeHandles -{ - internal sealed class SafeCertContextHandle : SafeHandleZeroOrMinusOneIsInvalid - { - private SafeCertContextHandle() - : base(ownsHandle: true) - { - } - - public static SafeCertContextHandle CreateDuplicateFrom(IntPtr existingHandle) - { - SafeCertContextHandle newHandle = UnsafeNativeMethods.CertDuplicateCertificateContext(existingHandle); - CryptoUtil.AssertSafeHandleIsValid(newHandle); - return newHandle; - } - - // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. - protected override bool ReleaseHandle() - { - return UnsafeNativeMethods.CertFreeCertificateContext(handle); - } - } -} diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs deleted file mode 100644 index 8898809059..0000000000 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeNCryptKeyHandle.cs +++ /dev/null 
@@ -1,28 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Runtime.InteropServices; -using Microsoft.Win32.SafeHandles; - -#if DNXCORE50 -namespace Microsoft.AspNet.Cryptography.SafeHandles -{ - /// - /// Represents a managed view over an NCRYPT_KEY_HANDLE. - /// - internal class SafeNCryptKeyHandle : SafeHandleZeroOrMinusOneIsInvalid - { - // Called by P/Invoke when returning SafeHandles - protected SafeNCryptKeyHandle() - : base(ownsHandle: true) { } - - // Do not provide a finalizer - SafeHandle's critical finalizer will call ReleaseHandle for you. - protected override bool ReleaseHandle() - { - // TODO: Replace me with a real implementation on CoreClr. - throw new NotImplementedException(); - } - } -} -#endif diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index 67d2072815..f2316b6d37 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs @@ -2,9 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -using System.Security; #if !DNXCORE50 using System.Runtime.ConstrainedExecution; diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs index 2949371fb9..629f4caa19 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs 
@@ -14,8 +14,6 @@ namespace Microsoft.AspNet.Cryptography { internal unsafe static class UnsafeBufferUtil { - private static readonly byte[] _emptyArray = new byte[0]; - [MethodImpl(MethodImplOptions.AggressiveInlining)] #if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] @@ -33,7 +31,7 @@ namespace Microsoft.AspNet.Cryptography { if (byteCount != 0) { - BlockCopyImpl((byte*)from, (byte*)to, byteCount); + BlockCopyCore((byte*)from, (byte*)to, byteCount); } } @@ -60,7 +58,7 @@ namespace Microsoft.AspNet.Cryptography #if !DNXCORE50 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif - public static void BlockCopy(byte* from, LocalAllocHandle to, uint byteCount) + public static void BlockCopy(void* from, LocalAllocHandle to, uint byteCount) { bool refAdded = false; try @@ -95,10 +93,11 @@ namespace Microsoft.AspNet.Cryptography to.DangerousAddRef(ref toRefAdded); if (sizeof(IntPtr) == 4) { - BlockCopyImpl(from: (byte*)from.DangerousGetHandle(), to: (byte*)to.DangerousGetHandle(), byteCount: (uint)length.ToInt32()); - } else + BlockCopyCore(from: (byte*)from.DangerousGetHandle(), to: (byte*)to.DangerousGetHandle(), byteCount: (uint)length.ToInt32()); + } + else { - BlockCopyImpl(from: (byte*)from.DangerousGetHandle(), to: (byte*)to.DangerousGetHandle(), byteCount: (ulong)length.ToInt64()); + BlockCopyCore(from: (byte*)from.DangerousGetHandle(), to: (byte*)to.DangerousGetHandle(), byteCount: (ulong)length.ToInt64()); } } finally 
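Review bot: In the handle-to-handle `BlockCopy` (hunk at -95,10) the 32-bit branch still passes `(uint)length.ToInt32()`, so a negative `length` turns into a very large byte count unless the assembly is compiled checked, and nothing visible compares the count with the size of either allocation. The method starts outside the hunk, so an earlier range check may exist; if not, a guard such as `if (length.ToInt64() < 0) throw new ArgumentOutOfRangeException(nameof(length));` belongs before the copy. The same concern applies to the `BlockCopy(void* from, LocalAllocHandle to, uint byteCount)` overload widened in the hunk at -60,7, and to `BlockCopyCore` in the following hunk, where `Buffer.MemoryCopy(from, to, byteCount, byteCount)` passes the count as the destination size and therefore gets no bounds check from the API. At minimum each overload should carry a doc comment stating that the caller guarantees both buffers hold `byteCount` bytes.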
@@ -115,24 +114,26 @@ namespace Microsoft.AspNet.Cryptography } [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void BlockCopyImpl(byte* from, byte* to, uint byteCount) + private static void BlockCopyCore(byte* from, byte* to, uint byteCount) { #if DNXCORE50 Buffer.MemoryCopy(from, to, (ulong)byteCount, (ulong)byteCount); #else - while (byteCount-- != 0) { + while (byteCount-- != 0) + { to[byteCount] = from[byteCount]; } #endif } [MethodImpl(MethodImplOptions.AggressiveInlining)] - private static void BlockCopyImpl(byte* from, byte* to, ulong byteCount) + private static void BlockCopyCore(byte* from, byte* to, ulong byteCount) { #if DNXCORE50 Buffer.MemoryCopy(from, to, byteCount, byteCount); #else - while (byteCount-- != 0) { + while (byteCount-- != 0) + { to[byteCount] = from[byteCount]; } #endif @@ -209,33 +210,5 @@ namespace Microsoft.AspNet.Cryptography SecureZeroMemory(buffer, (ulong)length.ToInt64()); } } - - /// - /// Creates a new managed byte[] from unmanaged memory. - /// - public static byte[] ToManagedByteArray(byte* ptr, int byteCount) - { - return ToManagedByteArray(ptr, checked((uint)byteCount)); - } - - /// - /// Creates a new managed byte[] from unmanaged memory. - /// - public static byte[] ToManagedByteArray(byte* ptr, uint byteCount) - { - if (byteCount == 0) - { - return _emptyArray; // degenerate case - } - else - { - byte[] bytes = new byte[byteCount]; - fixed (byte* pBytes = bytes) - { - BlockCopy(from: ptr, to: pBytes, byteCount: byteCount); - } - return bytes; - } - } } } diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs index 07769f8dd4..80c9111d46 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs 
@@ -200,44 +200,7 @@ namespace Microsoft.AspNet.Cryptography /* * CRYPT32.DLL */ - - [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DNXCORE50 - [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376045(v=vs.85).aspx - internal static extern SafeCertContextHandle CertDuplicateCertificateContext( - [In] IntPtr pCertContext); - - [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DNXCORE50 - [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376075(v=vs.85).aspx - internal static extern bool CertFreeCertificateContext( - [In] IntPtr pCertContext); - - [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376079(v=vs.85).aspx - internal static extern bool CertGetCertificateContextProperty( - [In] SafeCertContextHandle pCertContext, - [In] uint dwPropId, - [In] void* pvData, - [In, Out] ref uint pcbData); - - [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa379885(v=vs.85).aspx -#if !DNXCORE50 - [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] -#endif - internal static extern bool CryptAcquireCertificatePrivateKey( - [In] SafeCertContextHandle pCert, - [In] uint dwFlags, - [In] void* pvParameters, - [Out] out SafeNCryptKeyHandle phCryptProvOrNCryptKey, - [Out] out uint pdwKeySpec, - [Out] out bool pfCallerFreeProvOrNCryptKey); - + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx internal static extern bool CryptProtectData( 
@@ -301,16 +264,12 @@ namespace Microsoft.AspNet.Cryptography [Out] out NCryptDescriptorHandle phDescriptor); [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] - // http://msdn.microsoft.com/en-us/library/windows/desktop/aa376249(v=vs.85).aspx - internal static extern int NCryptDecrypt( - [In] SafeNCryptKeyHandle hKey, - [In] byte* pbInput, - [In] uint cbInput, - [In] void* pPaddingInfo, - [In] byte* pbOutput, - [In] uint cbOutput, - [Out] out uint pcbResult, - [In] NCryptEncryptFlags dwFlags); + // https://msdn.microsoft.com/en-us/library/windows/desktop/hh706801(v=vs.85).aspx + internal static extern int NCryptGetProtectionDescriptorInfo( + [In] NCryptDescriptorHandle hDescriptor, + [In] IntPtr pMemPara, + [In] uint dwInfoType, + [Out] out LocalAllocHandle ppvInfo); [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706802(v=vs.85).aspx @@ -336,6 +295,18 @@ namespace Microsoft.AspNet.Cryptography [Out] out LocalAllocHandle ppbData, [Out] out uint pcbData); + [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] + // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706811(v=vs.85).aspx + internal static extern int NCryptUnprotectSecret( + [Out] out NCryptDescriptorHandle phDescriptor, + [In] uint dwFlags, + [In] byte* pbProtectedBlob, + [In] uint cbProtectedBlob, + [In] IntPtr pMemPara, + [In] IntPtr hWnd, + [Out] out LocalAllocHandle ppbData, + [Out] out uint pcbData); + /* * HELPER FUNCTIONS */ diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs index 8e2a4db593..3bb818b433 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs 
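Review bot: The added `NCryptUnprotectSecret` import returns the unprotected secret in a plain `LocalAllocHandle` (`ppbData`), and nothing on the declaration tells callers that this buffer holds plaintext key material. A comment above the import would make the obligation explicit: `// ppbData receives the plaintext secret; zero it (UnsafeBufferUtil.SecureZeroMemory) before the handle is released, and dispose phDescriptor`. Both `out` SafeHandles are owned by the caller, including on paths where only the descriptor is wanted. The callers are outside this page, so whether they already do this cannot be confirmed.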
@@ -6,8 +6,24 @@ using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; namespace Microsoft.AspNet.Cryptography.KeyDerivation { + /// + /// Provides algorithms for performing key derivation. + /// public static class KeyDerivation { + /// + /// Performs key derivation using the PBKDF2 algorithm. + /// + /// The password from which to derive the key. + /// The salt to be used during the key derivation process. + /// The pseudo-random function to be used in the key derivation process. + /// The number of iterations of the pseudo-random function to apply + /// during the key derivation process. + /// The desired length (in bytes) of the derived key. + /// The derived key. + /// + /// The PBKDF2 algorithm is specified in RFC 2898. + /// public static byte[] Pbkdf2(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) { // parameter checking diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs index 3e0d1a0c3a..26ce118b15 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs @@ -16,11 +16,11 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 private static IPbkdf2Provider GetPbkdf2Provider() { // In priority order, our three implementations are Win8, Win7, and "other". - if (OSVersionUtil.IsBCryptOnWin8OrLaterAvailable()) + if (OSVersionUtil.IsWindows8OrLater()) { // fastest implementation return new Win8Pbkdf2Provider(); - } else if (OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + } else if (OSVersionUtil.IsWindows()) { // acceptable implementation return new Win7Pbkdf2Provider(); diff --git a/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs index df31596d09..777a9654ea 100644 
--- a/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs @@ -9,6 +9,7 @@ using System.Net; using System.Runtime.ExceptionServices; using System.Xml.Linq; using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.Framework.Internal; using Microsoft.Framework.OptionsModel; using Microsoft.WindowsAzure.Storage; using Microsoft.WindowsAzure.Storage.Blob; @@ -49,7 +50,7 @@ namespace Microsoft.AspNet.DataProtection.Azure { var blobRef = GetKeyRingBlockBlobReference(); XDocument document = ReadDocumentFromStorage(blobRef); - return document?.Root.Elements().ToArray() ?? new XElement[0]; + return (IReadOnlyCollection)document?.Root.Elements().ToList().AsReadOnly() ?? new XElement[0]; } private XDocument ReadDocumentFromStorage(CloudBlockBlob blobRef) diff --git a/src/Microsoft.AspNet.DataProtection.Azure/NotNullAttribute.cs b/src/Microsoft.AspNet.DataProtection.Azure/NotNullAttribute.cs deleted file mode 100644 index 05b991841e..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Azure/NotNullAttribute.cs +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.DataProtection.Azure -{ - [AttributeUsage(AttributeTargets.Parameter, AllowMultiple = false)] - internal sealed class NotNullAttribute : Attribute - { - } -} diff --git a/src/Microsoft.AspNet.DataProtection.Azure/project.json b/src/Microsoft.AspNet.DataProtection.Azure/project.json index 159333396b..38fe54a39b 100644 --- a/src/Microsoft.AspNet.DataProtection.Azure/project.json +++ b/src/Microsoft.AspNet.DataProtection.Azure/project.json 
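Review bot: The rewritten return statement in the `@@ -49,7 +50,7 @@` hunk still dereferences `Root` unconditionally: `document?.Root.Elements()` short-circuits only when `document` itself is null, so a document without a root element would surface as a NullReferenceException rather than the empty fallback. Writing `document?.Root?.Elements()` lets that case fall through to `new XElement[0]`. The enclosing method's signature and the body of `ReadDocumentFromStorage` are outside the hunk, so it cannot be ruled out that a root element is always guaranteed by the time this line runs.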
@@ -3,6 +3,7 @@ "description": "ASP.NET 5 blob storage repository for DataProtection.", "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", + "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, "WindowsAzure.Storage": "4.3.0" }, "frameworks": { diff --git a/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectionProviderHelper.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectionProviderHelper.cs deleted file mode 100644 index 0237a782a0..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectionProviderHelper.cs +++ /dev/null 
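Review bot: The added `Microsoft.Framework.NotNullAttribute.Internal` entry is a `"type": "build"` dependency with the floating version `1.0.0-*`, so, as far as the build type implies, the code pulled into this assembly is whatever prerelease the configured feeds serve at restore time. That matches the existing `Microsoft.AspNet.DataProtection` entry, but for a dependency that is consumed at build time it is worth pinning an exact version, as `WindowsAzure.Storage` is pinned to `4.3.0`, or relying on a lock file. Either keeps builds of a data-protection component reproducible and makes a changed upstream package visible in review.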
@@ -1,49 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; -using System.Threading; - -namespace Microsoft.AspNet.DataProtection.Compatibility -{ - internal sealed class DataProtectionProviderHelper - { - private IDataProtectionProvider _dataProtectionProvider; - - private DataProtectionProviderHelper() { } // can only be instantaited by self - - public static IDataProtectionProvider GetDataProtectionProvider(ref DataProtectionProviderHelper helperRef, IFactorySupportFunctions supportFunctions) - { - // First, make sure that only one thread ever initializes the helper instance. - var helper = Volatile.Read(ref helperRef); - if (helper == null) - { - var newHelper = new DataProtectionProviderHelper(); - helper = Interlocked.CompareExchange(ref helperRef, newHelper, null) ?? newHelper; - } - - // Has the provider already been created? - var provider = Volatile.Read(ref helper._dataProtectionProvider); - if (provider == null) - { - // Since the helper is accessed by reference, all threads should agree on the one true helper - // instance, so this lock is global given a particular reference. This is an implementation - // of the double-check lock pattern. - lock (helper) - { - provider = Volatile.Read(ref helper._dataProtectionProvider); - if (provider == null) - { - provider = supportFunctions.CreateDataProtectionProvider(); - Volatile.Write(ref helper._dataProtectionProvider, provider); - } - } - } - - // And we're done! - Debug.Assert(provider != null); - return provider; - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtector.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtector.cs deleted file mode 100644 index b05407d92f..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtector.cs +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; -using System.Security.Cryptography; - -namespace Microsoft.AspNet.DataProtection.Compatibility -{ - public sealed class DataProtector : DataProtector, IFactorySupportFunctions - where T : class, IDataProtectionProviderFactory, new() - { - private static DataProtectionProviderHelper _staticHelper; - private DataProtectorHelper _helper; - - public DataProtector(string applicationName, string primaryPurpose, string[] specificPurposes) - : base(applicationName, primaryPurpose, specificPurposes) - { - } - - protected override bool PrependHashedPurposeToPlaintext - { - get - { - return false; - } - } - - private IDataProtector GetCachedDataProtector() - { - var dataProtectionProvider = DataProtectionProviderHelper.GetDataProtectionProvider(ref _staticHelper, this); - return DataProtectorHelper.GetDataProtector(ref _helper, dataProtectionProvider, this); - } - - public override bool IsReprotectRequired(byte[] encryptedData) - { - return false; - } - - protected override byte[] ProviderProtect(byte[] userData) - { - return GetCachedDataProtector().Protect(userData); - } - - protected override byte[] ProviderUnprotect(byte[] encryptedData) - { - return GetCachedDataProtector().Unprotect(encryptedData); - } - - IDataProtectionProvider IFactorySupportFunctions.CreateDataProtectionProvider() - { - IDataProtectionProviderFactory factory = Activator.CreateInstance(); - IDataProtectionProvider dataProtectionProvider = factory.CreateDataProtectionProvider(); - Debug.Assert(dataProtectionProvider != null); - return dataProtectionProvider; - } - - IDataProtector IFactorySupportFunctions.CreateDataProtector(IDataProtectionProvider dataProtectionProvider) - { - Debug.Assert(dataProtectionProvider != null); - - IDataProtector dataProtector = 
dataProtectionProvider.CreateProtector(ApplicationName).CreateProtector(PrimaryPurpose); - foreach (string specificPurpose in SpecificPurposes) - { - dataProtector = dataProtector.CreateProtector(specificPurpose); - } - - Debug.Assert(dataProtector != null); - return dataProtector; - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectorHelper.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectorHelper.cs deleted file mode 100644 index 62e756a442..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Compatibility/DataProtectorHelper.cs +++ /dev/null 
@@ -1,49 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; -using System.Threading; - -namespace Microsoft.AspNet.DataProtection.Compatibility -{ - internal sealed class DataProtectorHelper - { - private IDataProtector _dataProtector; - - private DataProtectorHelper() { } // can only be instantaited by self - - public static IDataProtector GetDataProtector(ref DataProtectorHelper helperRef, IDataProtectionProvider protectionProvider, IFactorySupportFunctions supportFunctions) - { - // First, make sure that only one thread ever initializes the helper instance. - var helper = Volatile.Read(ref helperRef); - if (helper == null) - { - var newHelper = new DataProtectorHelper(); - helper = Interlocked.CompareExchange(ref helperRef, newHelper, null) ?? newHelper; - } - - // Has the protector already been created? - var protector = Volatile.Read(ref helper._dataProtector); - if (protector == null) - { - // Since the helper is accessed by reference, all threads should agree on the one true helper - // instance, so this lock is global given a particular reference. This is an implementation - // of the double-check lock pattern. - lock (helper) - { - protector = Volatile.Read(ref helper._dataProtector); - if (protector == null) - { - protector = supportFunctions.CreateDataProtector(protectionProvider); - Volatile.Write(ref helper._dataProtector, protector); - } - } - } - - // And we're done! - Debug.Assert(protector != null); - return protector; - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection.Compatibility/IFactorySupportFunctions.cs b/src/Microsoft.AspNet.DataProtection.Compatibility/IFactorySupportFunctions.cs deleted file mode 100644 index 1adc41e58f..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Compatibility/IFactorySupportFunctions.cs +++ /dev/null 
@@ -1,14 +0,0 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
-// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-
-using System;
-
-namespace Microsoft.AspNet.DataProtection.Compatibility
-{
- internal interface IFactorySupportFunctions
- {
- IDataProtectionProvider CreateDataProtectionProvider();
-
- IDataProtector CreateDataProtector(IDataProtectionProvider dataProtectionProvider);
- }
-}
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/CryptoUtil.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/CryptoUtil.cs
new file mode 100644
index 0000000000..a6c7fc2d9f
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection.Interfaces/CryptoUtil.cs
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Diagnostics;
+using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ internal static class CryptoUtil
+ {
+ // This isn't a typical Debug.Fail; an error always occurs, even in retail builds.
+ // This method doesn't return, but since the CLR doesn't allow specifying a 'never'
+ // return type, we mimic it by specifying our return type as Exception. That way
+ // callers can write 'throw Fail(...);' to make the C# compiler happy, as the
+ // throw keyword is implicitly of type O.
+ [MethodImpl(MethodImplOptions.NoInlining)]
+ public static Exception Fail(string message)
+ {
+ Debug.Fail(message);
+ throw new CryptographicException("Assertion failed: " + message);
+ }
+
+ // Allows callers to write "var x = Method() ?? Fail(message);" as a convenience to guard
+ // against a method returning null unexpectedly.
+ [MethodImpl(MethodImplOptions.NoInlining)]
+ public static T Fail(string message) where T : class
+ {
+ throw Fail(message);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs
new file mode 100644
index 0000000000..291ab59633
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs
@@ -0,0 +1,124 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Diagnostics; +using Microsoft.AspNet.DataProtection.Interfaces; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Helpful extension methods for data protection APIs. + /// + public static class DataProtectionExtensions + { + /// + /// Creates an given a list of purposes. + /// + /// The from which to generate the purpose chain. + /// The list of purposes which contribute to the purpose chain. This list must + /// contain at least one element, and it may not contain null elements. + /// An tied to the provided purpose chain. + /// + /// This is a convenience method which chains together several calls to + /// . See that method's + /// documentation for more information. + /// + public static IDataProtector CreateProtector([NotNull] this IDataProtectionProvider provider, [NotNull] IEnumerable purposes) + { + bool collectionIsEmpty = true; + IDataProtectionProvider retVal = provider; + foreach (string purpose in purposes) + { + if (purpose == null) + { + throw new ArgumentException(Resources.DataProtectionExtensions_NullPurposesCollection, nameof(purposes)); + } + retVal = retVal.CreateProtector(purpose) ?? CryptoUtil.Fail("CreateProtector returned null."); + collectionIsEmpty = false; + } + + if (collectionIsEmpty) + { + throw new ArgumentException(Resources.DataProtectionExtensions_NullPurposesCollection, nameof(purposes)); + } + + Debug.Assert(retVal is IDataProtector); // CreateProtector is supposed to return an instance of this interface + return (IDataProtector)retVal; + } + + /// + /// Creates an given a list of purposes. + /// + /// The from which to generate the purpose chain. + /// The primary purpose used to create the . 
+ /// An optional list of secondary purposes which contribute to the purpose chain. + /// If this list is provided it cannot contain null elements. + /// An tied to the provided purpose chain. + /// + /// This is a convenience method which chains together several calls to + /// . See that method's + /// documentation for more information. + /// + public static IDataProtector CreateProtector([NotNull] this IDataProtectionProvider provider, [NotNull] string purpose, params string[] subPurposes) + { + // The method signature isn't simply CreateProtector(this IDataProtectionProvider, params string[] purposes) + // because we don't want the code provider.CreateProtector() [parameterless] to inadvertently compile. + // The actual signature for this method forces at least one purpose to be provided at the call site. + + IDataProtector protector = provider.CreateProtector(purpose); + if (subPurposes != null && subPurposes.Length > 0) + { + protector = protector?.CreateProtector((IEnumerable)subPurposes); + } + return protector ?? CryptoUtil.Fail("CreateProtector returned null."); + } + + /// + /// Cryptographically protects a piece of plaintext data. + /// + /// The data protector to use for this operation. + /// The plaintext data to protect. + /// The protected form of the plaintext data. + public static string Protect([NotNull] this IDataProtector protector, [NotNull] string plaintext) + { + try + { + byte[] plaintextAsBytes = EncodingUtil.SecureUtf8Encoding.GetBytes(plaintext); + byte[] protectedDataAsBytes = protector.Protect(plaintextAsBytes); + return WebEncoders.Base64UrlEncode(protectedDataAsBytes); + } + catch (Exception ex) when (ex.RequiresHomogenization()) + { + // Homogenize exceptions to CryptographicException + throw Error.CryptCommon_GenericError(ex); + } + } + + /// + /// Cryptographically unprotects a piece of protected data. + /// + /// The data protector to use for this operation. + /// The protected data to unprotect. 
+ /// The plaintext form of the protected data. + /// + /// This method will throw CryptographicException if the input is invalid or malformed. + /// + public static string Unprotect([NotNull] this IDataProtector protector, [NotNull] string protectedData) + { + try + { + byte[] protectedDataAsBytes = WebEncoders.Base64UrlDecode(protectedData); + byte[] plaintextAsBytes = protector.Unprotect(protectedDataAsBytes); + return EncodingUtil.SecureUtf8Encoding.GetString(plaintextAsBytes); + } + catch (Exception ex) when (ex.RequiresHomogenization()) + { + // Homogenize exceptions to CryptographicException + throw Error.CryptCommon_GenericError(ex); + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Error.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/Error.cs new file mode 100644 index 0000000000..e479a1b833 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Error.cs @@ -0,0 +1,23 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Microsoft.AspNet.DataProtection.Interfaces; + +namespace Microsoft.AspNet.DataProtection +{ + internal static class Error + { + public static CryptographicException CryptCommon_GenericError(Exception inner = null) + { + return new CryptographicException(Resources.CryptCommon_GenericError, inner); + } + + public static CryptographicException CryptCommon_PayloadInvalid() + { + string message = Resources.CryptCommon_PayloadInvalid; + return new CryptographicException(message); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/IApplicationDiscriminator.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/IApplicationDiscriminator.cs new file mode 100644 index 0000000000..232780a311 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/IApplicationDiscriminator.cs 
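Review bot: The string overloads of `Protect` and `Unprotect` attach the original failure as the inner exception of the generic CryptographicException, and the doc comments never tell callers that this inner exception still carries the specific cause. The uniform outer message only helps if that detail stays out of responses, so I would add to the remarks on `Unprotect` something like `/// The inner exception holds the specific failure and is meant for logging only; do not return it to the remote caller.` Which exceptions get wrapped depends on `RequiresHomogenization()`, which is not shown in this hunk, so the existing remark that the method throws CryptographicException on invalid input may need the same qualification.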
@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ ///
+ /// Provides information used to discriminate applications.
+ ///
+ public interface IApplicationDiscriminator
+ {
+ ///
+ /// An identifier that uniquely discriminates this application from all other
+ /// applications on the machine.
+ ///
+ string Discriminator { get; }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtectionProvider.cs
new file mode 100644
index 0000000000..cc06dbadf0
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtectionProvider.cs
@@ -0,0 +1,29 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ ///
+ /// An interface that can be used to create instances.
+ ///
+ public interface IDataProtectionProvider
+ {
+ ///
+ /// Creates an given a purpose.
+ ///
+ ///
+ /// The purpose to be assigned to the newly-created .
+ ///
+ /// An IDataProtector tied to the provided purpose.
+ ///
+ /// The parameter must be unique for the intended use case; two
+ /// different instances created with two different
+ /// values will not be able to decipher each other's payloads. The parameter
+ /// value is not intended to be kept secret.
+ ///
+ IDataProtector CreateProtector([NotNull] string purpose);
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/IDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtector.cs similarity index 68% rename from src/Microsoft.AspNet.DataProtection/IDataProtector.cs rename to src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtector.cs index 28a0d571b3..89dd31d759 100644 --- a/src/Microsoft.AspNet.DataProtection/IDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtector.cs @@ -2,6 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Security.Cryptography; +using Microsoft.Framework.Internal; namespace Microsoft.AspNet.DataProtection { @@ -13,19 +15,18 @@ namespace Microsoft.AspNet.DataProtection /// /// Cryptographically protects a piece of plaintext data. /// - /// The plaintext data to protect. + /// The plaintext data to protect. /// The protected form of the plaintext data. - byte[] Protect(byte[] unprotectedData); + byte[] Protect([NotNull] byte[] plaintext); /// /// Cryptographically unprotects a piece of protected data. /// /// The protected data to unprotect. /// The plaintext form of the protected data. - /// - /// Implementations should throw CryptographicException if the protected data is - /// invalid or malformed. - /// - byte[] Unprotect(byte[] protectedData); + /// + /// Thrown if the protected data is invalid or malformed. + /// + byte[] Unprotect([NotNull] byte[] protectedData); } } diff --git a/src/Microsoft.AspNet.DataProtection.Compatibility/Microsoft.AspNet.DataProtection.Compatibility.kproj b/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.kproj similarity index 94% rename from src/Microsoft.AspNet.DataProtection.Compatibility/Microsoft.AspNet.DataProtection.Compatibility.kproj rename to src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.kproj index 24ce7cf3b8..2937e9a8f7 100644 
--- a/src/Microsoft.AspNet.DataProtection.Compatibility/Microsoft.AspNet.DataProtection.Compatibility.kproj +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.kproj @@ -6,7 +6,7 @@ - C2FD9D02-AA0E-45FA-8561-EE357A94B73D + 4b115bde-b253-46a6-97bf-a8b37b344ff2 ..\..\artifacts\obj\$(MSBuildProjectName) ..\..\artifacts\bin\$(MSBuildProjectName)\ diff --git a/src/Microsoft.AspNet.DataProtection.Compatibility/IDataProtectionProviderFactory.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs similarity index 51% rename from src/Microsoft.AspNet.DataProtection.Compatibility/IDataProtectionProviderFactory.cs rename to src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs index f470d7827a..57b7412919 100644 --- a/src/Microsoft.AspNet.DataProtection.Compatibility/IDataProtectionProviderFactory.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs @@ -2,11 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Runtime.CompilerServices; -namespace Microsoft.AspNet.DataProtection.Compatibility -{ - public interface IDataProtectionProviderFactory - { - IDataProtectionProvider CreateDataProtectionProvider(); - } -} +// for unit testing +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Interfaces.Test")] diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs new file mode 100644 index 0000000000..9c0eed3510 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs 
@@ -0,0 +1,78 @@ +// +namespace Microsoft.AspNet.DataProtection.Interfaces +{ + using System.Globalization; + using System.Reflection; + using System.Resources; + + internal static class Resources + { + private static readonly ResourceManager _resourceManager + = new ResourceManager("Microsoft.AspNet.DataProtection.Interfaces.Resources", typeof(Resources).GetTypeInfo().Assembly); + + /// + /// The payload was invalid. + /// + internal static string CryptCommon_PayloadInvalid + { + get { return GetString("CryptCommon_PayloadInvalid"); } + } + + /// + /// The payload was invalid. + /// + internal static string FormatCryptCommon_PayloadInvalid() + { + return GetString("CryptCommon_PayloadInvalid"); + } + + /// + /// The purposes collection cannot be null or empty and cannot contain null elements. + /// + internal static string DataProtectionExtensions_NullPurposesCollection + { + get { return GetString("DataProtectionExtensions_NullPurposesCollection"); } + } + + /// + /// The purposes collection cannot be null or empty and cannot contain null elements. + /// + internal static string FormatDataProtectionExtensions_NullPurposesCollection() + { + return GetString("DataProtectionExtensions_NullPurposesCollection"); + } + + /// + /// An error occurred during a cryptographic operation. + /// + internal static string CryptCommon_GenericError + { + get { return GetString("CryptCommon_GenericError"); } + } + + /// + /// An error occurred during a cryptographic operation. + /// + internal static string FormatCryptCommon_GenericError() + { + return GetString("CryptCommon_GenericError"); + } + + private static string GetString(string name, params string[] formatterNames) + { + var value = _resourceManager.GetString(name); + + System.Diagnostics.Debug.Assert(value != null); + + if (formatterNames != null) + { + for (var i = 0; i < formatterNames.Length; i++) + { + value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); + } + } + + return value; + } + } +} 
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx b/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx new file mode 100644 index 0000000000..84fa596602 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx @@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 2.0 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + The payload was invalid. + + + The purposes collection cannot be null or empty and cannot contain null elements. + + + An error occurred during a cryptographic operation. + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection/WebEncoders.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/WebEncoders.cs similarity index 95% rename from src/Microsoft.AspNet.DataProtection/WebEncoders.cs rename to src/Microsoft.AspNet.DataProtection.Interfaces/WebEncoders.cs index c963b0c4b4..17d225f9d1 100644 --- a/src/Microsoft.AspNet.DataProtection/WebEncoders.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/WebEncoders.cs @@ -18,7 +18,7 @@ namespace Microsoft.AspNet.DataProtection /// The input must not contain any whitespace or padding characters. /// Throws FormatException if the input is malformed. /// - public static byte[] Base64UrlDecode([NotNull] string input) + public static byte[] Base64UrlDecode(string input) { // Assumption: input is base64url encoded without padding and contains no whitespace. 
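Review bot: Dropping `[NotNull]` from `Base64UrlDecode` here, and from `Base64UrlEncode` in the next hunk, removes the only declared null contract on these two public methods, and no replacement check is visible. `Base64UrlEncode` reads `input.Length` as its first statement, so a null argument would surface as a NullReferenceException; the body of `Base64UrlDecode` continues outside this hunk, so the same is only presumed there. If the attribute had to go for build reasons, an explicit guard such as `if (input == null) { throw new ArgumentNullException(nameof(input)); }` at the top of both methods keeps the failure an argument error.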
@@ -56,7 +56,7 @@ namespace Microsoft.AspNet.DataProtection /// /// The binary input to encode. /// The base64url-encoded form of the input. - public static string Base64UrlEncode([NotNull] byte[] input) + public static string Base64UrlEncode(byte[] input) { // Special-case empty input if (input.Length == 0) @@ -126,7 +126,7 @@ namespace Microsoft.AspNet.DataProtection case 3: return 1; default: - throw new FormatException("TODO: Malformed input."); + throw Error.CryptCommon_PayloadInvalid(); // not valid base64 } } } diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/project.json b/src/Microsoft.AspNet.DataProtection.Interfaces/project.json new file mode 100644 index 0000000000..f8543204e6 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/project.json @@ -0,0 +1,25 @@ +{ + "version": "1.0.0-*", + "description": "Contains the core IDataProtector and IDataProtectionProvider interfaces for ASP.NET 5 Data Protection.", + "dependencies": { + "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, + "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" } + }, + "frameworks": { + "net451": { }, + "dnx451": { }, + "dnxcore50": { + "dependencies": { + "System.Diagnostics.Debug": "4.0.10-beta-*", + "System.Reflection": "4.0.10-beta-*", + "System.Resources.ResourceManager": "4.0.0-beta-*", + "System.Runtime.Extensions": "4.0.10-beta-*", + "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Text.Encoding.Extensions": "4.0.10-beta-*" + } + } + }, + "compilationOptions": { + "warningsAsErrors": true + } +} diff --git a/src/Microsoft.AspNet.DataProtection/EncodingUtil.cs b/src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs similarity index 91% rename from src/Microsoft.AspNet.DataProtection/EncodingUtil.cs rename to src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs index 0966289874..46571e69ab 100644 --- a/src/Microsoft.AspNet.DataProtection/EncodingUtil.cs 
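Review bot: The `default:` branch in the third WebEncoders.cs hunk now throws `Error.CryptCommon_PayloadInvalid()`, a CryptographicException, but the doc comment on `Base64UrlDecode` (context lines of the first hunk in this file) still reads "Throws FormatException if the input is malformed." Assuming this switch is reached from the decoder, callers that catch FormatException around decoding would stop matching this path. I would change the comment to `/// Throws CryptographicException if the input is malformed.`, or name both types if other decoder paths outside these hunks still raise FormatException. The method containing the switch starts outside the hunk.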
+++ b/src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs @@ -6,7 +6,7 @@ using System.Text; namespace Microsoft.AspNet.DataProtection { - internal unsafe static class EncodingUtil + internal static class EncodingUtil { // UTF8 encoding that fails on invalid chars public static readonly UTF8Encoding SecureUtf8Encoding = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true); diff --git a/src/Microsoft.AspNet.DataProtection/ExceptionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection/ExceptionExtensions.cs rename to src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs diff --git a/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.kproj b/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.kproj new file mode 100644 index 0000000000..081f013085 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 3277bb22-033f-4010-8131-a515b910caad + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/src/Microsoft.AspNet.DataProtection.Shared/project.json b/src/Microsoft.AspNet.DataProtection.Shared/project.json new file mode 100644 index 0000000000..96df0952d9 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Shared/project.json 
@@ -0,0 +1,20 @@
+{
+ "version": "1.0.0-*",
+ "description": "ASP.NET 5 Data Protection shared code.",
+ "dependencies": {
+ },
+ "frameworks": {
+ "net451": { },
+ "dnx451": { },
+ "dnxcore50": {
+ "dependencies": {
+ "System.Security.Cryptography.Encryption": "4.0.0-beta-*",
+ "System.Text.Encoding.Extensions": "4.0.10-beta-*"
+ }
+ }
+ },
+ "shared": "**\\*.cs",
+ "compilationOptions": {
+ "warningsAsErrors": true
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs
new file mode 100644
index 0000000000..5bf5b5b6d4
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs
@@ -0,0 +1,82 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.ComponentModel; +using System.Configuration; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.DataProtection.SystemWeb +{ + /// + /// A that can be used by ASP.NET 4.x to interact with ASP.NET 5's + /// DataProtection stack. This type is for internal use only and shouldn't be directly used by + /// developers. + /// + [EditorBrowsable(EditorBrowsableState.Never)] + public sealed class CompatibilityDataProtector : DataProtector + { + private static readonly Lazy _lazyProtectionProvider = new Lazy(CreateProtectionProvider); + + private readonly Lazy _lazyProtector; + + public CompatibilityDataProtector(string applicationName, string primaryPurpose, string[] specificPurposes) + : base("application-name", "primary-purpose", null) // we feed dummy values to the base ctor + { + // We don't want to evaluate the IDataProtectionProvider factory quite yet, + // as we'd rather defer failures to the call to Protect so that we can bubble + // up a good error message to the developer. + + _lazyProtector = new Lazy(() => _lazyProtectionProvider.Value.CreateProtector(primaryPurpose, specificPurposes)); + } + + // We take care of flowing purposes ourselves. 
+ protected override bool PrependHashedPurposeToPlaintext { get; } = false; + + private static IDataProtectionProvider CreateProtectionProvider() + { + // Read from the startup type we need to use, then create it + const string APPSETTINGS_KEY = "aspnet:dataProtectionStartupType"; + string startupTypeName = ConfigurationManager.AppSettings[APPSETTINGS_KEY]; + if (String.IsNullOrEmpty(startupTypeName)) + { + // fall back to default startup type if one hasn't been specified in config + startupTypeName = typeof(DataProtectionStartup).AssemblyQualifiedName; + } + Type startupType = Type.GetType(startupTypeName, throwOnError: true); + var startupInstance = (DataProtectionStartup)Activator.CreateInstance(startupType); + + // Use it to initialize the system. + return startupInstance.InternalConfigureServicesAndCreateProtectionProvider(); + } + + public override bool IsReprotectRequired(byte[] encryptedData) + { + // Nobody ever calls this. + return false; + } + + protected override byte[] ProviderProtect(byte[] userData) + { + try + { + return _lazyProtector.Value.Protect(userData); + } + catch (Exception ex) + { + // System.Web special-cases ConfigurationException errors and allows them to bubble + // up to the developer without being homogenized. Since a call to Protect should + // never fail, any exceptions here really do imply a misconfiguration. + +#pragma warning disable CS0618 // Type or member is obsolete + throw new ConfigurationException(Resources.DataProtector_ProtectFailed, ex); +#pragma warning restore CS0618 // Type or member is obsolete + } + } + + protected override byte[] ProviderUnprotect(byte[] encryptedData) + { + return _lazyProtector.Value.Unprotect(encryptedData); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs new file mode 100644 index 0000000000..b6792c9882 --- /dev/null 
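Review bot: In `CreateProtectionProvider`, `Activator.CreateInstance(startupType)` runs before the cast to `DataProtectionStartup`, so an `aspnet:dataProtectionStartupType` value that resolves to an unrelated type has its constructor executed and then fails with an InvalidCastException that does not name the setting. Checking first, `if (!typeof(DataProtectionStartup).IsAssignableFrom(startupType)) { throw new InvalidOperationException(/* message naming the appSettings key */); }`, rejects the type before any of its code runs. Separately, the constructor never uses `applicationName`. A comment saying that application isolation comes from the discriminator configured by the startup type, not from this argument, would help the next reader.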
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs 
@@ -0,0 +1,94 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Configuration; +using System.Web; +using System.Web.Configuration; +using Microsoft.Framework.DependencyInjection; + +namespace Microsoft.AspNet.DataProtection.SystemWeb +{ + /// + /// Allows controlling the configuration of the ASP.NET 5 Data Protection system. + /// + /// + /// Developers should not call these APIs directly. Instead, developers should subclass + /// this type and override the + /// method or methods + /// as appropriate. + /// + public class DataProtectionStartup + { + /// + /// Configures services used by the Data Protection system. + /// + /// A mutable collection of services. + /// + /// Developers may override this method to change the default behaviors of + /// the Data Protection system. + /// + public virtual void ConfigureServices(IServiceCollection services) + { + // InternalConfigureServices already takes care of default configuration. + // The reason we don't configure default logic in this method is that we don't + // want to punish the developer for forgetting to call base.ConfigureServices + // from within his own override. + } + + /// + /// Creates a new instance of an . + /// + /// A collection of services from which to create the . + /// An . + /// + /// Developers should generally override the + /// method instead of this method. + /// + public virtual IDataProtectionProvider CreateDataProtectionProvider(IServiceProvider services) + { + return services.GetRequiredService(); + } + + /// + /// Provides a default implementation of required services, calls the developer's + /// configuration overrides, then creates an . 
+ /// + internal IDataProtectionProvider InternalConfigureServicesAndCreateProtectionProvider() + { + var services = new ServiceCollection(); + services.AddDataProtection(); + services.Configure(options => + { + // Try reading the discriminator from defined + // at the web app root. If the value was set explicitly (even if the value is empty), + // honor it as the discriminator. Otherwise, fall back to the metabase config path. + var machineKeySection = (MachineKeySection)WebConfigurationManager.GetWebApplicationSection("system.web/machineKey"); + if (machineKeySection.ElementInformation.Properties["applicationName"].ValueOrigin != PropertyValueOrigin.Default) + { + options.ApplicationDiscriminator = machineKeySection.ApplicationName; + } + else + { + options.ApplicationDiscriminator = HttpRuntime.AppDomainAppId; + } + + if (String.IsNullOrEmpty(options.ApplicationDiscriminator)) + { + options.ApplicationDiscriminator = null; // homogenize to null + } + }); + + // Run configuration and get an instance of the provider. + ConfigureServices(services); + var provider = CreateDataProtectionProvider(services.BuildServiceProvider()); + if (provider == null) + { + throw new InvalidOperationException(Resources.Startup_CreateProviderReturnedNull); + } + + // And we're done! + return provider; + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.kproj b/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.kproj new file mode 100644 index 0000000000..07283ae05e --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + e3552deb-4173-43ae-bf69-3c10dff3bab6 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + 
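Review bot: In `InternalConfigureServicesAndCreateProtectionProvider`, an explicitly empty `applicationName` on the `system.web/machineKey` section is honored and then homogenized to a null `ApplicationDiscriminator`, and the comments do not say what that means for isolation. If a null discriminator means no per-application separation, which is how the `IApplicationDiscriminator` documentation in this commit reads, applications sharing a key store could unprotect each other's payloads. I would state that on the final `if`, e.g. `// null disables per-application isolation; only safe when the key store is not shared between applications`. `HttpRuntime.AppDomainAppId` can also be null outside a hosted web application, which takes the same path.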
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/Resources.Designer.cs new file mode 100644 index 0000000000..2a33533a17 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/Resources.Designer.cs 
@@ -0,0 +1,62 @@ +// +namespace Microsoft.AspNet.DataProtection.SystemWeb +{ + using System.Globalization; + using System.Reflection; + using System.Resources; + + internal static class Resources + { + private static readonly ResourceManager _resourceManager + = new ResourceManager("Microsoft.AspNet.DataProtection.SystemWeb.Resources", typeof(Resources).GetTypeInfo().Assembly); + + /// + /// A call to Protect failed. This most likely means that the data protection system is misconfigured. See the inner exception for more information. + /// + internal static string DataProtector_ProtectFailed + { + get { return GetString("DataProtector_ProtectFailed"); } + } + + /// + /// A call to Protect failed. This most likely means that the data protection system is misconfigured. See the inner exception for more information. + /// + internal static string FormatDataProtector_ProtectFailed() + { + return GetString("DataProtector_ProtectFailed"); + } + + /// + /// The CreateDataProtectionProvider method returned null. + /// + internal static string Startup_CreateProviderReturnedNull + { + get { return GetString("Startup_CreateProviderReturnedNull"); } + } + + /// + /// The CreateDataProtectionProvider method returned null. + /// + internal static string FormatStartup_CreateProviderReturnedNull() + { + return GetString("Startup_CreateProviderReturnedNull"); + } + + private static string GetString(string name, params string[] formatterNames) + { + var value = _resourceManager.GetString(name); + + System.Diagnostics.Debug.Assert(value != null); + + if (formatterNames != null) + { + for (var i = 0; i < formatterNames.Length; i++) + { + value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); + } + } + + return value; + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Resources.resx b/src/Microsoft.AspNet.DataProtection.SystemWeb/Resources.resx new file mode 100644 index 0000000000..0923e71d3c --- /dev/null 
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/Resources.resx @@ -0,0 +1,126 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 2.0 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + A call to Protect failed. This most likely means that the data protection system is misconfigured. See the inner exception for more information. + + + The CreateDataProtectionProvider method returned null. + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Compatibility/project.json b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json similarity index 58% rename from src/Microsoft.AspNet.DataProtection.Compatibility/project.json rename to src/Microsoft.AspNet.DataProtection.SystemWeb/project.json index 519529f83f..620beafd64 100644 --- a/src/Microsoft.AspNet.DataProtection.Compatibility/project.json +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json @@ -4,10 +4,13 @@ "frameworks": { "net451": { "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*" + "Microsoft.AspNet.DataProtection": "1.0.0-*", + "Microsoft.Framework.DependencyInjection": "1.0.0-*" }, "frameworkAssemblies": { - "System.Security": "4.0.0.0" + "System.Configuration": "4.0.0.0", + "System.Security": "4.0.0.0", + "System.Web": "4.0.0.0" } } }, diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/web.config.transform b/src/Microsoft.AspNet.DataProtection.SystemWeb/web.config.transform new file mode 100644 index 0000000000..470f2ca79c --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/web.config.transform @@ -0,0 +1,14 @@ + + + + + + + + + + 
diff --git a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
new file mode 100644
index 0000000000..5801287b72
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
@@ -0,0 +1,86 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Reflection; +using Microsoft.AspNet.Cryptography; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Extension methods for working with . + /// + internal static class ActivatorExtensions + { + /// + /// Creates an instance of and ensures + /// that it is assignable to . + /// + public static T CreateInstance(this IActivator activator, [NotNull] string implementationTypeName) + where T : class + { + return activator.CreateInstance(typeof(T), implementationTypeName) as T + ?? CryptoUtil.Fail("CreateInstance returned null."); + } + + /// + /// Returns a given an . + /// Guaranteed to return non-null, even if is null. + /// + public static IActivator GetActivator(this IServiceProvider serviceProvider) + { + return (serviceProvider != null) + ? (serviceProvider.GetService() ?? new SimpleActivator(serviceProvider)) + : SimpleActivator.DefaultWithoutServices; + } + + /// + /// A simplified default implementation of that understands + /// how to call ctors which take . + /// + private sealed class SimpleActivator : IActivator + { + /// + /// A default whose wrapped is null. + /// + internal static readonly SimpleActivator DefaultWithoutServices = new SimpleActivator(null); + + private readonly IServiceProvider _services; + + public SimpleActivator(IServiceProvider services) + { + _services = services; + } + + public object CreateInstance(Type expectedBaseType, string implementationTypeName) + { + // Would the assignment even work? 
+ var implementationType = Type.GetType(implementationTypeName, throwOnError: true); + expectedBaseType.AssertIsAssignableFrom(implementationType); + + // If no IServiceProvider was specified, prefer .ctor() [if it exists] + if (_services == null) + { + var ctorParameterless = implementationType.GetConstructor(Type.EmptyTypes); + if (ctorParameterless != null) + { + return Activator.CreateInstance(implementationType); + } + } + + // If an IServiceProvider was specified or if .ctor() doesn't exist, prefer .ctor(IServiceProvider) [if it exists] + var ctorWhichTakesServiceProvider = implementationType.GetConstructor(new Type[] { typeof(IServiceProvider) }); + if (ctorWhichTakesServiceProvider != null) + { + return ctorWhichTakesServiceProvider.Invoke(new[] { _services }); + } + + // Finally, prefer .ctor() as an ultimate fallback. + // This will throw if the ctor cannot be called. + return Activator.CreateInstance(implementationType); + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs b/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs new file mode 100644 index 0000000000..43db6a0021 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs @@ -0,0 +1,13 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Signifies that the should bind this property from the registry. + /// + [AttributeUsage(AttributeTargets.Property, AllowMultiple = false, Inherited = false)] + internal sealed class ApplyPolicyAttribute : Attribute { } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs new file mode 100644 index 0000000000..2687a34a8f --- /dev/null 
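Review bot: `SimpleActivator.CreateInstance` calls `Type.GetType(implementationTypeName, throwOnError: true)` before `AssertIsAssignableFrom` runs, so the name is resolved (and, for an assembly-qualified name, its assembly may be loaded) even when the type is then rejected. The hunk does not show where `implementationTypeName` comes from; if it is read from persisted key material or machine policy, whoever can write that store chooses which type gets constructed, limited only by the assignability check. I would state the trust requirement on the method, for example `// implementationTypeName must come from a trusted source: it selects the type that is loaded and constructed.`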
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs 
@@ -0,0 +1,55 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Cryptography; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +{ + internal static class AlgorithmAssert + { + // Our analysis re: IV collision resistance for CBC only holds if we're working with block ciphers + // with a block length of 64 bits or greater. + private const uint SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BITS = 64; + + // Min security bar: encryption algorithm must have a min 128-bit key. + private const uint SYMMETRIC_ALG_MIN_KEY_LENGTH_IN_BITS = 128; + + // Min security bar: authentication tag must have at least 128 bits of output. + private const uint HASH_ALG_MIN_DIGEST_LENGTH_IN_BITS = 128; + + // Since we're performing some stack allocs based on these buffers, make sure we don't explode. + private const uint MAX_SIZE_IN_BITS = Constants.MAX_STACKALLOC_BYTES * 8; + + public static void IsAllowableSymmetricAlgorithmBlockSize(uint blockSizeInBits) + { + if (!IsValidCore(blockSizeInBits, SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BITS)) + { + throw new InvalidOperationException(Resources.FormatAlgorithmAssert_BadBlockSize(blockSizeInBits)); + } + } + + public static void IsAllowableSymmetricAlgorithmKeySize(uint keySizeInBits) + { + if (!IsValidCore(keySizeInBits, SYMMETRIC_ALG_MIN_KEY_LENGTH_IN_BITS)) + { + throw new InvalidOperationException(Resources.FormatAlgorithmAssert_BadKeySize(keySizeInBits)); + } + } + + public static void IsAllowableValidationAlgorithmDigestSize(uint digestSizeInBits) + { + if (!IsValidCore(digestSizeInBits, HASH_ALG_MIN_DIGEST_LENGTH_IN_BITS)) + { + throw new InvalidOperationException(Resources.FormatAlgorithmAssert_BadDigestSize(digestSizeInBits)); + } + } + + private static bool IsValidCore(uint value, uint minValue) + { + return (value % 8 == 0) // must be whole bytes + && 
(value >= minValue) // must meet our basic security requirements + && (value <= MAX_SIZE_IN_BITS); // mustn't overflow our stack + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs new file mode 100644 index 0000000000..da90f3b5b5 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs 
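Review bot: The 64-bit floor in `SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BITS` lets a 64-bit block cipher through, and the comment justifies that with an analysis that is neither stated nor linked. With CBC and a 64-bit block, block collisions become likely after roughly 2^32 blocks under one key, so the floor is only safe if each encryption key protects a limited amount of data; that is presumably guaranteed by key derivation elsewhere, but nothing in this file shows it. I would record the assumption next to the constant, e.g. `// Assumes each derived encryption key protects far fewer than 2^32 blocks; revisit if subkey derivation changes.`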
@@ -0,0 +1,200 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +{ + /// + /// Options for configuring authenticated encryption algorithms. + /// + public sealed class AuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions + { + /// + /// The algorithm to use for symmetric encryption (confidentiality). + /// + /// + /// The default value is . + /// + public EncryptionAlgorithm EncryptionAlgorithm { get; set; } = EncryptionAlgorithm.AES_256_CBC; + + /// + /// The algorithm to use for message authentication (tamper-proofing). + /// + /// + /// The default value is . + /// This property is ignored if specifies a 'GCM' algorithm. + /// + public ValidationAlgorithm ValidationAlgorithm { get; set; } = ValidationAlgorithm.HMACSHA256; + + /// + /// Validates that this is well-formed, i.e., + /// that the specified algorithms actually exist and that they can be instantiated properly. + /// An exception will be thrown if validation fails. + /// + public void Validate() + { + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. 
+ var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8)); + try + { + encryptor.PerformSelfTest(); + } + finally + { + (encryptor as IDisposable)?.Dispose(); + } + } + + /* + * HELPER ROUTINES + */ + + internal IAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) + { + return CreateImplementationOptions() + .ToConfiguration() + .CreateDescriptorFromSecret(secret) + .CreateEncryptorInstance(); + } + + internal IInternalAuthenticatedEncryptionOptions CreateImplementationOptions() + { + if (IsGcmAlgorithm(EncryptionAlgorithm)) + { + // GCM requires CNG, and CNG is only supported on Windows. + if (!OSVersionUtil.IsWindows()) + { + throw new PlatformNotSupportedException(Resources.Platform_WindowsRequiredForGcm); + } + return new CngGcmAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = GetBCryptAlgorithmName(EncryptionAlgorithm), + EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm) + }; + } + else + { + if (OSVersionUtil.IsWindows()) + { + // CNG preferred over managed implementations if running on Windows + return new CngCbcAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = GetBCryptAlgorithmName(EncryptionAlgorithm), + EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm), + HashAlgorithm = GetBCryptAlgorithmName(ValidationAlgorithm) + }; + } + else + { + // Use managed implementations as a fallback + return new ManagedAuthenticatedEncryptionOptions() + { + EncryptionAlgorithmType = GetManagedTypeForAlgorithm(EncryptionAlgorithm), + EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm), + ValidationAlgorithmType = GetManagedTypeForAlgorithm(ValidationAlgorithm) + }; + } + } + } + + private static int GetAlgorithmKeySizeInBits(EncryptionAlgorithm algorithm) + { + switch (algorithm) + { + case EncryptionAlgorithm.AES_128_CBC: + case EncryptionAlgorithm.AES_128_GCM: + return 128; + + case EncryptionAlgorithm.AES_192_CBC: + case 
EncryptionAlgorithm.AES_192_GCM: + return 192; + + case EncryptionAlgorithm.AES_256_CBC: + case EncryptionAlgorithm.AES_256_GCM: + return 256; + + default: + throw new ArgumentOutOfRangeException(nameof(algorithm)); + } + } + + private static string GetBCryptAlgorithmName(EncryptionAlgorithm algorithm) + { + switch (algorithm) + { + case EncryptionAlgorithm.AES_128_CBC: + case EncryptionAlgorithm.AES_192_CBC: + case EncryptionAlgorithm.AES_256_CBC: + case EncryptionAlgorithm.AES_128_GCM: + case EncryptionAlgorithm.AES_192_GCM: + case EncryptionAlgorithm.AES_256_GCM: + return Constants.BCRYPT_AES_ALGORITHM; + + default: + throw new ArgumentOutOfRangeException(nameof(algorithm)); + } + } + + private static string GetBCryptAlgorithmName(ValidationAlgorithm algorithm) + { + switch (algorithm) + { + case ValidationAlgorithm.HMACSHA256: + return Constants.BCRYPT_SHA256_ALGORITHM; + + case ValidationAlgorithm.HMACSHA512: + return Constants.BCRYPT_SHA512_ALGORITHM; + + default: + throw new ArgumentOutOfRangeException(nameof(algorithm)); + } + } + + private static Type GetManagedTypeForAlgorithm(EncryptionAlgorithm algorithm) + { + switch (algorithm) + { + case EncryptionAlgorithm.AES_128_CBC: + case EncryptionAlgorithm.AES_192_CBC: + case EncryptionAlgorithm.AES_256_CBC: + case EncryptionAlgorithm.AES_128_GCM: + case EncryptionAlgorithm.AES_192_GCM: + case EncryptionAlgorithm.AES_256_GCM: + return typeof(Aes); + + default: + throw new ArgumentOutOfRangeException(nameof(algorithm)); + } + } + + private static Type GetManagedTypeForAlgorithm(ValidationAlgorithm algorithm) + { + switch (algorithm) + { + case ValidationAlgorithm.HMACSHA256: + return typeof(HMACSHA256); + + case ValidationAlgorithm.HMACSHA512: + return typeof(HMACSHA512); + + default: + throw new ArgumentOutOfRangeException(nameof(algorithm)); + } + } + + internal static bool IsGcmAlgorithm(EncryptionAlgorithm algorithm) + { + return (EncryptionAlgorithm.AES_128_GCM <= algorithm && algorithm <= 
EncryptionAlgorithm.AES_256_GCM); + } + + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() + { + return new AuthenticatedEncryptorConfiguration(this); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs index 3941cb2e5f..56261ad27d 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs @@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { @@ -31,5 +31,25 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption return retVal; } } + + /// + /// Performs a self-test of this encryptor by running a sample payload through an + /// encrypt-then-decrypt operation. Throws if the operation fails. + /// + public static void PerformSelfTest(this IAuthenticatedEncryptor encryptor) + { + // Arrange + Guid plaintextAsGuid = Guid.NewGuid(); + byte[] plaintextAsBytes = plaintextAsGuid.ToByteArray(); + byte[] aad = Guid.NewGuid().ToByteArray(); + + // Act + byte[] protectedData = encryptor.Encrypt(new ArraySegment(plaintextAsBytes), new ArraySegment(aad)); + byte[] roundTrippedData = encryptor.Decrypt(new ArraySegment(protectedData), new ArraySegment(aad)); + + // Assert + CryptoUtil.Assert(roundTrippedData != null && roundTrippedData.Length == plaintextAsBytes.Length && plaintextAsGuid == new Guid(roundTrippedData), + "Plaintext did not round-trip properly through the authenticated encryptor."); + } } } 
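Review bot: `Validate()` passes `Secret.Random(512 / 8)` straight into `CreateAuthenticatedEncryptorInstance` and only disposes the encryptor in the `finally`, so the temporary secret itself is never released deterministically. `Secret` is defined outside this hunk; if it is disposable and the descriptor copies it rather than taking ownership, I would hold it in a local and dispose it as well, e.g. `using (var secret = Secret.Random(512 / 8))` around the existing try/finally. The same pattern appears in `CngCbcAuthenticatedEncryptionOptions.Validate()` in the `@@ -66,124 +72,109 @@` hunk, where `CreateAuthenticatedEncryptorInstance` visibly copies its input with `new Secret(secret)`.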
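Review bot: `PerformSelfTest` only proves that an untouched payload decrypts; it never checks that a modified payload is refused, so an encryptor that encrypts correctly but does not authenticate would pass and `Validate()` would report the configuration as good. I would add a negative case after the round-trip assert: flip one byte of `protectedData`, call `Decrypt` with the same `aad`, and fail the self-test if it returns normally. The sketch below assumes `Decrypt` signals an authentication failure by throwing `CryptographicException`, which is not visible in this hunk and should be confirmed against the interface contract.

```csharp
// … unchanged: Arrange / Act / round-trip assert …

// Negative check: a modified payload must not decrypt.
byte[] tamperedData = (byte[])protectedData.Clone();
tamperedData[tamperedData.Length - 1] ^= 0x01;
bool tamperingRejected = false;
try
{
    encryptor.Decrypt(new ArraySegment<byte>(tamperedData), new ArraySegment<byte>(aad));
}
catch (System.Security.Cryptography.CryptographicException)
{
    // NOTE(review): assumed failure type; confirm against IAuthenticatedEncryptor.Decrypt
    tamperingRejected = true;
}
CryptoUtil.Assert(tamperingRejected,
    "A modified payload was accepted by the authenticated encryptor.");
```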
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs similarity index 53% rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs rename to src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs index b403c37203..feacc7996b 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs @@ -5,15 +5,16 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Cng; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { /// /// Options for configuring an authenticated encryption mechanism which uses - /// Windows CNG algorithms in CBC encryption + HMAC validation modes. + /// Windows CNG algorithms in CBC encryption + HMAC authentication modes. /// - public sealed class CngCbcAuthenticatedEncryptorConfigurationOptions : IInternalConfigurationOptions + public sealed class CngCbcAuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions { /// /// The name of the algorithm to use for symmetric encryption. 
@@ -21,9 +22,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption /// This property is required to have a value. /// /// - /// The algorithm must support CBC-style encryption and must have a block size of 64 bits or greater. + /// The algorithm must support CBC-style encryption and must have a block size of 64 bits + /// or greater. /// The default value is 'AES'. /// + [ApplyPolicy] public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; /// @@ -34,6 +37,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption /// /// The default value is null. /// + [ApplyPolicy] public string EncryptionAlgorithmProvider { get; set; } = null; /// @@ -44,6 +48,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption /// The key length must be 128 bits or greater. /// The default value is 256. /// + [ApplyPolicy] public int EncryptionAlgorithmKeySize { get; set; } = 256; /// @@ -56,6 +61,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption /// of 128 bits or greater. /// The default value is 'SHA256'. /// + [ApplyPolicy] public string HashAlgorithm { get; set; } = Constants.BCRYPT_SHA256_ALGORITHM; /// 
@@ -66,124 +72,109 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption /// /// The default value is null. /// + [ApplyPolicy] public string HashAlgorithmProvider { get; set; } = null; /// - /// Makes a duplicate of this object, which allows the original object to remain mutable. + /// Validates that this is well-formed, i.e., + /// that the specified algorithms actually exist and that they can be instantiated properly. + /// An exception will be thrown if validation fails. /// - internal CngCbcAuthenticatedEncryptorConfigurationOptions Clone() + public void Validate() { - return new CngCbcAuthenticatedEncryptorConfigurationOptions() + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. + using (var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8))) { - EncryptionAlgorithm = this.EncryptionAlgorithm, - EncryptionAlgorithmKeySize = this.EncryptionAlgorithmKeySize, - EncryptionAlgorithmProvider = this.EncryptionAlgorithmProvider, - HashAlgorithm = this.HashAlgorithm, - HashAlgorithmProvider = this.HashAlgorithmProvider - }; + encryptor.PerformSelfTest(); + } } - internal IAuthenticatedEncryptor CreateAuthenticatedEncryptor([NotNull] ISecret secret) + /* + * HELPER ROUTINES + */ + + internal CbcAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) { - // Create the encryption object - string encryptionAlgorithm = GetPropertyValueNotNullOrEmpty(EncryptionAlgorithm, nameof(EncryptionAlgorithm)); - string encryptionAlgorithmProvider = GetPropertyValueNormalizeToNull(EncryptionAlgorithmProvider); - uint encryptionAlgorithmKeySizeInBits = GetKeySizeInBits(EncryptionAlgorithmKeySize); - BCryptAlgorithmHandle encryptionAlgorithmHandle = GetEncryptionAlgorithmHandleAndCheckKeySize(encryptionAlgorithm, encryptionAlgorithmProvider, encryptionAlgorithmKeySizeInBits); - - // Create the validation object - string hashAlgorithm = 
GetPropertyValueNotNullOrEmpty(HashAlgorithm, nameof(HashAlgorithm)); - string hashAlgorithmProvider = GetPropertyValueNormalizeToNull(HashAlgorithmProvider); - BCryptAlgorithmHandle hashAlgorithmHandle = GetHashAlgorithmHandle(hashAlgorithm, hashAlgorithmProvider); - - // and we're good to go! return new CbcAuthenticatedEncryptor( keyDerivationKey: new Secret(secret), - symmetricAlgorithmHandle: encryptionAlgorithmHandle, - symmetricAlgorithmKeySizeInBytes: encryptionAlgorithmKeySizeInBits / 8, - hmacAlgorithmHandle: hashAlgorithmHandle); + symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(), + symmetricAlgorithmKeySizeInBytes: (uint)(EncryptionAlgorithmKeySize / 8), + hmacAlgorithmHandle: GetHmacAlgorithmHandle()); } - private static BCryptAlgorithmHandle GetEncryptionAlgorithmHandleAndCheckKeySize(string encryptionAlgorithm, string encryptionAlgorithmProvider, uint keyLengthInBits) + private BCryptAlgorithmHandle GetHmacAlgorithmHandle() { + // basic argument checking + if (String.IsNullOrEmpty(HashAlgorithm)) + { + throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(HashAlgorithm)); + } + BCryptAlgorithmHandle algorithmHandle = null; // Special-case cached providers - if (encryptionAlgorithmProvider == null) + if (HashAlgorithmProvider == null) { - if (encryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_CBC; } + if (HashAlgorithm == Constants.BCRYPT_SHA1_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA1; } + else if (HashAlgorithm == Constants.BCRYPT_SHA256_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA256; } + else if (HashAlgorithm == Constants.BCRYPT_SHA512_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA512; } } // Look up the provider dynamically if we couldn't fetch a cached instance if (algorithmHandle == null) { - algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(encryptionAlgorithm, encryptionAlgorithmProvider); - 
algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_CBC); - } - - // make sure we're using a block cipher with an appropriate block size - uint cipherBlockSizeInBytes = algorithmHandle.GetCipherBlockLength(); - CryptoUtil.Assert(cipherBlockSizeInBytes >= CbcAuthenticatedEncryptor.SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES, - "cipherBlockSizeInBytes >= CbcAuthenticatedEncryptor.SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES"); - - // make sure the provided key length is valid - algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength(keyLengthInBits); - - // all good! - return algorithmHandle; - } - - private static BCryptAlgorithmHandle GetHashAlgorithmHandle(string hashAlgorithm, string hashAlgorithmProvider) - { - BCryptAlgorithmHandle algorithmHandle = null; - - // Special-case cached providers - if (hashAlgorithmProvider == null) - { - if (hashAlgorithm == Constants.BCRYPT_SHA1_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA1; } - else if (hashAlgorithm == Constants.BCRYPT_SHA256_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA256; } - else if (hashAlgorithm == Constants.BCRYPT_SHA512_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA512; } - } - - // Look up the provider dynamically if we couldn't fetch a cached instance - if (algorithmHandle == null) - { - algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hashAlgorithmProvider, hmac: true); + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(HashAlgorithm, HashAlgorithmProvider, hmac: true); } // Make sure we're using a hash algorithm. We require a minimum 128-bit digest. uint digestSize = algorithmHandle.GetHashDigestLength(); - CryptoUtil.Assert(digestSize >= CbcAuthenticatedEncryptor.HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES, - "digestSize >= CbcAuthenticatedEncryptor.HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES"); + AlgorithmAssert.IsAllowableValidationAlgorithmDigestSize(checked(digestSize * 8)); // all good! 
return algorithmHandle; } - private static uint GetKeySizeInBits(int value) + private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle() { - CryptoUtil.Assert(value >= 0, "value >= 0"); - CryptoUtil.Assert(value % 8 == 0, "value % 8 == 0"); - return (uint)value; - } - - private static string GetPropertyValueNormalizeToNull(string value) - { - return (String.IsNullOrEmpty(value)) ? null : value; - } - - private static string GetPropertyValueNotNullOrEmpty(string value, string propertyName) - { - if (String.IsNullOrEmpty(value)) + // basic argument checking + if (String.IsNullOrEmpty(EncryptionAlgorithm)) { - throw Error.Common_PropertyCannotBeNullOrEmpty(propertyName); + throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithm)); } - return value; + if (EncryptionAlgorithmKeySize < 0) + { + throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); + } + + BCryptAlgorithmHandle algorithmHandle = null; + + // Special-case cached providers + if (EncryptionAlgorithmProvider == null) + { + if (EncryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_CBC; } + } + + // Look up the provider dynamically if we couldn't fetch a cached instance + if (algorithmHandle == null) + { + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(EncryptionAlgorithm, EncryptionAlgorithmProvider); + algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_CBC); + } + + // make sure we're using a block cipher with an appropriate key size & block size + AlgorithmAssert.IsAllowableSymmetricAlgorithmBlockSize(checked(algorithmHandle.GetCipherBlockLength() * 8)); + AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked((uint)EncryptionAlgorithmKeySize)); + + // make sure the provided key length is valid + algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength((uint)EncryptionAlgorithmKeySize); + + // all good! 
+ return algorithmHandle; } - IAuthenticatedEncryptor IInternalConfigurationOptions.CreateAuthenticatedEncryptor(ISecret secret) + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() { - return CreateAuthenticatedEncryptor(secret); + return new CngCbcAuthenticatedEncryptorConfiguration(this); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs deleted file mode 100644 index dc4b3b7a89..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfiguration.cs +++ /dev/null 
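Review bot: The provider-name normalisation was dropped in `GetHmacAlgorithmHandle` and `GetSymmetricBlockCipherAlgorithmHandle`: the removed code ran both provider properties through `GetPropertyValueNormalizeToNull`, while the new code tests `HashAlgorithmProvider == null` / `EncryptionAlgorithmProvider == null` and hands the raw value to `OpenAlgorithmHandle`. An empty string (which the `ToXml` deleted in this commit wrote via `?? String.Empty`, and which an `[ApplyPolicy]`-bound property could plausibly receive) now skips the cached handle and reaches the provider lookup as `""`; how `OpenAlgorithmHandle` treats that is not shown here. I would normalise once at the top of each method, e.g. `string provider = String.IsNullOrEmpty(HashAlgorithmProvider) ? null : HashAlgorithmProvider;`, and use `provider` for both the cache check and the open call.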
@@ -1,76 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.XmlEncryption; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - internal sealed class CngCbcAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration - { - internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/2014/dataProtection/cng"); - internal static readonly XName CbcEncryptorElementName = XmlNamespace.GetName("cbcEncryptor"); - internal static readonly XName EncryptionElementName = XmlNamespace.GetName("encryption"); - internal static readonly XName SecretElementName = XmlNamespace.GetName("secret"); - internal static readonly XName ValidationElementName = XmlNamespace.GetName("validation"); - - private readonly CngCbcAuthenticatedEncryptorConfigurationOptions _options; - private readonly ISecret _secret; - - public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptorConfigurationOptions options, ISecret secret) - { - _options = options; - _secret = secret; - } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return _options.CreateAuthenticatedEncryptor(_secret); - } - - private XElement EncryptSecret(IXmlEncryptor encryptor) - { - // First, create the inner element. - XElement secretElement; - byte[] plaintextSecret = new byte[_secret.Length]; - try - { - _secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); - secretElement = new XElement(SecretElementName, Convert.ToBase64String(plaintextSecret)); - } - finally - { - Array.Clear(plaintextSecret, 0, plaintextSecret.Length); - } - - // Then encrypt it and wrap it in another element. 
- var encryptedSecretElement = encryptor.Encrypt(secretElement); - CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptedSecretElement.Attribute("decryptor")), - @"TODO: encryption was invalid."); - - return new XElement(SecretElementName, encryptedSecretElement); - } - - public XElement ToXml([NotNull] IXmlEncryptor xmlEncryptor) - { - // - // - // - // ... - // - - return new XElement(CbcEncryptorElementName, - new XAttribute("reader", typeof(CngCbcAuthenticatedEncryptorConfigurationXmlReader).AssemblyQualifiedName), - new XElement(EncryptionElementName, - new XAttribute("algorithm", _options.EncryptionAlgorithm), - new XAttribute("provider", _options.EncryptionAlgorithmProvider ?? String.Empty), - new XAttribute("keyLength", _options.EncryptionAlgorithmKeySize)), - new XElement(ValidationElementName, - new XAttribute("algorithm", _options.HashAlgorithm), - new XAttribute("provider", _options.HashAlgorithmProvider ?? String.Empty)), - EncryptSecret(xmlEncryptor)); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs deleted file mode 100644 index a82760350f..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationFactory.cs +++ /dev/null 
@@ -1,30 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.Framework.OptionsModel; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - /// - /// A factory that is able to create a CNG-based IAuthenticatedEncryptor - /// using CBC encryption + HMAC validation. - /// - public unsafe sealed class CngCbcAuthenticatedEncryptorConfigurationFactory : IAuthenticatedEncryptorConfigurationFactory - { - private readonly CngCbcAuthenticatedEncryptorConfigurationOptions _options; - - public CngCbcAuthenticatedEncryptorConfigurationFactory([NotNull] IOptions optionsAccessor) - { - _options = optionsAccessor.Options.Clone(); - } - - public IAuthenticatedEncryptorConfiguration CreateNewConfiguration() - { - // generate a 512-bit secret randomly - const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = Secret.Random(KDK_SIZE_IN_BYTES); - return new CngCbcAuthenticatedEncryptorConfiguration(_options, secret); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs deleted file mode 100644 index c799c3823c..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorConfigurationXmlReader.cs +++ /dev/null 
@@ -1,68 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Linq; -using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.XmlEncryption; -using Microsoft.Framework.DependencyInjection; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - internal sealed class CngCbcAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader - { - private readonly IServiceProvider _serviceProvider; - - public CngCbcAuthenticatedEncryptorConfigurationXmlReader( - [NotNull] IServiceProvider serviceProvider) - { - _serviceProvider = serviceProvider; - } - - public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element) - { - // - // - // - // ... - // - - CryptoUtil.Assert(element.Name == CngCbcAuthenticatedEncryptorConfiguration.CbcEncryptorElementName, - @"TODO: Bad element."); - - var options = new CngCbcAuthenticatedEncryptorConfigurationOptions(); - - // read element - var encryptionElement = element.Element(CngCbcAuthenticatedEncryptorConfiguration.EncryptionElementName); - options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); - options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); - options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); - - // read element - var validationElement = element.Element(CngCbcAuthenticatedEncryptorConfiguration.ValidationElementName); - options.HashAlgorithm = (string)validationElement.Attribute("algorithm"); - options.HashAlgorithmProvider = (string)validationElement.Attribute("provider"); - - // read the child of the element, then decrypt it - var encryptedSecretElement = element.Element(CngCbcAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single(); - var 
secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor"); - var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true); - var secretElementDecryptor = (IXmlDecryptor)ActivatorUtilities.CreateInstance(_serviceProvider, secretElementDecryptorType); - var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement); - CryptoUtil.Assert(decryptedSecretElement.Name == CngCbcAuthenticatedEncryptorConfiguration.SecretElementName, - @"TODO: Bad element."); - - byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement); - try - { - var secret = new Secret(decryptedSecretBytes); - return new CngCbcAuthenticatedEncryptorConfiguration(options, secret); - } - finally - { - Array.Clear(decryptedSecretBytes, 0, decryptedSecretBytes.Length); - } - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs new file mode 100644 index 0000000000..c9b1f38b84 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs 
@@ -0,0 +1,123 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.Cng; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +{ + /// + /// Options for configuring an authenticated encryption mechanism which uses + /// Windows CNG algorithms in GCM encryption + authentication modes. + /// + public sealed class CngGcmAuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions + { + /// + /// The name of the algorithm to use for symmetric encryption. + /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. + /// This property is required to have a value. + /// + /// + /// The algorithm must support CBC-style encryption and must have a block size exactly + /// 128 bits. + /// The default value is 'AES'. + /// + [ApplyPolicy] + public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; + + /// + /// The name of the provider which contains the implementation of the symmetric encryption algorithm. + /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. + /// This property is optional. + /// + /// + /// The default value is null. + /// + [ApplyPolicy] + public string EncryptionAlgorithmProvider { get; set; } = null; + + /// + /// The length (in bits) of the key that will be used for symmetric encryption. + /// This property is required to have a value. + /// + /// + /// The key length must be 128 bits or greater. + /// The default value is 256. 
+ /// + [ApplyPolicy] + public int EncryptionAlgorithmKeySize { get; set; } = 256; + + /// + /// Validates that this is well-formed, i.e., + /// that the specified algorithm actually exists and can be instantiated properly. + /// An exception will be thrown if validation fails. + /// + public void Validate() + { + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. + using (var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8))) + { + encryptor.PerformSelfTest(); + } + } + + /* + * HELPER ROUTINES + */ + + internal GcmAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) + { + return new GcmAuthenticatedEncryptor( + keyDerivationKey: new Secret(secret), + symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(), + symmetricAlgorithmKeySizeInBytes: (uint)(EncryptionAlgorithmKeySize / 8)); + } + + private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle() + { + // basic argument checking + if (String.IsNullOrEmpty(EncryptionAlgorithm)) + { + throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithm)); + } + if (EncryptionAlgorithmKeySize < 0) + { + throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); + } + + BCryptAlgorithmHandle algorithmHandle = null; + + // Special-case cached providers + if (EncryptionAlgorithmProvider == null) + { + if (EncryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_GCM; } + } + + // Look up the provider dynamically if we couldn't fetch a cached instance + if (algorithmHandle == null) + { + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(EncryptionAlgorithm, EncryptionAlgorithmProvider); + algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_GCM); + } + + // make sure we're using a block cipher with an appropriate key size & block size + CryptoUtil.Assert(algorithmHandle.GetCipherBlockLength() == 128 / 8, "GCM 
requires a block cipher algorithm with a 128-bit block size."); + AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked((uint)EncryptionAlgorithmKeySize)); + + // make sure the provided key length is valid + algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength((uint)EncryptionAlgorithmKeySize); + + // all good! + return algorithmHandle; + } + + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() + { + return new CngGcmAuthenticatedEncryptorConfiguration(this); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs deleted file mode 100644 index 2224bfa71d..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfiguration.cs +++ /dev/null 
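Review bot: `CreateAuthenticatedEncryptorInstance` passes `(uint)(EncryptionAlgorithmKeySize / 8)`, which truncates, while `GetSymmetricBlockCipherAlgorithmHandle` only rejects negative sizes, so the `value % 8 == 0` assertion from the removed `GetKeySizeInBits` has no visible counterpart. Unless `AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize` or `EnsureValidKeyLength` (neither shown here) already rejects such sizes, add `CryptoUtil.Assert(EncryptionAlgorithmKeySize % 8 == 0, "EncryptionAlgorithmKeySize % 8 == 0");` next to the negative check. `CreateAuthenticatedEncryptorInstance` also builds `new Secret(secret)` before the handle lookup that can throw; resolving the handle first, as the removed code did, avoids leaving a key copy behind on a validation failure (assuming `Secret` is disposable, which this hunk does not show). The summary on `EncryptionAlgorithm` says "CBC-style encryption" although this class sets `BCRYPT_CHAIN_MODE_GCM`; it should read "GCM-style".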
@@ -1,71 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.XmlEncryption; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - internal sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration - { - internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/2014/dataProtection/cng"); - internal static readonly XName EncryptionElementName = XmlNamespace.GetName("encryption"); - internal static readonly XName GcmEncryptorElementName = XmlNamespace.GetName("gcmEncryptor"); - internal static readonly XName SecretElementName = XmlNamespace.GetName("secret"); - - private readonly CngGcmAuthenticatedEncryptorConfigurationOptions _options; - private readonly ISecret _secret; - - public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptorConfigurationOptions options, ISecret secret) - { - _options = options; - _secret = secret; - } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return _options.CreateAuthenticatedEncryptor(_secret); - } - - private XElement EncryptSecret(IXmlEncryptor encryptor) - { - // First, create the inner element. - XElement secretElement; - byte[] plaintextSecret = new byte[_secret.Length]; - try - { - _secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); - secretElement = new XElement(SecretElementName, Convert.ToBase64String(plaintextSecret)); - } - finally - { - Array.Clear(plaintextSecret, 0, plaintextSecret.Length); - } - - // Then encrypt it and wrap it in another element. 
- var encryptedSecretElement = encryptor.Encrypt(secretElement); - CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptedSecretElement.Attribute("decryptor")), - @"TODO: encryption was invalid."); - - return new XElement(SecretElementName, encryptedSecretElement); - } - - public XElement ToXml([NotNull] IXmlEncryptor xmlEncryptor) - { - // - // - // ... - // - - return new XElement(GcmEncryptorElementName, - new XAttribute("reader", typeof(CngGcmAuthenticatedEncryptorConfigurationXmlReader).AssemblyQualifiedName), - new XElement(EncryptionElementName, - new XAttribute("algorithm", _options.EncryptionAlgorithm), - new XAttribute("provider", _options.EncryptionAlgorithmProvider ?? String.Empty), - new XAttribute("keyLength", _options.EncryptionAlgorithmKeySize)), - EncryptSecret(xmlEncryptor)); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs deleted file mode 100644 index 6c87153d04..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationFactory.cs +++ /dev/null 
@@ -1,30 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.Framework.OptionsModel; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - /// - /// A factory that is able to create a CNG-based IAuthenticatedEncryptor - /// using CBC encryption + HMAC validation. - /// - public unsafe sealed class CngGcmAuthenticatedEncryptorConfigurationFactory : IAuthenticatedEncryptorConfigurationFactory - { - private readonly CngGcmAuthenticatedEncryptorConfigurationOptions _options; - - public CngGcmAuthenticatedEncryptorConfigurationFactory([NotNull] IOptions optionsAccessor) - { - _options = optionsAccessor.Options.Clone(); - } - - public IAuthenticatedEncryptorConfiguration CreateNewConfiguration() - { - // generate a 512-bit secret randomly - const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = Secret.Random(KDK_SIZE_IN_BYTES); - return new CngGcmAuthenticatedEncryptorConfiguration(_options, secret); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs deleted file mode 100644 index bd455d36c9..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationOptions.cs +++ /dev/null 
@@ -1,131 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.Cng; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - /// - /// Options for configuring an authenticated encryption mechanism which uses - /// Windows CNG encryption algorithms in Galois/Counter Mode. - /// - public sealed class CngGcmAuthenticatedEncryptorConfigurationOptions : IInternalConfigurationOptions - { - /// - /// The name of the algorithm to use for symmetric encryption. - /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. - /// This property is required to have a value. - /// - /// - /// The algorithm must support GCM-style encryption and must have a block size of exactly 128 bits. - /// The default value is 'AES'. - /// - public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; - - /// - /// The name of the provider which contains the implementation of the symmetric encryption algorithm. - /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. - /// This property is optional. - /// - /// - /// The default value is null. - /// - public string EncryptionAlgorithmProvider { get; set; } = null; - - /// - /// The length (in bits) of the key that will be used for symmetric encryption. - /// This property is required to have a value. - /// - /// - /// The key length must be 128 bits or greater. - /// The default value is 256. - /// - public int EncryptionAlgorithmKeySize { get; set; } = 256; - - /// - /// Makes a duplicate of this object, which allows the original object to remain mutable. 
- /// - internal CngGcmAuthenticatedEncryptorConfigurationOptions Clone() - { - return new CngGcmAuthenticatedEncryptorConfigurationOptions() - { - EncryptionAlgorithm = this.EncryptionAlgorithm, - EncryptionAlgorithmKeySize = this.EncryptionAlgorithmKeySize, - EncryptionAlgorithmProvider = this.EncryptionAlgorithmProvider - }; - } - - internal IAuthenticatedEncryptor CreateAuthenticatedEncryptor([NotNull] ISecret secret) - { - // Create the encryption object - string encryptionAlgorithm = GetPropertyValueNotNullOrEmpty(EncryptionAlgorithm, nameof(EncryptionAlgorithm)); - string encryptionAlgorithmProvider = GetPropertyValueNormalizeToNull(EncryptionAlgorithmProvider); - uint encryptionAlgorithmKeySizeInBits = GetKeySizeInBits(EncryptionAlgorithmKeySize); - BCryptAlgorithmHandle encryptionAlgorithmHandle = GetEncryptionAlgorithmHandleAndCheckKeySize(encryptionAlgorithm, encryptionAlgorithmProvider, encryptionAlgorithmKeySizeInBits); - - // and we're good to go! - return new GcmAuthenticatedEncryptor( - keyDerivationKey: new Secret(secret), - symmetricAlgorithmHandle: encryptionAlgorithmHandle, - symmetricAlgorithmKeySizeInBytes: encryptionAlgorithmKeySizeInBits / 8); - } - - private static BCryptAlgorithmHandle GetEncryptionAlgorithmHandleAndCheckKeySize(string encryptionAlgorithm, string encryptionAlgorithmProvider, uint keyLengthInBits) - { - BCryptAlgorithmHandle algorithmHandle = null; - - // Special-case cached providers - if (encryptionAlgorithmProvider == null) - { - if (encryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_GCM; } - } - - // Look up the provider dynamically if we couldn't fetch a cached instance - if (algorithmHandle == null) - { - algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(encryptionAlgorithm, encryptionAlgorithmProvider); - algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_GCM); - } - - // make sure we're using a block cipher with an appropriate block size - uint 
cipherBlockSizeInBytes = algorithmHandle.GetCipherBlockLength(); - CryptoUtil.Assert(cipherBlockSizeInBytes == 128 / 8, "cipherBlockSizeInBytes == 128 / 8"); - - // make sure the provided key length is valid - algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength(keyLengthInBits); - - // all good! - return algorithmHandle; - } - - private static uint GetKeySizeInBits(int value) - { - CryptoUtil.Assert(value >= 0, "value >= 0"); - CryptoUtil.Assert(value % 8 == 0, "value % 8 == 0"); - return (uint)value; - } - - private static string GetPropertyValueNormalizeToNull(string value) - { - return (String.IsNullOrEmpty(value)) ? null : value; - } - - private static string GetPropertyValueNotNullOrEmpty(string value, string propertyName) - { - if (String.IsNullOrEmpty(value)) - { - throw Error.Common_PropertyCannotBeNullOrEmpty(propertyName); - } - return value; - } - - IAuthenticatedEncryptor IInternalConfigurationOptions.CreateAuthenticatedEncryptor(ISecret secret) - { - return CreateAuthenticatedEncryptor(secret); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs deleted file mode 100644 index de6a1bc707..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorConfigurationXmlReader.cs +++ /dev/null 
@@ -1,62 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Linq; -using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.XmlEncryption; -using Microsoft.Framework.DependencyInjection; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - internal sealed class CngGcmAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader - { - private readonly IServiceProvider _serviceProvider; - - public CngGcmAuthenticatedEncryptorConfigurationXmlReader( - [NotNull] IServiceProvider serviceProvider) - { - _serviceProvider = serviceProvider; - } - - public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element) - { - // - // - // ... - // - - CryptoUtil.Assert(element.Name == CngGcmAuthenticatedEncryptorConfiguration.GcmEncryptorElementName, - @"TODO: Bad element."); - - var options = new CngGcmAuthenticatedEncryptorConfigurationOptions(); - - // read element - var encryptionElement = element.Element(CngGcmAuthenticatedEncryptorConfiguration.EncryptionElementName); - options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); - options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); - options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); - - // read the child of the element, then decrypt it - var encryptedSecretElement = element.Element(CngGcmAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single(); - var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor"); - var secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true); - var secretElementDecryptor = (IXmlDecryptor)ActivatorUtilities.CreateInstance(_serviceProvider, 
secretElementDecryptorType); - var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement); - CryptoUtil.Assert(decryptedSecretElement.Name == CngGcmAuthenticatedEncryptorConfiguration.SecretElementName, - @"TODO: Bad element."); - - byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement); - try - { - var secret = new Secret(decryptedSecretBytes); - return new CngGcmAuthenticatedEncryptorConfiguration(options, secret); - } - finally - { - Array.Clear(decryptedSecretBytes, 0, decryptedSecretBytes.Length); - } - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs new file mode 100644 index 0000000000..7b39b10715 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs 
@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ ///
+ /// Represents a generalized authenticated encryption mechanism.
+ ///
+ public unsafe sealed class AuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration
+ {
+ public AuthenticatedEncryptorConfiguration([NotNull] AuthenticatedEncryptionOptions options)
+ {
+ Options = options;
+ }
+
+ public AuthenticatedEncryptionOptions Options { get; }
+
+ public IAuthenticatedEncryptorDescriptor CreateNewDescriptor()
+ {
+ // generate a 512-bit secret randomly
+ const int KDK_SIZE_IN_BYTES = 512 / 8;
+ var secret = Secret.Random(KDK_SIZE_IN_BYTES);
+ return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret);
+ }
+
+ IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret)
+ {
+ return new AuthenticatedEncryptorDescriptor(Options, secret);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
new file mode 100644
index 0000000000..c5ca78573d
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
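Review bot: The `unsafe` modifier on `AuthenticatedEncryptorConfiguration` has nothing to apply to, since the class contains no pointer or fixed-buffer code, so the declaration can be `public sealed class AuthenticatedEncryptorConfiguration`. The same holds for `CngCbcAuthenticatedEncryptorConfiguration` and `CngGcmAuthenticatedEncryptorConfiguration` added later in this commit. All three also repeat the local `const int KDK_SIZE_IN_BYTES = 512 / 8;`; a single shared constant would keep the master-key size from drifting between the managed and CNG paths. `CreateNewDescriptor` would benefit from a summary comment stating that every call generates a fresh random 512-bit secret.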
@@ -0,0 +1,54 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ ///
+ /// A descriptor which can create an authenticated encryption system based upon the
+ /// configuration provided by an object.
+ ///
+ public sealed class AuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor
+ {
+ private readonly ISecret _masterKey;
+ private readonly AuthenticatedEncryptionOptions _options;
+
+ public AuthenticatedEncryptorDescriptor([NotNull] AuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey)
+ {
+ _options = options;
+ _masterKey = masterKey;
+ }
+
+ public IAuthenticatedEncryptor CreateEncryptorInstance()
+ {
+ return _options.CreateAuthenticatedEncryptorInstance(_masterKey);
+ }
+
+ public XmlSerializedDescriptorInfo ExportToXml()
+ {
+ //
+ //
+ //
+ // ...
+ //
+
+ var encryptionElement = new XElement("encryption",
+ new XAttribute("algorithm", _options.EncryptionAlgorithm));
+
+ var validationElement = (AuthenticatedEncryptionOptions.IsGcmAlgorithm(_options.EncryptionAlgorithm))
+ ? (object)new XComment(" AES-GCM includes a 128-bit authentication tag, no extra validation algorithm required. ")
+ : (object)new XElement("validation",
+ new XAttribute("algorithm", _options.ValidationAlgorithm));
+
+ var outerElement = new XElement("descriptor",
+ encryptionElement,
+ validationElement,
+ _masterKey.ToMasterKeyElement());
+
+ return new XmlSerializedDescriptorInfo(outerElement, typeof(AuthenticatedEncryptorDescriptorDeserializer));
+ }
+ }
+}
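Review bot: `ExportToXml` places `_masterKey.ToMasterKeyElement()` directly in the returned descriptor and carries no doc comment saying who is responsible for protecting it. The `ToXml(IXmlEncryptor)` methods removed by this commit encrypted the secret themselves and asserted that a `decryptor` attribute was present; here, confidentiality depends on what `ToMasterKeyElement` emits and on whatever consumes `XmlSerializedDescriptorInfo`, neither of which is visible in this hunk. I would add a summary comment on `ExportToXml` stating that the returned element contains master key material and must be encrypted before it is persisted or logged. `CngCbcAuthenticatedEncryptorDescriptor.ExportToXml` in this commit needs the same comment.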
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
new file mode 100644
index 0000000000..7908b98748
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
@@ -0,0 +1,44 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using System.Xml.Linq;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ ///
+ /// A class that can deserialize an that represents the serialized version
+ /// of an .
+ ///
+ public sealed class AuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer
+ {
+ ///
+ /// Imports the from serialized XML.
+ ///
+ public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element)
+ {
+ //
+ //
+ //
+ // ...
+ //
+
+ var options = new AuthenticatedEncryptionOptions();
+
+ var encryptionElement = element.Element("encryption");
+ options.EncryptionAlgorithm = (EncryptionAlgorithm)Enum.Parse(typeof(EncryptionAlgorithm), (string)encryptionElement.Attribute("algorithm"));
+
+ // only read if not GCM
+ if (!AuthenticatedEncryptionOptions.IsGcmAlgorithm(options.EncryptionAlgorithm))
+ {
+ var validationElement = element.Element("validation");
+ options.ValidationAlgorithm = (ValidationAlgorithm)Enum.Parse(typeof(ValidationAlgorithm), (string)validationElement.Attribute("algorithm"));
+ }
+
+ Secret masterKey = ((string)element.Elements("masterKey").Single()).ToSecret();
+ return new AuthenticatedEncryptorDescriptor(options, masterKey);
+ }
+ }
+}
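Review bot: `Enum.Parse` in `ImportFromXml` accepts numeric strings, so an `algorithm` attribute holding a number that matches no member yields an undefined `EncryptionAlgorithm` or `ValidationAlgorithm` value instead of an error at the point where the stored XML is read. Following each parse with a check such as `Enum.IsDefined(typeof(EncryptionAlgorithm), options.EncryptionAlgorithm)` and failing with a descriptive message would reject it here; whether `CreateAuthenticatedEncryptorInstance` catches it later is not visible in this hunk. A missing `encryption` or `validation` element currently surfaces as a NullReferenceException on the following line, and an explicit check would give a clearer failure for malformed key XML. `CngCbcAuthenticatedEncryptorDescriptorDeserializer.ImportFromXml` has the same unchecked `element.Element(...)` lookups.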
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
new file mode 100644
index 0000000000..b5dd186849
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ ///
+ /// Represents a configured authenticated encryption mechanism which uses
+ /// Windows CNG algorithms in CBC encryption + HMAC authentication modes.
+ ///
+ public unsafe sealed class CngCbcAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration
+ {
+ public CngCbcAuthenticatedEncryptorConfiguration([NotNull] CngCbcAuthenticatedEncryptionOptions options)
+ {
+ Options = options;
+ }
+
+ public CngCbcAuthenticatedEncryptionOptions Options { get; }
+
+ public IAuthenticatedEncryptorDescriptor CreateNewDescriptor()
+ {
+ // generate a 512-bit secret randomly
+ const int KDK_SIZE_IN_BYTES = 512 / 8;
+ var secret = Secret.Random(KDK_SIZE_IN_BYTES);
+ return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret);
+ }
+
+ IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret)
+ {
+ return new CngCbcAuthenticatedEncryptorDescriptor(Options, secret);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
new file mode 100644
index 0000000000..536dd573b4
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
@@ -0,0 +1,64 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ ///
+ /// A descriptor which can create an authenticated encryption system based upon the
+ /// configuration provided by an object.
+ ///
+ public sealed class CngCbcAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor
+ {
+ public CngCbcAuthenticatedEncryptorDescriptor([NotNull] CngCbcAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey)
+ {
+ Options = options;
+ MasterKey = masterKey;
+ }
+
+ internal ISecret MasterKey { get; }
+
+ internal CngCbcAuthenticatedEncryptionOptions Options { get; }
+
+ public IAuthenticatedEncryptor CreateEncryptorInstance()
+ {
+ return Options.CreateAuthenticatedEncryptorInstance(MasterKey);
+ }
+
+ public XmlSerializedDescriptorInfo ExportToXml()
+ {
+ //
+ //
+ //
+ //
+ // ...
+ //
+
+ var encryptionElement = new XElement("encryption",
+ new XAttribute("algorithm", Options.EncryptionAlgorithm),
+ new XAttribute("keyLength", Options.EncryptionAlgorithmKeySize));
+ if (Options.EncryptionAlgorithmProvider != null)
+ {
+ encryptionElement.SetAttributeValue("provider", Options.EncryptionAlgorithmProvider);
+ }
+
+ var hashElement = new XElement("hash",
+ new XAttribute("algorithm", Options.HashAlgorithm));
+ if (Options.HashAlgorithmProvider != null)
+ {
+ hashElement.SetAttributeValue("provider", Options.HashAlgorithmProvider);
+ }
+
+ var rootElement = new XElement("descriptor",
+ new XComment(" Algorithms provided by Windows CNG, using CBC-mode encryption with HMAC validation "),
+ encryptionElement,
+ hashElement,
+ MasterKey.ToMasterKeyElement());
+
+ return new XmlSerializedDescriptorInfo(rootElement, typeof(CngCbcAuthenticatedEncryptorDescriptorDeserializer));
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
new file mode 100644
index 0000000000..86f5c5a162
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -0,0 +1,44 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// A class that can deserialize an that represents the serialized version + /// of an . + /// + public sealed class CngCbcAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer + { + /// + /// Imports the from serialized XML. + /// + public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element) + { + // + // + // + // + // ... + // + + var options = new CngCbcAuthenticatedEncryptionOptions(); + + var encryptionElement = element.Element("encryption"); + options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); + options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null + + var hashElement = element.Element("hash"); + options.HashAlgorithm = (string)hashElement.Attribute("algorithm"); + options.HashAlgorithmProvider = (string)hashElement.Attribute("provider"); // could be null + + Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); + + return new CngCbcAuthenticatedEncryptorDescriptor(options, masterKey); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs new file mode 100644 index 0000000000..4dc914bb70 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs 
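Review bot: `ImportFromXml` dereferences `element.Element("encryption")` and `element.Element("hash")` without a null check, so a serialized descriptor that lacks either child fails with a NullReferenceException that does not say what was malformed. A missing `masterKey` element likewise reaches `ToSecret()` as a null string. This XML is presumably read back from persisted key storage, so I would reject it explicitly, e.g. `if (encryptionElement == null) { throw new FormatException("descriptor has no <encryption> element"); }` (exception type to match the project's convention), and do the same for `hash` and `masterKey`. The same pattern appears in CngGcmAuthenticatedEncryptorDescriptorDeserializer and ManagedAuthenticatedEncryptorDescriptorDeserializer later in this commit.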
@@ -0,0 +1,35 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// Represents a configured authenticated encryption mechanism which uses + /// Windows CNG algorithms in GCM encryption + authentication modes. + /// + public unsafe sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + { + public CngGcmAuthenticatedEncryptorConfiguration([NotNull] CngGcmAuthenticatedEncryptionOptions options) + { + Options = options; + } + + public CngGcmAuthenticatedEncryptionOptions Options { get; } + + public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() + { + // generate a 512-bit secret randomly + const int KDK_SIZE_IN_BYTES = 512 / 8; + var secret = Secret.Random(KDK_SIZE_IN_BYTES); + return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret); + } + + IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) + { + return new CngGcmAuthenticatedEncryptorDescriptor(Options, secret); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs new file mode 100644 index 0000000000..82bb7217a6 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs 
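Review bot: The class is declared `public unsafe sealed`, but nothing in this hunk uses pointers or `fixed`, so the `unsafe` modifier can be dropped: `public sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration`. The key-derivation-key size is also spelled locally as `const int KDK_SIZE_IN_BYTES = 512 / 8;` here and again in ManagedAuthenticatedEncryptorConfiguration.CreateNewDescriptor, while ManagedAuthenticatedEncryptionOptions.Validate uses a bare `512 / 8`. One shared constant would keep the generated secret length from drifting between configurations.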
@@ -0,0 +1,55 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// A descriptor which can create an authenticated encryption system based upon the + /// configuration provided by an object. + /// + public sealed class CngGcmAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor + { + public CngGcmAuthenticatedEncryptorDescriptor([NotNull] CngGcmAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + { + Options = options; + MasterKey = masterKey; + } + + internal ISecret MasterKey { get; } + + internal CngGcmAuthenticatedEncryptionOptions Options { get; } + + public IAuthenticatedEncryptor CreateEncryptorInstance() + { + return Options.CreateAuthenticatedEncryptorInstance(MasterKey); + } + + public XmlSerializedDescriptorInfo ExportToXml() + { + // + // + // + // ... + // + + var encryptionElement = new XElement("encryption", + new XAttribute("algorithm", Options.EncryptionAlgorithm), + new XAttribute("keyLength", Options.EncryptionAlgorithmKeySize)); + if (Options.EncryptionAlgorithmProvider != null) + { + encryptionElement.SetAttributeValue("provider", Options.EncryptionAlgorithmProvider); + } + + var rootElement = new XElement("descriptor", + new XComment(" Algorithms provided by Windows CNG, using GCM mode encryption and validation "), + encryptionElement, + MasterKey.ToMasterKeyElement()); + + return new XmlSerializedDescriptorInfo(rootElement, typeof(CngGcmAuthenticatedEncryptorDescriptorDeserializer)); + } + } +} 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs new file mode 100644 index 0000000000..6da12b3b23 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs @@ -0,0 +1,39 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// A class that can deserialize an that represents the serialized version + /// of an . + /// + public sealed class CngGcmAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer + { + /// + /// Imports the from serialized XML. + /// + public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element) + { + // + // + // + // ... + // + + var options = new CngGcmAuthenticatedEncryptionOptions(); + + var encryptionElement = element.Element("encryption"); + options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); + options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null + + Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); + + return new CngGcmAuthenticatedEncryptorDescriptor(options, masterKey); + } + } +} 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs new file mode 100644 index 0000000000..40817c3b3a --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs @@ -0,0 +1,21 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// The basic configuration that serves as a factory for types related to authenticated encryption. + /// + public interface IAuthenticatedEncryptorConfiguration + { + /// + /// Creates a new instance based on this + /// configuration. The newly-created instance contains unique key material and is distinct + /// from all other descriptors created by the method. + /// + /// A unique . + IAuthenticatedEncryptorDescriptor CreateNewDescriptor(); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs new file mode 100644 index 0000000000..09d4334ce7 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs 
@@ -0,0 +1,41 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// A self-contained descriptor that wraps all information (including secret key + /// material) necessary to create an instance of an . + /// + public interface IAuthenticatedEncryptorDescriptor + { + /// + /// Creates an instance based on the current descriptor. + /// + /// An instance. + /// + /// For a given descriptor, any two instances returned by this method should + /// be considered equivalent, e.g., the payload returned by one's + /// method should be consumable by the other's method. + /// + IAuthenticatedEncryptor CreateEncryptorInstance(); + + /// + /// Exports the current descriptor to XML. + /// + /// + /// An wrapping the which represents the serialized + /// current descriptor object. The deserializer type must be assignable to . + /// + /// + /// If an element contains sensitive information (such as key material), the + /// element should be marked via the + /// extension method, and the caller should encrypt the element before persisting + /// the XML to storage. + /// + XmlSerializedDescriptorInfo ExportToXml(); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs new file mode 100644 index 0000000000..805ded53b4 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ ///
+ /// The basic interface for deserializing an XML element into an .
+ ///
+ public interface IAuthenticatedEncryptorDescriptorDeserializer
+ {
+ ///
+ /// Deserializes the specified XML element.
+ ///
+ /// The element to deserialize.
+ /// The represented by .
+ IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element);
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
new file mode 100644
index 0000000000..f05c33fb4f
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
@@ -0,0 +1,24 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ // This type is not public because we don't want to lock ourselves into a contract stating
+ // that a descriptor is simply a configuration plus a single serializable, reproducible secret.
+
+ ///
+ /// A type that knows how to create instances of an
+ /// given specific secret key material.
+ ///
+ internal interface IInternalAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration
+ {
+ ///
+ /// Creates a new instance from this
+ /// configuration given specific secret key material.
+ ///
+ ///
+ IAuthenticatedEncryptorDescriptor CreateDescriptorFromSecret(ISecret secret);
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
new file mode 100644
index 0000000000..3bdc2e2f96
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
@@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Framework.Internal; +using System.Security.Cryptography; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// Represents a configured authenticated encryption mechanism which uses + /// managed and types. + /// + public sealed class ManagedAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + { + public ManagedAuthenticatedEncryptorConfiguration([NotNull] ManagedAuthenticatedEncryptionOptions options) + { + Options = options; + } + + public ManagedAuthenticatedEncryptionOptions Options { get; } + + public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() + { + // generate a 512-bit secret randomly + const int KDK_SIZE_IN_BYTES = 512 / 8; + var secret = Secret.Random(KDK_SIZE_IN_BYTES); + return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret); + } + + IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) + { + return new ManagedAuthenticatedEncryptorDescriptor(Options, secret); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs new file mode 100644 index 0000000000..0d0642b1f1 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs 
@@ -0,0 +1,87 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// A descriptor which can create an authenticated encryption system based upon the + /// configuration provided by an object. + /// + public sealed class ManagedAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor + { + public ManagedAuthenticatedEncryptorDescriptor([NotNull] ManagedAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + { + Options = options; + MasterKey = masterKey; + } + + internal ISecret MasterKey { get; } + + internal ManagedAuthenticatedEncryptionOptions Options { get; } + + public IAuthenticatedEncryptor CreateEncryptorInstance() + { + return Options.CreateAuthenticatedEncryptorInstance(MasterKey); + } + + public XmlSerializedDescriptorInfo ExportToXml() + { + // + // + // + // + // ... 
+ // + + var encryptionElement = new XElement("encryption", + new XAttribute("algorithm", TypeToFriendlyName(Options.EncryptionAlgorithmType)), + new XAttribute("keyLength", Options.EncryptionAlgorithmKeySize)); + + var validationElement = new XElement("validation", + new XAttribute("algorithm", TypeToFriendlyName(Options.ValidationAlgorithmType))); + + var rootElement = new XElement("descriptor", + new XComment(" Algorithms provided by specified SymmetricAlgorithm and KeyedHashAlgorithm "), + encryptionElement, + validationElement, + MasterKey.ToMasterKeyElement()); + + return new XmlSerializedDescriptorInfo(rootElement, typeof(ManagedAuthenticatedEncryptorDescriptorDeserializer)); + } + + // Any changes to this method should also be be reflected + // in ManagedAuthenticatedEncryptorDescriptorDeserializer.FriendlyNameToType. + private static string TypeToFriendlyName(Type type) + { + if (type == typeof(Aes)) + { + return nameof(Aes); + } + else if (type == typeof(HMACSHA1)) + { + return nameof(HMACSHA1); + } + else if (type == typeof(HMACSHA256)) + { + return nameof(HMACSHA256); + } + else if (type == typeof(HMACSHA384)) + { + return nameof(HMACSHA384); + } + else if (type == typeof(HMACSHA512)) + { + return nameof(HMACSHA512); + } + else + { + return type.AssemblyQualifiedName; + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs new file mode 100644 index 0000000000..59878538f3 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -0,0 +1,73 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// A class that can deserialize an that represents the serialized version + /// of an . + /// + public sealed class ManagedAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer + { + /// + /// Imports the from serialized XML. + /// + public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element) + { + // + // + // + // + // ... + // + + var options = new ManagedAuthenticatedEncryptionOptions(); + + var encryptionElement = element.Element("encryption"); + options.EncryptionAlgorithmType = FriendlyNameToType((string)encryptionElement.Attribute("algorithm")); + options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + + var validationElement = element.Element("validation"); + options.ValidationAlgorithmType = FriendlyNameToType((string)validationElement.Attribute("algorithm")); + + Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); + + return new ManagedAuthenticatedEncryptorDescriptor(options, masterKey); + } + + // Any changes to this method should also be be reflected + // in ManagedAuthenticatedEncryptorDescriptor.TypeToFriendlyName. 
+ private static Type FriendlyNameToType(string typeName) + { + if (typeName == nameof(Aes)) + { + return typeof(Aes); + } + else if (typeName == nameof(HMACSHA1)) + { + return typeof(HMACSHA1); + } + else if (typeName == nameof(HMACSHA256)) + { + return typeof(HMACSHA256); + } + else if (typeName == nameof(HMACSHA384)) + { + return typeof(HMACSHA384); + } + else if (typeName == nameof(HMACSHA512)) + { + return typeof(HMACSHA512); + } + else + { + return Type.GetType(typeName, throwOnError: true); + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs new file mode 100644 index 0000000000..de3b2cb607 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs 
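Review bot: The fallback branch of `FriendlyNameToType` hands the `algorithm` attribute from the serialized descriptor straight to `Type.GetType(typeName, throwOnError: true)`, so whoever can write the stored XML decides which assembly-qualified type is resolved and loaded. `ImportFromXml` then assigns the result to `EncryptionAlgorithmType` and `ValidationAlgorithmType` without checking what kind of type came back. The only subclass check visible in this commit is `typeof(SymmetricAlgorithm).AssertIsAssignableFrom(EncryptionAlgorithmType)` in ManagedAuthenticatedEncryptionOptions, which runs later, when an encryptor is created, and as far as the visible code shows has no counterpart for the validation type. I would validate at import time, right after the two lookups: `typeof(SymmetricAlgorithm).AssertIsAssignableFrom(options.EncryptionAlgorithmType);` and `typeof(KeyedHashAlgorithm).AssertIsAssignableFrom(options.ValidationAlgorithmType);`. I would also add a comment on the `else` branch saying that the name comes from persisted data and must round-trip with `TypeToFriendlyName`'s `AssemblyQualifiedName` fallback.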
@@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + internal unsafe static class SecretExtensions + { + /// + /// Converts an to an <masterKey> element which is marked + /// as requiring encryption. + /// + /// + public static XElement ToMasterKeyElement(this ISecret secret) + { + // Technically we'll be keeping the unprotected secret around in memory as + // a string, so it can get moved by the GC, but we should be good citizens + // and try to pin / clear our our temporary buffers regardless. + byte[] unprotectedSecretRawBytes = new byte[secret.Length]; + string unprotectedSecretAsBase64String; + fixed (byte* __unused__ = unprotectedSecretRawBytes) + { + try + { + secret.WriteSecretIntoBuffer(new ArraySegment(unprotectedSecretRawBytes)); + unprotectedSecretAsBase64String = Convert.ToBase64String(unprotectedSecretRawBytes); + } + finally + { + Array.Clear(unprotectedSecretRawBytes, 0, unprotectedSecretRawBytes.Length); + } + } + + XElement masterKeyElement = new XElement("masterKey", + new XComment(" Warning: the key below is in an unencrypted form. "), + new XElement("value", unprotectedSecretAsBase64String)); + masterKeyElement.MarkAsRequiresEncryption(); + return masterKeyElement; + } + + /// + /// Converts a base64-encoded string into an . + /// + /// + public static Secret ToSecret(this string base64String) + { + byte[] unprotectedSecret = Convert.FromBase64String(base64String); + fixed (byte* __unused__ = unprotectedSecret) + { + try + { + return new Secret(unprotectedSecret); + } + finally + { + Array.Clear(unprotectedSecret, 0, unprotectedSecret.Length); + } + } + } + } +} 
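Review bot: In `ToSecret` the decoded key bytes are written by `Convert.FromBase64String` before the `fixed` statement pins the array, and the base64 input string is never cleared. The pin-and-clear therefore narrows the lifetime of the plaintext key in managed memory but does not bound it. `ToMasterKeyElement` already carries a comment admitting the equivalent limitation for its string. `ToSecret` should state it too, e.g. `// The base64 input string and the window before pinning are not covered; this only clears our own temporary buffer.`, so a later reader does not take the `fixed`/`Array.Clear` pair as a guarantee.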
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs new file mode 100644 index 0000000000..d6914c83d3 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs @@ -0,0 +1,26 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public static class XmlExtensions + { + internal static bool IsMarkedAsRequiringEncryption(this XElement element) + { + return ((bool?)element.Attribute(XmlConstants.RequiresEncryptionAttributeName)).GetValueOrDefault(); + } + + /// + /// Marks the provided as requiring encryption before being persisted + /// to storage. Use when implementing . + /// + public static void MarkAsRequiresEncryption([NotNull] this XElement element) + { + element.SetAttributeValue(XmlConstants.RequiresEncryptionAttributeName, true); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs new file mode 100644 index 0000000000..0f0b695b9f --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs 
@@ -0,0 +1,48 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Reflection; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + /// + /// Wraps an that contains the XML-serialized representation of an + /// along with the type that can be used + /// to deserialize it. + /// + public sealed class XmlSerializedDescriptorInfo + { + /// + /// Creates an instance of an . + /// + /// The XML-serialized form of the . + /// The class whose + /// method can be used to deserialize . + public XmlSerializedDescriptorInfo([NotNull] XElement serializedDescriptorElement, [NotNull] Type deserializerType) + { + if (!typeof(IAuthenticatedEncryptorDescriptorDeserializer).IsAssignableFrom(deserializerType)) + { + throw new ArgumentException( + Resources.FormatTypeExtensions_BadCast(deserializerType.FullName, typeof(IAuthenticatedEncryptorDescriptorDeserializer).FullName), + nameof(deserializerType)); + } + + SerializedDescriptorElement = serializedDescriptorElement; + DeserializerType = deserializerType; + } + + /// + /// The class whose + /// method can be used to deserialize the value stored in . + /// + public Type DeserializerType { get; } + + /// + /// An XML-serialized representation of an . + /// + public XElement SerializedDescriptorElement { get; } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs new file mode 100644 index 0000000000..26b6e38fe4 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs 
@@ -0,0 +1,54 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +{ + /// + /// Specifies a symmetric encryption algorithm to use for providing confidentiality + /// to protected payloads. + /// + public enum EncryptionAlgorithm + { + /// + /// The AES algorithm (FIPS 197) with a 128-bit key running in Cipher Block Chaining mode. + /// + AES_128_CBC, + + /// + /// The AES algorithm (FIPS 197) with a 192-bit key running in Cipher Block Chaining mode. + /// + AES_192_CBC, + + /// + /// The AES algorithm (FIPS 197) with a 256-bit key running in Cipher Block Chaining mode. + /// + AES_256_CBC, + + /// + /// The AES algorithm (FIPS 197) with a 128-bit key running in Galois/Counter Mode (FIPS SP 800-38D). + /// + /// + /// This cipher mode produces a 128-bit authentication tag. This algorithm is currently only + /// supported on Windows. + /// + AES_128_GCM, + + /// + /// The AES algorithm (FIPS 197) with a 192-bit key running in Galois/Counter Mode (FIPS SP 800-38D). + /// + /// + /// This cipher mode produces a 128-bit authentication tag. + /// + AES_192_GCM, + + /// + /// The AES algorithm (FIPS 197) with a 256-bit key running in Galois/Counter Mode (FIPS SP 800-38D). + /// + /// + /// This cipher mode produces a 128-bit authentication tag. + /// + AES_256_GCM, + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs deleted file mode 100644 index 6d4b3f518a..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfiguration.cs +++ /dev/null 
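Review bot: The remarks on `AES_128_GCM` say the algorithm is currently only supported on Windows, but the remarks on `AES_192_GCM` and `AES_256_GCM` omit that sentence. Judging by the CNG-only GCM configuration types added in this commit, the same restriction presumably applies to all three key sizes. If so, add `This algorithm is currently only supported on Windows.` to the other two remarks so callers choosing a GCM value on another platform are warned consistently.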
@@ -1,29 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.XmlEncryption; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - /// - /// Represents a type that contains configuration information about an IAuthenticatedEncryptor - /// instance, including how to serialize it to XML. - /// - public interface IAuthenticatedEncryptorConfiguration - { - /// - /// Creates a new IAuthenticatedEncryptor instance based on the current configuration. - /// - /// An IAuthenticatedEncryptor instance. - IAuthenticatedEncryptor CreateEncryptorInstance(); - - /// - /// Exports the current configuration to XML, optionally encrypting secret key material. - /// - /// The XML encryptor used to encrypt secret material. - /// An XElement representing the current configuration object. - XElement ToXml(IXmlEncryptor xmlEncryptor); - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs deleted file mode 100644 index e25bacbcc8..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationFactory.cs +++ /dev/null 
@@ -1,21 +0,0 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
-// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-
-using System;
-
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
-{
- ///
- /// Represents a type that can create new authenticated encryption configuration objects.
- ///
- public interface IAuthenticatedEncryptorConfigurationFactory
- {
- ///
- /// Creates a new configuration object with fresh secret key material.
- ///
- ///
- /// An IAuthenticatedEncryptorConfiguration instance.
- ///
- IAuthenticatedEncryptorConfiguration CreateNewConfiguration();
- }
-}
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
deleted file mode 100644
index 7a211fc8cd..0000000000
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorConfigurationXmlReader.cs
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
-// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
-
-using System;
-using System.Xml.Linq;
-
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption
-{
- ///
- /// Represents a type that can deserialize an XML-serialized IAuthenticatedEncryptorConfiguration.
- ///
- public interface IAuthenticatedEncryptorConfigurationXmlReader
- {
- ///
- /// Deserializes an XML-serialized IAuthenticatedEncryptorConfiguration.
- ///
- /// The XML element to deserialize.
- /// The deserialized IAuthenticatedEncryptorConfiguration.
- IAuthenticatedEncryptorConfiguration FromXml(XElement element);
- }
-}
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs new file mode 100644 index 0000000000..444990a3ba --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs @@ -0,0 +1,25 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +{ + /// + /// Implemented by our options classes to generalize creating configuration objects. + /// + internal interface IInternalAuthenticatedEncryptionOptions + { + /// + /// Creates a object + /// from the given options. + /// + IInternalAuthenticatedEncryptorConfiguration ToConfiguration(); + + /// + /// Performs a self-test of the algorithm specified by the options object. + /// + void Validate(); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs deleted file mode 100644 index 6ae9384f03..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalConfigurationOptions.cs +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - internal interface IInternalConfigurationOptions - { - IAuthenticatedEncryptor CreateAuthenticatedEncryptor(ISecret secret); - } -} 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs new file mode 100644 index 0000000000..cb71ca58bc --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs 
@@ -0,0 +1,162 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.Managed; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +{ + /// + /// Options for configuring an authenticated encryption mechanism which uses + /// managed SymmetricAlgorithm and KeyedHashAlgorithm implementations. + /// + public sealed class ManagedAuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions + { + /// + /// The type of the algorithm to use for symmetric encryption. + /// The type must subclass . + /// This property is required to have a value. + /// + /// + /// The algorithm must support CBC-style encryption and PKCS#7 padding and must have a block size of 64 bits or greater. + /// The default algorithm is AES. + /// + [ApplyPolicy] + public Type EncryptionAlgorithmType { get; set; } = typeof(Aes); + + /// + /// The length (in bits) of the key that will be used for symmetric encryption. + /// This property is required to have a value. + /// + /// + /// The key length must be 128 bits or greater. + /// The default value is 256. + /// + [ApplyPolicy] + public int EncryptionAlgorithmKeySize { get; set; } = 256; + + /// + /// The type of the algorithm to use for validation. + /// Type type must subclass . + /// This property is required to have a value. + /// + /// + /// The algorithm must have a digest length of 128 bits or greater. + /// The default algorithm is HMACSHA256. 
+ /// + [ApplyPolicy] + public Type ValidationAlgorithmType { get; set; } = typeof(HMACSHA256); + + /// + /// Validates that this is well-formed, i.e., + /// that the specified algorithms actually exist and can be instantiated properly. + /// An exception will be thrown if validation fails. + /// + public void Validate() + { + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. + using (var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8))) + { + encryptor.PerformSelfTest(); + } + } + + /* + * HELPER ROUTINES + */ + + internal ManagedAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) + { + return new ManagedAuthenticatedEncryptor( + keyDerivationKey: new Secret(secret), + symmetricAlgorithmFactory: GetSymmetricBlockCipherAlgorithmFactory(), + symmetricAlgorithmKeySizeInBytes: EncryptionAlgorithmKeySize / 8, + validationAlgorithmFactory: GetKeyedHashAlgorithmFactory()); + } + + private Func GetKeyedHashAlgorithmFactory() + { + // basic argument checking + if (ValidationAlgorithmType == null) + { + throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(ValidationAlgorithmType)); + } + + if (ValidationAlgorithmType == typeof(HMACSHA256)) + { + return () => new HMACSHA256(); + } + else if (ValidationAlgorithmType == typeof(HMACSHA512)) + { + return () => new HMACSHA512(); + } + else + { + return AlgorithmActivator.CreateFactory(ValidationAlgorithmType); + } + } + + private Func GetSymmetricBlockCipherAlgorithmFactory() + { + // basic argument checking + if (EncryptionAlgorithmType == null) + { + throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithmType)); + } + typeof(SymmetricAlgorithm).AssertIsAssignableFrom(EncryptionAlgorithmType); + if (EncryptionAlgorithmKeySize < 0) + { + throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); + } + + if (EncryptionAlgorithmType == typeof(Aes)) + { + Func factory = null; +#if !DNXCORE50 
+ if (OSVersionUtil.IsWindows()) + { + // If we're on desktop CLR and running on Windows, use the FIPS-compliant implementation. + factory = () => new AesCryptoServiceProvider(); + } +#endif + return factory ?? Aes.Create; + } + else + { + return AlgorithmActivator.CreateFactory(EncryptionAlgorithmType); + } + } + + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() + { + return new ManagedAuthenticatedEncryptorConfiguration(this); + } + + /// + /// Contains helper methods for generating cryptographic algorithm factories. + /// + private static class AlgorithmActivator + { + /// + /// Creates a factory that wraps a call to . + /// + public static Func CreateFactory(Type implementation) + { + return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivatorCore<>).MakeGenericType(implementation))).Creator; + } + + private interface IActivator + { + Func Creator { get; } + } + + private class AlgorithmActivatorCore : IActivator where T : new() + { + public Func Creator { get; } = Activator.CreateInstance; + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs deleted file mode 100644 index 8e0295711b..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfiguration.cs +++ /dev/null 
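Review bot: `GetKeyedHashAlgorithmFactory` checks `ValidationAlgorithmType` only for null, while its sibling `GetSymmetricBlockCipherAlgorithmFactory` also calls `typeof(SymmetricAlgorithm).AssertIsAssignableFrom(EncryptionAlgorithmType)`, and the options class this file replaces asserted `typeof(KeyedHashAlgorithm).IsAssignableFrom(ValidationAlgorithmType)`. A misconfigured type therefore reaches `AlgorithmActivator.CreateFactory` and fails there with a less helpful error. I would add `typeof(KeyedHashAlgorithm).AssertIsAssignableFrom(ValidationAlgorithmType);` directly after the null check. Separately, `EncryptionAlgorithmKeySize` is only rejected when negative before `EncryptionAlgorithmKeySize / 8` truncates it, and the old `keySizeInBits % 8 == 0` assert is gone. Unless `ManagedAuthenticatedEncryptor` (not visible here) enforces the documented 128-bit minimum and byte alignment, a check such as `if (EncryptionAlgorithmKeySize % 8 != 0)` belongs next to the existing range check.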
@@ -1,74 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.XmlEncryption; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - internal sealed class ManagedAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration - { - internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/2014/dataProtection/managed"); - internal static readonly XName ManagedEncryptorElementName = XmlNamespace.GetName("managedEncryptor"); - internal static readonly XName EncryptionElementName = XmlNamespace.GetName("encryption"); - internal static readonly XName SecretElementName = XmlNamespace.GetName("secret"); - internal static readonly XName ValidationElementName = XmlNamespace.GetName("validation"); - - private readonly ManagedAuthenticatedEncryptorConfigurationOptions _options; - private readonly ISecret _secret; - - public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptorConfigurationOptions options, ISecret secret) - { - _options = options; - _secret = secret; - } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return _options.CreateAuthenticatedEncryptor(_secret); - } - - private XElement EncryptSecret(IXmlEncryptor encryptor) - { - // First, create the inner element. - XElement secretElement; - byte[] plaintextSecret = new byte[_secret.Length]; - try - { - _secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); - secretElement = new XElement(SecretElementName, Convert.ToBase64String(plaintextSecret)); - } - finally - { - Array.Clear(plaintextSecret, 0, plaintextSecret.Length); - } - - // Then encrypt it and wrap it in another element. 
- var encryptedSecretElement = encryptor.Encrypt(secretElement); - CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptedSecretElement.Attribute("decryptor")), - @"TODO: encryption was invalid."); - - return new XElement(SecretElementName, encryptedSecretElement); - } - - public XElement ToXml([NotNull] IXmlEncryptor xmlEncryptor) - { - // - // - // - // ... - // - - return new XElement(ManagedEncryptorElementName, - new XAttribute("reader", typeof(ManagedAuthenticatedEncryptorConfigurationXmlReader).AssemblyQualifiedName), - new XElement(EncryptionElementName, - new XAttribute("type", _options.EncryptionAlgorithmType), - new XAttribute("keyLength", _options.EncryptionAlgorithmKeySize)), - new XElement(ValidationElementName, - new XAttribute("type", _options.ValidationAlgorithmType)), - EncryptSecret(xmlEncryptor)); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs deleted file mode 100644 index e977694d1d..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationFactory.cs +++ /dev/null 
@@ -1,37 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNet.DataProtection.Managed; -using Microsoft.Framework.OptionsModel; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - public sealed class ManagedAuthenticatedEncryptorConfigurationFactory : IAuthenticatedEncryptorConfigurationFactory - { - private readonly ManagedAuthenticatedEncryptorConfigurationOptions _options; - - public ManagedAuthenticatedEncryptorConfigurationFactory([NotNull] IOptions optionsAccessor) - { - _options = optionsAccessor.Options.Clone(); - } - - public IAuthenticatedEncryptorConfiguration CreateNewConfiguration() - { - // generate a 512-bit secret randomly - const int KDK_SIZE_IN_BYTES = 512 / 8; - byte[] kdk = ManagedGenRandomImpl.Instance.GenRandom(KDK_SIZE_IN_BYTES); - Secret secret; - try - { - secret = new Secret(kdk); - } - finally - { - Array.Clear(kdk, 0, kdk.Length); - } - - return new ManagedAuthenticatedEncryptorConfiguration(_options, secret); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs deleted file mode 100644 index 4495f0ec94..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationOptions.cs +++ /dev/null 
@@ -1,121 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Reflection; -using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.Managed; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - /// - /// Options for configuring an authenticated encryption mechanism which uses - /// managed SymmetricAlgorithm and KeyedHashAlgorithm implementations. - /// - public sealed class ManagedAuthenticatedEncryptorConfigurationOptions : IInternalConfigurationOptions - { - /// - /// The type of the algorithm to use for symmetric encryption. - /// This property is required to have a value. - /// - /// - /// The algorithm must support CBC-style encryption and PKCS#7 padding and must have a block size of 64 bits or greater. - /// The default algorithm is AES. - /// - public Type EncryptionAlgorithmType { get; set; } = typeof(Aes); - - /// - /// The length (in bits) of the key that will be used for symmetric encryption. - /// This property is required to have a value. - /// - /// - /// The key length must be 128 bits or greater. - /// The default value is 256. - /// - public int EncryptionAlgorithmKeySize { get; set; } = 256; - - /// - /// A factory for the algorithm to use for validation. - /// This property is required to have a value. - /// - /// - /// The algorithm must have a digest length of 128 bits or greater. - /// The default algorithm is HMACSHA256. - /// - public Type ValidationAlgorithmType { get; set; } = typeof(HMACSHA256); - - /// - /// Makes a duplicate of this object, which allows the original object to remain mutable. 
- /// - internal ManagedAuthenticatedEncryptorConfigurationOptions Clone() - { - return new ManagedAuthenticatedEncryptorConfigurationOptions() - { - EncryptionAlgorithmType = this.EncryptionAlgorithmType, - EncryptionAlgorithmKeySize = this.EncryptionAlgorithmKeySize, - ValidationAlgorithmType = this.ValidationAlgorithmType - }; - } - - internal IAuthenticatedEncryptor CreateAuthenticatedEncryptor([NotNull] ISecret secret) - { - // Create the encryption and validation object - Func encryptorFactory = GetEncryptionAlgorithmFactory(); - Func validatorFactory = GetValidationAlgorithmFactory(); - - // Check key size here - int keySizeInBits = EncryptionAlgorithmKeySize; - CryptoUtil.Assert(keySizeInBits % 8 == 0, "keySizeInBits % 8 == 0"); - int keySizeInBytes = keySizeInBits / 8; - - // We're good to go! - return new ManagedAuthenticatedEncryptor( - keyDerivationKey: new Secret(secret), - symmetricAlgorithmFactory: encryptorFactory, - symmetricAlgorithmKeySizeInBytes: keySizeInBytes, - validationAlgorithmFactory: validatorFactory); - } - - private Func GetEncryptionAlgorithmFactory() - { - CryptoUtil.Assert(EncryptionAlgorithmType != null, "EncryptionAlgorithmType != null"); - CryptoUtil.Assert(typeof(SymmetricAlgorithm).IsAssignableFrom(EncryptionAlgorithmType), "typeof(SymmetricAlgorithm).IsAssignableFrom(EncryptionAlgorithmType)"); - - if (EncryptionAlgorithmType == typeof(Aes)) - { - // On Core CLR, there's no public concrete implementation of AES, so we'll special-case it here - return Aes.Create; - } - else - { - // Otherwise the algorithm must have a default ctor - return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivator<>).MakeGenericType(EncryptionAlgorithmType))).Creator; - } - } - - private Func GetValidationAlgorithmFactory() - { - CryptoUtil.Assert(ValidationAlgorithmType != null, "ValidationAlgorithmType != null"); - CryptoUtil.Assert(typeof(KeyedHashAlgorithm).IsAssignableFrom(ValidationAlgorithmType), 
"typeof(KeyedHashAlgorithm).IsAssignableFrom(ValidationAlgorithmType)"); - - // The algorithm must have a default ctor - return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivator<>).MakeGenericType(ValidationAlgorithmType))).Creator; - } - - IAuthenticatedEncryptor IInternalConfigurationOptions.CreateAuthenticatedEncryptor(ISecret secret) - { - return CreateAuthenticatedEncryptor(secret); - } - - private interface IActivator - { - Func Creator { get; } - } - - private class AlgorithmActivator : IActivator where T : new() - { - public Func Creator { get; } = Activator.CreateInstance; - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs deleted file mode 100644 index b9b8821a40..0000000000 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorConfigurationXmlReader.cs +++ /dev/null 
@@ -1,66 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Linq; -using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.XmlEncryption; -using Microsoft.Framework.DependencyInjection; - -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption -{ - internal sealed class ManagedAuthenticatedEncryptorConfigurationXmlReader : IAuthenticatedEncryptorConfigurationXmlReader - { - private readonly IServiceProvider _serviceProvider; - - public ManagedAuthenticatedEncryptorConfigurationXmlReader( - [NotNull] IServiceProvider serviceProvider) - { - _serviceProvider = serviceProvider; - } - - public IAuthenticatedEncryptorConfiguration FromXml([NotNull] XElement element) - { - // - // - // - // ... - // - - CryptoUtil.Assert(element.Name == ManagedAuthenticatedEncryptorConfiguration.EncryptionElementName, - @"TODO: Bad element."); - - var options = new ManagedAuthenticatedEncryptorConfigurationOptions(); - - // read element - var encryptionElement = element.Element(ManagedAuthenticatedEncryptorConfiguration.EncryptionElementName); - options.EncryptionAlgorithmType = Type.GetType((string)encryptionElement.Attribute("type"), throwOnError: true); - options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); - - // read element - var validationElement = element.Element(ManagedAuthenticatedEncryptorConfiguration.ValidationElementName); - options.ValidationAlgorithmType = Type.GetType((string)validationElement.Attribute("type"), throwOnError: true); - - // read the child of the element, then decrypt it - var encryptedSecretElement = element.Element(ManagedAuthenticatedEncryptorConfiguration.SecretElementName).Elements().Single(); - var secretElementDecryptorTypeName = (string)encryptedSecretElement.Attribute("decryptor"); - var 
secretElementDecryptorType = Type.GetType(secretElementDecryptorTypeName, throwOnError: true); - var secretElementDecryptor = (IXmlDecryptor)ActivatorUtilities.CreateInstance(_serviceProvider, secretElementDecryptorType); - var decryptedSecretElement = secretElementDecryptor.Decrypt(encryptedSecretElement); - CryptoUtil.Assert(decryptedSecretElement.Name == ManagedAuthenticatedEncryptorConfiguration.SecretElementName, - @"TODO: Bad element."); - - byte[] decryptedSecretBytes = Convert.FromBase64String((string)decryptedSecretElement); - try - { - var secret = new Secret(decryptedSecretBytes); - return new ManagedAuthenticatedEncryptorConfiguration(options, secret); - } - finally - { - Array.Clear(decryptedSecretBytes, 0, decryptedSecretBytes.Length); - } - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs new file mode 100644 index 0000000000..93d96fdd97 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs @@ -0,0 +1,24 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +{ + /// + /// Specifies a message authentication algorithm to use for providing tamper-proofing + /// to protected payloads. + /// + public enum ValidationAlgorithm + { + /// + /// The HMAC algorithm (RFC 2104) using the SHA-256 hash function (FIPS 180-4). + /// + HMACSHA256, + + /// + /// The HMAC algorithm (RFC 2104) using the SHA-512 hash function (FIPS 180-4). + /// + HMACSHA512, + } +} diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index 2a27d5633b..f88c224a68 100644 
--- a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -5,6 +5,7 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.SP800_108; namespace Microsoft.AspNet.DataProtection.Cng @@ -25,13 +26,6 @@ namespace Microsoft.AspNet.DataProtection.Cng // probability of collision, and this is acceptable for the expected KDK lifetime. private const uint KEY_MODIFIER_SIZE_IN_BYTES = 128 / 8; - // Our analysis re: IV collision resistance only holds if we're working with block ciphers - // with a block length of 64 bits or greater. - internal const uint SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES = 64 / 8; - - // Min security bar: authentication tag must have at least 128 bits of output. - internal const uint HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES = 128 / 8; - private readonly byte[] _contextHeader; private readonly IBCryptGenRandom _genRandom; private readonly BCryptAlgorithmHandle _hmacAlgorithmHandle; @@ -44,9 +38,6 @@ namespace Microsoft.AspNet.DataProtection.Cng public CbcAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, BCryptAlgorithmHandle hmacAlgorithmHandle, IBCryptGenRandom genRandom = null) { - CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, - "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); - _genRandom = genRandom ?? BCryptGenRandomImpl.Instance; _sp800_108_ctr_hmac_provider = SP800_108_CTR_HMACSHA512Util.CreateProvider(keyDerivationKey); _symmetricAlgorithmHandle = symmetricAlgorithmHandle; 
@@ -56,14 +47,10 @@ namespace Microsoft.AspNet.DataProtection.Cng _hmacAlgorithmDigestLengthInBytes = hmacAlgorithmHandle.GetHashDigestLength(); _hmacAlgorithmSubkeyLengthInBytes = _hmacAlgorithmDigestLengthInBytes; // for simplicity we'll generate HMAC subkeys with a length equal to the digest length - CryptoUtil.Assert(SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES, - "SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); - - CryptoUtil.Assert(HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _hmacAlgorithmDigestLengthInBytes, - "HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _hmacAlgorithmDigestLengthInBytes"); - - CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= _hmacAlgorithmSubkeyLengthInBytes && _hmacAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES, - "KEY_MODIFIER_SIZE_IN_BYTES <= _hmacAlgorithmSubkeyLengthInBytes && _hmacAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES"); + // Argument checking on the algorithms and lengths passed in to us + AlgorithmAssert.IsAllowableSymmetricAlgorithmBlockSize(checked(_symmetricAlgorithmBlockSizeInBytes * 8)); + AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked(_symmetricAlgorithmSubkeyLengthInBytes * 8)); + AlgorithmAssert.IsAllowableValidationAlgorithmDigestSize(checked(_hmacAlgorithmDigestLengthInBytes * 8)); _contextHeader = CreateContextHeader(); } diff --git a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs index 13b583c4bf..791f6a5915 100644 --- a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs 
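Review bot: The three `AlgorithmAssert.IsAllowable…` calls replace asserts that also capped the block size, key size and HMAC subkey length at `Constants.MAX_STACKALLOC_BYTES` and required the HMAC subkey to be at least `KEY_MODIFIER_SIZE_IN_BYTES`. `AlgorithmAssert` is not visible in this hunk, so it is unclear whether those bounds are still enforced. If these lengths still size stack buffers elsewhere in the class (an assumption, that code is outside the hunk), an explicit guard such as `CryptoUtil.Assert(_symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES, "_symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES");` should stay, or a comment should say where the bound now lives. The same applies to the key-size assert removed from the `GcmAuthenticatedEncryptor` constructor later in this patch. The constructor body starts outside this hunk.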
@@ -23,6 +23,22 @@ namespace Microsoft.AspNet.DataProtection.Cng private static readonly byte[] _purpose = Encoding.UTF8.GetBytes("DPAPI-Protected Secret"); + // Probes to see if protecting to the current Windows user account is available. + // In theory this should never fail if the user profile is available, so it's more a defense-in-depth check. + public static bool CanProtectToCurrentUserAccount() + { + try + { + Guid dummy; + ProtectWithDpapi(new Secret((byte*)&dummy, sizeof(Guid)), protectToLocalMachine: false); + return true; + } + catch + { + return false; + } + } + public static byte[] ProtectWithDpapi(ISecret secret, bool protectToLocalMachine = false) { Debug.Assert(secret != null); @@ -35,7 +51,7 @@ namespace Microsoft.AspNet.DataProtection.Cng secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); fixed (byte* pbPurpose = _purpose) { - return ProtectWithDpapiImpl(pbPlaintextSecret, (uint)plaintextSecret.Length, pbPurpose, (uint)_purpose.Length, fLocalMachine: protectToLocalMachine); + return ProtectWithDpapiCore(pbPlaintextSecret, (uint)plaintextSecret.Length, pbPurpose, (uint)_purpose.Length, fLocalMachine: protectToLocalMachine); } } finally @@ -46,7 +62,7 @@ namespace Microsoft.AspNet.DataProtection.Cng } } - internal static byte[] ProtectWithDpapiImpl(byte* pbSecret, uint cbSecret, byte* pbOptionalEntropy, uint cbOptionalEntropy, bool fLocalMachine = false) + internal static byte[] ProtectWithDpapiCore(byte* pbSecret, uint cbSecret, byte* pbOptionalEntropy, uint cbOptionalEntropy, bool fLocalMachine = false) { byte dummy; // provides a valid memory address if the secret or entropy has zero length 
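Review bot: The bare `catch` in `CanProtectToCurrentUserAccount` turns every failure into `false`, including ones unrelated to DPAPI availability, so the cause is lost. If callers use this probe to choose how keys are protected at rest (an inference from the comment), an unexpected error would silently select the fallback path. I would catch only the exception type `ProtectWithDpapiCore` raises on failure, or at least record the exception before returning `false`. The probe `Secret` is also never disposed; if `Secret` is `IDisposable` as elsewhere in this library, wrap it: `using (var probe = new Secret((byte*)&dummy, sizeof(Guid)))`.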
@@ -110,7 +126,7 @@ namespace Microsoft.AspNet.DataProtection.Cng secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); byte dummy; // used to provide a valid memory address if secret is zero-length - return ProtectWithDpapiNGImpl( + return ProtectWithDpapiNGCore( protectionDescriptorHandle: protectionDescriptorHandle, pbData: (pbPlaintextSecret != null) ? pbPlaintextSecret : &dummy, cbData: (uint)plaintextSecret.Length); @@ -123,7 +139,7 @@ namespace Microsoft.AspNet.DataProtection.Cng } } - private static byte[] ProtectWithDpapiNGImpl(NCryptDescriptorHandle protectionDescriptorHandle, byte* pbData, uint cbData) + private static byte[] ProtectWithDpapiNGCore(NCryptDescriptorHandle protectionDescriptorHandle, byte* pbData, uint cbData) { Debug.Assert(protectionDescriptorHandle != null); Debug.Assert(pbData != null); @@ -141,7 +157,7 @@ namespace Microsoft.AspNet.DataProtection.Cng ppbProtectedBlob: out protectedData, pcbProtectedBlob: out cbProtectedData); UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); - CryptoUtil.Assert(protectedData != null && !protectedData.IsInvalid, "protectedData != null && !protectedData.IsInvalid"); + CryptoUtil.AssertSafeHandleIsValid(protectedData); // Copy the data from LocalAlloc-allocated memory into a managed memory buffer. using (protectedData) 
@@ -181,12 +197,12 @@ namespace Microsoft.AspNet.DataProtection.Cng { fixed (byte* pbPurpose = _purpose) { - return UnprotectWithDpapiImpl(pbProtectedSecret, (uint)protectedSecret.Length, pbPurpose, (uint)_purpose.Length); + return UnprotectWithDpapiCore(pbProtectedSecret, (uint)protectedSecret.Length, pbPurpose, (uint)_purpose.Length); } } } - internal static Secret UnprotectWithDpapiImpl(byte* pbProtectedData, uint cbProtectedData, byte* pbOptionalEntropy, uint cbOptionalEntropy) + internal static Secret UnprotectWithDpapiCore(byte* pbProtectedData, uint cbProtectedData, byte* pbOptionalEntropy, uint cbOptionalEntropy) { byte dummy; // provides a valid memory address if the secret or entropy has zero length @@ -242,13 +258,13 @@ namespace Microsoft.AspNet.DataProtection.Cng fixed (byte* pbProtectedData = protectedData) { byte dummy; // used to provide a valid memory address if protected data is zero-length - return UnprotectWithDpapiNGImpl( + return UnprotectWithDpapiNGCore( pbData: (pbProtectedData != null) ? pbProtectedData : &dummy, cbData: (uint)protectedData.Length); } } - private static Secret UnprotectWithDpapiNGImpl(byte* pbData, uint cbData) + private static Secret UnprotectWithDpapiNGCore(byte* pbData, uint cbData) { Debug.Assert(pbData != null); @@ -265,7 +281,7 @@ namespace Microsoft.AspNet.DataProtection.Cng ppbData: out unencryptedPayloadHandle, pcbData: out cbUnencryptedPayload); UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); - CryptoUtil.Assert(unencryptedPayloadHandle != null && !unencryptedPayloadHandle.IsInvalid, "unencryptedPayloadHandle != null && !unencryptedPayloadHandle.IsInvalid"); + CryptoUtil.AssertSafeHandleIsValid(unencryptedPayloadHandle); // Copy the data from LocalAlloc-allocated memory into a CryptProtectMemory-protected buffer. // There's a small window between NCryptUnprotectSecret returning and the call to PrepareConstrainedRegions 
@@ -293,5 +309,50 @@ namespace Microsoft.AspNet.DataProtection.Cng } } } + + public static string GetRuleFromDpapiNGProtectedPayload(byte[] protectedData) + { + Debug.Assert(protectedData != null); + + fixed (byte* pbProtectedData = protectedData) + { + byte dummy; // used to provide a valid memory address if protected data is zero-length + return GetRuleFromDpapiNGProtectedPayloadCore( + pbData: (pbProtectedData != null) ? pbProtectedData : &dummy, + cbData: (uint)protectedData.Length); + } + } + + private static string GetRuleFromDpapiNGProtectedPayloadCore(byte* pbData, uint cbData) + { + // from ncryptprotect.h + const uint NCRYPT_UNPROTECT_NO_DECRYPT = 0x00000001; + + NCryptDescriptorHandle descriptorHandle; + LocalAllocHandle unprotectedDataHandle; + uint cbUnprotectedData; + int ntstatus = UnsafeNativeMethods.NCryptUnprotectSecret( + phDescriptor: out descriptorHandle, + dwFlags: NCRYPT_UNPROTECT_NO_DECRYPT, + pbProtectedBlob: pbData, + cbProtectedBlob: cbData, + pMemPara: IntPtr.Zero, + hWnd: IntPtr.Zero, + ppbData: out unprotectedDataHandle, + pcbData: out cbUnprotectedData); + UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); + CryptoUtil.AssertSafeHandleIsValid(descriptorHandle); + + if (unprotectedDataHandle != null && !unprotectedDataHandle.IsInvalid) + { + // we don't care about this value + unprotectedDataHandle.Dispose(); + } + + using (descriptorHandle) + { + return descriptorHandle.GetProtectionDescriptorRuleString(); + } + } } } diff --git a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index a7998c0885..5176da5fc6 100644 --- a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs 
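Review bot: `GetRuleFromDpapiNGProtectedPayload` has no doc comment saying that the rule string is read with `NCRYPT_UNPROTECT_NO_DECRYPT`, i.e. without decrypting the payload. Callers cannot tell from the signature that the value comes from a blob which has not been through a successful unprotect. I would add a comment on the public method along the lines of `// Reads the protection descriptor rule from the blob without decrypting it; the result describes the blob and does not show that it can be unprotected.` In `GetRuleFromDpapiNGProtectedPayloadCore`, `CryptoUtil.AssertSafeHandleIsValid(descriptorHandle)` runs before `unprotectedDataHandle` is disposed, so a failed assert leaves that handle to the finalizer; disposing it first avoids this. The Core method also lacks the `Debug.Assert(pbData != null);` that the sibling `…NGCore` helpers in this file have.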
@@ -5,6 +5,7 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.SP800_108; namespace Microsoft.AspNet.DataProtection.Cng @@ -38,9 +39,10 @@ namespace Microsoft.AspNet.DataProtection.Cng public GcmAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHandle symmetricAlgorithmHandle, uint symmetricAlgorithmKeySizeInBytes, IBCryptGenRandom genRandom = null) { - CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, - "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); - + // Is the key size appropriate? + AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked(symmetricAlgorithmKeySizeInBytes * 8)); + CryptoUtil.Assert(symmetricAlgorithmHandle.GetCipherBlockLength() == 128 / 8, "GCM requires a block cipher algorithm with a 128-bit block size."); + _genRandom = genRandom ?? BCryptGenRandomImpl.Instance; _sp800_108_ctr_hmac_provider = SP800_108_CTR_HMACSHA512Util.CreateProvider(keyDerivationKey); _symmetricAlgorithmHandle = symmetricAlgorithmHandle; diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs new file mode 100644 index 0000000000..2fa1164d04 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs 
@@ -0,0 +1,372 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.ComponentModel; +using System.IO; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Internal; +using Microsoft.Win32; + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +using System.Security.Cryptography.X509Certificates; +#endif + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Provides access to configuration for the data protection system, which allows the + /// developer to configure default cryptographic algorithms, key storage locations, + /// and the mechanism by which keys are protected at rest. + /// + /// + /// + /// If the developer changes the at-rest key protection mechanism, it is intended that + /// he also change the key storage location, and vice versa. For instance, a call to + /// should generally be accompanied by + /// a call to , or exceptions may + /// occur at runtime due to the data protection system not knowing where to persist keys. + /// + /// + /// Similarly, when a developer modifies the default protected payload cryptographic + /// algorithms, it is intended that he also select an explitiy key storage location. + /// A call to + /// should therefore generally be paired with a call to , + /// for example. + /// + /// + /// When the default cryptographic algorithms or at-rest key protection mechanisms are + /// changed, they only affect new keys in the repository. The repository may + /// contain existing keys that use older algorithms or protection mechanisms. 
+ /// + /// + public class DataProtectionConfiguration + { + /// + /// Creates a new configuration object linked to a . + /// + public DataProtectionConfiguration([NotNull] IServiceCollection services) + { + Services = services; + } + + /// + /// Provides access to the passed to this object's constructor. + /// + [EditorBrowsable(EditorBrowsableState.Never)] + public IServiceCollection Services { get; } + + /// + /// Registers a to perform escrow before keys are persisted to storage. + /// + /// The instance of the to register. + /// The 'this' instance. + /// + /// Registrations are additive. + /// + public DataProtectionConfiguration AddKeyEscrowSink([NotNull] IKeyEscrowSink sink) + { + Services.AddInstance(sink); + return this; + } + + /// + /// Registers a to perform escrow before keys are persisted to storage. + /// + /// The concrete type of the to register. + /// The 'this' instance. + /// + /// Registrations are additive. + /// + public DataProtectionConfiguration AddKeyEscrowSink() + where TImplementation : IKeyEscrowSink + { + Services.AddSingleton(); + return this; + } + + /// + /// Registers a to perform escrow before keys are persisted to storage. + /// + /// A factory that creates the instance. + /// The 'this' instance. + /// + /// Registrations are additive. + /// + public DataProtectionConfiguration AddKeyEscrowSink([NotNull] Func factory) + { + Services.AddSingleton(factory); + return this; + } + + /// + /// Configures miscellaneous global options. + /// + /// A callback that configures the global options. + /// The 'this' instance. + public DataProtectionConfiguration ConfigureGlobalOptions([NotNull] Action setupAction) + { + Services.Configure(setupAction); + return this; + } + + /// + /// Configures the data protection system to persist keys to the specified directory. + /// This path may be on the local machine or may point to a UNC share. + /// + /// The directory in which to store keys. + /// The 'this' instance. 
+ public DataProtectionConfiguration PersistKeysToFileSystem([NotNull] DirectoryInfo directory) + { + Use(DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory)); + return this; + } + + /// + /// Configures the data protection system to persist keys to the Windows registry. + /// + /// The location in the registry where keys should be stored. + /// The 'this' instance. + public DataProtectionConfiguration PersistKeysToRegistry([NotNull] RegistryKey registryKey) + { + Use(DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey)); + return this; + } + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + + /// + /// Configures keys to be encrypted to a given certificate before being persisted to storage. + /// + /// The certificate to use when encrypting keys. + /// The 'this' instance. + public DataProtectionConfiguration ProtectKeysWithCertificate([NotNull] X509Certificate2 certificate) + { + Use(DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate)); + return this; + } + + /// + /// Configures keys to be encrypted to a given certificate before being persisted to storage. + /// + /// The thumbprint of the certificate to use when encrypting keys. + /// The 'this' instance. + public DataProtectionConfiguration ProtectKeysWithCertificate([NotNull] string thumbprint) + { + // Make sure the thumbprint corresponds to a valid certificate. + if (new CertificateResolver().ResolveCertificate(thumbprint) == null) + { + throw Error.CertificateXmlEncryptor_CertificateNotFound(thumbprint); + } + + // ICertificateResolver is necessary for this type to work correctly, so register it + // if it doesn't already exist. 
+ Services.TryAdd(DataProtectionServiceDescriptors.ICertificateResolver_Default()); + Use(DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(thumbprint)); + return this; + } + +#endif + + /// + /// Configures keys to be encrypted with Windows DPAPI before being persisted to + /// storage. The encrypted key will only be decryptable by the current Windows user account. + /// + /// The 'this' instance. + /// + /// This API is only supported on Windows platforms. + /// + public DataProtectionConfiguration ProtectKeysWithDpapi() + { + return ProtectKeysWithDpapi(protectToLocalMachine: false); + } + + /// + /// Configures keys to be encrypted with Windows DPAPI before being persisted to + /// storage. + /// + /// 'true' if the key should be decryptable by any + /// use on the local machine, 'false' if the key should only be decryptable by the current + /// Windows user account. + /// The 'this' instance. + /// + /// This API is only supported on Windows platforms. + /// + public DataProtectionConfiguration ProtectKeysWithDpapi(bool protectToLocalMachine) + { + Use(DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine)); + return this; + } + + /// + /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted + /// to storage. The keys will be decryptable by the current Windows user account. + /// + /// The 'this' instance. + /// + /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh706794(v=vs.85).aspx + /// for more information on DPAPI-NG. This API is only supported on Windows 8 / Windows Server 2012 and higher. + /// + public DataProtectionConfiguration ProtectKeysWithDpapiNG() + { + return ProtectKeysWithDpapiNG( + protectionDescriptorRule: DpapiNGXmlEncryptor.GetDefaultProtectionDescriptorString(), + flags: DpapiNGProtectionDescriptorFlags.None); + } + + /// + /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted to storage. 
+ /// + /// The descriptor rule string with which to protect the key material. + /// Flags that should be passed to the call to 'NCryptCreateProtectionDescriptor'. + /// The default value of this parameter is . + /// The 'this' instance. + /// + /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx + /// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx + /// for more information on valid values for the the + /// and arguments. + /// This API is only supported on Windows 8 / Windows Server 2012 and higher. + /// + public DataProtectionConfiguration ProtectKeysWithDpapiNG([NotNull] string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) + { + Use(DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags)); + return this; + } + + /// + /// Sets the default lifetime of keys created by the data protection system. + /// + /// The lifetime (time before expiration) for newly-created keys. + /// See for more information and + /// usage notes. + /// The 'this' instance. + public DataProtectionConfiguration SetDefaultKeyLifetime(TimeSpan lifetime) + { + Services.Configure(options => + { + options.NewKeyLifetime = lifetime; + }); + return this; + } + + /// + /// Configures the data protection system to persist keys in storage as plaintext. + /// + /// The 'this' instance. + /// + /// Caution: cryptographic key material will not be protected at rest. + /// + public DataProtectionConfiguration SuppressProtectionOfKeysAtRest() + { + RemoveAllServicesOfType(typeof(IXmlEncryptor)); + return this; + } + + /// + /// Configures the data protection system to use the specified cryptographic algorithms + /// by default when generating protected payloads. + /// + /// Information about what cryptographic algorithms should be used. + /// The 'this' instance. 
+ public DataProtectionConfiguration UseCryptographicAlgorithms([NotNull] AuthenticatedEncryptionOptions options) + { + return UseCryptographicAlgorithmsCore(options); + } + + /// + /// Configures the data protection system to use custom Windows CNG algorithms. + /// This API is intended for advanced scenarios where the developer cannot use the + /// algorithms specified in the and + /// enumerations. + /// + /// Information about what cryptographic algorithms should be used. + /// The 'this' instance. + /// + /// This API is only available on Windows. + /// + [EditorBrowsable(EditorBrowsableState.Advanced)] + public DataProtectionConfiguration UseCustomCryptographicAlgorithms([NotNull] CngCbcAuthenticatedEncryptionOptions options) + { + return UseCryptographicAlgorithmsCore(options); + } + + /// + /// Configures the data protection system to use custom Windows CNG algorithms. + /// This API is intended for advanced scenarios where the developer cannot use the + /// algorithms specified in the and + /// enumerations. + /// + /// Information about what cryptographic algorithms should be used. + /// The 'this' instance. + /// + /// This API is only available on Windows. + /// + [EditorBrowsable(EditorBrowsableState.Advanced)] + public DataProtectionConfiguration UseCustomCryptographicAlgorithms([NotNull] CngGcmAuthenticatedEncryptionOptions options) + { + return UseCryptographicAlgorithmsCore(options); + } + + /// + /// Configures the data protection system to use custom algorithms. + /// This API is intended for advanced scenarios where the developer cannot use the + /// algorithms specified in the and + /// enumerations. + /// + /// Information about what cryptographic algorithms should be used. + /// The 'this' instance. 
+ [EditorBrowsable(EditorBrowsableState.Advanced)] + public DataProtectionConfiguration UseCustomCryptographicAlgorithms([NotNull] ManagedAuthenticatedEncryptionOptions options) + { + return UseCryptographicAlgorithmsCore(options); + } + + private DataProtectionConfiguration UseCryptographicAlgorithmsCore(IInternalAuthenticatedEncryptionOptions options) + { + options.Validate(); // perform self-test + Use(DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromOptions(options)); + return this; + } + + /// + /// Configures the data protection system to use the + /// for data protection services. + /// + /// The 'this' instance. + /// + /// If this option is used, payloads protected by the data protection system will + /// be permanently undecipherable after the application exits. + /// + public DataProtectionConfiguration UseEphemeralDataProtectionProvider() + { + Use(DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral()); + return this; + } + + /* + * UTILITY ISERVICECOLLECTION METHODS + */ + + private void RemoveAllServicesOfType(Type serviceType) + { + // We go backward since we're modifying the collection in-place. + for (int i = Services.Count - 1; i >= 0; i--) + { + if (Services[i]?.ServiceType == serviceType) + { + Services.RemoveAt(i); + } + } + } + + private void Use(ServiceDescriptor descriptor) + { + RemoveAllServicesOfType(descriptor.ServiceType); + Services.Add(descriptor); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs index 38397f0c68..f2709b584f 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs 
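Review bot: `PersistKeysToFileSystem` and `PersistKeysToRegistry` document where keys are stored but not how they are protected there. The comment in `DataProtectionServices.GetDefaultServices` later in this patch says the default encryptor/repository pairing is not used once either one is specified explicitly, so calling one of these methods alone appears to leave keys stored without encryption at rest, which matters most for the UNC-share case the summary mentions. I would add a remarks line such as `/// Keys are persisted unencrypted unless a ProtectKeysWith* method is also called.` (wording to be confirmed against the key manager's behaviour), mirroring the caution already present on `SuppressProtectionOfKeysAtRest`.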
@@ -2,8 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
-using System.Diagnostics;
-using Microsoft.AspNet.Cryptography;
+using Microsoft.Framework.Internal;
 namespace Microsoft.AspNet.DataProtection
 {
@@ -22,81 +21,5 @@ namespace Microsoft.AspNet.DataProtection return (protector as ITimeLimitedDataProtector) ?? new TimeLimitedDataProtector(protector.CreateProtector(TimeLimitedDataProtector.PurposeString)); } - - /// - /// Creates an IDataProtector given an array of purposes. - /// - /// The provider from which to generate the purpose chain. - /// - /// This is a convenience method used for chaining several purposes together - /// in a single call to CreateProtector. See the documentation of - /// IDataProtectionProvider.CreateProtector for more information. - /// - /// An IDataProtector tied to the provided purpose chain. - public static IDataProtector CreateProtector([NotNull] this IDataProtectionProvider provider, params string[] purposes) - { - if (purposes == null || purposes.Length == 0) - { - throw new ArgumentException(Resources.DataProtectionExtensions_NullPurposesArray, nameof(purposes)); - } - - IDataProtectionProvider retVal = provider; - foreach (string purpose in purposes) - { - if (String.IsNullOrEmpty(purpose)) - { - throw new ArgumentException(Resources.DataProtectionExtensions_NullPurposesArray, nameof(purposes)); - } - retVal = retVal.CreateProtector(purpose) ?? CryptoUtil.Fail("CreateProtector returned null."); - } - - Debug.Assert(retVal is IDataProtector); // CreateProtector is supposed to return an instance of this interface - return (IDataProtector)retVal; - } - - /// - /// Cryptographically protects a piece of plaintext data. - /// - /// The data protector to use for this operation. - /// The plaintext data to protect. - /// The protected form of the plaintext data. 
- public static string Protect([NotNull] this IDataProtector protector, [NotNull] string unprotectedData) - { - try - { - byte[] unprotectedDataAsBytes = EncodingUtil.SecureUtf8Encoding.GetBytes(unprotectedData); - byte[] protectedDataAsBytes = protector.Protect(unprotectedDataAsBytes); - return WebEncoders.Base64UrlEncode(protectedDataAsBytes); - } - catch (Exception ex) when (ex.RequiresHomogenization()) - { - // Homogenize exceptions to CryptographicException - throw Error.CryptCommon_GenericError(ex); - } - } - - /// - /// Cryptographically unprotects a piece of protected data. - /// - /// The data protector to use for this operation. - /// The protected data to unprotect. - /// The plaintext form of the protected data. - /// - /// This method will throw CryptographicException if the input is invalid or malformed. - /// - public static string Unprotect([NotNull] this IDataProtector protector, [NotNull] string protectedData) - { - try - { - byte[] protectedDataAsBytes = WebEncoders.Base64UrlDecode(protectedData); - byte[] unprotectedDataAsBytes = protector.Unprotect(protectedDataAsBytes); - return EncodingUtil.SecureUtf8Encoding.GetString(unprotectedDataAsBytes); - } - catch (Exception ex) when (ex.RequiresHomogenization()) - { - // Homogenize exceptions to CryptographicException - throw Error.CryptCommon_GenericError(ex); - } - } } } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs index ccd32586f8..1c6f998012 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs 
@@ -5,8 +5,21 @@ using System; namespace Microsoft.AspNet.DataProtection { + /// + /// Provides global options for the Data Protection system. + /// public class DataProtectionOptions { + /// + /// An identifier that uniquely discriminates this application from all other + /// applications on the machine. The discriminator value is implicitly included + /// in all protected payloads generated by the data protection system to isolate + /// multiple logical applications that all happen to be using the same key material. + /// + /// + /// If two different applications need to share protected payloads, they should + /// ensure that this property is set to the same value across both applications. + /// public string ApplicationDiscriminator { get; set; } } } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs new file mode 100644 index 0000000000..20d42ee09e --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs 
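Review bot: The new remarks on `ApplicationDiscriminator` do not say what an unset value means. `GetProviderFromServices` in this patch applies the discriminator only when it is non-empty, so with a null or empty value applications that share key material are not isolated from each other. A sentence such as `/// If null or empty, no per-application isolation is applied.` would make that explicit. It may also be worth stating that the discriminator is an isolation label rather than a secret.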
@@ -0,0 +1,89 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Internal; +using Microsoft.Framework.OptionsModel; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Contains static factory methods for creating instances. + /// + public static class DataProtectionProvider + { + /// + /// Creates an ephemeral . + /// + /// An ephemeral . + /// + /// Payloads generated by any given instance of an + /// can only be unprotected by that same provider instance. Once an instance of an ephemeral + /// provider is lost, all payloads generated by that provider are permanently undecipherable. + /// + public static EphemeralDataProtectionProvider CreateNewEphemeralProvider() + { + return CreateNewEphemeralProvider(services: null); + } + + /// + /// Creates an ephemeral . + /// + /// Optional services (such as logging) for use by the provider. + /// An ephemeral . + /// + /// Payloads generated by any given instance of an + /// can only be unprotected by that same provider instance. Once an instance of an ephemeral + /// provider is lost, all payloads generated by that provider are permanently undecipherable. + /// + public static EphemeralDataProtectionProvider CreateNewEphemeralProvider(IServiceProvider services) + { + return new EphemeralDataProtectionProvider(services); + } + + /// + /// Creates an given an . + /// + /// The global options to use when creating the provider. + /// Provides mandatory services for use by the provider. + /// An . 
+ public static IDataProtectionProvider GetProviderFromServices([NotNull] DataProtectionOptions options, [NotNull] IServiceProvider services) + { + return GetProviderFromServices(options, services, mustCreateImmediately: false); + } + + internal static IDataProtectionProvider GetProviderFromServices([NotNull] DataProtectionOptions options, [NotNull] IServiceProvider services, bool mustCreateImmediately) + { + IDataProtectionProvider dataProtectionProvider = null; + + // If we're being asked to create the provider immediately, then it means that + // we're already in a call to GetService, and we're responsible for supplying + // the default implementation ourselves. We can't call GetService again or + // else we risk stack diving. + if (!mustCreateImmediately) + { + dataProtectionProvider = services.GetService(); + } + + // If all else fails, create a keyring manually based on the other registered services. + if (dataProtectionProvider == null) + { + var keyRingProvider = new KeyRingProvider( + keyManager: services.GetRequiredService(), + keyLifetimeOptions: services.GetService>()?.Options, // might be null + services: services); + dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, services); + } + + // Finally, link the provider to the supplied discriminator + if (!String.IsNullOrEmpty(options.ApplicationDiscriminator)) + { + dataProtectionProvider = dataProtectionProvider.CreateProtector(options.ApplicationDiscriminator); + } + + return dataProtectionProvider; + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index 14832f8d5d..c7f2ca16b7 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs 
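Review bot: In `GetProviderFromServices`, a provider resolved from `services` is still wrapped with `options.ApplicationDiscriminator`, even though the default registration (`IDataProtectionProvider_Default`, later in this patch) builds its provider through this same method and so appears to have applied the container's discriminator once already. If that reading is right, payloads from the public overload carry the discriminator purpose twice while a provider resolved directly from the container carries it once, and the two cannot read each other's payloads. A comment at the `// Finally, link the provider to the supplied discriminator` step should say whether this is intended, e.g. `// Note: a provider resolved from the container may already be scoped to its own discriminator.`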
@@ -2,156 +2,39 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Collections.Generic; -using System.IO; -using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.Dpapi; -using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.AspNet.DataProtection.Repositories; -using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.Framework.Internal; namespace Microsoft.Framework.DependencyInjection { + /// + /// Allows registering and configuring Data Protection in the application. + /// public static class DataProtectionServiceCollectionExtensions { - public static IServiceCollection AddDataProtection(this IServiceCollection services) + /// + /// Adds default Data Protection services to an . + /// + /// The service collection to which to add DataProtection services. + /// The instance. + public static IServiceCollection AddDataProtection([NotNull] this IServiceCollection services) { services.AddOptions(); - services.TryAdd(OSVersionUtil.IsBCryptOnWin7OrLaterAvailable() - ? GetDefaultServicesWindows() - : GetDefaultServicesNonWindows()); + services.TryAdd(DataProtectionServices.GetDefaultServices()); return services; } - private static IEnumerable GetDefaultServicesNonWindows() + /// + /// Configures the behavior of the Data Protection system. + /// + /// A service collection to which Data Protection has already been added. + /// A callback which takes a parameter. + /// This callback will be responsible for configuring the system. + /// The instance. + public static IServiceCollection ConfigureDataProtection([NotNull] this IServiceCollection services, [NotNull] Action configure) { - // If we're not running on Windows, we can't use CNG. - - // TODO: Replace this with something else. 
Mono's implementation of the - // DPAPI routines don't provide authenticity. - return new[] - { - ServiceDescriptor.Instance(new DpapiDataProtectionProvider(DataProtectionScope.CurrentUser)) - }; - } - - private static IEnumerable GetDefaultServicesWindows() - { - List descriptors = new List(); - - // Are we running in Azure Web Sites? - DirectoryInfo azureWebSitesKeysFolder = TryGetKeysFolderForAzureWebSites(); - if (azureWebSitesKeysFolder != null) - { - // We'll use a null protector at the moment until the - // cloud DPAPI service comes online. - descriptors.AddRange(new[] - { - ServiceDescriptor.Singleton(), - ServiceDescriptor.Instance(new FileSystemXmlRepository(azureWebSitesKeysFolder)) - }); - } - else - { - // Are we running with the user profile loaded? - DirectoryInfo localAppDataKeysFolder = TryGetLocalAppDataKeysFolderForUser(); - if (localAppDataKeysFolder != null) - { - descriptors.AddRange(new[] - { - ServiceDescriptor.Instance(new DpapiXmlEncryptor(protectToLocalMachine: false)), - ServiceDescriptor.Instance(new FileSystemXmlRepository(localAppDataKeysFolder)) - }); - } - else - { - // If we've reached this point, we have no user profile loaded. - - RegistryXmlRepository hklmRegXmlRepository = RegistryXmlRepository.GetDefaultRepositoryForHKLMRegistry(); - if (hklmRegXmlRepository != null) - { - // Have WAS and IIS created an auto-gen key folder in the HKLM registry for us? - // If so, use it as the repository, and use DPAPI as the key protection mechanism. - // We use same-machine DPAPI since we already know no user profile is loaded. - descriptors.AddRange(new[] - { - ServiceDescriptor.Instance(new DpapiXmlEncryptor(protectToLocalMachine: true)), - ServiceDescriptor.Instance(hklmRegXmlRepository) - }); - } - else - { - // Fall back to DPAPI for now - return new[] { - ServiceDescriptor.Instance(new DpapiDataProtectionProvider(DataProtectionScope.LocalMachine)) - }; - } - } - } - - // We use CNG CBC + HMAC by default. 
- descriptors.AddRange(new[] - { - ServiceDescriptor.Singleton(), - ServiceDescriptor.Singleton(), - ServiceDescriptor.Singleton() - }); - - return descriptors; - } - - private static DirectoryInfo TryGetKeysFolderForAzureWebSites() - { - // There are two environment variables we care about. - if (String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"))) - { - return null; - } - - string homeEnvVar = Environment.GetEnvironmentVariable("HOME"); - if (String.IsNullOrEmpty(homeEnvVar)) - { - return null; - } - - // TODO: Remove BETA moniker from below. - string fullPathToKeys = Path.Combine(homeEnvVar, "ASP.NET", "keys-BETA6"); - return new DirectoryInfo(fullPathToKeys); - } - - private static DirectoryInfo TryGetLocalAppDataKeysFolderForUser() - { -#if !DNXCORE50 - // Environment.GetFolderPath returns null if the user profile isn't loaded. - string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); - if (!String.IsNullOrEmpty(folderPath)) - { - // TODO: Remove BETA moniker from below. - return new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA6")); - } - else - { - return null; - } -#else - // On core CLR, we need to fall back to environment variables. - string folderPath = Environment.GetEnvironmentVariable("LOCALAPPDATA") - ?? Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "AppData", "Local"); - - // TODO: Remove BETA moniker from below. - DirectoryInfo retVal = new DirectoryInfo(Path.Combine(folderPath, "ASP.NET", "keys-BETA6")); - try - { - retVal.Create(); // throws if we don't have access, e.g., user profile not loaded - return retVal; - } catch - { - return null; - } -#endif + configure(new DataProtectionConfiguration(services)); + return services; } } } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs new file mode 100644 index 0000000000..5a1c08ca29 
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
@@ -0,0 +1,187 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.IO; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.Framework.OptionsModel; +using Microsoft.Win32; + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +using System.Security.Cryptography.X509Certificates; +#endif + +namespace Microsoft.Framework.DependencyInjection +{ + /// + /// Default instances for the Data Protection system. + /// + internal static class DataProtectionServiceDescriptors + { + /// + /// An backed by the host-provided defaults. + /// + public static ServiceDescriptor ConfigureOptions_DataProtectionOptions() + { + return ServiceDescriptor.Transient>(services => + { + return new ConfigureOptions(options => + { + options.ApplicationDiscriminator = services.GetService()?.Discriminator; + }); + }); + } + + /// + /// An where the key lifetime is specified explicitly. + /// + + public static ServiceDescriptor ConfigureOptions_DefaultKeyLifetime(int numDays) + { + return ServiceDescriptor.Transient>(services => + { + return new ConfigureOptions(options => + { + options.NewKeyLifetime = TimeSpan.FromDays(numDays); + }); + }); + } + + /// + /// An backed by default algorithmic options. + /// + public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_Default() + { + return IAuthenticatedEncryptorConfiguration_FromOptions(new AuthenticatedEncryptionOptions()); + } + + /// + /// An backed by an . 
+ /// + public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_FromOptions(IInternalAuthenticatedEncryptionOptions options) + { + // We don't flow services since there's nothing interesting to flow. + return ServiceDescriptor.Singleton(services => options.ToConfiguration()); + } + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + /// + /// An backed by the default implementation. + /// + public static ServiceDescriptor ICertificateResolver_Default() + { + return ServiceDescriptor.Singleton(); + } +#endif + + /// + /// An backed by the default keyring. + /// + public static ServiceDescriptor IDataProtectionProvider_Default() + { + return ServiceDescriptor.Singleton( + services => DataProtectionProvider.GetProviderFromServices( + options: services.GetRequiredService>().Options, + services: services, + mustCreateImmediately: true /* this is the ultimate fallback */)); + } + + /// + /// An ephemeral . + /// + public static ServiceDescriptor IDataProtectionProvider_Ephemeral() + { + return ServiceDescriptor.Singleton(services => new EphemeralDataProtectionProvider(services)); + } + + /// + /// An backed by a given implementation type. + /// + /// + /// The implementation type name is provided as a string so that we can provide activation services. + /// + public static ServiceDescriptor IKeyEscrowSink_FromTypeName(string implementationTypeName) + { + return ServiceDescriptor.Singleton(services => services.GetActivator().CreateInstance(implementationTypeName)); + } + + /// + /// An backed by the default XML key manager. + /// + public static ServiceDescriptor IKeyManager_Default() + { + return ServiceDescriptor.Singleton(services => new XmlKeyManager(services)); + } + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + + /// + /// An backed by an X.509 certificate. 
+ /// + public static ServiceDescriptor IXmlEncryptor_Certificate(X509Certificate2 certificate) + { + return ServiceDescriptor.Singleton(services => new CertificateXmlEncryptor(certificate, services)); + } + + /// + /// An backed by an X.509 certificate. + /// + public static ServiceDescriptor IXmlEncryptor_Certificate(string thumbprint) + { + return ServiceDescriptor.Singleton(services => new CertificateXmlEncryptor( + thumbprint: thumbprint, + certificateResolver: services.GetRequiredService(), + services: services)); + } + +#endif + + /// + /// An backed by DPAPI. + /// + public static ServiceDescriptor IXmlEncryptor_Dpapi(bool protectToMachine) + { + CryptoUtil.AssertPlatformIsWindows(); + return ServiceDescriptor.Singleton(services => new DpapiXmlEncryptor(protectToMachine, services)); + } + + /// + /// An backed by DPAPI-NG. + /// + public static ServiceDescriptor IXmlEncryptor_DpapiNG(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) + { + CryptoUtil.AssertPlatformIsWindows8OrLater(); + return ServiceDescriptor.Singleton(services => new DpapiNGXmlEncryptor(protectionDescriptorRule, flags, services)); + } + + /// + /// An backed by a file system. + /// + public static ServiceDescriptor IXmlRepository_FileSystem(DirectoryInfo directory) + { + return ServiceDescriptor.Singleton(services => new FileSystemXmlRepository(directory, services)); + } + + /// + /// An backed by volatile in-process memory. + /// + public static ServiceDescriptor IXmlRepository_InMemory() + { + return ServiceDescriptor.Singleton(services => new EphemeralXmlRepository(services)); + } + + /// + /// An backed by the Windows registry. + /// + public static ServiceDescriptor IXmlRepository_Registry(RegistryKey registryKey) + { + return ServiceDescriptor.Singleton(services => new RegistryXmlRepository(registryKey, services)); + } + } +} 
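Review bot: `IKeyEscrowSink_FromTypeName` instantiates whatever type `implementationTypeName` names, and its remarks do not say where that string is allowed to come from. The caller is outside this hunk, so this is a documentation request: add a line such as `/// The type name must come from administrator-controlled configuration; the type is activated in-process.` `ConfigureOptions_DefaultKeyLifetime(int numDays)` likewise passes `numDays` to `TimeSpan.FromDays` unchecked, so a zero or negative value would reach `NewKeyLifetime` unless it is validated elsewhere.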
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
new file mode 100644
index 0000000000..3589d588ba
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
@@ -0,0 +1,108 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.DataProtection; +using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.Repositories; + +namespace Microsoft.Framework.DependencyInjection +{ + /// + /// Provides access to default Data Protection instances. + /// + public static class DataProtectionServices + { + /// + /// Returns a collection of default instances that can be + /// used to bootstrap the Data Protection system. + /// + public static IEnumerable GetDefaultServices() + { + // Provide the default algorithmic information. + yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_Default(); + + // The default key services are a strange beast. We don't want to return + // IXmlEncryptor and IXmlRepository as-is because they almost always have to be + // set as a matched pair. Instead, our built-in key manager will use a meta-service + // which represents the default pairing (logic based on hosting environment as + // demonstrated below), and if the developer explicitly specifies one or the other + // we'll not use the fallback at all. + yield return ServiceDescriptor.Singleton(services => + { + ServiceDescriptor keyEncryptorDescriptor = null; + ServiceDescriptor keyRepositoryDescriptor = null; + + // If we're running in Azure Web Sites, the key repository goes in the %HOME% directory. + var azureWebSitesKeysFolder = FileSystemXmlRepository.GetKeyStorageDirectoryForAzureWebSites(); + if (azureWebSitesKeysFolder != null) + { + // Cloud DPAPI isn't yet available, so we don't encrypt keys at rest. 
+ // This isn't all that different than what Azure Web Sites does today, and we can always add this later. + keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_FileSystem(azureWebSitesKeysFolder); + } + else + { + // If the user profile is available, store keys in the user profile directory. + var localAppDataKeysFolder = FileSystemXmlRepository.DefaultKeyStorageDirectory; + if (localAppDataKeysFolder != null) + { + if (OSVersionUtil.IsWindows()) + { + // If the user profile is available, we can protect using DPAPI. + // Probe to see if protecting to local user is available, and use it as the default if so. + keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: !DpapiSecretSerializerHelper.CanProtectToCurrentUserAccount()); + } + keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_FileSystem(localAppDataKeysFolder); + } + else + { + // Use profile isn't available - can we use the HKLM registry? + var regKeyStorageKey = RegistryXmlRepository.DefaultRegistryKey; + if (regKeyStorageKey != null) + { + if (OSVersionUtil.IsWindows()) + { + // If the user profile isn't available, we can protect using DPAPI (to machine). + keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true); + } + keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey); + } + else + { + // Final fallback - use an ephemeral repository since we don't know where else to go. + // This can only be used for development scenarios. 
+ keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_InMemory(); + } + } + } + + return new DefaultKeyServices( + services: services, + keyEncryptorDescriptor: keyEncryptorDescriptor, + keyRepositoryDescriptor: keyRepositoryDescriptor); + }); + + // Provide root key management and data protection services + yield return DataProtectionServiceDescriptors.IKeyManager_Default(); + yield return DataProtectionServiceDescriptors.IDataProtectionProvider_Default(); + + // Provide services required for XML encryption +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + yield return DataProtectionServiceDescriptors.ICertificateResolver_Default(); +#endif + + // Hook up the logic which allows populating default options + yield return DataProtectionServiceDescriptors.ConfigureOptions_DataProtectionOptions(); + + // Finally, read and apply policy from the registry, overriding any other defaults. + foreach (var descriptor in RegistryPolicyResolver.ResolveDefaultPolicy()) + { + yield return descriptor; + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs deleted file mode 100644 index 1aa439e917..0000000000 --- a/src/Microsoft.AspNet.DataProtection/DefaultDataProtectionProvider.cs +++ /dev/null 
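Review bot: In `GetDefaultServices`, three branches of the fallback chain leave `keyEncryptorDescriptor` null (Azure Web Sites, a user profile on a non-Windows host, and the in-memory fallback), so key material is stored without encryption at rest and nothing in this hunk records that outcome. Only the Azure branch explains it in a comment. I would add one above the non-Windows file-system assignment, e.g. `// No IXmlEncryptor on this platform: keys are written unencrypted, so the directory's file permissions are the only protection.`, and log a warning before `new DefaultKeyServices(...)` whenever the encryptor descriptor is null. The in-memory branch is described as development-only but nothing visible enforces or reports it. The comment "Use profile isn't available" should read "User profile isn't available".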
@@ -1,39 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.OptionsModel; - -namespace Microsoft.AspNet.DataProtection -{ - public class DefaultDataProtectionProvider : IDataProtectionProvider - { - private readonly IDataProtectionProvider _innerProvider; - - public DefaultDataProtectionProvider() - { - // use DI defaults - var serviceProvider = new ServiceCollection().AddDataProtection().BuildServiceProvider(); - - _innerProvider = serviceProvider.GetRequiredService(); - } - - public DefaultDataProtectionProvider( - [NotNull] IOptions optionsAccessor, - [NotNull] IKeyManager keyManager) - { - KeyRingBasedDataProtectionProvider rootProvider = new KeyRingBasedDataProtectionProvider(new KeyRingProvider(keyManager)); - var options = optionsAccessor.Options; - _innerProvider = (!String.IsNullOrEmpty(options.ApplicationDiscriminator)) - ? (IDataProtectionProvider)rootProvider.CreateProtector(options.ApplicationDiscriminator) - : rootProvider; - } - - public IDataProtector CreateProtector([NotNull] string purpose) - { - return _innerProvider.CreateProtector(purpose); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs deleted file mode 100644 index e55496e2af..0000000000 --- a/src/Microsoft.AspNet.DataProtection/Dpapi/DataProtectionScope.cs +++ /dev/null 
@@ -1,30 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -// We only define this type in core CLR since desktop CLR already contains it. -#if DNXCORE50 -using System; - -namespace System.Security.Cryptography -{ - // - // Summary: - // Specifies the scope of the data protection to be applied by the System.Security.Cryptography.ProtectedData.Protect(System.Byte[],System.Byte[],System.Security.Cryptography.DataProtectionScope) - // method. - internal enum DataProtectionScope - { - // - // Summary: - // The protected data is associated with the current user. Only threads running - // under the current user context can unprotect the data. - CurrentUser, - // - // Summary: - // The protected data is associated with the machine context. Any process running - // on the computer can unprotect data. This enumeration value is usually used in - // server-specific applications that run on a server where untrusted users are not - // allowed access. - LocalMachine - } -} -#endif diff --git a/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtectionProvider.cs deleted file mode 100644 index e3c3dad792..0000000000 --- a/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtectionProvider.cs +++ /dev/null 
@@ -1,25 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography; - -namespace Microsoft.AspNet.DataProtection.Dpapi -{ - // Provides a temporary implementation of IDataProtectionProvider for non-Windows machines - // or for Windows machines where we can't depend on the user profile. - internal sealed class DpapiDataProtectionProvider : IDataProtectionProvider - { - private readonly DpapiDataProtector _innerProtector; - - public DpapiDataProtectionProvider(DataProtectionScope scope) - { - _innerProtector = new DpapiDataProtector(new ProtectedDataImpl(), new byte[0], scope); - } - - public IDataProtector CreateProtector([NotNull] string purpose) - { - return _innerProtector.CreateProtector(purpose); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtector.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtector.cs deleted file mode 100644 index df1c6d54a7..0000000000 --- a/src/Microsoft.AspNet.DataProtection/Dpapi/DpapiDataProtector.cs +++ /dev/null 
@@ -1,68 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.IO; -using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography; - -namespace Microsoft.AspNet.DataProtection.Dpapi -{ - // Provides a temporary implementation of IDataProtector for non-Windows machines - // or for Windows machines where we can't depend on the user profile. - internal sealed class DpapiDataProtector : IDataProtector - { - private readonly byte[] _combinedPurposes; - private readonly DataProtectionScope _scope; - private readonly IProtectedData _shim; - - internal DpapiDataProtector(IProtectedData shim, byte[] combinedPurposes, DataProtectionScope scope) - { - _combinedPurposes = combinedPurposes; - _scope = scope; - _shim = shim; - } - - public IDataProtector CreateProtector([NotNull] string purpose) - { - // Appends the provided purpose to the existing list - using (var memoryStream = new MemoryStream()) - { - memoryStream.Write(_combinedPurposes, 0, _combinedPurposes.Length); - using (var writer = new BinaryWriter(memoryStream, EncodingUtil.SecureUtf8Encoding, leaveOpen: true)) - { - writer.Write(purpose); - } - return new DpapiDataProtector(_shim, memoryStream.ToArray(), _scope); - } - } - - public byte[] Protect([NotNull] byte[] unprotectedData) - { - try - { - return _shim.Protect(unprotectedData, _combinedPurposes, _scope) - ?? CryptoUtil.Fail("Null return value."); - } - catch (Exception ex) when (ex.RequiresHomogenization()) - { - // Homogenize to CryptographicException - throw Error.CryptCommon_GenericError(ex); - } - } - - public byte[] Unprotect([NotNull] byte[] protectedData) - { - try - { - return _shim.Unprotect(protectedData, _combinedPurposes, _scope) - ?? 
CryptoUtil.Fail("Null return value."); - } - catch (Exception ex) when (ex.RequiresHomogenization()) - { - // Homogenize to CryptographicException - throw Error.CryptCommon_GenericError(ex); - } - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/Dpapi/IProtectedData.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/IProtectedData.cs deleted file mode 100644 index a12de6c77a..0000000000 --- a/src/Microsoft.AspNet.DataProtection/Dpapi/IProtectedData.cs +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography; - -namespace Microsoft.AspNet.DataProtection.Dpapi -{ - internal interface IProtectedData - { - byte[] Protect(byte[] userData, byte[] optionalEntropy, DataProtectionScope scope); - - byte[] Unprotect(byte[] encryptedData, byte[] optionalEntropy, DataProtectionScope scope); - } -} diff --git a/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs b/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs deleted file mode 100644 index 74929a0d4d..0000000000 --- a/src/Microsoft.AspNet.DataProtection/Dpapi/ProtectedDataImpl.cs +++ /dev/null 
@@ -1,58 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography; -using Microsoft.AspNet.DataProtection.Cng; - -namespace Microsoft.AspNet.DataProtection.Dpapi -{ - internal unsafe sealed class ProtectedDataImpl : IProtectedData - { - public byte[] Protect(byte[] userData, byte[] optionalEntropy, DataProtectionScope scope) - { -#if DNXCORE50 - fixed (byte* pbUserData = userData) - { - fixed (byte* pbOptionalEntropy = optionalEntropy) - { - return DpapiSecretSerializerHelper.ProtectWithDpapiImpl( - pbSecret: pbUserData, - cbSecret: (userData != null) ? (uint)userData.Length : 0, - pbOptionalEntropy: pbOptionalEntropy, - cbOptionalEntropy: (optionalEntropy != null) ? (uint)optionalEntropy.Length : 0, - fLocalMachine: (scope == DataProtectionScope.LocalMachine)); - } - } -#else - return ProtectedData.Protect(userData, optionalEntropy, scope); -#endif - } - - public byte[] Unprotect(byte[] encryptedData, byte[] optionalEntropy, DataProtectionScope scope) - { -#if DNXCORE50 - Secret blob; - fixed (byte* pbEncryptedData = encryptedData) - { - fixed (byte* pbOptionalEntropy = optionalEntropy) - { - blob = DpapiSecretSerializerHelper.UnprotectWithDpapiImpl( - pbProtectedData: pbEncryptedData, - cbProtectedData: (encryptedData != null) ? (uint)encryptedData.Length : 0, - pbOptionalEntropy: pbOptionalEntropy, - cbOptionalEntropy: (optionalEntropy != null) ? (uint)optionalEntropy.Length : 0); - } - } - using (blob) - { - byte[] retVal = new byte[blob.Length]; - blob.WriteSecretIntoBuffer(new ArraySegment(retVal)); - return retVal; - } -#else - return ProtectedData.Unprotect(encryptedData, optionalEntropy, scope); -#endif - } - } -} 
diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs index d5c323bcd5..262d978e0d 100644 --- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs @@ -4,16 +4,17 @@ using System; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection { /// - /// An IDataProtectionProvider that is transient. + /// An that is transient. /// /// - /// Payloads generated by a given EphemeralDataProtectionProvider instance can only + /// Payloads generated by a given instance can only /// be deciphered by that same instance. Once the instance is lost, all ciphertexts /// generated by that instance are permanently undecipherable. /// 
@@ -21,22 +22,39 @@ namespace Microsoft.AspNet.DataProtection { private readonly KeyRingBasedDataProtectionProvider _dataProtectionProvider; + /// + /// Creates an ephemeral . + /// public EphemeralDataProtectionProvider() + : this(services: null) + { + } + + /// + /// Creates an ephemeral , optionally providing + /// services (such as logging) for consumption by the provider. + /// + public EphemeralDataProtectionProvider(IServiceProvider services) { IKeyRingProvider keyringProvider; - - if (OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + if (OSVersionUtil.IsWindows()) { - // Fastest implementation: AES-GCM - keyringProvider = new EphemeralKeyRing(); + // Fastest implementation: AES-256-GCM [CNG] + keyringProvider = new EphemeralKeyRing(); } else { - // Slowest implementation: managed CBC + HMAC - keyringProvider = new EphemeralKeyRing(); + // Slowest implementation: AES-256-CBC + HMACSHA256 [Managed] + keyringProvider = new EphemeralKeyRing(); } - _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider); + var logger = services.GetLogger(); + if (logger.IsWarningLevelEnabled()) + { + logger.LogWarning("Using ephemeral data protection provider. Payloads will be undecipherable upon application shutdown."); + } + + _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, services); } public IDataProtector CreateProtector([NotNull] string purpose) 
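Review bot: The parameterless constructor forwards `services: null`, and the new constructor then calls `services.GetLogger()` and `logger.IsWarningLevelEnabled()` with no guard, so this path is only safe if both helpers are null-tolerant extension methods; neither is defined in this hunk. If they are, a comment such as `// services may be null here; GetLogger and IsWarningLevelEnabled both tolerate null` would stop a later edit from turning this into a NullReferenceException. It also suggests that the default constructor emits no warning at all, so the notice that payloads become undecipherable on shutdown presumably reaches only callers that supply a service provider; that is worth stating in the constructor's summary.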
@@ -46,12 +64,12 @@ namespace Microsoft.AspNet.DataProtection } private sealed class EphemeralKeyRing : IKeyRing, IKeyRingProvider - where T : IInternalConfigurationOptions, new() + where T : IInternalAuthenticatedEncryptionOptions, new() { // Currently hardcoded to a 512-bit KDK. private const int NUM_BYTES_IN_KDK = 512 / 8; - public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().CreateAuthenticatedEncryptor(Secret.Random(NUM_BYTES_IN_KDK)); + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().ToConfiguration().CreateNewDescriptor().CreateEncryptorInstance(); public Guid DefaultKeyId { get; } = default(Guid); diff --git a/src/Microsoft.AspNet.DataProtection/Error.cs b/src/Microsoft.AspNet.DataProtection/Error.cs index 309625bbb7..5d954946ee 100644 --- a/src/Microsoft.AspNet.DataProtection/Error.cs +++ b/src/Microsoft.AspNet.DataProtection/Error.cs @@ -9,9 +9,20 @@ namespace Microsoft.AspNet.DataProtection { internal static class Error { + public static InvalidOperationException CertificateXmlEncryptor_CertificateNotFound(string thumbprint) + { + string message = Resources.FormatCertificateXmlEncryptor_CertificateNotFound(thumbprint); + return new InvalidOperationException(message); + } + + public static ArgumentException Common_ArgumentCannotBeNullOrEmpty(string parameterName) + { + return new ArgumentException(Resources.Common_ArgumentCannotBeNullOrEmpty, parameterName); + } + public static ArgumentException Common_BufferIncorrectlySized(string parameterName, int actualSize, int expectedSize) { - string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_BufferIncorrectlySized, actualSize, expectedSize); + string message = Resources.FormatCommon_BufferIncorrectlySized(actualSize, expectedSize); return new ArgumentException(message, parameterName); } 
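Review bot: In `EphemeralKeyRing`, the constant `NUM_BYTES_IN_KDK` and its comment "Currently hardcoded to a 512-bit KDK" stay as context, but the only use shown, `Secret.Random(NUM_BYTES_IN_KDK)`, is removed by this hunk, so the size of the key material is now whatever `CreateNewDescriptor()` chooses. The class body continues outside the hunk; if nothing further down still reads the constant, delete it or reword the comment, e.g. `// Master key material is generated by CreateNewDescriptor().`. A stale statement about key size on a crypto type is easy to take at face value during a later review.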
@@ -29,7 +40,13 @@ namespace Microsoft.AspNet.DataProtection public static InvalidOperationException Common_PropertyCannotBeNullOrEmpty(string propertyName) { string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyCannotBeNullOrEmpty, propertyName); - throw new InvalidOperationException(message); + return new InvalidOperationException(message); + } + + public static InvalidOperationException Common_PropertyMustBeNonNegative(string propertyName) + { + string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyMustBeNonNegative, propertyName); + return new InvalidOperationException(message); } public static CryptographicException Common_EncryptionFailed(Exception inner = null) @@ -49,14 +66,9 @@ namespace Microsoft.AspNet.DataProtection return new CryptographicException(message); } - public static CryptographicException Common_NotAValidProtectedPayload() + public static ArgumentOutOfRangeException Common_ValueMustBeNonNegative(string paramName) { - return new CryptographicException(Resources.Common_NotAValidProtectedPayload); - } - - public static CryptographicException Common_PayloadProducedByNewerVersion() - { - return new CryptographicException(Resources.Common_PayloadProducedByNewerVersion); + return new ArgumentOutOfRangeException(paramName, Resources.Common_ValueMustBeNonNegative); } public static CryptographicException DecryptionFailed(Exception inner) 
@@ -64,11 +76,27 @@ namespace Microsoft.AspNet.DataProtection return new CryptographicException(Resources.Common_DecryptionFailed, inner); } + public static CryptographicException ProtectionProvider_BadMagicHeader() + { + return new CryptographicException(Resources.ProtectionProvider_BadMagicHeader); + } + + public static CryptographicException ProtectionProvider_BadVersion() + { + return new CryptographicException(Resources.ProtectionProvider_BadVersion); + } + public static CryptographicException TimeLimitedDataProtector_PayloadExpired(ulong utcTicksExpiration) { DateTimeOffset expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero).ToLocalTime(); string message = String.Format(CultureInfo.CurrentCulture, Resources.TimeLimitedDataProtector_PayloadExpired, expiration); return new CryptographicException(message); } + + public static InvalidOperationException XmlKeyManager_DuplicateKey(Guid keyId) + { + string message = String.Format(CultureInfo.CurrentCulture, Resources.XmlKeyManager_DuplicateKey, keyId); + return new InvalidOperationException(message); + } } } diff --git a/src/Microsoft.AspNet.DataProtection/IActivator.cs b/src/Microsoft.AspNet.DataProtection/IActivator.cs new file mode 100644 index 0000000000..a8827f58fa --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/IActivator.cs @@ -0,0 +1,20 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// An interface into that also supports + /// limited dependency injection (of ). + /// + internal interface IActivator + { + /// + /// Creates an instance of and ensures + /// that it is assignable to . + /// + object CreateInstance(Type expectedBaseType, string implementationTypeName); + } +} 
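Review bot: `IActivator.CreateInstance` accepts the implementation type as a string, and the interface documentation says neither where that name may come from nor when the assignability check runs relative to construction. If the name is read from persisted key XML or registry policy (not visible in this hunk), whoever can write to that store chooses which type gets loaded, so the contract should require that the type is resolved and checked against `expectedBaseType` before any constructor executes. I would add to the method summary: `/// Implementations must verify that the resolved type is assignable to expectedBaseType before instantiating it; implementationTypeName is expected to come from a trusted key store.`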
diff --git a/src/Microsoft.AspNet.DataProtection/IDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/IDataProtectionProvider.cs deleted file mode 100644 index 7c44fea90a..0000000000 --- a/src/Microsoft.AspNet.DataProtection/IDataProtectionProvider.cs +++ /dev/null @@ -1,26 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.DataProtection -{ - /// - /// An interface that can be used to create IDataProtector instances. - /// - public interface IDataProtectionProvider - { - /// - /// Creates an IDataProtector given a purpose. - /// - /// - /// The purpose to be assigned to the newly-created IDataProtector. - /// This parameter must be unique for the intended use case; two different IDataProtector - /// instances created with two different 'purpose' strings will not be able - /// to understand each other's payloads. The 'purpose' parameter is not intended to be - /// kept secret. - /// - /// An IDataProtector tied to the provided purpose. - IDataProtector CreateProtector(string purpose); - } -} diff --git a/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs new file mode 100644 index 0000000000..a1fe9ef00b --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs 
@@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// An interface that can provide data protection services for data which has been persisted + /// to long-term storage. + /// + public interface IPersistedDataProtector : IDataProtector + { + /// + /// Cryptographically unprotects a piece of data, optionally ignoring failures due to + /// revocation of the cryptographic keys used to protect the payload. + /// + /// The protected data to unprotect. + /// 'true' if the payload should be unprotected even + /// if the cryptographic key used to protect it has been revoked (due to potential compromise), + /// 'false' if revocation should fail the unprotect operation. + /// 'true' if the data should be reprotected before being + /// persisted back to long-term storage, 'false' otherwise. Migration might be requested + /// when the default protection key has changed, for instance. + /// 'true' if the cryptographic key used to protect this payload + /// has been revoked, 'false' otherwise. Payloads whose keys have been revoked should be + /// treated as suspect unless the application has separate assurance that the payload + /// has not been tampered with. + /// The plaintext form of the protected data. + /// + /// Implementations should throw CryptographicException if the protected data is + /// invalid or malformed. + /// + byte[] DangerousUnprotect(byte[] protectedData, bool ignoreRevocationErrors, out bool requiresMigration, out bool wasRevoked); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs index acada25c6e..7e168a93bc 100644 --- a/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs 
+++ b/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs @@ -26,10 +26,10 @@ namespace Microsoft.AspNet.DataProtection /// /// Cryptographically protects a piece of plaintext data and assigns an expiration date to the data. /// - /// The plaintext data to protect. + /// The plaintext data to protect. /// The date after which the data can no longer be unprotected. /// The protected form of the plaintext data. - byte[] Protect(byte[] unprotectedData, DateTimeOffset expiration); + byte[] Protect(byte[] plaintext, DateTimeOffset expiration); /// /// Cryptographically unprotects a piece of protected data. diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs new file mode 100644 index 0000000000..5ad6d238f8 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs 
@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Threading;
+
+namespace Microsoft.AspNet.DataProtection.KeyManagement
+{
+ ///
+ /// Wraps both a keyring and its expiration policy.
+ ///
+ internal sealed class CacheableKeyRing
+ {
+ private readonly CancellationToken _expirationToken;
+
+ internal CacheableKeyRing(CancellationToken expirationToken, DateTimeOffset expirationTime, IKey defaultKey, IEnumerable allKeys)
+ : this(expirationToken, expirationTime, keyRing: new KeyRing(defaultKey.KeyId, allKeys))
+ {
+ }
+
+ internal CacheableKeyRing(CancellationToken expirationToken, DateTimeOffset expirationTime, IKeyRing keyRing)
+ {
+ _expirationToken = expirationToken;
+ ExpirationTimeUtc = expirationTime.UtcDateTime;
+ KeyRing = keyRing;
+ }
+
+ internal DateTime ExpirationTimeUtc { get; }
+
+ internal IKeyRing KeyRing { get; }
+
+ internal static bool IsValid(CacheableKeyRing keyRing, DateTime utcNow)
+ {
+ return keyRing != null
+ && !keyRing._expirationToken.IsCancellationRequested
+ && keyRing.ExpirationTimeUtc > utcNow;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs
new file mode 100644
index 0000000000..63f035b057
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs
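Review bot: The first `CacheableKeyRing` constructor reads `defaultKey.KeyId` inside its `: this(...)` initializer, so a null `defaultKey` fails with a NullReferenceException before any field is assigned. `DefaultKeyResolution.DefaultKey`, added in the same commit, is documented as possibly null, and the callers are outside this hunk, so the precondition should be written down, for example a `// defaultKey must be non-null; callers generate a key first when resolution returns none` comment above the constructor. `IsValid` also compares `ExpirationTimeUtc` with a caller-supplied `DateTime`, and that comparison ignores `Kind`; a short remark that `utcNow` must already be UTC would prevent a cached ring from living past its expiry on a host whose local time is behind UTC.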
@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.AspNet.DataProtection.KeyManagement
+{
+ internal struct DefaultKeyResolution
+ {
+ ///
+ /// The default key, may be null if no key is a good default candidate.
+ ///
+ public IKey DefaultKey;
+
+ ///
+ /// 'true' if a new key should be persisted to the keyring, 'false' otherwise.
+ /// This value may be 'true' even if a valid default key was found.
+ ///
+ public bool ShouldGenerateNewKey;
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
new file mode 100644
index 0000000000..624b23e53f
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
@@ -0,0 +1,135 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Linq; +using Microsoft.Framework.Logging; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + /// + /// Implements policy for resolving the default key from a candidate keyring. + /// + internal sealed class DefaultKeyResolver : IDefaultKeyResolver + { + /// + /// The window of time before the key expires when a new key should be created + /// and persisted to the keyring to ensure uninterrupted service. + /// + /// + /// If the expiration window is 5 days and the current key expires within 5 days, + /// a new key will be generated. + /// + private readonly TimeSpan _keyGenBeforeExpirationWindow; + + private readonly ILogger _logger; + + /// + /// The maximum skew that is allowed between servers. + /// This is used to allow newly-created keys to be used across servers even though + /// their activation dates might be a few minutes into the future. + /// + /// + /// If the max skew is 5 minutes and the best matching candidate default key has + /// an activation date of less than 5 minutes in the future, we'll use it. 
+ /// + private readonly TimeSpan _maxServerToServerClockSkew; + + public DefaultKeyResolver(TimeSpan keyGenBeforeExpirationWindow, TimeSpan maxServerToServerClockSkew, IServiceProvider services) + { + _keyGenBeforeExpirationWindow = keyGenBeforeExpirationWindow; + _maxServerToServerClockSkew = maxServerToServerClockSkew; + _logger = services.GetLogger(); + } + + public DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable allKeys) + { + DefaultKeyResolution retVal = default(DefaultKeyResolution); + retVal.DefaultKey = FindDefaultKey(now, allKeys, out retVal.ShouldGenerateNewKey); + return retVal; + } + + private IKey FindDefaultKey(DateTimeOffset now, IEnumerable allKeys, out bool callerShouldGenerateNewKey) + { + // the key with the most recent activation date where the activation date is in the past + IKey keyMostRecentlyActivated = (from key in allKeys + where key.ActivationDate <= now + orderby key.ActivationDate descending + select key).FirstOrDefault(); + + if (keyMostRecentlyActivated != null) + { + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Considering key '{0:D}' with expiration date {1:u} as default key candidate.", keyMostRecentlyActivated.KeyId, keyMostRecentlyActivated.ExpirationDate); + } + + // if the key has been revoked or is expired, it is no longer a candidate + if (keyMostRecentlyActivated.IsExpired(now) || keyMostRecentlyActivated.IsRevoked) + { + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Key '{0:D}' no longer eligible as default key candidate because it is expired or revoked.", keyMostRecentlyActivated.KeyId); + } + keyMostRecentlyActivated = null; + } + } + + // There's an interesting edge case here. If two keys have an activation date in the past and + // an expiration date in the future, and if the most recently activated of those two keys is + // revoked, we won't consider the older key a valid candidate. 
This is intentional: generating + // a new key is an implicit signal that we should stop using older keys without explicitly + // revoking them. + + // if the key's expiration is beyond our safety window, we can use this key + if (keyMostRecentlyActivated != null && keyMostRecentlyActivated.ExpirationDate - now > _keyGenBeforeExpirationWindow) + { + callerShouldGenerateNewKey = false; + return keyMostRecentlyActivated; + } + + // the key with the nearest activation date where the activation date is in the future + // and the key isn't expired or revoked + IKey keyNextPendingActivation = (from key in allKeys + where key.ActivationDate > now && !key.IsExpired(now) && !key.IsRevoked + orderby key.ActivationDate ascending + select key).FirstOrDefault(); + + // if we have a valid current key, return it, and signal to the caller that he must perform + // the keygen step only if the next key pending activation won't be activated until *after* + // the current key expires (allowing for server-to-server skew) + if (keyMostRecentlyActivated != null) + { + callerShouldGenerateNewKey = (keyNextPendingActivation == null || (keyNextPendingActivation.ActivationDate - keyMostRecentlyActivated.ExpirationDate > _maxServerToServerClockSkew)); + if (callerShouldGenerateNewKey && _logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Default key expiration imminent and repository contains no viable successor. 
Caller should generate a successor."); + } + + return keyMostRecentlyActivated; + } + + // if there's no valid current key but there is a key pending activation, we can use + // it only if its activation period is within the server-to-server clock skew + if (keyNextPendingActivation != null && keyNextPendingActivation.ActivationDate - now <= _maxServerToServerClockSkew) + { + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Considering key '{0:D}' with expiration date {1:u} as default key candidate.", keyNextPendingActivation.KeyId, keyNextPendingActivation.ExpirationDate); + } + + callerShouldGenerateNewKey = false; + return keyNextPendingActivation; + } + + // if we got this far, there was no valid default key in the keyring + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Repository contains no viable default key. Caller should generate a key with immediate activation."); + } + callerShouldGenerateNewKey = true; + return null; + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs new file mode 100644 index 0000000000..c9dd42484a --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs 
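Review bot: In `FindDefaultKey`, the branch that discards the most recently activated key logs a single Verbose message covering both "expired" and "revoked". Expiry is routine rotation, whereas a revoked default key usually follows a suspected compromise, and with this message an operator can neither tell the two apart nor see the event at default log levels. I would test `IsRevoked` on its own and report it at warning level, e.g. `_logger.LogWarning("Key '{0:D}' is revoked and will not be used as the default key.", keyMostRecentlyActivated.KeyId);`. Separately, `allKeys` is enumerated by two LINQ queries; if a caller passes a lazily evaluated sequence the two passes may observe different data, so materialising it once at the top of the method would make the decision consistent.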
@@ -0,0 +1,58 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.Framework.DependencyInjection; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + internal sealed class DefaultKeyServices : IDefaultKeyServices + { + private readonly Lazy _keyEncryptorLazy; + private readonly Lazy _keyRepositoryLazy; + + public DefaultKeyServices(IServiceProvider services, ServiceDescriptor keyEncryptorDescriptor, ServiceDescriptor keyRepositoryDescriptor) + { + if (keyEncryptorDescriptor != null) + { + // optional + CryptoUtil.Assert(keyEncryptorDescriptor.ServiceType == typeof(IXmlEncryptor), "Bad service type."); + _keyEncryptorLazy = GetLazyForService(services, keyEncryptorDescriptor); + } + + CryptoUtil.Assert(keyRepositoryDescriptor.ServiceType == typeof(IXmlRepository), "Bad service type."); + _keyRepositoryLazy = GetLazyForService(services, keyRepositoryDescriptor); + } + + /// + /// Gets the default service (could return null). + /// + /// + public IXmlEncryptor GetKeyEncryptor() + { + return (IXmlEncryptor)_keyEncryptorLazy?.Value; + } + + /// + /// Gets the default service (must not be null). + /// + /// + public IXmlRepository GetKeyRepository() + { + return (IXmlRepository)_keyRepositoryLazy.Value ?? 
CryptoUtil.Fail("GetKeyRepository returned null."); + } + + private static Lazy GetLazyForService(IServiceProvider services, ServiceDescriptor descriptor) + { + CryptoUtil.Assert(descriptor != null && descriptor.Lifetime == ServiceLifetime.Singleton, "Descriptor must represent singleton."); + CryptoUtil.Assert(descriptor.ImplementationFactory != null, "Descriptor must have an implementation factory."); + + // pull the factory out so we don't close over the whole descriptor instance + Func wrapped = descriptor.ImplementationFactory; + return new Lazy(() => wrapped(services)); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/NotNullAttribute.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs similarity index 56% rename from src/Microsoft.AspNet.DataProtection/NotNullAttribute.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs index 5896ea15d8..008b15a607 100644 --- a/src/Microsoft.AspNet.DataProtection/NotNullAttribute.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs @@ -3,10 +3,10 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNet.DataProtection.KeyManagement { - [AttributeUsage(AttributeTargets.Parameter, AllowMultiple = false)] - internal sealed class NotNullAttribute : Attribute + internal interface ICacheableKeyRingProvider { + CacheableKeyRing GetCacheableKeyRing(DateTimeOffset now); } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs new file mode 100644 index 0000000000..a5ecdeda16 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs 
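Review bot: In the `DefaultKeyServices` constructor, `keyRepositoryDescriptor.ServiceType` is dereferenced before anything checks the descriptor for null, so a missing repository registration surfaces as a NullReferenceException instead of the assertion failure that `GetLazyForService` would raise one line later. Folding the null check into the existing assert keeps the failure mode uniform: `CryptoUtil.Assert(keyRepositoryDescriptor != null && keyRepositoryDescriptor.ServiceType == typeof(IXmlRepository), "Bad service type.");`. Separately, the summary on `GetKeyEncryptor` says only "could return null". It should state what a null result means for the caller, presumably that no key encryptor is configured and key material would be persisted without encryption at rest, though that should be confirmed against the key manager.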
@@ -0,0 +1,19 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + /// + /// Implements policy for resolving the default key from a candidate keyring. + /// + internal interface IDefaultKeyResolver + { + /// + /// Locates the default key from the keyring. + /// + DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable allKeys); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs new file mode 100644 index 0000000000..34a4f2ab8b --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs @@ -0,0 +1,27 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNet.DataProtection.XmlEncryption; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + /// + /// Provides default implementations of the services required by an . + /// + internal interface IDefaultKeyServices + { + /// + /// Gets the default service (could return null). + /// + /// + IXmlEncryptor GetKeyEncryptor(); + + /// + /// Gets the default service (must not be null). + /// + /// + IXmlRepository GetKeyRepository(); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs new file mode 100644 index 0000000000..7c2cd20685 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs 
@@ -0,0 +1,14 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + // Used for unit testing + internal interface IInternalXmlKeyManager + { + IKey CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate); + void RevokeSingleKey(Guid keyId, DateTimeOffset revocationDate, string reason); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs index 5356351d7b..1d3288d68d 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs @@ -34,8 +34,8 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// /// /// A revoked key may still be used to decrypt existing payloads, but the payloads - /// must be treated as potentially unauthentic unless the application has some - /// other assurance that the payloads are authentic. + /// must be treated as tampered unless the application has some other assurance + /// that the payloads are authentic. /// bool IsRevoked { get; } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs new file mode 100644 index 0000000000..4223085202 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs 
@@ -0,0 +1,27 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.Repositories; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + /// + /// The basic interface for implementing a key escrow sink. + /// + /// + /// is distinct from in that + /// provides a write-only interface and instances handle unencrypted key material, + /// while provides a read+write interface and instances handle encrypted key material. + /// + public interface IKeyEscrowSink + { + /// + /// Stores the given key material to the escrow service. + /// + /// The id of the key being persisted to escrow. + /// The unencrypted XML element that comprises the key material. + void Store(Guid keyId, XElement element); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs index 9f64f7f9d2..104c51a73d 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs 
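Review bot: The documentation on `IKeyEscrowSink.Store` says the element is unencrypted key material but gives implementers no handling requirements, and this is a public extension point. I would add a remarks block stating that implementations must protect the element before it leaves the process and must never write it to logs or diagnostics, for example `/// Implementations receive raw key material and are responsible for protecting it in transit and at rest; do not log the element.`. The contract should also say whether an exception thrown from `Store` aborts creation of the key, since that decides whether a key can ever be in use without an escrowed copy.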
@@ -3,23 +3,25 @@ using System; using System.Collections.Generic; +using System.Threading; namespace Microsoft.AspNet.DataProtection.KeyManagement { /// /// The basic interface for performing key management operations. /// + /// + /// Instantiations of this interface are expected to be thread-safe. + /// public interface IKeyManager { /// - /// Creates a new key with the specified activation and expiration dates. + /// Creates a new key with the specified activation and expiration dates and persists + /// the new key to the underlying repository. /// /// The date on which encryptions to this key may begin. /// The date after which encryptions to this key may no longer take place. /// The newly-created IKey instance. - /// - /// This method also persists the newly-created IKey instance to the underlying repository. - /// IKey CreateNewKey(DateTimeOffset activationDate, DateTimeOffset expirationDate); /// 
@@ -29,7 +31,27 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement IReadOnlyCollection GetAllKeys(); /// - /// Revokes a specific key. + /// Retrieves a token that signals that callers who have cached the return value of + /// GetAllKeys should clear their caches. This could be in response to a call to + /// CreateNewKey or RevokeKey, or it could be in response to some other external notification. + /// Callers who are interested in observing this token should call this method before the + /// corresponding call to GetAllKeys. + /// + /// + /// The cache expiration token. When an expiration notification is triggered, any + /// tokens previously returned by this method will become canceled, and tokens returned by + /// future invocations of this method will themselves not trigger until the next expiration + /// event. + /// + /// + /// Implementations are free to return 'CancellationToken.None' from this method. + /// Since this token is never guaranteed to fire, callers should still manually + /// clear their caches at a regular interval. + /// + CancellationToken GetCacheExpirationToken(); + + /// + /// Revokes a specific key and persists the revocation to the underlying repository. /// /// The id of the key to revoke. /// An optional human-readable reason for revocation. @@ -40,7 +62,8 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement void RevokeKey(Guid keyId, string reason = null); /// - /// Revokes all keys created before a specified date. + /// Revokes all keys created before a specified date and persists the revocation to the + /// underlying repository. /// /// The revocation date. All keys with a creation date before /// this value will be revoked. diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs index b71aaedd1e..d046a5242a 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs 
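Review bot: The updated summaries on `RevokeKey` and `RevokeAllKeys` say the revocation is persisted, but nothing in `IKeyManager` says when it takes effect for other readers of the repository. The new `GetCacheExpirationToken` remarks allow an implementation to return `CancellationToken.None`, so a consumer that has cached `GetAllKeys` may keep honouring a revoked key until its periodic refresh. `KeyLifetimeOptions` elsewhere in this commit fixes that period at 24 hours, which presumably bounds the delay. A remark on the revoke methods would make the exposure window explicit for incident response: `/// Other processes sharing the repository observe the revocation only after their key ring cache is refreshed.`.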
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs @@ -6,12 +6,31 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNet.DataProtection.KeyManagement { + /// + /// The basic interface for accessing a read-only keyring. + /// internal interface IKeyRing { + /// + /// The authenticated encryptor that shall be used for new encryption operations. + /// + /// + /// Activation of the encryptor instance is deferred until first access. + /// IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } + /// + /// The id of the key associated with . + /// Guid DefaultKeyId { get; } + /// + /// Returns an encryptor instance for the given key, or 'null' if the key with the + /// specified id cannot be found in the keyring. + /// + /// + /// Activation of the encryptor instance is deferred until first access. + /// IAuthenticatedEncryptor GetAuthenticatedEncryptorByKeyId(Guid keyId, out bool isRevoked); } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs index 5366536ced..d436b18498 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs 
@@ -3,56 +3,40 @@ using System; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; namespace Microsoft.AspNet.DataProtection.KeyManagement { + /// + /// The basic implementation of . + /// internal sealed class Key : IKey { - private readonly IAuthenticatedEncryptorConfiguration _encryptorConfiguration; + private readonly IAuthenticatedEncryptorDescriptor _descriptor; - public Key(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IAuthenticatedEncryptorConfiguration encryptorConfiguration) + public Key(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IAuthenticatedEncryptorDescriptor descriptor) { KeyId = keyId; CreationDate = creationDate; ActivationDate = activationDate; ExpirationDate = expirationDate; - _encryptorConfiguration = encryptorConfiguration; + _descriptor = descriptor; } - public DateTimeOffset ActivationDate - { - get; - private set; - } + public DateTimeOffset ActivationDate { get; } - public DateTimeOffset CreationDate - { - get; - private set; - } + public DateTimeOffset CreationDate { get; } - public DateTimeOffset ExpirationDate - { - get; - private set; - } + public DateTimeOffset ExpirationDate { get; } - public bool IsRevoked - { - get; - private set; - } + public bool IsRevoked { get; private set; } - public Guid KeyId - { - get; - private set; - } + public Guid KeyId { get; } public IAuthenticatedEncryptor CreateEncryptorInstance() { - return _encryptorConfiguration.CreateEncryptorInstance(); + return _descriptor.CreateEncryptorInstance(); } internal void SetRevoked() diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs new file mode 100644 index 0000000000..6794a4884f --- /dev/null 
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs @@ -0,0 +1,42 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Xml.Linq; +using Microsoft.Framework.DependencyInjection; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + internal static class KeyEscrowServiceProviderExtensions + { + /// + /// Gets an aggregate from the underlying . + /// This method may return null if no sinks are registered. + /// + public static IKeyEscrowSink GetKeyEscrowSink(this IServiceProvider services) + { + var escrowSinks = services?.GetService>()?.ToList(); + return (escrowSinks != null && escrowSinks.Count > 0) ? new AggregateKeyEscrowSink(escrowSinks) : null; + } + + private sealed class AggregateKeyEscrowSink : IKeyEscrowSink + { + private readonly List _sinks; + + public AggregateKeyEscrowSink(List sinks) + { + _sinks = sinks; + } + + public void Store(Guid keyId, XElement element) + { + foreach (var sink in _sinks) + { + sink.Store(keyId, element); + } + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs index bed820e872..665be69320 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs @@ -7,9 +7,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { internal static class KeyExtensions { - public static bool IsExpired(this IKey key, DateTime utcNow) + public static bool IsExpired(this IKey key, DateTimeOffset now) { - return (key.ExpirationDate.UtcDateTime <= utcNow); + return (key.ExpirationDate <= now); } } } 
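Review bot: `AggregateKeyEscrowSink.Store` stops at the first sink that throws, so the sinks registered after it never receive the key and the escrow set ends up partially written. If aborting is intended, so that a key is never activated without every escrow copy, the loop should say so with a comment such as `// Fail fast: an exception from any sink must stop key creation; later sinks are intentionally skipped.`. If the intent is best-effort delivery to all sinks, the exceptions need to be collected and rethrown together after the loop. Either way, the summary on `GetKeyEscrowSink` should document which behaviour callers get.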
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyLifetimeOptions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyLifetimeOptions.cs new file mode 100644 index 0000000000..7316cdb3f7 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyLifetimeOptions.cs 
@@ -0,0 +1,106 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class KeyLifetimeOptions + { + private readonly TimeSpan _keyExpirationSafetyPeriod = TimeSpan.FromDays(2); + private readonly TimeSpan _keyRingRefreshPeriod = TimeSpan.FromHours(24); + private readonly TimeSpan _maxServerClockSkew = TimeSpan.FromMinutes(5); + private TimeSpan _newKeyLifetime = TimeSpan.FromDays(90); + + public KeyLifetimeOptions() + { + } + + // copy ctor + internal KeyLifetimeOptions(KeyLifetimeOptions other) + { + if (other != null) + { + this._newKeyLifetime = other._newKeyLifetime; + } + } + + /// + /// Specifies the period before key expiration in which a new key should be generated. + /// For example, if this period is 72 hours, then a new key will be created and + /// persisted to storage approximately 72 hours before expiration. + /// + /// + /// This value is currently fixed at 48 hours. + /// + internal TimeSpan KeyExpirationSafetyPeriod + { + get + { + // This value is not settable since there's a complex interaction between + // it and the key ring refresh period. + return _keyExpirationSafetyPeriod; + } + } + + /// + /// Controls the auto-refresh period where the key ring provider will + /// flush its collection of cached keys and reread the collection from + /// backing storage. + /// + /// + /// This value is currently fixed at 24 hours. + /// + internal TimeSpan KeyRingRefreshPeriod + { + get + { + // This value is not settable since there's a complex interaction between + // it and the key expiration safety period. + return _keyRingRefreshPeriod; + } + } + + /// + /// Specifies the maximum clock skew allowed between servers when reading + /// keys from the key ring. 
The key ring may use a key which has not yet + /// been activated or which has expired if the key's valid lifetime is within + /// the allowed clock skew window. This value can be set to + /// if key activation and expiration times should be strictly honored by this server. + /// + /// + /// This value is currently fixed at 5 minutes. + /// + internal TimeSpan MaxServerClockSkew + { + get + { + return _maxServerClockSkew; + } + } + + /// + /// Controls the lifetime (number of days before expiration) + /// for newly-generated keys. + /// + /// + /// The lifetime cannot be less than one week. + /// The default value is 90 days. + /// + public TimeSpan NewKeyLifetime + { + get + { + return _newKeyLifetime; + } + set + { + if (value < TimeSpan.FromDays(7)) + { + throw new ArgumentOutOfRangeException(nameof(value), Resources.KeyLifetimeOptions_MinNewKeyLifetimeViolated); + } + _newKeyLifetime = value; + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs index 6a15e227ac..38d8b20099 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs 
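Review bot: The summary on `MaxServerClockSkew` says the value "can be set" so that activation and expiration are strictly honoured, but the property is internal, has no setter, and is backed by a readonly field fixed at five minutes. As written the documentation promises a hardening option that does not exist. I would drop that sentence, or reword it to `/// The window is not configurable; keys may be used up to five minutes outside their stated lifetime.`. Note also that `NewKeyLifetime` enforces a lower bound of seven days but no upper bound, so a very large value is accepted here and any overflow would only show up later when it is added to a date, assuming the key manager computes expiration that way.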
@@ -8,66 +8,52 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNet.DataProtection.KeyManagement { + /// + /// A basic implementation of . + /// internal sealed class KeyRing : IKeyRing { - private readonly AuthenticatedEncryptorHolder _defaultEncryptorHolder; - private readonly Dictionary _keyToEncryptorMap; + private readonly KeyHolder _defaultKeyHolder; + private readonly Dictionary _keyIdToKeyHolderMap; - public KeyRing(Guid defaultKeyId, IKey[] keys) + public KeyRing(Guid defaultKeyId, IEnumerable keys) { - DefaultKeyId = defaultKeyId; - _keyToEncryptorMap = CreateEncryptorMap(defaultKeyId, keys, out _defaultEncryptorHolder); - } + _keyIdToKeyHolderMap = new Dictionary(); + foreach (IKey key in keys) + { + _keyIdToKeyHolderMap.Add(key.KeyId, new KeyHolder(key)); + } - public KeyRing(Guid defaultKeyId, KeyRing other) - { DefaultKeyId = defaultKeyId; - _keyToEncryptorMap = other._keyToEncryptorMap; - _defaultEncryptorHolder = _keyToEncryptorMap[defaultKeyId]; + _defaultKeyHolder = _keyIdToKeyHolderMap[defaultKeyId]; } - + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get { bool unused; - return _defaultEncryptorHolder.GetEncryptorInstance(out unused); + return _defaultKeyHolder.GetEncryptorInstance(out unused); } } - public Guid DefaultKeyId { get; private set; } - - private static Dictionary CreateEncryptorMap(Guid defaultKeyId, IKey[] keys, out AuthenticatedEncryptorHolder defaultEncryptorHolder) - { - defaultEncryptorHolder = null; - - var encryptorMap = new Dictionary(keys.Length); - foreach (var key in keys) - { - var holder = new AuthenticatedEncryptorHolder(key); - encryptorMap.Add(key.KeyId, holder); - if (key.KeyId == defaultKeyId) - { - defaultEncryptorHolder = holder; - } - } - return encryptorMap; - } + public Guid DefaultKeyId { get; } public IAuthenticatedEncryptor GetAuthenticatedEncryptorByKeyId(Guid keyId, out bool isRevoked) { isRevoked = false; - AuthenticatedEncryptorHolder holder; - 
_keyToEncryptorMap.TryGetValue(keyId, out holder); + KeyHolder holder; + _keyIdToKeyHolderMap.TryGetValue(keyId, out holder); return holder?.GetEncryptorInstance(out isRevoked); } - private sealed class AuthenticatedEncryptorHolder + // used for providing lazy activation of the authenticated encryptor instance + private sealed class KeyHolder { private readonly IKey _key; private IAuthenticatedEncryptor _encryptor; - internal AuthenticatedEncryptorHolder(IKey key) + internal KeyHolder(IKey key) { _key = key; } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs index 0837c0dc2d..dc89a53aa8 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs 
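Review bot: The new `KeyRing` constructor ends with `_defaultKeyHolder = _keyIdToKeyHolderMap[defaultKeyId];`, which throws a bare `KeyNotFoundException` when the default key id is not among `keys`. The `Add` call in the loop likewise throws `ArgumentException` on a duplicate key id. Neither exception tells the operator that the key ring itself is inconsistent. An explicit check would make that failure recognisable and match the assertion style used elsewhere in this commit: `CryptoUtil.Assert(_keyIdToKeyHolderMap.TryGetValue(defaultKeyId, out _defaultKeyHolder), "Default key must be present in the key ring.");`. The `KeyHolder` class body continues outside this hunk, so its lazy activation path is not reviewed here.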
@@ -2,21 +2,29 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement { internal unsafe sealed class KeyRingBasedDataProtectionProvider : IDataProtectionProvider { - private readonly IKeyRingProvider _keyringProvider; + private readonly IKeyRingProvider _keyRingProvider; + private readonly ILogger _logger; - public KeyRingBasedDataProtectionProvider(IKeyRingProvider keyringProvider) + public KeyRingBasedDataProtectionProvider(IKeyRingProvider keyRingProvider, IServiceProvider services) { - _keyringProvider = keyringProvider; + _keyRingProvider = keyRingProvider; + _logger = services.GetLogger(); // note: for protector (not provider!) type, could be null } public IDataProtector CreateProtector([NotNull] string purpose) { - return new KeyRingBasedDataProtector(_keyringProvider, new[] { purpose }); + return new KeyRingBasedDataProtector( + logger: _logger, + keyRingProvider: _keyRingProvider, + originalPurposes: null, + newPurpose: purpose); } } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index e7bac85c14..5528cc45e9 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -2,159 +2,139 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Collections.Generic; using System.Diagnostics; using System.IO; +using System.Linq; using System.Threading; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement { - internal unsafe sealed class KeyRingBasedDataProtector : IDataProtector + internal unsafe sealed class KeyRingBasedDataProtector : IDataProtector, IPersistedDataProtector { - // This magic header identifies a v0 protected data blob. - // It's the high 28 bits of the SHA1 hash of "Microsoft.AspNet.DataProtection.MultiplexingDataProtector" [US-ASCII]. - // The last nibble reserved for version information. - // There's also the nice property that "F0 C9" can never appear in a well-formed UTF8 sequence, so attempts to - // treat a protected payload as a UTF8-encoded string will fail, and devs can catch the mistake early. + // This magic header identifies a v0 protected data blob. It's the high 28 bits of the SHA1 hash of + // "Microsoft.AspNet.DataProtection.KeyManagement.KeyRingBasedDataProtector" [US-ASCII], big-endian. + // The last nibble reserved for version information. There's also the nice property that "F0 C9" + // can never appear in a well-formed UTF8 sequence, so attempts to treat a protected payload as a + // UTF8-encoded string will fail, and devs can catch the mistake early. 
private const uint MAGIC_HEADER_V0 = 0x09F0C9F0; - private byte[] _additionalAuthenticatedDataTemplate; - private readonly IKeyRingProvider _keyringProvider; - private readonly string[] _purposes; + private AdditionalAuthenticatedDataTemplate _aadTemplate; + private readonly IKeyRingProvider _keyRingProvider; + private readonly ILogger _logger; - public KeyRingBasedDataProtector(IKeyRingProvider keyringProvider, string[] purposes) + public KeyRingBasedDataProtector(IKeyRingProvider keyRingProvider, ILogger logger, string[] originalPurposes, string newPurpose) { - _additionalAuthenticatedDataTemplate = GenerateAdditionalAuthenticatedDataTemplateFromPurposes(purposes); - _keyringProvider = keyringProvider; - _purposes = purposes; + Debug.Assert(keyRingProvider != null); + + Purposes = ConcatPurposes(originalPurposes, newPurpose); + _logger = logger; // can be null + _keyRingProvider = keyRingProvider; + _aadTemplate = new AdditionalAuthenticatedDataTemplate(Purposes); } - private static byte[] ApplyEncryptorIdToAdditionalAuthenticatedDataTemplate(Guid encryptorId, byte[] additionalAuthenticatedDataTemplate) + internal string[] Purposes { get; } + + private static string[] ConcatPurposes(string[] originalPurposes, string newPurpose) { - CryptoUtil.Assert(additionalAuthenticatedDataTemplate.Length >= sizeof(uint) + sizeof(Guid), "additionalAuthenticatedDataTemplate.Length >= sizeof(uint) + sizeof(Guid)"); - - // Optimization: just return the original template if the GUID already matches. 
- fixed (byte* pbOriginal = additionalAuthenticatedDataTemplate) + if (originalPurposes != null && originalPurposes.Length > 0) { - if (Read32bitAlignedGuid(&pbOriginal[sizeof(uint)]) == encryptorId) - { - return additionalAuthenticatedDataTemplate; - } + string[] newPurposes = new string[originalPurposes.Length + 1]; + Array.Copy(originalPurposes, 0, newPurposes, 0, originalPurposes.Length); + newPurposes[originalPurposes.Length] = newPurpose; + return newPurposes; } - - // Clone the template since the input is immutable, then inject the encryptor ID into the new template - byte[] cloned = (byte[])additionalAuthenticatedDataTemplate.Clone(); - fixed (byte* pbCloned = cloned) + else { - Write32bitAlignedGuid(&pbCloned[sizeof(uint)], encryptorId); + return new string[] { newPurpose }; } - return cloned; } public IDataProtector CreateProtector([NotNull] string purpose) { - // Append the incoming purpose to the end of the original array to form a hierarchy - string[] newPurposes = new string[_purposes.Length + 1]; - Array.Copy(_purposes, 0, newPurposes, 0, _purposes.Length); - newPurposes[newPurposes.Length - 1] = purpose; - - // Use the same keyring as the current instance - return new KeyRingBasedDataProtector(_keyringProvider, newPurposes); + return new KeyRingBasedDataProtector( + logger: _logger, + keyRingProvider: _keyRingProvider, + originalPurposes: Purposes, + newPurpose: purpose); } - private static byte[] GenerateAdditionalAuthenticatedDataTemplateFromPurposes(string[] purposes) - { - const int MEMORYSTREAM_DEFAULT_CAPACITY = 0x100; // matches MemoryStream.EnsureCapacity - var ms = new MemoryStream(MEMORYSTREAM_DEFAULT_CAPACITY); - - // additionalAuthenticatedData := { magicHeader || encryptor-GUID || purposeCount || (purpose)* } - // purpose := { utf8ByteCount || utf8Text } - using (var writer = new PurposeBinaryWriter(ms)) - { - writer.WriteBigEndian(MAGIC_HEADER_V0); - Debug.Assert(ms.Position == sizeof(uint)); - writer.Seek(sizeof(Guid), 
SeekOrigin.Current); // skip over where the encryptor GUID will be stored; we'll fill it in later - if (purposes != null) - { - writer.Write7BitEncodedInt(purposes.Length); - foreach (var purpose in purposes) - { - if (String.IsNullOrEmpty(purpose)) - { - writer.Write7BitEncodedInt(0); // blank purpose - } - else - { - writer.Write(purpose); - } - } - } - else - { - writer.Write7BitEncodedInt(0); // empty purposes array - } - } - - return ms.ToArray(); - } - - public byte[] Protect(byte[] unprotectedData) + // allows decrypting payloads whose keys have been revoked + public byte[] DangerousUnprotect(byte[] protectedData, bool ignoreRevocationErrors, out bool requiresMigration, out bool wasRevoked) { // argument & state checking - if (unprotectedData == null) + if (protectedData == null) { - throw new ArgumentNullException("unprotectedData"); + throw new ArgumentNullException(nameof(protectedData)); } - // Perform the encryption operation using the current default encryptor. - var currentKeyRing = _keyringProvider.GetCurrentKeyRing(); - var defaultKeyId = currentKeyRing.DefaultKeyId; - var defaultEncryptorInstance = currentKeyRing.DefaultAuthenticatedEncryptor; - CryptoUtil.Assert(defaultEncryptorInstance != null, "defaultEncryptorInstance != null"); + UnprotectStatus status; + byte[] retVal = UnprotectCore(protectedData, ignoreRevocationErrors, status: out status); + requiresMigration = (status != UnprotectStatus.Ok); + wasRevoked = (status == UnprotectStatus.DecryptionKeyWasRevoked); + return retVal; + } - // We'll need to apply the default encryptor ID to the template if it hasn't already been applied. - // If the default encryptor ID has been updated since the last call to Protect, also write back the updated template. 
- byte[] aadTemplate = Volatile.Read(ref _additionalAuthenticatedDataTemplate); - byte[] aadForInvocation = ApplyEncryptorIdToAdditionalAuthenticatedDataTemplate(defaultKeyId, aadTemplate); - if (aadTemplate != aadForInvocation) + public byte[] Protect(byte[] plaintext) + { + // argument & state checking + if (plaintext == null) { - Volatile.Write(ref _additionalAuthenticatedDataTemplate, aadForInvocation); + throw new ArgumentNullException(nameof(plaintext)); } - // We allocate a 20-byte pre-buffer so that we can inject the magic header and encryptor id into the return value. - byte[] retVal; try { - retVal = defaultEncryptorInstance.Encrypt( - plaintext: new ArraySegment(unprotectedData), - additionalAuthenticatedData: new ArraySegment(aadForInvocation), + // Perform the encryption operation using the current default encryptor. + var currentKeyRing = _keyRingProvider.GetCurrentKeyRing(); + var defaultKeyId = currentKeyRing.DefaultKeyId; + var defaultEncryptorInstance = currentKeyRing.DefaultAuthenticatedEncryptor; + CryptoUtil.Assert(defaultEncryptorInstance != null, "defaultEncryptorInstance != null"); + + if (_logger.IsDebugLevelEnabled()) + { + _logger.LogDebug("Performing protect operation to key '{0:D}' with purposes ({1}).", + defaultKeyId, String.Join(", ", Purposes.Select(p => "'" + p + "'"))); + } + + // We'll need to apply the default key id to the template if it hasn't already been applied. + // If the default key id has been updated since the last call to Protect, also write back the updated template. + byte[] aad = _aadTemplate.GetAadForKey(defaultKeyId, isProtecting: true); + + // We allocate a 20-byte pre-buffer so that we can inject the magic header and key id into the return value. 
+ byte[] retVal = defaultEncryptorInstance.Encrypt( + plaintext: new ArraySegment(plaintext), + additionalAuthenticatedData: new ArraySegment(aad), preBufferSize: (uint)(sizeof(uint) + sizeof(Guid)), postBufferSize: 0); CryptoUtil.Assert(retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid), "retVal != null && retVal.Length >= sizeof(uint) + sizeof(Guid)"); + + // At this point: retVal := { 000..000 || encryptorSpecificProtectedPayload }, + // where 000..000 is a placeholder for our magic header and key id. + + // Write out the magic header and key id + fixed (byte* pbRetVal = retVal) + { + WriteBigEndianInteger(pbRetVal, MAGIC_HEADER_V0); + Write32bitAlignedGuid(&pbRetVal[sizeof(uint)], defaultKeyId); + } + + // At this point, retVal := { magicHeader || keyId || encryptorSpecificProtectedPayload } + // And we're done! + return retVal; } catch (Exception ex) when (ex.RequiresHomogenization()) { // homogenize all errors to CryptographicException throw Error.Common_EncryptionFailed(ex); } - - // At this point: retVal := { 000..000 || encryptorSpecificProtectedPayload }, - // where 000..000 is a placeholder for our magic header and encryptor ID. - - // Write out the magic header and encryptor ID - fixed (byte* pbRetVal = retVal) - { - WriteBigEndianInteger(pbRetVal, MAGIC_HEADER_V0); - Write32bitAlignedGuid(&pbRetVal[sizeof(uint)], defaultKeyId); - } - - // At this point, retVal := { magicHeader || encryptor-GUID || encryptorSpecificProtectedPayload } - // And we're done! - return retVal; } - // Helper function to read a GUID from a 32-bit alignment; useful on ARM where unaligned reads + // Helper function to read a GUID from a 32-bit alignment; useful on architectures where unaligned reads // can result in weird behaviors at runtime. private static Guid Read32bitAlignedGuid(void* ptr) { 
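Review bot: `DangerousUnprotect` is public but carries only the one-line comment "allows decrypting payloads whose keys have been revoked", which does not tell callers what they must do with the two out parameters. With `ignoreRevocationErrors` set, the method can return plaintext and set `wasRevoked` to true. The `IKey.IsRevoked` remarks changed in this same commit say such payloads must be treated as tampered. I would add XML documentation covering each parameter, including `/// When wasRevoked is true, the returned data must be treated as tampered unless the caller has other assurance that it is authentic.`, and stating that `requiresMigration` is true for any status other than Ok. The class continues outside this hunk (`Read32bitAlignedGuid` onward), so `UnprotectCore`'s handling of the revoked case is not reviewed here.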
@@ -193,61 +173,104 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement public byte[] Unprotect(byte[] protectedData) { - // argument & state checking - if (protectedData == null) - { - throw new ArgumentNullException("protectedData"); - } - if (protectedData.Length < sizeof(uint) /* magic header */ + sizeof(Guid) /* key id */) - { - throw Error.Common_NotAValidProtectedPayload(); - } + // Argument checking will be done by the callee + bool requiresMigration, wasRevoked; // unused + return DangerousUnprotect(protectedData, + ignoreRevocationErrors: false, + requiresMigration: out requiresMigration, + wasRevoked: out wasRevoked); + } - // Need to check that protectedData := { magicHeader || encryptor-GUID || encryptorSpecificProtectedPayload } - - // Parse the payload version number and encryptor ID. - uint payloadMagicHeader; - Guid payloadEncryptorId; - fixed (byte* pbInput = protectedData) - { - payloadMagicHeader = ReadBigEndian32BitInteger(pbInput); - payloadEncryptorId = Read32bitAlignedGuid(&pbInput[sizeof(uint)]); - } - - // Are the magic header and version information correct? - int payloadVersion; - if (!TryGetVersionFromMagicHeader(payloadMagicHeader, out payloadVersion)) - { - throw Error.Common_NotAValidProtectedPayload(); - } - else if (payloadVersion != 0) - { - throw Error.Common_PayloadProducedByNewerVersion(); - } - - // Find the correct encryptor in the keyring. - bool keyWasRevoked; - var requestedEncryptor = _keyringProvider.GetCurrentKeyRing().GetAuthenticatedEncryptorByKeyId(payloadEncryptorId, out keyWasRevoked); - if (requestedEncryptor == null) - { - throw Error.Common_KeyNotFound(payloadEncryptorId); - } - if (keyWasRevoked) - { - throw Error.Common_KeyRevoked(payloadEncryptorId); - } - - // Perform the decryption operation. 
- ArraySegment ciphertext = new ArraySegment(protectedData, sizeof(uint) + sizeof(Guid), protectedData.Length - (sizeof(uint) + sizeof(Guid))); // chop off magic header + encryptor id - ArraySegment additionalAuthenticatedData = new ArraySegment(ApplyEncryptorIdToAdditionalAuthenticatedDataTemplate(payloadEncryptorId, Volatile.Read(ref _additionalAuthenticatedDataTemplate))); + private byte[] UnprotectCore(byte[] protectedData, bool allowOperationsOnRevokedKeys, out UnprotectStatus status) + { + Debug.Assert(protectedData != null); try { + // argument & state checking + if (protectedData.Length < sizeof(uint) /* magic header */ + sizeof(Guid) /* key id */) + { + // payload must contain at least the magic header and key id + throw Error.ProtectionProvider_BadMagicHeader(); + } + + // Need to check that protectedData := { magicHeader || keyId || encryptorSpecificProtectedPayload } + + // Parse the payload version number and key id. + uint magicHeaderFromPayload; + Guid keyIdFromPayload; + fixed (byte* pbInput = protectedData) + { + magicHeaderFromPayload = ReadBigEndian32BitInteger(pbInput); + keyIdFromPayload = Read32bitAlignedGuid(&pbInput[sizeof(uint)]); + } + + // Are the magic header and version information correct? + int payloadVersion; + if (!TryGetVersionFromMagicHeader(magicHeaderFromPayload, out payloadVersion)) + { + throw Error.ProtectionProvider_BadMagicHeader(); + } + else if (payloadVersion != 0) + { + throw Error.ProtectionProvider_BadVersion(); + } + + if (_logger.IsDebugLevelEnabled()) + { + _logger.LogDebug("Performing unprotect operation to key '{0:D}' with purposes ({1}).", + keyIdFromPayload, String.Join(", ", Purposes.Select(p => "'" + p + "'"))); + } + + // Find the correct encryptor in the keyring. 
+ bool keyWasRevoked; + var currentKeyRing = _keyRingProvider.GetCurrentKeyRing(); + var requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out keyWasRevoked); + if (requestedEncryptor == null) + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("Key '{0:D}' was not found in the key ring. Unprotect operation cannot proceed.", keyIdFromPayload); + } + throw Error.Common_KeyNotFound(keyIdFromPayload); + } + + // Do we need to notify the caller that he should reprotect the data? + status = UnprotectStatus.Ok; + if (keyIdFromPayload != currentKeyRing.DefaultKeyId) + { + status = UnprotectStatus.DefaultEncryptionKeyChanged; + } + + // Do we need to notify the caller that this key was revoked? + if (keyWasRevoked) + { + if (allowOperationsOnRevokedKeys) + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("Key '{0:D}' was revoked. Caller requested unprotect operation proceed regardless.", keyIdFromPayload); + } + status = UnprotectStatus.DecryptionKeyWasRevoked; + } + else + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("Key '{0:D}' was revoked. Unprotect operation cannot proceed.", keyIdFromPayload); + } + throw Error.Common_KeyRevoked(keyIdFromPayload); + } + } + + // Perform the decryption operation. + ArraySegment ciphertext = new ArraySegment(protectedData, sizeof(uint) + sizeof(Guid), protectedData.Length - (sizeof(uint) + sizeof(Guid))); // chop off magic header + encryptor id + ArraySegment additionalAuthenticatedData = new ArraySegment(_aadTemplate.GetAadForKey(keyIdFromPayload, isProtecting: false)); + // At this point, cipherText := { encryptorSpecificPayload }, // so all that's left is to invoke the decryption routine directly. - byte[] retVal = requestedEncryptor.Decrypt(ciphertext, additionalAuthenticatedData); - CryptoUtil.Assert(retVal != null, "retVal != null"); - return retVal; + return requestedEncryptor.Decrypt(ciphertext, additionalAuthenticatedData) + ?? 
CryptoUtil.Fail("IAuthenticatedEncryptor.Decrypt returned null."); } catch (Exception ex) when (ex.RequiresHomogenization()) { 
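Review bot: In `UnprotectCore`, `status` holds a single value, so when the payload's key is both non-default and revoked, the `DecryptionKeyWasRevoked` assignment overwrites `DefaultEncryptionKeyChanged`, and nothing in the hunk documents that precedence. I would add above `status = UnprotectStatus.Ok;` the comment `// Precedence: DecryptionKeyWasRevoked overrides DefaultEncryptionKeyChanged; callers should treat any non-Ok status as "re-protect".` The `allowOperationsOnRevokedKeys` branch still returns the decrypted bytes, so it deserves a caveat such as `// Plaintext recovered under a revoked key must not be trusted as authentic; the key may have been disclosed.` How `DangerousUnprotect` maps the status onto `requiresMigration` and `wasRevoked` is not visible here, and the method's catch block continues outside the hunk.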
@@ -276,27 +299,95 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement ptr[3] = (byte)(value); } - private sealed class PurposeBinaryWriter : BinaryWriter + private struct AdditionalAuthenticatedDataTemplate { - // Strings should never contain invalid UTF16 chars, so we'll use a secure encoding. - private static readonly byte[] _guidBuffer = new byte[sizeof(Guid)]; + private byte[] _aadTemplate; - public PurposeBinaryWriter(MemoryStream stream) : base(stream, EncodingUtil.SecureUtf8Encoding, leaveOpen: true) { } - - public new void Write7BitEncodedInt(int value) + public AdditionalAuthenticatedDataTemplate(IEnumerable purposes) { - base.Write7BitEncodedInt(value); + const int MEMORYSTREAM_DEFAULT_CAPACITY = 0x100; // matches MemoryStream.EnsureCapacity + var ms = new MemoryStream(MEMORYSTREAM_DEFAULT_CAPACITY); + + // additionalAuthenticatedData := { magicHeader (32-bit) || keyId || purposeCount (32-bit) || (purpose)* } + // purpose := { utf8ByteCount (7-bit encoded) || utf8Text } + + using (var writer = new PurposeBinaryWriter(ms)) + { + writer.WriteBigEndian(MAGIC_HEADER_V0); + Debug.Assert(ms.Position == sizeof(uint)); + long posPurposeCount = writer.Seek(sizeof(Guid), SeekOrigin.Current); // skip over where the key id will be stored; we'll fill it in later + writer.Seek(sizeof(uint), SeekOrigin.Current); // skip over where the purposeCount will be stored; we'll fill it in later + + uint purposeCount = 0; + foreach (string purpose in purposes) + { + Debug.Assert(purpose != null); + writer.Write(purpose); // prepends length as a 7-bit encoded integer + purposeCount++; + } + + // Once we have written all the purposes, go back and fill in 'purposeCount' + writer.Seek(checked((int)posPurposeCount), SeekOrigin.Begin); + writer.WriteBigEndian(purposeCount); + } + + _aadTemplate = ms.ToArray(); } - // Writes a big-endian 32-bit integer to the underlying stream. 
- public void WriteBigEndian(uint value) + public byte[] GetAadForKey(Guid keyId, bool isProtecting) { - var outStream = BaseStream; // property accessor also performs a flush - outStream.WriteByte((byte)(value >> 24)); - outStream.WriteByte((byte)(value >> 16)); - outStream.WriteByte((byte)(value >> 8)); - outStream.WriteByte((byte)(value)); + // Multiple threads might be trying to read and write the _aadTemplate field + // simultaneously. We need to make sure all accesses to it are thread-safe. + byte[] existingTemplate = Volatile.Read(ref _aadTemplate); + Debug.Assert(existingTemplate.Length >= sizeof(uint) /* MAGIC_HEADER */ + sizeof(Guid) /* keyId */); + + // If the template is already initialized to this key id, return it. + // The caller will not mutate it. + fixed (byte* pExistingTemplate = existingTemplate) + { + if (Read32bitAlignedGuid(&pExistingTemplate[sizeof(uint)]) == keyId) + { + return existingTemplate; + } + } + + // Clone since we're about to make modifications. + // If this is an encryption operation, we only ever encrypt to the default key, + // so we should replace the existing template. This could occur after the protector + // has already been created, such as when the underlying key ring has been modified. + byte[] newTemplate = (byte[])existingTemplate.Clone(); + fixed (byte* pNewTemplate = newTemplate) + { + Write32bitAlignedGuid(&pNewTemplate[sizeof(uint)], keyId); + if (isProtecting) + { + Volatile.Write(ref _aadTemplate, newTemplate); + } + return newTemplate; + } } + + private sealed class PurposeBinaryWriter : BinaryWriter + { + public PurposeBinaryWriter(MemoryStream stream) : base(stream, EncodingUtil.SecureUtf8Encoding, leaveOpen: true) { } + + // Writes a big-endian 32-bit integer to the underlying stream. 
+ public void WriteBigEndian(uint value) + { + var outStream = BaseStream; // property accessor also performs a flush + outStream.WriteByte((byte)(value >> 24)); + outStream.WriteByte((byte)(value >> 16)); + outStream.WriteByte((byte)(value >> 8)); + outStream.WriteByte((byte)(value)); + } + } + } + + private enum UnprotectStatus + { + Ok, + DefaultEncryptionKeyChanged, + DecryptionKeyWasRevoked } } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index ce37200737..ec8c878c04 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs 
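Review bot: `AdditionalAuthenticatedDataTemplate` is a mutable struct, and `GetAadForKey` updates it through `Volatile.Write(ref _aadTemplate, newTemplate)`, so the cached template only persists if the owning field is non-readonly and the struct is never copied. The owning field's declaration is outside this hunk. If it is `readonly`, or the struct is ever passed by value, the write lands on a temporary copy and every `Protect` call after a default-key change clones the template again, with no visible failure. Either make the type a `sealed class`, or add on the struct `// Mutable struct: keep the owning field non-readonly and never copy it, or the cached template update is lost.`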
@@ -2,205 +2,162 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Collections.Generic; using System.Diagnostics; -using System.Linq; using System.Threading; using Microsoft.AspNet.Cryptography; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement { - internal sealed class KeyRingProvider : IKeyRingProvider + internal sealed class KeyRingProvider : ICacheableKeyRingProvider, IKeyRingProvider { - // TODO: Should the below be 3 months? - private static readonly TimeSpan KEY_DEFAULT_LIFETIME = TimeSpan.FromDays(30 * 6); // how long should keys be active once created? - private static readonly TimeSpan KEYRING_REFRESH_PERIOD = TimeSpan.FromDays(1); // how often should we check for updates to the repository? - private static readonly TimeSpan KEY_EXPIRATION_BUFFER = TimeSpan.FromDays(7); // how close to key expiration should we generate a new key? 
- private static readonly TimeSpan MAX_SERVER_TO_SERVER_CLOCK_SKEW = TimeSpan.FromMinutes(10); // max skew we expect to see between servers using the key ring - - private CachedKeyRing _cachedKeyRing; - private readonly object _cachedKeyRingLockObj = new object(); + private CacheableKeyRing _cacheableKeyRing; + private readonly object _cacheableKeyRingLockObj = new object(); + private readonly ICacheableKeyRingProvider _cacheableKeyRingProvider; + private readonly IDefaultKeyResolver _defaultKeyResolver; + private readonly KeyLifetimeOptions _keyLifetimeOptions; private readonly IKeyManager _keyManager; + private readonly ILogger _logger; - public KeyRingProvider(IKeyManager keyManager) + public KeyRingProvider(IKeyManager keyManager, KeyLifetimeOptions keyLifetimeOptions, IServiceProvider services) { + _keyLifetimeOptions = new KeyLifetimeOptions(keyLifetimeOptions); // clone so new instance is immutable _keyManager = keyManager; + _cacheableKeyRingProvider = services?.GetService() ?? this; + _logger = services?.GetLogger(); + _defaultKeyResolver = services?.GetService() + ?? 
new DefaultKeyResolver(_keyLifetimeOptions.KeyExpirationSafetyPeriod, _keyLifetimeOptions.MaxServerClockSkew, services); + } + + private CacheableKeyRing CreateCacheableKeyRingCore(DateTimeOffset now, bool allowRecursiveCalls = false) + { + // Refresh the list of all keys + var cacheExpirationToken = _keyManager.GetCacheExpirationToken(); + var allKeys = _keyManager.GetAllKeys(); + + // Fetch the current default key from the list of all keys + var defaultKeyPolicy = _defaultKeyResolver.ResolveDefaultKeyPolicy(now, allKeys); + if (!defaultKeyPolicy.ShouldGenerateNewKey) + { + CryptoUtil.Assert(defaultKeyPolicy.DefaultKey != null, "Expected to see a default key."); + return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, defaultKeyPolicy.DefaultKey, allKeys); + } + + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Policy resolution states that a new key should be added to the key ring."); + } + + // At this point, we know we need to generate a new key. + + // This should only occur if a call to CreateNewKey immediately followed by a call to + // GetAllKeys returned 'you need to add a key to the key ring'. This should never happen + // in practice unless there's corruption in the backing store. Regardless, we can't recurse + // forever, so we have to bail now. + if (!allowRecursiveCalls) + { + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError("Policy resolution states that a new key should be added to the key ring, even after a call to CreateNewKey."); + } + throw CryptoUtil.Fail("Policy resolution states that a new key should be added to the key ring, even after a call to CreateNewKey."); + } + + if (defaultKeyPolicy.DefaultKey == null) + { + // The case where there's no default key is the easiest scenario, since it + // means that we need to create a new key with immediate activation. 
+ _keyManager.CreateNewKey(activationDate: now, expirationDate: now + _keyLifetimeOptions.NewKeyLifetime); + return CreateCacheableKeyRingCore(now); // recursively call + } + else + { + // If there is a default key, then the new key we generate should become active upon + // expiration of the default key. The new key lifetime is measured from the creation + // date (now), not the activation date. + _keyManager.CreateNewKey(activationDate: defaultKeyPolicy.DefaultKey.ExpirationDate, expirationDate: now + _keyLifetimeOptions.NewKeyLifetime); + return CreateCacheableKeyRingCore(now); // recursively call + } } - private CachedKeyRing CreateCachedKeyRingInstanceUnderLock(DateTime utcNow, CachedKeyRing existingCachedKeyRing) + private CacheableKeyRing CreateCacheableKeyRingCoreStep2(DateTimeOffset now, CancellationToken cacheExpirationToken, IKey defaultKey, IEnumerable allKeys) { - bool shouldCreateNewKeyWithDeferredActivation; // flag stating whether the default key will soon expire and doesn't have a suitable replacement - - // Must we discard the cached keyring and refresh directly from the manager? - if (existingCachedKeyRing != null && existingCachedKeyRing.HardRefreshTimeUtc <= utcNow) + if (_logger.IsVerboseLevelEnabled()) { - existingCachedKeyRing = null; + _logger.LogVerbose("Using key '{0:D}' as the default key.", defaultKey.KeyId); } - // Try to locate the current default key, using the cached keyring if we can. 
- IKey defaultKey; - if (existingCachedKeyRing != null) - { - defaultKey = FindDefaultKey(utcNow, existingCachedKeyRing.Keys, out shouldCreateNewKeyWithDeferredActivation); - if (defaultKey != null && !shouldCreateNewKeyWithDeferredActivation) - { - return new CachedKeyRing - { - KeyRing = new KeyRing(defaultKey.KeyId, existingCachedKeyRing.KeyRing), // this overload allows us to use existing IAuthenticatedEncryptor instances - Keys = existingCachedKeyRing.Keys, - HardRefreshTimeUtc = existingCachedKeyRing.HardRefreshTimeUtc, - SoftRefreshTimeUtc = MinDateTime(existingCachedKeyRing.HardRefreshTimeUtc, utcNow + KEYRING_REFRESH_PERIOD) - }; - } - } - - // That didn't work, so refresh from the underlying key manager. - var allKeys = _keyManager.GetAllKeys().ToArray(); - defaultKey = FindDefaultKey(utcNow, allKeys, out shouldCreateNewKeyWithDeferredActivation); - - if (defaultKey != null && shouldCreateNewKeyWithDeferredActivation) - { - // If we need to create a new key with deferred activation, do so now. - _keyManager.CreateNewKey(activationDate: defaultKey.ExpirationDate, expirationDate: utcNow + KEY_DEFAULT_LIFETIME); - allKeys = _keyManager.GetAllKeys().ToArray(); - defaultKey = FindDefaultKey(utcNow, allKeys); - } - else if (defaultKey == null) - { - // If there's no default key, create one now with immediate activation. - _keyManager.CreateNewKey(utcNow, utcNow + KEY_DEFAULT_LIFETIME); - allKeys = _keyManager.GetAllKeys().ToArray(); - defaultKey = FindDefaultKey(utcNow, allKeys); - } - - // We really should have a default key at this point. 
- CryptoUtil.Assert(defaultKey != null, "defaultKey != null"); - - var cachedKeyRingHardRefreshTime = GetNextHardRefreshTime(utcNow); - return new CachedKeyRing - { - KeyRing = new KeyRing(defaultKey.KeyId, allKeys), - Keys = allKeys, - HardRefreshTimeUtc = cachedKeyRingHardRefreshTime, - SoftRefreshTimeUtc = MinDateTime(defaultKey.ExpirationDate.UtcDateTime, cachedKeyRingHardRefreshTime) - }; - } - - private static IKey FindDefaultKey(DateTime utcNow, IKey[] allKeys) - { - bool unused; - return FindDefaultKey(utcNow, allKeys, out unused); - } - - private static IKey FindDefaultKey(DateTime utcNow, IKey[] allKeys, out bool callerShouldGenerateNewKey) - { - callerShouldGenerateNewKey = false; - - // Find the keys with the nearest past and future activation dates. - IKey keyWithNearestPastActivationDate = null; - IKey keyWithNearestFutureActivationDate = null; - foreach (var candidateKey in allKeys) - { - // Revoked keys are never eligible candidates to be the default key. - if (candidateKey.IsRevoked) - { - continue; - } - - if (candidateKey.ActivationDate.UtcDateTime <= utcNow) - { - if (keyWithNearestPastActivationDate == null || keyWithNearestPastActivationDate.ActivationDate < candidateKey.ActivationDate) - { - keyWithNearestPastActivationDate = candidateKey; - } - } - else - { - if (keyWithNearestFutureActivationDate == null || keyWithNearestFutureActivationDate.ActivationDate > candidateKey.ActivationDate) - { - keyWithNearestFutureActivationDate = candidateKey; - } - } - } - - // If the most recently activated key hasn't yet expired, use it as the default key. - if (keyWithNearestPastActivationDate != null && !keyWithNearestPastActivationDate.IsExpired(utcNow)) - { - // Additionally, if it's about to expire and there will be a gap in the keyring during which there - // is no valid default encryption key, the caller should generate a new key with deferred activation. 
- if (keyWithNearestPastActivationDate.ExpirationDate.UtcDateTime - utcNow <= KEY_EXPIRATION_BUFFER) - { - if (keyWithNearestFutureActivationDate == null || keyWithNearestFutureActivationDate.ActivationDate > keyWithNearestPastActivationDate.ExpirationDate) - { - callerShouldGenerateNewKey = true; - } - } - - return keyWithNearestPastActivationDate; - } - - // Failing that, is any key due for imminent activation? If so, use it as the default key. - // This allows us to account for clock skew when multiple servers touch the repository. - if (keyWithNearestFutureActivationDate != null - && (keyWithNearestFutureActivationDate.ActivationDate.UtcDateTime - utcNow) < MAX_SERVER_TO_SERVER_CLOCK_SKEW - && !keyWithNearestFutureActivationDate.IsExpired(utcNow) /* sanity check: expiration can't occur before activation */) - { - return keyWithNearestFutureActivationDate; - } - - // Otherwise, there's no default key. - return null; + // The cached keyring should expire at the earliest of (default key expiration, next auto-refresh time). + // Since the refresh period and safety window are not user-settable, we can guarantee that there's at + // least one auto-refresh between the start of the safety window and the key's expiration date. + // This gives us an opportunity to update the key ring before expiration, and it prevents multiple + // servers in a cluster from trying to update the key ring simultaneously. + return new CacheableKeyRing( + expirationToken: cacheExpirationToken, + expirationTime: Min(defaultKey.ExpirationDate, now + GetRefreshPeriodWithJitter(_keyLifetimeOptions.KeyRingRefreshPeriod)), + defaultKey: defaultKey, + allKeys: allKeys); } public IKeyRing GetCurrentKeyRing() { - DateTime utcNow = DateTime.UtcNow; + return GetCurrentKeyRingCore(DateTime.UtcNow); + } + + internal IKeyRing GetCurrentKeyRingCore(DateTime utcNow) + { + Debug.Assert(utcNow.Kind == DateTimeKind.Utc); // Can we return the cached keyring to the caller? 
- var existingCachedKeyRing = Volatile.Read(ref _cachedKeyRing); - if (existingCachedKeyRing != null && existingCachedKeyRing.SoftRefreshTimeUtc > utcNow) + var existingCacheableKeyRing = Volatile.Read(ref _cacheableKeyRing); + if (CacheableKeyRing.IsValid(existingCacheableKeyRing, utcNow)) { - return existingCachedKeyRing.KeyRing; + return existingCacheableKeyRing.KeyRing; } // The cached keyring hasn't been created or must be refreshed. - lock (_cachedKeyRingLockObj) + lock (_cacheableKeyRingLockObj) { // Did somebody update the keyring while we were waiting for the lock? - existingCachedKeyRing = Volatile.Read(ref _cachedKeyRing); - if (existingCachedKeyRing != null && existingCachedKeyRing.SoftRefreshTimeUtc > utcNow) + existingCacheableKeyRing = Volatile.Read(ref _cacheableKeyRing); + if (CacheableKeyRing.IsValid(existingCacheableKeyRing, utcNow)) { - return existingCachedKeyRing.KeyRing; + return existingCacheableKeyRing.KeyRing; + } + + if (existingCacheableKeyRing != null && _logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Existing cached key ring is expired. Refreshing."); } // It's up to us to refresh the cached keyring. - var newCachedKeyRing = CreateCachedKeyRingInstanceUnderLock(utcNow, existingCachedKeyRing); - Volatile.Write(ref _cachedKeyRing, newCachedKeyRing); - return newCachedKeyRing.KeyRing; + // This call is performed *under lock*. + var newCacheableKeyRing = _cacheableKeyRingProvider.GetCacheableKeyRing(utcNow); + Volatile.Write(ref _cacheableKeyRing, newCacheableKeyRing); + return newCacheableKeyRing.KeyRing; } } - private static DateTime GetNextHardRefreshTime(DateTime utcNow) + private static TimeSpan GetRefreshPeriodWithJitter(TimeSpan refreshPeriod) { - // We'll fudge the refresh period up to 20% so that multiple applications don't try to + // We'll fudge the refresh period up to -20% so that multiple applications don't try to // hit a single repository simultaneously. 
For instance, if the refresh period is 1 hour, - // we'll calculate the new refresh time as somewhere between 48 - 60 minutes from now. - var skewedRefreshPeriod = TimeSpan.FromTicks((long)(KEYRING_REFRESH_PERIOD.Ticks * ((new Random().NextDouble() / 5) + 0.8d))); - return utcNow + skewedRefreshPeriod; + // we'll return a value in the vicinity of 48 - 60 minutes. We use the Random class since + // we don't need a secure PRNG for this. + return TimeSpan.FromTicks((long)(refreshPeriod.Ticks * (1.0d - (new Random().NextDouble() / 5)))); } - private static DateTime MinDateTime(DateTime a, DateTime b) + private static DateTimeOffset Min(DateTimeOffset a, DateTimeOffset b) { - Debug.Assert(a.Kind == DateTimeKind.Utc); - Debug.Assert(b.Kind == DateTimeKind.Utc); return (a < b) ? a : b; } - private sealed class CachedKeyRing + CacheableKeyRing ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now) { - internal DateTime HardRefreshTimeUtc; - internal KeyRing KeyRing; - internal IKey[] Keys; - internal DateTime SoftRefreshTimeUtc; + // the entry point allows one recursive call + return CreateCacheableKeyRingCore(now, allowRecursiveCalls: true); } } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index e31cd5353a..4466158062 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs 
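Review bot: In `GetCurrentKeyRingCore`, the refresh call `_cacheableKeyRingProvider.GetCacheableKeyRing(utcNow)` runs inside `lock (_cacheableKeyRingLockObj)` with no failure handling. An exception from the key manager, or the `CryptoUtil.Fail` thrown in `CreateCacheableKeyRingCore`, therefore leaves the expired instance in `_cacheableKeyRing`, and every later caller serialises on the lock and retries the repository. While the backing store is unavailable, that turns each protect and unprotect call into a blocked repository round trip followed by an error. I would document this on the call with `// NOTE: if this throws, the expired key ring stays cached and every caller retries the refresh under the lock.` I would also consider serving the previous key ring for a short grace period when one exists; whether `CacheableKeyRing` can express an extended lifetime is not visible in this hunk.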
@@ -7,98 +7,121 @@ using System.Diagnostics; using System.Globalization; using System.Linq; using System.Reflection; +using System.Runtime.CompilerServices; +using System.Threading; +using System.Xml; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement { - public sealed class XmlKeyManager : IKeyManager + /// + /// A key manager backed by an . + /// + public sealed class XmlKeyManager : IKeyManager, IInternalXmlKeyManager { - private const string KEY_MANAGEMENT_XML_NAMESPACE_STRING = "http://www.asp.net/dataProtection/2014"; - internal static readonly XNamespace KeyManagementXmlNamespace = XNamespace.Get(KEY_MANAGEMENT_XML_NAMESPACE_STRING); + // Used for serializing elements to persistent storage + internal static readonly XName KeyElementName = "key"; + internal static readonly XName IdAttributeName = "id"; + internal static readonly XName VersionAttributeName = "version"; + internal static readonly XName CreationDateElementName = "creationDate"; + internal static readonly XName ActivationDateElementName = "activationDate"; + internal static readonly XName ExpirationDateElementName = "expirationDate"; + internal static readonly XName DescriptorElementName = "descriptor"; + internal static readonly XName DeserializerTypeAttributeName = "deserializerType"; + internal static readonly XName RevocationElementName = "revocation"; + internal static readonly XName RevocationDateElementName = "revocationDate"; + internal static readonly XName ReasonElementName = "reason"; - internal static readonly XName ActivationDateElementName = 
KeyManagementXmlNamespace.GetName("activationDate"); - internal static readonly XName AuthenticatedEncryptorElementName = KeyManagementXmlNamespace.GetName("authenticatedEncryptor"); - internal static readonly XName CreationDateElementName = KeyManagementXmlNamespace.GetName("creationDate"); - internal static readonly XName ExpirationDateElementName = KeyManagementXmlNamespace.GetName("expirationDate"); - internal static readonly XName IdAttributeName = XNamespace.None.GetName("id"); - internal static readonly XName KeyElementName = KeyManagementXmlNamespace.GetName("key"); - internal static readonly XName ReaderAttributeName = XNamespace.None.GetName("reader"); - internal static readonly XName ReasonElementName = KeyManagementXmlNamespace.GetName("reason"); - internal static readonly XName RevocationDateElementName = KeyManagementXmlNamespace.GetName("revocationDate"); - internal static readonly XName RevocationElementName = KeyManagementXmlNamespace.GetName("revocation"); - internal static readonly XName VersionAttributeName = XNamespace.None.GetName("version"); + private const string RevokeAllKeysValue = "*"; - private readonly IAuthenticatedEncryptorConfigurationFactory _authenticatedEncryptorConfigurationFactory; - private readonly IServiceProvider _serviceProvider; - private readonly IXmlRepository _xmlRepository; - private readonly IXmlEncryptor _xmlEncryptor; + private readonly IActivator _activator; + private readonly IAuthenticatedEncryptorConfiguration _authenticatedEncryptorConfiguration; + private readonly IInternalXmlKeyManager _internalKeyManager; + private readonly IKeyEscrowSink _keyEscrowSink; + private readonly ILogger _logger; + private CancellationTokenSource _cacheExpirationTokenSource; + + /// + /// Creates an . + /// + /// The repository where keys are stored. + /// Configuration for newly-created keys. + /// A provider of optional services. 
public XmlKeyManager( - [NotNull] IServiceProvider serviceProvider, - [NotNull] IAuthenticatedEncryptorConfigurationFactory authenticatedEncryptorConfigurationFactory, - [NotNull] IXmlRepository xmlRepository, - [NotNull] IXmlEncryptor xmlEncryptor) + [NotNull] IXmlRepository repository, + [NotNull] IAuthenticatedEncryptorConfiguration configuration, + IServiceProvider services) { - _serviceProvider = serviceProvider; - _authenticatedEncryptorConfigurationFactory = authenticatedEncryptorConfigurationFactory; - _xmlRepository = xmlRepository; - _xmlEncryptor = xmlEncryptor; + KeyEncryptor = services.GetService(); // optional + KeyRepository = repository; + + _activator = services.GetActivator(); // returns non-null + _authenticatedEncryptorConfiguration = configuration; + _internalKeyManager = services.GetService() ?? this; + _keyEscrowSink = services.GetKeyEscrowSink(); // not required + _logger = services.GetLogger(); // not required + TriggerAndResetCacheExpirationToken(suppressLogging: true); } + internal XmlKeyManager(IServiceProvider services) + { + // First, see if an explicit encryptor or repository was specified. + // If either was specified, then we won't use the fallback. + KeyEncryptor = services.GetService(); // optional + KeyRepository = (KeyEncryptor != null) + ? services.GetRequiredService() // required if encryptor is specified + : services.GetService(); // optional if encryptor not specified + + // If the repository is missing, then we get both the encryptor and the repository from the fallback. + // If the fallback is missing, the final call to GetRequiredService below will throw. + if (KeyRepository == null) + { + var defaultKeyServices = services.GetService(); + KeyEncryptor = defaultKeyServices?.GetKeyEncryptor(); // optional + KeyRepository = defaultKeyServices?.GetKeyRepository() ?? 
services.GetRequiredService(); + } + + _activator = services.GetActivator(); // returns non-null + _authenticatedEncryptorConfiguration = services.GetRequiredService(); + _internalKeyManager = services.GetService() ?? this; + _keyEscrowSink = services.GetKeyEscrowSink(); // not required + _logger = services.GetLogger(); // not required + TriggerAndResetCacheExpirationToken(suppressLogging: true); + } + + internal IXmlEncryptor KeyEncryptor { get; } + + internal IXmlRepository KeyRepository { get; } + public IKey CreateNewKey(DateTimeOffset activationDate, DateTimeOffset expirationDate) { - return CreateNewKey(Guid.NewGuid(), DateTimeOffset.UtcNow, activationDate, expirationDate); + return _internalKeyManager.CreateNewKey( + keyId: Guid.NewGuid(), + creationDate: DateTimeOffset.UtcNow, + activationDate: activationDate, + expirationDate: expirationDate); } - private IKey CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate) + private static string DateTimeOffsetToFilenameSafeString(DateTimeOffset dateTime) { - // - // ... - // ... - // ... - // - // <... parser="{TYPE}" /> - // - // - - // Create the element and make sure it's well-formed. - var encryptorConfiguration = _authenticatedEncryptorConfigurationFactory.CreateNewConfiguration(); - var encryptorElementAsXml = encryptorConfiguration.ToXml(_xmlEncryptor); - CryptoUtil.Assert(!String.IsNullOrEmpty((string)encryptorElementAsXml.Attribute(ReaderAttributeName)), "!String.IsNullOrEmpty((string)encryptorElementAsXml.Attribute(ParserAttributeName))"); - - // Create the element. 
- var keyElement = new XElement(KeyElementName, - new XAttribute(IdAttributeName, keyId), - new XAttribute(VersionAttributeName, 1), - new XElement(CreationDateElementName, creationDate), - new XElement(ActivationDateElementName, activationDate), - new XElement(ExpirationDateElementName, expirationDate), - new XElement(AuthenticatedEncryptorElementName, - encryptorElementAsXml)); - - // Persist it to the underlying repository - string friendlyName = String.Format(CultureInfo.InvariantCulture, "key-{0:D}", keyId); - _xmlRepository.StoreElement(keyElement, friendlyName); - - // And we're done! - return new Key( - keyId: keyId, - creationDate: creationDate, - activationDate: activationDate, - expirationDate: expirationDate, - encryptorConfiguration: encryptorConfiguration); + // similar to the XML format for dates, but with punctuation stripped + return dateTime.UtcDateTime.ToString("yyyyMMddTHHmmssFFFFFFFZ"); } public IReadOnlyCollection GetAllKeys() { - var allElements = _xmlRepository.GetAllElements(); + var allElements = KeyRepository.GetAllElements(); - Dictionary idToKeyMap = new Dictionary(); + // We aggregate all the information we read into three buckets + Dictionary keyIdToKeyMap = new Dictionary(); HashSet revokedKeyIds = null; DateTimeOffset? mostRecentMassRevocationDate = null; 
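Review bot: Both constructors accept a missing `IXmlEncryptor` silently (`KeyEncryptor = services.GetService(); // optional`), and nothing in this hunk tells the operator that no key encryptor is configured. The persistence code is outside the hunk, but presumably key material then reaches the repository without encryption at rest. I would log it once at construction, after `_logger` is assigned: `if (KeyEncryptor == null && _logger.IsWarningLevelEnabled()) { _logger.LogWarning("No XML encryptor configured; keys may be persisted unencrypted."); }`. Separately, `DateTimeOffsetToFilenameSafeString` formats with the current culture, so a non-Gregorian default calendar changes the `yyyy` part. Pass `CultureInfo.InvariantCulture` as the second argument to `ToString`; the file already imports `System.Globalization`.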
@@ -106,149 +129,344 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (element.Name == KeyElementName) { - var thisKey = ParseKeyElement(element); - if (idToKeyMap.ContainsKey(thisKey.KeyId)) + // ProcessKeyElement can return null in the case of failure, and if this happens we'll move on. + // Still need to throw if we see duplicate keys with the same id. + Key key = ProcessKeyElement(element); + if (key != null) { - throw CryptoUtil.Fail("TODO: Duplicate key."); + if (keyIdToKeyMap.ContainsKey(key.KeyId)) + { + throw Error.XmlKeyManager_DuplicateKey(key.KeyId); + } + keyIdToKeyMap[key.KeyId] = key; } - idToKeyMap.Add(thisKey.KeyId, thisKey); } else if (element.Name == RevocationElementName) { - object revocationInfo = ParseRevocationElement(element); - DateTimeOffset? revocationInfoAsDate = revocationInfo as DateTimeOffset?; - if (revocationInfoAsDate != null) + object revocationInfo = ProcessRevocationElement(element); + if (revocationInfo is Guid) { - // We're revoking all keys created on or after a specific date. - if (!mostRecentMassRevocationDate.HasValue || mostRecentMassRevocationDate < revocationInfoAsDate) - { - // This new value is the most recent mass revocation date. 
- mostRecentMassRevocationDate = revocationInfoAsDate; - } - } - else - { - // We're revoking only a specific key + // a single key was revoked if (revokedKeyIds == null) { revokedKeyIds = new HashSet(); } revokedKeyIds.Add((Guid)revocationInfo); } + else + { + // all keys as of a certain date were revoked + DateTimeOffset thisMassRevocationDate = (DateTimeOffset)revocationInfo; + if (!mostRecentMassRevocationDate.HasValue || mostRecentMassRevocationDate < thisMassRevocationDate) + { + mostRecentMassRevocationDate = thisMassRevocationDate; + } + } } else { - throw CryptoUtil.Fail("TODO: Unknown element."); - } - } - - // Now process all revocations - if (revokedKeyIds != null || mostRecentMassRevocationDate.HasValue) - { - foreach (Key key in idToKeyMap.Values) - { - if ((revokedKeyIds != null && revokedKeyIds.Contains(key.KeyId)) - || (mostRecentMassRevocationDate.HasValue && mostRecentMassRevocationDate >= key.CreationDate)) + // Skip unknown elements. + if (_logger.IsWarningLevelEnabled()) { - key.SetRevoked(); + _logger.LogWarning("Unknown element with name '{0}' found in keyring, skipping.", element.Name); } } } - // And we're done! - return idToKeyMap.Values.ToArray(); + // Apply individual revocations + if (revokedKeyIds != null) + { + foreach (Guid revokedKeyId in revokedKeyIds) + { + Key key; + keyIdToKeyMap.TryGetValue(revokedKeyId, out key); + if (key != null) + { + key.SetRevoked(); + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Marked key '{0:D}' as revoked in the keyring.", revokedKeyId); + } + } + else + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("Tried to process revocation of key '{0:D}', but no such key was found in keyring. 
Skipping.", revokedKeyId); + } + } + } + } + + // Apply mass revocations + if (mostRecentMassRevocationDate.HasValue) + { + foreach (var key in keyIdToKeyMap.Values) + { + if (key.CreationDate <= mostRecentMassRevocationDate) + { + key.SetRevoked(); + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Marked key '{0:D}' as revoked in the keyring.", key.KeyId); + } + } + } + } + + // And we're finished! + return keyIdToKeyMap.Values.ToList().AsReadOnly(); } - private Key ParseKeyElement(XElement keyElement) + public CancellationToken GetCacheExpirationToken() + { + return Interlocked.CompareExchange(ref _cacheExpirationTokenSource, null, null).Token; + } + + private Key ProcessKeyElement(XElement keyElement) { Debug.Assert(keyElement.Name == KeyElementName); - int version = (int)keyElement.Attribute(VersionAttributeName); - CryptoUtil.Assert(version == 1, "TODO: version == 1"); + try + { + // Read metadata + Guid keyId = (Guid)keyElement.Attribute(IdAttributeName); + DateTimeOffset creationDate = (DateTimeOffset)keyElement.Element(CreationDateElementName); + DateTimeOffset activationDate = (DateTimeOffset)keyElement.Element(ActivationDateElementName); + DateTimeOffset expirationDate = (DateTimeOffset)keyElement.Element(ExpirationDateElementName); - XElement encryptorConfigurationAsXml = keyElement.Element(AuthenticatedEncryptorElementName).Elements().Single(); - string encryptorConfigurationParserTypeName = (string)encryptorConfigurationAsXml.Attribute(ReaderAttributeName); - Type encryptorConfigurationParserType = Type.GetType(encryptorConfigurationParserTypeName, throwOnError: true); - CryptoUtil.Assert(typeof(IAuthenticatedEncryptorConfigurationXmlReader).IsAssignableFrom(encryptorConfigurationParserType), - "TODO: typeof(IAuthenticatedEncryptorConfigurationXmlReader).IsAssignableFrom(encryptorConfigurationParserType)"); + // Figure out who will be deserializing this + XElement descriptorElement = keyElement.Element(DescriptorElementName); + string 
descriptorDeserializerTypeName = (string)descriptorElement.Attribute(DeserializerTypeAttributeName); - var parser = (IAuthenticatedEncryptorConfigurationXmlReader)ActivatorUtilities.CreateInstance(_serviceProvider, encryptorConfigurationParserType); - var encryptorConfiguration = parser.FromXml(encryptorConfigurationAsXml); + // Decrypt the descriptor element and pass it to the descriptor for consumption + XElement unencryptedInputToDeserializer = descriptorElement.Elements().Single().DecryptElement(_activator); + var deserializerInstance = _activator.CreateInstance(descriptorDeserializerTypeName); + var descriptorInstance = deserializerInstance.ImportFromXml(unencryptedInputToDeserializer); - Guid keyId = (Guid)keyElement.Attribute(IdAttributeName); - DateTimeOffset creationDate = (DateTimeOffset)keyElement.Element(CreationDateElementName); - DateTimeOffset activationDate = (DateTimeOffset)keyElement.Element(ActivationDateElementName); - DateTimeOffset expirationDate = (DateTimeOffset)keyElement.Element(ExpirationDateElementName); + // Finally, create the Key instance + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Found key '{0:D}'.", keyId); + } + return new Key( + keyId: keyId, + creationDate: creationDate, + activationDate: activationDate, + expirationDate: expirationDate, + descriptor: descriptorInstance); + } + catch (Exception ex) + { + // We only write the exception out to the 'debug' log since it could contain sensitive + // information and we don't want to leak it. + if (_logger.IsDebugLevelEnabled()) + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("An exception of type '{0}' occurred while processing the key element '{1}', so the key will not be included in the keyring." 
+ Environment.NewLine + + "Full details of the exception will be written to the 'Debug' log.", + ex.GetType().FullName, keyElement.WithoutChildNodes()); + } + _logger.LogDebug(ex, "An exception occurred while processing the key element '{0}'.", keyElement); + } + else + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("An exception of type '{0}' occurred while processing the key element '{1}', so the key will not be included in the keyring." + Environment.NewLine + + "To prevent accidental disclosure of sensitive information the full exception details are not being logged. To enable logging full exception details, enable 'Debug' level logging for this provider.", + ex.GetType().FullName, keyElement.WithoutChildNodes()); + } + } - return new Key( - keyId: keyId, - creationDate: creationDate, - activationDate: activationDate, - expirationDate: expirationDate, - encryptorConfiguration: encryptorConfiguration); + // If an error occurs, we just skip this key. + return null; + } } // returns a Guid (for specific keys) or a DateTimeOffset (for all keys created on or before a specific date) - private object ParseRevocationElement(XElement revocationElement) + private object ProcessRevocationElement(XElement revocationElement) { Debug.Assert(revocationElement.Name == RevocationElementName); - string keyIdAsString = revocationElement.Element(KeyElementName).Attribute(IdAttributeName).Value; - if (keyIdAsString == "*") + try { - // all keys - return (DateTimeOffset)revocationElement.Element(RevocationDateElementName); + string keyIdAsString = (string)revocationElement.Element(KeyElementName).Attribute(IdAttributeName); + if (keyIdAsString == RevokeAllKeysValue) + { + // this is a mass revocation of all keys as of the specified revocation date + DateTimeOffset massRevocationDate = (DateTimeOffset)revocationElement.Element(RevocationDateElementName); + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Found revocation of all keys created prior to 
{0:u}.", massRevocationDate); + } + return massRevocationDate; + } + else + { + // only one key is being revoked + Guid keyId = XmlConvert.ToGuid(keyIdAsString); + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Found revocation of key '{0:D}'.", keyId); + } + return keyId; + } } - else + catch (Exception ex) { - // only one key - return new Guid(keyIdAsString); + // Any exceptions that occur are fatal - we don't want to continue if we cannot process + // revocation information. + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError(ex, "An exception occurred while processing the revocation element '{0}'. Cannot continue keyring processing.", revocationElement); + } + throw; } } public void RevokeAllKeys(DateTimeOffset revocationDate, string reason = null) { - // + // // ... + // // // ... // + if (_logger.IsInformationLevelEnabled()) + { + _logger.LogInformation("Revoking all keys as of {0:u} for reason '{1}'.", revocationDate, reason); + } + + var revocationElement = new XElement(RevocationElementName, + new XAttribute(VersionAttributeName, 1), + new XElement(RevocationDateElementName, revocationDate), + new XComment(" All keys created before the revocation date are revoked. 
"), + new XElement(KeyElementName, + new XAttribute(IdAttributeName, RevokeAllKeysValue)), + new XElement(ReasonElementName, reason)); + + // Persist it to the underlying repository and trigger the cancellation token + string friendlyName = "revocation-" + DateTimeOffsetToFilenameSafeString(revocationDate); + KeyRepository.StoreElement(revocationElement, friendlyName); + TriggerAndResetCacheExpirationToken(); + } + + public void RevokeKey(Guid keyId, string reason = null) + { + _internalKeyManager.RevokeSingleKey( + keyId: keyId, + revocationDate: DateTimeOffset.UtcNow, + reason: reason); + } + + private void TriggerAndResetCacheExpirationToken([CallerMemberName] string opName = null, bool suppressLogging = false) + { + if (!suppressLogging && _logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Key cache expiration token triggered by '{0}' operation.", opName); + } + + Interlocked.Exchange(ref _cacheExpirationTokenSource, new CancellationTokenSource())?.Cancel(); + } + + IKey IInternalXmlKeyManager.CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate) + { + // + // ... + // ... + // ... + // + // ... + // + // + + if (_logger.IsInformationLevelEnabled()) + { + _logger.LogInformation("Creating key {0:D} with creation date {1:u}, activation date {2:u}, and expiration date {3:u}.", keyId, creationDate, activationDate, expirationDate); + } + + var newDescriptor = _authenticatedEncryptorConfiguration.CreateNewDescriptor() + ?? 
CryptoUtil.Fail("CreateNewDescriptor returned null."); + var descriptorXmlInfo = newDescriptor.ExportToXml(); + + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Descriptor deserializer type for key {0:D} is {1}.", keyId, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName); + } + + // build the element + var keyElement = new XElement(KeyElementName, + new XAttribute(IdAttributeName, keyId), + new XAttribute(VersionAttributeName, 1), + new XElement(CreationDateElementName, creationDate), + new XElement(ActivationDateElementName, activationDate), + new XElement(ExpirationDateElementName, expirationDate), + new XElement(DescriptorElementName, + new XAttribute(DeserializerTypeAttributeName, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName), + descriptorXmlInfo.SerializedDescriptorElement)); + + // If key escrow policy is in effect, write the *unencrypted* key now. + if (_logger.IsVerboseLevelEnabled()) + { + if (_keyEscrowSink != null) + { + _logger.LogVerbose("Key escrow sink found. Writing key {0:D} to escrow.", keyId); + } + else + { + _logger.LogVerbose("No key escrow sink found. Not writing key {0:D} to escrow.", keyId); + } + } + _keyEscrowSink?.Store(keyId, keyElement); + + // If an XML encryptor has been configured, protect secret key material now. + if (KeyEncryptor == null && _logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("No XML encryptor configured. Key {0:D} may be persisted to storage in unencrypted form.", keyId); + } + var possiblyEncryptedKeyElement = KeyEncryptor?.EncryptIfNecessary(keyElement) ?? keyElement; + + // Persist it to the underlying repository and trigger the cancellation token. + string friendlyName = String.Format(CultureInfo.InvariantCulture, "key-{0:D}", keyId); + KeyRepository.StoreElement(possiblyEncryptedKeyElement, friendlyName); + TriggerAndResetCacheExpirationToken(); + + // And we're done! 
+ return new Key( + keyId: keyId, + creationDate: creationDate, + activationDate: activationDate, + expirationDate: expirationDate, + descriptor: newDescriptor); + } + + void IInternalXmlKeyManager.RevokeSingleKey(Guid keyId, DateTimeOffset revocationDate, string reason) + { + // + // ... + // + // ... + // + + if (_logger.IsInformationLevelEnabled()) + { + _logger.LogInformation("Revoking key {0:D} at {1:u} for reason '{2}'.", keyId, revocationDate, reason); + } + var revocationElement = new XElement(RevocationElementName, new XAttribute(VersionAttributeName, 1), new XElement(RevocationDateElementName, revocationDate), - new XElement(KeyElementName, - new XAttribute(IdAttributeName, "*")), - new XElement(ReasonElementName, reason)); - - // Persist it to the underlying repository - string friendlyName = String.Format(CultureInfo.InvariantCulture, "revocation-{0:X16}", (ulong)revocationDate.UtcTicks); - _xmlRepository.StoreElement(revocationElement, friendlyName); - } - - public void RevokeKey(Guid keyId, string reason = null) - { - RevokeSingleKey(keyId, DateTimeOffset.UtcNow, reason); - } - - private void RevokeSingleKey(Guid keyId, DateTimeOffset utcNow, string reason) - { - // - // ... - // - // ... - // - - var revocationElement = new XElement(RevocationElementName, - new XAttribute(VersionAttributeName, 1), - new XElement(RevocationDateElementName, utcNow), new XElement(KeyElementName, new XAttribute(IdAttributeName, keyId)), new XElement(ReasonElementName, reason)); - // Persist it to the underlying repository + // Persist it to the underlying repository and trigger the cancellation token string friendlyName = String.Format(CultureInfo.InvariantCulture, "revocation-{0:D}", keyId); - _xmlRepository.StoreElement(revocationElement, friendlyName); + KeyRepository.StoreElement(revocationElement, friendlyName); + TriggerAndResetCacheExpirationToken(); } } } 
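Review bot: In ProcessKeyElement's catch block the Debug-level call `_logger.LogDebug(ex, "An exception occurred while processing the key element '{0}'.", keyElement)` writes the entire key element to the log, while both warning messages deliberately log `keyElement.WithoutChildNodes()`. `IInternalXmlKeyManager.CreateNewKey` in this same hunk warns that a key may be persisted unencrypted when no XML encryptor is configured, so in that configuration the element logged here would presumably include the plaintext descriptor and its key material. The exception already carries the failure detail, so I would log the stripped element there as well: `_logger.LogDebug(ex, "An exception occurred while processing the key element '{0}'.", keyElement.WithoutChildNodes());`. Failing that, the comment above the branch should say that the element, not only the exception, can hold secrets.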
diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs
new file mode 100644
index 0000000000..ee7735fe2f
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs
@@ -0,0 +1,86 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Runtime.CompilerServices;
+using Microsoft.Framework.Logging.Internal;
+
+namespace Microsoft.Framework.Logging
+{
+ ///
+ /// Helpful extension methods on ILogger.
+ ///
+ internal static class LoggingExtensions
+ {
+ ///
+ /// Returns a value stating whether the 'debug' log level is enabled.
+ /// Returns false if the logger instance is null.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static bool IsDebugLevelEnabled(this ILogger logger)
+ {
+ return IsLogLevelEnabledCore(logger, LogLevel.Debug);
+ }
+
+ ///
+ /// Returns a value stating whether the 'error' log level is enabled.
+ /// Returns false if the logger instance is null.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static bool IsErrorLevelEnabled(this ILogger logger)
+ {
+ return IsLogLevelEnabledCore(logger, LogLevel.Error);
+ }
+
+ ///
+ /// Returns a value stating whether the 'information' log level is enabled.
+ /// Returns false if the logger instance is null.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static bool IsInformationLevelEnabled(this ILogger logger)
+ {
+ return IsLogLevelEnabledCore(logger, LogLevel.Information);
+ }
+
+ ///
+ /// Returns a value stating whether the 'verbose' log level is enabled.
+ /// Returns false if the logger instance is null.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static bool IsVerboseLevelEnabled(this ILogger logger)
+ {
+ return IsLogLevelEnabledCore(logger, LogLevel.Verbose);
+ }
+
+ ///
+ /// Returns a value stating whether the 'warning' log level is enabled.
+ /// Returns false if the logger instance is null.
+ ///
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ public static bool IsWarningLevelEnabled(this ILogger logger)
+ {
+ return IsLogLevelEnabledCore(logger, LogLevel.Warning);
+ }
+
+ [MethodImpl(MethodImplOptions.AggressiveInlining)]
+ private static bool IsLogLevelEnabledCore(ILogger logger, LogLevel level)
+ {
+ return (logger != null && logger.IsEnabled(level));
+ }
+
+ public static void LogDebug(this ILogger logger, Exception error, string message, params object[] args)
+ {
+ logger.LogDebug(new FormattedLogValues(message, args), error);
+ }
+
+ public static void LogError(this ILogger logger, Exception error, string message, params object[] args)
+ {
+ logger.LogError(new FormattedLogValues(message, args), error);
+ }
+
+ public static void LogWarning(this ILogger logger, Exception error, string message, params object[] args)
+ {
+ logger.LogWarning(new FormattedLogValues(message, args), error);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs
new file mode 100644
index 0000000000..4b9f05ec59
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs
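Review bot: The three `LogDebug`/`LogError`/`LogWarning` overloads at the end of LoggingExtensions.cs dereference `logger` with no null check and have no doc comment, while every `Is*LevelEnabled` helper above them documents a null logger as a supported state. XmlKeyManager in this commit marks its logger as not required and tests the level before each call, so these overloads are safe only by that calling convention. I would state the precondition on each one, e.g. `/// Logs at 'debug' level with exception details; logger must be non-null, so check IsDebugLevelEnabled first.`, so a later unguarded call is not written by mistake.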
@@ -0,0 +1,26 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Logging; + +namespace System +{ + /// + /// Helpful extension methods on IServiceProvider. + /// + internal static class LoggingServiceProviderExtensions + { + /// + /// Retrieves an instance of ILogger given the type name of the caller. + /// The caller's type name is used as the name of the ILogger created. + /// This method returns null if the IServiceProvider is null or if it + /// does not contain a registered ILoggerFactory. + /// + public static ILogger GetLogger(this IServiceProvider services) + { + return services?.GetService()?.CreateLogger(); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 687f5002a6..5e67f3ac07 100644 --- a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -26,13 +26,6 @@ namespace Microsoft.AspNet.DataProtection.Managed // probability of collision, and this is acceptable for the expected KDK lifetime. private const int KEY_MODIFIER_SIZE_IN_BYTES = 128 / 8; - // Our analysis re: IV collision resistance only holds if we're working with block ciphers - // with a block length of 64 bits or greater. - internal const int SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES = 64 / 8; - - // Min security bar: authentication tag must have at least 128 bits of output. - internal const int HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES = 128 / 8; - private static readonly Func _kdkPrfFactory = key => new HMACSHA512(key); // currently hardcoded to SHA512 private readonly byte[] _contextHeader; 
@@ -47,9 +40,6 @@ namespace Microsoft.AspNet.DataProtection.Managed public ManagedAuthenticatedEncryptor(Secret keyDerivationKey, Func symmetricAlgorithmFactory, int symmetricAlgorithmKeySizeInBytes, Func validationAlgorithmFactory, IManagedGenRandom genRandom = null) { - CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES, - "KEY_MODIFIER_SIZE_IN_BYTES <= symmetricAlgorithmKeySizeInBytes && symmetricAlgorithmKeySizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); - _genRandom = genRandom ?? ManagedGenRandomImpl.Instance; _keyDerivationKey = keyDerivationKey; 
@@ -69,14 +59,10 @@ namespace Microsoft.AspNet.DataProtection.Managed _validationAlgorithmSubkeyLengthInBytes = _validationAlgorithmDigestLengthInBytes; // for simplicity we'll generate MAC subkeys with a length equal to the digest length } - CryptoUtil.Assert(SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES, - "SYMMETRIC_ALG_MIN_BLOCK_SIZE_IN_BYTES <= _symmetricAlgorithmBlockSizeInBytes && _symmetricAlgorithmBlockSizeInBytes <= Constants.MAX_STACKALLOC_BYTES"); - - CryptoUtil.Assert(HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _validationAlgorithmDigestLengthInBytes, - "HASH_ALG_MIN_DIGEST_LENGTH_IN_BYTES <= _validationAlgorithmDigestLengthInBytes"); - - CryptoUtil.Assert(KEY_MODIFIER_SIZE_IN_BYTES <= _validationAlgorithmSubkeyLengthInBytes && _validationAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES, - "KEY_MODIFIER_SIZE_IN_BYTES <= _validationAlgorithmSubkeyLengthInBytes && _validationAlgorithmSubkeyLengthInBytes <= Constants.MAX_STACKALLOC_BYTES"); + // Argument checking on the algorithms and lengths passed in to us + AlgorithmAssert.IsAllowableSymmetricAlgorithmBlockSize(checked((uint)_symmetricAlgorithmBlockSizeInBytes * 8)); + AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked((uint)_symmetricAlgorithmSubkeyLengthInBytes * 8)); + AlgorithmAssert.IsAllowableValidationAlgorithmDigestSize(checked((uint)_validationAlgorithmDigestLengthInBytes * 8)); _contextHeader = CreateContextHeader(); } diff --git a/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs index 2be0be5db0..6171796765 100644 --- a/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs +++ b/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs 
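Review bot: The removed asserts capped the block size and the MAC subkey length at `Constants.MAX_STACKALLOC_BYTES`, and the replacement `AlgorithmAssert` calls no longer mention that constant, so the tie between the accepted sizes and any stack buffers sized from them is now implicit. The resource strings added in this commit give 2048 bits as the upper limit, which matches the old guard only if 256 bytes does not exceed MAX_STACKALLOC_BYTES; neither AlgorithmAssert nor the constant is visible here. I would record the dependency next to the calls with a comment such as `// AlgorithmAssert upper bounds must stay <= Constants.MAX_STACKALLOC_BYTES * 8 bits (presumably these lengths size stack buffers; confirm).`. The constructor begins outside this hunk.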
@@ -8,7 +8,7 @@ using Microsoft.AspNet.Cryptography; namespace Microsoft.AspNet.DataProtection { /// - /// Support for generating random data. + /// Wrappers around CryptProtectMemory / CryptUnprotectMemory. /// internal unsafe static class MemoryProtection { diff --git a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs index c262afe4c7..68aea95cb4 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs @@ -6,3 +6,4 @@ using System.Runtime.CompilerServices; // for unit testing [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] diff --git a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs index 563030c9b4..fad1928f16 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs @@ -107,7 +107,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key {0:B} was not found in the keyring. + /// The key '{0:D}' was not found in the key ring. /// internal static string Common_KeyNotFound { @@ -115,7 +115,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key {0:B} was not found in the keyring. + /// The key '{0:D}' was not found in the key ring. /// internal static string FormatCommon_KeyNotFound() { @@ -123,7 +123,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key {0:B} has been revoked. + /// The key '{0:D}' has been revoked. /// internal static string Common_KeyRevoked { @@ -131,7 +131,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key {0:B} has been revoked. + /// The key '{0:D}' has been revoked. /// internal static string FormatCommon_KeyRevoked() { 
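Review bot: The added `[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")]` in AssemblyInfo.cs sits under the `// for unit testing` comment but ships in the product assembly and names no public key. DynamicProxyGenAssembly2 is the assembly Castle DynamicProxy emits for mocks, so the intent is presumably to mock internal interfaces in tests. Without a key, and if this assembly is not strong-named, any assembly with that simple name can see the internals of a cryptographic library. InternalsVisibleTo is not a security boundary, but I would document the reason on the line, `// lets Castle DynamicProxy (mocking) implement internal interfaces in tests`, and pin the friend assembly's public key once this assembly is signed.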
@@ -139,35 +139,35 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The provided payload was not protected with this protection provider. + /// The provided payload cannot be decrypted because it was not protected with this protection provider. /// - internal static string Common_NotAValidProtectedPayload + internal static string ProtectionProvider_BadMagicHeader { - get { return GetString("Common_NotAValidProtectedPayload"); } + get { return GetString("ProtectionProvider_BadMagicHeader"); } } /// - /// The provided payload was not protected with this protection provider. + /// The provided payload cannot be decrypted because it was not protected with this protection provider. /// - internal static string FormatCommon_NotAValidProtectedPayload() + internal static string FormatProtectionProvider_BadMagicHeader() { - return GetString("Common_NotAValidProtectedPayload"); + return GetString("ProtectionProvider_BadMagicHeader"); } /// - /// The protected payload cannot be decrypted because it was protected with a newer version of the protection provider. + /// The provided payload cannot be decrypted because it was protected with a newer version of the protection provider. /// - internal static string Common_PayloadProducedByNewerVersion + internal static string ProtectionProvider_BadVersion { - get { return GetString("Common_PayloadProducedByNewerVersion"); } + get { return GetString("ProtectionProvider_BadVersion"); } } /// - /// The protected payload cannot be decrypted because it was protected with a newer version of the protection provider. + /// The provided payload cannot be decrypted because it was protected with a newer version of the protection provider. /// - internal static string FormatCommon_PayloadProducedByNewerVersion() + internal static string FormatProtectionProvider_BadVersion() { - return GetString("Common_PayloadProducedByNewerVersion"); + return GetString("ProtectionProvider_BadVersion"); } /// 
@@ -187,19 +187,195 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The purposes array cannot be null or empty and cannot contain null or empty elements. + /// Value must be non-negative. /// - internal static string DataProtectionExtensions_NullPurposesArray + internal static string Common_ValueMustBeNonNegative { - get { return GetString("DataProtectionExtensions_NullPurposesArray"); } + get { return GetString("Common_ValueMustBeNonNegative"); } } /// - /// The purposes array cannot be null or empty and cannot contain null or empty elements. + /// Value must be non-negative. /// - internal static string FormatDataProtectionExtensions_NullPurposesArray() + internal static string FormatCommon_ValueMustBeNonNegative() { - return GetString("DataProtectionExtensions_NullPurposesArray"); + return GetString("Common_ValueMustBeNonNegative"); + } + + /// + /// The type '{1}' is not assignable to '{0}'. + /// + internal static string TypeExtensions_BadCast + { + get { return GetString("TypeExtensions_BadCast"); } + } + + /// + /// The type '{1}' is not assignable to '{0}'. + /// + internal static string FormatTypeExtensions_BadCast(object p0, object p1) + { + return string.Format(CultureInfo.CurrentCulture, GetString("TypeExtensions_BadCast"), p0, p1); + } + + /// + /// The default new key lifetime must be at least one week. + /// + internal static string KeyLifetimeOptions_MinNewKeyLifetimeViolated + { + get { return GetString("KeyLifetimeOptions_MinNewKeyLifetimeViolated"); } + } + + /// + /// The default new key lifetime must be at least one week. + /// + internal static string FormatKeyLifetimeOptions_MinNewKeyLifetimeViolated() + { + return GetString("KeyLifetimeOptions_MinNewKeyLifetimeViolated"); + } + + /// + /// The key '{0:D}' already exists in the keyring. + /// + internal static string XmlKeyManager_DuplicateKey + { + get { return GetString("XmlKeyManager_DuplicateKey"); } + } + + /// + /// The key '{0:D}' already exists in the keyring. 
+ /// + internal static string FormatXmlKeyManager_DuplicateKey() + { + return GetString("XmlKeyManager_DuplicateKey"); + } + + /// + /// Argument cannot be null or empty. + /// + internal static string Common_ArgumentCannotBeNullOrEmpty + { + get { return GetString("Common_ArgumentCannotBeNullOrEmpty"); } + } + + /// + /// Argument cannot be null or empty. + /// + internal static string FormatCommon_ArgumentCannotBeNullOrEmpty() + { + return GetString("Common_ArgumentCannotBeNullOrEmpty"); + } + + /// + /// Property {0} must have a non-negative value. + /// + internal static string Common_PropertyMustBeNonNegative + { + get { return GetString("Common_PropertyMustBeNonNegative"); } + } + + /// + /// Property {0} must have a non-negative value. + /// + internal static string FormatCommon_PropertyMustBeNonNegative(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("Common_PropertyMustBeNonNegative"), p0); + } + + /// + /// GCM algorithms require the Windows platform. + /// + internal static string Platform_WindowsRequiredForGcm + { + get { return GetString("Platform_WindowsRequiredForGcm"); } + } + + /// + /// GCM algorithms require the Windows platform. + /// + internal static string FormatPlatform_WindowsRequiredForGcm() + { + return GetString("Platform_WindowsRequiredForGcm"); + } + + /// + /// A certificate with the thumbprint '{0}' could not be found. + /// + internal static string CertificateXmlEncryptor_CertificateNotFound + { + get { return GetString("CertificateXmlEncryptor_CertificateNotFound"); } + } + + /// + /// A certificate with the thumbprint '{0}' could not be found. + /// + internal static string FormatCertificateXmlEncryptor_CertificateNotFound(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("CertificateXmlEncryptor_CertificateNotFound"), p0); + } + + /// + /// Decrypting EncryptedXml-encapsulated payloads is not yet supported on Core CLR. 
+ /// + internal static string EncryptedXmlDecryptor_DoesNotWorkOnCoreClr + { + get { return GetString("EncryptedXmlDecryptor_DoesNotWorkOnCoreClr"); } + } + + /// + /// Decrypting EncryptedXml-encapsulated payloads is not yet supported on Core CLR. + /// + internal static string FormatEncryptedXmlDecryptor_DoesNotWorkOnCoreClr() + { + return GetString("EncryptedXmlDecryptor_DoesNotWorkOnCoreClr"); + } + + /// + /// The symmetric algorithm block size of {0} bits is invalid. The block size must be between 64 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + /// + internal static string AlgorithmAssert_BadBlockSize + { + get { return GetString("AlgorithmAssert_BadBlockSize"); } + } + + /// + /// The symmetric algorithm block size of {0} bits is invalid. The block size must be between 64 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + /// + internal static string FormatAlgorithmAssert_BadBlockSize(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadBlockSize"), p0); + } + + /// + /// The validation algorithm digest size of {0} bits is invalid. The digest size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + /// + internal static string AlgorithmAssert_BadDigestSize + { + get { return GetString("AlgorithmAssert_BadDigestSize"); } + } + + /// + /// The validation algorithm digest size of {0} bits is invalid. The digest size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + /// + internal static string FormatAlgorithmAssert_BadDigestSize(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadDigestSize"), p0); + } + + /// + /// The symmetric algorithm key size of {0} bits is invalid. The key size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. 
+ /// + internal static string AlgorithmAssert_BadKeySize + { + get { return GetString("AlgorithmAssert_BadKeySize"); } + } + + /// + /// The symmetric algorithm key size of {0} bits is invalid. The key size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + /// + internal static string FormatAlgorithmAssert_BadKeySize(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadKeySize"), p0); } private static string GetString(string name, params string[] formatterNames) diff --git a/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs new file mode 100644 index 0000000000..c4b2bfb703 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs 
@@ -0,0 +1,149 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Globalization; +using System.Linq; +using System.Reflection; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Win32; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// A type which allows reading policy from the system registry. + /// + internal sealed class RegistryPolicyResolver + { + private readonly RegistryKey _policyRegKey; + + internal RegistryPolicyResolver(RegistryKey policyRegKey) + { + _policyRegKey = policyRegKey; + } + + // populates an options object from values stored in the registry + private static void PopulateOptions(object options, RegistryKey key) + { + foreach (PropertyInfo propInfo in options.GetType().GetProperties()) + { + if (propInfo.IsDefined(typeof(ApplyPolicyAttribute))) + { + object valueFromRegistry = key.GetValue(propInfo.Name); + if (valueFromRegistry != null) + { + if (propInfo.PropertyType == typeof(string)) + { + propInfo.SetValue(options, Convert.ToString(valueFromRegistry, CultureInfo.InvariantCulture)); + } + else if (propInfo.PropertyType == typeof(int)) + { + propInfo.SetValue(options, Convert.ToInt32(valueFromRegistry, CultureInfo.InvariantCulture)); + } + else if (propInfo.PropertyType == typeof(Type)) + { + propInfo.SetValue(options, Type.GetType(Convert.ToString(valueFromRegistry, CultureInfo.InvariantCulture), throwOnError: true)); + } + else + { + throw CryptoUtil.Fail("Unexpected type on property: " + propInfo.Name); + } + } + } + } + } + + private static List ReadKeyEscrowSinks(RegistryKey key) + { + List sinks = new List(); + + // The format of this key is "type1; type2; 
...". + // We call Type.GetType to perform an eager check that the type exists. + string sinksFromRegistry = (string)key.GetValue("KeyEscrowSinks"); + if (sinksFromRegistry != null) + { + foreach (string sinkFromRegistry in sinksFromRegistry.Split(';')) + { + string candidate = sinkFromRegistry.Trim(); + if (!String.IsNullOrEmpty(candidate)) + { + typeof(IKeyEscrowSink).AssertIsAssignableFrom(Type.GetType(candidate, throwOnError: true)); + sinks.Add(candidate); + } + } + } + + return sinks; + } + + /// + /// Returns a object from the default registry location. + /// + public static ServiceDescriptor[] ResolveDefaultPolicy() + { + RegistryKey subKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNet.DataProtection"); + if (subKey != null) + { + using (subKey) + { + return new RegistryPolicyResolver(subKey).ResolvePolicy(); + } + } + else + { + return new ServiceDescriptor[0]; + } + } + + internal ServiceDescriptor[] ResolvePolicy() + { + return ResolvePolicyCore().ToArray(); // fully evaluate enumeration while the reg key is open + } + + private IEnumerable ResolvePolicyCore() + { + // Read the encryption options type: CNG-CBC, CNG-GCM, Managed + IInternalAuthenticatedEncryptionOptions options = null; + string encryptionType = (string)_policyRegKey.GetValue("EncryptionType"); + if (String.Equals(encryptionType, "CNG-CBC", StringComparison.OrdinalIgnoreCase)) + { + options = new CngCbcAuthenticatedEncryptionOptions(); + } + else if (String.Equals(encryptionType, "CNG-GCM", StringComparison.OrdinalIgnoreCase)) + { + options = new CngGcmAuthenticatedEncryptionOptions(); + } + else if (String.Equals(encryptionType, "Managed", StringComparison.OrdinalIgnoreCase)) + { + options = new ManagedAuthenticatedEncryptionOptions(); + } + else if (!String.IsNullOrEmpty(encryptionType)) + { + throw CryptoUtil.Fail("Unrecognized EncryptionType: " + encryptionType); + } + if (options != null) + { + PopulateOptions(options, _policyRegKey); + yield 
return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromOptions(options); + } + + // Read ancillary data + + int? defaultKeyLifetime = (int?)_policyRegKey.GetValue("DefaultKeyLifetime"); + if (defaultKeyLifetime.HasValue) + { + yield return DataProtectionServiceDescriptors.ConfigureOptions_DefaultKeyLifetime(defaultKeyLifetime.Value); + } + + var keyEscrowSinks = ReadKeyEscrowSinks(_policyRegKey); + foreach (var keyEscrowSink in keyEscrowSinks) + { + yield return DataProtectionServiceDescriptors.IKeyEscrowSink_FromTypeName(keyEscrowSink); + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs new file mode 100644 index 0000000000..46e993e979 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs 
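Review bot: `ResolvePolicyCore` and `ReadKeyEscrowSinks` unbox registry values with hard casts (`(int?)_policyRegKey.GetValue("DefaultKeyLifetime")`, `(string)key.GetValue("KeyEscrowSinks")`), so a value stored with a different registry type surfaces as an `InvalidCastException` rather than a policy error, while `PopulateOptions` in the same file goes through `Convert`. Reading the lifetime the same way keeps the file consistent: `object lifetime = _policyRegKey.GetValue("DefaultKeyLifetime");` followed by `if (lifetime != null) { yield return DataProtectionServiceDescriptors.ConfigureOptions_DefaultKeyLifetime(Convert.ToInt32(lifetime, CultureInfo.InvariantCulture)); }`. Separately, strings read here are handed to `Type.GetType(..., throwOnError: true)`, and `PopulateOptions` does not check what the resolved type is assignable to the way `ReadKeyEscrowSinks` does. A class comment such as `// Policy values name types that are resolved and loaded by this class; the policy key must be writable by administrators only.` would record that trust assumption.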
@@ -0,0 +1,59 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Xml.Linq; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; + +namespace Microsoft.AspNet.DataProtection.Repositories +{ + /// + /// An ephemeral XML repository backed by process memory. This class must not be used for + /// anything other than dev scenarios as the keys will not be persisted to storage. + /// + internal class EphemeralXmlRepository : IXmlRepository + { + private readonly List _storedElements = new List(); + + public EphemeralXmlRepository(IServiceProvider services) + { + var logger = services?.GetLogger(); + if (logger.IsWarningLevelEnabled()) + { + logger.LogWarning("Using an in-memory repository. Keys will not be persisted to storage."); + } + } + + public virtual IReadOnlyCollection GetAllElements() + { + // force complete enumeration under lock to avoid races + lock (_storedElements) + { + return GetAllElementsCore().ToList().AsReadOnly(); + } + } + + private IEnumerable GetAllElementsCore() + { + // this method must be called under lock + foreach (XElement element in _storedElements) + { + yield return new XElement(element); // makes a deep copy so caller doesn't inadvertently modify it + } + } + + public virtual void StoreElement([NotNull] XElement element, string friendlyName) + { + XElement cloned = new XElement(element); // makes a deep copy so caller doesn't inadvertently modify it + + // under lock to avoid races + lock (_storedElements) + { + _storedElements.Add(cloned); + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index a5e219e50b..52c1718aa9 100644 
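Review bot: The constructor's warning is the only runtime signal that key material is held in process memory and lost on restart, and it is skipped whenever `services` is null or provides no logger. Since the class comment restricts this repository to dev scenarios, I would state that on the constructor, e.g. `// If no logger is available the 'keys will not be persisted' warning is never emitted; callers that fall back to this repository should report it themselves.` The constructor also relies on `IsWarningLevelEnabled()` accepting a null logger; that extension is not visible here, so it is worth confirming.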
--- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -3,10 +3,11 @@ using System; using System.Collections.Generic; -using System.Globalization; using System.IO; using System.Linq; using System.Xml.Linq; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.Repositories { 
@@ -15,76 +16,190 @@ namespace Microsoft.AspNet.DataProtection.Repositories /// public class FileSystemXmlRepository : IXmlRepository { + private static readonly Lazy _defaultDirectoryLazy = new Lazy(GetDefaultKeyStorageDirectory); + + private readonly ILogger _logger; + + /// + /// Creates a with keys stored at the given directory. + /// + /// The directory in which to persist key material. public FileSystemXmlRepository([NotNull] DirectoryInfo directory) + : this(directory, services: null) { - Directory = directory; } - protected DirectoryInfo Directory + /// + /// Creates a with keys stored at the given directory. + /// + /// The directory in which to persist key material. + /// An optional to provide ancillary services. + public FileSystemXmlRepository([NotNull] DirectoryInfo directory, IServiceProvider services) { - get; - private set; + Directory = directory; + Services = services; + _logger = services?.GetLogger(); + } + + /// + /// The default key storage directory, which currently corresponds to + /// "%LOCALAPPDATA%\ASP.NET\DataProtection-Keys". + /// + /// + /// This property can return null if no suitable default key storage directory can + /// be found, such as the case when the user profile is unavailable. + /// + public static DirectoryInfo DefaultKeyStorageDirectory => _defaultDirectoryLazy.Value; + + /// + /// The directory into which key material will be written. + /// + public DirectoryInfo Directory { get; } + + /// + /// The provided to the constructor. 
+ /// + protected IServiceProvider Services { get; } + + private static DirectoryInfo GetKeyStorageDirectoryFromBaseAppDataPath(string basePath) + { + return new DirectoryInfo(Path.Combine(basePath, "ASP.NET", "DataProtection-Keys")); } public virtual IReadOnlyCollection GetAllElements() { // forces complete enumeration - return GetAllElementsImpl().ToArray(); + return GetAllElementsCore().ToList().AsReadOnly(); } - private IEnumerable GetAllElementsImpl() + private IEnumerable GetAllElementsCore() { Directory.Create(); // won't throw if the directory already exists - // Find all files matching the pattern "{guid}.xml" + // Find all files matching the pattern "*.xml". + // Note: Inability to read any file is considered a fatal error (since the file may contain + // revocation information), and we'll fail the entire operation rather than return a partial + // set of elements. If a file contains well-formed XML but its contents are meaningless, we + // won't fail that operation here. The caller is responsible for failing as appropriate given + // that scenario. foreach (var fileSystemInfo in Directory.EnumerateFileSystemInfos("*.xml", SearchOption.TopDirectoryOnly)) { - string simpleFilename = fileSystemInfo.Name; - if (simpleFilename.EndsWith(".xml", StringComparison.OrdinalIgnoreCase)) - { - simpleFilename = simpleFilename.Substring(0, simpleFilename.Length - ".xml".Length); - } + yield return ReadElementFromFile(fileSystemInfo.FullName); + } + } - Guid unused; - if (Guid.TryParseExact(simpleFilename, "D" /* registry format */, out unused)) - { - XDocument document; - using (var fileStream = File.OpenRead(fileSystemInfo.FullName)) - { - document = XDocument.Load(fileStream); - } + private static DirectoryInfo GetDefaultKeyStorageDirectory() + { +#if !DNXCORE50 + // Environment.GetFolderPath returns null if the user profile isn't loaded. 
+ string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); + if (!String.IsNullOrEmpty(folderPath)) + { + return GetKeyStorageDirectoryFromBaseAppDataPath(folderPath); + } + else + { + return null; + } +#else + // On core CLR, we need to fall back to environment variables. + string folderPath = Environment.GetEnvironmentVariable("LOCALAPPDATA") + ?? Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "AppData", "Local"); - // 'yield return' outside the preceding 'using' block so we don't hold files open longer than necessary - yield return document.Root; + DirectoryInfo retVal = GetKeyStorageDirectoryFromBaseAppDataPath(folderPath); + try + { + retVal.Create(); // throws if we don't have access, e.g., user profile not loaded + return retVal; + } + catch + { + return null; + } +#endif + } + + internal static DirectoryInfo GetKeyStorageDirectoryForAzureWebSites() + { + // Azure Web Sites needs to be treated specially, as we need to store the keys in a + // correct persisted location. We use the existence of the %WEBSITE_INSTANCE_ID% env + // variable to determine if we're running in this environment, and if so we then use + // the %HOME% variable to build up our base key storage path. + if (!String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"))) + { + string homeEnvVar = Environment.GetEnvironmentVariable("HOME"); + if (!String.IsNullOrEmpty(homeEnvVar)) + { + return GetKeyStorageDirectoryFromBaseAppDataPath(homeEnvVar); } } + + // nope + return null; + } + + private static bool IsSafeFilename(string filename) + { + // Must be non-empty and contain only a-zA-Z0-9, hyphen, and underscore. 
+ return (!String.IsNullOrEmpty(filename) && filename.All(c => + c == '-' + || c == '_' + || ('0' <= c && c <= '9') + || ('A' <= c && c <= 'Z') + || ('a' <= c && c <= 'z'))); + } + + private XElement ReadElementFromFile(string fullPath) + { + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Reading data from file '{0}'.", fullPath); + } + + using (var fileStream = File.OpenRead(fullPath)) + { + return XElement.Load(fileStream); + } } public virtual void StoreElement([NotNull] XElement element, string friendlyName) { - // We're going to ignore the friendly name for now and just use a GUID. - StoreElement(element, Guid.NewGuid()); + if (!IsSafeFilename(friendlyName)) + { + string newFriendlyName = Guid.NewGuid().ToString(); + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("The name '{0}' is not a safe file name, using '{1}' instead.", friendlyName, newFriendlyName); + } + friendlyName = newFriendlyName; + } + + StoreElementCore(element, friendlyName); } - private void StoreElement(XElement element, Guid id) + private void StoreElementCore(XElement element, string filename) { // We're first going to write the file to a temporary location. This way, another consumer // won't try reading the file in the middle of us writing it. Additionally, if our process // crashes mid-write, we won't end up with a corrupt .xml file. 
Directory.Create(); // won't throw if the directory already exists - string tempFilename = Path.Combine(Directory.FullName, String.Format(CultureInfo.InvariantCulture, "{0:D}.tmp", id)); - string finalFilename = Path.Combine(Directory.FullName, String.Format(CultureInfo.InvariantCulture, "{0:D}.xml", id)); + string tempFilename = Path.Combine(Directory.FullName, Guid.NewGuid().ToString() + ".tmp"); + string finalFilename = Path.Combine(Directory.FullName, filename + ".xml"); try { using (var tempFileStream = File.OpenWrite(tempFilename)) { - new XDocument(element).Save(tempFileStream); + element.Save(tempFileStream); } // Once the file has been fully written, perform the rename. // Renames are atomic operations on the file systems we support. + if (_logger.IsInformationLevelEnabled()) + { + _logger.LogInformation("Writing data to file '{0}.", finalFilename); + } File.Move(tempFilename, finalFilename); } finally diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs index e5e649594c..b17b395407 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs @@ -28,6 +28,10 @@ namespace Microsoft.AspNet.DataProtection.Repositories /// For instance, if this repository stores XML files on disk, the friendly name may /// be used as part of the file name. Repository implementations are not required to /// observe this parameter even if it has been provided by the caller. + /// + /// The 'friendlyName' parameter must be unique if specified. For instance, it could + /// be the id of the key being stored. + /// void StoreElement(XElement element, string friendlyName); } } diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index a25fc6a3d4..bc42ef4a23 100644 
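Review bot: `IsSafeFilename` accepts any name built from the permitted characters, which includes names Windows reserves for devices (`CON`, `NUL`, `COM1`, ...); appending `.xml` does not turn these into ordinary file names on every Windows version, so such a `friendlyName` may not resolve to a regular file inside the key directory. Treating those names as unsafe sends them down the existing GUID fallback in `StoreElement`, as sketched below; a length bound would be a reasonable addition for the same reason. Unrelated but in the same hunk: under `DNXCORE50`, `Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), ...)` sits outside the `try`, so with both variables unset `DefaultKeyStorageDirectory` throws instead of returning null as its remarks say.

```csharp
private static bool IsSafeFilename(string filename)
{
    // Must be non-empty, must not be a name Windows reserves for a device,
    // and must contain only a-zA-Z0-9, hyphen, and underscore.
    if (String.IsNullOrEmpty(filename) || IsReservedDeviceName(filename))
    {
        return false;
    }

    // … unchanged: return filename.All(...) character allowlist …
}

private static bool IsReservedDeviceName(string filename)
{
    string upper = filename.ToUpperInvariant();
    if (upper == "CON" || upper == "PRN" || upper == "AUX" || upper == "NUL")
    {
        return true;
    }

    // COM0-COM9 and LPT0-LPT9
    return upper.Length == 4
        && (upper.StartsWith("COM", StringComparison.Ordinal) || upper.StartsWith("LPT", StringComparison.Ordinal))
        && '0' <= upper[3] && upper[3] <= '9';
}
```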
--- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -4,10 +4,11 @@ using System; using System.Collections.Generic; using System.Globalization; -using System.IO; using System.Linq; using System.Security.Principal; using System.Xml.Linq; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; using Microsoft.Win32; namespace Microsoft.AspNet.DataProtection.Repositories 
@@ -17,70 +18,96 @@ namespace Microsoft.AspNet.DataProtection.Repositories /// public class RegistryXmlRepository : IXmlRepository { + private static readonly Lazy _defaultRegistryKeyLazy = new Lazy(GetDefaultHklmStorageKey); + + private readonly ILogger _logger; + + /// + /// Creates a with keys stored in the given registry key. + /// + /// The registry key in which to persist key material. public RegistryXmlRepository([NotNull] RegistryKey registryKey) + : this(registryKey, services: null) { - RegistryKey = registryKey; } - protected RegistryKey RegistryKey + /// + /// Creates a with keys stored in the given registry key. + /// + /// The registry key in which to persist key material. + public RegistryXmlRepository([NotNull] RegistryKey registryKey, IServiceProvider services) { - get; - private set; + RegistryKey = registryKey; + Services = services; + _logger = services?.GetLogger(); } + /// + /// The default key storage directory, which currently corresponds to + /// "HKLM\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{SID}". + /// + /// + /// This property can return null if no suitable default registry key can + /// be found, such as the case when this application is not hosted inside IIS. + /// + public static RegistryKey DefaultRegistryKey => _defaultRegistryKeyLazy.Value; + + /// + /// The registry key into which key material will be written. + /// + public RegistryKey RegistryKey { get; } + + /// + /// The provided to the constructor. 
+ /// + protected IServiceProvider Services { get; } + public virtual IReadOnlyCollection GetAllElements() { // forces complete enumeration - return GetAllElementsImpl().ToArray(); + return GetAllElementsCore().ToList().AsReadOnly(); } - private IEnumerable GetAllElementsImpl() + private IEnumerable GetAllElementsCore() { - string[] allValueNames = RegistryKey.GetValueNames(); - foreach (var valueName in allValueNames) - { - string thisValue = RegistryKey.GetValue(valueName) as string; - if (!String.IsNullOrEmpty(thisValue)) - { - XDocument document; - using (var textReader = new StringReader(thisValue)) - { - document = XDocument.Load(textReader); - } + // Note: Inability to parse any value is considered a fatal error (since the value may contain + // revocation information), and we'll fail the entire operation rather than return a partial + // set of elements. If a file contains well-formed XML but its contents are meaningless, we + // won't fail that operation here. The caller is responsible for failing as appropriate given + // that scenario. - // 'yield return' outside the preceding 'using' block so we can release the reader - yield return document.Root; + foreach (string valueName in RegistryKey.GetValueNames()) + { + XElement element = ReadElementFromRegKey(RegistryKey, valueName); + if (element != null) + { + yield return element; } } } - internal static RegistryXmlRepository GetDefaultRepositoryForHKLMRegistry() + private static RegistryKey GetDefaultHklmStorageKey() { try { // Try reading the auto-generated machine key from HKLM using (var hklmBaseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32)) { - // TODO: Do we need to change the version number below? + // Even though this is in HKLM, WAS ensures that applications hosted in IIS are properly isolated. + // See APP_POOL::EnsureSharedMachineKeyStorage in WAS source for more info. + // The version number will need to change if IIS hosts Core CLR directly. 
string aspnetAutoGenKeysBaseKeyName = String.Format(CultureInfo.InvariantCulture, @"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{0}", WindowsIdentity.GetCurrent().User.Value); var aspnetBaseKey = hklmBaseKey.OpenSubKey(aspnetAutoGenKeysBaseKeyName, writable: true); - if (aspnetBaseKey == null) + if (aspnetBaseKey != null) { - return null; // couldn't find the auto-generated machine key - } - - using (aspnetBaseKey) { - // TODO: Remove the ".BETA" moniker. - var dataProtectionKey = aspnetBaseKey.OpenSubKey("DataProtection.BETA6", writable: true); - if (dataProtectionKey == null) + using (aspnetBaseKey) { - // TODO: Remove the ".BETA" moniker from here, also. - dataProtectionKey = aspnetBaseKey.CreateSubKey("DataProtection.BETA6"); + // We'll create a 'DataProtection' subkey under the auto-gen keys base + return aspnetBaseKey.OpenSubKey("DataProtection", writable: true) + ?? aspnetBaseKey.CreateSubKey("DataProtection"); } - - // Once we've opened the HKLM reg key, return a repository which wraps it. - return new RegistryXmlRepository(dataProtectionKey); } + return null; // couldn't find the auto-generated machine key } } catch 
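Review bot: The summary on `DefaultRegistryKey` calls it the "default key storage directory" and gives the path as `...\AutoGenKeys\{SID}`, but `GetDefaultHklmStorageKey` returns the `DataProtection` subkey beneath that path, opened through `RegistryView.Registry32`. I would word it as `/// The default registry key for key storage, which currently corresponds to "HKLM\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{SID}\DataProtection" in the 32-bit registry view.` so that anyone auditing or setting ACLs on the stored keys looks at the right location. The note in `GetAllElementsCore` also still says "If a file contains well-formed XML"; "value" fits this repository. `GetDefaultHklmStorageKey` continues past the end of the hunk.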
@@ -90,28 +117,50 @@ namespace Microsoft.AspNet.DataProtection.Repositories } } - public virtual void StoreElement([NotNull] XElement element, string friendlyName) + private static bool IsSafeRegistryValueName(string filename) { - // We're going to ignore the friendly name for now and just use a GUID. - StoreElement(element, Guid.NewGuid()); + // Must be non-empty and contain only a-zA-Z0-9, hyphen, and underscore. + return (!String.IsNullOrEmpty(filename) && filename.All(c => + c == '-' + || c == '_' + || ('0' <= c && c <= '9') + || ('A' <= c && c <= 'Z') + || ('a' <= c && c <= 'z'))); } - private void StoreElement(XElement element, Guid id) + private XElement ReadElementFromRegKey(RegistryKey regKey, string valueName) { - // First, serialize the XElement to a string. - string serializedString; - using (var writer = new StringWriter()) + if (_logger.IsVerboseLevelEnabled()) { - new XDocument(element).Save(writer); - serializedString = writer.ToString(); + _logger.LogVerbose("Reading data from registry key '{0}', value '{1}'.", regKey.ToString(), valueName); } + string data = regKey.GetValue(valueName) as string; + return (!String.IsNullOrEmpty(data)) ? XElement.Parse(data) : null; + } + + public virtual void StoreElement([NotNull] XElement element, string friendlyName) + { + if (!IsSafeRegistryValueName(friendlyName)) + { + string newFriendlyName = Guid.NewGuid().ToString(); + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("The name '{0}' is not a safe registry value name, using '{1}' instead.", friendlyName, newFriendlyName); + } + friendlyName = newFriendlyName; + } + + StoreElementCore(element, friendlyName); + } + + private void StoreElementCore(XElement element, string valueName) + { // Technically calls to RegSetValue* and RegGetValue* are atomic, so we don't have to worry about // another thread trying to read this value while we're writing it. 
There's still a small risk of // data corruption if power is lost while the registry file is being flushed to the file system, // but the window for that should be small enough that we shouldn't have to worry about it. - string idAsString = id.ToString("D"); - RegistryKey.SetValue(idAsString, serializedString, RegistryValueKind.String); + RegistryKey.SetValue(valueName, element.ToString(), RegistryValueKind.String); } } } diff --git a/src/Microsoft.AspNet.DataProtection/Resources.resx b/src/Microsoft.AspNet.DataProtection/Resources.resx index 3db16f062c..ad1f4512df 100644 --- a/src/Microsoft.AspNet.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.DataProtection/Resources.resx 
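Review bot: `StoreElementCore` calls `RegistryKey.SetValue(valueName, ...)` with a caller-chosen name, and `SetValue` replaces an existing value, so a repeated `friendlyName` silently overwrites an element that is already stored; `FileSystemXmlRepository` fails in the same situation because `File.Move` will not replace an existing file. Since stored elements can carry revocation information (per the comment in `GetAllElementsCore`), I would refuse the write when the name is taken, e.g. `if (RegistryKey.GetValue(valueName) != null) { throw new InvalidOperationException("A value named '" + valueName + "' already exists."); }`, keeping in mind that this check is not atomic across processes. Smaller point: `IsSafeRegistryValueName` duplicates `IsSafeFilename` and still names its parameter `filename`.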
@@ -136,21 +136,54 @@ An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. - The key {0:B} was not found in the keyring. + The key '{0:D}' was not found in the key ring. - The key {0:B} has been revoked. + The key '{0:D}' has been revoked. - - The provided payload was not protected with this protection provider. + + The provided payload cannot be decrypted because it was not protected with this protection provider. - - The protected payload cannot be decrypted because it was protected with a newer version of the protection provider. + + The provided payload cannot be decrypted because it was protected with a newer version of the protection provider. The payload expired at {0}. - - The purposes array cannot be null or empty and cannot contain null or empty elements. + + Value must be non-negative. + + + The type '{1}' is not assignable to '{0}'. + + + The default new key lifetime must be at least one week. + + + The key '{0:D}' already exists in the keyring. + + + Argument cannot be null or empty. + + + Property {0} must have a non-negative value. + + + GCM algorithms require the Windows platform. + + + A certificate with the thumbprint '{0}' could not be found. + + + Decrypting EncryptedXml-encapsulated payloads is not yet supported on Core CLR. + + + The symmetric algorithm block size of {0} bits is invalid. The block size must be between 64 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + + + The validation algorithm digest size of {0} bits is invalid. The digest size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + + + The symmetric algorithm key size of {0} bits is invalid. The key size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. \ No newline at end of file 
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index 9105d95fc3..e93eb7da4a 100644 --- a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs +++ b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -26,7 +26,7 @@ namespace Microsoft.AspNet.DataProtection.SP800_108 // Creates a provider from the given key. public static ISP800_108_CTR_HMACSHA512Provider CreateProvider(byte* pbKdk, uint cbKdk) { - if (OSVersionUtil.IsBCryptOnWin8OrLaterAvailable()) + if (OSVersionUtil.IsWindows8OrLater()) { return new Win8SP800_108_CTR_HMACSHA512Provider(pbKdk, cbKdk); } diff --git a/src/Microsoft.AspNet.DataProtection/Secret.cs b/src/Microsoft.AspNet.DataProtection/Secret.cs index 6f04529c52..991624e6a6 100644 --- a/src/Microsoft.AspNet.DataProtection/Secret.cs +++ b/src/Microsoft.AspNet.DataProtection/Secret.cs @@ -6,6 +6,7 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.Managed; +using Microsoft.Framework.Internal; namespace Microsoft.AspNet.DataProtection { @@ -36,7 +37,7 @@ namespace Microsoft.AspNet.DataProtection /// Creates a new Secret from the provided input value, where the input value /// is specified as an array. /// - public Secret(byte[] value) + public Secret([NotNull] byte[] value) : this(new ArraySegment(value)) { } @@ -49,11 +50,11 @@ namespace Microsoft.AspNet.DataProtection { if (secret == null) { - throw new ArgumentNullException("secret"); + throw new ArgumentNullException(nameof(secret)); } if (secretLength < 0) { - throw new ArgumentOutOfRangeException("secretLength"); + throw Error.Common_ValueMustBeNonNegative(nameof(secretLength)); } _localAllocHandle = Protect(secret, (uint)secretLength); 
@@ -63,13 +64,8 @@ namespace Microsoft.AspNet.DataProtection /// /// Creates a new Secret from another secret object. /// - public Secret(ISecret secret) + public Secret([NotNull] ISecret secret) { - if (secret == null) - { - throw new ArgumentNullException("secret"); - } - Secret other = secret as Secret; if (other != null) { @@ -130,7 +126,7 @@ namespace Microsoft.AspNet.DataProtection // If we're not running on a platform that supports CryptProtectMemory, // shove the plaintext directly into a LocalAlloc handle. Ideally we'd // mark this memory page as non-pageable, but this is fraught with peril. - if (!OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + if (!OSVersionUtil.IsWindows()) { SecureLocalAllocHandle handle = SecureLocalAllocHandle.Allocate((IntPtr)checked((int)cbPlaintext)); UnsafeBufferUtil.BlockCopy(from: pbPlaintext, to: handle, byteCount: cbPlaintext); @@ -165,7 +161,10 @@ namespace Microsoft.AspNet.DataProtection /// public static Secret Random(int numBytes) { - CryptoUtil.Assert(numBytes >= 0, "numBytes >= 0"); + if (numBytes < 0) + { + throw Error.Common_ValueMustBeNonNegative(nameof(numBytes)); + } if (numBytes == 0) { @@ -175,7 +174,7 @@ namespace Microsoft.AspNet.DataProtection else { // Don't use CNG if we're not on Windows. - if (!OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + if (!OSVersionUtil.IsWindows()) { return new Secret(ManagedGenRandomImpl.Instance.GenRandom(numBytes)); } @@ -200,7 +199,7 @@ namespace Microsoft.AspNet.DataProtection { // If we're not running on a platform that supports CryptProtectMemory, // the handle contains plaintext bytes. - if (!OSVersionUtil.IsBCryptOnWin7OrLaterAvailable()) + if (!OSVersionUtil.IsWindows()) { UnsafeBufferUtil.BlockCopy(from: _localAllocHandle, to: pbBuffer, byteCount: _plaintextLength); return; 
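Review bot: The `Secret(ISecret secret)` constructor drops its explicit `ArgumentNullException` check and relies on `[NotNull]` alone; unless the build injects runtime checks for that attribute (not visible here), a null argument now falls through `secret as Secret` and fails later with a less specific exception. For a public constructor I would keep the guard next to the annotation: `if (secret == null) { throw new ArgumentNullException(nameof(secret)); }`. The constructor body continues outside the hunk.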
@@ -209,7 +208,6 @@ namespace Microsoft.AspNet.DataProtection if (_plaintextLength % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0) { // Case 1: Secret length is an exact multiple of the block size. Copy directly to the buffer and decrypt there. - // We go through this code path even for empty plaintexts since we still want SafeHandle dispose semantics. UnsafeBufferUtil.BlockCopy(from: _localAllocHandle, to: pbBuffer, byteCount: _plaintextLength); MemoryProtection.CryptUnprotectMemory(pbBuffer, _plaintextLength); } @@ -237,7 +235,7 @@ namespace Microsoft.AspNet.DataProtection buffer.Validate(); if (buffer.Count != Length) { - throw Error.Common_BufferIncorrectlySized("buffer", actualSize: buffer.Count, expectedSize: Length); + throw Error.Common_BufferIncorrectlySized(nameof(buffer), actualSize: buffer.Count, expectedSize: Length); } // only unprotect if the secret is zero-length, as CLR doesn't like pinning zero-length buffers @@ -253,6 +251,8 @@ namespace Microsoft.AspNet.DataProtection /// /// Writes the secret value to the specified buffer. /// + /// The buffer into which to write the secret value. + /// The size (in bytes) of the provided buffer. /// /// The 'bufferLength' parameter must exactly match the length of the secret value. /// @@ -260,18 +260,17 @@ namespace Microsoft.AspNet.DataProtection { if (buffer == null) { - throw new ArgumentNullException("buffer"); - } - if (bufferLength < 0) - { - throw new ArgumentOutOfRangeException("bufferLength"); + throw new ArgumentNullException(nameof(buffer)); } if (bufferLength != Length) { - throw Error.Common_BufferIncorrectlySized("bufferLength", actualSize: bufferLength, expectedSize: Length); + throw Error.Common_BufferIncorrectlySized(nameof(bufferLength), actualSize: bufferLength, expectedSize: Length); } - UnprotectInto(buffer); + if (Length != 0) + { + UnprotectInto(buffer); + } } } } 
diff --git a/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs index a1c4ef1454..a9033d4c25 100644 --- a/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs @@ -2,8 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; +using Microsoft.Framework.Internal; namespace Microsoft.AspNet.DataProtection { 
@@ -27,28 +27,28 @@ namespace Microsoft.AspNet.DataProtection return new TimeLimitedDataProtector(InnerProtector.CreateProtector(purpose)); } - public byte[] Protect([NotNull] byte[] unprotectedData) + public byte[] Protect([NotNull] byte[] plaintext) { - return Protect(unprotectedData, DateTimeOffset.MaxValue); + return Protect(plaintext, DateTimeOffset.MaxValue); } - public byte[] Protect([NotNull] byte[] unprotectedData, DateTimeOffset expiration) + public byte[] Protect([NotNull] byte[] plaintext, DateTimeOffset expiration) { // We prepend the expiration time (as a big-endian 64-bit UTC tick count) to the unprotected data. ulong utcTicksExpiration = (ulong)expiration.UtcTicks; - byte[] unprotectedDataWithHeader = new byte[checked(8 + unprotectedData.Length)]; - unprotectedDataWithHeader[0] = (byte)(utcTicksExpiration >> 56); - unprotectedDataWithHeader[1] = (byte)(utcTicksExpiration >> 48); - unprotectedDataWithHeader[2] = (byte)(utcTicksExpiration >> 40); - unprotectedDataWithHeader[3] = (byte)(utcTicksExpiration >> 32); - unprotectedDataWithHeader[4] = (byte)(utcTicksExpiration >> 24); - unprotectedDataWithHeader[5] = (byte)(utcTicksExpiration >> 16); - unprotectedDataWithHeader[6] = (byte)(utcTicksExpiration >> 8); - unprotectedDataWithHeader[7] = (byte)(utcTicksExpiration); - Buffer.BlockCopy(unprotectedData, 0, unprotectedDataWithHeader, 8, unprotectedData.Length); + byte[] plaintextWithHeader = new byte[checked(8 + plaintext.Length)]; + plaintextWithHeader[0] = (byte)(utcTicksExpiration >> 56); + plaintextWithHeader[1] = (byte)(utcTicksExpiration >> 48); + plaintextWithHeader[2] = (byte)(utcTicksExpiration >> 40); + plaintextWithHeader[3] = (byte)(utcTicksExpiration >> 32); + plaintextWithHeader[4] = (byte)(utcTicksExpiration >> 24); + plaintextWithHeader[5] = (byte)(utcTicksExpiration >> 16); + plaintextWithHeader[6] = (byte)(utcTicksExpiration >> 8); + plaintextWithHeader[7] = (byte)(utcTicksExpiration); + Buffer.BlockCopy(plaintext, 0, 
plaintextWithHeader, 8, plaintext.Length); - return InnerProtector.Protect(unprotectedDataWithHeader); + return InnerProtector.Protect(plaintextWithHeader); } public byte[] Unprotect([NotNull] byte[] protectedData) @@ -61,18 +61,18 @@ namespace Microsoft.AspNet.DataProtection { try { - byte[] unprotectedDataWithHeader = InnerProtector.Unprotect(protectedData); - CryptoUtil.Assert(unprotectedDataWithHeader.Length >= 8, "No header present."); + byte[] plaintextWithHeader = InnerProtector.Unprotect(protectedData); + CryptoUtil.Assert(plaintextWithHeader.Length >= 8, "No header present."); // Read expiration time back out of the payload - ulong utcTicksExpiration = (((ulong)unprotectedDataWithHeader[0]) << 56) - | (((ulong)unprotectedDataWithHeader[1]) << 48) - | (((ulong)unprotectedDataWithHeader[2]) << 40) - | (((ulong)unprotectedDataWithHeader[3]) << 32) - | (((ulong)unprotectedDataWithHeader[4]) << 24) - | (((ulong)unprotectedDataWithHeader[5]) << 16) - | (((ulong)unprotectedDataWithHeader[6]) << 8) - | (ulong)unprotectedDataWithHeader[7]; + ulong utcTicksExpiration = (((ulong)plaintextWithHeader[0]) << 56) + | (((ulong)plaintextWithHeader[1]) << 48) + | (((ulong)plaintextWithHeader[2]) << 40) + | (((ulong)plaintextWithHeader[3]) << 32) + | (((ulong)plaintextWithHeader[4]) << 24) + | (((ulong)plaintextWithHeader[5]) << 16) + | (((ulong)plaintextWithHeader[6]) << 8) + | (ulong)plaintextWithHeader[7]; // Are we expired? DateTime utcNow = DateTime.UtcNow; @@ -81,8 +81,8 @@ namespace Microsoft.AspNet.DataProtection throw Error.TimeLimitedDataProtector_PayloadExpired(utcTicksExpiration); } - byte[] retVal = new byte[unprotectedDataWithHeader.Length - 8]; - Buffer.BlockCopy(unprotectedDataWithHeader, 8, retVal, 0, retVal.Length); + byte[] retVal = new byte[plaintextWithHeader.Length - 8]; + Buffer.BlockCopy(plaintextWithHeader, 8, retVal, 0, retVal.Length); expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero); return retVal; 
diff --git a/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs b/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs new file mode 100644 index 0000000000..7f4c12b529 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs @@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Reflection; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Helpful extension methods on . + /// + internal static class TypeExtensions + { + /// + /// Throws if + /// is not assignable to . + /// + public static void AssertIsAssignableFrom(this Type expectedBaseType, Type implementationType) + { + if (!expectedBaseType.IsAssignableFrom(implementationType)) + { + // It might seem a bit weird to throw an InvalidCastException explicitly rather than + // to let the CLR generate one, but searching through NetFX there is indeed precedent + // for this pattern when the caller knows ahead of time the operation will fail. + throw new InvalidCastException(Resources.FormatTypeExtensions_BadCast( + expectedBaseType.AssemblyQualifiedName, implementationType.AssemblyQualifiedName)); + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/XmlConstants.cs b/src/Microsoft.AspNet.DataProtection/XmlConstants.cs new file mode 100644 index 0000000000..e41785f59a --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlConstants.cs 
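Review bot: A null `implementationType` makes `AssertIsAssignableFrom` fail with a NullReferenceException instead of the intended InvalidCastException, because `IsAssignableFrom(null)` returns false and the throw path then reads `implementationType.AssemblyQualifiedName`. The helper looks like a gate on types that other code will go on to activate (an inference, no caller is in this hunk), so its failure mode should be deterministic. Use `implementationType?.AssemblyQualifiedName` when building the message, or reject null up front with `throw new ArgumentNullException(nameof(implementationType));`.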
@@ -0,0 +1,39 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Contains XLinq constants. + /// + internal static class XmlConstants + { + /// + /// The root namespace used for all DataProtection-specific XML elements and attributes. + /// + private static readonly XNamespace RootNamespace = XNamespace.Get("http://schemas.asp.net/2015/03/dataProtection"); + + /// + /// Represents the type of decryptor that can be used when reading 'encryptedSecret' elements. + /// + internal static readonly XName DecryptorTypeAttributeName = "decryptorType"; + + /// + /// Elements with this attribute will be read with the specified deserializer type. + /// + internal static readonly XName DeserializerTypeAttributeName = "deserializerType"; + + /// + /// Elements with this name will be automatically decrypted when read by the XML key manager. + /// + internal static readonly XName EncryptedSecretElementName = RootNamespace.GetName("encryptedSecret"); + + /// + /// Elements where this attribute has a value of 'true' should be encrypted before storage. + /// + internal static readonly XName RequiresEncryptionAttributeName = RootNamespace.GetName("requiresEncryption"); + } +} diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs new file mode 100644 index 0000000000..d16a4f9af6 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs 
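Review bot: The summaries for `DecryptorTypeAttributeName` and `DeserializerTypeAttributeName` do not say that the attribute value is a type name taken from stored XML, which is the security-relevant fact for whoever reads these elements. If the reader instantiates the named type (not visible in this hunk, so to be confirmed), the doc comment should say so and point at the check, e.g. `/// The value is a type name read from the key repository; validate it with AssertIsAssignableFrom before activation.` `using System;` also appears to be unused in this file.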
@@ -0,0 +1,50 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + +using System; +using System.Security.Cryptography.X509Certificates; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + /// + /// A default implementation of that looks in the current user + /// and local machine certificate stores. + /// + public class CertificateResolver : ICertificateResolver + { + /// + /// Locates an given its thumbprint. + /// + /// The thumbprint (as a hex string) of the certificate to resolve. + /// The resolved , or null if the certificate cannot be found. + public virtual X509Certificate2 ResolveCertificate(string thumbprint) + { + if (String.IsNullOrEmpty(thumbprint)) + { + throw Error.Common_ArgumentCannotBeNullOrEmpty(nameof(thumbprint)); + } + + return GetCertificateFromStore(StoreLocation.CurrentUser, thumbprint) + ?? GetCertificateFromStore(StoreLocation.LocalMachine, thumbprint); + } + + private static X509Certificate2 GetCertificateFromStore(StoreLocation location, string thumbprint) + { + var store = new X509Store(location); + try + { + store.Open(OpenFlags.ReadOnly); + var matchingCerts = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true); + return (matchingCerts != null && matchingCerts.Count > 0) ? matchingCerts[0] : null; + } + finally + { + store.Close(); + } + } + } +} + +#endif diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 39f6d3e1a5..f89820b02c 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs 
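Review bot: `GetCertificateFromStore` passes `validOnly: true` to `Find`, so a certificate that is present but expired or fails chain validation is reported the same way as one that is missing, and `ResolveCertificate` returns null for both. The return description should say that, e.g. `/// null if no valid certificate with this thumbprint is found (expired or untrusted certificates are skipped)`, so operators are not sent looking for a certificate that is actually installed. I would also spell the store out as `new X509Store(StoreName.My, location)` rather than relying on the constructor default, and state in the summary that CurrentUser is consulted before LocalMachine.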
@@ -1,37 +1,168 @@ // Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + using System; using System.Security.Cryptography.X509Certificates; +using System.Security.Cryptography.Xml; +using System.Xml; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// - /// A class that performs XML encryption using an X.509 certificate. + /// An that can perform XML encryption by using an X.509 certificate. /// - /// - /// This type currently requires Windows 8.1 (Windows Server 2012 R2) or higher. - /// - public sealed class CertificateXmlEncryptor : IXmlEncryptor + public sealed class CertificateXmlEncryptor : IInternalCertificateXmlEncryptor, IXmlEncryptor { - private readonly DpapiNGXmlEncryptor _dpapiEncryptor; + private readonly Func _certFactory; + private readonly IInternalCertificateXmlEncryptor _encryptor; + private readonly ILogger _logger; - public CertificateXmlEncryptor([NotNull] X509Certificate2 cert) + /// + /// Creates a given a certificate's thumbprint and an + /// that can be used to resolve the certificate. + /// + /// The thumbprint (as a hex string) of the certificate with which to + /// encrypt the key material. The certificate must be locatable by . + /// A resolver which can locate objects. 
+ public CertificateXmlEncryptor([NotNull] string thumbprint, [NotNull] ICertificateResolver certificateResolver) + : this(thumbprint, certificateResolver, services: null) { - byte[] certAsBytes = cert.Export(X509ContentType.Cert); - string protectionDescriptor = "CERTIFICATE=CertBlob:" + Convert.ToBase64String(certAsBytes); - _dpapiEncryptor = new DpapiNGXmlEncryptor(protectionDescriptor, DpapiNGProtectionDescriptorFlags.None); } /// - /// Encrypts the specified XML element using an X.509 certificate. + /// Creates a given a certificate's thumbprint, an + /// that can be used to resolve the certificate, and + /// an . /// - /// The plaintext XML element to encrypt. This element is unchanged by the method. - /// The encrypted form of the XML element. - public XElement Encrypt([NotNull] XElement plaintextElement) + /// The thumbprint (as a hex string) of the certificate with which to + /// encrypt the key material. The certificate must be locatable by . + /// A resolver which can locate objects. + /// An optional to provide ancillary services. + public CertificateXmlEncryptor([NotNull] string thumbprint, [NotNull] ICertificateResolver certificateResolver, IServiceProvider services) + : this(services) { - return _dpapiEncryptor.Encrypt(plaintextElement); + _certFactory = CreateCertFactory(thumbprint, certificateResolver); + } + + /// + /// Creates a given an instance. + /// + /// The with which to encrypt the key material. + public CertificateXmlEncryptor([NotNull] X509Certificate2 certificate) + : this(certificate, services: null) + { + } + + /// + /// Creates a given an instance + /// and an . + /// + /// The with which to encrypt the key material. + /// An optional to provide ancillary services. + public CertificateXmlEncryptor([NotNull] X509Certificate2 certificate, IServiceProvider services) + : this(services) + { + _certFactory = () => certificate; + } + + internal CertificateXmlEncryptor(IServiceProvider services) + { + _encryptor = services?.GetService() ?? 
this; + _logger = services.GetLogger(); + } + + /// + /// Encrypts the specified with an X.509 certificate. + /// + /// The plaintext to encrypt. + /// + /// An that contains the encrypted value of + /// along with information about how to + /// decrypt it. + /// + public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) + { + // + // ... + // + + XElement encryptedElement = EncryptElement(plaintextElement); + return new EncryptedXmlInfo(encryptedElement, typeof(EncryptedXmlDecryptor)); + } + + private XElement EncryptElement(XElement plaintextElement) + { + // EncryptedXml works with XmlDocument, not XLinq. When we perform the conversion + // we'll wrap the incoming element in a dummy element since encrypted XML + // doesn't handle encrypting the root element all that well. + var xmlDocument = new XmlDocument(); + xmlDocument.Load(new XElement("root", plaintextElement).CreateReader()); + var elementToEncrypt = (XmlElement)xmlDocument.DocumentElement.FirstChild; + + // Perform the encryption and update the document in-place. + var encryptedXml = new EncryptedXml(xmlDocument); + var encryptedData = _encryptor.PerformEncryption(encryptedXml, elementToEncrypt); + EncryptedXml.ReplaceElement(elementToEncrypt, encryptedData, content: false); + + // Strip the element back off and convert the XmlDocument to an XElement. 
+ return XElement.Load(xmlDocument.DocumentElement.FirstChild.CreateNavigator().ReadSubtree()); + } + + private Func CreateCertFactory(string thumbprint, ICertificateResolver resolver) + { + return () => + { + try + { + var cert = resolver.ResolveCertificate(thumbprint); + if (cert == null) + { + throw Error.CertificateXmlEncryptor_CertificateNotFound(thumbprint); + } + return cert; + } + catch (Exception ex) + { + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError(ex, "An exception occurred while trying to resolve certificate with thumbprint '{0}'.", thumbprint); + } + throw; + } + }; + } + + EncryptedData IInternalCertificateXmlEncryptor.PerformEncryption(EncryptedXml encryptedXml, XmlElement elementToEncrypt) + { + var cert = _certFactory() + ?? CryptoUtil.Fail("Cert factory returned null."); + + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Encrypting to X.509 certificate with thumbprint '{0}'.", cert.Thumbprint); + } + + try + { + return encryptedXml.Encrypt(elementToEncrypt, cert); + } + catch (Exception ex) + { + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError(ex, "An error occurred while encrypting to X.509 certificate with thumbprint '{0}'.", cert.Thumbprint); + } + throw; + } } } } + +#endif diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs index dd7d0938d2..17b9a762c2 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs 
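Review bot: Nothing in the class documentation says what protection `encryptedXml.Encrypt(elementToEncrypt, cert)` in `PerformEncryption` actually provides. To my knowledge that overload uses AES-256-CBC with an RSA-wrapped session key and adds no integrity check, so the output is confidential but not tamper-evident; the summary should say so, e.g. `/// Provides confidentiality only; the repository that stores the result must be protected against modification.` The same overload also appears to require an RSA public key, which neither constructor checks, so a certificate with another key type would fail only at first use. Separately, `_logger = services.GetLogger()` in the internal constructor runs with `services == null` on two of the public paths, which is fine only if `GetLogger` is a null-tolerant extension method (not visible here).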
@@ -5,12 +5,31 @@ using System; namespace Microsoft.AspNet.DataProtection.XmlEncryption { - // from ncrypt.h and ncryptprotect.h + /// + /// Flags used to control the creation of protection descriptors. + /// + /// + /// These values correspond to the 'dwFlags' parameter on NCryptCreateProtectionDescriptor. + /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx for more information. + /// [Flags] public enum DpapiNGProtectionDescriptorFlags { + /// + /// No special handling is necessary. + /// None = 0, + + /// + /// The provided descriptor is a reference to a full descriptor stored + /// in the system registry. + /// NamedDescriptor = 0x00000001, + + /// + /// When combined with , uses the HKLM registry + /// instead of the HKCU registry when locating the full descriptor. + /// MachineKey = 0x00000020, } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index debd74b5a0..e804c1d7cb 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs 
@@ -2,48 +2,90 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.IO; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// - /// A class that can decrypt XML elements which were encrypted using Windows DPAPI:NG. + /// An that decrypts XML elements that were encrypted with . /// - internal unsafe sealed class DpapiNGXmlDecryptor : IXmlDecryptor + /// + /// This API is only supported on Windows 8 / Windows Server 2012 and higher. + /// + public sealed class DpapiNGXmlDecryptor : IXmlDecryptor { + private readonly ILogger _logger; + /// - /// Decrypts the specified XML element using Windows DPAPI:NG. + /// Creates a new instance of a . /// - /// The encrypted XML element to decrypt. This element is unchanged by the method. - /// The decrypted form of the XML element. + public DpapiNGXmlDecryptor() + : this(services: null) + { + } + + /// + /// Creates a new instance of a . + /// + /// An optional to provide ancillary services. + public DpapiNGXmlDecryptor(IServiceProvider services) + { + CryptoUtil.AssertPlatformIsWindows8OrLater(); + + _logger = services.GetLogger(); + } + + /// + /// Decrypts the specified XML element. + /// + /// An encrypted XML element. + /// The decrypted form of . 
+ /// public XElement Decrypt([NotNull] XElement encryptedElement) { - CryptoUtil.Assert(encryptedElement.Name == DpapiNGXmlEncryptor.DpapiNGEncryptedSecretElementName, - "TODO: Incorrect element."); - - int version = (int)encryptedElement.Attribute("version"); - CryptoUtil.Assert(version == 1, "TODO: Bad version."); - - byte[] dpapiNGProtectedBytes = Convert.FromBase64String(encryptedElement.Value); - using (var secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(dpapiNGProtectedBytes)) + try { - byte[] plaintextXmlBytes = new byte[secret.Length]; - try + // + // + // + // {base64} + // + + byte[] protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")); + if (_logger.IsVerboseLevelEnabled()) { - secret.WriteSecretIntoBuffer(new ArraySegment(plaintextXmlBytes)); - using (var memoryStream = new MemoryStream(plaintextXmlBytes, writable: false)) + string protectionDescriptorRule; + try { - return XElement.Load(memoryStream); + protectionDescriptorRule = DpapiSecretSerializerHelper.GetRuleFromDpapiNGProtectedPayload(protectedSecret); } + catch + { + // swallow all errors - it's just a log + protectionDescriptorRule = null; + } + _logger.LogVerbose("Decrypting secret element using Windows DPAPI-NG with protection descriptor '{0}'.", protectionDescriptorRule); } - finally + + using (Secret secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(protectedSecret)) { - Array.Clear(plaintextXmlBytes, 0, plaintextXmlBytes.Length); + return secret.ToXElement(); } } + catch (Exception ex) + { + // It's OK for us to log the error, as we control the exception, and it doesn't contain + // sensitive information. + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError(ex, "An exception occurred while trying to decrypt the element."); + } + throw; + } } } } 
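Review bot: The outer `catch (Exception ex)` in `Decrypt` logs every exception, but the comment justifying it ("we control the exception, and it doesn't contain sensitive information") only holds for errors raised by this library. `secret.ToXElement()` sits inside the same try and presumably parses the decrypted plaintext, and XML parser exceptions can quote part of the offending input in their message. Either move the parse out of the logged region or log only `ex.GetType()` for exceptions that are not the library's own. The same pattern is in `DpapiXmlDecryptor.Decrypt` further down. The hunk also drops the element-name and version assertions without a replacement check, so a wrong element now fails later with a less specific error.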
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index 498df42350..1a11ce10a7 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs 
@@ -3,79 +3,112 @@ using System; using System.Globalization; -using System.IO; using System.Security.Principal; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// /// A class that can encrypt XML elements using Windows DPAPI:NG. /// + /// + /// This API is only supported on Windows 8 / Windows Server 2012 and higher. + /// public sealed class DpapiNGXmlEncryptor : IXmlEncryptor { - internal static readonly XName DpapiNGEncryptedSecretElementName = XmlKeyManager.KeyManagementXmlNamespace.GetName("dpapiNGEncryptedSecret"); - + private readonly ILogger _logger; private readonly NCryptDescriptorHandle _protectionDescriptorHandle; - public DpapiNGXmlEncryptor() - : this(GetDefaultProtectionDescriptorString(), DpapiNGProtectionDescriptorFlags.None) + /// + /// Creates a new instance of a . + /// + /// The rule string from which to create the protection descriptor. + /// Flags controlling the creation of the protection descriptor. 
+ public DpapiNGXmlEncryptor([NotNull] string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) + : this(protectionDescriptorRule, flags, services: null) { } - public DpapiNGXmlEncryptor(string protectionDescriptor, DpapiNGProtectionDescriptorFlags protectionDescriptorFlags = DpapiNGProtectionDescriptorFlags.None) - { - if (String.IsNullOrEmpty(protectionDescriptor)) - { - throw new Exception("TODO: Null or empty."); - } - - int ntstatus = UnsafeNativeMethods.NCryptCreateProtectionDescriptor(protectionDescriptor, (uint)protectionDescriptorFlags, out _protectionDescriptorHandle); - UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); - CryptoUtil.AssertSafeHandleIsValid(_protectionDescriptorHandle); - } - /// - /// Encrypts the specified XML element using Windows DPAPI:NG. + /// Creates a new instance of a . /// - /// The plaintext XML element to encrypt. This element is unchanged by the method. - /// The encrypted form of the XML element. - public XElement Encrypt([NotNull] XElement plaintextElement) + /// The rule string from which to create the protection descriptor. + /// Flags controlling the creation of the protection descriptor. + /// An optional to provide ancillary services. + public DpapiNGXmlEncryptor([NotNull] string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags, IServiceProvider services) { - // First, convert the XML element to a byte[] so that it can be encrypted. - Secret secret; - using (var memoryStream = new MemoryStream()) - { - plaintextElement.Save(memoryStream); -#if !DNXCORE50 - // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization. - byte[] underlyingBuffer = memoryStream.GetBuffer(); - secret = new Secret(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); - Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length); -#else - // Otherwise, need to make a copy of the buffer. 
- byte[] clonedBuffer = memoryStream.ToArray(); - secret = new Secret(clonedBuffer); - Array.Clear(clonedBuffer, 0, clonedBuffer.Length); -#endif - } + CryptoUtil.AssertPlatformIsWindows8OrLater(); - // - // ... base64 data ... - // - byte[] encryptedBytes = DpapiSecretSerializerHelper.ProtectWithDpapiNG(secret, _protectionDescriptorHandle); - return new XElement(DpapiNGEncryptedSecretElementName, - new XAttribute("decryptor", typeof(DpapiNGXmlDecryptor).AssemblyQualifiedName), - new XAttribute("version", 1), - Convert.ToBase64String(encryptedBytes)); + int ntstatus = UnsafeNativeMethods.NCryptCreateProtectionDescriptor(protectionDescriptorRule, (uint)flags, out _protectionDescriptorHandle); + UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); + CryptoUtil.AssertSafeHandleIsValid(_protectionDescriptorHandle); + + _logger = services.GetLogger(); } - private static string GetDefaultProtectionDescriptorString() + /// + /// Encrypts the specified . + /// + /// The plaintext to encrypt. + /// + /// An that contains the encrypted value of + /// along with information about how to + /// decrypt it. 
+ /// + public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) { + string protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); + if (_logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Encrypting to Windows DPAPI-NG using protection descriptor '{0}'.", protectionDescriptorRuleString); + } + + // Convert the XML element to a binary secret so that it can be run through DPAPI + byte[] cngDpapiEncryptedData; + try + { + using (Secret plaintextElementAsSecret = plaintextElement.ToSecret()) + { + cngDpapiEncryptedData = DpapiSecretSerializerHelper.ProtectWithDpapiNG(plaintextElementAsSecret, _protectionDescriptorHandle); + } + } + catch (Exception ex) + { + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError(ex, "An error occurred while encrypting to Windows DPAPI-NG."); + } + throw; + } + + // + // + // + // {base64} + // + + var element = new XElement("encryptedKey", + new XComment(" This key is encrypted with Windows DPAPI-NG. "), + new XComment(" Rule: " + protectionDescriptorRuleString + " "), + new XElement("value", + Convert.ToBase64String(cngDpapiEncryptedData))); + + return new EncryptedXmlInfo(element, typeof(DpapiNGXmlDecryptor)); + } + + /// + /// Creates a rule string tied to the current Windows user and which is transferrable + /// across machines (backed up in AD). + /// + internal static string GetDefaultProtectionDescriptorString() + { + CryptoUtil.AssertPlatformIsWindows8OrLater(); + // Creates a SID=... protection descriptor string for the current user. // Reminder: DPAPI:NG provides only encryption, not authentication. using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent()) diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index c55a6ba47d..10d0b81a84 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs 
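Review bot: The constructor no longer rejects an empty rule string: the removed `String.IsNullOrEmpty(protectionDescriptor)` check is replaced by `[NotNull]`, which by its name covers null only, so `""` now reaches `NCryptCreateProtectionDescriptor` and fails with whatever status the native call returns. Restoring the guard keeps the error precise, e.g. `if (String.IsNullOrEmpty(protectionDescriptorRule)) throw Error.Common_ArgumentCannotBeNullOrEmpty(nameof(protectionDescriptorRule));`, matching `CertificateResolver.ResolveCertificate` in this commit. In `Encrypt`, the rule string is written into an XML comment and into the verbose log; it identifies the protecting principal (a SID in the default case), which is worth stating in the remarks so operators know it is stored in clear next to the ciphertext.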
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs 
@@ -2,47 +2,75 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.IO; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// - /// A class that can decrypt XML elements which were encrypted using Windows DPAPI. + /// An that decrypts XML elements that were encrypted with . /// - internal unsafe sealed class DpapiXmlDecryptor : IXmlDecryptor + public sealed class DpapiXmlDecryptor : IXmlDecryptor { + private readonly ILogger _logger; + /// - /// Decrypts the specified XML element using Windows DPAPI. + /// Creates a new instance of a . /// - /// The encrypted XML element to decrypt. This element is unchanged by the method. - /// The decrypted form of the XML element. + public DpapiXmlDecryptor() + : this(services: null) + { + } + + /// + /// Creates a new instance of a . + /// + /// An optional to provide ancillary services. + public DpapiXmlDecryptor(IServiceProvider services) + { + CryptoUtil.AssertPlatformIsWindows(); + + _logger = services.GetLogger(); + } + + /// + /// Decrypts the specified XML element. + /// + /// An encrypted XML element. + /// The decrypted form of . 
+ /// public XElement Decrypt([NotNull] XElement encryptedElement) { - CryptoUtil.Assert(encryptedElement.Name == DpapiXmlEncryptor.DpapiEncryptedSecretElementName, - "TODO: Incorrect element."); - - int version = (int)encryptedElement.Attribute("version"); - CryptoUtil.Assert(version == 1, "TODO: Bad version."); - - byte[] dpapiProtectedBytes = Convert.FromBase64String(encryptedElement.Value); - using (var secret = DpapiSecretSerializerHelper.UnprotectWithDpapi(dpapiProtectedBytes)) + if (_logger.IsVerboseLevelEnabled()) { - byte[] plaintextXmlBytes = new byte[secret.Length]; - try + _logger.LogVerbose("Decrypting secret element using Windows DPAPI."); + } + + try + { + // + // + // {base64} + // + + byte[] protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")); + using (Secret secret = DpapiSecretSerializerHelper.UnprotectWithDpapi(protectedSecret)) { - secret.WriteSecretIntoBuffer(new ArraySegment(plaintextXmlBytes)); - using (var memoryStream = new MemoryStream(plaintextXmlBytes, writable: false)) - { - return XElement.Load(memoryStream); - } + return secret.ToXElement(); } - finally + } + catch (Exception ex) + { + // It's OK for us to log the error, as we control the exception, and it doesn't contain + // sensitive information. + if (_logger.IsErrorLevelEnabled()) { - Array.Clear(plaintextXmlBytes, 0, plaintextXmlBytes.Length); + _logger.LogError(ex, "An exception occurred while trying to decrypt the element."); } + throw; } } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 121384d7bc..d0b5908092 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs 
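Review bot: `(string)encryptedElement.Element("value")` yields null when the `value` child is missing, so `Convert.FromBase64String` throws an ArgumentNullException that names an internal parameter rather than the malformed input. Now that the element-name and version assertions are removed, an explicit check gives a usable error: `var valueElement = encryptedElement.Element("value");` followed by `if (valueElement == null) throw new FormatException("The encrypted element has no 'value' child.");`. `DpapiNGXmlDecryptor.Decrypt` reads the element the same way and would benefit from the same check.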
@@ -2,61 +2,103 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.IO; +using System.Security.Principal; using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// - /// A class that can encrypt XML elements using Windows DPAPI. + /// An that encrypts XML by using Windows DPAPI. /// + /// + /// This API is only supported on Windows platforms. + /// public sealed class DpapiXmlEncryptor : IXmlEncryptor { - internal static readonly XName DpapiEncryptedSecretElementName = XmlKeyManager.KeyManagementXmlNamespace.GetName("dpapiEncryptedSecret"); - + private readonly ILogger _logger; private readonly bool _protectToLocalMachine; + /// + /// Creates a given a protection scope. + /// + /// 'true' if the data should be decipherable by anybody on the local machine, + /// 'false' if the data should only be decipherable by the current Windows user account. public DpapiXmlEncryptor(bool protectToLocalMachine) + : this(protectToLocalMachine, services: null) { - _protectToLocalMachine = protectToLocalMachine; } /// - /// Encrypts the specified XML element using Windows DPAPI. + /// Creates a given a protection scope and an . /// - /// The plaintext XML element to encrypt. This element is unchanged by the method. - /// The encrypted form of the XML element. - public XElement Encrypt([NotNull] XElement plaintextElement) + /// 'true' if the data should be decipherable by anybody on the local machine, + /// 'false' if the data should only be decipherable by the current Windows user account. + /// An optional to provide ancillary services. 
+ public DpapiXmlEncryptor(bool protectToLocalMachine, IServiceProvider services) { - // First, convert the XML element to a byte[] so that it can be encrypted. - Secret secret; - using (var memoryStream = new MemoryStream()) - { - plaintextElement.Save(memoryStream); + CryptoUtil.AssertPlatformIsWindows(); -#if !DNXCORE50 - // If we're on full desktop CLR, utilize the underlying buffer directly as an optimization. - byte[] underlyingBuffer = memoryStream.GetBuffer(); - secret = new Secret(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); - Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length); -#else - // Otherwise, need to make a copy of the buffer. - byte[] clonedBuffer = memoryStream.ToArray(); - secret = new Secret(clonedBuffer); - Array.Clear(clonedBuffer, 0, clonedBuffer.Length); -#endif + _protectToLocalMachine = protectToLocalMachine; + _logger = services.GetLogger(); + } + + /// + /// Encrypts the specified . + /// + /// The plaintext to encrypt. + /// + /// An that contains the encrypted value of + /// along with information about how to + /// decrypt it. + /// + public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) + { + if (_logger.IsVerboseLevelEnabled()) + { + if (_protectToLocalMachine) + { + _logger.LogVerbose("Encrypting to Windows DPAPI for local machine account."); + } + else + { + _logger.LogVerbose("Encrypting to Windows DPAPI for current user account ({0}).", WindowsIdentity.GetCurrent().Name); + } } - // - // ... base64 data ... 
- // - byte[] encryptedBytes = DpapiSecretSerializerHelper.ProtectWithDpapi(secret, protectToLocalMachine: _protectToLocalMachine); - return new XElement(DpapiEncryptedSecretElementName, - new XAttribute("decryptor", typeof(DpapiXmlDecryptor).AssemblyQualifiedName), - new XAttribute("version", 1), - Convert.ToBase64String(encryptedBytes)); + // Convert the XML element to a binary secret so that it can be run through DPAPI + byte[] dpapiEncryptedData; + try + { + using (Secret plaintextElementAsSecret = plaintextElement.ToSecret()) + { + dpapiEncryptedData = DpapiSecretSerializerHelper.ProtectWithDpapi(plaintextElementAsSecret, protectToLocalMachine: _protectToLocalMachine); + } + } + catch (Exception ex) + { + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError(ex, "An error occurred while encrypting to Windows DPAPI."); + } + throw; + } + + // + // + // {base64} + // + + var element = new XElement("encryptedKey", + new XComment(" This key is encrypted with Windows DPAPI. "), + new XElement("value", + Convert.ToBase64String(dpapiEncryptedData))); + + return new EncryptedXmlInfo(element, typeof(DpapiXmlDecryptor)); } } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs new file mode 100644 index 0000000000..d3889429b9 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs 
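Review bot: The verbose-logging branch of `Encrypt` calls `WindowsIdentity.GetCurrent().Name` and never disposes the returned `WindowsIdentity`, which keeps its token handle alive until finalization. The call also sits outside the `try` block, so a failure while resolving the identity aborts encryption without passing through the `LogError` path, and only when verbose logging is enabled. Scoping it as `using (var identity = WindowsIdentity.GetCurrent()) { _logger.LogVerbose("Encrypting to Windows DPAPI for current user account ({0}).", identity.Name); }` releases the handle deterministically.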
@@ -0,0 +1,43 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +#if DNXCORE50 +// [[ISSUE60]] Remove this entire file when Core CLR gets support for EncryptedXml. +// This is just a dummy implementation of the class that always throws. +// The only reason it's here (albeit internal) is to provide a nice error message if key +// material that was generated by Desktop CLR needs to be read by Core CLR. + +using System; +using System.Xml.Linq; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + internal sealed class EncryptedXmlDecryptor : IXmlDecryptor + { + private readonly ILogger _logger; + + public EncryptedXmlDecryptor() + : this(services: null) + { + } + + public EncryptedXmlDecryptor(IServiceProvider services) + { + _logger = services.GetLogger(); + } + + public XElement Decrypt([NotNull] XElement encryptedElement) + { + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError(Resources.EncryptedXmlDecryptor_DoesNotWorkOnCoreClr); + } + + throw new PlatformNotSupportedException(Resources.EncryptedXmlDecryptor_DoesNotWorkOnCoreClr); + } + } +} + +#endif diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs new file mode 100644 index 0000000000..870cdda96c --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs 
@@ -0,0 +1,74 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + +using System; +using System.Security.Cryptography.Xml; +using System.Xml; +using System.Xml.Linq; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + /// + /// An that decrypts XML elements by using the class. + /// + public sealed class EncryptedXmlDecryptor : IInternalEncryptedXmlDecryptor, IXmlDecryptor + { + private readonly IInternalEncryptedXmlDecryptor _decryptor; + + /// + /// Creates a new instance of an . + /// + public EncryptedXmlDecryptor() + : this(services: null) + { + } + + /// + /// Creates a new instance of an . + /// + /// An optional to provide ancillary services. + public EncryptedXmlDecryptor(IServiceProvider services) + { + _decryptor = services?.GetService() ?? this; + } + + /// + /// Decrypts the specified XML element. + /// + /// An encrypted XML element. + /// The decrypted form of . + /// + public XElement Decrypt([NotNull] XElement encryptedElement) + { + // + // ... + // + + // EncryptedXml works with XmlDocument, not XLinq. When we perform the conversion + // we'll wrap the incoming element in a dummy element since encrypted XML + // doesn't handle encrypting the root element all that well. + var xmlDocument = new XmlDocument(); + xmlDocument.Load(new XElement("root", encryptedElement).CreateReader()); + var elementToDecrypt = (XmlElement)xmlDocument.DocumentElement.FirstChild; + + // Perform the decryption and update the document in-place. 
+ var encryptedXml = new EncryptedXml(xmlDocument); + _decryptor.PerformPreDecryptionSetup(encryptedXml); + encryptedXml.DecryptDocument(); + + // Strip the element back off and convert the XmlDocument to an XElement. + return XElement.Load(xmlDocument.DocumentElement.FirstChild.CreateNavigator().ReadSubtree()); + } + + void IInternalEncryptedXmlDecryptor.PerformPreDecryptionSetup(EncryptedXml encryptedXml) + { + // no-op + } + } +} + +#endif diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs new file mode 100644 index 0000000000..f9e4141054 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs 
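Review bot: In `Decrypt`, the local `elementToDecrypt` is assigned from `xmlDocument.DocumentElement.FirstChild` and never read; `encryptedXml.DecryptDocument()` operates on the whole document instead. Either remove the local or use it so the intent is explicit. The method would also benefit from a remark that, unless a service supplies a different `IInternalEncryptedXmlDecryptor`, `PerformPreDecryptionSetup` is a no-op, so decryption relies on the key resolution `EncryptedXml` performs by default and applies to every encrypted node under the wrapped element.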
@@ -0,0 +1,47 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Reflection; +using System.Xml.Linq; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + /// + /// Wraps an that contains a blob of encrypted XML + /// and information about the class which can be used to decrypt it. + /// + public sealed class EncryptedXmlInfo + { + /// + /// Creates an instance of an . + /// + /// A piece of encrypted XML. + /// The class whose + /// method can be used to decrypt . + public EncryptedXmlInfo([NotNull] XElement encryptedElement, [NotNull] Type decryptorType) + { + if (!typeof(IXmlDecryptor).IsAssignableFrom(decryptorType)) + { + throw new ArgumentException( + Resources.FormatTypeExtensions_BadCast(decryptorType.FullName, typeof(IXmlDecryptor).FullName), + nameof(decryptorType)); + } + + EncryptedElement = encryptedElement; + DecryptorType = decryptorType; + } + + /// + /// The class whose method can be used to + /// decrypt the value stored in . + /// + public Type DecryptorType { get; } + + /// + /// A piece of encrypted XML. + /// + public XElement EncryptedElement { get; } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs new file mode 100644 index 0000000000..037c7fcc07 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs 
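Review bot: The constructor's `typeof(IXmlDecryptor).IsAssignableFrom(decryptorType)` check also accepts `typeof(IXmlDecryptor)` itself and abstract implementations, which cannot be instantiated when the stored element is later read back. Elsewhere in this commit the decryptor is created from its assembly-qualified name at decrypt time, so such a type would presumably be written out successfully and fail only on read, leaving the key unusable. Consider rejecting non-concrete types in the same `ArgumentException` path and stating in the `decryptorType` parameter doc that the type must be activatable.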
@@ -0,0 +1,26 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + +using System; +using System.Security.Cryptography.X509Certificates; +using Microsoft.Framework.Internal; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + /// + /// Provides services for locating instances. + /// + public interface ICertificateResolver + { + /// + /// Locates an given its thumbprint. + /// + /// The thumbprint (as a hex string) of the certificate to resolve. + /// The resolved , or null if the certificate cannot be found. + X509Certificate2 ResolveCertificate([NotNull] string thumbprint); + } +} + +#endif diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs new file mode 100644 index 0000000000..1a0169cf42 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs @@ -0,0 +1,21 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + +using System; +using System.Xml; +using System.Security.Cryptography.Xml; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + /// + /// Internal implementation details of for unit testing. + /// + internal interface IInternalCertificateXmlEncryptor + { + EncryptedData PerformEncryption(EncryptedXml encryptedXml, XmlElement elementToEncrypt); + } +} + +#endif 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs new file mode 100644 index 0000000000..441a300e49 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs @@ -0,0 +1,20 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + +using System; +using System.Security.Cryptography.Xml; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + /// + /// Internal implementation details of for unit testing. + /// + internal interface IInternalEncryptedXmlDecryptor + { + void PerformPreDecryptionSetup(EncryptedXml encryptedXml); + } +} + +#endif diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs index 3b7f2a516c..474a6d0dda 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.Framework.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { @@ -14,8 +15,12 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// /// Decrypts the specified XML element. /// - /// The encrypted XML element to decrypt. This element is unchanged by the method. - /// The decrypted form of the XML element. - XElement Decrypt(XElement encryptedElement); + /// An encrypted XML element. + /// The decrypted form of . + /// + /// Implementations of this method must not mutate the + /// instance provided by . + /// + XElement Decrypt([NotNull] XElement encryptedElement); } } 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs index 019c32d7f4..ebb5f092ba 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs @@ -3,19 +3,29 @@ using System; using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.Framework.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// - /// The basic interface for encrypting an XML element. + /// The basic interface for encrypting XML elements. /// public interface IXmlEncryptor { /// - /// Encrypts the specified XML element. + /// Encrypts the specified . /// - /// The plaintext XML element to encrypt. This element is unchanged by the method. - /// The encrypted form of the XML element. - XElement Encrypt(XElement plaintextElement); + /// The plaintext to encrypt. + /// + /// An that contains the encrypted value of + /// along with information about how to + /// decrypt it. + /// + /// + /// Implementations of this method must not mutate the + /// instance provided by . + /// + EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement); } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs index e5b8b1ab5b..d43c068e6b 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs 
@@ -4,21 +4,30 @@ using System; using System.Linq; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; +using Microsoft.Framework.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// - /// A class that can decrypt XML elements which were encrypted using a null encryptor. + /// An that decrypts XML elements with a null decryptor. /// - internal unsafe sealed class NullXmlDecryptor : IXmlDecryptor + public sealed class NullXmlDecryptor : IXmlDecryptor { + /// + /// Decrypts the specified XML element. + /// + /// An encrypted XML element. + /// The decrypted form of . + /// public XElement Decrypt([NotNull] XElement encryptedElement) { - CryptoUtil.Assert(encryptedElement.Name == NullXmlEncryptor.NullEncryptedSecretElementName, - "TODO: Incorrect element."); + // + // + // + // - return encryptedElement.Elements().Single(); + // Return a clone of the single child node. + return new XElement(encryptedElement.Elements().Single()); } } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs index 170f4eb6e3..9343053537 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs 
@@ -3,30 +3,62 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// - /// A class that performs null XML encryption (just returns the plaintext). + /// An that encrypts XML elements with a null encryptor. /// public sealed class NullXmlEncryptor : IXmlEncryptor { - internal static readonly XName NullEncryptedSecretElementName = XmlKeyManager.KeyManagementXmlNamespace.GetName("nullEncryptedSecret"); + private readonly ILogger _logger; /// - /// Encrypts the specified XML element using a null encryptor. + /// Creates a new instance of . /// - /// The plaintext XML element to encrypt. This element is unchanged by the method. - /// The null-encrypted form of the XML element. - public XElement Encrypt([NotNull] XElement plaintextElement) + public NullXmlEncryptor() + : this(services: null) { - // + } + + /// + /// Creates a new instance of . + /// + /// An optional to provide ancillary services. + public NullXmlEncryptor(IServiceProvider services) + { + _logger = services.GetLogger(); + } + + /// + /// Encrypts the specified with a null encryptor, i.e., + /// by returning the original value of unencrypted. + /// + /// The plaintext to echo back. + /// + /// An that contains the null-encrypted value of + /// along with information about how to + /// decrypt it. + /// + public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("Encrypting using a null encryptor; secret information isn't being protected."); + } + + // + // // - // - return new XElement(NullEncryptedSecretElementName, - new XAttribute("decryptor", typeof(NullXmlDecryptor).AssemblyQualifiedName), - plaintextElement); + // + + var newElement = new XElement("unencryptedKey", + new XComment(" This key is not encrypted. 
"), + new XElement(plaintextElement) /* copy ctor */); + + return new EncryptedXmlInfo(newElement, typeof(NullXmlDecryptor)); } } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs new file mode 100644 index 0000000000..e97bc112e9 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs 
@@ -0,0 +1,201 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Diagnostics; +using System.IO; +using System.Linq; +using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + internal unsafe static class XmlEncryptionExtensions + { + public static XElement DecryptElement(this XElement element, IActivator activator) + { + // If no decryption necessary, return original element. + if (!DoesElementOrDescendentRequireDecryption(element)) + { + return element; + } + + // Deep copy the element (since we're going to mutate) and put + // it into a document to guarantee it has a parent. + var doc = new XDocument(new XElement(element)); + + // We remove elements from the document as we decrypt them and perform + // fix-up later. This keeps us from going into an infinite loop in + // the case of a null decryptor (which returns its original input which + // is still marked as 'requires decryption'). + var placeholderReplacements = new Dictionary(); + + while (true) + { + var elementWhichRequiresDecryption = doc.Descendants(XmlConstants.EncryptedSecretElementName).FirstOrDefault(); + if (elementWhichRequiresDecryption == null) + { + // All encryption is finished. + break; + } + + // Decrypt the clone so that the decryptor doesn't inadvertently modify + // the original document or other data structures. The element we pass to + // the decryptor should be the child of the 'encryptedSecret' element. 
+ var clonedElementWhichRequiresDecryption = new XElement(elementWhichRequiresDecryption); + var innerDoc = new XDocument(clonedElementWhichRequiresDecryption); + string decryptorTypeName = (string)clonedElementWhichRequiresDecryption.Attribute(XmlConstants.DecryptorTypeAttributeName); + var decryptorInstance = activator.CreateInstance(decryptorTypeName); + var decryptedElement = decryptorInstance.Decrypt(clonedElementWhichRequiresDecryption.Elements().Single()); + + // Put a placeholder into the original document so that we can continue our + // search for elements which need to be decrypted. + var newPlaceholder = new XElement("placeholder"); + placeholderReplacements[newPlaceholder] = decryptedElement; + elementWhichRequiresDecryption.ReplaceWith(newPlaceholder); + } + + // Finally, perform fixup. + Debug.Assert(placeholderReplacements.Count > 0); + foreach (var entry in placeholderReplacements) + { + entry.Key.ReplaceWith(entry.Value); + } + return doc.Root; + } + + public static XElement EncryptIfNecessary(this IXmlEncryptor encryptor, XElement element) + { + // If no encryption is necessary, return null. + if (!DoesElementOrDescendentRequireEncryption(element)) + { + return null; + } + + // Deep copy the element (since we're going to mutate) and put + // it into a document to guarantee it has a parent. + var doc = new XDocument(new XElement(element)); + + // We remove elements from the document as we encrypt them and perform + // fix-up later. This keeps us from going into an infinite loop in + // the case of a null encryptor (which returns its original input which + // is still marked as 'requires encryption'). + var placeholderReplacements = new Dictionary(); + + while (true) + { + var elementWhichRequiresEncryption = doc.Descendants().FirstOrDefault(DoesSingleElementRequireEncryption); + if (elementWhichRequiresEncryption == null) + { + // All encryption is finished. 
+ break; + } + + // Encrypt the clone so that the encryptor doesn't inadvertently modify + // the original document or other data structures. + var clonedElementWhichRequiresEncryption = new XElement(elementWhichRequiresEncryption); + var innerDoc = new XDocument(clonedElementWhichRequiresEncryption); + var encryptedXmlInfo = encryptor.Encrypt(clonedElementWhichRequiresEncryption); + CryptoUtil.Assert(encryptedXmlInfo != null, "IXmlEncryptor.Encrypt returned null."); + + // Put a placeholder into the original document so that we can continue our + // search for elements which need to be encrypted. + var newPlaceholder = new XElement("placeholder"); + placeholderReplacements[newPlaceholder] = encryptedXmlInfo; + elementWhichRequiresEncryption.ReplaceWith(newPlaceholder); + } + + // Finally, perform fixup. + Debug.Assert(placeholderReplacements.Count > 0); + foreach (var entry in placeholderReplacements) + { + // + // + // + entry.Key.ReplaceWith( + new XElement(XmlConstants.EncryptedSecretElementName, + new XAttribute(XmlConstants.DecryptorTypeAttributeName, entry.Value.DecryptorType.AssemblyQualifiedName), + entry.Value.EncryptedElement)); + } + return doc.Root; + } + + /// + /// Converts an to a so that it can be run through + /// the DPAPI routines. 
+ /// + public static Secret ToSecret(this XElement element) + { + const int DEFAULT_BUFFER_SIZE = 16 * 1024; // 16k buffer should be large enough to encrypt any realistic secret + var memoryStream = new MemoryStream(DEFAULT_BUFFER_SIZE); + element.Save(memoryStream); + +#if !DNXCORE50 + byte[] underlyingBuffer = memoryStream.GetBuffer(); + fixed (byte* __unused__ = underlyingBuffer) // try to limit this moving around in memory while we allocate + { + try + { + return new Secret(new ArraySegment(underlyingBuffer, 0, checked((int)memoryStream.Length))); + } + finally + { + Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length); + } + } +#else + ArraySegment underlyingBuffer; + CryptoUtil.Assert(memoryStream.TryGetBuffer(out underlyingBuffer), "Underlying buffer isn't exposable."); + fixed (byte* __unused__ = underlyingBuffer.Array) // try to limit this moving around in memory while we allocate + { + try + { + return new Secret(underlyingBuffer); + } + finally + { + Array.Clear(underlyingBuffer.Array, underlyingBuffer.Offset, underlyingBuffer.Count); + } + } +#endif + } + + /// + /// Converts a provided by the DPAPI routines back into an . 
+ /// + public static XElement ToXElement(this Secret secret) + { + byte[] plaintextSecret = new byte[secret.Length]; + fixed (byte* __unused__ = plaintextSecret) // try to keep the GC from moving it around + { + try + { + secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); + MemoryStream memoryStream = new MemoryStream(plaintextSecret, writable: false); + return XElement.Load(memoryStream); + } + finally + { + Array.Clear(plaintextSecret, 0, plaintextSecret.Length); + } + } + } + + private static bool DoesElementOrDescendentRequireDecryption(XElement element) + { + return element.DescendantsAndSelf(XmlConstants.EncryptedSecretElementName).Any(); + } + + private static bool DoesElementOrDescendentRequireEncryption(XElement element) + { + return element.DescendantsAndSelf().Any(DoesSingleElementRequireEncryption); + } + + private static bool DoesSingleElementRequireEncryption(XElement element) + { + return element.IsMarkedAsRequiringEncryption(); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs new file mode 100644 index 0000000000..6021878bc9 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs 
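Review bot: `DecryptElement` takes the decryptor type name directly from the `XmlConstants.DecryptorTypeAttributeName` attribute of the stored XML and passes it to `activator.CreateInstance(decryptorTypeName)`, so the contents of the key repository decide which type is instantiated. The `IActivator` implementation is not part of this hunk; if it does not already restrict activation to `IXmlDecryptor` implementations, that check belongs there, and this method should carry a doc comment saying the input must come from a trusted, write-protected store. A missing attribute leaves `decryptorTypeName` null and it is passed on unchecked; `CryptoUtil.Assert(decryptorTypeName != null, "Missing decryptor type attribute.");` would fail with a clearer message. In `ToSecret`, the `MemoryStream` starts at 16 KB and reallocates if the serialized element is larger, and only the final buffer is cleared, so earlier copies of the plaintext remain on the heap until collected; a comment noting that limitation would help.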
@@ -0,0 +1,30 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Contains helpers to work with XElement objects. + /// + internal static class XmlExtensions + { + /// + /// Returns a new XElement which is a carbon copy of the provided element, + /// but with no child nodes. Useful for writing exception messages without + /// inadvertently disclosing secret key material. It is assumed that the + /// element name itself and its attribute values are not secret. + /// + public static XElement WithoutChildNodes(this XElement element) + { + var newElement = new XElement(element.Name); + foreach (var attr in element.Attributes()) + { + newElement.SetAttributeValue(attr.Name, attr.Value); + } + return newElement; + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index eb11984e4d..8de03164c8 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json 
@@ -3,19 +3,25 @@ "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.Framework.DependencyInjection": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Interfaces": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" }, + "Microsoft.Framework.DependencyInjection.Interfaces": "1.0.0-*", + "Microsoft.Framework.Logging.Interfaces": "1.0.0-*", + "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, "Microsoft.Framework.OptionsModel": "1.0.0-*" }, "frameworks": { "net451": { - "frameworkAssemblies": { + "frameworkAssemblies": { + "System.Runtime": { "version": "", "type": "build" }, "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" } }, "dnx451": { - "frameworkAssemblies": { + "frameworkAssemblies": { + "System.Runtime": { "version": "", "type": "build" }, "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" @@ -25,6 +31,8 @@ "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", "System.IO": "4.0.10-beta-*", + "System.Linq": "4.0.0-beta-*", + "System.Reflection.Extensions": "4.0.0-beta-*", "System.Reflection.TypeExtensions": "4.0.0-beta-*", "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs new file mode 100644 index 0000000000..74f9da1b98 --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs 
@@ -0,0 +1,36 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Xunit; + +namespace Microsoft.AspNet.Cryptography.Cng +{ + public unsafe class BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests + { + [Fact] + public void Init_SetsProperties() + { + // Arrange + BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO cipherModeInfo; + + // Act + BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out cipherModeInfo); + + // Assert + Assert.Equal((uint)sizeof(BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO), cipherModeInfo.cbSize); + Assert.Equal(1U, cipherModeInfo.dwInfoVersion); + Assert.Equal(IntPtr.Zero, (IntPtr)cipherModeInfo.pbNonce); + Assert.Equal(0U, cipherModeInfo.cbNonce); + Assert.Equal(IntPtr.Zero, (IntPtr)cipherModeInfo.pbAuthData); + Assert.Equal(0U, cipherModeInfo.cbAuthData); + Assert.Equal(IntPtr.Zero, (IntPtr)cipherModeInfo.pbTag); + Assert.Equal(0U, cipherModeInfo.cbTag); + Assert.Equal(IntPtr.Zero, (IntPtr)cipherModeInfo.pbMacContext); + Assert.Equal(0U, cipherModeInfo.cbMacContext); + Assert.Equal(0U, cipherModeInfo.cbAAD); + Assert.Equal(0UL, cipherModeInfo.cbData); + Assert.Equal(0U, cipherModeInfo.dwFlags); + } + } +} diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs new file mode 100644 index 0000000000..9817dcb205 --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs 
@@ -0,0 +1,58 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Cryptography.Internal;
+using Microsoft.AspNet.Testing;
+using Xunit;
+
+namespace Microsoft.AspNet.Cryptography.Cng
+{
+ public class BCRYPT_KEY_LENGTHS_STRUCT_Tests
+ {
+ [Theory]
+ [InlineData(128, 128, 0, 128)]
+ [InlineData(128, 256, 64, 128)]
+ [InlineData(128, 256, 64, 192)]
+ [InlineData(128, 256, 64, 256)]
+ public void EnsureValidKeyLength_SuccessCases(int minLength, int maxLength, int increment, int testValue)
+ {
+ // Arrange
+ var keyLengthsStruct = new BCRYPT_KEY_LENGTHS_STRUCT
+ {
+ dwMinLength = (uint)minLength,
+ dwMaxLength = (uint)maxLength,
+ dwIncrement = (uint)increment
+ };
+
+ // Act
+ keyLengthsStruct.EnsureValidKeyLength((uint)testValue);
+
+ // Assert
+ // Nothing to do - if we got this far without throwing, success!
+ }
+
+ [Theory]
+ [InlineData(128, 128, 0, 192)]
+ [InlineData(128, 256, 64, 64)]
+ [InlineData(128, 256, 64, 512)]
+ [InlineData(128, 256, 64, 160)]
+ [InlineData(128, 256, 64, 129)]
+ public void EnsureValidKeyLength_FailureCases(int minLength, int maxLength, int increment, int testValue)
+ {
+ // Arrange
+ var keyLengthsStruct = new BCRYPT_KEY_LENGTHS_STRUCT
+ {
+ dwMinLength = (uint)minLength,
+ dwMaxLength = (uint)maxLength,
+ dwIncrement = (uint)increment
+ };
+
+ // Act & assert
+ ExceptionAssert.ThrowsArgumentOutOfRange(
+ () => keyLengthsStruct.EnsureValidKeyLength((uint)testValue),
+ paramName: "keyLengthInBits",
+ exceptionMessage: Resources.FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(testValue, minLength, maxLength, increment));
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
new file mode 100644
index 0000000000..4166f51e32
--- /dev/null
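Review bot: The only rows with `dwIncrement = 0` have `minLength == maxLength` (`[InlineData(128, 128, 0, 128)]` and `[InlineData(128, 128, 0, 192)]`), so a zero increment combined with a real range is never exercised. EnsureValidKeyLength is not part of this hunk; if it validates the step with a modulo, that combination could raise DivideByZeroException rather than the ArgumentOutOfRangeException the failure theory expects. A row such as `[InlineData(128, 256, 0, 192)]`, placed in whichever theory matches the intended outcome, would pin the behaviour. A `testValue` of 0 is also worth adding to the failure cases.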
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using Microsoft.AspNet.DataProtection.Test.Shared;
+using Microsoft.AspNet.Testing.xunit;
+using Xunit;
+
+namespace Microsoft.AspNet.Cryptography.Cng
+{
+ public unsafe class BCryptUtilTests
+ {
+ [ConditionalFact]
+ [ConditionalRunTestOnlyOnWindows]
+ public void GenRandom_PopulatesBuffer()
+ {
+ // Arrange
+ byte[] bytes = new byte[sizeof(Guid) + 6];
+ bytes[0] = 0x04; // leading canary
+ bytes[1] = 0x10;
+ bytes[2] = 0xE4;
+ bytes[sizeof(Guid) + 3] = 0xEA; // trailing canary
+ bytes[sizeof(Guid) + 4] = 0xF2;
+ bytes[sizeof(Guid) + 5] = 0x6A;
+
+ fixed (byte* pBytes = &bytes[3])
+ {
+ for (int i = 0; i < 100; i++)
+ {
+ // Act
+ BCryptUtil.GenRandom(pBytes, (uint)sizeof(Guid));
+
+ // Check that the canaries haven't changed
+ Assert.Equal(0x04, bytes[0]);
+ Assert.Equal(0x10, bytes[1]);
+ Assert.Equal(0xE4, bytes[2]);
+ Assert.Equal(0xEA, bytes[sizeof(Guid) + 3]);
+ Assert.Equal(0xF2, bytes[sizeof(Guid) + 4]);
+ Assert.Equal(0x6A, bytes[sizeof(Guid) + 5]);
+
+ // Check that the buffer was actually filled.
+ // This check will fail once every 2**128 runs, which is insignificant.
+ Guid newGuid = new Guid(bytes.Skip(3).Take(sizeof(Guid)).ToArray());
+ Assert.NotEqual(Guid.Empty, newGuid);
+
+ // Check that the first and last bytes of the buffer are not zero, which indicates that they
+ // were in fact filled. This check will fail around 0.8% of the time, so we'll iterate up
+ // to 100 times, which puts the total failure rate at once every 2**700 runs,
+ // which is insignificant.
+ if (bytes[3] != 0x00 && bytes[18] != 0x00)
+ {
+ return; // success!
+ }
+ }
+ }
+
+ Assert.True(false, "Buffer was not filled as expected.");
+ }
+ }
+}
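Review bot: The fill check `if (bytes[3] != 0x00 && bytes[18] != 0x00)` hard-codes the index of the last random byte, while every other offset in GenRandom_PopulatesBuffer is written relative to `sizeof(Guid)`. Writing it as `if (bytes[3] != 0x00 && bytes[sizeof(Guid) + 2] != 0x00)` keeps the check tied to the buffer layout, so a later change to the buffer length or canary width cannot leave it pointing at a canary or an interior byte. The canary assertions around the call are a good guard against GenRandom writing outside the requested range.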
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs new file mode 100644 index 0000000000..dd5547efeb --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs 
@@ -0,0 +1,189 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Text; +using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNet.DataProtection.Test.Shared; +using Microsoft.AspNet.Testing.xunit; +using Xunit; + +namespace Microsoft.AspNet.Cryptography.Cng +{ + // This class tests both the properties and the output of hash algorithms. + // It only tests the properties of the encryption algorithms. + // Output of the encryption and key derivatoin functions are tested by other projects. + public unsafe class CachedAlgorithmHandlesTests + { + private static readonly byte[] _dataToHash = Encoding.UTF8.GetBytes("Sample input data."); + private static readonly byte[] _hmacKey = Encoding.UTF8.GetBytes("Secret key material."); + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void AES_CBC_Cached_Handle() + { + RunAesBlockCipherAlgorithmTest(() => CachedAlgorithmHandles.AES_CBC); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void AES_GCM_Cached_Handle() + { + RunAesBlockCipherAlgorithmTest(() => CachedAlgorithmHandles.AES_GCM); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void SHA1_Cached_Handle_No_HMAC() + { + RunHashAlgorithmTest_No_HMAC( + getter: () => CachedAlgorithmHandles.SHA1, + expectedAlgorithmName: "SHA1", + expectedBlockSizeInBytes: 512 / 8, + expectedDigestSizeInBytes: 160 / 8, + expectedDigest: "MbYo3dZmXtgUZcUoWoxkCDKFvkk="); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void SHA1_Cached_Handle_With_HMAC() + { + RunHashAlgorithmTest_With_HMAC( + getter: () => CachedAlgorithmHandles.HMAC_SHA1, + expectedAlgorithmName: "SHA1", + expectedBlockSizeInBytes: 512 / 8, + expectedDigestSizeInBytes: 160 / 8, + expectedDigest: "PjYTgLTWkt6NeH0NudIR7N47Ipg="); + } + + [ConditionalFact] + 
[ConditionalRunTestOnlyOnWindows] + public void SHA256_Cached_Handle_No_HMAC() + { + RunHashAlgorithmTest_No_HMAC( + getter: () => CachedAlgorithmHandles.SHA256, + expectedAlgorithmName: "SHA256", + expectedBlockSizeInBytes: 512 / 8, + expectedDigestSizeInBytes: 256 / 8, + expectedDigest: "5uRfQadsrnUTa3/TEo5PP6SDZQkb9AcE4wNXDVcM0Fo="); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void SHA256_Cached_Handle_With_HMAC() + { + RunHashAlgorithmTest_With_HMAC( + getter: () => CachedAlgorithmHandles.HMAC_SHA256, + expectedAlgorithmName: "SHA256", + expectedBlockSizeInBytes: 512 / 8, + expectedDigestSizeInBytes: 256 / 8, + expectedDigest: "KLzo0lVg5gZkpL5D6Ck7QT8w4iuPCe/pGCrMcOXWbKY="); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void SHA512_Cached_Handle_No_HMAC() + { + RunHashAlgorithmTest_No_HMAC( + getter: () => CachedAlgorithmHandles.SHA512, + expectedAlgorithmName: "SHA512", + expectedBlockSizeInBytes: 1024 / 8, + expectedDigestSizeInBytes: 512 / 8, + expectedDigest: "jKI7WrcgPP7n2HAYOb8uFRi7xEsNG/BmdGd18dwwkIpqJ4Vmlk2b+8hssLyMQlprTSKVJNObSiYUqW5THS7okw=="); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void SHA512_Cached_Handle_With_HMAC() + { + RunHashAlgorithmTest_With_HMAC( + getter: () => CachedAlgorithmHandles.HMAC_SHA512, + expectedAlgorithmName: "SHA512", + expectedBlockSizeInBytes: 1024 / 8, + expectedDigestSizeInBytes: 512 / 8, + expectedDigest: "pKTX5vtPtbsn7pX9ISDlOYr1NFklTBIPYAFICy0ZQbFc0QVzGaTUvtqTOi91I0sHa1DIod6uIogux5iLdHjfcA=="); + } + + private static void RunAesBlockCipherAlgorithmTest(Func getter) + { + // Getter must return the same instance of the cached handle + var algorithmHandle = getter(); + var algorithmHandleSecondAttempt = getter(); + Assert.NotNull(algorithmHandle); + Assert.Same(algorithmHandle, algorithmHandleSecondAttempt); + + // Validate that properties are what we expect + Assert.Equal("AES", algorithmHandle.GetAlgorithmName()); + 
Assert.Equal((uint)(128 / 8), algorithmHandle.GetCipherBlockLength()); + var supportedKeyLengths = algorithmHandle.GetSupportedKeyLengths(); + Assert.Equal(128U, supportedKeyLengths.dwMinLength); + Assert.Equal(256U, supportedKeyLengths.dwMaxLength); + Assert.Equal(64U, supportedKeyLengths.dwIncrement); + } + + private static void RunHashAlgorithmTest_No_HMAC( + Func getter, + string expectedAlgorithmName, + uint expectedBlockSizeInBytes, + uint expectedDigestSizeInBytes, + string expectedDigest) + { + // Getter must return the same instance of the cached handle + var algorithmHandle = getter(); + var algorithmHandleSecondAttempt = getter(); + Assert.NotNull(algorithmHandle); + Assert.Same(algorithmHandle, algorithmHandleSecondAttempt); + + // Validate that properties are what we expect + Assert.Equal(expectedAlgorithmName, algorithmHandle.GetAlgorithmName()); + Assert.Equal(expectedBlockSizeInBytes, algorithmHandle.GetHashBlockLength()); + Assert.Equal(expectedDigestSizeInBytes, algorithmHandle.GetHashDigestLength()); + + // Perform the digest calculation and validate against our expectation + var hashHandle = algorithmHandle.CreateHash(); + byte[] outputHash = new byte[expectedDigestSizeInBytes]; + fixed (byte* pInput = _dataToHash) + { + fixed (byte* pOutput = outputHash) + { + hashHandle.HashData(pInput, (uint)_dataToHash.Length, pOutput, (uint)outputHash.Length); + } + } + Assert.Equal(expectedDigest, Convert.ToBase64String(outputHash)); + } + + private static void RunHashAlgorithmTest_With_HMAC( + Func getter, + string expectedAlgorithmName, + uint expectedBlockSizeInBytes, + uint expectedDigestSizeInBytes, + string expectedDigest) + { + // Getter must return the same instance of the cached handle + var algorithmHandle = getter(); + var algorithmHandleSecondAttempt = getter(); + Assert.NotNull(algorithmHandle); + Assert.Same(algorithmHandle, algorithmHandleSecondAttempt); + + // Validate that properties are what we expect + Assert.Equal(expectedAlgorithmName, 
algorithmHandle.GetAlgorithmName()); + Assert.Equal(expectedBlockSizeInBytes, algorithmHandle.GetHashBlockLength()); + Assert.Equal(expectedDigestSizeInBytes, algorithmHandle.GetHashDigestLength()); + + // Perform the digest calculation and validate against our expectation + fixed (byte* pKey = _hmacKey) + { + var hashHandle = algorithmHandle.CreateHmac(pKey, (uint)_hmacKey.Length); + byte[] outputHash = new byte[expectedDigestSizeInBytes]; + fixed (byte* pInput = _dataToHash) + { + fixed (byte* pOutput = outputHash) + { + hashHandle.HashData(pInput, (uint)_dataToHash.Length, pOutput, (uint)outputHash.Length); + } + } + Assert.Equal(expectedDigest, Convert.ToBase64String(outputHash)); + } + } + } +} diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs new file mode 100644 index 0000000000..1ddd951e7f --- /dev/null +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs 
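Review bot: The hash objects returned by `algorithmHandle.CreateHash()` and `algorithmHandle.CreateHmac(pKey, (uint)_hmacKey.Length)` in RunHashAlgorithmTest_No_HMAC and RunHashAlgorithmTest_With_HMAC are never disposed. Their types are not visible in this hunk, but if they are SafeHandle wrappers as the imported SafeHandles namespace suggests, the native hash state (keyed, in the HMAC case) stays allocated until finalization. Wrapping them, e.g. `using (var hashHandle = algorithmHandle.CreateHmac(pKey, (uint)_hmacKey.Length))`, releases it deterministically. The same applies to the handles allocated in SecureLocalAllocHandleTests.Duplicate_Copies_Data and through the LocalAlloc helper in UnsafeBufferUtilTests. The class comment also has a typo, "derivatoin".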
@@ -0,0 +1,54 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Xunit;
+
+namespace Microsoft.AspNet.Cryptography
+{
+ public unsafe class CryptoUtilTests
+ {
+ [Fact]
+ public void TimeConstantBuffersAreEqual_Array_Equal()
+ {
+ // Arrange
+ byte[] a = new byte[] { 0x01, 0x23, 0x45, 0x67 };
+ byte[] b = new byte[] { 0xAB, 0xCD, 0x23, 0x45, 0x67, 0xEF };
+
+ // Act & assert
+ Assert.True(CryptoUtil.TimeConstantBuffersAreEqual(a, 1, 3, b, 2, 3));
+ }
+
+ [Fact]
+ public void TimeConstantBuffersAreEqual_Array_Unequal()
+ {
+ byte[] a = new byte[] { 0x01, 0x23, 0x45, 0x67 };
+ byte[] b = new byte[] { 0xAB, 0xCD, 0x23, 0xFF, 0x67, 0xEF };
+
+ // Act & assert
+ Assert.False(CryptoUtil.TimeConstantBuffersAreEqual(a, 1, 3, b, 2, 3));
+ }
+
+ [Fact]
+ public void TimeConstantBuffersAreEqual_Pointers_Equal()
+ {
+ // Arrange
+ uint a = 0x01234567;
+ uint b = 0x01234567;
+
+ // Act & assert
+ Assert.True(CryptoUtil.TimeConstantBuffersAreEqual((byte*)&a, (byte*)&b, sizeof(uint)));
+ }
+
+ [Fact]
+ public void TimeConstantBuffersAreEqual_Pointers_Unequal()
+ {
+ // Arrange
+ uint a = 0x01234567;
+ uint b = 0x89ABCDEF;
+
+ // Act & assert
+ Assert.False(CryptoUtil.TimeConstantBuffersAreEqual((byte*)&a, (byte*)&b, sizeof(uint)));
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
new file mode 100644
index 0000000000..f892af7d63
--- /dev/null
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
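Review bot: The unequal cases leave the edges of the compared range untested: TimeConstantBuffersAreEqual_Array_Unequal differs only in the middle byte (`0xFF` against `0x45`), and the pointer case differs in every byte. A comparison that skipped the first or last byte, or returned after the first matching byte, would still pass. Add array cases that differ only in the first and only in the last compared byte, plus a zero-length comparison. These tests check the boolean result only and cannot show that timing is data-independent, which a class comment should state, e.g. `// Functional checks only; constant-time behaviour is not verified here.` TimeConstantBuffersAreEqual_Array_Unequal also lacks the `// Arrange` marker the other three tests carry.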
@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Xunit;
+
+namespace Microsoft.AspNet.Cryptography.SafeHandles
+{
+ public unsafe class SecureLocalAllocHandleTests
+ {
+ [Fact]
+ public void Duplicate_Copies_Data()
+ {
+ // Arrange
+ const string expected = "xyz";
+ int cbExpected = expected.Length * sizeof(char);
+ var controlHandle = SecureLocalAllocHandle.Allocate((IntPtr)cbExpected);
+ for (int i = 0; i < expected.Length; i++)
+ {
+ ((char*)controlHandle.DangerousGetHandle())[i] = expected[i];
+ }
+
+ // Act
+ var duplicateHandle = controlHandle.Duplicate();
+
+ // Assert
+ Assert.Equal(expected, new string((char*)duplicateHandle.DangerousGetHandle(), 0, expected.Length)); // contents the same data
+ Assert.NotEqual(controlHandle.DangerousGetHandle(), duplicateHandle.DangerousGetHandle()); // shouldn't just point to the same memory location
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
new file mode 100644
index 0000000000..9835b11131
--- /dev/null
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
@@ -0,0 +1,162 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Reflection; +using System.Runtime.InteropServices; +using Microsoft.AspNet.Cryptography.SafeHandles; +using Xunit; + +namespace Microsoft.AspNet.Cryptography +{ + public unsafe class UnsafeBufferUtilTests + { + [Fact] + public void BlockCopy_PtrToPtr_IntLength() + { + // Arrange + long x = 0x0123456789ABCDEF; + long y = 0; + + // Act + UnsafeBufferUtil.BlockCopy(from: &x, to: &y, byteCount: (int)sizeof(long)); + + // Assert + Assert.Equal(x, y); + } + + [Fact] + public void BlockCopy_PtrToPtr_UIntLength() + { + // Arrange + long x = 0x0123456789ABCDEF; + long y = 0; + + // Act + UnsafeBufferUtil.BlockCopy(from: &x, to: &y, byteCount: (uint)sizeof(long)); + + // Assert + Assert.Equal(x, y); + } + + [Fact] + public void BlockCopy_HandleToHandle() + { + // Arrange + const string expected = "Hello there!"; + int cbExpected = expected.Length * sizeof(char); + var controlHandle = LocalAlloc(cbExpected); + for (int i = 0; i < expected.Length; i++) + { + ((char*)controlHandle.DangerousGetHandle())[i] = expected[i]; + } + var testHandle = LocalAlloc(cbExpected); + + // Act + UnsafeBufferUtil.BlockCopy(from: controlHandle, to: testHandle, length: (IntPtr)cbExpected); + + // Assert + string actual = new string((char*)testHandle.DangerousGetHandle(), 0, expected.Length); + GC.KeepAlive(testHandle); + Assert.Equal(expected, actual); + } + + [Fact] + public void BlockCopy_HandleToPtr() + { + // Arrange + const string expected = "Hello there!"; + int cbExpected = expected.Length * sizeof(char); + var controlHandle = LocalAlloc(cbExpected); + for (int i = 0; i < expected.Length; i++) + { + ((char*)controlHandle.DangerousGetHandle())[i] = expected[i]; + } + char* dest = stackalloc char[expected.Length]; + + // Act + UnsafeBufferUtil.BlockCopy(from: 
controlHandle, to: dest, byteCount: (uint)cbExpected); + + // Assert + string actual = new string(dest, 0, expected.Length); + Assert.Equal(expected, actual); + } + + [Fact] + public void BlockCopy_PtrToHandle() + { + // Arrange + const string expected = "Hello there!"; + int cbExpected = expected.Length * sizeof(char); + var testHandle = LocalAlloc(cbExpected); + + // Act + fixed (char* pExpected = expected) + { + UnsafeBufferUtil.BlockCopy(from: pExpected, to: testHandle, byteCount: (uint)cbExpected); + } + + // Assert + string actual = new string((char*)testHandle.DangerousGetHandle(), 0, expected.Length); + GC.KeepAlive(testHandle); + Assert.Equal(expected, actual); + } + + [Fact] + public void SecureZeroMemory_IntLength() + { + // Arrange + long x = 0x0123456789ABCDEF; + + // Act + UnsafeBufferUtil.SecureZeroMemory((byte*)&x, byteCount: (int)sizeof(long)); + + // Assert + Assert.Equal(0, x); + } + + [Fact] + public void SecureZeroMemory_UIntLength() + { + // Arrange + long x = 0x0123456789ABCDEF; + + // Act + UnsafeBufferUtil.SecureZeroMemory((byte*)&x, byteCount: (uint)sizeof(long)); + + // Assert + Assert.Equal(0, x); + } + + [Fact] + public void SecureZeroMemory_ULongLength() + { + // Arrange + long x = 0x0123456789ABCDEF; + + // Act + UnsafeBufferUtil.SecureZeroMemory((byte*)&x, byteCount: (ulong)sizeof(long)); + + // Assert + Assert.Equal(0, x); + } + + [Fact] + public void SecureZeroMemory_IntPtrLength() + { + // Arrange + long x = 0x0123456789ABCDEF; + + // Act + UnsafeBufferUtil.SecureZeroMemory((byte*)&x, length: (IntPtr)sizeof(long)); + + // Assert + Assert.Equal(0, x); + } + + private static LocalAllocHandle LocalAlloc(int cb) + { + return SecureLocalAllocHandle.Allocate((IntPtr)cb); + } + } +} diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index 6f59035881..d34f53f281 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json 
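Review bot: Every SecureZeroMemory test, and the two pointer-to-pointer BlockCopy tests, operate on a local of exactly `sizeof(long)` bytes and assert only on that local, so a helper that wrote past `byteCount` would go unnoticed. GenRandom_PopulatesBuffer in BCryptUtilTests guards its buffer with canary bytes, and the same pattern fits here. A case that clears the interior of a byte array and asserts that the surrounding bytes are untouched would cover the overrun, as sketched below for the `uint` overload.

```csharp
[Fact]
public void SecureZeroMemory_DoesNotWriteOutsideRange()
{
    // Arrange: one canary byte on each side of the 4-byte range to clear
    byte[] bytes = new byte[] { 0xA5, 0x01, 0x02, 0x03, 0x04, 0x5A };

    // Act
    fixed (byte* pBytes = &bytes[1])
    {
        UnsafeBufferUtil.SecureZeroMemory(pBytes, byteCount: (uint)4);
    }

    // Assert
    Assert.Equal(new byte[] { 0xA5, 0x00, 0x00, 0x00, 0x00, 0x5A }, bytes);
}
```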
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -1,6 +1,7 @@ { "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, "Microsoft.AspNet.Testing": "1.0.0-*", "xunit.runner.kre": "1.0.0-*" }, @@ -9,5 +10,8 @@ }, "commands": { "test": "xunit.runner.kre" + }, + "compilationOptions": { + "allowUnsafe": true } } diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs deleted file mode 100644 index e435d081dc..0000000000 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs +++ /dev/null 
@@ -1,58 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Globalization; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.Testing.xunit; - -namespace Microsoft.AspNet.Cryptography -{ - public class ConditionalRunTestOnlyIfBcryptAvailableAttribute : Attribute, ITestCondition - { - private static readonly SafeLibraryHandle _bcryptLibHandle = GetBCryptLibHandle(); - - private readonly string _requiredExportFunction; - - public ConditionalRunTestOnlyIfBcryptAvailableAttribute(string requiredExportFunction = null) - { - _requiredExportFunction = requiredExportFunction; - } - - public bool IsMet - { - get - { - if (_bcryptLibHandle == null) - { - return false; // no bcrypt.dll available - } - - return (_requiredExportFunction == null || _bcryptLibHandle.DoesProcExist(_requiredExportFunction)); - } - } - - public string SkipReason - { - get - { - return (_bcryptLibHandle != null) - ? String.Format(CultureInfo.InvariantCulture, "Export {0} not found in bcrypt.dll", _requiredExportFunction) - : "bcrypt.dll not found on this platform."; - } - } - - private static SafeLibraryHandle GetBCryptLibHandle() - { - try - { - return SafeLibraryHandle.Open("bcrypt.dll"); - } - catch - { - // If we're not on an OS with BCRYPT.DLL, just bail. - return null; - } - } - } -} diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs index 6fc684797d..81b0908ce0 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs 
@@ -4,6 +4,7 @@ using System; using System.Text; using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; +using Microsoft.AspNet.DataProtection.Test.Shared; using Microsoft.AspNet.Testing.xunit; using Xunit; @@ -40,7 +41,8 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF. We only use 5 iterations so // that our unit tests are fast. - [Theory] + [ConditionalTheory] + [ConditionalRunTestOnlyOnWindows] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] @@ -67,7 +69,7 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation // this value straddles the digest length of the PRF. We only use 5 iterations so // that our unit tests are fast. [ConditionalTheory] - [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + [ConditionalRunTestOnlyOnWindows8OrLater] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] @@ -97,14 +99,14 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable("BCryptDeriveKeyPBKDF2")] + [ConditionalRunTestOnlyOnWindows] public void RunTest_WithLongPassword_Win7() { RunTest_WithLongPassword_Impl(); } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + [ConditionalRunTestOnlyOnWindows8OrLater] public void RunTest_WithLongPassword_Win8() { RunTest_WithLongPassword_Impl(); 
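Review bot: The old conditions `[ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")]` and `[ConditionalRunTestOnlyIfBcryptAvailable("BCryptDeriveKeyPBKDF2")]` probed bcrypt.dll for the export each test needs. Their replacements `[ConditionalRunTestOnlyOnWindows8OrLater]` and `[ConditionalRunTestOnlyOnWindows]` infer availability from the OS version instead. OSVersionUtil is not shown in this diff, so confirm that its answer matches export availability on the oldest supported system; if it can report true where the export is missing, these tests fail rather than skip. The first hunk also turns a plain `[Theory]` into a Windows-only test, and the method it decorates lies outside the hunk. If that method exercises a managed PBKDF2 implementation, it loses its coverage on other platforms. A comment on each attribute naming the CNG export it stands in for would keep the intent visible, e.g. `// requires BCryptKeyDerivation (Windows 8+)`.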
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index 90dcd88b09..7fbc91ad6c 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -2,6 +2,7 @@ "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": "", "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", "xunit.runner.kre": "1.0.0-*" diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs new file mode 100644 index 0000000000..268e3e1d21 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs 
@@ -0,0 +1,179 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Security.Cryptography; +using System.Text; +using Microsoft.AspNet.DataProtection.Interfaces; +using Microsoft.AspNet.Testing; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection +{ + public class DataProtectionExtensionsTests + { + [Theory] + [InlineData(new object[] { new string[0] })] + [InlineData(new object[] { new string[] { null } })] + [InlineData(new object[] { new string[] { "the next value is bad", null } })] + public void CreateProtector_ChainedAsIEnumerable_FailureCases(string[] purposes) + { + // Arrange + var mockProtector = new Mock(); + mockProtector.Setup(o => o.CreateProtector(It.IsAny())).Returns(mockProtector.Object); + var provider = mockProtector.Object; + + // Act & assert + ExceptionAssert.ThrowsArgument( + testCode: () => provider.CreateProtector((IEnumerable)purposes), + paramName: "purposes", + exceptionMessage: Resources.DataProtectionExtensions_NullPurposesCollection); + } + + [Theory] + [InlineData(new object[] { new string[] { null } })] + [InlineData(new object[] { new string[] { "the next value is bad", null } })] + public void CreateProtector_ChainedAsParams_FailureCases(string[] subPurposes) + { + // Arrange + var mockProtector = new Mock(); + mockProtector.Setup(o => o.CreateProtector(It.IsAny())).Returns(mockProtector.Object); + var provider = mockProtector.Object; + + // Act & assert + ExceptionAssert.ThrowsArgument( + testCode: () => provider.CreateProtector("primary-purpose", subPurposes), + paramName: "purposes", + exceptionMessage: Resources.DataProtectionExtensions_NullPurposesCollection); + } + + [Fact] + public void CreateProtector_ChainedAsIEnumerable_SuccessCase() + { + // Arrange + var finalExpectedProtector = new Mock().Object; + + 
var thirdMock = new Mock(); + thirdMock.Setup(o => o.CreateProtector("third")).Returns(finalExpectedProtector); + var secondMock = new Mock(); + secondMock.Setup(o => o.CreateProtector("second")).Returns(thirdMock.Object); + var firstMock = new Mock(); + firstMock.Setup(o => o.CreateProtector("first")).Returns(secondMock.Object); + + // Act + var retVal = firstMock.Object.CreateProtector((IEnumerable)new string[] { "first", "second", "third" }); + + // Assert + Assert.Same(finalExpectedProtector, retVal); + } + + [Fact] + public void CreateProtector_ChainedAsParams_NonEmptyParams_SuccessCase() + { + // Arrange + var finalExpectedProtector = new Mock().Object; + + var thirdMock = new Mock(); + thirdMock.Setup(o => o.CreateProtector("third")).Returns(finalExpectedProtector); + var secondMock = new Mock(); + secondMock.Setup(o => o.CreateProtector("second")).Returns(thirdMock.Object); + var firstMock = new Mock(); + firstMock.Setup(o => o.CreateProtector("first")).Returns(secondMock.Object); + + // Act + var retVal = firstMock.Object.CreateProtector("first", "second", "third"); + + // Assert + Assert.Same(finalExpectedProtector, retVal); + } + + [Theory] + [InlineData(new object[] { null })] + [InlineData(new object[] { new string[0] })] + public void CreateProtector_ChainedAsParams_EmptyParams_SuccessCases(string[] subPurposes) + { + // Arrange + var finalExpectedProtector = new Mock().Object; + var firstMock = new Mock(); + firstMock.Setup(o => o.CreateProtector("first")).Returns(finalExpectedProtector); + + // Act + var retVal = firstMock.Object.CreateProtector("first", subPurposes); + + // Assert + Assert.Same(finalExpectedProtector, retVal); + } + + [Fact] + public void Protect_InvalidUtf8_Failure() + { + // Arrange + Mock mockProtector = new Mock(); + + // Act & assert + var ex = Assert.Throws(() => + { + mockProtector.Object.Protect("Hello\ud800"); + }); + Assert.IsAssignableFrom(typeof(EncoderFallbackException), ex.InnerException); + } + + [Fact] + public void 
Protect_Success() + { + // Arrange + Mock mockProtector = new Mock(); + mockProtector.Setup(p => p.Protect(new byte[] { 0x48, 0x65, 0x6c, 0x6c, 0x6f })).Returns(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }); + + // Act + string retVal = mockProtector.Object.Protect("Hello"); + + // Assert + Assert.Equal("AQIDBAU", retVal); + } + + [Fact] + public void Unprotect_InvalidBase64BeforeDecryption_Failure() + { + // Arrange + Mock mockProtector = new Mock(); + + // Act & assert + var ex = Assert.Throws(() => + { + mockProtector.Object.Unprotect("A"); + }); + } + + [Fact] + public void Unprotect_InvalidUtf8AfterDecryption_Failure() + { + // Arrange + Mock mockProtector = new Mock(); + mockProtector.Setup(p => p.Unprotect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0xff }); + + // Act & assert + var ex = Assert.Throws(() => + { + mockProtector.Object.Unprotect("AQIDBAU"); + }); + Assert.IsAssignableFrom(typeof(DecoderFallbackException), ex.InnerException); + } + + [Fact] + public void Unprotect_Success() + { + // Arrange + Mock mockProtector = new Mock(); + mockProtector.Setup(p => p.Unprotect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x48, 0x65, 0x6c, 0x6c, 0x6f }); + + // Act + string retVal = DataProtectionExtensions.Unprotect(mockProtector.Object, "AQIDBAU"); + + // Assert + Assert.Equal("Hello", retVal); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.kproj b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.kproj new file mode 100644 index 0000000000..85d49cd927 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.kproj 
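Review bot: Unprotect_InvalidBase64BeforeDecryption_Failure assigns `var ex = Assert.Throws...` and never uses it, whereas Protect_InvalidUtf8_Failure and Unprotect_InvalidUtf8AfterDecryption_Failure both assert on `ex.InnerException`. The test name says the input is rejected before decryption, but nothing checks that the underlying protector was left untouched. Adding `mockProtector.Verify(p => p.Unprotect(It.IsAny<byte[]>()), Times.Never());` would pin that malformed input never reaches the protector. Either assert the expected inner exception type or drop the unused local. The generic type arguments are not visible in this rendering, so the exact exception type is not confirmed here.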
@@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + ff650a69-dee4-4b36-9e30-264ee7cfb478 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json new file mode 100644 index 0000000000..2be80d1ab4 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json @@ -0,0 +1,19 @@ +{ + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Interfaces": "1.0.0-*", + "Microsoft.AspNet.Testing": "1.0.0-*", + "Moq": "4.2.1312.1622", + "xunit.runner.kre": "1.0.0-*" + }, + "frameworks": { + "dnx451": { } + }, + "commands": { + "test": "xunit.runner.kre" + }, + "code": "**\\*.cs;..\\common\\**\\*.cs", + "compilationOptions": { + + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs new file mode 100644 index 0000000000..1a41ae9d7c --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs @@ -0,0 +1,16 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Testing.xunit; + +namespace Microsoft.AspNet.DataProtection.Test.Shared +{ + public class ConditionalRunTestOnlyOnWindows8OrLaterAttribute : Attribute, ITestCondition + { + public bool IsMet => OSVersionUtil.IsWindows8OrLater(); + + public string SkipReason { get; } = "Test requires Windows 8 / Windows Server 2012 or higher."; + } +} 
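Review bot: The file ConditionalRunTestOnlyWindows8OrLaterAttribute.cs declares `ConditionalRunTestOnlyOnWindows8OrLaterAttribute`, so the file name drops the "On" that the type name carries. ConditionalRunTestOnlyWindowsAttribute.cs has the same mismatch with `ConditionalRunTestOnlyOnWindowsAttribute`. Renaming the files to match the types keeps them findable by type name. Neither attribute has a doc comment; a `/// <summary>` stating what IsMet checks and why the tests need it (which CNG functionality is assumed) would help readers of a skipped test.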
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
new file mode 100644
index 0000000000..37b05192be
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
@@ -0,0 +1,16 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Cryptography.Cng;
+using Microsoft.AspNet.Testing.xunit;
+
+namespace Microsoft.AspNet.DataProtection.Test.Shared
+{
+ public class ConditionalRunTestOnlyOnWindowsAttribute : Attribute, ITestCondition
+ {
+ public bool IsMet => OSVersionUtil.IsWindows();
+
+ public string SkipReason { get; } = "Test requires Windows 7 / Windows Server 2008 R2 or higher.";
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs b/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs
new file mode 100644
index 0000000000..79c53bb99f
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs
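Review bot: `SkipReason` promises a minimum version ("Test requires Windows 7 / Windows Server 2008 R2 or higher.") while `IsMet` is `OSVersionUtil.IsWindows()`, whose name suggests a platform check with no version floor. OSVersionUtil is outside this hunk, so this may already hold. If IsWindows() enforces the Windows 7 floor, say so on the property: `// IsWindows() is true only on Windows 7 / Server 2008 R2 and later`. Otherwise, make the condition and the message agree.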
@@ -0,0 +1,37 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Xunit; + +namespace Microsoft.AspNet.Testing +{ + internal static class ExceptionAssert2 + { + /// + /// Verifies that the code throws an . + /// + /// A delegate to the code to be tested + /// The name of the parameter that should throw the exception + /// The that was thrown, when successful + /// Thrown when an exception was not thrown, or when an exception of the incorrect type is thrown + public static ArgumentNullException ThrowsArgumentNull(Action testCode, string paramName) + { + var ex = Assert.Throws(testCode); + Assert.Equal(paramName, ex.ParamName); + return ex; + } + + /// + /// Verifies that the code throws a . + /// + /// A delegate to the code to be tested + /// The that was thrown, when successful + /// Thrown when an exception was not thrown, or when an exception of the incorrect type is thrown + public static CryptographicException ThrowsCryptographicException(Action testCode) + { + return Assert.Throws(testCode); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.kproj b/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.kproj new file mode 100644 index 0000000000..35909b7c73 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.kproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 4f14ba2a-4f04-4676-8586-ec380977ee2e + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + 
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json new file mode 100644 index 0000000000..03f270e861 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json @@ -0,0 +1,17 @@ +{ + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.Testing": "1.0.0-*", + "xunit.runner.kre": "1.0.0-*" + }, + "frameworks": { + "dnx451": { }, + "dnxcore50": { } + }, + "commands": { + + }, + "compilationOptions": { + }, + "shared": "**\\*.cs" +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs new file mode 100644 index 0000000000..ae0fdba4df --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs 
@@ -0,0 +1,116 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Framework.DependencyInjection; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection +{ + public class ActivatorTests + { + [Fact] + public void CreateInstance_WithServiceProvider_PrefersParameterfulCtor() + { + // Arrange + var serviceCollection = new ServiceCollection(); + var services = serviceCollection.BuildServiceProvider(); + var activator = services.GetActivator(); + + // Act + var retVal1 = (ClassWithParameterlessCtor)activator.CreateInstance(typeof(ClassWithParameterlessCtor).AssemblyQualifiedName); + var retVal2 = (ClassWithServiceProviderCtor)activator.CreateInstance(typeof(ClassWithServiceProviderCtor).AssemblyQualifiedName); + var retVal3 = (ClassWithBothCtors)activator.CreateInstance(typeof(ClassWithBothCtors).AssemblyQualifiedName); + + // Assert + Assert.NotNull(services); + Assert.NotNull(retVal1); + Assert.NotNull(retVal2); + Assert.Same(services, retVal2.Services); + Assert.NotNull(retVal3); + Assert.False(retVal3.ParameterlessCtorCalled); + Assert.Same(services, retVal3.Services); + } + + [Fact] + public void CreateInstance_WithoutServiceProvider_PrefersParameterlessCtor() + { + // Arrange + var activator = ((IServiceProvider)null).GetActivator(); + + // Act + var retVal1 = (ClassWithParameterlessCtor)activator.CreateInstance(typeof(ClassWithParameterlessCtor).AssemblyQualifiedName); + var retVal2 = (ClassWithServiceProviderCtor)activator.CreateInstance(typeof(ClassWithServiceProviderCtor).AssemblyQualifiedName); + var retVal3 = (ClassWithBothCtors)activator.CreateInstance(typeof(ClassWithBothCtors).AssemblyQualifiedName); + + // Assert + Assert.NotNull(retVal1); + Assert.NotNull(retVal2); + Assert.Null(retVal2.Services); + Assert.NotNull(retVal3); + 
Assert.True(retVal3.ParameterlessCtorCalled); + Assert.Null(retVal3.Services); + } + + + [Fact] + public void CreateInstance_TypeDoesNotImplementInterface_ThrowsInvalidCast() + { + // Arrange + var activator = ((IServiceProvider)null).GetActivator(); + + // Act & assert + var ex = Assert.Throws( + () => activator.CreateInstance(typeof(ClassWithParameterlessCtor).AssemblyQualifiedName)); + Assert.Equal(Resources.FormatTypeExtensions_BadCast(typeof(IDisposable).AssemblyQualifiedName, typeof(ClassWithParameterlessCtor).AssemblyQualifiedName), ex.Message); + } + + [Fact] + public void GetActivator_ServiceProviderHasActivator_ReturnsSameInstance() + { + // Arrange + var expectedActivator = new Mock().Object; + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(expectedActivator); + + // Act + var actualActivator = serviceCollection.BuildServiceProvider().GetActivator(); + + // Assert + Assert.Same(expectedActivator, actualActivator); + } + + private class ClassWithParameterlessCtor + { + } + + private class ClassWithServiceProviderCtor + { + public readonly IServiceProvider Services; + + public ClassWithServiceProviderCtor(IServiceProvider services) + { + Services = services; + } + } + + private class ClassWithBothCtors + { + public readonly IServiceProvider Services; + public readonly bool ParameterlessCtorCalled; + + public ClassWithBothCtors() + { + ParameterlessCtorCalled = true; + Services = null; + } + + public ClassWithBothCtors(IServiceProvider services) + { + ParameterlessCtorCalled = false; + Services = services; + } + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs new file mode 100644 index 0000000000..b0793bc5d2 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs 
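Review bot: `CreateInstance_TypeDoesNotImplementInterface_ThrowsInvalidCast` pins the exception type and message but not whether the mismatched type was constructed before the cast was rejected. The activator resolves types from assembly-qualified name strings, so that ordering matters for any caller that feeds it names from stored configuration. A probe class whose constructor sets a static flag, followed by an assertion on that flag, would pin it in either direction. There is also no case for a name that does not resolve to a type, so that failure mode is not covered by the visible tests. Separately, `Assert.NotNull(services)` in the first test checks the fixture rather than the result and could move to Arrange or be dropped.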
@@ -0,0 +1,87 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.ConstrainedExecution; +using System.Runtime.InteropServices; +using Microsoft.AspNet.Cryptography; +using Microsoft.Win32.SafeHandles; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Helpers for working with the anonymous Windows identity. + /// + internal static class AnonymousImpersonation + { + /// + /// Performs an action while impersonated under the anonymous user (NT AUTHORITY\ANONYMOUS LOGIN). + /// + public static void Run(Action callback) + { + using (var threadHandle = ThreadHandle.OpenCurrentThreadHandle()) + { + bool impersonated = false; + try + { + impersonated = ImpersonateAnonymousToken(threadHandle); + if (!impersonated) + { + Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); + } + callback(); + } + finally + { + if (impersonated && !RevertToSelf()) + { + Environment.FailFast("RevertToSelf() returned false!"); + } + } + } + } + + [DllImport("advapi32.dll", CallingConvention = CallingConvention.Winapi, SetLastError = true)] + private static extern bool ImpersonateAnonymousToken([In] ThreadHandle ThreadHandle); + + [DllImport("advapi32.dll", CallingConvention = CallingConvention.Winapi, SetLastError = true)] + private static extern bool RevertToSelf(); + + private sealed class ThreadHandle : SafeHandleZeroOrMinusOneIsInvalid + { + private ThreadHandle() + : base(ownsHandle: true) + { + } + + public static ThreadHandle OpenCurrentThreadHandle() + { + const int THREAD_ALL_ACCESS = 0x1FFFFF; + var handle = OpenThread( + dwDesiredAccess: THREAD_ALL_ACCESS, + bInheritHandle: false, +#pragma warning disable CS0618 // Type or member is obsolete + dwThreadId: (uint)AppDomain.GetCurrentThreadId()); +#pragma warning restore CS0618 // Type or member is obsolete + 
CryptoUtil.AssertSafeHandleIsValid(handle); + return handle; + } + + protected override bool ReleaseHandle() + { + return CloseHandle(handle); + } + + [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] + [DllImport("kernel32.dll", CallingConvention = CallingConvention.Winapi, SetLastError = true)] + private static extern bool CloseHandle( + [In] IntPtr hObject); + + [DllImport("kernel32.dll", CallingConvention = CallingConvention.Winapi, SetLastError = true)] + private static extern ThreadHandle OpenThread( + [In] uint dwDesiredAccess, + [In] bool bInheritHandle, + [In] uint dwThreadId); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs new file mode 100644 index 0000000000..829d478ede --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs 
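Review bot: `OpenCurrentThreadHandle` requests `THREAD_ALL_ACCESS` (0x1FFFFF), but the handle is only ever passed to `ImpersonateAnonymousToken`. Requesting just the impersonation right keeps the helper least-privilege and makes the intent readable: `const int THREAD_IMPERSONATE = 0x0100;` with `dwDesiredAccess: THREAD_IMPERSONATE`. Please confirm against the Win32 documentation that this right is sufficient for the call. A comment on `Run` would also help, noting that `callback` executes as NT AUTHORITY\ANONYMOUS LOGON and that a failed `RevertToSelf()` terminates the process deliberately, so the thread can never continue under the wrong identity.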
@@ -0,0 +1,40 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class AuthenticatedEncryptorDescriptorDeserializerTests + { + [Fact] + public void ImportFromXml_Cbc_CreatesAppropriateDescriptor() + { + // Arrange + var control = new AuthenticatedEncryptorDescriptor( + new AuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = EncryptionAlgorithm.AES_192_CBC, + ValidationAlgorithm = ValidationAlgorithm.HMACSHA512 + }, + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + + const string xml = @" + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + "; + var test = new AuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + + // Act & assert + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs new file mode 100644 index 0000000000..d707579cbb --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs 
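Review bot: `ImportFromXml_Cbc_CreatesAppropriateDescriptor` proves only that an untouched ciphertext round-trips, which an encryptor with no working authentication would also pass. For an authenticated-encryption descriptor the more important check is that modified input is rejected, for example `ciphertext[ciphertext.Length - 1] ^= 0x01;` followed by `ExceptionAssert2.ThrowsCryptographicException(() => test.Decrypt(...))`, plus the same with a changed `aad`. That assumes `Decrypt` signals failure with `CryptographicException` and that the shared helper is visible to this project. The CngCbc and CngGcm deserializer tests and the three `RoundTripsData` theories in AuthenticatedEncryptorDescriptorTests.cs share this shape. Tamper coverage may already exist in the encryptor tests outside this patch view. The base64 master key literal also recurs across these files and would be clearer as one shared constant commented as a test-only value.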
@@ -0,0 +1,161 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Globalization; +using System.Security.Cryptography; +using System.Text.RegularExpressions; +using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Managed; +using Microsoft.AspNet.DataProtection.Test.Shared; +using Microsoft.AspNet.Testing.xunit; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class AuthenticatedEncryptorDescriptorTests + { + [ConditionalTheory] + [ConditionalRunTestOnlyOnWindows] + [InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)] + [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA256)] + [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256)] + [InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA512)] + [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512)] + [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512)] + public void CreateAuthenticatedEncryptor_RoundTripsData_CngCbcImplementation(EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm) + { + // Parse test input + int keyLengthInBits = Int32.Parse(Regex.Match(encryptionAlgorithm.ToString(), @"^AES_(?\d{3})_CBC$").Groups["keyLength"].Value, CultureInfo.InvariantCulture); + string hashAlgorithm = Regex.Match(validationAlgorithm.ToString(), @"^HMAC(?.*)$").Groups["hashAlgorithm"].Value; + + // Arrange + var masterKey = Secret.Random(512 / 8); + var control = new CbcAuthenticatedEncryptor( + keyDerivationKey: masterKey, + symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, + symmetricAlgorithmKeySizeInBytes: 
(uint)(keyLengthInBits / 8), + hmacAlgorithmHandle: BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hmac: true)); + var test = CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey).CreateEncryptorInstance(); + + // Act & assert - data round trips properly from control to test + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + + [ConditionalTheory] + [ConditionalRunTestOnlyOnWindows] + [InlineData(EncryptionAlgorithm.AES_128_GCM)] + [InlineData(EncryptionAlgorithm.AES_192_GCM)] + [InlineData(EncryptionAlgorithm.AES_256_GCM)] + public void CreateAuthenticatedEncryptor_RoundTripsData_CngGcmImplementation(EncryptionAlgorithm encryptionAlgorithm) + { + // Parse test input + int keyLengthInBits = Int32.Parse(Regex.Match(encryptionAlgorithm.ToString(), @"^AES_(?\d{3})_GCM$").Groups["keyLength"].Value, CultureInfo.InvariantCulture); + + // Arrange + var masterKey = Secret.Random(512 / 8); + var control = new GcmAuthenticatedEncryptor( + keyDerivationKey: masterKey, + symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_GCM, + symmetricAlgorithmKeySizeInBytes: (uint)(keyLengthInBits / 8)); + var test = CreateDescriptor(encryptionAlgorithm, ValidationAlgorithm.HMACSHA256 /* unused */, masterKey).CreateEncryptorInstance(); + + // Act & assert - data round trips properly from control to test + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + + [Theory] + 
[InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)] + [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA256)] + [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256)] + [InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA512)] + [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512)] + [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512)] + public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation(EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm) + { + // Parse test input + int keyLengthInBits = Int32.Parse(Regex.Match(encryptionAlgorithm.ToString(), @"^AES_(?\d{3})_CBC$").Groups["keyLength"].Value, CultureInfo.InvariantCulture); + + // Arrange + var masterKey = Secret.Random(512 / 8); + var control = new ManagedAuthenticatedEncryptor( + keyDerivationKey: masterKey, + symmetricAlgorithmFactory: () => new AesCryptoServiceProvider(), + symmetricAlgorithmKeySizeInBytes: keyLengthInBits / 8, + validationAlgorithmFactory: () => KeyedHashAlgorithm.Create(validationAlgorithm.ToString())); + var test = CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey).CreateEncryptorInstance(); + + // Act & assert - data round trips properly from control to test + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + + [Fact] + public void ExportToXml_ProducesCorrectPayload_Cbc() + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, 
ValidationAlgorithm.HMACSHA512, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + const string expectedXml = @" + + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + "; + XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); + } + + [Fact] + public void ExportToXml_ProducesCorrectPayload_Gcm() + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + const string expectedXml = @" + + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + "; + XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); + } + + private static AuthenticatedEncryptorDescriptor CreateDescriptor(EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm, ISecret masterKey) + { + return new AuthenticatedEncryptorDescriptor(new AuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = encryptionAlgorithm, + ValidationAlgorithm = validationAlgorithm + }, masterKey); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs new file mode 100644 index 0000000000..12b4e75b2d --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs 
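Review bot: In `CreateAuthenticatedEncryptor_RoundTripsData_CngCbcImplementation` the result of `BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hmac: true)` is passed straight into the `CbcAuthenticatedEncryptor` constructor and never disposed. That leaves one native algorithm handle to the finalizer per theory row unless the encryptor takes ownership, which is not visible in this hunk. Consider `using (var hmacHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hmac: true))` around the test body, or a comment stating that the encryptor owns the handle. The key length and hash name are recovered by regex-matching the enum member's `ToString()`, so a non-matching name surfaces as a `FormatException` from `Int32.Parse`. An explicit `Assert.True(match.Success)` before parsing would make that failure self-explanatory.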
@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ public class CngCbcAuthenticatedEncryptorConfigurationTests
+ {
+ [Fact]
+ public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey()
+ {
+ // Arrange
+ var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions());
+
+ // Act
+ var masterKey1 = ((CngCbcAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey;
+ var masterKey2 = ((CngCbcAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey;
+
+ // Assert
+ SecretAssert.NotEqual(masterKey1, masterKey2);
+ SecretAssert.LengthIs(512 /* bits */, masterKey1);
+ SecretAssert.LengthIs(512 /* bits */, masterKey2);
+ }
+
+ [Fact]
+ public void CreateNewDescriptor_PropagatesOptions()
+ {
+ // Arrange
+ var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions());
+
+ // Act
+ var descriptor = (CngCbcAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor();
+
+ // Assert
+ Assert.Equal(configuration.Options, descriptor.Options);
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
new file mode 100644
index 0000000000..b0aede26e5
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
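Review bot: `CreateNewDescriptor_PropagatesOptions` builds the configuration from a default `CngCbcAuthenticatedEncryptionOptions()` and compares with `Assert.Equal`, so what it proves depends on whether the options type overrides `Equals`, which is not visible here. With value equality, a descriptor that silently fell back to fresh defaults would still pass. `Assert.Same(configuration.Options, descriptor.Options)` states the intent if reference identity is the contract. Otherwise set a non-default value such as `EncryptionAlgorithmKeySize = 192` before comparing. The CngGcm and Managed configuration tests later in the patch have the same shape.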
@@ -0,0 +1,47 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.Test.Shared; +using Microsoft.AspNet.Testing.xunit; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class CngCbcAuthenticatedEncryptorDescriptorDeserializerTests + { + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void ImportFromXml_CreatesAppropriateDescriptor() + { + // Arrange + var control = new CngCbcAuthenticatedEncryptorDescriptor( + new CngCbcAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = Constants.BCRYPT_AES_ALGORITHM, + EncryptionAlgorithmKeySize = 192, + EncryptionAlgorithmProvider = null, + HashAlgorithm = Constants.BCRYPT_SHA512_ALGORITHM, + HashAlgorithmProvider = null + }, + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + + const string xml = @" + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + "; + var test = new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + + // Act & assert + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + } +} 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs new file mode 100644 index 0000000000..baa19dde89 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs 
@@ -0,0 +1,69 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class CngCbcAuthenticatedEncryptorDescriptorTests + { + [Fact] + public void ExportToXml_WithProviders_ProducesCorrectPayload() + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = "enc-alg", + EncryptionAlgorithmKeySize = 2048, + EncryptionAlgorithmProvider = "enc-alg-prov", + HashAlgorithm = "hash-alg", + HashAlgorithmProvider = "hash-alg-prov" + }, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(CngCbcAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + const string expectedXml = @" + + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + "; + XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); + } + + [Fact] + public void ExportToXml_WithoutProviders_ProducesCorrectPayload() + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = "enc-alg", + EncryptionAlgorithmKeySize = 2048, + HashAlgorithm = "hash-alg" + }, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(CngCbcAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + const string expectedXml = @" + + + + + 
k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + "; + XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs new file mode 100644 index 0000000000..d3af69a74d --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs 
@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+{
+ public class CngGcmAuthenticatedEncryptorConfigurationTests
+ {
+ [Fact]
+ public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey()
+ {
+ // Arrange
+ var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions());
+
+ // Act
+ var masterKey1 = ((CngGcmAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey;
+ var masterKey2 = ((CngGcmAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey;
+
+ // Assert
+ SecretAssert.NotEqual(masterKey1, masterKey2);
+ SecretAssert.LengthIs(512 /* bits */, masterKey1);
+ SecretAssert.LengthIs(512 /* bits */, masterKey2);
+ }
+
+ [Fact]
+ public void CreateNewDescriptor_PropagatesOptions()
+ {
+ // Arrange
+ var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions());
+
+ // Act
+ var descriptor = (CngGcmAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor();
+
+ // Assert
+ Assert.Equal(configuration.Options, descriptor.Options);
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
new file mode 100644
index 0000000000..5e0c48d72b
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -0,0 +1,44 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.Test.Shared; +using Microsoft.AspNet.Testing.xunit; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class CngGcmAuthenticatedEncryptorDescriptorDeserializerTests + { + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void ImportFromXml_CreatesAppropriateDescriptor() + { + // Arrange + var control = new CngGcmAuthenticatedEncryptorDescriptor( + new CngGcmAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = Constants.BCRYPT_AES_ALGORITHM, + EncryptionAlgorithmKeySize = 192, + EncryptionAlgorithmProvider = null + }, + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + + const string xml = @" + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + "; + var test = new CngGcmAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + + // Act & assert + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + } +} 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs new file mode 100644 index 0000000000..96fd83afdb --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs 
@@ -0,0 +1,64 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class CngGcmAuthenticatedEncryptorDescriptorTests + { + [Fact] + public void ExportToXml_WithProviders_ProducesCorrectPayload() + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = "enc-alg", + EncryptionAlgorithmKeySize = 2048, + EncryptionAlgorithmProvider = "enc-alg-prov" + }, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(CngGcmAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + const string expectedXml = @" + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + "; + XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); + } + + [Fact] + public void ExportToXml_WithoutProviders_ProducesCorrectPayload() + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = "enc-alg", + EncryptionAlgorithmKeySize = 2048 + }, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(CngGcmAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + const string expectedXml = @" + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + "; + XmlAssert.Equal(expectedXml, 
retVal.SerializedDescriptorElement); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs new file mode 100644 index 0000000000..dcc8d365ee --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs @@ -0,0 +1,40 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class ManagedAuthenticatedEncryptorConfigurationTests + { + [Fact] + public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() + { + // Arrange + var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions()); + + // Act + var masterKey1 = ((ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; + var masterKey2 = ((ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; + + // Assert + SecretAssert.NotEqual(masterKey1, masterKey2); + SecretAssert.LengthIs(512 /* bits */, masterKey1); + SecretAssert.LengthIs(512 /* bits */, masterKey2); + } + + [Fact] + public void CreateNewDescriptor_PropagatesOptions() + { + // Arrange + var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions()); + + // Act + var descriptor = (ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); + + // Assert + Assert.Equal(configuration.Options, descriptor.Options); + } + } +} 
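Review bot: In `CreateNewDescriptor_PropagatesOptions` the check `Assert.Equal(configuration.Options, descriptor.Options)` only passes on value equality if `ManagedAuthenticatedEncryptionOptions` overrides `Equals`, which this hunk does not show. If the contract is that the descriptor carries the same options instance, `Assert.Same(configuration.Options, descriptor.Options);` states that directly. If a copy is allowed, the test should compare the individual properties (algorithm types and key size) so a silently defaulted field is caught.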
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
new file mode 100644
index 0000000000..6b249c1072
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -0,0 +1,81 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using System.Xml.Linq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class ManagedAuthenticatedEncryptorDescriptorDeserializerTests + { + [Theory] + [InlineData(typeof(Aes), typeof(HMACSHA1))] + [InlineData(typeof(Aes), typeof(HMACSHA256))] + [InlineData(typeof(Aes), typeof(HMACSHA384))] + [InlineData(typeof(Aes), typeof(HMACSHA512))] + public void ImportFromXml_BuiltInTypes_CreatesAppropriateDescriptor(Type encryptionAlgorithmType, Type validationAlgorithmType) + { + // Arrange + var control = new ManagedAuthenticatedEncryptorDescriptor( + new ManagedAuthenticatedEncryptionOptions() + { + EncryptionAlgorithmType = encryptionAlgorithmType, + EncryptionAlgorithmKeySize = 192, + ValidationAlgorithmType = validationAlgorithmType + }, + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + + string xml = String.Format(@" + + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + ", + encryptionAlgorithmType.Name, validationAlgorithmType.Name); + var test = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + + // Act & assert + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + + [Fact] + public void ImportFromXml_CustomType_CreatesAppropriateDescriptor() + { + // Arrange + var 
control = new ManagedAuthenticatedEncryptorDescriptor( + new ManagedAuthenticatedEncryptionOptions() + { + EncryptionAlgorithmType = typeof(AesCryptoServiceProvider), + EncryptionAlgorithmKeySize = 192, + ValidationAlgorithmType = typeof(HMACSHA384) + }, + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + + string xml = String.Format(@" + + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + ", + typeof(AesCryptoServiceProvider).AssemblyQualifiedName, typeof(HMACSHA384).AssemblyQualifiedName); + var test = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + + // Act & assert + byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; + byte[] aad = new byte[] { 2, 4, 6, 8, 0 }; + byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad)); + byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); + Assert.Equal(plaintext, roundTripPlaintext); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs new file mode 100644 index 0000000000..f944037880 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs 
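Review bot: `ImportFromXml_CustomType_CreatesAppropriateDescriptor` passes assembly-qualified type names from the XML to the deserializer, but only the happy path is exercised. Descriptor XML is read back from wherever keys are persisted, so a negative test is worth adding. A type name that resolves to something other than a `SymmetricAlgorithm` or `KeyedHashAlgorithm`, for example `typeof(string).AssemblyQualifiedName`, should make `ImportFromXml` or `CreateEncryptorInstance` throw rather than proceed. The deserializer is not part of this hunk, so which call throws and the exception type need to be confirmed against it.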
@@ -0,0 +1,115 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + public class ManagedAuthenticatedEncryptorDescriptorTests + { + [Fact] + public void ExportToXml_CustomTypes_ProducesCorrectPayload() + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionOptions() + { + EncryptionAlgorithmType = typeof(MySymmetricAlgorithm), + EncryptionAlgorithmKeySize = 2048, + ValidationAlgorithmType = typeof(MyKeyedHashAlgorithm) + }, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(ManagedAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + string expectedXml = String.Format(@" + + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + ", + typeof(MySymmetricAlgorithm).AssemblyQualifiedName, typeof(MyKeyedHashAlgorithm).AssemblyQualifiedName); + XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); + } + + [Theory] + [InlineData(typeof(Aes), typeof(HMACSHA1))] + [InlineData(typeof(Aes), typeof(HMACSHA256))] + [InlineData(typeof(Aes), typeof(HMACSHA384))] + [InlineData(typeof(Aes), typeof(HMACSHA512))] + public void ExportToXml_BuiltInTypes_ProducesCorrectPayload(Type encryptionAlgorithmType, Type validationAlgorithmType) + { + // Arrange + var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionOptions() + { + 
EncryptionAlgorithmType = encryptionAlgorithmType, + EncryptionAlgorithmKeySize = 2048, + ValidationAlgorithmType = validationAlgorithmType + }, masterKey); + + // Act + var retVal = descriptor.ExportToXml(); + + // Assert + Assert.Equal(typeof(ManagedAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); + string expectedXml = String.Format(@" + + + + + k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + + ", + encryptionAlgorithmType.Name, validationAlgorithmType.Name); + XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); + } + + private sealed class MySymmetricAlgorithm : SymmetricAlgorithm + { + public override ICryptoTransform CreateDecryptor(byte[] rgbKey, byte[] rgbIV) + { + throw new NotImplementedException(); + } + + public override ICryptoTransform CreateEncryptor(byte[] rgbKey, byte[] rgbIV) + { + throw new NotImplementedException(); + } + + public override void GenerateIV() + { + throw new NotImplementedException(); + } + + public override void GenerateKey() + { + throw new NotImplementedException(); + } + } + + private sealed class MyKeyedHashAlgorithm : KeyedHashAlgorithm + { + public override void Initialize() + { + throw new NotImplementedException(); + } + + protected override void HashCore(byte[] array, int ibStart, int cbSize) + { + throw new NotImplementedException(); + } + + protected override byte[] HashFinal() + { + throw new NotImplementedException(); + } + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs index 85a80c25af..8e0b8e4a8e 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs 
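Review bot: `ExportToXml_BuiltInTypes_ProducesCorrectPayload` pairs `typeof(Aes)` with `EncryptionAlgorithmKeySize = 2048`, which is not a key size AES accepts, and the custom-type test uses the same value. This looks deliberate, since the tests only check serialization, but nothing in the code says so. A comment on the assignment would stop a reader from copying the value as a real configuration, for example `// arbitrary value: ExportToXml is expected to serialize the options verbatim without validating them`. That expectation is inferred from the test and should be confirmed against the descriptor implementation.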
@@ -6,16 +6,16 @@ using System.Linq; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Test.Shared; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test.Cng +namespace Microsoft.AspNet.DataProtection.Cng { public class CbcAuthenticatedEncryptorTests { [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Encrypt_Decrypt_RoundTrips() { // Arrange @@ -36,7 +36,7 @@ namespace Microsoft.AspNet.DataProtection.Test.Cng } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Encrypt_Decrypt_Tampering_Fails() { // Arrange @@ -83,7 +83,7 @@ namespace Microsoft.AspNet.DataProtection.Test.Cng } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Encrypt_KnownKey() { // Arrange diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs index 1aa5a8afb7..84335935b2 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs 
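Review bot: Replacing `[ConditionalRunTestOnlyIfBcryptAvailable]` with `[ConditionalRunTestOnlyOnWindows]` on `Encrypt_Decrypt_RoundTrips`, `Encrypt_Decrypt_Tampering_Fails` and `Encrypt_KnownKey` changes the skip condition from a capability probe to a platform check, and the new attribute's definition is not in these hunks. The attribute deleted later in this patch loaded bcrypt.dll and could also require a named export. None of the usages shown here passed an export name, so the practical difference is probably small, but a test that needs a CNG feature missing on an older Windows build would now fail instead of skip. The same swap is made in CngAuthenticatedEncryptorBaseTests and GcmAuthenticatedEncryptorTests. A short comment on the new attribute stating the minimum CNG capability the suite assumes would document the decision. The test bodies continue outside these hunks.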
@@ -2,17 +2,17 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Test.Shared; using Microsoft.AspNet.Testing.xunit; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test.Cng +namespace Microsoft.AspNet.DataProtection.Cng { public unsafe class CngAuthenticatedEncryptorBaseTests { [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Decrypt_ForwardsArraySegment() { // Arrange @@ -38,7 +38,7 @@ namespace Microsoft.AspNet.DataProtection.Test.Cng } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Decrypt_HandlesEmptyAADPointerFixup() { // Arrange @@ -64,7 +64,7 @@ namespace Microsoft.AspNet.DataProtection.Test.Cng } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Decrypt_HandlesEmptyCiphertextPointerFixup() { // Arrange diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs index b5d1b757ad..80b57a14f1 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs 
@@ -6,16 +6,16 @@ using System.Linq; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNet.DataProtection.Test.Shared; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test.Cng +namespace Microsoft.AspNet.DataProtection.Cng { public class GcmAuthenticatedEncryptorTests { [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Encrypt_Decrypt_RoundTrips() { // Arrange @@ -33,7 +33,7 @@ namespace Microsoft.AspNet.DataProtection.Test.Cng } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Encrypt_Decrypt_Tampering_Fails() { // Arrange @@ -77,7 +77,7 @@ namespace Microsoft.AspNet.DataProtection.Test.Cng } [ConditionalFact] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] public void Encrypt_KnownKey() { // Arrange diff --git a/test/Microsoft.AspNet.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs b/test/Microsoft.AspNet.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs deleted file mode 100644 index 99e1762625..0000000000 --- a/test/Microsoft.AspNet.DataProtection.Test/ConditionalRunTestOnlyIfBcryptAvailableAttribute.cs +++ /dev/null 
@@ -1,58 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Globalization; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.Testing.xunit; - -namespace Microsoft.AspNet.DataProtection.Test -{ - public class ConditionalRunTestOnlyIfBcryptAvailableAttribute : Attribute, ITestCondition - { - private static readonly SafeLibraryHandle _bcryptLibHandle = GetBcryptLibHandle(); - - private readonly string _requiredExportFunction; - - public ConditionalRunTestOnlyIfBcryptAvailableAttribute(string requiredExportFunction = null) - { - _requiredExportFunction = requiredExportFunction; - } - - public bool IsMet - { - get - { - if (_bcryptLibHandle == null) - { - return false; // no bcrypt.dll available - } - - return (_requiredExportFunction == null || _bcryptLibHandle.DoesProcExist(_requiredExportFunction)); - } - } - - public string SkipReason - { - get - { - return (_bcryptLibHandle != null) - ? String.Format(CultureInfo.InvariantCulture, "Export {0} not found in bcrypt.dll", _requiredExportFunction) - : "bcrypt.dll not found on this platform."; - } - } - - private static SafeLibraryHandle GetBcryptLibHandle() - { - try - { - return SafeLibraryHandle.Open("bcrypt.dll"); - } - catch - { - // If we're not on an OS with BCRYPT.DLL, just bail. - return null; - } - } - } -} diff --git a/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs index c7f50b17cb..2b2c122265 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs 
@@ -2,12 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; -using System.Text; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test +namespace Microsoft.AspNet.DataProtection { public class DataProtectionExtensionsTests { 
@@ -38,113 +36,5 @@ namespace Microsoft.AspNet.DataProtection.Test // Assert Assert.Same(innerProtector, timeLimitedProtector.InnerProtector); } - - [Theory] - [InlineData(new object[] { null })] - [InlineData(new object[] { new string[0] })] - [InlineData(new object[] { new string[] { null } })] - [InlineData(new object[] { new string[] { "the next value is bad", "" } })] - public void CreateProtector_Chained_FailureCases(string[] purposes) - { - // Arrange - var mockProtector = new Mock(); - mockProtector.Setup(o => o.CreateProtector(It.IsAny())).Returns(mockProtector.Object); - var provider = mockProtector.Object; - - // Act & assert - var ex = Assert.Throws(() => provider.CreateProtector(purposes)); - ex.AssertMessage("purposes", Resources.DataProtectionExtensions_NullPurposesArray); - } - - [Fact] - public void CreateProtector_Chained_SuccessCase() - { - // Arrange - var finalExpectedProtector = new Mock().Object; - - var thirdMock = new Mock(); - thirdMock.Setup(o => o.CreateProtector("third")).Returns(finalExpectedProtector); - var secondMock = new Mock(); - secondMock.Setup(o => o.CreateProtector("second")).Returns(thirdMock.Object); - var firstMock = new Mock(); - firstMock.Setup(o => o.CreateProtector("first")).Returns(secondMock.Object); - - // Act - var retVal = firstMock.Object.CreateProtector("first", "second", "third"); - - // Assert - Assert.Same(finalExpectedProtector, retVal); - } - - [Fact] - public void Protect_InvalidUtf_Failure() - { - // Arrange - Mock mockProtector = new Mock(); - - // Act & assert - var ex = Assert.Throws(() => - { - DataProtectionExtensions.Protect(mockProtector.Object, "Hello\ud800"); - }); - Assert.IsAssignableFrom(typeof(EncoderFallbackException), ex.InnerException); - } - - [Fact] - public void Protect_Success() - { - // Arrange - Mock mockProtector = new Mock(); - mockProtector.Setup(p => p.Protect(new byte[] { 0x48, 0x65, 0x6c, 0x6c, 0x6f })).Returns(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }); - - // Act - string 
retVal = DataProtectionExtensions.Protect(mockProtector.Object, "Hello"); - - // Assert - Assert.Equal("AQIDBAU", retVal); - } - - [Fact] - public void Unprotect_InvalidBase64BeforeDecryption_Failure() - { - // Arrange - Mock mockProtector = new Mock(); - - // Act & assert - var ex = Assert.Throws(() => - { - DataProtectionExtensions.Unprotect(mockProtector.Object, "A"); - }); - Assert.IsAssignableFrom(typeof(FormatException), ex.InnerException); - } - - [Fact] - public void Unprotect_InvalidUtfAfterDecryption_Failure() - { - // Arrange - Mock mockProtector = new Mock(); - mockProtector.Setup(p => p.Unprotect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0xff }); - - // Act & assert - var ex = Assert.Throws(() => - { - DataProtectionExtensions.Unprotect(mockProtector.Object, "AQIDBAU"); - }); - Assert.IsAssignableFrom(typeof(DecoderFallbackException), ex.InnerException); - } - - [Fact] - public void Unprotect_Success() - { - // Arrange - Mock mockProtector = new Mock(); - mockProtector.Setup(p => p.Unprotect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x48, 0x65, 0x6c, 0x6c, 0x6f }); - - // Act - string retVal = DataProtectionExtensions.Unprotect(mockProtector.Object, "AQIDBAU"); - - // Assert - Assert.Equal("Hello", retVal); - } } } diff --git a/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs index 17e86f2279..04acee0a65 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs @@ -6,7 +6,7 @@ using System.Security.Cryptography; using System.Text; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test +namespace Microsoft.AspNet.DataProtection { public class EphemeralDataProtectionProviderTests { 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/ExceptionHelpers.cs b/test/Microsoft.AspNet.DataProtection.Test/ExceptionHelpers.cs deleted file mode 100644 index a05290105c..0000000000 --- a/test/Microsoft.AspNet.DataProtection.Test/ExceptionHelpers.cs +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Xunit; - -namespace Microsoft.AspNet.DataProtection.Test -{ - internal static class ExceptionHelpers - { - public static void AssertMessage(this ArgumentException exception, string parameterName, string message) - { - Assert.Equal(parameterName, exception.ParamName); - - // We'll let ArgumentException handle the message formatting for us and treat it as our control value - var controlException = new ArgumentException(message, parameterName); - Assert.Equal(controlException.Message, exception.Message); - } - } -} diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs new file mode 100644 index 0000000000..d92b38ec5a --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs 
@@ -0,0 +1,60 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Threading; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class CacheableKeyRingTests + { + [Fact] + public void IsValid_NullKeyRing_ReturnsFalse() + { + Assert.False(CacheableKeyRing.IsValid(null, DateTime.UtcNow)); + } + + [Fact] + public void IsValid_CancellationTokenTriggered_ReturnsFalse() + { + // Arrange + var keyRing = new Mock().Object; + DateTimeOffset now = DateTimeOffset.UtcNow; + var cts = new CancellationTokenSource(); + var cacheableKeyRing = new CacheableKeyRing(cts.Token, now.AddHours(1), keyRing); + + // Act & assert + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now.UtcDateTime)); + cts.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now.UtcDateTime)); + } + + [Fact] + public void IsValid_Expired_ReturnsFalse() + { + // Arrange + var keyRing = new Mock().Object; + DateTimeOffset now = DateTimeOffset.UtcNow; + var cts = new CancellationTokenSource(); + var cacheableKeyRing = new CacheableKeyRing(cts.Token, now.AddHours(1), keyRing); + + // Act & assert + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now.UtcDateTime)); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now.AddHours(1).UtcDateTime)); + } + + + [Fact] + public void KeyRing_Prop() + { + // Arrange + var keyRing = new Mock().Object; + var cacheableKeyRing = new CacheableKeyRing(CancellationToken.None, DateTimeOffset.Now, keyRing); + + // Act & assert + Assert.Same(keyRing, cacheableKeyRing.KeyRing); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs new file mode 100644 index 0000000000..7c66fdc3e0 --- /dev/null 
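Review bot: `IsValid_CancellationTokenTriggered_ReturnsFalse` and `IsValid_Expired_ReturnsFalse` each create a `CancellationTokenSource` that is never disposed. Declaring it as `using (var cts = new CancellationTokenSource())` around the test body keeps the tests from leaking the source. `KeyRing_Prop` also passes `DateTimeOffset.Now` where the other tests use `DateTimeOffset.UtcNow`. The value is not asserted there, but using `UtcNow` throughout avoids suggesting that local time is meaningful for key ring expiration.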
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs 
@@ -0,0 +1,165 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Globalization; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class DefaultKeyResolverTests + { + [Fact] + public void ResolveDefaultKeyPolicy_EmptyKeyRing_ReturnsNullDefaultKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy(DateTimeOffset.Now, new IKey[0]); + + // Assert + Assert.Null(resolution.DefaultKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_ValidExistingKey_ReturnsExistingKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1); + + // Assert + Assert.Same(key1, resolution.DefaultKey); + Assert.False(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_ValidExistingKey_ApproachingSafetyWindow_ReturnsExistingKey_SignalsGenerateNewKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2015-04-01 00:00:00Z"); + var key2 = CreateKey("2015-04-01 00:00:00Z", "2015-05-01 00:00:00Z", isRevoked: true); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-03-30 00:00:00Z", key1, key2); + + // Assert + Assert.Same(key1, resolution.DefaultKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_ValidExistingKey_ApproachingSafetyWindow_FutureKeyIsValidAndWithinSkew_ReturnsExistingKey_NoSignalToGenerateNewKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = 
CreateKey("2015-03-01 00:00:00Z", "2015-04-01 00:00:00Z"); + var key2 = CreateKey("2015-04-01 00:00:00Z", "2015-05-01 00:00:00Z", isRevoked: true); + var key3 = CreateKey("2015-04-01 00:01:00Z", "2015-05-01 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-03-31 23:59:00Z", key1, key2, key3); + + // Assert + Assert.Same(key1, resolution.DefaultKey); + Assert.False(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_ReturnsNull() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", isRevoked: true); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1, key2); + + // Assert + Assert.Null(resolution.DefaultKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_FutureKeyIsValidAndWithinClockSkew_ReturnsFutureKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:53:00Z", key1); + + // Assert + Assert.Same(key1, resolution.DefaultKey); + Assert.False(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_FutureKeyIsValidButNotWithinClockSkew_ReturnsNull() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:00:00Z", key1); + + // Assert + Assert.Null(resolution.DefaultKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_IgnoresExpiredOrRevokedFutureKeys() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = 
CreateKey("2015-03-01 00:00:00Z", "2014-03-01 00:00:00Z"); // expiration before activation should never occur + var key2 = CreateKey("2015-03-01 00:01:00Z", "2015-04-01 00:00:00Z", isRevoked: true); + var key3 = CreateKey("2015-03-01 00:02:00Z", "2015-04-01 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:59:00Z", key1, key2, key3); + + // Assert + Assert.Same(key3, resolution.DefaultKey); + Assert.False(resolution.ShouldGenerateNewKey); + } + + private static IDefaultKeyResolver CreateDefaultKeyResolver() + { + return new DefaultKeyResolver( + keyGenBeforeExpirationWindow: TimeSpan.FromDays(2), + maxServerToServerClockSkew: TimeSpan.FromMinutes(7), + services: null); + } + + private static IKey CreateKey(string activationDate, string expirationDate, bool isRevoked = false) + { + var mockKey = new Mock(); + mockKey.Setup(o => o.KeyId).Returns(Guid.NewGuid()); + mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); + mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); + mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); + return mockKey.Object; + } + } + + internal static class DefaultKeyResolverExtensions + { + public static DefaultKeyResolution ResolveDefaultKeyPolicy(this IDefaultKeyResolver resolver, string now, params IKey[] allKeys) + { + return resolver.ResolveDefaultKeyPolicy(DateTimeOffset.ParseExact(now, "u", CultureInfo.InvariantCulture), (IEnumerable)allKeys); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs new file mode 100644 index 0000000000..755509b42b --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs 
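Review bot: None of the `ResolveDefaultKeyPolicy_*` tests place `now` after the expiration of a key that has already been activated. Expiry is only exercised for a future key, in `ResolveDefaultKeyPolicy_IgnoresExpiredOrRevokedFutureKeys`. A resolver that kept returning an expired key as the default would therefore pass this suite, so a test for that case is worth adding. The expected values in the sketch below mirror `ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_ReturnsNull` and are inferred, so confirm them against `DefaultKeyResolver`.

```csharp
[Fact]
public void ResolveDefaultKeyPolicy_ActivatedKeyIsExpired_ReturnsNull()
{
    // Arrange
    var resolver = CreateDefaultKeyResolver();
    var key1 = CreateKey("2015-03-01 00:00:00Z", "2015-04-01 00:00:00Z");

    // Act
    var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-02 00:00:00Z", key1);

    // Assert (expected values mirror the revoked-key case; confirm against DefaultKeyResolver)
    Assert.Null(resolution.DefaultKey);
    Assert.True(resolution.ShouldGenerateNewKey);
}
```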
@@ -0,0 +1,90 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Xml.Linq;
+using Microsoft.Framework.DependencyInjection;
+using Moq;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection.KeyManagement
+{
+ public class KeyEscrowServiceProviderExtensionsTests
+ {
+ [Fact]
+ public void GetKeyEscrowSink_NullServiceProvider_ReturnsNull()
+ {
+ Assert.Null(((IServiceProvider)null).GetKeyEscrowSink());
+ }
+
+ [Fact]
+ public void GetKeyEscrowSink_EmptyServiceProvider_ReturnsNull()
+ {
+ // Arrange
+ var services = new ServiceCollection().BuildServiceProvider();
+
+ // Act & assert
+ Assert.Null(services.GetKeyEscrowSink());
+ }
+
+ [Fact]
+ public void GetKeyEscrowSink_SingleKeyEscrowRegistration_ReturnsAggregateOverSingleSink()
+ {
+ // Arrange
+ List output = new List();
+
+ var mockKeyEscrowSink = new Mock();
+ mockKeyEscrowSink.Setup(o => o.Store(It.IsAny(), It.IsAny()))
+ .Callback((keyId, element) =>
+ {
+ output.Add(String.Format(CultureInfo.InvariantCulture, "{0:D}: {1}", keyId, element.Name.LocalName));
+ });
+
+ var serviceCollection = new ServiceCollection();
+ serviceCollection.AddInstance(mockKeyEscrowSink.Object);
+ var services = serviceCollection.BuildServiceProvider();
+
+ // Act
+ var sink = services.GetKeyEscrowSink();
+ sink.Store(new Guid("39974d8e-3e53-4d78-b7e9-4ff64a2a5d7b"), XElement.Parse(""));
+
+ // Assert
+ Assert.Equal(new[] { "39974d8e-3e53-4d78-b7e9-4ff64a2a5d7b: theElement" }, output);
+ }
+
+ [Fact]
+ public void GetKeyEscrowSink_MultipleKeyEscrowRegistration_ReturnsAggregate()
+ {
+ // Arrange
+ List output = new List();
+
+ var mockKeyEscrowSink1 = new Mock();
+ mockKeyEscrowSink1.Setup(o => o.Store(It.IsAny(), It.IsAny()))
+ .Callback((keyId, element) =>
+ {
+
output.Add(String.Format(CultureInfo.InvariantCulture, "[sink1] {0:D}: {1}", keyId, element.Name.LocalName));
+ });
+
+ var mockKeyEscrowSink2 = new Mock();
+ mockKeyEscrowSink2.Setup(o => o.Store(It.IsAny(), It.IsAny()))
+ .Callback((keyId, element) =>
+ {
+ output.Add(String.Format(CultureInfo.InvariantCulture, "[sink2] {0:D}: {1}", keyId, element.Name.LocalName));
+ });
+
+ var serviceCollection = new ServiceCollection();
+ serviceCollection.AddInstance(mockKeyEscrowSink1.Object);
+ serviceCollection.AddInstance(mockKeyEscrowSink2.Object);
+ var services = serviceCollection.BuildServiceProvider();
+
+ // Act
+ var sink = services.GetKeyEscrowSink();
+ sink.Store(new Guid("39974d8e-3e53-4d78-b7e9-4ff64a2a5d7b"), XElement.Parse(""));
+
+ // Assert
+ Assert.Equal(new[] { "[sink1] 39974d8e-3e53-4d78-b7e9-4ff64a2a5d7b: theElement", "[sink2] 39974d8e-3e53-4d78-b7e9-4ff64a2a5d7b: theElement" }, output);
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
new file mode 100644
index 0000000000..6bd46fc6c6
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
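Review bot: Neither aggregate test in KeyEscrowServiceProviderExtensionsTests.cs covers a sink whose `Store` throws, so the escrow failure path is left unpinned. From these tests alone it is not visible whether the sink returned by `GetKeyEscrowSink()` stops at the first failing sink, continues to the next one, or swallows the error. Escrow is presumably the recovery copy of key material, so a silently skipped sink is the case worth locking down. A third test next to `GetKeyEscrowSink_MultipleKeyEscrowRegistration_ReturnsAggregate` could register a throwing sink first and assert that the exception reaches the caller; this assumes propagation is the intended contract, so adjust the assertion if the aggregate is meant to continue.

```csharp
[Fact]
public void GetKeyEscrowSink_FirstSinkThrows_ExceptionReachesCaller()
{
    // Arrange
    var failingSink = new Mock<IKeyEscrowSink>();
    failingSink.Setup(o => o.Store(It.IsAny<Guid>(), It.IsAny<XElement>()))
        .Throws(new InvalidOperationException("escrow unavailable"));
    var secondSink = new Mock<IKeyEscrowSink>();

    var serviceCollection = new ServiceCollection();
    serviceCollection.AddInstance<IKeyEscrowSink>(failingSink.Object);
    serviceCollection.AddInstance<IKeyEscrowSink>(secondSink.Object);
    var sink = serviceCollection.BuildServiceProvider().GetKeyEscrowSink();

    // Act & assert
    Assert.Throws<InvalidOperationException>(
        () => sink.Store(Guid.NewGuid(), new XElement("theElement")));
}
```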
@@ -0,0 +1,486 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.IO; +using System.Linq; +using System.Net; +using System.Text; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.Testing; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class KeyRingBasedDataProtectorTests + { + [Fact] + public void Protect_NullPlaintext_Throws() + { + // Arrange + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: new Mock().Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act & assert + ExceptionAssert2.ThrowsArgumentNull(() => protector.Protect(plaintext: null), "plaintext"); + } + + [Fact] + public void Protect_EncryptsToDefaultProtector_MultiplePurposes() + { + // Arrange + Guid defaultKey = new Guid("ba73c9ce-d322-4e45-af90-341307e11c38"); + byte[] expectedPlaintext = new byte[] { 0x03, 0x05, 0x07, 0x11, 0x13, 0x17, 0x19 }; + byte[] expectedAad = BuildAadFromPurposeStrings(defaultKey, "purpose1", "purpose2", "yet another purpose"); + byte[] expectedProtectedData = BuildProtectedDataFromCiphertext(defaultKey, new byte[] { 0x23, 0x29, 0x31, 0x37 }); + + var mockEncryptor = new Mock(); + mockEncryptor + .Setup(o => o.Encrypt(It.IsAny>(), It.IsAny>())) + .Returns, ArraySegment>((actualPlaintext, actualAad) => + { + Assert.Equal(expectedPlaintext, actualPlaintext); + Assert.Equal(expectedAad, actualAad); + return new byte[] { 0x23, 0x29, 0x31, 0x37 }; // ciphertext + tag + }); + + var mockKeyRing = new Mock(MockBehavior.Strict); + mockKeyRing.Setup(o => o.DefaultKeyId).Returns(defaultKey); + mockKeyRing.Setup(o => o.DefaultAuthenticatedEncryptor).Returns(mockEncryptor.Object); + var 
mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(mockKeyRing.Object); + + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: new[] { "purpose1", "purpose2" }, + newPurpose: "yet another purpose"); + + // Act + byte[] retVal = protector.Protect(expectedPlaintext); + + // Assert + Assert.Equal(expectedProtectedData, retVal); + } + + [Fact] + public void Protect_EncryptsToDefaultProtector_SinglePurpose() + { + // Arrange + Guid defaultKey = new Guid("ba73c9ce-d322-4e45-af90-341307e11c38"); + byte[] expectedPlaintext = new byte[] { 0x03, 0x05, 0x07, 0x11, 0x13, 0x17, 0x19 }; + byte[] expectedAad = BuildAadFromPurposeStrings(defaultKey, "single purpose"); + byte[] expectedProtectedData = BuildProtectedDataFromCiphertext(defaultKey, new byte[] { 0x23, 0x29, 0x31, 0x37 }); + + var mockEncryptor = new Mock(); + mockEncryptor + .Setup(o => o.Encrypt(It.IsAny>(), It.IsAny>())) + .Returns, ArraySegment>((actualPlaintext, actualAad) => + { + Assert.Equal(expectedPlaintext, actualPlaintext); + Assert.Equal(expectedAad, actualAad); + return new byte[] { 0x23, 0x29, 0x31, 0x37 }; // ciphertext + tag + }); + + var mockKeyRing = new Mock(MockBehavior.Strict); + mockKeyRing.Setup(o => o.DefaultKeyId).Returns(defaultKey); + mockKeyRing.Setup(o => o.DefaultAuthenticatedEncryptor).Returns(mockEncryptor.Object); + var mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(mockKeyRing.Object); + + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: new string[0], + newPurpose: "single purpose"); + + // Act + byte[] retVal = protector.Protect(expectedPlaintext); + + // Assert + Assert.Equal(expectedProtectedData, retVal); + } + + [Fact] + public void Protect_HomogenizesExceptionsToCryptographicException() + { + // Arrange 
+ IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: new Mock(MockBehavior.Strict).Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act & assert + var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Protect(new byte[0])); + Assert.IsAssignableFrom(typeof(MockException), ex.InnerException); + } + + [Fact] + public void Unprotect_NullProtectedData_Throws() + { + // Arrange + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: new Mock().Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act & assert + ExceptionAssert2.ThrowsArgumentNull(() => protector.Unprotect(protectedData: null), "protectedData"); + } + + [Fact] + public void Unprotect_PayloadTooShort_ThrowsBadMagicHeader() + { + // Arrange + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: new Mock().Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + byte[] badProtectedPayload = BuildProtectedDataFromCiphertext(Guid.NewGuid(), new byte[0]); + badProtectedPayload = badProtectedPayload.Take(badProtectedPayload.Length - 1).ToArray(); // chop off the last byte + + // Act & assert + var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(badProtectedPayload)); + Assert.Equal(Resources.ProtectionProvider_BadMagicHeader, ex.Message); + } + + [Fact] + public void Unprotect_PayloadHasBadMagicHeader_ThrowsBadMagicHeader() + { + // Arrange + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: new Mock().Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + byte[] badProtectedPayload = BuildProtectedDataFromCiphertext(Guid.NewGuid(), new byte[0]); + badProtectedPayload[0]++; // corrupt the magic header + + // Act & assert + var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(badProtectedPayload)); + 
Assert.Equal(Resources.ProtectionProvider_BadMagicHeader, ex.Message); + } + + [Fact] + public void Unprotect_PayloadHasIncorrectVersionMarker_ThrowsNewerVersion() + { + // Arrange + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: new Mock().Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + byte[] badProtectedPayload = BuildProtectedDataFromCiphertext(Guid.NewGuid(), new byte[0]); + badProtectedPayload[3]++; // bump the version payload + + // Act & assert + var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(badProtectedPayload)); + Assert.Equal(Resources.ProtectionProvider_BadVersion, ex.Message); + } + + [Fact] + public void Unprotect_KeyNotFound_ThrowsKeyNotFound() + { + // Arrange + Guid notFoundKeyId = new Guid("654057ab-2491-4471-a72a-b3b114afda38"); + byte[] protectedData = BuildProtectedDataFromCiphertext( + keyId: notFoundKeyId, + ciphertext: new byte[0]); + + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); + + // the keyring has only one key + Key key = new Key(Guid.Empty, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); + var keyRing = new KeyRing(Guid.Empty, new[] { key }); + var mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); + + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act & assert + var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(protectedData)); + Assert.Equal(Error.Common_KeyNotFound(notFoundKeyId).Message, ex.Message); + } + + [Fact] + public void Unprotect_KeyRevoked_RevocationDisallowed_ThrowsKeyRevoked() + { + // Arrange + Guid keyId = new Guid("654057ab-2491-4471-a72a-b3b114afda38"); + byte[] protectedData = 
BuildProtectedDataFromCiphertext( + keyId: keyId, + ciphertext: new byte[0]); + + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); + + // the keyring has only one key + Key key = new Key(keyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); + key.SetRevoked(); + var keyRing = new KeyRing(keyId, new[] { key }); + var mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); + + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act & assert + var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(protectedData)); + Assert.Equal(Error.Common_KeyRevoked(keyId).Message, ex.Message); + } + + [Fact] + public void Unprotect_KeyRevoked_RevocationAllowed_ReturnsOriginalData_SetsRevokedAndMigrationFlags() + { + // Arrange + Guid defaultKeyId = new Guid("ba73c9ce-d322-4e45-af90-341307e11c38"); + byte[] expectedCiphertext = new byte[] { 0x03, 0x05, 0x07, 0x11, 0x13, 0x17, 0x19 }; + byte[] protectedData = BuildProtectedDataFromCiphertext(defaultKeyId, expectedCiphertext); + byte[] expectedAad = BuildAadFromPurposeStrings(defaultKeyId, "purpose"); + byte[] expectedPlaintext = new byte[] { 0x23, 0x29, 0x31, 0x37 }; + + var mockEncryptor = new Mock(); + mockEncryptor + .Setup(o => o.Decrypt(It.IsAny>(), It.IsAny>())) + .Returns, ArraySegment>((actualCiphertext, actualAad) => + { + Assert.Equal(expectedCiphertext, actualCiphertext); + Assert.Equal(expectedAad, actualAad); + return expectedPlaintext; + }); + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object); + + Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); + defaultKey.SetRevoked(); 
+ var keyRing = new KeyRing(defaultKeyId, new[] { defaultKey }); + var mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); + + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act + bool requiresMigration, wasRevoked; + byte[] retVal = ((IPersistedDataProtector)protector).DangerousUnprotect(protectedData, + ignoreRevocationErrors: true, + requiresMigration: out requiresMigration, + wasRevoked: out wasRevoked); + + // Assert + Assert.Equal(expectedPlaintext, retVal); + Assert.True(requiresMigration); + Assert.True(wasRevoked); + } + + [Fact] + public void Unprotect_IsAlsoDefaultKey_Success_NoMigrationRequired() + { + // Arrange + Guid defaultKeyId = new Guid("ba73c9ce-d322-4e45-af90-341307e11c38"); + byte[] expectedCiphertext = new byte[] { 0x03, 0x05, 0x07, 0x11, 0x13, 0x17, 0x19 }; + byte[] protectedData = BuildProtectedDataFromCiphertext(defaultKeyId, expectedCiphertext); + byte[] expectedAad = BuildAadFromPurposeStrings(defaultKeyId, "purpose"); + byte[] expectedPlaintext = new byte[] { 0x23, 0x29, 0x31, 0x37 }; + + var mockEncryptor = new Mock(); + mockEncryptor + .Setup(o => o.Decrypt(It.IsAny>(), It.IsAny>())) + .Returns, ArraySegment>((actualCiphertext, actualAad) => + { + Assert.Equal(expectedCiphertext, actualCiphertext); + Assert.Equal(expectedAad, actualAad); + return expectedPlaintext; + }); + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object); + + Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); + var keyRing = new KeyRing(defaultKeyId, new[] { defaultKey }); + var mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); + + IDataProtector protector = new 
KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act & assert - IDataProtector + byte[] retVal = protector.Unprotect(protectedData); + Assert.Equal(expectedPlaintext, retVal); + + // Act & assert - IPersistedDataProtector + bool requiresMigration, wasRevoked; + retVal = ((IPersistedDataProtector)protector).DangerousUnprotect(protectedData, + ignoreRevocationErrors: false, + requiresMigration: out requiresMigration, + wasRevoked: out wasRevoked); + Assert.Equal(expectedPlaintext, retVal); + Assert.False(requiresMigration); + Assert.False(wasRevoked); + } + + [Fact] + public void Unprotect_IsNotDefaultKey_Success_RequiresMigration() + { + // Arrange + Guid defaultKeyId = new Guid("ba73c9ce-d322-4e45-af90-341307e11c38"); + Guid embeddedKeyId = new Guid("9b5d2db3-299f-4eac-89e9-e9067a5c1853"); + byte[] expectedCiphertext = new byte[] { 0x03, 0x05, 0x07, 0x11, 0x13, 0x17, 0x19 }; + byte[] protectedData = BuildProtectedDataFromCiphertext(embeddedKeyId, expectedCiphertext); + byte[] expectedAad = BuildAadFromPurposeStrings(embeddedKeyId, "purpose"); + byte[] expectedPlaintext = new byte[] { 0x23, 0x29, 0x31, 0x37 }; + + var mockEncryptor = new Mock(); + mockEncryptor + .Setup(o => o.Decrypt(It.IsAny>(), It.IsAny>())) + .Returns, ArraySegment>((actualCiphertext, actualAad) => + { + Assert.Equal(expectedCiphertext, actualCiphertext); + Assert.Equal(expectedAad, actualAad); + return expectedPlaintext; + }); + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object); + + Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new Mock().Object); + Key embeddedKey = new Key(embeddedKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); + var keyRing = new KeyRing(defaultKeyId, new[] { defaultKey, embeddedKey }); + var mockKeyRingProvider = 
new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); + + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act & assert - IDataProtector + byte[] retVal = protector.Unprotect(protectedData); + Assert.Equal(expectedPlaintext, retVal); + + // Act & assert - IPersistedDataProtector + bool requiresMigration, wasRevoked; + retVal = ((IPersistedDataProtector)protector).DangerousUnprotect(protectedData, + ignoreRevocationErrors: false, + requiresMigration: out requiresMigration, + wasRevoked: out wasRevoked); + Assert.Equal(expectedPlaintext, retVal); + Assert.True(requiresMigration); + Assert.False(wasRevoked); + } + + [Fact] + public void Protect_Unprotect_RoundTripsProperly() + { + // Arrange + byte[] plaintext = new byte[] { 0x10, 0x20, 0x30, 0x40, 0x50 }; + Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration(new AuthenticatedEncryptionOptions()).CreateNewDescriptor()); + var keyRing = new KeyRing(key.KeyId, new[] { key }); + var mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); + + var protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose"); + + // Act - protect + byte[] protectedData = protector.Protect(plaintext); + Assert.NotNull(protectedData); + Assert.NotEqual(plaintext, protectedData); + + // Act - unprotect + byte[] roundTrippedPlaintext = protector.Unprotect(protectedData); + Assert.Equal(plaintext, roundTrippedPlaintext); + } + + [Fact] + public void CreateProtector_ChainsPurposes() + { + // Arrange + Guid defaultKey = new Guid("ba73c9ce-d322-4e45-af90-341307e11c38"); + byte[] expectedPlaintext = new byte[] { 0x03, 0x05, 0x07, 0x11, 0x13, 0x17, 0x19 }; + byte[] 
expectedAad = BuildAadFromPurposeStrings(defaultKey, "purpose1", "purpose2"); + byte[] expectedProtectedData = BuildProtectedDataFromCiphertext(defaultKey, new byte[] { 0x23, 0x29, 0x31, 0x37 }); + + var mockEncryptor = new Mock(); + mockEncryptor + .Setup(o => o.Encrypt(It.IsAny>(), It.IsAny>())) + .Returns, ArraySegment>((actualPlaintext, actualAad) => + { + Assert.Equal(expectedPlaintext, actualPlaintext); + Assert.Equal(expectedAad, actualAad); + return new byte[] { 0x23, 0x29, 0x31, 0x37 }; // ciphertext + tag + }); + + var mockKeyRing = new Mock(MockBehavior.Strict); + mockKeyRing.Setup(o => o.DefaultKeyId).Returns(defaultKey); + mockKeyRing.Setup(o => o.DefaultAuthenticatedEncryptor).Returns(mockEncryptor.Object); + var mockKeyRingProvider = new Mock(); + mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(mockKeyRing.Object); + + IDataProtector protector = new KeyRingBasedDataProtector( + keyRingProvider: mockKeyRingProvider.Object, + logger: null, + originalPurposes: null, + newPurpose: "purpose1").CreateProtector("purpose2"); + + // Act + byte[] retVal = protector.Protect(expectedPlaintext); + + // Assert + Assert.Equal(expectedProtectedData, retVal); + } + + private static byte[] BuildAadFromPurposeStrings(Guid keyId, params string[] purposes) + { + var expectedAad = new byte[] { 0x09, 0xF0, 0xC9, 0xF0 } // magic header + .Concat(keyId.ToByteArray()) // key id + .Concat(BitConverter.GetBytes(IPAddress.HostToNetworkOrder(purposes.Length))); // purposeCount + + foreach (string purpose in purposes) + { + var memStream = new MemoryStream(); + var writer = new BinaryWriter(memStream, encoding: new UTF8Encoding(encoderShouldEmitUTF8Identifier: false), leaveOpen: true); + writer.Write(purpose); // also writes 7-bit encoded int length + writer.Dispose(); + expectedAad = expectedAad.Concat(memStream.ToArray()); + } + + return expectedAad.ToArray(); + } + + private static byte[] BuildProtectedDataFromCiphertext(Guid keyId, byte[] ciphertext) + { + return 
new byte[] { 0x09, 0xF0, 0xC9, 0xF0 } // magic header
+ .Concat(keyId.ToByteArray()) // key id
+ .Concat(ciphertext).ToArray();
+
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
new file mode 100644
index 0000000000..b117c9e215
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
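Review bot: `Protect_Unprotect_RoundTripsProperly` in KeyRingBasedDataProtectorTests.cs is the only test that runs a real encryptor, and it checks the success path only, so nothing verifies end to end that a payload is rejected under a different purpose or after modification. The mocked tests compare the AAD bytes against `BuildAadFromPurposeStrings`, which pins the format but not that the encryptor enforces it. After the round-trip assertion I would add `var other = new KeyRingBasedDataProtector(keyRingProvider: mockKeyRingProvider.Object, logger: null, originalPurposes: null, newPurpose: "other purpose");` and `ExceptionAssert2.ThrowsCryptographicException(() => other.Unprotect(protectedData));`. The same assertion on `protector`, after changing the last byte of `protectedData`, would cover the integrity check.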
@@ -0,0 +1,397 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Globalization; +using System.Threading; +using System.Threading.Tasks; +using Microsoft.Framework.DependencyInjection; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class KeyRingProviderTests + { + [Fact] + public void CreateCacheableKeyRing_NoGenerationRequired_DefaultKeyExpiresAfterRefreshPeriod() + { + // Arrange + var callSequence = new List(); + var expirationCts = new CancellationTokenSource(); + + var now = StringToDateTime("2015-03-01 00:00:00Z"); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); + var allKeys = new[] { key1, key2 }; + + var keyRingProvider = SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { expirationCts.Token }, + getAllKeysReturnValues: new[] { allKeys }, + createNewKeyCallbacks: null, + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys, new DefaultKeyResolution() + { + DefaultKey = key1, + ShouldGenerateNewKey = false + }) + }); + + // Act + var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); + + // Assert + Assert.Equal(key1.KeyId, cacheableKeyRing.KeyRing.DefaultKeyId); + AssertWithinJitterRange(cacheableKeyRing.ExpirationTimeUtc, now); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + + [Fact] + public void 
CreateCacheableKeyRing_NoGenerationRequired_DefaultKeyExpiresBeforeRefreshPeriod() + { + // Arrange + var callSequence = new List(); + var expirationCts = new CancellationTokenSource(); + + var now = StringToDateTime("2016-02-29 20:00:00Z"); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); + var allKeys = new[] { key1, key2 }; + + var keyRingProvider = SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { expirationCts.Token }, + getAllKeysReturnValues: new[] { allKeys }, + createNewKeyCallbacks: null, + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys, new DefaultKeyResolution() + { + DefaultKey = key1, + ShouldGenerateNewKey = false + }) + }); + + // Act + var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); + + // Assert + Assert.Equal(key1.KeyId, cacheableKeyRing.KeyRing.DefaultKeyId); + Assert.Equal(StringToDateTime("2016-03-01 00:00:00Z"), cacheableKeyRing.ExpirationTimeUtc); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + + [Fact] + public void CreateCacheableKeyRing_GenerationRequired_NoDefaultKey_CreatesNewKeyWithImmediateActivation() + { + // Arrange + var callSequence = new List(); + var expirationCts1 = new CancellationTokenSource(); + var expirationCts2 = new CancellationTokenSource(); + + var now = StringToDateTime("2015-03-01 00:00:00Z"); + var allKeys1 = new IKey[0]; + + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); + var allKeys2 = new[] { key1, key2 }; + + var keyRingProvider = 
SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { expirationCts1.Token, expirationCts2.Token }, + getAllKeysReturnValues: new[] { allKeys1, allKeys2 }, + createNewKeyCallbacks: new[] { + Tuple.Create((DateTimeOffset)now, (DateTimeOffset)now + TimeSpan.FromDays(90)) + }, + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys1, new DefaultKeyResolution() + { + DefaultKey = null, + ShouldGenerateNewKey = true + }), + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys2, new DefaultKeyResolution() + { + DefaultKey = key1, + ShouldGenerateNewKey = false + }) + }); + + // Act + var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); + + // Assert + Assert.Equal(key1.KeyId, cacheableKeyRing.KeyRing.DefaultKeyId); + AssertWithinJitterRange(cacheableKeyRing.ExpirationTimeUtc, now); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts1.Cancel(); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts2.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy", "CreateNewKey", "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + + [Fact] + public void CreateCacheableKeyRing_GenerationRequired_WithDefaultKey_CreatesNewKeyWithDeferredActivationAndExpirationBasedOnCreationTime() + { + // Arrange + var callSequence = new List(); + var expirationCts1 = new CancellationTokenSource(); + var expirationCts2 = new CancellationTokenSource(); + + var now = StringToDateTime("2016-02-01 00:00:00Z"); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var allKeys1 = new[] { key1 }; + + var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); + var allKeys2 = new[] { key1, key2 }; + + var keyRingProvider = 
SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { expirationCts1.Token, expirationCts2.Token }, + getAllKeysReturnValues: new[] { allKeys1, allKeys2 }, + createNewKeyCallbacks: new[] { + Tuple.Create(key1.ExpirationDate, (DateTimeOffset)now + TimeSpan.FromDays(90)) + }, + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys1, new DefaultKeyResolution() + { + DefaultKey = key1, + ShouldGenerateNewKey = true + }), + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys2, new DefaultKeyResolution() + { + DefaultKey = key2, + ShouldGenerateNewKey = false + }) + }); + + // Act + var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); + + // Assert + Assert.Equal(key2.KeyId, cacheableKeyRing.KeyRing.DefaultKeyId); + AssertWithinJitterRange(cacheableKeyRing.ExpirationTimeUtc, now); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts1.Cancel(); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts2.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy", "CreateNewKey", "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + + private static ICacheableKeyRingProvider SetupCreateCacheableKeyRingTestAndCreateKeyManager( + IList callSequence, + IEnumerable getCacheExpirationTokenReturnValues, + IEnumerable> getAllKeysReturnValues, + IEnumerable> createNewKeyCallbacks, + IEnumerable, DefaultKeyResolution>> resolveDefaultKeyPolicyReturnValues) + { + var getCacheExpirationTokenReturnValuesEnumerator = getCacheExpirationTokenReturnValues.GetEnumerator(); + var mockKeyManager = new Mock(MockBehavior.Strict); + mockKeyManager.Setup(o => o.GetCacheExpirationToken()) + .Returns(() => + { + callSequence.Add("GetCacheExpirationToken"); + 
getCacheExpirationTokenReturnValuesEnumerator.MoveNext(); + return getCacheExpirationTokenReturnValuesEnumerator.Current; + }); + + var getAllKeysReturnValuesEnumerator = getAllKeysReturnValues.GetEnumerator(); + mockKeyManager.Setup(o => o.GetAllKeys()) + .Returns(() => + { + callSequence.Add("GetAllKeys"); + getAllKeysReturnValuesEnumerator.MoveNext(); + return getAllKeysReturnValuesEnumerator.Current; + }); + + if (createNewKeyCallbacks != null) + { + var createNewKeyCallbacksEnumerator = createNewKeyCallbacks.GetEnumerator(); + mockKeyManager.Setup(o => o.CreateNewKey(It.IsAny(), It.IsAny())) + .Returns((activationDate, expirationDate) => + { + callSequence.Add("CreateNewKey"); + createNewKeyCallbacksEnumerator.MoveNext(); + Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item1, activationDate); + Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item2, expirationDate); + return null; // nobody uses this return value + }); + } + + var resolveDefaultKeyPolicyReturnValuesEnumerator = resolveDefaultKeyPolicyReturnValues.GetEnumerator(); + var mockDefaultKeyResolver = new Mock(MockBehavior.Strict); + mockDefaultKeyResolver.Setup(o => o.ResolveDefaultKeyPolicy(It.IsAny(), It.IsAny>())) + .Returns>((now, allKeys) => + { + callSequence.Add("ResolveDefaultKeyPolicy"); + resolveDefaultKeyPolicyReturnValuesEnumerator.MoveNext(); + Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item1, now); + Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item2, allKeys); + return resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item3; + }); + + return CreateKeyRingProvider(mockKeyManager.Object, mockDefaultKeyResolver.Object); + } + + [Fact] + public void GetCurrentKeyRing_NoKeyRingCached_CachesAndReturns() + { + // Arrange + var now = StringToDateTime("2015-03-01 00:00:00Z"); + var expectedKeyRing = new Mock().Object; + var mockCacheableKeyRingProvider = new Mock(); + mockCacheableKeyRingProvider + .Setup(o => 
o.GetCacheableKeyRing(now)) + .Returns(new CacheableKeyRing( + expirationToken: CancellationToken.None, + expirationTime: StringToDateTime("2015-03-02 00:00:00Z"), + keyRing: expectedKeyRing)); + + var keyRingProvider = CreateKeyRingProvider(mockCacheableKeyRingProvider.Object); + + // Act + var retVal1 = keyRingProvider.GetCurrentKeyRingCore(now); + var retVal2 = keyRingProvider.GetCurrentKeyRingCore(now + TimeSpan.FromHours(1)); + + // Assert - underlying provider only should have been called once + Assert.Same(expectedKeyRing, retVal1); + Assert.Same(expectedKeyRing, retVal2); + mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(It.IsAny()), Times.Once); + } + + [Fact] + public void GetCurrentKeyRing_KeyRingCached_AfterExpiration_ClearsCache() + { + // Arrange + var now = StringToDateTime("2015-03-01 00:00:00Z"); + var expectedKeyRing1 = new Mock().Object; + var expectedKeyRing2 = new Mock().Object; + var mockCacheableKeyRingProvider = new Mock(); + mockCacheableKeyRingProvider + .Setup(o => o.GetCacheableKeyRing(now)) + .Returns(new CacheableKeyRing( + expirationToken: CancellationToken.None, + expirationTime: StringToDateTime("2015-03-01 00:30:00Z"), // expire in half an hour + keyRing: expectedKeyRing1)); + mockCacheableKeyRingProvider + .Setup(o => o.GetCacheableKeyRing(now + TimeSpan.FromHours(1))) + .Returns(new CacheableKeyRing( + expirationToken: CancellationToken.None, + expirationTime: StringToDateTime("2015-03-02 00:00:00Z"), + keyRing: expectedKeyRing2)); + + var keyRingProvider = CreateKeyRingProvider(mockCacheableKeyRingProvider.Object); + + // Act + var retVal1 = keyRingProvider.GetCurrentKeyRingCore(now); + var retVal2 = keyRingProvider.GetCurrentKeyRingCore(now + TimeSpan.FromHours(1)); + + // Assert - underlying provider only should have been called once + Assert.Same(expectedKeyRing1, retVal1); + Assert.Same(expectedKeyRing2, retVal2); + mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(It.IsAny()), Times.Exactly(2)); 
+ } + + [Fact] + public void GetCurrentKeyRing_ImplementsDoubleCheckLockPatternCorrectly() + { + // Arrange + var now = StringToDateTime("2015-03-01 00:00:00Z"); + var expectedKeyRing = new Mock().Object; + var mockCacheableKeyRingProvider = new Mock(); + var keyRingProvider = CreateKeyRingProvider(mockCacheableKeyRingProvider.Object); + + // This test spawns a background thread which calls GetCurrentKeyRing then waits + // for the foreground thread to call GetCurrentKeyRing. When the foreground thread + // blocks (inside the lock), the background thread will return the cached keyring + // object, and the foreground thread should consume that same object instance. + + TimeSpan testTimeout = TimeSpan.FromSeconds(10); + + Thread foregroundThread = Thread.CurrentThread; + ManualResetEventSlim mreBackgroundThreadHasCalledGetCurrentKeyRing = new ManualResetEventSlim(); + ManualResetEventSlim mreForegroundThreadIsCallingGetCurrentKeyRing = new ManualResetEventSlim(); + var backgroundGetKeyRingTask = Task.Run(() => + { + mockCacheableKeyRingProvider + .Setup(o => o.GetCacheableKeyRing(now)) + .Returns(() => + { + mreBackgroundThreadHasCalledGetCurrentKeyRing.Set(); + Assert.True(mreForegroundThreadIsCallingGetCurrentKeyRing.Wait(testTimeout), "Test timed out."); + SpinWait.SpinUntil(() => (foregroundThread.ThreadState & ThreadState.WaitSleepJoin) != 0, testTimeout); + return new CacheableKeyRing( + expirationToken: CancellationToken.None, + expirationTime: StringToDateTime("2015-03-02 00:00:00Z"), + keyRing: expectedKeyRing); + }); + + return keyRingProvider.GetCurrentKeyRingCore(now); + }); + + Assert.True(mreBackgroundThreadHasCalledGetCurrentKeyRing.Wait(testTimeout), "Test timed out."); + mreForegroundThreadIsCallingGetCurrentKeyRing.Set(); + var foregroundRetVal = keyRingProvider.GetCurrentKeyRingCore(now); + backgroundGetKeyRingTask.Wait(testTimeout); + var backgroundRetVal = backgroundGetKeyRingTask.GetAwaiter().GetResult(); + + // Assert - underlying provider only 
should have been called once + Assert.Same(expectedKeyRing, foregroundRetVal); + Assert.Same(expectedKeyRing, backgroundRetVal); + mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(It.IsAny()), Times.Once); + } + + private static KeyRingProvider CreateKeyRingProvider(ICacheableKeyRingProvider cacheableKeyRingProvider) + { + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(cacheableKeyRingProvider); + return new KeyRingProvider( + keyManager: null, + keyLifetimeOptions: null, + services: serviceCollection.BuildServiceProvider()); + } + + private static ICacheableKeyRingProvider CreateKeyRingProvider(IKeyManager keyManager, IDefaultKeyResolver defaultKeyResolver) + { + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(defaultKeyResolver); + return new KeyRingProvider( + keyManager: keyManager, + keyLifetimeOptions: null, + services: serviceCollection.BuildServiceProvider()); + } + + private static void AssertWithinJitterRange(DateTimeOffset actual, DateTimeOffset now) + { + // The jitter can cause the actual value to fall in the range [now + 80% of refresh period, now + 100% of refresh period) + Assert.InRange(actual, now + TimeSpan.FromHours(24 * 0.8), now + TimeSpan.FromHours(24)); + } + + private static DateTime StringToDateTime(string input) + { + return DateTimeOffset.ParseExact(input, "u", CultureInfo.InvariantCulture).UtcDateTime; + } + + private static IKey CreateKey(string activationDate, string expirationDate, bool isRevoked = false) + { + var mockKey = new Mock(); + mockKey.Setup(o => o.KeyId).Returns(Guid.NewGuid()); + mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); + mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); + mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); + return mockKey.Object; + } + } +} 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs
new file mode 100644
index 0000000000..aa192fc4d6
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs
@@ -0,0 +1,108 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class KeyRingTests + { + [Fact] + public void DefaultAuthenticatedEncryptor_Prop_InstantiationIsDeferred() + { + // Arrange + var expectedEncryptorInstance = new Mock().Object; + + var key1 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance); + var key2 = new MyKey(); + + // Act + var keyRing = new KeyRing(key1.KeyId, new[] { key1, key2 }); + + // Assert + Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Same(expectedEncryptorInstance, keyRing.DefaultAuthenticatedEncryptor); + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Same(expectedEncryptorInstance, keyRing.DefaultAuthenticatedEncryptor); + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); // should've been cached + } + + [Fact] + public void DefaultKeyId_Prop() + { + // Arrange + var key1 = new MyKey(); + var key2 = new MyKey(); + + // Act + var keyRing = new KeyRing(key2.KeyId, new[] { key1, key2 }); + + // Assert + Assert.Equal(key2.KeyId, keyRing.DefaultKeyId); + } + + [Fact] + public void GetAuthenticatedEncryptorByKeyId_DefersInstantiation_AndReturnsRevocationInfo() + { + // Arrange + var expectedEncryptorInstance1 = new Mock().Object; + var expectedEncryptorInstance2 = new Mock().Object; + + var key1 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance1, isRevoked: true); + var key2 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance2); + + // Act + var keyRing = new KeyRing(key2.KeyId, new[] { key1, key2 }); + + // Assert + bool isRevoked; + Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); + 
Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); + Assert.True(isRevoked); + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); + Assert.True(isRevoked); + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(0, key2.NumTimesCreateEncryptorInstanceCalled); + Assert.Same(expectedEncryptorInstance2, keyRing.GetAuthenticatedEncryptorByKeyId(key2.KeyId, out isRevoked)); + Assert.False(isRevoked); + Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); + Assert.Same(expectedEncryptorInstance2, keyRing.GetAuthenticatedEncryptorByKeyId(key2.KeyId, out isRevoked)); + Assert.False(isRevoked); + Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); + Assert.Same(expectedEncryptorInstance2, keyRing.DefaultAuthenticatedEncryptor); + Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); + } + + private sealed class MyKey : IKey + { + public int NumTimesCreateEncryptorInstanceCalled; + private readonly Func _encryptorFactory; + + public MyKey(bool isRevoked = false, IAuthenticatedEncryptor expectedEncryptorInstance = null) + { + CreationDate = DateTimeOffset.Now; + ActivationDate = CreationDate + TimeSpan.FromHours(1); + ExpirationDate = CreationDate + TimeSpan.FromDays(30); + IsRevoked = isRevoked; + KeyId = Guid.NewGuid(); + _encryptorFactory = () => expectedEncryptorInstance ?? new Mock().Object; + } + + public DateTimeOffset ActivationDate { get; } + public DateTimeOffset CreationDate { get; } + public DateTimeOffset ExpirationDate { get; } + public bool IsRevoked { get; } + public Guid KeyId { get; } + + public IAuthenticatedEncryptor CreateEncryptorInstance() + { + NumTimesCreateEncryptorInstanceCalled++; + return _encryptorFactory(); + } + } + } +} 
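Review bot: `GetAuthenticatedEncryptorByKeyId_DefersInstantiation_AndReturnsRevocationInfo` pins that the ring still returns a working encryptor for `key1`, which was built with `isRevoked: true`, but nothing in the test says this is intended or that enforcement is left to the caller. I would add a comment above the first revoked-key assertion, e.g. `// A revoked key is still resolvable; the caller must check isRevoked before trusting data it decrypts.` The class also has no case for a key id that is absent from the ring. The expected result is not visible in this hunk (presumably a null encryptor rather than a fallback to the default key), so a `[Fact]` pinning that behavior would be worth adding.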
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
new file mode 100644
index 0000000000..388b5bc67e
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
@@ -0,0 +1,747 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Xml; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.Logging; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class XmlKeyManagerTests + { + private static readonly XElement serializedDescriptor = XElement.Parse(@" + + + + + "); + + [Fact] + public void Ctor_WithoutEncryptorOrRepository_UsesFallback() + { + // Arrange + var expectedEncryptor = new Mock().Object; + var expectedRepository = new Mock().Object; + var mockFallback = new Mock(); + mockFallback.Setup(o => o.GetKeyEncryptor()).Returns(expectedEncryptor); + mockFallback.Setup(o => o.GetKeyRepository()).Returns(expectedRepository); + + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(mockFallback.Object); + serviceCollection.AddInstance(new Mock().Object); + var services = serviceCollection.BuildServiceProvider(); + + // Act + var keyManager = new XmlKeyManager(services); + + // Assert + Assert.Same(expectedEncryptor, keyManager.KeyEncryptor); + Assert.Same(expectedRepository, keyManager.KeyRepository); + } + + [Fact] + public void Ctor_WithEncryptorButNoRepository_IgnoresFallback_FailsWithServiceNotFound() + { + // Arrange + var mockFallback = new Mock(); + mockFallback.Setup(o => o.GetKeyEncryptor()).Returns(new Mock().Object); + mockFallback.Setup(o => o.GetKeyRepository()).Returns(new Mock().Object); + + var serviceCollection = new 
ServiceCollection(); + serviceCollection.AddInstance(mockFallback.Object); + serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddInstance(new Mock().Object); + var services = serviceCollection.BuildServiceProvider(); + + // Act & assert - we don't care about exception type, only exception message + Exception ex = Assert.ThrowsAny(() => new XmlKeyManager(services)); + Assert.Contains("IXmlRepository", ex.Message); + } + + [Fact] + public void CreateNewKey_Internal_NoEscrowOrEncryption() + { + // Constants + var creationDate = new DateTimeOffset(2014, 01, 01, 0, 0, 0, TimeSpan.Zero); + var activationDate = new DateTimeOffset(2014, 02, 01, 0, 0, 0, TimeSpan.Zero); + var expirationDate = new DateTimeOffset(2014, 03, 01, 0, 0, 0, TimeSpan.Zero); + var keyId = new Guid("3d6d01fd-c0e7-44ae-82dd-013b996b4093"); + + // Arrange - mocks + XElement elementStoredInRepository = null; + string friendlyNameStoredInRepository = null; + var expectedAuthenticatedEncryptor = new Mock().Object; + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.ExportToXml()).Returns(new XmlSerializedDescriptorInfo(serializedDescriptor, typeof(MyDeserializer))); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expectedAuthenticatedEncryptor); + var mockConfiguration = new Mock(); + mockConfiguration.Setup(o => o.CreateNewDescriptor()).Returns(mockDescriptor.Object); + var mockXmlRepository = new Mock(); + mockXmlRepository + .Setup(o => o.StoreElement(It.IsAny(), It.IsAny())) + .Callback((el, friendlyName) => + { + elementStoredInRepository = el; + friendlyNameStoredInRepository = friendlyName; + }); + + // Arrange - services + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(mockXmlRepository.Object); + serviceCollection.AddInstance(mockConfiguration.Object); + var services = serviceCollection.BuildServiceProvider(); + var keyManager = new XmlKeyManager(services); + + // Act & assert + + // The cancellation token should 
not already be fired + var firstCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.False(firstCancellationToken.IsCancellationRequested); + + // After the call to CreateNewKey, the first CT should be fired, + // and we should've gotten a new CT. + var newKey = ((IInternalXmlKeyManager)keyManager).CreateNewKey( + keyId: keyId, + creationDate: creationDate, + activationDate: activationDate, + expirationDate: expirationDate); + var secondCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.True(firstCancellationToken.IsCancellationRequested); + Assert.False(secondCancellationToken.IsCancellationRequested); + + // Does the IKey have the properties we requested? + Assert.Equal(keyId, newKey.KeyId); + Assert.Equal(creationDate, newKey.CreationDate); + Assert.Equal(activationDate, newKey.ActivationDate); + Assert.Equal(expirationDate, newKey.ExpirationDate); + Assert.False(newKey.IsRevoked); + Assert.Same(expectedAuthenticatedEncryptor, newKey.CreateEncryptorInstance()); + + // Finally, was the correct element stored in the repository? + string expectedXml = String.Format(@" + + 2014-01-01T00:00:00Z + 2014-02-01T00:00:00Z + 2014-03-01T00:00:00Z + + + + + + + + ", + typeof(MyDeserializer).AssemblyQualifiedName); + XmlAssert.Equal(expectedXml, elementStoredInRepository); + Assert.Equal("key-3d6d01fd-c0e7-44ae-82dd-013b996b4093", friendlyNameStoredInRepository); + } + + [Fact] + public void CreateNewKey_Internal_WithEscrowAndEncryption() + { + // Constants + var creationDate = new DateTimeOffset(2014, 01, 01, 0, 0, 0, TimeSpan.Zero); + var activationDate = new DateTimeOffset(2014, 02, 01, 0, 0, 0, TimeSpan.Zero); + var expirationDate = new DateTimeOffset(2014, 03, 01, 0, 0, 0, TimeSpan.Zero); + var keyId = new Guid("3d6d01fd-c0e7-44ae-82dd-013b996b4093"); + + // Arrange - mocks + XElement elementStoredInEscrow = null; + Guid? 
keyIdStoredInEscrow = null; + XElement elementStoredInRepository = null; + string friendlyNameStoredInRepository = null; + var expectedAuthenticatedEncryptor = new Mock().Object; + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.ExportToXml()).Returns(new XmlSerializedDescriptorInfo(serializedDescriptor, typeof(MyDeserializer))); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expectedAuthenticatedEncryptor); + var mockConfiguration = new Mock(); + mockConfiguration.Setup(o => o.CreateNewDescriptor()).Returns(mockDescriptor.Object); + var mockXmlRepository = new Mock(); + mockXmlRepository + .Setup(o => o.StoreElement(It.IsAny(), It.IsAny())) + .Callback((el, friendlyName) => + { + elementStoredInRepository = el; + friendlyNameStoredInRepository = friendlyName; + }); + var mockKeyEscrow = new Mock(); + mockKeyEscrow + .Setup(o => o.Store(It.IsAny(), It.IsAny())) + .Callback((innerKeyId, el) => + { + keyIdStoredInEscrow = innerKeyId; + elementStoredInEscrow = el; + }); + + // Arrange - services + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(mockXmlRepository.Object); + serviceCollection.AddInstance(mockConfiguration.Object); + serviceCollection.AddInstance(mockKeyEscrow.Object); + serviceCollection.AddSingleton(); + var services = serviceCollection.BuildServiceProvider(); + var keyManager = new XmlKeyManager(services); + + // Act & assert + + // The cancellation token should not already be fired + var firstCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.False(firstCancellationToken.IsCancellationRequested); + + // After the call to CreateNewKey, the first CT should be fired, + // and we should've gotten a new CT. 
+ var newKey = ((IInternalXmlKeyManager)keyManager).CreateNewKey( + keyId: keyId, + creationDate: creationDate, + activationDate: activationDate, + expirationDate: expirationDate); + var secondCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.True(firstCancellationToken.IsCancellationRequested); + Assert.False(secondCancellationToken.IsCancellationRequested); + + // Does the IKey have the properties we requested? + Assert.Equal(keyId, newKey.KeyId); + Assert.Equal(creationDate, newKey.CreationDate); + Assert.Equal(activationDate, newKey.ActivationDate); + Assert.Equal(expirationDate, newKey.ExpirationDate); + Assert.False(newKey.IsRevoked); + Assert.Same(expectedAuthenticatedEncryptor, newKey.CreateEncryptorInstance()); + + // Was the correct element stored in escrow? + // This should not have gone through the encryptor. + string expectedEscrowXml = String.Format(@" + + 2014-01-01T00:00:00Z + 2014-02-01T00:00:00Z + 2014-03-01T00:00:00Z + + + + + + + + ", + typeof(MyDeserializer).AssemblyQualifiedName); + XmlAssert.Equal(expectedEscrowXml, elementStoredInEscrow); + Assert.Equal(keyId, keyIdStoredInEscrow.Value); + + // Finally, was the correct element stored in the repository? + // This should have gone through the encryptor (which we set to be the null encryptor in this test) + string expectedRepositoryXml = String.Format(@" + + 2014-01-01T00:00:00Z + 2014-02-01T00:00:00Z + 2014-03-01T00:00:00Z + + + + + + + + + + + + ", + typeof(MyDeserializer).AssemblyQualifiedName, + typeof(NullXmlDecryptor).AssemblyQualifiedName); + XmlAssert.Equal(expectedRepositoryXml, elementStoredInRepository); + Assert.Equal("key-3d6d01fd-c0e7-44ae-82dd-013b996b4093", friendlyNameStoredInRepository); + } + + [Fact] + public void CreateNewKey_CallsInternalManager() + { + // Arrange - mocks + DateTimeOffset minCreationDate = DateTimeOffset.UtcNow; + DateTimeOffset? 
actualCreationDate = null; + DateTimeOffset activationDate = minCreationDate + TimeSpan.FromDays(7); + DateTimeOffset expirationDate = activationDate.AddMonths(1); + var mockInternalKeyManager = new Mock(); + mockInternalKeyManager + .Setup(o => o.CreateNewKey(It.IsAny(), It.IsAny(), activationDate, expirationDate)) + .Callback((innerKeyId, innerCreationDate, innerActivationDate, innerExpirationDate) => + { + actualCreationDate = innerCreationDate; + }); + + // Arrange - services + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddInstance(mockInternalKeyManager.Object); + var services = serviceCollection.BuildServiceProvider(); + var keyManager = new XmlKeyManager(services); + + // Act + keyManager.CreateNewKey(activationDate, expirationDate); + + // Assert + Assert.InRange(actualCreationDate.Value, minCreationDate, DateTimeOffset.UtcNow); + } + + [Fact] + public void GetAllKeys_Empty() + { + // Arrange + const string xml = @""; + var activator = new Mock().Object; + + // Act + var keys = RunGetAllKeysCore(xml, activator); + + // Assert + Assert.Equal(0, keys.Count); + } + + [Fact] + public void GetAllKeys_IgnoresUnknownElements() + { + // Arrange + const string xml = @" + + + 2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + 2015-03-01T00:00:00Z + + + + + + + + + 2015-04-01T00:00:00Z + 2015-05-01T00:00:00Z + 2015-06-01T00:00:00Z + + + + + "; + + var encryptorA = new Mock().Object; + var encryptorB = new Mock().Object; + var mockActivator = new Mock(); + mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("deserializer-A", "", encryptorA); + mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("deserializer-B", "", encryptorB); + + // Act + var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); + + // Assert + Assert.Equal(2, keys.Length); + Assert.Equal(new 
Guid("62a72ad9-42d7-4e97-b3fa-05bad5d53d33"), keys[0].KeyId); + Assert.Equal(XmlConvert.ToDateTimeOffset("2015-01-01T00:00:00Z"), keys[0].CreationDate); + Assert.Equal(XmlConvert.ToDateTimeOffset("2015-02-01T00:00:00Z"), keys[0].ActivationDate); + Assert.Equal(XmlConvert.ToDateTimeOffset("2015-03-01T00:00:00Z"), keys[0].ExpirationDate); + Assert.False(keys[0].IsRevoked); + Assert.Same(encryptorA, keys[0].CreateEncryptorInstance()); + Assert.Equal(new Guid("041be4c0-52d7-48b4-8d32-f8c0ff315459"), keys[1].KeyId); + Assert.Equal(XmlConvert.ToDateTimeOffset("2015-04-01T00:00:00Z"), keys[1].CreationDate); + Assert.Equal(XmlConvert.ToDateTimeOffset("2015-05-01T00:00:00Z"), keys[1].ActivationDate); + Assert.Equal(XmlConvert.ToDateTimeOffset("2015-06-01T00:00:00Z"), keys[1].ExpirationDate); + Assert.False(keys[1].IsRevoked); + Assert.Same(encryptorB, keys[1].CreateEncryptorInstance()); + } + + [Fact] + public void GetAllKeys_UnderstandsRevocations() + { + // Arrange + const string xml = @" + + + 2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + 2015-03-01T00:00:00Z + + + + + + 2016-01-01T00:00:00Z + 2016-02-01T00:00:00Z + 2016-03-01T00:00:00Z + + + + + + 2017-01-01T00:00:00Z + 2017-02-01T00:00:00Z + 2017-03-01T00:00:00Z + + + + + + 2018-01-01T00:00:00Z + 2018-02-01T00:00:00Z + 2018-03-01T00:00:00Z + + + + + + + 2014-01-01T00:00:00Z + + + + + 2016-01-01T00:00:00Z + + + + + 2020-01-01T00:00:00Z + + + "; + + var mockActivator = new Mock(); + mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("theDeserializer", "", new Mock().Object); + + // Act + var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); + + // Assert + Assert.Equal(4, keys.Length); + Assert.Equal(new Guid("67f9cdea-83ba-41ed-b160-2b1d0ea30251"), keys[0].KeyId); + Assert.True(keys[0].IsRevoked); + Assert.Equal(new Guid("0cf83742-d175-42a8-94b5-1ec049b354c3"), keys[1].KeyId); + Assert.True(keys[1].IsRevoked); + Assert.Equal(new Guid("21580ac4-c83a-493c-bde6-29a1cc97ca0f"), 
keys[2].KeyId); + Assert.False(keys[2].IsRevoked); + Assert.Equal(new Guid("6bd14f12-0bb8-4822-91d7-04b360de0497"), keys[3].KeyId); + Assert.True(keys[3].IsRevoked); + } + + [Fact] + public void GetAllKeys_PerformsDecryption() + { + // Arrange + const string xml = @" + + + 2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + 2015-03-01T00:00:00Z + + + + + + + "; + + var expectedEncryptor = new Mock().Object; + var mockActivator = new Mock(); + mockActivator.ReturnDecryptedElementGivenDecryptorTypeNameAndInput("theDecryptor", "", ""); + mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("theDeserializer", "", expectedEncryptor); + + // Act + var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); + + // Assert + Assert.Equal(1, keys.Length); + Assert.Equal(new Guid("09712588-ba68-438a-a5ee-fe842b3453b2"), keys[0].KeyId); + Assert.Same(expectedEncryptor, keys[0].CreateEncryptorInstance()); + } + + [Fact] + public void GetAllKeys_SwallowsKeyDeserializationErrors() + { + // Arrange + const string xml = @" + + + + 2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + 2015-03-01T00:00:00Z + + + + + + + 2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + 2015-03-01T00:00:00Z + + + + + "; + + var expectedEncryptor = new Mock().Object; + var mockActivator = new Mock(); + mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("goodDeserializer", "", expectedEncryptor); + mockActivator.Setup(o => o.CreateInstance(It.IsAny(), "badDeserializer")).Throws(new Exception("How exceptional!")); + + // Act + var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); + + // Assert + Assert.Equal(1, keys.Length); + Assert.Equal(new Guid("49c0cda9-0232-4d8c-a541-de20cc5a73d6"), keys[0].KeyId); + Assert.Same(expectedEncryptor, keys[0].CreateEncryptorInstance()); + } + + [Fact] + public void GetAllKeys_WithKeyDeserializationError_LogLevelVerbose_DoesNotWriteSensitiveInformation() + { + // Arrange + const string xml = @" + + + + 
2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + 2015-03-01T00:00:00Z + + + + + + + "; + + var mockActivator = new Mock(); + mockActivator.Setup(o => o.CreateInstance(It.IsAny(), "badDeserializer")).Throws(new Exception("Secret information: 9Z8Y7X6W")); + + var loggerFactory = new StringLoggerFactory(LogLevel.Verbose); + + // Act + RunGetAllKeysCore(xml, mockActivator.Object, loggerFactory).ToArray(); + + // Assert + Assert.False(loggerFactory.ToString().Contains("1A2B3C4D"), "The secret '1A2B3C4D' should not have been logged."); + Assert.False(loggerFactory.ToString().Contains("9Z8Y7X6W"), "The secret '1A2B3C4D' should not have been logged."); + } + + [Fact] + public void GetAllKeys_WithKeyDeserializationError_LogLevelDebug_WritesSensitiveInformation() + { + // Arrange + const string xml = @" + + + + 2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + 2015-03-01T00:00:00Z + + + + + + + "; + + var mockActivator = new Mock(); + mockActivator.Setup(o => o.CreateInstance(It.IsAny(), "badDeserializer")).Throws(new Exception("Secret information: 9Z8Y7X6W")); + + var loggerFactory = new StringLoggerFactory(LogLevel.Debug); + + // Act + RunGetAllKeysCore(xml, mockActivator.Object, loggerFactory).ToArray(); + + // Assert + Assert.True(loggerFactory.ToString().Contains("1A2B3C4D"), "The secret '1A2B3C4D' should have been logged."); + Assert.True(loggerFactory.ToString().Contains("9Z8Y7X6W"), "The secret '9Z8Y7X6W' should have been logged."); + } + + [Fact] + public void GetAllKeys_SurfacesRevocationDeserializationErrors() + { + // Arrange + const string xml = @" + + + 2015-01-01T00:00:00Z + + + "; + + // Act & assert + // Bad GUID will lead to FormatException + Assert.Throws(() => RunGetAllKeysCore(xml, new Mock().Object)); + } + + private static IReadOnlyCollection RunGetAllKeysCore(string xml, IActivator activator, ILoggerFactory loggerFactory = null) + { + // Arrange - mocks + var mockXmlRepository = new Mock(); + mockXmlRepository.Setup(o => 
o.GetAllElements()).Returns(XElement.Parse(xml).Elements().ToArray()); + + // Arrange - services + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(mockXmlRepository.Object); + serviceCollection.AddInstance(activator); + serviceCollection.AddInstance(new Mock().Object); + if (loggerFactory != null) + { + serviceCollection.AddInstance(loggerFactory); + } + var services = serviceCollection.BuildServiceProvider(); + var keyManager = new XmlKeyManager(services); + + // Act + return keyManager.GetAllKeys(); + } + + [Fact] + public void RevokeAllKeys() + { + // Arrange - mocks + XElement elementStoredInRepository = null; + string friendlyNameStoredInRepository = null; + var mockXmlRepository = new Mock(); + mockXmlRepository + .Setup(o => o.StoreElement(It.IsAny(), It.IsAny())) + .Callback((el, friendlyName) => + { + elementStoredInRepository = el; + friendlyNameStoredInRepository = friendlyName; + }); + + // Arrange - services + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(mockXmlRepository.Object); + serviceCollection.AddInstance(new Mock().Object); + var services = serviceCollection.BuildServiceProvider(); + var keyManager = new XmlKeyManager(services); + + var revocationDate = XmlConvert.ToDateTimeOffset("2015-03-01T19:13:19.7573854-08:00"); + + // Act & assert + + // The cancellation token should not already be fired + var firstCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.False(firstCancellationToken.IsCancellationRequested); + + // After the call to RevokeAllKeys, the first CT should be fired, + // and we should've gotten a new CT. + keyManager.RevokeAllKeys(revocationDate, "Here's some reason text."); + var secondCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.True(firstCancellationToken.IsCancellationRequested); + Assert.False(secondCancellationToken.IsCancellationRequested); + + // Was the correct element stored in the repository? 
+ const string expectedRepositoryXml = @" + + 2015-03-01T19:13:19.7573854-08:00 + + + Here's some reason text. + "; + XmlAssert.Equal(expectedRepositoryXml, elementStoredInRepository); + Assert.Equal("revocation-20150302T0313197573854Z", friendlyNameStoredInRepository); + } + + [Fact] + public void RevokeSingleKey_Internal() + { + // Arrange - mocks + XElement elementStoredInRepository = null; + string friendlyNameStoredInRepository = null; + var mockXmlRepository = new Mock(); + mockXmlRepository + .Setup(o => o.StoreElement(It.IsAny(), It.IsAny())) + .Callback((el, friendlyName) => + { + elementStoredInRepository = el; + friendlyNameStoredInRepository = friendlyName; + }); + + // Arrange - services + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(mockXmlRepository.Object); + serviceCollection.AddInstance(new Mock().Object); + var services = serviceCollection.BuildServiceProvider(); + var keyManager = new XmlKeyManager(services); + + var revocationDate = DateTimeOffset.UtcNow; + + // Act & assert + + // The cancellation token should not already be fired + var firstCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.False(firstCancellationToken.IsCancellationRequested); + + // After the call to RevokeKey, the first CT should be fired, + // and we should've gotten a new CT. + ((IInternalXmlKeyManager)keyManager).RevokeSingleKey( + keyId: new Guid("a11f35fc-1fed-4bd4-b727-056a63b70932"), + revocationDate: new DateTimeOffset(2014, 01, 01, 0, 0, 0, TimeSpan.Zero), + reason: "Here's some reason text."); + var secondCancellationToken = keyManager.GetCacheExpirationToken(); + Assert.True(firstCancellationToken.IsCancellationRequested); + Assert.False(secondCancellationToken.IsCancellationRequested); + + // Was the correct element stored in the repository? + const string expectedRepositoryXml = @" + + 2014-01-01T00:00:00Z + + Here's some reason text. 
+ "; + XmlAssert.Equal(expectedRepositoryXml, elementStoredInRepository); + Assert.Equal("revocation-a11f35fc-1fed-4bd4-b727-056a63b70932", friendlyNameStoredInRepository); + } + + [Fact] + public void RevokeKey_CallsInternalManager() + { + // Arrange - mocks + var keyToRevoke = new Guid("a11f35fc-1fed-4bd4-b727-056a63b70932"); + DateTimeOffset minRevocationDate = DateTimeOffset.UtcNow; + DateTimeOffset? actualRevocationDate = null; + var mockInternalKeyManager = new Mock(); + mockInternalKeyManager + .Setup(o => o.RevokeSingleKey(keyToRevoke, It.IsAny(), "Here's some reason text.")) + .Callback((innerKeyId, innerRevocationDate, innerReason) => + { + actualRevocationDate = innerRevocationDate; + }); + + // Arrange - services + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddInstance(mockInternalKeyManager.Object); + var services = serviceCollection.BuildServiceProvider(); + var keyManager = new XmlKeyManager(services); + + // Act + keyManager.RevokeKey(keyToRevoke, "Here's some reason text."); + + // Assert + Assert.InRange(actualRevocationDate.Value, minRevocationDate, DateTimeOffset.UtcNow); + } + + private class MyDeserializer : IAuthenticatedEncryptorDescriptorDeserializer + { + public IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element) + { + throw new NotImplementedException(); + } + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs index 812e9bf653..9f5ae98d5f 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs 
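Review bot: In `GetAllKeys_WithKeyDeserializationError_LogLevelVerbose_DoesNotWriteSensitiveInformation` the second assertion searches the log for `9Z8Y7X6W` but its failure message names `1A2B3C4D`, so a leak of the exception text would be reported against the wrong secret. It should read `Assert.False(loggerFactory.ToString().Contains("9Z8Y7X6W"), "The secret '9Z8Y7X6W' should not have been logged.");`. The sibling `..._LogLevelDebug_WritesSensitiveInformation` test deliberately pins that both the key XML marker and the exception text reach the log at `LogLevel.Debug`. A comment there would keep that contract visible to whoever configures logging, e.g. `// Debug-level logging intentionally includes key material; it must not be enabled where logs are shipped or shared.`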
@@ -5,10 +5,9 @@ using System; using System.Linq; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.DataProtection.Managed; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test.Managed +namespace Microsoft.AspNet.DataProtection.Managed { public class ManagedAuthenticatedEncryptorTests { diff --git a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs new file mode 100644 index 0000000000..92cc02c25c --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs 
@@ -0,0 +1,63 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.XmlEncryption; +using Moq; + +namespace Microsoft.AspNet.DataProtection +{ + internal static class MockExtensions + { + /// + /// Sets up a mock such that given the name of a deserializer class and the XML node that class's + /// Import method should expect returns a descriptor which produces the given authenticator. + /// + public static void ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput(this Mock mockActivator, string typeName, string xml, IAuthenticatedEncryptor encryptor) + { + mockActivator + .Setup(o => o.CreateInstance(typeof(IAuthenticatedEncryptorDescriptorDeserializer), typeName)) + .Returns(() => + { + var mockDeserializer = new Mock(); + mockDeserializer + .Setup(o => o.ImportFromXml(It.IsAny())) + .Returns(el => + { + // Only return the descriptor if the XML matches + XmlAssert.Equal(xml, el); + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(encryptor); + return mockDescriptor.Object; + }); + return mockDeserializer.Object; + }); + } + + /// + /// Sets up a mock such that given the name of a decryptor class and the XML node that class's + /// Decrypt method should expect returns the specified XML elmeent. 
+ /// + public static void ReturnDecryptedElementGivenDecryptorTypeNameAndInput(this Mock mockActivator, string typeName, string expectedInputXml, string outputXml) + { + mockActivator + .Setup(o => o.CreateInstance(typeof(IXmlDecryptor), typeName)) + .Returns(() => + { + var mockDecryptor = new Mock(); + mockDecryptor + .Setup(o => o.Decrypt(It.IsAny())) + .Returns(el => + { + // Only return the descriptor if the XML matches + XmlAssert.Equal(expectedInputXml, el); + return XElement.Parse(outputXml); + }); + return mockDecryptor.Object; + }); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs new file mode 100644 index 0000000000..12f2818957 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs 
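Review bot: The doc comment on `ReturnDecryptedElementGivenDecryptorTypeNameAndInput` misspells "element" as "elmeent", and the inline comment in its `Decrypt` callback, `// Only return the descriptor if the XML matches`, was carried over from the deserializer helper above even though this callback returns an `XElement`. In both helpers `XmlAssert.Equal` presumably throws on a mismatch rather than declining to match, so the comment reads more accurately as `// Fail the test if the mock is handed unexpected XML`. That matters to a reader because a wrong input here surfaces as an assertion failure inside the code under test, not as a null return.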
@@ -0,0 +1,282 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Security.Cryptography; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNet.Testing.xunit; +using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.OptionsModel; +using Microsoft.Win32; +using Xunit; + +namespace Microsoft.AspNet.DataProtection +{ + public class RegistryPolicyResolverTests + { + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_NoEntries_ResultsInNoPolicies() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["unused"] = 42 + }); + + Assert.Empty(serviceCollection); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_KeyEscrowSinks() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["KeyEscrowSinks"] = String.Join(" ;; ; ", new Type[] { typeof(MyKeyEscrowSink1), typeof(MyKeyEscrowSink2) }.Select(t => t.AssemblyQualifiedName)) + }); + + var services = serviceCollection.BuildServiceProvider(); + var actualKeyEscrowSinks = services.GetService>().ToArray(); + Assert.Equal(2, actualKeyEscrowSinks.Length); + Assert.IsType(typeof(MyKeyEscrowSink1), actualKeyEscrowSinks[0]); + Assert.IsType(typeof(MyKeyEscrowSink2), actualKeyEscrowSinks[1]); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_DefaultKeyLifetime() + { + IServiceCollection 
serviceCollection = new ServiceCollection(); + serviceCollection.AddOptions(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["DefaultKeyLifetime"] = 1024 // days + }); + + var services = serviceCollection.BuildServiceProvider(); + var keyLifetimeOptions = services.GetService>(); + Assert.Equal(TimeSpan.FromDays(1024), keyLifetimeOptions.Options.NewKeyLifetime); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_CngCbcEncryption_WithoutExplicitSettings() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["EncryptionType"] = "cng-cbc" + }); + + var services = serviceCollection.BuildServiceProvider(); + var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions()); + var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)services.GetService(); + + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.Options.HashAlgorithm, actualConfiguration.Options.HashAlgorithm); + Assert.Equal(expectedConfiguration.Options.HashAlgorithmProvider, actualConfiguration.Options.HashAlgorithmProvider); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_CngCbcEncryption_WithExplicitSettings() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["EncryptionType"] = "cng-cbc", + ["EncryptionAlgorithm"] = "enc-alg", + ["EncryptionAlgorithmKeySize"] = 2048, + 
["EncryptionAlgorithmProvider"] = "my-enc-alg-provider", + ["HashAlgorithm"] = "hash-alg", + ["HashAlgorithmProvider"] = "my-hash-alg-provider" + }); + + var services = serviceCollection.BuildServiceProvider(); + var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = "enc-alg", + EncryptionAlgorithmKeySize = 2048, + EncryptionAlgorithmProvider = "my-enc-alg-provider", + HashAlgorithm = "hash-alg", + HashAlgorithmProvider = "my-hash-alg-provider" + }); + var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)services.GetService(); + + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.Options.HashAlgorithm, actualConfiguration.Options.HashAlgorithm); + Assert.Equal(expectedConfiguration.Options.HashAlgorithmProvider, actualConfiguration.Options.HashAlgorithmProvider); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_CngGcmEncryption_WithoutExplicitSettings() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["EncryptionType"] = "cng-gcm" + }); + + var services = serviceCollection.BuildServiceProvider(); + var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions()); + var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)services.GetService(); + + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); + 
Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_CngGcmEncryption_WithExplicitSettings() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["EncryptionType"] = "cng-gcm", + ["EncryptionAlgorithm"] = "enc-alg", + ["EncryptionAlgorithmKeySize"] = 2048, + ["EncryptionAlgorithmProvider"] = "my-enc-alg-provider" + }); + + var services = serviceCollection.BuildServiceProvider(); + var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions() + { + EncryptionAlgorithm = "enc-alg", + EncryptionAlgorithmKeySize = 2048, + EncryptionAlgorithmProvider = "my-enc-alg-provider" + }); + var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)services.GetService(); + + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_ManagedEncryption_WithoutExplicitSettings() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["EncryptionType"] = "managed" + }); + + var services = serviceCollection.BuildServiceProvider(); + var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new 
ManagedAuthenticatedEncryptionOptions()); + var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService(); + + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmType, actualConfiguration.Options.EncryptionAlgorithmType); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Options.ValidationAlgorithmType, actualConfiguration.Options.ValidationAlgorithmType); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void ResolvePolicy_ManagedEncryption_WithExplicitSettings() + { + IServiceCollection serviceCollection = new ServiceCollection(); + RunTestWithRegValues(serviceCollection, new Dictionary() + { + ["EncryptionType"] = "managed", + ["EncryptionAlgorithmType"] = typeof(TripleDES).AssemblyQualifiedName, + ["EncryptionAlgorithmKeySize"] = 2048, + ["ValidationAlgorithmType"] = typeof(HMACMD5).AssemblyQualifiedName + }); + + var services = serviceCollection.BuildServiceProvider(); + var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions() + { + EncryptionAlgorithmType = typeof(TripleDES), + EncryptionAlgorithmKeySize = 2048, + ValidationAlgorithmType = typeof(HMACMD5) + }); + var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService(); + + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmType, actualConfiguration.Options.EncryptionAlgorithmType); + Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Options.ValidationAlgorithmType, actualConfiguration.Options.ValidationAlgorithmType); + } + + private static void RunTestWithRegValues(IServiceCollection services, Dictionary regValues) + { + WithUniqueTempRegKey(registryKey => + { + foreach (var entry in regValues) + { 
+ registryKey.SetValue(entry.Key, entry.Value); + } + + var policyResolver = new RegistryPolicyResolver(registryKey); + services.Add(policyResolver.ResolvePolicy()); + }); + } + + /// + /// Runs a test and cleans up the registry key afterward. + /// + private static void WithUniqueTempRegKey(Action testCode) + { + string uniqueName = Guid.NewGuid().ToString(); + var uniqueSubkey = LazyHkcuTempKey.Value.CreateSubKey(uniqueName); + try + { + testCode(uniqueSubkey); + } + finally + { + // clean up when test is done + LazyHkcuTempKey.Value.DeleteSubKeyTree(uniqueName, throwOnMissingSubKey: false); + } + } + + private static readonly Lazy LazyHkcuTempKey = new Lazy(() => + { + try + { + return Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\ASP.NET\temp"); + } + catch + { + // swallow all failures + return null; + } + }); + + private class ConditionalRunTestOnlyIfHkcuRegistryAvailable : Attribute, ITestCondition + { + public bool IsMet => (LazyHkcuTempKey.Value != null); + + public string SkipReason { get; } = "HKCU registry couldn't be opened."; + } + + private class MyKeyEscrowSink1 : IKeyEscrowSink + { + public void Store(Guid keyId, XElement element) + { + throw new NotImplementedException(); + } + } + + private class MyKeyEscrowSink2 : IKeyEscrowSink + { + public void Store(Guid keyId, XElement element) + { + throw new NotImplementedException(); + } + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs new file mode 100644 index 0000000000..3c9c2dd57c --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs 
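Review bot: Every case in this file feeds the resolver a well-formed registry value, so nothing pins what happens when `KeyEscrowSinks`, `EncryptionAlgorithmType` or `ValidationAlgorithmType` names a type that cannot be loaded or does not implement the expected contract. These values are turned into types (the tests write `AssemblyQualifiedName` strings and get instances back), so one negative case per value, for example `["KeyEscrowSinks"] = typeof(string).AssemblyQualifiedName`, would document that a bad policy fails loudly instead of being ignored; the expected failure mode depends on `RegistryPolicyResolver`, which is not part of this hunk. In `ResolvePolicy_ManagedEncryption_WithExplicitSettings` I would also add `// deliberately non-default algorithms, used only to prove the registry values are honoured` next to `TripleDES` and `HMACMD5`, so the values are not read as a recommended configuration.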
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection.Repositories
+{
+ public class EphemeralXmlRepositoryTests
+ {
+ [Fact]
+ public void GetAllElements_Empty()
+ {
+ // Arrange
+ var repository = new EphemeralXmlRepository(null);
+
+ // Act & assert
+ Assert.Empty(repository.GetAllElements());
+ }
+
+ [Fact]
+ public void Store_Then_Get()
+ {
+ // Arrange
+ var element1 = XElement.Parse(@"");
+ var element2 = XElement.Parse(@"");
+ var element3 = XElement.Parse(@"");
+ var repository = new EphemeralXmlRepository(null);
+
+ // Act & assert
+ repository.StoreElement(element1, "Invalid friendly name."); // nobody should care about the friendly name
+ repository.StoreElement(element2, "abcdefg");
+ Assert.Equal(new[] { element1, element2 }, repository.GetAllElements(), XmlAssert.EqualityComparer);
+ repository.StoreElement(element3, null);
+ Assert.Equal(new[] { element1, element2, element3 }, repository.GetAllElements(), XmlAssert.EqualityComparer);
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
new file mode 100644
index 0000000000..829acad4cb
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
@@ -0,0 +1,166 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.IO; +using System.Linq; +using System.Xml.Linq; +using Microsoft.AspNet.Testing.xunit; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.Repositories +{ + public class FileSystemXmlRepositoryTests + { + [ConditionalFact] + [ConditionalRunTestOnlyIfLocalAppDataAvailable] + public void DefaultKeyStorageDirectory_Property() + { + // Act + var defaultDirInfo = FileSystemXmlRepository.DefaultKeyStorageDirectory; + + // Assert + Assert.Equal(defaultDirInfo.FullName, + new DirectoryInfo(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ASP.NET", "DataProtection-Keys")).FullName); + } + + [Fact] + public void Directory_Property() + { + WithUniqueTempDirectory(dirInfo => + { + // Arrange + var repository = new FileSystemXmlRepository(dirInfo); + + // Act + var retVal = repository.Directory; + + // Assert + Assert.Equal(dirInfo, retVal); + }); + } + + [Fact] + public void GetAllElements_EmptyOrNonexistentDirectory_ReturnsEmptyCollection() + { + WithUniqueTempDirectory(dirInfo => + { + // Arrange + var repository = new FileSystemXmlRepository(dirInfo); + + // Act + var allElements = repository.GetAllElements(); + + // Assert + Assert.Equal(0, allElements.Count); + }); + } + + [Fact] + public void StoreElement_WithValidFriendlyName_UsesFriendlyName() + { + WithUniqueTempDirectory(dirInfo => + { + // Arrange + var element = XElement.Parse(""); + var repository = new FileSystemXmlRepository(dirInfo); + + // Act + repository.StoreElement(element, "valid-friendly-name"); + + // Assert + var fileInfos = dirInfo.GetFiles(); + var fileInfo = fileInfos.Single(); // only one file should've been created + + // filename should be "valid-friendly-name.xml" + Assert.Equal("valid-friendly-name.xml", 
fileInfo.Name, StringComparer.OrdinalIgnoreCase); + + // file contents should be "" + var parsedElement = XElement.Parse(File.ReadAllText(fileInfo.FullName)); + XmlAssert.Equal("", parsedElement); + }); + } + + [Theory] + [InlineData(null)] + [InlineData("")] + [InlineData(" ")] + [InlineData("..")] + [InlineData("not*friendly")] + public void StoreElement_WithInvalidFriendlyName_CreatesNewGuidAsName(string friendlyName) + { + WithUniqueTempDirectory(dirInfo => + { + // Arrange + var element = XElement.Parse(""); + var repository = new FileSystemXmlRepository(dirInfo); + + // Act + repository.StoreElement(element, friendlyName); + + // Assert + var fileInfos = dirInfo.GetFiles(); + var fileInfo = fileInfos.Single(); // only one file should've been created + + // filename should be "{GUID}.xml" + var filename = fileInfo.Name; + Assert.EndsWith(".xml", filename, StringComparison.OrdinalIgnoreCase); + var filenameNoSuffix = filename.Substring(0, filename.Length - ".xml".Length); + Guid parsedGuid = Guid.Parse(filenameNoSuffix); + Assert.NotEqual(Guid.Empty, parsedGuid); + + // file contents should be "" + var parsedElement = XElement.Parse(File.ReadAllText(fileInfo.FullName)); + XmlAssert.Equal("", parsedElement); + }); + } + + [Fact] + public void StoreElements_ThenRetrieve_SeesAllElements() + { + WithUniqueTempDirectory(dirInfo => + { + // Arrange + var repository = new FileSystemXmlRepository(dirInfo); + + // Act + repository.StoreElement(new XElement("element1"), friendlyName: null); + repository.StoreElement(new XElement("element2"), friendlyName: null); + repository.StoreElement(new XElement("element3"), friendlyName: null); + var allElements = repository.GetAllElements(); + + // Assert + var orderedNames = allElements.Select(el => el.Name.LocalName).OrderBy(name => name); + Assert.Equal(new[] { "element1", "element2", "element3" }, orderedNames); + }); + } + + /// + /// Runs a test and cleans up the temp directory afterward. 
+ /// + private static void WithUniqueTempDirectory(Action testCode) + { + string uniqueTempPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString()); + var dirInfo = new DirectoryInfo(uniqueTempPath); + try + { + testCode(dirInfo); + } + finally + { + // clean up when test is done + if (dirInfo.Exists) + { + dirInfo.Delete(recursive: true); + } + } + } + + private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition + { + public bool IsMet => (Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null); + + public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs new file mode 100644 index 0000000000..ce9178e092 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs 
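Review bot: The rejected-name cases in `StoreElement_WithInvalidFriendlyName_CreatesNewGuidAsName` stop at `".."` and `"not*friendly"`, so no case puts a directory separator into a friendly name that ends up as a file name. Adding `[InlineData("..\\sibling")]` and `[InlineData("sub/dir")]` would pin that such names fall back to a GUID and that the single file stays inside `dirInfo`; whether the repository already rejects them cannot be seen from this hunk. Separately, `ConditionalRunTestOnlyIfLocalAppDataAvailable.IsMet` compares `Environment.GetFolderPath(...)` with `null`, but that method returns an empty string when the folder is unavailable, so the condition is always true. `!String.IsNullOrEmpty(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData))` would skip as intended.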
@@ -0,0 +1,166 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Linq; +using System.Xml.Linq; +using Microsoft.AspNet.Testing.xunit; +using Microsoft.Win32; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.Repositories +{ + public class RegistryXmlRepositoryTests + { + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void RegistryKey_Property() + { + WithUniqueTempRegKey(regKey => + { + // Arrange + var repository = new RegistryXmlRepository(regKey); + + // Act + var retVal = repository.RegistryKey; + + // Assert + Assert.Equal(regKey, retVal); + }); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void GetAllElements_EmptyOrNonexistentDirectory_ReturnsEmptyCollection() + { + WithUniqueTempRegKey(regKey => + { + // Arrange + var repository = new RegistryXmlRepository(regKey); + + // Act + var allElements = repository.GetAllElements(); + + // Assert + Assert.Equal(0, allElements.Count); + }); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void StoreElement_WithValidFriendlyName_UsesFriendlyName() + { + WithUniqueTempRegKey(regKey => + { + // Arrange + var element = XElement.Parse(""); + var repository = new RegistryXmlRepository(regKey); + + // Act + repository.StoreElement(element, "valid-friendly-name"); + + // Assert + var valueNames = regKey.GetValueNames(); + var valueName = valueNames.Single(); // only one value should've been created + + // value name should be "valid-friendly-name" + Assert.Equal("valid-friendly-name", valueName, StringComparer.OrdinalIgnoreCase); + + // value contents should be "" + var parsedElement = XElement.Parse(regKey.GetValue(valueName) as string); + XmlAssert.Equal("", parsedElement); + }); + } + + [ConditionalTheory] + 
[ConditionalRunTestOnlyIfHkcuRegistryAvailable] + [InlineData(null)] + [InlineData("")] + [InlineData(" ")] + [InlineData("..")] + [InlineData("not*friendly")] + public void StoreElement_WithInvalidFriendlyName_CreatesNewGuidAsName(string friendlyName) + { + WithUniqueTempRegKey(regKey => + { + // Arrange + var element = XElement.Parse(""); + var repository = new RegistryXmlRepository(regKey); + + // Act + repository.StoreElement(element, friendlyName); + + // Assert + var valueNames = regKey.GetValueNames(); + var valueName = valueNames.Single(); // only one value should've been created + + // value name should be "{GUID}" + Guid parsedGuid = Guid.Parse(valueName as string); + Assert.NotEqual(Guid.Empty, parsedGuid); + + // value contents should be "" + var parsedElement = XElement.Parse(regKey.GetValue(valueName) as string); + XmlAssert.Equal("", parsedElement); + }); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void StoreElements_ThenRetrieve_SeesAllElements() + { + WithUniqueTempRegKey(regKey => + { + // Arrange + var repository = new RegistryXmlRepository(regKey); + + // Act + repository.StoreElement(new XElement("element1"), friendlyName: null); + repository.StoreElement(new XElement("element2"), friendlyName: null); + repository.StoreElement(new XElement("element3"), friendlyName: null); + var allElements = repository.GetAllElements(); + + // Assert + var orderedNames = allElements.Select(el => el.Name.LocalName).OrderBy(name => name); + Assert.Equal(new[] { "element1", "element2", "element3" }, orderedNames); + }); + } + + /// + /// Runs a test and cleans up the registry key afterward. 
+ /// + private static void WithUniqueTempRegKey(Action testCode) + { + string uniqueName = Guid.NewGuid().ToString(); + var uniqueSubkey = LazyHkcuTempKey.Value.CreateSubKey(uniqueName); + try + { + testCode(uniqueSubkey); + } + finally + { + // clean up when test is done + LazyHkcuTempKey.Value.DeleteSubKeyTree(uniqueName, throwOnMissingSubKey: false); + } + } + + private static readonly Lazy LazyHkcuTempKey = new Lazy(() => + { + try + { + return Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\ASP.NET\temp"); + } + catch + { + // swallow all failures + return null; + } + }); + + private class ConditionalRunTestOnlyIfHkcuRegistryAvailable : Attribute, ITestCondition + { + public bool IsMet => (LazyHkcuTempKey.Value != null); + + public string SkipReason { get; } = "HKCU registry couldn't be opened."; + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs b/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs index 69ac3097bf..d37d696d07 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs @@ -4,11 +4,11 @@ using System; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.DataProtection.SP800_108; +using Microsoft.AspNet.DataProtection.Test.Shared; using Microsoft.AspNet.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test.SP800_108 +namespace Microsoft.AspNet.DataProtection.SP800_108 { public unsafe class SP800_108Tests { 
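Review bot: `WithUniqueTempRegKey` never disposes the `RegistryKey` returned by `CreateSubKey`, so each test leaves a handle open until finalization, and `DeleteSubKeyTree` runs in the `finally` while that handle is still open. Scoping it inside the `try` as `using (var uniqueSubkey = LazyHkcuTempKey.Value.CreateSubKey(uniqueName)) { testCode(uniqueSubkey); }` closes it before the cleanup; the identical helper in RegistryPolicyResolverTests.cs has the same issue. The bare `catch` in `LazyHkcuTempKey` also deserves a more specific comment than "swallow all failures", for example `// any failure to open the key means these tests are skipped, not failed`, since that is how `IsMet` uses the null.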
@@ -35,7 +35,7 @@ namespace Microsoft.AspNet.DataProtection.Test.SP800_108 // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). [ConditionalTheory] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] [InlineData(512 / 8 - 1, "V47WmHzPSkdC2vkLAomIjCzZlDOAetll3yJLcSvon7LJFjJpEN+KnSNp+gIpeydKMsENkflbrIZ/3s6GkEaH")] [InlineData(512 / 8 + 0, "mVaFM4deXLl610CmnCteNzxgbM/VkmKznAlPauHcDBn0le06uOjAKLHx0LfoU2/Ttq9nd78Y6Nk6wArmdwJgJg==")] [InlineData(512 / 8 + 1, "GaHPeqdUxriFpjRtkYQYWr5/iqneD/+hPhVJQt4rXblxSpB1UUqGqL00DMU/FJkX0iMCfqUjQXtXyfks+p++Ev4=")] @@ -54,7 +54,7 @@ namespace Microsoft.AspNet.DataProtection.Test.SP800_108 // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). [ConditionalTheory] - [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + [ConditionalRunTestOnlyOnWindows8OrLater] [InlineData(512 / 8 - 1, "V47WmHzPSkdC2vkLAomIjCzZlDOAetll3yJLcSvon7LJFjJpEN+KnSNp+gIpeydKMsENkflbrIZ/3s6GkEaH")] [InlineData(512 / 8 + 0, "mVaFM4deXLl610CmnCteNzxgbM/VkmKznAlPauHcDBn0le06uOjAKLHx0LfoU2/Ttq9nd78Y6Nk6wArmdwJgJg==")] [InlineData(512 / 8 + 1, "GaHPeqdUxriFpjRtkYQYWr5/iqneD/+hPhVJQt4rXblxSpB1UUqGqL00DMU/FJkX0iMCfqUjQXtXyfks+p++Ev4=")] 
@@ -96,7 +96,7 @@ namespace Microsoft.AspNet.DataProtection.Test.SP800_108 // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). [ConditionalTheory] - [ConditionalRunTestOnlyIfBcryptAvailable] + [ConditionalRunTestOnlyOnWindows] [InlineData(512 / 8 - 1, "rt2hM6kkQ8hAXmkHx0TU4o3Q+S7fie6b3S1LAq107k++P9v8uSYA2G+WX3pJf9ZkpYrTKD7WUIoLkgA1R9lk")] [InlineData(512 / 8 + 0, "RKiXmHSrWq5gkiRSyNZWNJrMR0jDyYHJMt9odOayRAE5wLSX2caINpQmfzTH7voJQi3tbn5MmD//dcspghfBiw==")] [InlineData(512 / 8 + 1, "KedXO0zAIZ3AfnPqY1NnXxpC3HDHIxefG4bwD3g6nWYEc5+q7pjbam71Yqj0zgHMNC9Z7BX3wS1/tajFocRWZUk=")] @@ -120,7 +120,7 @@ namespace Microsoft.AspNet.DataProtection.Test.SP800_108 // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF (which is hardcoded to HMACSHA512). [ConditionalTheory] - [ConditionalRunTestOnlyIfBcryptAvailable("BCryptKeyDerivation")] + [ConditionalRunTestOnlyOnWindows8OrLater] [InlineData(512 / 8 - 1, "rt2hM6kkQ8hAXmkHx0TU4o3Q+S7fie6b3S1LAq107k++P9v8uSYA2G+WX3pJf9ZkpYrTKD7WUIoLkgA1R9lk")] [InlineData(512 / 8 + 0, "RKiXmHSrWq5gkiRSyNZWNJrMR0jDyYHJMt9odOayRAE5wLSX2caINpQmfzTH7voJQi3tbn5MmD//dcspghfBiw==")] [InlineData(512 / 8 + 1, "KedXO0zAIZ3AfnPqY1NnXxpC3HDHIxefG4bwD3g6nWYEc5+q7pjbam71Yqj0zgHMNC9Z7BX3wS1/tajFocRWZUk=")] diff --git a/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs b/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs new file mode 100644 index 0000000000..ec4f5e0b7c --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs 
@@ -0,0 +1,45 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ ///
+ /// Helpful ISecret-based assertions.
+ ///
+ public static class SecretAssert
+ {
+ ///
+ /// Asserts that two instances contain the same material.
+ ///
+ public static void Equal(ISecret secret1, ISecret secret2)
+ {
+ Assert.Equal(SecretToBase64String(secret1), SecretToBase64String(secret2));
+ }
+
+ ///
+ /// Asserts that has the length specified by .
+ ///
+ public static void LengthIs(int expectedLengthInBits, ISecret secret)
+ {
+ Assert.Equal(expectedLengthInBits, checked(secret.Length * 8));
+ }
+
+ ///
+ /// Asserts that two instances do not contain the same material.
+ ///
+ public static void NotEqual(ISecret secret1, ISecret secret2)
+ {
+ Assert.NotEqual(SecretToBase64String(secret1), SecretToBase64String(secret2));
+ }
+
+ private static string SecretToBase64String(ISecret secret)
+ {
+ byte[] secretBytes = new byte[secret.Length];
+ secret.WriteSecretIntoBuffer(new ArraySegment(secretBytes));
+ return Convert.ToBase64String(secretBytes);
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs b/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs
new file mode 100644
index 0000000000..d84decfad8
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs
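Review bot: `SecretToBase64String` copies the secret into a managed `byte[]` and then a Base64 string, and `Assert.Equal` / `Assert.NotEqual` would normally print both strings when the assertion fails, so key material ends up in test output. That is fine for fixed test vectors, but the class is `public` and its summary does not say so. I would add to the class comment something like `/// For test key material only: values are copied to managed memory and may appear in assertion failure messages.` Calling `Array.Clear(secretBytes, 0, secretBytes.Length);` after the conversion is cheap, though the returned string still holds the encoded bytes.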
@@ -0,0 +1,269 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.Testing; +using Xunit; + +namespace Microsoft.AspNet.DataProtection +{ + public unsafe class SecretTests + { + [Fact] + public void Ctor_ArraySegment_Default_Throws() + { + // Act & assert + ExceptionAssert.ThrowsArgument( + testCode: () => new Secret(default(ArraySegment)), + paramName: "array", + exceptionMessage: null); + } + + [Fact] + public void Ctor_ArraySegment_Success() + { + // Arrange + var input = new ArraySegment(new byte[] { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 }, 1, 3); + + // Act + var secret = new Secret(input); + input.Array[2] = 0xFF; // mutate original array - secret shouldn't be modified + + // Assert - length + Assert.Equal(3, secret.Length); + + // Assert - managed buffer + var outputSegment = new ArraySegment(new byte[7], 2, 3); + secret.WriteSecretIntoBuffer(outputSegment); + Assert.Equal(new byte[] { 0x20, 0x30, 0x40 }, outputSegment.AsStandaloneArray()); + + // Assert - unmanaged buffer + var outputBuffer = new byte[3]; + fixed (byte* pOutputBuffer = outputBuffer) + { + secret.WriteSecretIntoBuffer(pOutputBuffer, 3); + } + Assert.Equal(new byte[] { 0x20, 0x30, 0x40 }, outputBuffer); + } + + [Fact] + public void Ctor_Buffer_Success() + { + // Arrange + var input = new byte[] { 0x20, 0x30, 0x40 }; + + // Act + var secret = new Secret(input); + input[1] = 0xFF; // mutate original array - secret shouldn't be modified + + // Assert - length + Assert.Equal(3, secret.Length); + + // Assert - managed buffer + var outputSegment = new ArraySegment(new byte[7], 2, 3); + secret.WriteSecretIntoBuffer(outputSegment); + Assert.Equal(new byte[] { 0x20, 0x30, 0x40 }, outputSegment.AsStandaloneArray()); + + // Assert - unmanaged buffer + var outputBuffer = new byte[3]; + fixed (byte* pOutputBuffer = outputBuffer) + { 
+ secret.WriteSecretIntoBuffer(pOutputBuffer, 3); + } + Assert.Equal(new byte[] { 0x20, 0x30, 0x40 }, outputBuffer); + } + + [Fact] + public void Ctor_Buffer_ZeroLength_Success() + { + // Act + var secret = new Secret(new byte[0]); + + // Assert - none of these methods should throw + Assert.Equal(0, secret.Length); + secret.WriteSecretIntoBuffer(new ArraySegment(new byte[0])); + byte dummy; + secret.WriteSecretIntoBuffer(&dummy, 0); + } + + [Fact] + public void Ctor_Pointer_WithNullPointer_ThrowsArgumentNull() + { + // Act & assert + ExceptionAssert2.ThrowsArgumentNull( + testCode: () => new Secret(null, 0), + paramName: "secret"); + } + + [Fact] + public void Ctor_Pointer_WithNegativeLength_ThrowsArgumentOutOfRange() + { + // Act & assert + ExceptionAssert.ThrowsArgumentOutOfRange( + testCode: () => + { + byte dummy; + new Secret(&dummy, -1); + }, + paramName: "secretLength", + exceptionMessage: Resources.Common_ValueMustBeNonNegative); + } + + [Fact] + public void Ctor_Pointer_ZeroLength_Success() + { + // Arrange + byte input; + + // Act + var secret = new Secret(&input, 0); + + // Assert - none of these methods should throw + Assert.Equal(0, secret.Length); + secret.WriteSecretIntoBuffer(new ArraySegment(new byte[0])); + byte dummy; + secret.WriteSecretIntoBuffer(&dummy, 0); + } + + [Fact] + public void Ctor_Pointer_Success() + { + // Arrange + byte* input = stackalloc byte[3]; + input[0] = 0x20; + input[1] = 0x30; + input[2] = 0x40; + + // Act + var secret = new Secret(input, 3); + input[1] = 0xFF; // mutate original buffer - secret shouldn't be modified + + // Assert - length + Assert.Equal(3, secret.Length); + + // Assert - managed buffer + var outputSegment = new ArraySegment(new byte[7], 2, 3); + secret.WriteSecretIntoBuffer(outputSegment); + Assert.Equal(new byte[] { 0x20, 0x30, 0x40 }, outputSegment.AsStandaloneArray()); + + // Assert - unmanaged buffer + var outputBuffer = new byte[3]; + fixed (byte* pOutputBuffer = outputBuffer) + { + 
secret.WriteSecretIntoBuffer(pOutputBuffer, 3); + } + Assert.Equal(new byte[] { 0x20, 0x30, 0x40 }, outputBuffer); + } + + [Fact] + public void Random_ZeroLength_Success() + { + // Act + var secret = Secret.Random(0); + + // Assert + Assert.Equal(0, secret.Length); + } + + [Fact] + public void Random_LengthIsMultipleOf16_Success() + { + // Act + var secret = Secret.Random(32); + + // Assert + Assert.Equal(32, secret.Length); + Guid* pGuids = stackalloc Guid[2]; + secret.WriteSecretIntoBuffer((byte*)pGuids, 32); + Assert.NotEqual(Guid.Empty, pGuids[0]); + Assert.NotEqual(Guid.Empty, pGuids[1]); + Assert.NotEqual(pGuids[0], pGuids[1]); + } + + [Fact] + public void Random_LengthIsNotMultipleOf16_Success() + { + // Act + var secret = Secret.Random(31); + + // Assert + Assert.Equal(31, secret.Length); + Guid* pGuids = stackalloc Guid[2]; + secret.WriteSecretIntoBuffer((byte*)pGuids, 31); + Assert.NotEqual(Guid.Empty, pGuids[0]); + Assert.NotEqual(Guid.Empty, pGuids[1]); + Assert.NotEqual(pGuids[0], pGuids[1]); + Assert.Equal(0, ((byte*)pGuids)[31]); // last byte shouldn't have been overwritten + } + + [Fact] + public void WriteSecretIntoBuffer_ArraySegment_IncorrectlySizedBuffer_Throws() + { + // Arrange + var secret = Secret.Random(16); + + // Act & assert + ExceptionAssert.ThrowsArgument( + testCode: () => secret.WriteSecretIntoBuffer(new ArraySegment(new byte[100])), + paramName: "buffer", + exceptionMessage: Resources.FormatCommon_BufferIncorrectlySized(100, 16)); + } + + [Fact] + public void WriteSecretIntoBuffer_ArraySegment_Disposed_Throws() + { + // Arrange + var secret = Secret.Random(16); + secret.Dispose(); + + // Act & assert + Assert.Throws( + testCode: () => secret.WriteSecretIntoBuffer(new ArraySegment(new byte[16]))); + } + + [Fact] + public void WriteSecretIntoBuffer_Pointer_NullBuffer_Throws() + { + // Arrange + var secret = Secret.Random(16); + + // Act & assert + ExceptionAssert2.ThrowsArgumentNull( + testCode: () => 
secret.WriteSecretIntoBuffer(null, 100), + paramName: "buffer"); + } + + [Fact] + public void WriteSecretIntoBuffer_Pointer_IncorrectlySizedBuffer_Throws() + { + // Arrange + var secret = Secret.Random(16); + + // Act & assert + ExceptionAssert.ThrowsArgument( + testCode: () => + { + byte* pBuffer = stackalloc byte[100]; + secret.WriteSecretIntoBuffer(pBuffer, 100); + }, + paramName: "bufferLength", + exceptionMessage: Resources.FormatCommon_BufferIncorrectlySized(100, 16)); + } + + [Fact] + public void WriteSecretIntoBuffer_Pointer_Disposed_Throws() + { + // Arrange + var secret = Secret.Random(16); + secret.Dispose(); + + // Act & assert + Assert.Throws( + testCode: () => + { + byte* pBuffer = stackalloc byte[16]; + secret.WriteSecretIntoBuffer(pBuffer, 16); + }); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs b/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs index fd449f19c7..505e6f0913 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs @@ -5,7 +5,7 @@ using System; using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.DataProtection.Managed; -namespace Microsoft.AspNet.DataProtection.Test +namespace Microsoft.AspNet.DataProtection { internal unsafe class SequentialGenRandom : IBCryptGenRandom, IManagedGenRandom { diff --git a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs new file mode 100644 index 0000000000..2b2ca32a9e --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs 
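Review bot: `Random_LengthIsNotMultipleOf16_Success` in SecretTests.cs asserts that `((byte*)pGuids)[31]` is 0 to prove the last byte was not overwritten, but nothing in the test writes that byte beforehand. It relies on `stackalloc` memory being zeroed, which the C# language does not guarantee. Initialise the buffer before the call, `pGuids[0] = Guid.Empty; pGuids[1] = Guid.Empty;`, so the check cannot pass or fail by accident. Separately, only the two `*_Disposed_Throws` tests call `secret.Dispose()`; the other tests leave their `Secret` instances undisposed, and a `using` block would release them deterministically.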
@@ -0,0 +1,78 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Globalization; +using System.Text; +using Microsoft.Framework.Logging; + +namespace Microsoft.AspNet.DataProtection +{ + internal sealed class StringLoggerFactory : ILoggerFactory + { + private readonly StringBuilder _log = new StringBuilder(); + + public StringLoggerFactory(LogLevel logLevel) + { + MinimumLevel = logLevel; + } + + public LogLevel MinimumLevel { get; set; } + + public void AddProvider(ILoggerProvider provider) + { + // no-op + } + + public ILogger CreateLogger(string name) + { + return new StringLogger(name, this); + } + + public override string ToString() + { + return _log.ToString(); + } + + private sealed class StringLogger : ILogger + { + private readonly StringLoggerFactory _factory; + private readonly string _name; + + public StringLogger(string name, StringLoggerFactory factory) + { + _name = name; + _factory = factory; + } + + public IDisposable BeginScope(object state) + { + return new DummyDisposable(); + } + + public bool IsEnabled(LogLevel logLevel) + { + return (logLevel >= _factory.MinimumLevel); + } + + public void Log(LogLevel logLevel, int eventId, object state, Exception exception, Func formatter) + { + string message = String.Format(CultureInfo.InvariantCulture, + "Provider: {0}" + Environment.NewLine + + "Log level: {1}" + Environment.NewLine + + "Event id: {2}" + Environment.NewLine + + "Exception: {3}" + Environment.NewLine + + "Message: {4}", _name, logLevel, eventId, exception?.ToString(), formatter(state, exception)); + _factory._log.AppendLine(message); + } + + private sealed class DummyDisposable : IDisposable + { + public void Dispose() + { + // no-op + } + } + } + } +} 
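Review bot: `StringLogger.Log` appends every message regardless of `logLevel`; `MinimumLevel` is consulted only in `IsEnabled`. A caller that logs without checking `IsEnabled` first therefore puts below-threshold entries into the captured text, and a test asserting on `ToString()` can pass or fail for the wrong reason. Start `Log` with `if (!IsEnabled(logLevel)) { return; }`. The shared `StringBuilder` is also appended without synchronisation, so if code under test logs from more than one thread the capture can be corrupted; `lock (_factory._log) { _factory._log.AppendLine(message); }` would cover the write, and `ToString()` would need the same lock.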
diff --git a/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs index 459ced47ee..354078de05 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs @@ -6,7 +6,7 @@ using System.Security.Cryptography; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection.Test +namespace Microsoft.AspNet.DataProtection { public class TimeLimitedDataProtectorTests { diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs new file mode 100644 index 0000000000..e937122773 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs 
@@ -0,0 +1,151 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Xml.Linq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection +{ + /// + /// Helpful XML-based assertions. + /// + public static class XmlAssert + { + public static readonly IEqualityComparer EqualityComparer = new CallbackBasedEqualityComparer(Core.AreEqual); + + /// + /// Asserts that a and an are semantically equivalent. + /// + public static void Equal(string expected, XElement actual) + { + Assert.NotNull(expected); + Assert.NotNull(actual); + Equal(XElement.Parse(expected), actual); + } + + /// + /// Asserts that two instances are semantically equivalent. + /// + public static void Equal(XElement expected, XElement actual) + { + Assert.NotNull(expected); + Assert.NotNull(actual); + + if (!Core.AreEqual(expected, actual)) + { + Assert.True(false, + "Expected element:" + Environment.NewLine + + expected.ToString() + Environment.NewLine + + "Actual element:" + Environment.NewLine + + actual.ToString()); + } + } + + private static class Core + { + private static readonly IEqualityComparer AttributeEqualityComparer = new CallbackBasedEqualityComparer(AreEqual); + + private static bool AreEqual(XElement expected, XElement actual) + { + return expected.Name == actual.Name + && AreEqual(expected.Attributes(), actual.Attributes()) + && AreEqual(expected.Nodes(), actual.Nodes()); + } + + private static bool AreEqual(IEnumerable expected, IEnumerable actual) + { + List filteredExpected = expected.Where(ShouldIncludeNodeDuringComparison).ToList(); + List filteredActual = actual.Where(ShouldIncludeNodeDuringComparison).ToList(); + return filteredExpected.SequenceEqual(filteredActual, EqualityComparer); + } + + internal static bool AreEqual(XNode expected, XNode actual) + { + if 
(expected is XText && actual is XText) + { + return AreEqual((XText)expected, (XText)actual); + } + else if (expected is XElement && actual is XElement) + { + return AreEqual((XElement)expected, (XElement)actual); + } + else + { + return false; + } + } + + private static bool AreEqual(XText expected, XText actual) + { + return expected.Value == actual.Value; + } + + private static bool AreEqual(IEnumerable expected, IEnumerable actual) + { + List orderedExpected = expected + .Where(ShouldIncludeAttributeDuringComparison) + .OrderBy(attr => attr.Name.ToString()) + .ToList(); + + List orderedActual = actual + .Where(ShouldIncludeAttributeDuringComparison) + .OrderBy(attr => attr.Name.ToString()) + .ToList(); + + return orderedExpected.SequenceEqual(orderedActual, AttributeEqualityComparer); + } + + private static bool AreEqual(XAttribute expected, XAttribute actual) + { + return expected.Name == actual.Name + && expected.Value == actual.Value; + } + + private static bool ShouldIncludeAttributeDuringComparison(XAttribute attribute) + { + // exclude 'xmlns' attributes since they're already considered in the + // actual element and attribute names + return attribute.Name != (XName)"xmlns" + && attribute.Name.Namespace != XNamespace.Xmlns; + } + + private static bool ShouldIncludeNodeDuringComparison(XNode node) + { + if (node is XComment) + { + return false; // not contextually relevant + } + + if (node is XText /* includes XCData */ || node is XElement) + { + return true; // relevant + } + + throw new NotSupportedException(String.Format("Node of type '{0}' is not supported.", node.GetType().Name)); + } + } + + private sealed class CallbackBasedEqualityComparer : IEqualityComparer + { + private readonly Func _equalityCheck; + + public CallbackBasedEqualityComparer(Func equalityCheck) + { + _equalityCheck = equalityCheck; + } + + public bool Equals(T x, T y) + { + return _equalityCheck(x, y); + } + + public int GetHashCode(T obj) + { + return 
obj.ToString().GetHashCode(); + } + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs new file mode 100644 index 0000000000..44be41b780 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs 
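Review bot: `CallbackBasedEqualityComparer.GetHashCode` returns `obj.ToString().GetHashCode()`, which disagrees with `Equals`. Two elements that `Core.AreEqual` treats as equivalent (different attribute order, an extra comment, an `xmlns` declaration) serialise differently and so hash differently. `SequenceEqual` does not use the hash code, so the assertions in this file still work, but `XmlAssert.EqualityComparer` is public and would give wrong answers in a hash-based collection or `Distinct()`. Either return a constant (`return 0;`) or add a comment on the field that the comparer is valid for sequence comparison only.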
@@ -0,0 +1,60 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography; +using System.Security.Cryptography.Xml; +using System.Xml; +using System.Xml.Linq; +using Microsoft.Framework.DependencyInjection; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + public class CertificateXmlEncryptorTests + { + [Fact] + public void Encrypt_Decrypt_RoundTrips() + { + // Arrange + var aes = new AesCryptoServiceProvider(); + aes.GenerateKey(); + + var serviceCollection = new ServiceCollection(); + var mockInternalEncryptor = new Mock(); + mockInternalEncryptor.Setup(o => o.PerformEncryption(It.IsAny(), It.IsAny())) + .Returns((encryptedXml, element) => + { + encryptedXml.AddKeyNameMapping("theKey", aes); // use symmetric encryption + return encryptedXml.Encrypt(element, "theKey"); + }); + serviceCollection.AddInstance(mockInternalEncryptor.Object); + + var mockInternalDecryptor = new Mock(); + mockInternalDecryptor.Setup(o => o.PerformPreDecryptionSetup(It.IsAny())) + .Callback(encryptedXml => + { + encryptedXml.AddKeyNameMapping("theKey", aes); // use symmetric encryption + }); + serviceCollection.AddInstance(mockInternalDecryptor.Object); + + var services = serviceCollection.BuildServiceProvider(); + var encryptor = new CertificateXmlEncryptor(services); + var decryptor = new EncryptedXmlDecryptor(services); + + var originalXml = XElement.Parse(@""); + + // Act & assert - run through encryptor and make sure we get back element + var encryptedXmlInfo = encryptor.Encrypt(originalXml); + Assert.Equal(typeof(EncryptedXmlDecryptor), encryptedXmlInfo.DecryptorType); + Assert.Equal(XName.Get("EncryptedData", "http://www.w3.org/2001/04/xmlenc#"), encryptedXmlInfo.EncryptedElement.Name); + Assert.Equal("http://www.w3.org/2001/04/xmlenc#Element", 
(string)encryptedXmlInfo.EncryptedElement.Attribute("Type")); + Assert.DoesNotContain("265ee4ea-ade2-43b1-b706-09b259e58b6b", encryptedXmlInfo.EncryptedElement.ToString(), StringComparison.OrdinalIgnoreCase); + + // Act & assert - run through decryptor and make sure we get back the original value + var roundTrippedElement = decryptor.Decrypt(encryptedXmlInfo.EncryptedElement); + XmlAssert.Equal(originalXml, roundTrippedElement); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs new file mode 100644 index 0000000000..321e29943c --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs 
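Review bot: The `AesCryptoServiceProvider` created in the Arrange step of `Encrypt_Decrypt_RoundTrips` is never disposed, so the generated key is not released deterministically; wrap the test body in `using (var aes = new AesCryptoServiceProvider())`. The class is named `CertificateXmlEncryptorTests` while the file is `CertificateXmlEncryptionTests.cs`, which makes the type harder to locate. A short comment should also state that both mocks substitute a symmetric key for the certificate, so this test covers the `EncryptedXml` plumbing and not certificate selection or key wrapping.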
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.AspNet.DataProtection.Test.Shared;
+using Microsoft.AspNet.Testing.xunit;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection.XmlEncryption
+{
+ public class DpapiNGXmlEncryptionTests
+ {
+ [ConditionalFact]
+ [ConditionalRunTestOnlyOnWindows8OrLater]
+ public void Encrypt_Decrypt_RoundTrips()
+ {
+ // Arrange
+ var originalXml = XElement.Parse(@"");
+ var encryptor = new DpapiNGXmlEncryptor("LOCAL=user", DpapiNGProtectionDescriptorFlags.None);
+ var decryptor = new DpapiNGXmlDecryptor();
+
+ // Act & assert - run through encryptor and make sure we get back an obfuscated element
+ var encryptedXmlInfo = encryptor.Encrypt(originalXml);
+ Assert.Equal(typeof(DpapiNGXmlDecryptor), encryptedXmlInfo.DecryptorType);
+ Assert.DoesNotContain("265ee4ea-ade2-43b1-b706-09b259e58b6b", encryptedXmlInfo.EncryptedElement.ToString(), StringComparison.OrdinalIgnoreCase);
+
+ // Act & assert - run through decryptor and make sure we get back the original value
+ var roundTrippedElement = decryptor.Decrypt(encryptedXmlInfo.EncryptedElement);
+ XmlAssert.Equal(originalXml, roundTrippedElement);
+ }
+ }
+}
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
new file mode 100644
index 0000000000..bb4c2145e9
--- /dev/null
+++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
@@ -0,0 +1,55 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.Test.Shared; +using Microsoft.AspNet.Testing; +using Microsoft.AspNet.Testing.xunit; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + public class DpapiXmlEncryptionTests + { + [ConditionalTheory] + [ConditionalRunTestOnlyOnWindows] + [InlineData(true)] + [InlineData(false)] + public void Encrypt_CurrentUserOrLocalMachine_Decrypt_RoundTrips(bool protectToLocalMachine) + { + // Arrange + var originalXml = XElement.Parse(@""); + var encryptor = new DpapiXmlEncryptor(protectToLocalMachine); + var decryptor = new DpapiXmlDecryptor(); + + // Act & assert - run through encryptor and make sure we get back an obfuscated element + var encryptedXmlInfo = encryptor.Encrypt(originalXml); + Assert.Equal(typeof(DpapiXmlDecryptor), encryptedXmlInfo.DecryptorType); + Assert.DoesNotContain("265ee4ea-ade2-43b1-b706-09b259e58b6b", encryptedXmlInfo.EncryptedElement.ToString(), StringComparison.OrdinalIgnoreCase); + + // Act & assert - run through decryptor and make sure we get back the original value + var roundTrippedElement = decryptor.Decrypt(encryptedXmlInfo.EncryptedElement); + XmlAssert.Equal(originalXml, roundTrippedElement); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() + { + // Arrange + var originalXml = XElement.Parse(@""); + var encryptor = new DpapiXmlEncryptor(protectToLocalMachine: false); + var decryptor = new DpapiXmlDecryptor(); + + // Act & assert - run through encryptor and make sure we get back an obfuscated element + var encryptedXmlInfo = encryptor.Encrypt(originalXml); + Assert.Equal(typeof(DpapiXmlDecryptor), encryptedXmlInfo.DecryptorType); + 
Assert.DoesNotContain("265ee4ea-ade2-43b1-b706-09b259e58b6b", encryptedXmlInfo.EncryptedElement.ToString(), StringComparison.OrdinalIgnoreCase); + + // Act & assert - run through decryptor (while impersonated as anonymous) and verify failure + ExceptionAssert2.ThrowsCryptographicException(() => + AnonymousImpersonation.Run(() => decryptor.Decrypt(encryptedXmlInfo.EncryptedElement))); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs new file mode 100644 index 0000000000..1e2e92476e --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs @@ -0,0 +1,39 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + public class NullXmlEncryptionTests + { + [Fact] + public void NullDecryptor_ReturnsOriginalElement() + { + // Arrange + var decryptor = new NullXmlDecryptor(); + + // Act + var retVal = decryptor.Decrypt(XElement.Parse("")); + + // Assert + XmlAssert.Equal("", retVal); + } + + [Fact] + public void NullEncryptor_ReturnsOriginalElement() + { + // Arrange + var encryptor = new NullXmlEncryptor(); + + // Act + var retVal = encryptor.Encrypt(XElement.Parse("")); + + // Assert + Assert.Equal(typeof(NullXmlDecryptor), retVal.DecryptorType); + XmlAssert.Equal("", retVal.EncryptedElement); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs new file mode 100644 index 0000000000..c931d1bd48 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs 
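Review bot: The `[InlineData(true)]` case of `Encrypt_CurrentUserOrLocalMachine_Decrypt_RoundTrips` in DpapiXmlEncryptionTests.cs only proves that machine-scoped protection round-trips; nothing records that machine scope is the weaker setting. DPAPI data protected to the local machine can be unprotected by any account on that machine, so that case deserves a comment such as `// protectToLocalMachine: true => any local account can decrypt; this case checks round-trip only`. If `AnonymousImpersonation` allows it, a companion to `Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails` could pin the expected outcome for the machine-scoped payload. The comments also call the output an "obfuscated element"; "encrypted" is the accurate word.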
@@ -0,0 +1,234 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Linq; +using System.Xml.Linq; +using Microsoft.Framework.DependencyInjection; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.XmlEncryption +{ + public class XmlEncryptionExtensionsTests + { + [Fact] + public void DecryptElement_NothingToDecrypt_ReturnsOriginalElement() + { + // Arrange + var original = XElement.Parse(@""); + + // Act + var retVal = original.DecryptElement(activator: null); + + // Assert + Assert.Same(original, retVal); + XmlAssert.Equal("", original); // unmutated + } + + [Fact] + public void DecryptElement_RootNodeRequiresDecryption_Success() + { + // Arrange + var original = XElement.Parse(@" + + + "); + + var mockActivator = new Mock(); + mockActivator.ReturnDecryptedElementGivenDecryptorTypeNameAndInput("theDecryptor", "", ""); + + var serviceCollection = new ServiceCollection(); + serviceCollection.AddInstance(mockActivator.Object); + var services = serviceCollection.BuildServiceProvider(); + var activator = services.GetActivator(); + + // Act + var retVal = original.DecryptElement(activator); + + // Assert + XmlAssert.Equal("", retVal); + } + + [Fact] + public void DecryptElement_MultipleNodesRequireDecryption_AvoidsRecursion_Success() + { + // Arrange + var original = XElement.Parse(@" + + + + + + + + + + + "); + + var expected = @" + + + nested + + + + + nested + + + "; + + var mockDecryptor = new Mock(); + mockDecryptor + .Setup(o => o.Decrypt(It.IsAny())) + .Returns(el => new XElement(el.Name.LocalName + "_decrypted", new XElement(XmlConstants.EncryptedSecretElementName, "nested"))); + + var mockActivator = new Mock(); + mockActivator.Setup(o => o.CreateInstance(typeof(IXmlDecryptor), "myDecryptor")).Returns(mockDecryptor.Object); + + var serviceCollection = new ServiceCollection(); + 
serviceCollection.AddInstance(mockActivator.Object); + var services = serviceCollection.BuildServiceProvider(); + var activator = services.GetActivator(); + + // Act + var retVal = original.DecryptElement(activator); + + // Assert + XmlAssert.Equal(expected, retVal); + } + + [Fact] + public void EncryptIfNecessary_NothingToEncrypt_ReturnsNull() + { + // Arrange + var original = XElement.Parse(@""); + var xmlEncryptor = new Mock(MockBehavior.Strict).Object; + + // Act + var retVal = xmlEncryptor.EncryptIfNecessary(original); + + // Assert + Assert.Null(retVal); + XmlAssert.Equal("", original); // unmutated + } + + [Fact] + public void EncryptIfNecessary_RootNodeRequiresEncryption_Success() + { + // Arrange + var original = XElement.Parse(@""); + var mockXmlEncryptor = new Mock(); + mockXmlEncryptor.Setup(o => o.Encrypt(It.IsAny())).Returns(new EncryptedXmlInfo(new XElement("theElement"), typeof(MyXmlDecryptor))); + + // Act + var retVal = mockXmlEncryptor.Object.EncryptIfNecessary(original); + + // Assert + XmlAssert.Equal(@"", original); // unmutated + Assert.Equal(XmlConstants.EncryptedSecretElementName, retVal.Name); + Assert.Equal(typeof(MyXmlDecryptor).AssemblyQualifiedName, (string)retVal.Attribute(XmlConstants.DecryptorTypeAttributeName)); + XmlAssert.Equal("", retVal.Descendants().Single()); + } + + [Fact] + public void EncryptIfNecessary_MultipleNodesRequireEncryption_Success() + { + // Arrange + var original = XElement.Parse(@" + + + + + + + + + + + "); + + var expected = String.Format(@" + + + + + + + + + + + ", + typeof(MyXmlDecryptor).AssemblyQualifiedName); + + var mockXmlEncryptor = new Mock(); + mockXmlEncryptor + .Setup(o => o.Encrypt(It.IsAny())) + .Returns(element => new EncryptedXmlInfo(new XElement(element.Name.LocalName + "_encrypted"), typeof(MyXmlDecryptor))); + + // Act + var retVal = mockXmlEncryptor.Object.EncryptIfNecessary(original); + + // Assert + XmlAssert.Equal(expected, retVal); + } + + [Fact] + public void 
EncryptIfNecessary_NullEncryptorWithRecursion_NoStackDive_Success() + { + // Arrange + var original = XElement.Parse(@" + + + + + + + + + + + "); + + var expected = String.Format(@" + + + + + + + + + + + + + + + ", + typeof(MyXmlDecryptor).AssemblyQualifiedName); + + var mockXmlEncryptor = new Mock(); + mockXmlEncryptor + .Setup(o => o.Encrypt(It.IsAny())) + .Returns(element => new EncryptedXmlInfo(new XElement(element), typeof(MyXmlDecryptor))); + + // Act + var retVal = mockXmlEncryptor.Object.EncryptIfNecessary(original); + + // Assert + XmlAssert.Equal(expected, retVal); + } + + private sealed class MyXmlDecryptor : IXmlDecryptor + { + public XElement Decrypt(XElement encryptedElement) + { + throw new NotImplementedException(); + } + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index 2de96e4f7b..8203d16d13 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json @@ -1,7 +1,9 @@ { "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, "Microsoft.AspNet.Testing": "1.0.0-*", + "Microsoft.Framework.DependencyInjection": "1.0.0-*", "Moq": "4.2.1312.1622", "xunit.runner.kre": "1.0.0-*" }, From bb1b49cc1c8fc21b7d1d6fac44d59b39dad46950 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 10 Mar 2015 23:40:39 -0700 Subject: [PATCH 106/493] Fix PoliCheck violations. --- .../Repositories/EphemeralXmlRepository.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs index 46e993e979..dcfd8a5b59 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs 
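Review bot: Every `DecryptElement` test in XmlEncryptionExtensionsTests.cs resolves the decryptor successfully; there is no case where the decryptor type name cannot be activated or does not yield an `IXmlDecryptor`. The `EncryptIfNecessary` tests show the name being written into the element as an attribute, so on the decrypt side it appears to be read back from stored XML before reaching `CreateInstance(typeof(IXmlDecryptor), ...)`. A test that makes the mock activator throw, and asserts that `DecryptElement` surfaces the failure instead of returning the element undecrypted, would pin the fail-closed behaviour. The production code is outside this hunk, so the expected behaviour needs confirming before the assertion is written.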
@@ -29,7 +29,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories public virtual IReadOnlyCollection GetAllElements() { - // force complete enumeration under lock to avoid races + // force complete enumeration under lock for thread safety lock (_storedElements) { return GetAllElementsCore().ToList().AsReadOnly(); @@ -49,7 +49,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories { XElement cloned = new XElement(element); // makes a deep copy so caller doesn't inadvertently modify it - // under lock to avoid races + // under lock for thread safety lock (_storedElements) { _storedElements.Add(cloned); From 8c7a47fb002f42912bed83c081fef2e88976bb9b Mon Sep 17 00:00:00 2001 
From: "N. Taylor Mullen" Date: Wed, 11 Mar 2015 14:05:01 -0700 Subject: [PATCH 107/493] Update .kproj => .xproj. --- DataProtection.sln | 24 +++++++++---------- ...rosoft.AspNet.Cryptography.Internal.xproj} | 0 ...t.AspNet.Cryptography.KeyDerivation.xproj} | 0 ...crosoft.AspNet.DataProtection.Azure.xproj} | 0 ...ft.AspNet.DataProtection.Interfaces.xproj} | 0 ...rosoft.AspNet.DataProtection.Shared.xproj} | 0 ...oft.AspNet.DataProtection.SystemWeb.xproj} | 0 ... => Microsoft.AspNet.DataProtection.xproj} | 0 ...t.AspNet.Cryptography.Internal.Test.xproj} | 0 ...Net.Cryptography.KeyDerivation.Test.xproj} | 0 ...pNet.DataProtection.Interfaces.Test.xproj} | 0 ...t.AspNet.DataProtection.Test.Shared.xproj} | 0 ...icrosoft.AspNet.DataProtection.Test.xproj} | 0 13 files changed, 12 insertions(+), 12 deletions(-) rename src/Microsoft.AspNet.Cryptography.Internal/{Microsoft.AspNet.Cryptography.Internal.kproj => Microsoft.AspNet.Cryptography.Internal.xproj} (100%) rename src/Microsoft.AspNet.Cryptography.KeyDerivation/{Microsoft.AspNet.Cryptography.KeyDerivation.kproj => Microsoft.AspNet.Cryptography.KeyDerivation.xproj} (100%) rename src/Microsoft.AspNet.DataProtection.Azure/{Microsoft.AspNet.DataProtection.Azure.kproj => Microsoft.AspNet.DataProtection.Azure.xproj} (100%) rename src/Microsoft.AspNet.DataProtection.Interfaces/{Microsoft.AspNet.DataProtection.Interfaces.kproj => Microsoft.AspNet.DataProtection.Interfaces.xproj} (100%) rename src/Microsoft.AspNet.DataProtection.Shared/{Microsoft.AspNet.DataProtection.Shared.kproj => Microsoft.AspNet.DataProtection.Shared.xproj} (100%) rename src/Microsoft.AspNet.DataProtection.SystemWeb/{Microsoft.AspNet.DataProtection.SystemWeb.kproj => Microsoft.AspNet.DataProtection.SystemWeb.xproj} (100%) rename src/Microsoft.AspNet.DataProtection/{Microsoft.AspNet.DataProtection.kproj => Microsoft.AspNet.DataProtection.xproj} (100%) rename test/Microsoft.AspNet.Cryptography.Internal.Test/{Microsoft.AspNet.Cryptography.Internal.Test.kproj => 
Microsoft.AspNet.Cryptography.Internal.Test.xproj} (100%) rename test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/{Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj => Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj} (100%) rename test/Microsoft.AspNet.DataProtection.Interfaces.Test/{Microsoft.AspNet.DataProtection.Interfaces.Test.kproj => Microsoft.AspNet.DataProtection.Interfaces.Test.xproj} (100%) rename test/Microsoft.AspNet.DataProtection.Test.Shared/{Microsoft.AspNet.DataProtection.Test.Shared.kproj => Microsoft.AspNet.DataProtection.Test.Shared.xproj} (100%) rename test/Microsoft.AspNet.DataProtection.Test/{Microsoft.AspNet.DataProtection.Test.kproj => Microsoft.AspNet.DataProtection.Test.xproj} (100%) diff --git a/DataProtection.sln b/DataProtection.sln index 2151e23bba..a0e5ba9f50 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -5,31 +5,31 @@ VisualStudioVersion = 14.0.22609.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection", "src\Microsoft.AspNet.DataProtection\Microsoft.AspNet.DataProtection.kproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection", "src\Microsoft.AspNet.DataProtection\Microsoft.AspNet.DataProtection.xproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Azure", "src\Microsoft.AspNet.DataProtection.Azure\Microsoft.AspNet.DataProtection.Azure.kproj", "{DF3671D7-A9B1-45F1-A195-0AD596001735}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Azure", "src\Microsoft.AspNet.DataProtection.Azure\Microsoft.AspNet.DataProtection.Azure.xproj", "{DF3671D7-A9B1-45F1-A195-0AD596001735}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test", "test\Microsoft.AspNet.DataProtection.Test\Microsoft.AspNet.DataProtection.Test.kproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test", "test\Microsoft.AspNet.DataProtection.Test\Microsoft.AspNet.DataProtection.Test.xproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal", "src\Microsoft.AspNet.Cryptography.Internal\Microsoft.AspNet.Cryptography.Internal.kproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal", 
"src\Microsoft.AspNet.Cryptography.Internal\Microsoft.AspNet.Cryptography.Internal.xproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation", "src\Microsoft.AspNet.Cryptography.KeyDerivation\Microsoft.AspNet.Cryptography.KeyDerivation.kproj", "{421F0383-34B1-402D-807B-A94542513ABA}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation", "src\Microsoft.AspNet.Cryptography.KeyDerivation\Microsoft.AspNet.Cryptography.KeyDerivation.xproj", "{421F0383-34B1-402D-807B-A94542513ABA}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNet.Cryptography.KeyDerivation.Test\Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNet.Cryptography.KeyDerivation.Test\Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal.Test", "test\Microsoft.AspNet.Cryptography.Internal.Test\Microsoft.AspNet.Cryptography.Internal.Test.kproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal.Test", "test\Microsoft.AspNet.Cryptography.Internal.Test\Microsoft.AspNet.Cryptography.Internal.Test.xproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces", "src\Microsoft.AspNet.DataProtection.Interfaces\Microsoft.AspNet.DataProtection.Interfaces.kproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces", 
"src\Microsoft.AspNet.DataProtection.Interfaces\Microsoft.AspNet.DataProtection.Interfaces.xproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces.Test", "test\Microsoft.AspNet.DataProtection.Interfaces.Test\Microsoft.AspNet.DataProtection.Interfaces.Test.kproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces.Test", "test\Microsoft.AspNet.DataProtection.Interfaces.Test\Microsoft.AspNet.DataProtection.Interfaces.Test.xproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test.Shared", "test\Microsoft.AspNet.DataProtection.Test.Shared\Microsoft.AspNet.DataProtection.Test.Shared.kproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test.Shared", "test\Microsoft.AspNet.DataProtection.Test.Shared\Microsoft.AspNet.DataProtection.Test.Shared.xproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Shared", "src\Microsoft.AspNet.DataProtection.Shared\Microsoft.AspNet.DataProtection.Shared.kproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Shared", "src\Microsoft.AspNet.DataProtection.Shared\Microsoft.AspNet.DataProtection.Shared.xproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.SystemWeb", "src\Microsoft.AspNet.DataProtection.SystemWeb\Microsoft.AspNet.DataProtection.SystemWeb.kproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.SystemWeb", 
"src\Microsoft.AspNet.DataProtection.SystemWeb\Microsoft.AspNet.DataProtection.SystemWeb.xproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj b/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj similarity index 100% rename from src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.kproj rename to src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj similarity index 100% rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.kproj rename to src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj diff --git a/src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.kproj b/src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.xproj similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.kproj rename to src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.xproj diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.kproj b/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.kproj rename to src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj 
diff --git a/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.kproj b/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.kproj rename to src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.kproj b/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj similarity index 100% rename from src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.kproj rename to src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj diff --git a/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.kproj b/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj similarity index 100% rename from src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.kproj rename to src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.kproj b/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj similarity index 100% rename from test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.kproj rename to test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj 
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj similarity index 100% rename from test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.kproj rename to test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.kproj b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj similarity index 100% rename from test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.kproj rename to test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.kproj b/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj similarity index 100% rename from test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.kproj rename to test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj diff --git a/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.kproj b/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj similarity index 100% rename from test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.kproj rename to test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj From 20fe4f8d63f3c51789a7403eeeab147bb303ab99 Mon Sep 17 00:00:00 2001 
From: Doug Bunting Date: Wed, 11 Mar 2015 16:58:20 -0700 Subject: [PATCH 108/493] Do not use deprecated `dnvm -x86` switch --- build.cmd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.cmd b/build.cmd index 68a732c182..41025afb26 100644 --- a/build.cmd +++ b/build.cmd @@ -20,9 +20,9 @@ IF EXIST packages\KoreBuild goto run .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion IF "%SKIP_DNX_INSTALL%"=="1" goto run -CALL packages\KoreBuild\build\dnvm upgrade -runtime CLR -x86 -CALL packages\KoreBuild\build\dnvm install default -runtime CoreCLR -x86 +CALL packages\KoreBuild\build\dnvm upgrade -runtime CLR -arch x86 +CALL packages\KoreBuild\build\dnvm install default -runtime CoreCLR -arch x86 :run -CALL packages\KoreBuild\build\dnvm use default -runtime CLR -x86 +CALL packages\KoreBuild\build\dnvm use default -runtime CLR -arch x86 packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* From 58c823bc45c37b0ebdd75fa64d6fb809a6beb046 Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 11 Mar 2015 15:40:15 -0700 Subject: [PATCH 109/493] Rename KeyLifetimeOptions -> KeyManagementOptions Simplify default key resolution logic Introduce API for disabling automatic key generation --- .../DataProtectionConfiguration.cs | 47 +++++++---- .../DataProtectionProvider.cs | 2 +- .../DataProtectionServiceDescriptors.cs | 6 +- .../KeyManagement/DefaultKeyResolver.cs | 81 +++++++----------- ...timeOptions.cs => KeyManagementOptions.cs} | 41 ++++++--- .../KeyManagement/KeyRingProvider.cs | 36 ++++++-- .../Properties/Resources.Designer.cs | 28 +++++-- .../Resources.resx | 7 +- .../KeyManagement/DefaultKeyResolverTests.cs | 55 +++++++++--- .../KeyManagement/KeyRingProviderTests.cs | 83 +++++++++++++++++-- .../RegistryPolicyResolverTests.cs | 4 +- 11 files changed, 273 insertions(+), 117 deletions(-) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{KeyLifetimeOptions.cs => KeyManagementOptions.cs} (64%) 
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs index 2fa1164d04..e2350cd642 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs @@ -113,6 +113,36 @@ namespace Microsoft.AspNet.DataProtection return this; } + /// + /// Configures the data protection system not to generate new keys automatically. + /// + /// The 'this' instance. + /// + /// Calling this API corresponds to setting + /// to 'false'. See that property's documentation for more information. + /// + public DataProtectionConfiguration DisableAutomaticKeyGeneration() + { + Services.Configure(options => + { + options.AutoGenerateKeys = false; + }); + return this; + } + + /// + /// Configures the data protection system to persist keys in storage as plaintext. + /// + /// The 'this' instance. + /// + /// Caution: cryptographic key material will not be protected at rest. + /// + public DataProtectionConfiguration DisableProtectionOfKeysAtRest() + { + RemoveAllServicesOfType(typeof(IXmlEncryptor)); + return this; + } + /// /// Configures the data protection system to persist keys to the specified directory. /// This path may be on the local machine or may point to a UNC share. 
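Review bot: The remarks on `DisableProtectionOfKeysAtRest` say only that key material will not be protected at rest, which does not tell a caller what the deployment then depends on. The method removes every registered `IXmlEncryptor`, so keys are persisted in plaintext and anyone who can read the key repository can presumably recover them. I would extend the remarks with something like `/// Anyone with read access to the key repository can recover the keys; use this only when the repository itself enforces access control.` `RemoveAllServicesOfType` acts only on what is registered when it runs, so the remarks should also say whether a later key-encryption configuration call turns protection back on; that is not visible from this hunk.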
@@ -241,30 +271,17 @@ namespace Microsoft.AspNet.DataProtection /// Sets the default lifetime of keys created by the data protection system. /// /// The lifetime (time before expiration) for newly-created keys. - /// See for more information and + /// See for more information and /// usage notes. /// The 'this' instance. public DataProtectionConfiguration SetDefaultKeyLifetime(TimeSpan lifetime) { - Services.Configure(options => + Services.Configure(options => { options.NewKeyLifetime = lifetime; }); return this; } - - /// - /// Configures the data protection system to persist keys in storage as plaintext. - /// - /// The 'this' instance. - /// - /// Caution: cryptographic key material will not be protected at rest. - /// - public DataProtectionConfiguration SuppressProtectionOfKeysAtRest() - { - RemoveAllServicesOfType(typeof(IXmlEncryptor)); - return this; - } /// /// Configures the data protection system to use the specified cryptographic algorithms diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs index 20d42ee09e..de61cdd9f7 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs @@ -72,7 +72,7 @@ namespace Microsoft.AspNet.DataProtection { var keyRingProvider = new KeyRingProvider( keyManager: services.GetRequiredService(), - keyLifetimeOptions: services.GetService>()?.Options, // might be null + keyManagementOptions: services.GetService>()?.Options, // might be null services: services); dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, services); } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs index 5a1c08ca29..43b94d65a5 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs 
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs @@ -39,14 +39,14 @@ namespace Microsoft.Framework.DependencyInjection } /// - /// An where the key lifetime is specified explicitly. + /// An where the key lifetime is specified explicitly. /// public static ServiceDescriptor ConfigureOptions_DefaultKeyLifetime(int numDays) { - return ServiceDescriptor.Transient>(services => + return ServiceDescriptor.Transient>(services => { - return new ConfigureOptions(options => + return new ConfigureOptions(options => { options.NewKeyLifetime = TimeSpan.FromDays(numDays); }); diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs index 624b23e53f..66beedb862 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -18,10 +18,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// and persisted to the keyring to ensure uninterrupted service. /// /// - /// If the expiration window is 5 days and the current key expires within 5 days, + /// If the propagation time is 5 days and the current key expires within 5 days, /// a new key will be generated. /// - private readonly TimeSpan _keyGenBeforeExpirationWindow; + private readonly TimeSpan _keyPropagationWindow; private readonly ILogger _logger; 
@@ -36,9 +36,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// private readonly TimeSpan _maxServerToServerClockSkew; - public DefaultKeyResolver(TimeSpan keyGenBeforeExpirationWindow, TimeSpan maxServerToServerClockSkew, IServiceProvider services) + public DefaultKeyResolver(TimeSpan keyPropagationWindow, TimeSpan maxServerToServerClockSkew, IServiceProvider services) { - _keyGenBeforeExpirationWindow = keyGenBeforeExpirationWindow; + _keyPropagationWindow = keyPropagationWindow; _maxServerToServerClockSkew = maxServerToServerClockSkew; _logger = services.GetLogger(); } 
@@ -52,82 +52,61 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private IKey FindDefaultKey(DateTimeOffset now, IEnumerable allKeys, out bool callerShouldGenerateNewKey) { - // the key with the most recent activation date where the activation date is in the past - IKey keyMostRecentlyActivated = (from key in allKeys - where key.ActivationDate <= now - orderby key.ActivationDate descending - select key).FirstOrDefault(); + // find the preferred default key (allowing for server-to-server clock skew) + var preferredDefaultKey = (from key in allKeys + where key.ActivationDate <= now + _maxServerToServerClockSkew + orderby key.ActivationDate descending, key.KeyId ascending + select key).FirstOrDefault(); - if (keyMostRecentlyActivated != null) + if (preferredDefaultKey != null) { if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Considering key '{0:D}' with expiration date {1:u} as default key candidate.", keyMostRecentlyActivated.KeyId, keyMostRecentlyActivated.ExpirationDate); + _logger.LogVerbose("Considering key '{0:D}' with expiration date {1:u} as default key.", preferredDefaultKey.KeyId, preferredDefaultKey.ExpirationDate); } // if the key has been revoked or is expired, it is no longer a candidate - if (keyMostRecentlyActivated.IsExpired(now) || keyMostRecentlyActivated.IsRevoked) + if (preferredDefaultKey.IsExpired(now) || preferredDefaultKey.IsRevoked) { if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Key '{0:D}' no longer eligible as default key candidate because it is expired or revoked.", keyMostRecentlyActivated.KeyId); + _logger.LogVerbose("Key '{0:D}' is no longer under consideration as default key because it is expired or revoked.", preferredDefaultKey.KeyId); } - keyMostRecentlyActivated = null; + preferredDefaultKey = null; } } - // There's an interesting edge case here. 
If two keys have an activation date in the past and - // an expiration date in the future, and if the most recently activated of those two keys is - // revoked, we won't consider the older key a valid candidate. This is intentional: generating - // a new key is an implicit signal that we should stop using older keys without explicitly - // revoking them. + // Only the key that has been most recently activated is eligible to be the preferred default, + // and only if it hasn't expired or been revoked. This is intentional: generating a new key is + // an implicit signal that we should stop using older keys (even if they're not revoked), so + // activating a new key should permanently mark all older keys as non-preferred. - // if the key's expiration is beyond our safety window, we can use this key - if (keyMostRecentlyActivated != null && keyMostRecentlyActivated.ExpirationDate - now > _keyGenBeforeExpirationWindow) + if (preferredDefaultKey != null) { - callerShouldGenerateNewKey = false; - return keyMostRecentlyActivated; - } + // Does *any* key in the key ring fulfill the requirement that its activation date is prior + // to the preferred default key's expiration date (allowing for skew) and that it will + // remain valid one propagation cycle from now? If so, the caller doesn't need to add a + // new key. 
+ callerShouldGenerateNewKey = !allKeys.Any(key => + key.ActivationDate <= (preferredDefaultKey.ExpirationDate + _maxServerToServerClockSkew) + && !key.IsExpired(now + _keyPropagationWindow) + && !key.IsRevoked); - // the key with the nearest activation date where the activation date is in the future - // and the key isn't expired or revoked - IKey keyNextPendingActivation = (from key in allKeys - where key.ActivationDate > now && !key.IsExpired(now) && !key.IsRevoked - orderby key.ActivationDate ascending - select key).FirstOrDefault(); - - // if we have a valid current key, return it, and signal to the caller that he must perform - // the keygen step only if the next key pending activation won't be activated until *after* - // the current key expires (allowing for server-to-server skew) - if (keyMostRecentlyActivated != null) - { - callerShouldGenerateNewKey = (keyNextPendingActivation == null || (keyNextPendingActivation.ActivationDate - keyMostRecentlyActivated.ExpirationDate > _maxServerToServerClockSkew)); if (callerShouldGenerateNewKey && _logger.IsVerboseLevelEnabled()) { _logger.LogVerbose("Default key expiration imminent and repository contains no viable successor. Caller should generate a successor."); } - return keyMostRecentlyActivated; + return preferredDefaultKey; } - // if there's no valid current key but there is a key pending activation, we can use - // it only if its activation period is within the server-to-server clock skew - if (keyNextPendingActivation != null && keyNextPendingActivation.ActivationDate - now <= _maxServerToServerClockSkew) - { - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerbose("Considering key '{0:D}' with expiration date {1:u} as default key candidate.", keyNextPendingActivation.KeyId, keyNextPendingActivation.ExpirationDate); - } + // If we got this far, the caller must generate a key now. 
- callerShouldGenerateNewKey = false; - return keyNextPendingActivation; - } - - // if we got this far, there was no valid default key in the keyring if (_logger.IsVerboseLevelEnabled()) { _logger.LogVerbose("Repository contains no viable default key. Caller should generate a key with immediate activation."); } + callerShouldGenerateNewKey = true; return null; } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyLifetimeOptions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs similarity index 64% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyLifetimeOptions.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs index 7316cdb3f7..ae4d7479b5 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyLifetimeOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs 
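Review bot: `FindDefaultKey` now enumerates `allKeys` twice, once in the `preferredDefaultKey` query and again in the `allKeys.Any(...)` check that sets `callerShouldGenerateNewKey`. If a caller passes a lazily evaluated sequence, the two passes could see different key sets, and the chosen default would then disagree with the generate-a-successor decision; whether any caller does so is not visible here. Materialising once at the top with `var keys = allKeys.ToList();` and using `keys` in both places keeps the whole decision on one snapshot of the key ring.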
@@ -5,41 +5,58 @@ using System; namespace Microsoft.AspNet.DataProtection.KeyManagement { - public class KeyLifetimeOptions + /// + /// Options that control how an should behave. + /// + public class KeyManagementOptions { - private readonly TimeSpan _keyExpirationSafetyPeriod = TimeSpan.FromDays(2); - private readonly TimeSpan _keyRingRefreshPeriod = TimeSpan.FromHours(24); - private readonly TimeSpan _maxServerClockSkew = TimeSpan.FromMinutes(5); + private static readonly TimeSpan _keyPropagationWindow = TimeSpan.FromDays(2); + private static readonly TimeSpan _keyRingRefreshPeriod = TimeSpan.FromHours(24); + private static readonly TimeSpan _maxServerClockSkew = TimeSpan.FromMinutes(5); private TimeSpan _newKeyLifetime = TimeSpan.FromDays(90); - public KeyLifetimeOptions() + public KeyManagementOptions() { } // copy ctor - internal KeyLifetimeOptions(KeyLifetimeOptions other) + internal KeyManagementOptions(KeyManagementOptions other) { if (other != null) { + this.AutoGenerateKeys = other.AutoGenerateKeys; this._newKeyLifetime = other._newKeyLifetime; } } /// - /// Specifies the period before key expiration in which a new key should be generated. - /// For example, if this period is 72 hours, then a new key will be created and - /// persisted to storage approximately 72 hours before expiration. + /// Specifies whether the data protection system should auto-generate keys. + /// + /// + /// If this value is 'false', the system will not generate new keys automatically. + /// The key ring must contain at least one active non-revoked key, otherwise calls + /// to may fail. The system may end up + /// protecting payloads to expired keys if this property is set to 'false'. + /// The default value is 'true'. + /// + public bool AutoGenerateKeys { get; set; } = true; + + /// + /// Specifies the period before key expiration in which a new key should be generated + /// so that it has time to propagate fully throughout the key ring. 
For example, if this + /// period is 72 hours, then a new key will be created and persisted to storage + /// approximately 72 hours before expiration. /// /// /// This value is currently fixed at 48 hours. /// - internal TimeSpan KeyExpirationSafetyPeriod + internal TimeSpan KeyPropagationWindow { get { // This value is not settable since there's a complex interaction between // it and the key ring refresh period. - return _keyExpirationSafetyPeriod; + return _keyPropagationWindow; } } @@ -97,7 +114,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (value < TimeSpan.FromDays(7)) { - throw new ArgumentOutOfRangeException(nameof(value), Resources.KeyLifetimeOptions_MinNewKeyLifetimeViolated); + throw new ArgumentOutOfRangeException(nameof(value), Resources.KeyManagementOptions_MinNewKeyLifetimeViolated); } _newKeyLifetime = value; } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index ec8c878c04..475ffda929 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs 
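Review bot: The `AutoGenerateKeys` remarks say the key ring must contain at least one active non-revoked key, but the resolver changed in this same commit is stricter than that. `FindDefaultKey` considers only the most recently activated key and nulls it when it is expired or revoked, and `KeyRingProvider` then throws when auto-generation is off, so an older key that is still valid does not keep protect calls working. Operationally, revoking the newest key with auto-generation disabled appears to stop protection until a key is added by hand. I would reword the remark to `/// The most recently activated key must be unexpired and non-revoked, otherwise protect calls will fail.` and confirm that the sentence about protecting payloads to expired keys still holds, since no such path is visible in these hunks.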
@@ -17,20 +17,20 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private readonly object _cacheableKeyRingLockObj = new object(); private readonly ICacheableKeyRingProvider _cacheableKeyRingProvider; private readonly IDefaultKeyResolver _defaultKeyResolver; - private readonly KeyLifetimeOptions _keyLifetimeOptions; + private readonly KeyManagementOptions _keyManagementOptions; private readonly IKeyManager _keyManager; private readonly ILogger _logger; - public KeyRingProvider(IKeyManager keyManager, KeyLifetimeOptions keyLifetimeOptions, IServiceProvider services) + public KeyRingProvider(IKeyManager keyManager, KeyManagementOptions keyManagementOptions, IServiceProvider services) { - _keyLifetimeOptions = new KeyLifetimeOptions(keyLifetimeOptions); // clone so new instance is immutable + _keyManagementOptions = new KeyManagementOptions(keyManagementOptions); // clone so new instance is immutable _keyManager = keyManager; _cacheableKeyRingProvider = services?.GetService() ?? this; _logger = services?.GetLogger(); _defaultKeyResolver = services?.GetService() - ?? new DefaultKeyResolver(_keyLifetimeOptions.KeyExpirationSafetyPeriod, _keyLifetimeOptions.MaxServerClockSkew, services); + ?? new DefaultKeyResolver(_keyManagementOptions.KeyPropagationWindow, _keyManagementOptions.MaxServerClockSkew, services); } - + private CacheableKeyRing CreateCacheableKeyRingCore(DateTimeOffset now, bool allowRecursiveCalls = false) { // Refresh the list of all keys 
@@ -67,17 +67,37 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (defaultKeyPolicy.DefaultKey == null) { + // We cannot continue if we have no default key and auto-generation of keys is disabled. + if (!_keyManagementOptions.AutoGenerateKeys) + { + if (_logger.IsErrorLevelEnabled()) + { + _logger.LogError("The key ring does not contain a valid default key, and the key manager is configured with auto-generation of keys disabled."); + } + throw new InvalidOperationException(Resources.KeyRingProvider_NoDefaultKey_AutoGenerateDisabled); + } + // The case where there's no default key is the easiest scenario, since it // means that we need to create a new key with immediate activation. - _keyManager.CreateNewKey(activationDate: now, expirationDate: now + _keyLifetimeOptions.NewKeyLifetime); + _keyManager.CreateNewKey(activationDate: now, expirationDate: now + _keyManagementOptions.NewKeyLifetime); return CreateCacheableKeyRingCore(now); // recursively call } else { + // If auto-generation of keys is disabled, we cannot call CreateNewKey. + if (!_keyManagementOptions.AutoGenerateKeys) + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled."); + } + return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, defaultKeyPolicy.DefaultKey, allKeys); + } + // If there is a default key, then the new key we generate should become active upon // expiration of the default key. The new key lifetime is measured from the creation // date (now), not the activation date. - _keyManager.CreateNewKey(activationDate: defaultKeyPolicy.DefaultKey.ExpirationDate, expirationDate: now + _keyLifetimeOptions.NewKeyLifetime); + _keyManager.CreateNewKey(activationDate: defaultKeyPolicy.DefaultKey.ExpirationDate, expirationDate: now + _keyManagementOptions.NewKeyLifetime); return CreateCacheableKeyRingCore(now); // recursively call } } 
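Review bot: The warning logged in the `else` branch when `AutoGenerateKeys` is false does not say which key is running out or when. As far as this hunk shows, it is the only signal an operator gets before the `InvalidOperationException` in the branch above starts firing, so it should carry the default key's id and expiration in the same format the resolver's log lines use. For example, append `Default key '{0:D}' expires {1:u}.` to the message and pass `defaultKeyPolicy.DefaultKey.KeyId, defaultKeyPolicy.DefaultKey.ExpirationDate` as arguments. The enclosing method starts before this hunk.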
@@ -96,7 +116,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // servers in a cluster from trying to update the key ring simultaneously. return new CacheableKeyRing( expirationToken: cacheExpirationToken, - expirationTime: Min(defaultKey.ExpirationDate, now + GetRefreshPeriodWithJitter(_keyLifetimeOptions.KeyRingRefreshPeriod)), + expirationTime: Min(defaultKey.ExpirationDate, now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod)), defaultKey: defaultKey, allKeys: allKeys); } diff --git a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs index fad1928f16..9edb8c1b05 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs @@ -219,19 +219,19 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The default new key lifetime must be at least one week. + /// The new key lifetime must be at least one week. /// - internal static string KeyLifetimeOptions_MinNewKeyLifetimeViolated + internal static string KeyManagementOptions_MinNewKeyLifetimeViolated { - get { return GetString("KeyLifetimeOptions_MinNewKeyLifetimeViolated"); } + get { return GetString("KeyManagementOptions_MinNewKeyLifetimeViolated"); } } /// - /// The default new key lifetime must be at least one week. + /// The new key lifetime must be at least one week. /// - internal static string FormatKeyLifetimeOptions_MinNewKeyLifetimeViolated() + internal static string FormatKeyManagementOptions_MinNewKeyLifetimeViolated() { - return GetString("KeyLifetimeOptions_MinNewKeyLifetimeViolated"); + return GetString("KeyManagementOptions_MinNewKeyLifetimeViolated"); } /// 
@@ -378,6 +378,22 @@ namespace Microsoft.AspNet.DataProtection return string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadKeySize"), p0); } + /// + /// The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled. + /// + internal static string KeyRingProvider_NoDefaultKey_AutoGenerateDisabled + { + get { return GetString("KeyRingProvider_NoDefaultKey_AutoGenerateDisabled"); } + } + + /// + /// The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled. + /// + internal static string FormatKeyRingProvider_NoDefaultKey_AutoGenerateDisabled() + { + return GetString("KeyRingProvider_NoDefaultKey_AutoGenerateDisabled"); + } + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); diff --git a/src/Microsoft.AspNet.DataProtection/Resources.resx b/src/Microsoft.AspNet.DataProtection/Resources.resx index ad1f4512df..3562a6a959 100644 --- a/src/Microsoft.AspNet.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.DataProtection/Resources.resx @@ -156,8 +156,8 @@ The type '{1}' is not assignable to '{0}'. - - The default new key lifetime must be at least one week. + + The new key lifetime must be at least one week. The key '{0:D}' already exists in the keyring. @@ -186,4 +186,7 @@ The symmetric algorithm key size of {0} bits is invalid. The key size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. + + The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled. + \ No newline at end of file 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs index 7c66fdc3e0..3eed6faa19 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs @@ -31,9 +31,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); // Act - var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1); + var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-20 23:59:00Z", key1, key2); // Assert Assert.Same(key1, resolution.DefaultKey); 
@@ -41,15 +42,45 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } [Fact] - public void ResolveDefaultKeyPolicy_ValidExistingKey_ApproachingSafetyWindow_ReturnsExistingKey_SignalsGenerateNewKey() + public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_KeysStraddleSkewLine_ReturnsExistingKey() { // Arrange var resolver = CreateDefaultKeyResolver(); - var key1 = CreateKey("2015-03-01 00:00:00Z", "2015-04-01 00:00:00Z"); - var key2 = CreateKey("2015-04-01 00:00:00Z", "2015-05-01 00:00:00Z", isRevoked: true); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); // Act - var resolution = resolver.ResolveDefaultKeyPolicy("2015-03-30 00:00:00Z", key1, key2); + var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:59:00Z", key1, key2); + + // Assert + Assert.Same(key2, resolution.DefaultKey); + Assert.False(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_AllKeysInFuture_ReturnsExistingKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:59:00Z", key1); + + // Assert + Assert.Same(key1, resolution.DefaultKey); + Assert.False(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_ValidExistingKey_NoSuccessor_ReturnsExistingKey_SignalsGenerateNewKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:59:00Z", key1); // Assert Assert.Same(key1, resolution.DefaultKey); 
@@ -57,20 +88,20 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } [Fact] - public void ResolveDefaultKeyPolicy_ValidExistingKey_ApproachingSafetyWindow_FutureKeyIsValidAndWithinSkew_ReturnsExistingKey_NoSignalToGenerateNewKey() + public void ResolveDefaultKeyPolicy_ValidExistingKey_NoLegitimateSuccessor_ReturnsExistingKey_SignalsGenerateNewKey() { // Arrange var resolver = CreateDefaultKeyResolver(); - var key1 = CreateKey("2015-03-01 00:00:00Z", "2015-04-01 00:00:00Z"); - var key2 = CreateKey("2015-04-01 00:00:00Z", "2015-05-01 00:00:00Z", isRevoked: true); - var key3 = CreateKey("2015-04-01 00:01:00Z", "2015-05-01 00:00:00Z"); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z", isRevoked: true); + var key3 = CreateKey("2016-03-01 00:00:00Z", "2016-03-02 00:00:00Z"); // key expires too soon // Act - var resolution = resolver.ResolveDefaultKeyPolicy("2015-03-31 23:59:00Z", key1, key2, key3); + var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:50:00Z", key1, key2, key3); // Assert Assert.Same(key1, resolution.DefaultKey); - Assert.False(resolution.ShouldGenerateNewKey); + Assert.True(resolution.ShouldGenerateNewKey); } [Fact] @@ -139,7 +170,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private static IDefaultKeyResolver CreateDefaultKeyResolver() { return new DefaultKeyResolver( - keyGenBeforeExpirationWindow: TimeSpan.FromDays(2), + keyPropagationWindow: TimeSpan.FromDays(2), maxServerToServerClockSkew: TimeSpan.FromMinutes(7), services: null); } diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index b117c9e215..6bb7ab2c0c 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs 
@@ -140,6 +140,40 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy", "CreateNewKey", "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); } + [Fact] + public void CreateCacheableKeyRing_GenerationRequired_NoDefaultKey_KeyGenerationDisabled_Fails() + { + // Arrange + var callSequence = new List(); + + var now = StringToDateTime("2015-03-01 00:00:00Z"); + var allKeys = new IKey[0]; + + var keyRingProvider = SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { CancellationToken.None }, + getAllKeysReturnValues: new[] { allKeys }, + createNewKeyCallbacks: new[] { + Tuple.Create((DateTimeOffset)now, (DateTimeOffset)now + TimeSpan.FromDays(90)) + }, + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys, new DefaultKeyResolution() + { + DefaultKey = null, + ShouldGenerateNewKey = true + }) + }, + keyManagementOptions: new KeyManagementOptions() { AutoGenerateKeys = false }); + + // Act + var exception = Assert.Throws(() => keyRingProvider.GetCacheableKeyRing(now)); + + // Assert + Assert.Equal(Resources.KeyRingProvider_NoDefaultKey_AutoGenerateDisabled, exception.Message); + Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + [Fact] public void CreateCacheableKeyRing_GenerationRequired_WithDefaultKey_CreatesNewKeyWithDeferredActivationAndExpirationBasedOnCreationTime() { 
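Review bot: `CreateCacheableKeyRing_GenerationRequired_NoDefaultKey_KeyGenerationDisabled_Fails` supplies a `createNewKeyCallbacks` entry (`now` to `now + 90 days`) although its final assertion requires that `CreateNewKey` never appears in `callSequence`. The unused expectation reads as if key creation were allowed on this path. Passing `createNewKeyCallbacks: null, // empty`, as the `WithDefaultKey_KeyGenerationDisabled` test in the same file does, states the intent directly. Whether the setup helper accepts `null` here is inferred from that sibling test, since the helper body is only partly visible.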
@@ -190,12 +224,51 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy", "CreateNewKey", "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); } + [Fact] + public void CreateCacheableKeyRing_GenerationRequired_WithDefaultKey_KeyGenerationDisabled_DoesNotCreateDefaultKey() + { + // Arrange + var callSequence = new List(); + var expirationCts = new CancellationTokenSource(); + + var now = StringToDateTime("2016-02-01 00:00:00Z"); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var allKeys = new[] { key1 }; + + var keyRingProvider = SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { expirationCts.Token }, + getAllKeysReturnValues: new[] { allKeys }, + createNewKeyCallbacks: null, // empty + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys, new DefaultKeyResolution() + { + DefaultKey = key1, + ShouldGenerateNewKey = true + }) + }, + keyManagementOptions: new KeyManagementOptions() { AutoGenerateKeys = false }); + + // Act + var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); + + // Assert + Assert.Equal(key1.KeyId, cacheableKeyRing.KeyRing.DefaultKeyId); + AssertWithinJitterRange(cacheableKeyRing.ExpirationTimeUtc, now); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + private static ICacheableKeyRingProvider SetupCreateCacheableKeyRingTestAndCreateKeyManager( IList callSequence, IEnumerable getCacheExpirationTokenReturnValues, IEnumerable> getAllKeysReturnValues, IEnumerable> createNewKeyCallbacks, - IEnumerable, DefaultKeyResolution>> 
resolveDefaultKeyPolicyReturnValues) + IEnumerable, DefaultKeyResolution>> resolveDefaultKeyPolicyReturnValues, + KeyManagementOptions keyManagementOptions = null) { var getCacheExpirationTokenReturnValuesEnumerator = getCacheExpirationTokenReturnValues.GetEnumerator(); var mockKeyManager = new Mock(MockBehavior.Strict); @@ -242,7 +315,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement return resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item3; }); - return CreateKeyRingProvider(mockKeyManager.Object, mockDefaultKeyResolver.Object); + return CreateKeyRingProvider(mockKeyManager.Object, mockDefaultKeyResolver.Object, keyManagementOptions); } [Fact] @@ -359,17 +432,17 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement serviceCollection.AddInstance(cacheableKeyRingProvider); return new KeyRingProvider( keyManager: null, - keyLifetimeOptions: null, + keyManagementOptions: null, services: serviceCollection.BuildServiceProvider()); } - private static ICacheableKeyRingProvider CreateKeyRingProvider(IKeyManager keyManager, IDefaultKeyResolver defaultKeyResolver) + private static ICacheableKeyRingProvider CreateKeyRingProvider(IKeyManager keyManager, IDefaultKeyResolver defaultKeyResolver, KeyManagementOptions keyManagementOptions= null) { var serviceCollection = new ServiceCollection(); serviceCollection.AddInstance(defaultKeyResolver); return new KeyRingProvider( keyManager: keyManager, - keyLifetimeOptions: null, + keyManagementOptions: keyManagementOptions, services: serviceCollection.BuildServiceProvider()); } diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs index 12f2818957..8dcb0424eb 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs 
@@ -61,8 +61,8 @@ namespace Microsoft.AspNet.DataProtection }); var services = serviceCollection.BuildServiceProvider(); - var keyLifetimeOptions = services.GetService>(); - Assert.Equal(TimeSpan.FromDays(1024), keyLifetimeOptions.Options.NewKeyLifetime); + var keyManagementOptions = services.GetService>(); + Assert.Equal(TimeSpan.FromDays(1024), keyManagementOptions.Options.NewKeyLifetime); } [ConditionalFact] From 4f2288c3dac356cf9e4ba2beb456a8d6824a19af Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 11 Mar 2015 18:56:46 -0700 Subject: [PATCH 110/493] Introduce concept of a "fallback key" This key is used if there is no preferred default key and the developer has disabled automatic key generation. This will keep the service from falling over if the keys are not rolled and they all expire. --- .../KeyManagement/DefaultKeyResolution.cs | 7 ++++ .../KeyManagement/DefaultKeyResolver.cs | 17 +++++++- .../KeyManagement/KeyRingProvider.cs | 39 ++++++++++++------- .../KeyManagement/DefaultKeyResolverTests.cs | 38 +++++++++++++++++- .../KeyManagement/KeyRingProviderTests.cs | 38 ++++++++++++++++++ 5 files changed, 121 insertions(+), 18 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs index 63f035b057..42cc7c2741 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs @@ -12,6 +12,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// public IKey DefaultKey; + /// + /// The fallback key, which should be used only if the caller is configured not to + /// honor the property. This property may + /// be null if there is no viable fallback key. + /// + public IKey FallbackKey; + /// /// 'true' if a new key should be persisted to the keyring, 'false' otherwise. /// This value may be 'true' even if a valid default key was found. 
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs index 66beedb862..34c64e134e 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -46,11 +46,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement public DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable allKeys) { DefaultKeyResolution retVal = default(DefaultKeyResolution); - retVal.DefaultKey = FindDefaultKey(now, allKeys, out retVal.ShouldGenerateNewKey); + retVal.DefaultKey = FindDefaultKey(now, allKeys, out retVal.FallbackKey, out retVal.ShouldGenerateNewKey); return retVal; } - private IKey FindDefaultKey(DateTimeOffset now, IEnumerable allKeys, out bool callerShouldGenerateNewKey) + private IKey FindDefaultKey(DateTimeOffset now, IEnumerable allKeys, out IKey fallbackKey, out bool callerShouldGenerateNewKey) { // find the preferred default key (allowing for server-to-server clock skew) var preferredDefaultKey = (from key in allKeys 
@@ -97,10 +97,23 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement _logger.LogVerbose("Default key expiration imminent and repository contains no viable successor. Caller should generate a successor."); } + fallbackKey = null; return preferredDefaultKey; } // If we got this far, the caller must generate a key now. + // We should locate a fallback key, which is a key that can be used to protect payloads if + // the caller is configured not to generate a new key. We should try to make sure the fallback + // key has propagated to all callers (so its creation date should be before the previous + // propagation period), and we cannot use revoked keys. The fallback key may be expired. + fallbackKey = (from key in (from key in allKeys + where key.CreationDate <= now - _keyPropagationWindow + orderby key.CreationDate descending + select key).Concat(from key in allKeys + orderby key.CreationDate ascending + select key) + where !key.IsRevoked + select key).FirstOrDefault(); if (_logger.IsVerboseLevelEnabled()) { diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index 475ffda929..7aafa50a03 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs 
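Review bot: The comment above the `fallbackKey` query describes only the first sequence (keys created before `now - _keyPropagationWindow`, newest first), not the second sequence joined by `Concat`, which takes the earliest-created non-revoked key of any age. That last resort can be a key created inside the propagation window, so other servers may not have it yet, and the query checks neither `ActivationDate` nor `ExpirationDate`. I would state this next to the query, for example `// Last resort: if no non-revoked key has propagated, take the earliest-created non-revoked key,` followed by `// even though other servers may not have seen it yet. Activation and expiration are not checked.` Splitting the nested query into two named locals (propagated keys, all keys by age) would also make the preference order easier to audit. `FindDefaultKey` begins and ends outside this hunk.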
@@ -65,10 +65,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement throw CryptoUtil.Fail("Policy resolution states that a new key should be added to the key ring, even after a call to CreateNewKey."); } - if (defaultKeyPolicy.DefaultKey == null) + // We have been asked to generate a new key, but auto-generation of keys has been disabled. + // We need to use the fallback key or fail. + if (!_keyManagementOptions.AutoGenerateKeys) { - // We cannot continue if we have no default key and auto-generation of keys is disabled. - if (!_keyManagementOptions.AutoGenerateKeys) + var keyToUse = defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey; + if (keyToUse == null) { if (_logger.IsErrorLevelEnabled()) { @@ -76,7 +78,18 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } throw new InvalidOperationException(Resources.KeyRingProvider_NoDefaultKey_AutoGenerateDisabled); } + else + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarning("Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled. Using fallback key '{0:D}' with expiration {1:u} as default key.", keyToUse.KeyId, keyToUse.ExpirationDate); + } + return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys); + } + } + if (defaultKeyPolicy.DefaultKey == null) + { // The case where there's no default key is the easiest scenario, since it // means that we need to create a new key with immediate activation. _keyManager.CreateNewKey(activationDate: now, expirationDate: now + _keyManagementOptions.NewKeyLifetime); 
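Review bot: The new warning always reads "Using fallback key '{0:D}' ... as default key", but `keyToUse` is `defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey`, so it is logged even when a valid default key was found and no fallback is involved. A fallback key may already be expired, so this message is the main signal that payloads are being protected with an out-of-policy key, and it should not fire for the normal case. Either word it neutrally (`"... Using key '{0:D}' with expiration {1:u} as default key."`) or branch on `defaultKeyPolicy.DefaultKey == null` and keep the "fallback" wording for that case only. The enclosing method starts outside the hunk.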
@@ -84,16 +97,6 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } else { - // If auto-generation of keys is disabled, we cannot call CreateNewKey. - if (!_keyManagementOptions.AutoGenerateKeys) - { - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarning("Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled."); - } - return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, defaultKeyPolicy.DefaultKey, allKeys); - } - // If there is a default key, then the new key we generate should become active upon // expiration of the default key. The new key lifetime is measured from the creation // date (now), not the activation date. 
@@ -104,19 +107,25 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private CacheableKeyRing CreateCacheableKeyRingCoreStep2(DateTimeOffset now, CancellationToken cacheExpirationToken, IKey defaultKey, IEnumerable allKeys) { + Debug.Assert(defaultKey != null); + if (_logger.IsVerboseLevelEnabled()) { _logger.LogVerbose("Using key '{0:D}' as the default key.", defaultKey.KeyId); } + DateTimeOffset nextAutoRefreshTime = now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod); + // The cached keyring should expire at the earliest of (default key expiration, next auto-refresh time). // Since the refresh period and safety window are not user-settable, we can guarantee that there's at // least one auto-refresh between the start of the safety window and the key's expiration date. // This gives us an opportunity to update the key ring before expiration, and it prevents multiple - // servers in a cluster from trying to update the key ring simultaneously. + // servers in a cluster from trying to update the key ring simultaneously. Special case: if the default + // key's expiration date is in the past, then we know we're using a fallback key and should disregard + // its expiration date in favor of the next auto-refresh time. return new CacheableKeyRing( expirationToken: cacheExpirationToken, - expirationTime: Min(defaultKey.ExpirationDate, now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod)), + expirationTime: (defaultKey.ExpirationDate <= now) ? nextAutoRefreshTime : Min(defaultKey.ExpirationDate, nextAutoRefreshTime), defaultKey: defaultKey, allKeys: allKeys); } diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs index 3eed6faa19..9f755c2816 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs 
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs @@ -167,6 +167,41 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Assert.False(resolution.ShouldGenerateNewKey); } + [Fact] + public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z"); + var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z"); + var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true); + var key4 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3, key4); + + // Assert + Assert.Same(key2, resolution.FallbackKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + + [Fact] + public void ResolveDefaultKeyPolicy_FallbackKey_NoNonRevokedKeysBeforePriorPropagationWindow_SelectsEarliestNonRevokedKey() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true); + var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z"); + var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-05 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3); + + // Assert + Assert.Same(key2, resolution.FallbackKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + private static IDefaultKeyResolver CreateDefaultKeyResolver() { return new DefaultKeyResolver( 
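Review bot: The two new `FallbackKey` tests cover a revoked key being skipped in favour of another candidate, but nothing pins the case where every key is revoked. The resolver's `where !key.IsRevoked ... FirstOrDefault()` should then yield a null `FallbackKey`, and the key ring provider relies on that null to fail rather than protect with a revoked key. A test for that case would guard the property against later changes to the query. The expected `ShouldGenerateNewKey` value below is taken from the sibling tests and should be confirmed against the resolver.

```csharp
[Fact]
public void ResolveDefaultKeyPolicy_FallbackKey_AllKeysRevoked_ReturnsNullFallbackKey()
{
    // Arrange
    var resolver = CreateDefaultKeyResolver();
    var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z", isRevoked: true);
    var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z", isRevoked: true);

    // Act
    var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2);

    // Assert
    Assert.Null(resolution.FallbackKey);
    Assert.True(resolution.ShouldGenerateNewKey);
}
```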
@@ -175,10 +210,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement services: null); } - private static IKey CreateKey(string activationDate, string expirationDate, bool isRevoked = false) + private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false) { var mockKey = new Mock(); mockKey.Setup(o => o.KeyId).Returns(Guid.NewGuid()); + mockKey.Setup(o => o.CreationDate).Returns((creationDate != null) ? DateTimeOffset.ParseExact(creationDate, "u", CultureInfo.InvariantCulture) : DateTimeOffset.MinValue); mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index 6bb7ab2c0c..ee896e917f 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs 
@@ -262,6 +262,44 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); } + [Fact] + public void CreateCacheableKeyRing_GenerationRequired_WithFallbackKey_KeyGenerationDisabled_DoesNotCreateDefaultKey() + { + // Arrange + var callSequence = new List(); + var expirationCts = new CancellationTokenSource(); + + var now = StringToDateTime("2016-02-01 00:00:00Z"); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2015-03-01 00:00:00Z"); + var allKeys = new[] { key1 }; + + var keyRingProvider = SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { expirationCts.Token }, + getAllKeysReturnValues: new[] { allKeys }, + createNewKeyCallbacks: null, // empty + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys, new DefaultKeyResolution() + { + FallbackKey = key1, + ShouldGenerateNewKey = true + }) + }, + keyManagementOptions: new KeyManagementOptions() { AutoGenerateKeys = false }); + + // Act + var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); + + // Assert + Assert.Equal(key1.KeyId, cacheableKeyRing.KeyRing.DefaultKeyId); + AssertWithinJitterRange(cacheableKeyRing.ExpirationTimeUtc, now); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + private static ICacheableKeyRingProvider SetupCreateCacheableKeyRingTestAndCreateKeyManager( IList callSequence, IEnumerable getCacheExpirationTokenReturnValues, From 7fe33e81598523e0648a2023d846e8df96b6bf8c Mon Sep 17 00:00:00 2001 
From: Levi B Date: Thu, 12 Mar 2015 14:22:45 -0700 Subject: [PATCH 111/493] DataProtectionServices should prefer registry over defaults Comment cleanup in CNG-GCM ExportToXml --- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 2 +- .../DataProtectionServices.cs | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs index 82bb7217a6..c70a2a3c90 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs @@ -45,7 +45,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM } var rootElement = new XElement("descriptor", - new XComment(" Algorithms provided by Windows CNG, using GCM mode encryption and validation "), + new XComment(" Algorithms provided by Windows CNG, using Galois/Counter Mode encryption and validation "), encryptionElement, MasterKey.ToMasterKeyElement()); diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index 3589d588ba..79d640b5e3 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs @@ -5,6 +5,7 @@ using System; using System.Collections.Generic; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.Repositories; 
@@ -22,9 +23,6 @@ namespace Microsoft.Framework.DependencyInjection /// public static IEnumerable GetDefaultServices() { - // Provide the default algorithmic information. - yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_Default(); - // The default key services are a strange beast. We don't want to return // IXmlEncryptor and IXmlRepository as-is because they almost always have to be // set as a matched pair. Instead, our built-in key manager will use a meta-service @@ -98,10 +96,21 @@ namespace Microsoft.Framework.DependencyInjection // Hook up the logic which allows populating default options yield return DataProtectionServiceDescriptors.ConfigureOptions_DataProtectionOptions(); - // Finally, read and apply policy from the registry, overriding any other defaults. + // Read and apply policy from the registry, overriding any other defaults. + bool encryptorConfigurationReadFromRegistry = false; foreach (var descriptor in RegistryPolicyResolver.ResolveDefaultPolicy()) { yield return descriptor; + if (descriptor.ServiceType == typeof(IAuthenticatedEncryptorConfiguration)) + { + encryptorConfigurationReadFromRegistry = true; + } + } + + // Finally, provide a fallback encryptor configuration if one wasn't already specified. + if (!encryptorConfigurationReadFromRegistry) + { + yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_Default(); } } } From bf7283697da155341471a7e1d5e3078534f1ca3d Mon Sep 17 00:00:00 2001 
From: Levi B Date: Thu, 12 Mar 2015 15:45:41 -0700 Subject: [PATCH 112/493] Flow logging through the AuthenticatedEncryption types --- .../AuthenticatedEncryptionOptions.cs | 11 ++++---- .../CngCbcAuthenticatedEncryptionOptions.cs | 25 ++++++++++++----- .../CngGcmAuthenticatedEncryptionOptions.cs | 16 +++++++---- .../AuthenticatedEncryptorConfiguration.cs | 19 ++++++++----- .../AuthenticatedEncryptorDescriptor.cs | 27 ++++++++++++------- ...nticatedEncryptorDescriptorDeserializer.cs | 16 +++++++++-- ...gCbcAuthenticatedEncryptorConfiguration.cs | 17 +++++++----- .../CngCbcAuthenticatedEncryptorDescriptor.cs | 13 +++++++-- ...nticatedEncryptorDescriptorDeserializer.cs | 16 +++++++++-- ...gGcmAuthenticatedEncryptorConfiguration.cs | 17 +++++++----- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 13 +++++++-- ...nticatedEncryptorDescriptorDeserializer.cs | 14 +++++++++- .../ConfigurationModel/ConfigurationCommon.cs | 20 ++++++++++++++ ...rnalAuthenticatedEncryptorConfiguration.cs | 2 +- ...agedAuthenticatedEncryptorConfiguration.cs | 15 +++++++---- ...ManagedAuthenticatedEncryptorDescriptor.cs | 11 +++++++- ...nticatedEncryptorDescriptorDeserializer.cs | 14 +++++++++- ...IInternalAuthenticatedEncryptionOptions.cs | 2 +- .../ManagedAuthenticatedEncryptionOptions.cs | 25 ++++++++++++----- .../DataProtectionServiceDescriptors.cs | 3 +-- .../EphemeralDataProtectionProvider.cs | 2 +- 21 files changed, 225 insertions(+), 73 deletions(-) create mode 100644 src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs index da90f3b5b5..8f5bba8e00 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs 
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs @@ -6,6 +6,7 @@ using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { @@ -54,15 +55,15 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption * HELPER ROUTINES */ - internal IAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) + internal IAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, IServiceProvider services = null) { return CreateImplementationOptions() - .ToConfiguration() + .ToConfiguration(services) .CreateDescriptorFromSecret(secret) .CreateEncryptorInstance(); } - internal IInternalAuthenticatedEncryptionOptions CreateImplementationOptions() + private IInternalAuthenticatedEncryptionOptions CreateImplementationOptions() { if (IsGcmAlgorithm(EncryptionAlgorithm)) { @@ -192,9 +193,9 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption return (EncryptionAlgorithm.AES_128_GCM <= algorithm && algorithm <= EncryptionAlgorithm.AES_256_GCM); } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) { - return new AuthenticatedEncryptorConfiguration(this); + return new AuthenticatedEncryptorConfiguration(this, services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs index feacc7996b..baa2ca43c0 100644 
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs @@ -7,6 +7,7 @@ using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { @@ -93,16 +94,16 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption * HELPER ROUTINES */ - internal CbcAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) + internal CbcAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, ILogger logger = null) { return new CbcAuthenticatedEncryptor( keyDerivationKey: new Secret(secret), - symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(), + symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(logger), symmetricAlgorithmKeySizeInBytes: (uint)(EncryptionAlgorithmKeySize / 8), - hmacAlgorithmHandle: GetHmacAlgorithmHandle()); + hmacAlgorithmHandle: GetHmacAlgorithmHandle(logger)); } - private BCryptAlgorithmHandle GetHmacAlgorithmHandle() + private BCryptAlgorithmHandle GetHmacAlgorithmHandle(ILogger logger) { // basic argument checking if (String.IsNullOrEmpty(HashAlgorithm)) @@ -110,6 +111,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(HashAlgorithm)); } + if (logger.IsVerboseLevelEnabled()) + { + logger.LogVerbose("Opening CNG algorithm '{0}' from provider '{1}' with HMAC.", HashAlgorithm, HashAlgorithmProvider); + } + BCryptAlgorithmHandle algorithmHandle = null; // Special-case cached providers 
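Review bot: `CreateAuthenticatedEncryptorInstance(ISecret secret, ILogger logger = null)` defaults `logger` to null and passes it straight to `GetHmacAlgorithmHandle(logger)`, which calls `logger.IsVerboseLevelEnabled()` without a guard. If `IsVerboseLevelEnabled` is an extension method that tolerates a null receiver this is fine, but its definition is not visible here. Otherwise every caller that omits the logger hits a `NullReferenceException` before the algorithm handle is opened. Either confirm and document the null-tolerant contract on the extension, or guard at the call site with `if (logger != null && logger.IsVerboseLevelEnabled())`. The same pattern appears in `GetSymmetricBlockCipherAlgorithmHandle` in this file and in `CngGcmAuthenticatedEncryptionOptions`.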
@@ -134,7 +140,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption return algorithmHandle; } - private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle() + private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle(ILogger logger) { // basic argument checking if (String.IsNullOrEmpty(EncryptionAlgorithm)) @@ -146,6 +152,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); } + if (logger.IsVerboseLevelEnabled()) + { + logger.LogVerbose("Opening CNG algorithm '{0}' from provider '{1}' with chaining mode CBC.", EncryptionAlgorithm, EncryptionAlgorithmProvider); + } + BCryptAlgorithmHandle algorithmHandle = null; // Special-case cached providers @@ -172,9 +183,9 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption return algorithmHandle; } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) { - return new CngCbcAuthenticatedEncryptorConfiguration(this); + return new CngCbcAuthenticatedEncryptorConfiguration(this, services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs index c9b1f38b84..0213fb1598 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs 
@@ -7,6 +7,7 @@ using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { @@ -69,15 +70,15 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption * HELPER ROUTINES */ - internal GcmAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) + internal GcmAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, ILogger logger = null) { return new GcmAuthenticatedEncryptor( keyDerivationKey: new Secret(secret), - symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(), + symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(logger), symmetricAlgorithmKeySizeInBytes: (uint)(EncryptionAlgorithmKeySize / 8)); } - private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle() + private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle(ILogger logger) { // basic argument checking if (String.IsNullOrEmpty(EncryptionAlgorithm)) @@ -91,6 +92,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption BCryptAlgorithmHandle algorithmHandle = null; + if (logger.IsVerboseLevelEnabled()) + { + logger.LogVerbose("Opening CNG algorithm '{0}' from provider '{1}' with chaining mode GCM.", EncryptionAlgorithm, EncryptionAlgorithmProvider); + } + // Special-case cached providers if (EncryptionAlgorithmProvider == null) { 
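Review bot: The verbose message added to `GetSymmetricBlockCipherAlgorithmHandle` in CngGcmAuthenticatedEncryptionOptions.cs formats `EncryptionAlgorithmProvider` directly, yet the very next statement treats `EncryptionAlgorithmProvider == null` as the regular cached-provider case, so that path presumably logs an empty provider name. For a log line meant to record which CNG implementation backs the key, pass `EncryptionAlgorithmProvider ?? "(default)"` instead. The CBC hunks that log `HashAlgorithmProvider` and `EncryptionAlgorithmProvider` would take the same change. The method starts and ends outside the hunk.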
@@ -115,9 +121,9 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption return algorithmHandle; } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) { - return new CngGcmAuthenticatedEncryptorConfiguration(this); + return new CngGcmAuthenticatedEncryptorConfiguration(this, services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs index 7b39b10715..ec3c0102fc 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs 
@@ -9,26 +9,31 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// /// Represents a generalized authenticated encryption mechanism. /// - public unsafe sealed class AuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + public sealed class AuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration { + private readonly IServiceProvider _services; + public AuthenticatedEncryptorConfiguration([NotNull] AuthenticatedEncryptionOptions options) + : this(options, services: null) + { + } + + public AuthenticatedEncryptorConfiguration([NotNull] AuthenticatedEncryptionOptions options, IServiceProvider services) { Options = options; + _services = services; } public AuthenticatedEncryptionOptions Options { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { - // generate a 512-bit secret randomly - const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = Secret.Random(KDK_SIZE_IN_BYTES); - return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret); + return this.CreateNewDescriptorCore(); } - + IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new AuthenticatedEncryptorDescriptor(Options, secret); + return new AuthenticatedEncryptorDescriptor(Options, secret, _services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs index c5ca78573d..43387d779c 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs 
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs @@ -13,18 +13,27 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class AuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { - private readonly ISecret _masterKey; - private readonly AuthenticatedEncryptionOptions _options; + private readonly IServiceProvider _services; public AuthenticatedEncryptorDescriptor([NotNull] AuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + : this(options, masterKey, services: null) { - _options = options; - _masterKey = masterKey; } + public AuthenticatedEncryptorDescriptor([NotNull] AuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) + { + Options = options; + MasterKey = masterKey; + _services = services; + } + + internal ISecret MasterKey { get; } + + internal AuthenticatedEncryptionOptions Options { get; } + public IAuthenticatedEncryptor CreateEncryptorInstance() { - return _options.CreateAuthenticatedEncryptorInstance(_masterKey); + return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _services); } public XmlSerializedDescriptorInfo ExportToXml() 
@@ -36,17 +45,17 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", _options.EncryptionAlgorithm)); + new XAttribute("algorithm", Options.EncryptionAlgorithm)); - var validationElement = (AuthenticatedEncryptionOptions.IsGcmAlgorithm(_options.EncryptionAlgorithm)) + var validationElement = (AuthenticatedEncryptionOptions.IsGcmAlgorithm(Options.EncryptionAlgorithm)) ? (object)new XComment(" AES-GCM includes a 128-bit authentication tag, no extra validation algorithm required. ") : (object)new XElement("validation", - new XAttribute("algorithm", _options.ValidationAlgorithm)); + new XAttribute("algorithm", Options.ValidationAlgorithm)); var outerElement = new XElement("descriptor", encryptionElement, validationElement, - _masterKey.ToMasterKeyElement()); + MasterKey.ToMasterKeyElement()); return new XmlSerializedDescriptorInfo(outerElement, typeof(AuthenticatedEncryptorDescriptorDeserializer)); } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs index 7908b98748..947282cd5a 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -14,6 +14,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class AuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { + private readonly IServiceProvider _services; + + public AuthenticatedEncryptorDescriptorDeserializer() + : this(services: null) + { + } + + public AuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) + { + _services = services; + } + /// /// Imports the from serialized XML. /// @@ -24,7 +36,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM // // ... // - + var options = new AuthenticatedEncryptionOptions(); var encryptionElement = element.Element("encryption"); @@ -38,7 +50,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM } Secret masterKey = ((string)element.Elements("masterKey").Single()).ToSecret(); - return new AuthenticatedEncryptorDescriptor(options, masterKey); + return new AuthenticatedEncryptorDescriptor(options, masterKey, _services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs index b5dd186849..bb11fabe42 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs 
@@ -10,26 +10,31 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// Represents a configured authenticated encryption mechanism which uses /// Windows CNG algorithms in CBC encryption + HMAC authentication modes. /// - public unsafe sealed class CngCbcAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + public sealed class CngCbcAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration { + private readonly IServiceProvider _services; + public CngCbcAuthenticatedEncryptorConfiguration([NotNull] CngCbcAuthenticatedEncryptionOptions options) + : this(options, services: null) + { + } + + public CngCbcAuthenticatedEncryptorConfiguration([NotNull] CngCbcAuthenticatedEncryptionOptions options, IServiceProvider services) { Options = options; + _services = services; } public CngCbcAuthenticatedEncryptionOptions Options { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { - // generate a 512-bit secret randomly - const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = Secret.Random(KDK_SIZE_IN_BYTES); - return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret); + return this.CreateNewDescriptorCore(); } IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new CngCbcAuthenticatedEncryptorDescriptor(Options, secret); + return new CngCbcAuthenticatedEncryptorDescriptor(Options, secret, _services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs index 536dd573b4..d298ae719e 100644 
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs @@ -4,6 +4,7 @@ using System; using System.Xml.Linq; using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -13,10 +14,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class CngCbcAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { + private readonly ILogger _log; + public CngCbcAuthenticatedEncryptorDescriptor([NotNull] CngCbcAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + : this(options, masterKey, services: null) + { + } + + public CngCbcAuthenticatedEncryptorDescriptor([NotNull] CngCbcAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) { Options = options; MasterKey = masterKey; + _log = services.GetLogger(); } internal ISecret MasterKey { get; } @@ -25,7 +34,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM public IAuthenticatedEncryptor CreateEncryptorInstance() { - return Options.CreateAuthenticatedEncryptorInstance(MasterKey); + return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _log); } public XmlSerializedDescriptorInfo ExportToXml() @@ -51,7 +60,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { hashElement.SetAttributeValue("provider", Options.HashAlgorithmProvider); } - + var rootElement = new XElement("descriptor", new XComment(" Algorithms provided by Windows CNG, using CBC-mode encryption with HMAC validation "), encryptionElement, 
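Review bot: The new three-argument constructor of `CngCbcAuthenticatedEncryptorDescriptor` is public but undocumented, and it calls `services.GetLogger()` on a value that the two-argument overload passes as `services: null`. Add XML docs that say the provider is optional and what it is used for, e.g. `/// <param name="services">Optional; used only to resolve a logger. May be null.</param>`. That would also record that `GetLogger` is expected to tolerate a null provider, whose definition is not in this diff. The CngGcm and Managed descriptor constructors are written the same way, whereas `AuthenticatedEncryptorDescriptor` keeps the provider in `_services` and resolves nothing in its constructor. `IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services)` has the same gap: its doc comment does not mention the new parameter.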
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs index 86f5c5a162..3120c31ba8 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs @@ -13,6 +13,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class CngCbcAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { + private readonly IServiceProvider _services; + + public CngCbcAuthenticatedEncryptorDescriptorDeserializer() + : this(services: null) + { + } + + public CngCbcAuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) + { + _services = services; + } + /// /// Imports the from serialized XML. /// @@ -24,7 +36,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM // // ... // - + var options = new CngCbcAuthenticatedEncryptionOptions(); var encryptionElement = element.Element("encryption"); @@ -38,7 +50,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new CngCbcAuthenticatedEncryptorDescriptor(options, masterKey); + return new CngCbcAuthenticatedEncryptorDescriptor(options, masterKey, _services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs index 4dc914bb70..9ebc51ea7f 100644 
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs @@ -10,26 +10,31 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// Represents a configured authenticated encryption mechanism which uses /// Windows CNG algorithms in GCM encryption + authentication modes. /// - public unsafe sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + public sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration { + private readonly IServiceProvider _services; + public CngGcmAuthenticatedEncryptorConfiguration([NotNull] CngGcmAuthenticatedEncryptionOptions options) + : this(options, services: null) + { + } + + public CngGcmAuthenticatedEncryptorConfiguration([NotNull] CngGcmAuthenticatedEncryptionOptions options, IServiceProvider services) { Options = options; + _services = services; } public CngGcmAuthenticatedEncryptionOptions Options { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { - // generate a 512-bit secret randomly - const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = Secret.Random(KDK_SIZE_IN_BYTES); - return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret); + return this.CreateNewDescriptorCore(); } IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new CngGcmAuthenticatedEncryptorDescriptor(Options, secret); + return new CngGcmAuthenticatedEncryptorDescriptor(Options, secret, _services); } } } 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs index c70a2a3c90..51c10f5d31 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs @@ -4,6 +4,7 @@ using System; using System.Xml.Linq; using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -13,10 +14,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class CngGcmAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { + private readonly ILogger _log; + public CngGcmAuthenticatedEncryptorDescriptor([NotNull] CngGcmAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + : this(options, masterKey, services: null) + { + } + + public CngGcmAuthenticatedEncryptorDescriptor([NotNull] CngGcmAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) { Options = options; MasterKey = masterKey; + _log = services.GetLogger(); } internal ISecret MasterKey { get; } @@ -25,7 +34,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM public IAuthenticatedEncryptor CreateEncryptorInstance() { - return Options.CreateAuthenticatedEncryptorInstance(MasterKey); + return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _log); } public XmlSerializedDescriptorInfo ExportToXml() 
@@ -43,7 +52,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { encryptionElement.SetAttributeValue("provider", Options.EncryptionAlgorithmProvider); } - + var rootElement = new XElement("descriptor", new XComment(" Algorithms provided by Windows CNG, using Galois/Counter Mode encryption and validation "), encryptionElement, diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs index 6da12b3b23..801b1e31ef 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs @@ -13,6 +13,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class CngGcmAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { + private readonly IServiceProvider _services; + + public CngGcmAuthenticatedEncryptorDescriptorDeserializer() + : this(services: null) + { + } + + public CngGcmAuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) + { + _services = services; + } + /// /// Imports the from serialized XML. /// @@ -33,7 +45,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new CngGcmAuthenticatedEncryptorDescriptor(options, masterKey); + return new CngGcmAuthenticatedEncryptorDescriptor(options, masterKey, _services); } } } 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs new file mode 100644 index 0000000000..4d42acca16 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs @@ -0,0 +1,20 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +{ + internal static class ConfigurationCommon + { + /// + /// Creates an from this + /// using a random 512-bit master key generated from a secure PRNG. + /// + public static IAuthenticatedEncryptorDescriptor CreateNewDescriptorCore(this IInternalAuthenticatedEncryptorConfiguration configuration) + { + const int KDK_SIZE_IN_BYTES = 512 / 8; + return configuration.CreateDescriptorFromSecret(Secret.Random(KDK_SIZE_IN_BYTES)); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs index f05c33fb4f..46a9068513 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
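Review bot: `CreateNewDescriptorCore` in the new ConfigurationCommon.cs fixes the master-key size in a method-local constant, `const int KDK_SIZE_IN_BYTES = 512 / 8;`, while EphemeralDataProtectionProvider.cs (context lines later in this patch) still carries its own `NUM_BYTES_IN_KDK = 512 / 8`. The commit already folds four copies of this value into one helper, so the remaining duplicate is worth removing too. Hoist it to a single member such as `internal const int KDK_SIZE_IN_BYTES = 512 / 8;` on `ConfigurationCommon` and reference it from both places, so the key-derivation-key length cannot drift between the persisted and ephemeral paths.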
@@ -18,7 +19,6 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// Creates a new instance from this /// configuration given specific secret key material. /// - /// IAuthenticatedEncryptorDescriptor CreateDescriptorFromSecret(ISecret secret); } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs index 3bdc2e2f96..f4f8aa3410 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs 
@@ -13,24 +13,29 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class ManagedAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration { + private readonly IServiceProvider _services; + public ManagedAuthenticatedEncryptorConfiguration([NotNull] ManagedAuthenticatedEncryptionOptions options) + : this(options, services: null) + { + } + + public ManagedAuthenticatedEncryptorConfiguration([NotNull] ManagedAuthenticatedEncryptionOptions options, IServiceProvider services) { Options = options; + _services = services; } public ManagedAuthenticatedEncryptionOptions Options { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { - // generate a 512-bit secret randomly - const int KDK_SIZE_IN_BYTES = 512 / 8; - var secret = Secret.Random(KDK_SIZE_IN_BYTES); - return ((IInternalAuthenticatedEncryptorConfiguration)this).CreateDescriptorFromSecret(secret); + return this.CreateNewDescriptorCore(); } IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new ManagedAuthenticatedEncryptorDescriptor(Options, secret); + return new ManagedAuthenticatedEncryptorDescriptor(Options, secret, _services); } } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs index 0d0642b1f1..258fb64db7 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs 
@@ -5,6 +5,7 @@ using System; using System.Security.Cryptography; using System.Xml.Linq; using Microsoft.Framework.Internal; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -14,10 +15,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class ManagedAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { + private readonly ILogger _log; + public ManagedAuthenticatedEncryptorDescriptor([NotNull] ManagedAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + : this(options, masterKey, services: null) + { + } + + public ManagedAuthenticatedEncryptorDescriptor([NotNull] ManagedAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) { Options = options; MasterKey = masterKey; + _log = services.GetLogger(); } internal ISecret MasterKey { get; } @@ -26,7 +35,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM public IAuthenticatedEncryptor CreateEncryptorInstance() { - return Options.CreateAuthenticatedEncryptorInstance(MasterKey); + return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _log); } public XmlSerializedDescriptorInfo ExportToXml() diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs index 59878538f3..be28842cf2 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -14,6 +14,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// public sealed class ManagedAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { + private readonly IServiceProvider _services; + + public ManagedAuthenticatedEncryptorDescriptorDeserializer() + : this(services: null) + { + } + + public ManagedAuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) + { + _services = services; + } + /// /// Imports the from serialized XML. /// @@ -37,7 +49,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new ManagedAuthenticatedEncryptorDescriptor(options, masterKey); + return new ManagedAuthenticatedEncryptorDescriptor(options, masterKey, _services); } // Any changes to this method should also be be reflected diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs index 444990a3ba..7718c6a18b 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs @@ -15,7 +15,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption /// Creates a object /// from the given options. /// - IInternalAuthenticatedEncryptorConfiguration ToConfiguration(); + IInternalAuthenticatedEncryptorConfiguration ToConfiguration(IServiceProvider services); /// /// Performs a self-test of the algorithm specified by the options object. 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs index cb71ca58bc..944b5b9721 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs @@ -6,6 +6,7 @@ using System.Security.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Managed; +using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption { @@ -68,16 +69,16 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption * HELPER ROUTINES */ - internal ManagedAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret) + internal ManagedAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, ILogger logger = null) { return new ManagedAuthenticatedEncryptor( keyDerivationKey: new Secret(secret), - symmetricAlgorithmFactory: GetSymmetricBlockCipherAlgorithmFactory(), + symmetricAlgorithmFactory: GetSymmetricBlockCipherAlgorithmFactory(logger), symmetricAlgorithmKeySizeInBytes: EncryptionAlgorithmKeySize / 8, - validationAlgorithmFactory: GetKeyedHashAlgorithmFactory()); + validationAlgorithmFactory: GetKeyedHashAlgorithmFactory(logger)); } - private Func GetKeyedHashAlgorithmFactory() + private Func GetKeyedHashAlgorithmFactory(ILogger logger) { // basic argument checking if (ValidationAlgorithmType == null) 
@@ -85,6 +86,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(ValidationAlgorithmType)); } + if (logger.IsVerboseLevelEnabled()) + { + logger.LogVerbose("Using managed keyed hash algorithm '{0}'.", ValidationAlgorithmType.FullName); + } + if (ValidationAlgorithmType == typeof(HMACSHA256)) { return () => new HMACSHA256(); @@ -99,7 +105,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption } } - private Func GetSymmetricBlockCipherAlgorithmFactory() + private Func GetSymmetricBlockCipherAlgorithmFactory(ILogger logger) { // basic argument checking if (EncryptionAlgorithmType == null) @@ -112,6 +118,11 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); } + if (logger.IsVerboseLevelEnabled()) + { + logger.LogVerbose("Using managed symmetric algorithm '{0}'.", EncryptionAlgorithmType.FullName); + } + if (EncryptionAlgorithmType == typeof(Aes)) { Func factory = null; @@ -130,9 +141,9 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption } } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration() + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) { - return new ManagedAuthenticatedEncryptorConfiguration(this); + return new ManagedAuthenticatedEncryptorConfiguration(this, services); } /// diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs index 43b94d65a5..3276c76575 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs 
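Review bot: `logger.IsVerboseLevelEnabled()` in `GetKeyedHashAlgorithmFactory` is invoked on a parameter that `CreateAuthenticatedEncryptorInstance` declares as `ILogger logger = null`, so the call is safe only if `IsVerboseLevelEnabled` is an extension method that tolerates a null receiver, which is not visible here. The same pattern is in the `GetSymmetricBlockCipherAlgorithmFactory` hunk (`@@ -112,6 +118,11 @@`). Either make the guard explicit, `if (logger != null && logger.IsVerboseLevelEnabled())`, or add `// logger may be null; IsVerboseLevelEnabled() handles a null receiver` above each check. The logged values are only algorithm type names, so no key material reaches the log. Both method bodies continue outside their hunks.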
@@ -66,8 +66,7 @@ namespace Microsoft.Framework.DependencyInjection /// public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_FromOptions(IInternalAuthenticatedEncryptionOptions options) { - // We don't flow services since there's nothing interesting to flow. - return ServiceDescriptor.Singleton(services => options.ToConfiguration()); + return ServiceDescriptor.Singleton(options.ToConfiguration); } #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs index 262d978e0d..f0d9fbf856 100644 --- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs @@ -69,7 +69,7 @@ namespace Microsoft.AspNet.DataProtection // Currently hardcoded to a 512-bit KDK. private const int NUM_BYTES_IN_KDK = 512 / 8; - public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().ToConfiguration().CreateNewDescriptor().CreateEncryptorInstance(); + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().ToConfiguration(services: null).CreateNewDescriptor().CreateEncryptorInstance(); public Guid DefaultKeyId { get; } = default(Guid); From d3313f2b6e8494eda4df735f070b620a3af05a0a Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 12 Mar 2015 17:07:49 -0700 Subject: [PATCH 113/493] Update xunit.runner.kre => xunit.runner.aspnet. --- test/Microsoft.AspNet.Cryptography.Internal.Test/project.json | 4 ++-- .../project.json | 4 ++-- .../project.json | 4 ++-- test/Microsoft.AspNet.DataProtection.Test.Shared/project.json | 2 +- test/Microsoft.AspNet.DataProtection.Test/project.json | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index d34f53f281..90f9726223 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -3,13 +3,13 @@ "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.kre": "1.0.0-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { "dnx451": { } }, "commands": { - "test": "xunit.runner.kre" + "test": "xunit.runner.aspnet" }, "compilationOptions": { "allowUnsafe": true diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index 7fbc91ad6c..79e645fd53 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -5,13 +5,13 @@ "Microsoft.AspNet.DataProtection.Test.Shared": "", "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", - "xunit.runner.kre": "1.0.0-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { "dnx451": { } }, "commands": { - "test": "xunit.runner.kre" + "test": "xunit.runner.aspnet" }, "compilationOptions": { "allowUnsafe": true diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json index 2be80d1ab4..cc31aaa5d0 100644 --- a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json 
@@ -4,13 +4,13 @@ "Microsoft.AspNet.DataProtection.Interfaces": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", - "xunit.runner.kre": "1.0.0-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { "dnx451": { } }, "commands": { - "test": "xunit.runner.kre" + "test": "xunit.runner.aspnet" }, "code": "**\\*.cs;..\\common\\**\\*.cs", "compilationOptions": { diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json index 03f270e861..266a312c09 100644 --- a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json @@ -2,7 +2,7 @@ "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.kre": "1.0.0-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { "dnx451": { }, diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index 8203d16d13..ee622b09f7 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json @@ -5,13 +5,13 @@ "Microsoft.AspNet.Testing": "1.0.0-*", "Microsoft.Framework.DependencyInjection": "1.0.0-*", "Moq": "4.2.1312.1622", - "xunit.runner.kre": "1.0.0-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { "dnx451": { } }, "commands": { - "test": "xunit.runner.kre" + "test": "xunit.runner.aspnet" }, "compilationOptions": { "allowUnsafe": true From 82d92064c50c13f2737f96c6d76b45d68e9a9d05 Mon Sep 17 00:00:00 2001 
From: Levi B Date: Thu, 12 Mar 2015 17:54:15 -0700 Subject: [PATCH 114/493] Continued API improvements and refactoring - Add helpful extension methods to Interfaces project - Auto heuristic detection now writes default protection settings to the ILogger - Cleanup dead methods / add useful methods in DataProtectionConfiguration - Update System.Web compatibility project to allow mapping MachineKey.Protect directly to IDataProtector.Protect --- .../DataProtectionExtensions.cs | 95 +++++++++- .../Properties/Resources.Designer.cs | 16 ++ .../Resources.resx | 3 + .../project.json | 8 +- .../CompatibilityDataProtector.cs | 55 +++++- .../DataProtectionStartup.cs | 51 +++--- .../DataProtectionConfiguration.cs | 34 ++-- .../DataProtectionServiceDescriptors.cs | 2 +- .../DataProtectionServices.cs | 37 ++++ .../LoggingServiceProviderExtensions.cs | 29 ++- .../project.json | 2 - .../DataProtectionExtensionsTests.cs | 165 ++++++++++++++++++ 12 files changed, 446 insertions(+), 51 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs index 291ab59633..393d9b5307 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs @@ -3,10 +3,15 @@ using System; using System.Collections.Generic; +using System.ComponentModel; using System.Diagnostics; using Microsoft.AspNet.DataProtection.Interfaces; using Microsoft.Framework.Internal; +#if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available +using Microsoft.Framework.Runtime; +#endif + namespace Microsoft.AspNet.DataProtection { /// 
@@ -53,7 +58,7 @@ namespace Microsoft.AspNet.DataProtection /// Creates an given a list of purposes. /// /// The from which to generate the purpose chain. - /// The primary purpose used to create the . + /// The primary purpose used to create the . /// An optional list of secondary purposes which contribute to the purpose chain. /// If this list is provided it cannot contain null elements. /// An tied to the provided purpose chain. 
@@ -75,7 +80,93 @@ namespace Microsoft.AspNet.DataProtection } return protector ?? CryptoUtil.Fail("CreateProtector returned null."); } - + + /// + /// Returns a unique identifier for this application. + /// + /// The application-level . + /// A unique application identifier, or null if is null + /// or cannot provide a unique application identifier. + /// + /// The returned identifier should be stable for repeated runs of this same application on + /// this machine. Additionally, the identifier is only unique within the scope of a single + /// machine, e.g., two different applications on two different machines may return the same + /// value. + /// + [EditorBrowsable(EditorBrowsableState.Never)] + public static string GetApplicationUniqueIdentifier(this IServiceProvider services) + { + string discriminator = (services?.GetService(typeof(IApplicationDiscriminator)) as IApplicationDiscriminator)?.Discriminator; +#if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available + if (discriminator == null) + { + discriminator = (services?.GetService(typeof(IApplicationEnvironment)) as IApplicationEnvironment)?.ApplicationBasePath; + } +#elif NET451 // do nothing +#else +#error A new target framework was added to project.json, but it's not accounted for in this #ifdef. Please change the #ifdef accordingly. +#endif + + // Remove whitespace and homogenize empty -> null + discriminator = discriminator?.Trim(); + return (String.IsNullOrEmpty(discriminator)) ? null : discriminator; + } + + /// + /// Retrieves an from an . + /// + /// The service provider from which to retrieve the . + /// An . This method is guaranteed never to return null. + /// If no service exists in . + public static IDataProtectionProvider GetDataProtectionProvider([NotNull] this IServiceProvider services) + { + // We have our own implementation of GetRequiredService since we don't want to + // take a dependency on DependencyInjection.Interfaces. 
+ IDataProtectionProvider provider = (IDataProtectionProvider)services.GetService(typeof(IDataProtectionProvider)); + if (provider == null) + { + throw new InvalidOperationException(Resources.FormatDataProtectionExtensions_NoService(typeof(IDataProtectionProvider).FullName)); + } + return provider; + } + + /// + /// Retrieves an from an given a list of purposes. + /// + /// An which contains the + /// from which to generate the purpose chain. + /// The list of purposes which contribute to the purpose chain. This list must + /// contain at least one element, and it may not contain null elements. + /// An tied to the provided purpose chain. + /// + /// This is a convenience method which calls + /// then . See those methods' + /// documentation for more information. + /// + public static IDataProtector GetDataProtector([NotNull] this IServiceProvider services, [NotNull] IEnumerable purposes) + { + return services.GetDataProtectionProvider().CreateProtector(purposes); + } + + /// + /// Retrieves an from an given a list of purposes. + /// + /// An which contains the + /// from which to generate the purpose chain. + /// The primary purpose used to create the . + /// An optional list of secondary purposes which contribute to the purpose chain. + /// If this list is provided it cannot contain null elements. + /// An tied to the provided purpose chain. + /// + /// This is a convenience method which calls + /// then . See those methods' + /// documentation for more information. + /// + public static IDataProtector GetDataProtector([NotNull] this IServiceProvider services, [NotNull] string purpose, params string[] subPurposes) + { + return services.GetDataProtectionProvider().CreateProtector(purpose, subPurposes); + } + /// /// Cryptographically protects a piece of plaintext data. /// 
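Review bot: In `GetApplicationUniqueIdentifier` the fallback to `IApplicationEnvironment.ApplicationBasePath` runs only when the discriminator is null, so an `IApplicationDiscriminator` that returns an empty or whitespace string suppresses the fallback and the method returns null. That appears intentional, but neither the remarks nor the code say so, and a null result presumably leaves the application without per-application isolation. I would add `// An empty (non-null) Discriminator is honored as-is: no fallback to ApplicationBasePath, result is null.` above the `#if`. The remarks should also say that the fallback value is the application base path, so the identifier changes if the application is moved to another directory.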
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs index 9c0eed3510..c0b13a79e6 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs @@ -58,6 +58,22 @@ namespace Microsoft.AspNet.DataProtection.Interfaces return GetString("CryptCommon_GenericError"); } + /// + /// No service for type '{0}' has been registered. + /// + internal static string DataProtectionExtensions_NoService + { + get { return GetString("DataProtectionExtensions_NoService"); } + } + + /// + /// No service for type '{0}' has been registered. + /// + internal static string FormatDataProtectionExtensions_NoService(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("DataProtectionExtensions_NoService"), p0); + } + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx b/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx index 84fa596602..daa9e2cbd9 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx @@ -126,4 +126,7 @@ An error occurred during a cryptographic operation. + + No service for type '{0}' has been registered. + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/project.json b/src/Microsoft.AspNet.DataProtection.Interfaces/project.json index f8543204e6..a29ad1792a 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/project.json +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/project.json 
@@ -7,9 +7,15 @@ }, "frameworks": { "net451": { }, - "dnx451": { }, + "dnx451": { + "dependencies": { + "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*" + } + }, "dnxcore50": { "dependencies": { + "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*", + "System.ComponentModel": "4.0.0-beta-*", "System.Diagnostics.Debug": "4.0.10-beta-*", "System.Reflection": "4.0.10-beta-*", "System.Resources.ResourceManager": "4.0.0-beta-*", diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs index 5bf5b5b6d4..3f67e256ab 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs @@ -18,7 +18,11 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb { private static readonly Lazy _lazyProtectionProvider = new Lazy(CreateProtectionProvider); + [ThreadStatic] + private static bool _suppressPrimaryPurpose; + private readonly Lazy _lazyProtector; + private readonly Lazy _lazyProtectorSuppressedPrimaryPurpose; public CompatibilityDataProtector(string applicationName, string primaryPurpose, string[] specificPurposes) : base("application-name", "primary-purpose", null) // we feed dummy values to the base ctor 
@@ -28,11 +32,27 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb // up a good error message to the developer. _lazyProtector = new Lazy(() => _lazyProtectionProvider.Value.CreateProtector(primaryPurpose, specificPurposes)); + + // System.Web always provides "User.MachineKey.Protect" as the primary purpose for calls + // to MachineKey.Protect. Only in this case should we allow suppressing the primary + // purpose, as then we can easily map calls to MachineKey.Protect(userData, purposes) + // into calls to provider.GetProtector(purposes).Protect(userData). + if (primaryPurpose == "User.MachineKey.Protect") + { + _lazyProtectorSuppressedPrimaryPurpose = new Lazy(() => _lazyProtectionProvider.Value.CreateProtector(specificPurposes)); + } + else + { + _lazyProtectorSuppressedPrimaryPurpose = _lazyProtector; + } } // We take care of flowing purposes ourselves. protected override bool PrependHashedPurposeToPlaintext { get; } = false; + // Retrieves the appropriate protector (potentially with a suppressed primary purpose) for this operation. + private IDataProtector Protector => ((_suppressPrimaryPurpose) ? _lazyProtectorSuppressedPrimaryPurpose : _lazyProtector).Value; + private static IDataProtectionProvider CreateProtectionProvider() { // Read from the startup type we need to use, then create it @@ -60,7 +80,7 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb { try { - return _lazyProtector.Value.Protect(userData); + return Protector.Protect(userData); } catch (Exception ex) { 
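Review bot: `_lazyProtectorSuppressedPrimaryPurpose` calls `CreateProtector(specificPurposes)` without checking that `specificPurposes` has any elements. That overload is documented elsewhere in this patch as requiring at least one non-null element. If System.Web ever constructs this type with a null or empty `specificPurposes` (not visible here), the failure surfaces lazily on the first Protect or Unprotect made under `RunWithSuppressedPrimaryPurpose` rather than in the constructor. The intended behaviour for that case should be decided and recorded, at minimum with `// Requires at least one specific purpose; with none, the suppressed protector cannot be created.` above the `if`. The constructor body starts outside the hunk.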
@@ -76,7 +96,38 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb protected override byte[] ProviderUnprotect(byte[] encryptedData) { - return _lazyProtector.Value.Unprotect(encryptedData); + return Protector.Unprotect(encryptedData); + } + + /// + /// Invokes a delegate where calls to + /// and will ignore the primary + /// purpose and instead use only the sub-purposes. + /// + public static byte[] RunWithSuppressedPrimaryPurpose(Func callback, object state, byte[] input) + { + if (_suppressPrimaryPurpose) + { + return callback(state, input); // already suppressed - just forward call + } + + try + { + try + { + _suppressPrimaryPurpose = true; + return callback(state, input); + } + finally + { + _suppressPrimaryPurpose = false; + } + } + catch + { + // defeat exception filters + throw; + } } } } diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs index b6792c9882..664a68aa73 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs @@ -47,7 +47,7 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb /// public virtual IDataProtectionProvider CreateDataProtectionProvider(IServiceProvider services) { - return services.GetRequiredService(); + return services.GetDataProtectionProvider(); } /// 
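Review bot: `RunWithSuppressedPrimaryPurpose` is public and its effect depends on the `[ThreadStatic]` `_suppressPrimaryPurpose` flag, but the summary does not say that suppression covers only work done synchronously on the calling thread while `callback` runs. A callback that hands the protect call to another thread would silently get the protector that includes the primary purpose, and payloads from the two protectors are presumably not interchangeable. I would add to the doc comment: `/// Suppression applies only to calls made synchronously on the current thread for the duration of callback.` It is also worth expanding `// defeat exception filters` to say why: the outer catch keeps a caller's exception filter from running while the flag is still set.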
@@ -56,30 +56,12 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb /// internal IDataProtectionProvider InternalConfigureServicesAndCreateProtectionProvider() { + // Configure the default implementation, passing in our custom discriminator var services = new ServiceCollection(); services.AddDataProtection(); - services.Configure(options => - { - // Try reading the discriminator from defined - // at the web app root. If the value was set explicitly (even if the value is empty), - // honor it as the discriminator. Otherwise, fall back to the metabase config path. - var machineKeySection = (MachineKeySection)WebConfigurationManager.GetWebApplicationSection("system.web/machineKey"); - if (machineKeySection.ElementInformation.Properties["applicationName"].ValueOrigin != PropertyValueOrigin.Default) - { - options.ApplicationDiscriminator = machineKeySection.ApplicationName; - } - else - { - options.ApplicationDiscriminator = HttpRuntime.AppDomainAppId; - } + services.AddInstance(new SystemWebApplicationDiscriminator()); - if (String.IsNullOrEmpty(options.ApplicationDiscriminator)) - { - options.ApplicationDiscriminator = null; // homogenize to null - } - }); - - // Run configuration and get an instance of the provider. + // Run user-specified configuration and get an instance of the provider ConfigureServices(services); var provider = CreateDataProtectionProvider(services.BuildServiceProvider()); if (provider == null) 
@@ -90,5 +72,30 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb // And we're done! return provider; } + + private sealed class SystemWebApplicationDiscriminator : IApplicationDiscriminator + { + private readonly Lazy _lazyDiscriminator = new Lazy(GetAppDiscriminatorCore); + + public string Discriminator => _lazyDiscriminator.Value; + + private static string GetAppDiscriminatorCore() + { + // Try reading the discriminator from defined + // at the web app root. If the value was set explicitly (even if the value is empty), + // honor it as the discriminator. + var machineKeySection = (MachineKeySection)WebConfigurationManager.GetWebApplicationSection("system.web/machineKey"); + if (machineKeySection.ElementInformation.Properties["applicationName"].ValueOrigin != PropertyValueOrigin.Default) + { + return machineKeySection.ApplicationName; + } + else + { + // Otherwise, fall back to the IIS metabase config path. + // This is unique per machine. + return HttpRuntime.AppDomainAppId; + } + } + } } } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs index e2350cd642..371852cb20 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs @@ -79,7 +79,7 @@ namespace Microsoft.AspNet.DataProtection /// The concrete type of the to register. /// The 'this' instance. /// - /// Registrations are additive. + /// Registrations are additive. The factory is registered as . /// public DataProtectionConfiguration AddKeyEscrowSink() where TImplementation : IKeyEscrowSink @@ -94,7 +94,7 @@ namespace Microsoft.AspNet.DataProtection /// A factory that creates the instance. /// The 'this' instance. /// - /// Registrations are additive. + /// Registrations are additive. The factory is registered as . /// public DataProtectionConfiguration AddKeyEscrowSink([NotNull] Func factory) { 
@@ -130,19 +130,6 @@ namespace Microsoft.AspNet.DataProtection return this; } - /// - /// Configures the data protection system to persist keys in storage as plaintext. - /// - /// The 'this' instance. - /// - /// Caution: cryptographic key material will not be protected at rest. - /// - public DataProtectionConfiguration DisableProtectionOfKeysAtRest() - { - RemoveAllServicesOfType(typeof(IXmlEncryptor)); - return this; - } - /// /// Configures the data protection system to persist keys to the specified directory. /// This path may be on the local machine or may point to a UNC share. @@ -267,6 +254,23 @@ namespace Microsoft.AspNet.DataProtection return this; } + /// + /// Sets the unique name of this application within the data protection system. + /// + /// The application name. + /// The 'this' instance. + /// + /// This API corresponds to setting the property + /// to the value of . + /// + public DataProtectionConfiguration SetApplicationName(string applicationName) + { + return ConfigureGlobalOptions(options => + { + options.ApplicationDiscriminator = applicationName; + }); + } + /// /// Sets the default lifetime of keys created by the data protection system. /// diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs index 3276c76575..f7a8c3da0b 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs @@ -33,7 +33,7 @@ namespace Microsoft.Framework.DependencyInjection { return new ConfigureOptions(options => { - options.ApplicationDiscriminator = services.GetService()?.Discriminator; + options.ApplicationDiscriminator = services.GetApplicationUniqueIdentifier(); }); }); } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index 79d640b5e3..234099ea4d 100644 
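Review bot: `SetApplicationName` writes `applicationName` to `options.ApplicationDiscriminator` unchanged, while the default path in the `DataProtectionServiceDescriptors` hunk below goes through `GetApplicationUniqueIdentifier()`, which trims whitespace and maps empty to null. A name with stray whitespace therefore yields a different discriminator than the same name supplied through an `IApplicationDiscriminator`. A null or empty argument is also accepted silently, even though the discriminator is what keeps applications apart (presumably when they share a key repository). I would normalize the same way, `options.ApplicationDiscriminator = String.IsNullOrWhiteSpace(applicationName) ? null : applicationName.Trim();`, or state in the remarks that the value is used verbatim.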
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs @@ -9,6 +9,7 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.Framework.Logging; namespace Microsoft.Framework.DependencyInjection { @@ -31,6 +32,8 @@ namespace Microsoft.Framework.DependencyInjection // we'll not use the fallback at all. yield return ServiceDescriptor.Singleton(services => { + ILogger log = services.GetLogger(typeof(DataProtectionServices)); + ServiceDescriptor keyEncryptorDescriptor = null; ServiceDescriptor keyRepositoryDescriptor = null; @@ -38,6 +41,11 @@ namespace Microsoft.Framework.DependencyInjection var azureWebSitesKeysFolder = FileSystemXmlRepository.GetKeyStorageDirectoryForAzureWebSites(); if (azureWebSitesKeysFolder != null) { + if (log.IsInformationLevelEnabled()) + { + log.LogInformation("Azure Web Sites environment detected. Using '{0}' as key repository; keys will not be encrypted at rest.", azureWebSitesKeysFolder.FullName); + } + // Cloud DPAPI isn't yet available, so we don't encrypt keys at rest. // This isn't all that different than what Azure Web Sites does today, and we can always add this later. keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_FileSystem(azureWebSitesKeysFolder); 
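Review bot: The Azure Web Sites branch reports `keys will not be encrypted at rest` through `log.LogInformation`, and the two `keyEncryptorDescriptor == null` branches in the following hunks (`@@ -55,6 +63,18 @@` and `@@ -68,12 +88,29 @@`) do the same, while only the ephemeral-repository case uses `LogWarning`. Key material stored unprotected is the state an operator most needs to see, and deployments that filter below Warning will never record it. I would emit those three messages with `log.IsWarningLevelEnabled()` / `log.LogWarning(...)` and keep Information for the DPAPI-protected cases. `log` comes from `services.GetLogger(...)`, which a later hunk documents as possibly null, so these guards also depend on the level-check extensions tolerating a null logger.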
@@ -55,6 +63,18 @@ namespace Microsoft.Framework.DependencyInjection keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: !DpapiSecretSerializerHelper.CanProtectToCurrentUserAccount()); } keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_FileSystem(localAppDataKeysFolder); + + if (log.IsInformationLevelEnabled()) + { + if (keyEncryptorDescriptor != null) + { + log.LogInformation("User profile is available. Using '{0}' as key repository and Windows DPAPI to encrypt keys at rest.", localAppDataKeysFolder.FullName); + } + else + { + log.LogInformation("User profile is available. Using '{0}' as key repository; keys will not be encrypted at rest.", localAppDataKeysFolder.FullName); + } + } } else { @@ -68,12 +88,29 @@ namespace Microsoft.Framework.DependencyInjection keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true); } keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey); + + if (log.IsInformationLevelEnabled()) + { + if (keyEncryptorDescriptor != null) + { + log.LogInformation("User profile not available. Using '{0}' as key repository and Windows DPAPI to encrypt keys at rest.", regKeyStorageKey.Name); + } + else + { + log.LogInformation("User profile not available. Using '{0}' as key repository; keys will not be encrypted at rest.", regKeyStorageKey.Name); + } + } } else { // Final fallback - use an ephemeral repository since we don't know where else to go. // This can only be used for development scenarios. keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_InMemory(); + + if (log.IsWarningLevelEnabled()) + { + log.LogWarning("Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits."); + } } } } 
diff --git a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs index 4b9f05ec59..267b1d8c99 100644 --- a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs @@ -8,19 +8,36 @@ using Microsoft.Framework.Logging; namespace System { /// - /// Helpful extension methods on IServiceProvider. + /// Helpful logging-related extension methods on . /// internal static class LoggingServiceProviderExtensions { /// - /// Retrieves an instance of ILogger given the type name of the caller. - /// The caller's type name is used as the name of the ILogger created. - /// This method returns null if the IServiceProvider is null or if it - /// does not contain a registered ILoggerFactory. + /// Retrieves an instance of given the type name . + /// This is equivalent to . /// + /// + /// An instance, or null if is null or the + /// cannot produce an . + /// public static ILogger GetLogger(this IServiceProvider services) { - return services?.GetService()?.CreateLogger(); + return GetLogger(services, typeof(T)); + } + + /// + /// Retrieves an instance of given the type name . + /// This is equivalent to . + /// + /// + /// An instance, or null if is null or the + /// cannot produce an . + /// + public static ILogger GetLogger(this IServiceProvider services, Type type) + { + // Compiler won't allow us to use static types as the type parameter + // for the call to CreateLogger, so we'll duplicate its logic here. + return services?.GetService()?.CreateLogger(type.FullName); } } } diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 8de03164c8..525328fdea 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json 
@@ -13,7 +13,6 @@ "frameworks": { "net451": { "frameworkAssemblies": { - "System.Runtime": { "version": "", "type": "build" }, "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" @@ -21,7 +20,6 @@ }, "dnx451": { "frameworkAssemblies": { - "System.Runtime": { "version": "", "type": "build" }, "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs index 268e3e1d21..a174b4a4fa 100644 --- a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs @@ -7,6 +7,7 @@ using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.DataProtection.Interfaces; using Microsoft.AspNet.Testing; +using Microsoft.Framework.Runtime; using Moq; using Xunit; 
@@ -106,6 +107,170 @@ namespace Microsoft.AspNet.DataProtection Assert.Same(finalExpectedProtector, retVal); } + [Theory] + [InlineData(" discriminator", "app-path ", "discriminator")] // normalized trim + [InlineData("", "app-path", null)] // app discriminator not null -> overrides app base path + [InlineData(null, "app-path ", "app-path")] // normalized trim + [InlineData(null, " ", null)] // normalized whitespace -> null + [InlineData(null, null, null)] // nothing provided at all + public void GetApplicationUniqueIdentifier(string appDiscriminator, string appBasePath, string expected) + { + // Arrange + var mockAppDiscriminator = new Mock(); + mockAppDiscriminator.Setup(o => o.Discriminator).Returns(appDiscriminator); + var mockAppEnvironment = new Mock(); + mockAppEnvironment.Setup(o => o.ApplicationBasePath).Returns(appBasePath); + var mockServiceProvider = new Mock(); + mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationDiscriminator))).Returns(mockAppDiscriminator.Object); + mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationEnvironment))).Returns(mockAppEnvironment.Object); + + // Act + string actual = mockServiceProvider.Object.GetApplicationUniqueIdentifier(); + + // Assert + Assert.Equal(expected, actual); + } + + [Fact] + public void GetApplicationUniqueIdentifier_NoServiceProvider_ReturnsNull() + { + Assert.Null(((IServiceProvider)null).GetApplicationUniqueIdentifier()); + } + + [Fact] + public void GetDataProtectionProvider_NoServiceFound_Throws() + { + // Arrange + var services = new Mock().Object; + + // Act & assert + var ex = Assert.Throws(() => services.GetDataProtectionProvider()); + Assert.Equal(Resources.FormatDataProtectionExtensions_NoService(typeof(IDataProtectionProvider).FullName), ex.Message); + } + + [Fact] + public void GetDataProtectionProvider_ServiceFound_ReturnsService() + { + // Arrange + var expected = new Mock().Object; + var mockServices = new Mock(); + mockServices.Setup(o => 
o.GetService(typeof(IDataProtectionProvider))).Returns(expected); + var services = mockServices.Object; + + // Act + var actual = services.GetDataProtectionProvider(); + + // Assert + Assert.Same(expected, actual); + } + + [Theory] + [InlineData(new object[] { new string[0] })] + [InlineData(new object[] { new string[] { null } })] + [InlineData(new object[] { new string[] { "the next value is bad", null } })] + public void GetDataProtector_ChainedAsIEnumerable_FailureCases(string[] purposes) + { + // Arrange + var mockProtector = new Mock(); + mockProtector.Setup(o => o.CreateProtector(It.IsAny())).Returns(mockProtector.Object); + var mockServices = new Mock(); + mockServices.Setup(o => o.GetService(typeof(IDataProtectionProvider))).Returns(mockProtector.Object); + var services = mockServices.Object; + + // Act & assert + ExceptionAssert.ThrowsArgument( + testCode: () => services.GetDataProtector((IEnumerable)purposes), + paramName: "purposes", + exceptionMessage: Resources.DataProtectionExtensions_NullPurposesCollection); + } + + [Theory] + [InlineData(new object[] { new string[] { null } })] + [InlineData(new object[] { new string[] { "the next value is bad", null } })] + public void GetDataProtector_ChainedAsParams_FailureCases(string[] subPurposes) + { + // Arrange + var mockProtector = new Mock(); + mockProtector.Setup(o => o.CreateProtector(It.IsAny())).Returns(mockProtector.Object); + var mockServices = new Mock(); + mockServices.Setup(o => o.GetService(typeof(IDataProtectionProvider))).Returns(mockProtector.Object); + var services = mockServices.Object; + + // Act & assert + ExceptionAssert.ThrowsArgument( + testCode: () => services.GetDataProtector("primary-purpose", subPurposes), + paramName: "purposes", + exceptionMessage: Resources.DataProtectionExtensions_NullPurposesCollection); + } + + [Fact] + public void GetDataProtector_ChainedAsIEnumerable_SuccessCase() + { + // Arrange + var finalExpectedProtector = new Mock().Object; + + var thirdMock = new 
Mock(); + thirdMock.Setup(o => o.CreateProtector("third")).Returns(finalExpectedProtector); + var secondMock = new Mock(); + secondMock.Setup(o => o.CreateProtector("second")).Returns(thirdMock.Object); + var firstMock = new Mock(); + firstMock.Setup(o => o.CreateProtector("first")).Returns(secondMock.Object); + + var mockServices = new Mock(); + mockServices.Setup(o => o.GetService(typeof(IDataProtectionProvider))).Returns(firstMock.Object); + var services = mockServices.Object; + + // Act + var retVal = services.GetDataProtector((IEnumerable)new string[] { "first", "second", "third" }); + + // Assert + Assert.Same(finalExpectedProtector, retVal); + } + + [Fact] + public void GetDataProtector_ChainedAsParams_NonEmptyParams_SuccessCase() + { + // Arrange + var finalExpectedProtector = new Mock().Object; + + var thirdMock = new Mock(); + thirdMock.Setup(o => o.CreateProtector("third")).Returns(finalExpectedProtector); + var secondMock = new Mock(); + secondMock.Setup(o => o.CreateProtector("second")).Returns(thirdMock.Object); + var firstMock = new Mock(); + firstMock.Setup(o => o.CreateProtector("first")).Returns(secondMock.Object); + + var mockServices = new Mock(); + mockServices.Setup(o => o.GetService(typeof(IDataProtectionProvider))).Returns(firstMock.Object); + var services = mockServices.Object; + + // Act + var retVal = services.GetDataProtector("first", "second", "third"); + + // Assert + Assert.Same(finalExpectedProtector, retVal); + } + + [Theory] + [InlineData(new object[] { null })] + [InlineData(new object[] { new string[0] })] + public void GetDataProtector_ChainedAsParams_EmptyParams_SuccessCases(string[] subPurposes) + { + // Arrange + var finalExpectedProtector = new Mock().Object; + var firstMock = new Mock(); + firstMock.Setup(o => o.CreateProtector("first")).Returns(finalExpectedProtector); + var mockServices = new Mock(); + mockServices.Setup(o => o.GetService(typeof(IDataProtectionProvider))).Returns(firstMock.Object); + var services = 
mockServices.Object; + + // Act + var retVal = services.GetDataProtector("first", subPurposes); + + // Assert + Assert.Same(finalExpectedProtector, retVal); + } + [Fact] public void Protect_InvalidUtf8_Failure() { From 0966e37d949d4acb24d6bec7bc46065a47d7389e Mon Sep 17 00:00:00 2001 From: Levi B Date: Sat, 14 Mar 2015 15:43:39 -0700 Subject: [PATCH 115/493] Doc comment cleanup on GetApplicationUniqueIdentifier --- .../DataProtectionExtensions.cs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs index 393d9b5307..4a7312e43c 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs @@ -88,10 +88,17 @@ namespace Microsoft.AspNet.DataProtection /// A unique application identifier, or null if is null /// or cannot provide a unique application identifier. /// + /// /// The returned identifier should be stable for repeated runs of this same application on /// this machine. Additionally, the identifier is only unique within the scope of a single /// machine, e.g., two different applications on two different machines may return the same /// value. + /// + /// + /// This identifier may contain security-sensitive information such as physical file paths, + /// configuration settings, or other machine-specific information. Callers should take + /// special care not to disclose this information to untrusted entities. + /// /// [EditorBrowsable(EditorBrowsableState.Never)] public static string GetApplicationUniqueIdentifier(this IServiceProvider services) From 4365b531d8a4ec319ff26a1e661a6991efbd140f Mon Sep 17 00:00:00 2001 
From: Levi B
Date: Mon, 16 Mar 2015 18:45:31 -0700
Subject: [PATCH 116/493] Use C# 6 string interpolation feature Provides cleanup in logging and removes calls to String.Format
---
.../CngCbcAuthenticatedEncryptionOptions.cs | 4 +-
.../CngGcmAuthenticatedEncryptionOptions.cs | 2 +-
.../ManagedAuthenticatedEncryptionOptions.cs | 4 +-
.../DataProtectionServices.cs | 10 ++--
.../KeyManagement/DefaultKeyResolver.cs | 4 +-
.../KeyRingBasedDataProtector.cs | 23 +++++----
.../KeyManagement/KeyRingProvider.cs | 4 +-
.../KeyManagement/XmlKeyManager.cs | 49 +++++++++----------
.../LoggingExtensions.cs | 40 ++++++++++++---
.../Properties/Resources.Designer.cs | 12 ++---
.../Repositories/FileSystemXmlRepository.cs | 6 +--
.../Repositories/RegistryXmlRepository.cs | 9 ++--
.../Resources.resx | 6 +--
.../StringInterpolation.cs | 43 ++++++++++++++++
.../XmlEncryption/CertificateXmlEncryptor.cs | 6 +--
.../XmlEncryption/DpapiNGXmlDecryptor.cs | 2 +-
.../XmlEncryption/DpapiNGXmlEncryptor.cs | 7 +--
.../XmlEncryption/DpapiXmlEncryptor.cs | 2 +-
18 files changed, 152 insertions(+), 81 deletions(-)
create mode 100644 src/Microsoft.AspNet.DataProtection/StringInterpolation.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
index baa2ca43c0..18ed508884 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
@@ -113,7 +113,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption if (logger.IsVerboseLevelEnabled()) { - logger.LogVerbose("Opening CNG algorithm '{0}' from provider '{1}' with HMAC.", HashAlgorithm, HashAlgorithmProvider); + logger.LogVerboseF($"Opening CNG algorithm '{HashAlgorithm}' from provider '{HashAlgorithmProvider}' with HMAC."); } BCryptAlgorithmHandle algorithmHandle = null; @@ -154,7 +154,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption if (logger.IsVerboseLevelEnabled()) { - logger.LogVerbose("Opening CNG algorithm '{0}' from provider '{1}' with chaining mode CBC.", EncryptionAlgorithm, EncryptionAlgorithmProvider); + logger.LogVerboseF($"Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode CBC."); } BCryptAlgorithmHandle algorithmHandle = null; diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs index 0213fb1598..3f0f39392a 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs @@ -94,7 +94,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption if (logger.IsVerboseLevelEnabled()) { - logger.LogVerbose("Opening CNG algorithm '{0}' from provider '{1}' with chaining mode GCM.", EncryptionAlgorithm, EncryptionAlgorithmProvider); + logger.LogVerboseF($"Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode GCM."); } // Special-case cached providers 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs index 944b5b9721..9b446d5fbe 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs @@ -88,7 +88,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption if (logger.IsVerboseLevelEnabled()) { - logger.LogVerbose("Using managed keyed hash algorithm '{0}'.", ValidationAlgorithmType.FullName); + logger.LogVerboseF($"Using managed keyed hash algorithm '{ValidationAlgorithmType.FullName}'."); } if (ValidationAlgorithmType == typeof(HMACSHA256)) @@ -120,7 +120,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption if (logger.IsVerboseLevelEnabled()) { - logger.LogVerbose("Using managed symmetric algorithm '{0}'.", EncryptionAlgorithmType.FullName); + logger.LogVerboseF($"Using managed symmetric algorithm '{EncryptionAlgorithmType.FullName}'."); } if (EncryptionAlgorithmType == typeof(Aes)) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index 234099ea4d..0b5890e810 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs 
@@ -43,7 +43,7 @@ namespace Microsoft.Framework.DependencyInjection { if (log.IsInformationLevelEnabled()) { - log.LogInformation("Azure Web Sites environment detected. Using '{0}' as key repository; keys will not be encrypted at rest.", azureWebSitesKeysFolder.FullName); + log.LogInformationF($"Azure Web Sites environment detected. Using '{azureWebSitesKeysFolder.FullName}' as key repository; keys will not be encrypted at rest."); } // Cloud DPAPI isn't yet available, so we don't encrypt keys at rest. @@ -68,11 +68,11 @@ namespace Microsoft.Framework.DependencyInjection { if (keyEncryptorDescriptor != null) { - log.LogInformation("User profile is available. Using '{0}' as key repository and Windows DPAPI to encrypt keys at rest.", localAppDataKeysFolder.FullName); + log.LogInformationF($"User profile is available. Using '{localAppDataKeysFolder.FullName}' as key repository and Windows DPAPI to encrypt keys at rest."); } else { - log.LogInformation("User profile is available. Using '{0}' as key repository; keys will not be encrypted at rest.", localAppDataKeysFolder.FullName); + log.LogInformationF($"User profile is available. Using '{localAppDataKeysFolder.FullName}' as key repository; keys will not be encrypted at rest."); } } } @@ -93,11 +93,11 @@ namespace Microsoft.Framework.DependencyInjection { if (keyEncryptorDescriptor != null) { - log.LogInformation("User profile not available. Using '{0}' as key repository and Windows DPAPI to encrypt keys at rest.", regKeyStorageKey.Name); + log.LogInformationF($"User profile not available. Using '{regKeyStorageKey.Name}' as key repository and Windows DPAPI to encrypt keys at rest."); } else { - log.LogInformation("User profile not available. Using '{0}' as key repository; keys will not be encrypted at rest.", regKeyStorageKey.Name); + log.LogInformationF($"User profile not available. Using '{regKeyStorageKey.Name}' as key repository; keys will not be encrypted at rest."); } } } 
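Review bot: Every message here that says "keys will not be encrypted at rest" is written with `LogInformationF`, so a deployment that records only Warning and above gets no startup record that key material sits unprotected at the named location. This applies to the Azure Web Sites message in the first hunk and to the `else` branches in the `@@ -68,11` and `@@ -93,11` hunks. This commit also adds `LogWarningF(FormattableString)`, so those branches could use it, e.g. `log.LogWarningF($"User profile is available. Using '{localAppDataKeysFolder.FullName}' as key repository; keys will not be encrypted at rest.");`. The level guards for the second and third hunks begin outside the visible lines and would have to change to `IsWarningLevelEnabled()` as well.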
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs index 34c64e134e..795751fa50 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -62,7 +62,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Considering key '{0:D}' with expiration date {1:u} as default key.", preferredDefaultKey.KeyId, preferredDefaultKey.ExpirationDate); + _logger.LogVerboseF($"Considering key {preferredDefaultKey.KeyId:B} with expiration date {preferredDefaultKey.ExpirationDate:u} as default key."); } // if the key has been revoked or is expired, it is no longer a candidate @@ -70,7 +70,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Key '{0:D}' is no longer under consideration as default key because it is expired or revoked.", preferredDefaultKey.KeyId); + _logger.LogVerboseF($"Key {preferredDefaultKey.KeyId:B} is no longer under consideration as default key because it is expired or revoked."); } preferredDefaultKey = null; } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 5528cc45e9..b807d90e41 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -63,6 +63,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement newPurpose: purpose); } + private static string JoinPurposesForLog(IEnumerable purposes) + { + return "(" + String.Join(", ", purposes.Select(p => "'" + p + "'")) + ")"; + } + // allows decrypting payloads whose keys have been revoked public byte[] DangerousUnprotect(byte[] protectedData, bool ignoreRevocationErrors, out bool requiresMigration, out bool wasRevoked) { @@ -97,8 +102,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsDebugLevelEnabled()) { - _logger.LogDebug("Performing protect operation to key '{0:D}' with purposes ({1}).", - defaultKeyId, String.Join(", ", Purposes.Select(p => "'" + p + "'"))); + _logger.LogDebugF($"Performing protect operation to key {defaultKeyId:B} with purposes {JoinPurposesForLog(Purposes)}."); } // We'll need to apply the default key id to the template if it hasn't already been applied. @@ -218,8 +222,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsDebugLevelEnabled()) { - _logger.LogDebug("Performing unprotect operation to key '{0:D}' with purposes ({1}).", - keyIdFromPayload, String.Join(", ", Purposes.Select(p => "'" + p + "'"))); + _logger.LogDebugF($"Performing unprotect operation to key {keyIdFromPayload:B} with purposes {JoinPurposesForLog(Purposes)}."); } // Find the correct encryptor in the keyring. @@ -228,9 +231,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out keyWasRevoked); if (requestedEncryptor == null) { - if (_logger.IsWarningLevelEnabled()) + if (_logger.IsDebugLevelEnabled()) { - _logger.LogWarning("Key '{0:D}' was not found in the key ring. Unprotect operation cannot proceed.", keyIdFromPayload); + _logger.LogDebugF($"Key {keyIdFromPayload:B} was not found in the key ring. Unprotect operation cannot proceed."); } throw Error.Common_KeyNotFound(keyIdFromPayload); } 
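Review bot: The `@@ -228,9` hunk lowers "was not found in the key ring" from Warning to Debug, and the following `@@ -247,17` hunk lowers both revoked-key messages from Warning to Verbose. The commit message describes only string interpolation and logging cleanup, so this severity change is undocumented. An unprotect that proceeds on a revoked key at the caller's request, and a payload naming an unknown key, are events an operator may want in production logs, where Debug and Verbose are normally filtered out. If the downgrade is deliberate, record the reason next to the guard, e.g. `// Logged at Debug: key ids come from untrusted payloads and must not flood the warning log.`; otherwise keep `IsWarningLevelEnabled()` with `LogWarningF` at least for the "proceed regardless" branch. The enclosing method starts and ends outside these hunks.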
@@ -247,17 +250,17 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (allowOperationsOnRevokedKeys) { - if (_logger.IsWarningLevelEnabled()) + if (_logger.IsVerboseLevelEnabled()) { - _logger.LogWarning("Key '{0:D}' was revoked. Caller requested unprotect operation proceed regardless.", keyIdFromPayload); + _logger.LogVerboseF($"Key {keyIdFromPayload:B} was revoked. Caller requested unprotect operation proceed regardless."); } status = UnprotectStatus.DecryptionKeyWasRevoked; } else { - if (_logger.IsWarningLevelEnabled()) + if (_logger.IsVerboseLevelEnabled()) { - _logger.LogWarning("Key '{0:D}' was revoked. Unprotect operation cannot proceed.", keyIdFromPayload); + _logger.LogVerboseF($"Key {keyIdFromPayload:B} was revoked. Unprotect operation cannot proceed."); } throw Error.Common_KeyRevoked(keyIdFromPayload); } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index 7aafa50a03..9f12454e40 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs @@ -82,7 +82,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (_logger.IsWarningLevelEnabled()) { - _logger.LogWarning("Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled. Using fallback key '{0:D}' with expiration {1:u} as default key.", keyToUse.KeyId, keyToUse.ExpirationDate); + _logger.LogWarningF($"Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled. Using fallback key {keyToUse.KeyId:B} with expiration {keyToUse.ExpirationDate:u} as default key."); } return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys); } 
@@ -111,7 +111,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Using key '{0:D}' as the default key.", defaultKey.KeyId); + _logger.LogVerboseF($"Using key {defaultKey.KeyId:B} as the default key."); } DateTimeOffset nextAutoRefreshTime = now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod); diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index 4466158062..baabe020ae 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs @@ -4,7 +4,6 @@ using System; using System.Collections.Generic; using System.Diagnostics; -using System.Globalization; using System.Linq; using System.Reflection; using System.Runtime.CompilerServices; @@ -19,6 +18,8 @@ using Microsoft.Framework.DependencyInjection; using Microsoft.Framework.Internal; using Microsoft.Framework.Logging; +using static System.FormattableString; + namespace Microsoft.AspNet.DataProtection.KeyManagement { /// @@ -168,7 +169,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Skip unknown elements. if (_logger.IsWarningLevelEnabled()) { - _logger.LogWarning("Unknown element with name '{0}' found in keyring, skipping.", element.Name); + _logger.LogWarningF($"Unknown element with name '{element.Name}' found in keyring, skipping."); } } } 
@@ -185,14 +186,14 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement key.SetRevoked(); if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Marked key '{0:D}' as revoked in the keyring.", revokedKeyId); + _logger.LogVerboseF($"Marked key {revokedKeyId:B} as revoked in the keyring."); } } else { if (_logger.IsWarningLevelEnabled()) { - _logger.LogWarning("Tried to process revocation of key '{0:D}', but no such key was found in keyring. Skipping.", revokedKeyId); + _logger.LogWarningF($"Tried to process revocation of key {revokedKeyId:B}, but no such key was found in keyring. Skipping."); } } } @@ -208,7 +209,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement key.SetRevoked(); if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Marked key '{0:D}' as revoked in the keyring.", key.KeyId); + _logger.LogVerboseF($"Marked key {key.KeyId:B} as revoked in the keyring."); } } } @@ -247,7 +248,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Finally, create the Key instance if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Found key '{0:D}'.", keyId); + _logger.LogVerboseF($"Found key {keyId:B}."); } return new Key( keyId: keyId, 
@@ -264,19 +265,15 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (_logger.IsWarningLevelEnabled()) { - _logger.LogWarning("An exception of type '{0}' occurred while processing the key element '{1}', so the key will not be included in the keyring." + Environment.NewLine - + "Full details of the exception will be written to the 'Debug' log.", - ex.GetType().FullName, keyElement.WithoutChildNodes()); + _logger.LogWarningF($"An exception of type '{ex.GetType().FullName}' occurred while processing the key element '{keyElement.WithoutChildNodes()}', so the key will not be included in the keyring. Full details of the exception will be written to the 'Debug' log."); } - _logger.LogDebug(ex, "An exception occurred while processing the key element '{0}'.", keyElement); + _logger.LogDebugF(ex, $"An exception occurred while processing the key element '{keyElement}'."); } else { if (_logger.IsWarningLevelEnabled()) { - _logger.LogWarning("An exception of type '{0}' occurred while processing the key element '{1}', so the key will not be included in the keyring." + Environment.NewLine - + "To prevent accidental disclosure of sensitive information the full exception details are not being logged. To enable logging full exception details, enable 'Debug' level logging for this provider.", - ex.GetType().FullName, keyElement.WithoutChildNodes()); + _logger.LogWarningF($"An exception of type '{ex.GetType().FullName}' occurred while processing the key element '{keyElement.WithoutChildNodes()}', so the key will not be included in the keyring. To prevent accidental disclosure of sensitive information the full exception details are not being logged. To enable logging full exception details, enable 'Debug' level logging for this provider."); } } 
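Review bot: `_logger.LogDebugF(ex, $"An exception occurred while processing the key element '{keyElement}'.")` interpolates the whole element, whereas the warning just above it deliberately logs only `keyElement.WithoutChildNodes()`. If the repository holds keys that were stored without an XML encryptor, the Debug log would presumably receive the key material itself. The condition that selects this branch is outside the hunk, so the intent should be stated at the call, e.g. `// Debug only: writes the full key element, which may contain unencrypted key material.`. It is also worth checking that Debug output for this provider goes only to a sink with the same access controls as the key repository.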
@@ -299,7 +296,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement DateTimeOffset massRevocationDate = (DateTimeOffset)revocationElement.Element(RevocationDateElementName); if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Found revocation of all keys created prior to {0:u}.", massRevocationDate); + _logger.LogVerboseF($"Found revocation of all keys created prior to {massRevocationDate:u}."); } return massRevocationDate; } @@ -309,7 +306,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Guid keyId = XmlConvert.ToGuid(keyIdAsString); if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Found revocation of key '{0:D}'.", keyId); + _logger.LogVerboseF($"Found revocation of key {keyId:B}."); } return keyId; } @@ -320,7 +317,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // revocation information. if (_logger.IsErrorLevelEnabled()) { - _logger.LogError(ex, "An exception occurred while processing the revocation element '{0}'. Cannot continue keyring processing.", revocationElement); + _logger.LogErrorF(ex, $"An exception occurred while processing the revocation element '{revocationElement}'. Cannot continue keyring processing."); } throw; } @@ -337,7 +334,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsInformationLevelEnabled()) { - _logger.LogInformation("Revoking all keys as of {0:u} for reason '{1}'.", revocationDate, reason); + _logger.LogInformationF($"Revoking all keys as of {revocationDate:u} for reason '{reason}'."); } var revocationElement = new XElement(RevocationElementName, @@ -366,7 +363,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (!suppressLogging && _logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Key cache expiration token triggered by '{0}' operation.", opName); + _logger.LogVerboseF($"Key cache expiration token triggered by '{opName}' operation."); } Interlocked.Exchange(ref _cacheExpirationTokenSource, new CancellationTokenSource())?.Cancel(); 
@@ -385,7 +382,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsInformationLevelEnabled()) { - _logger.LogInformation("Creating key {0:D} with creation date {1:u}, activation date {2:u}, and expiration date {3:u}.", keyId, creationDate, activationDate, expirationDate); + _logger.LogInformationF($"Creating key {keyId:B} with creation date {creationDate:u}, activation date {activationDate:u}, and expiration date {expirationDate:u}."); } var newDescriptor = _authenticatedEncryptorConfiguration.CreateNewDescriptor() @@ -394,7 +391,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Descriptor deserializer type for key {0:D} is {1}.", keyId, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName); + _logger.LogVerboseF($"Descriptor deserializer type for key {keyId:B} is '{descriptorXmlInfo.DeserializerType.AssemblyQualifiedName}'."); } // build the element @@ -413,11 +410,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (_keyEscrowSink != null) { - _logger.LogVerbose("Key escrow sink found. Writing key {0:D} to escrow.", keyId); + _logger.LogVerboseF($"Key escrow sink found. Writing key {keyId:B} to escrow."); } else { - _logger.LogVerbose("No key escrow sink found. Not writing key {0:D} to escrow.", keyId); + _logger.LogVerboseF($"No key escrow sink found. Not writing key {keyId:B} to escrow."); } } _keyEscrowSink?.Store(keyId, keyElement); 
@@ -425,12 +422,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // If an XML encryptor has been configured, protect secret key material now. if (KeyEncryptor == null && _logger.IsWarningLevelEnabled()) { - _logger.LogWarning("No XML encryptor configured. Key {0:D} may be persisted to storage in unencrypted form.", keyId); + _logger.LogWarningF($"No XML encryptor configured. Key {keyId:B} may be persisted to storage in unencrypted form."); } var possiblyEncryptedKeyElement = KeyEncryptor?.EncryptIfNecessary(keyElement) ?? keyElement; // Persist it to the underlying repository and trigger the cancellation token. - string friendlyName = String.Format(CultureInfo.InvariantCulture, "key-{0:D}", keyId); + string friendlyName = Invariant($"key-{keyId:D}"); KeyRepository.StoreElement(possiblyEncryptedKeyElement, friendlyName); TriggerAndResetCacheExpirationToken(); @@ -453,7 +450,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsInformationLevelEnabled()) { - _logger.LogInformation("Revoking key {0:D} at {1:u} for reason '{2}'.", keyId, revocationDate, reason); + _logger.LogInformationF($"Revoking key {keyId:B} at {revocationDate:u} for reason '{reason}'."); } var revocationElement = new XElement(RevocationElementName, @@ -464,7 +461,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement new XElement(ReasonElementName, reason)); // Persist it to the underlying repository and trigger the cancellation token - string friendlyName = String.Format(CultureInfo.InvariantCulture, "revocation-{0:D}", keyId); + string friendlyName = Invariant($"revocation-{keyId:D}"); KeyRepository.StoreElement(revocationElement, friendlyName); TriggerAndResetCacheExpirationToken(); } diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs index ee7735fe2f..2ff0a23f79 100644 --- a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs 
+++ b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs @@ -8,7 +8,8 @@ using Microsoft.Framework.Logging.Internal; namespace Microsoft.Framework.Logging { /// - /// Helpful extension methods on ILogger. + /// Helpful extension methods on . + /// Methods ending in *F take as a parameter. /// internal static class LoggingExtensions { 
@@ -68,19 +69,44 @@ namespace Microsoft.Framework.Logging return (logger != null && logger.IsEnabled(level)); } - public static void LogDebug(this ILogger logger, Exception error, string message, params object[] args) + public static void LogDebugF(this ILogger logger, FormattableString message) { - logger.LogDebug(new FormattedLogValues(message, args), error); + logger.LogDebug(message.Format, message.GetArguments()); } - public static void LogError(this ILogger logger, Exception error, string message, params object[] args) + public static void LogDebugF(this ILogger logger, Exception error, FormattableString message) { - logger.LogError(new FormattedLogValues(message, args), error); + logger.LogDebug(new FormattedLogValues(message.Format, message.GetArguments()), error); } - public static void LogWarning(this ILogger logger, Exception error, string message, params object[] args) + public static void LogError(this ILogger logger, Exception error, string message) { - logger.LogWarning(new FormattedLogValues(message, args), error); + logger.LogError(message, error); + } + + public static void LogErrorF(this ILogger logger, Exception error, FormattableString message) + { + logger.LogError(new FormattedLogValues(message.Format, message.GetArguments()), error); + } + + public static void LogInformationF(this ILogger logger, FormattableString message) + { + logger.LogInformation(message.Format, message.GetArguments()); + } + + public static void LogVerboseF(this ILogger logger, FormattableString message) + { + logger.LogVerbose(message.Format, message.GetArguments()); + } + + public static void LogWarningF(this ILogger logger, FormattableString message) + { + logger.LogWarning(message.Format, message.GetArguments()); + } + + public static void LogWarningF(this ILogger logger, Exception error, FormattableString message) + { + logger.LogWarning(new FormattedLogValues(message.Format, message.GetArguments()), error); } } } 
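Review bot: The new `Log*F` helpers dereference `logger` directly, while the level check kept as context at the top of this hunk returns `(logger != null && logger.IsEnabled(level))` and so tolerates a null logger; a call site that drops its level guard would throw instead of skipping the log. The interpolation holes are also evaluated by the caller before the helper runs, so the guard is the only thing that keeps values such as `WindowsIdentity.GetCurrent().Name` from being computed when the level is off. I would state that contract in the class summary, e.g. `/// Callers must check the matching Is*LevelEnabled() first; the *F methods do not null-check the logger.` The class body starts outside this hunk.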
diff --git a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs index 9edb8c1b05..e9ac9e8f90 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs @@ -107,7 +107,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key '{0:D}' was not found in the key ring. + /// The key {0:B} was not found in the key ring. /// internal static string Common_KeyNotFound { @@ -115,7 +115,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key '{0:D}' was not found in the key ring. + /// The key {0:B} was not found in the key ring. /// internal static string FormatCommon_KeyNotFound() { @@ -123,7 +123,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key '{0:D}' has been revoked. + /// The key {0:B} has been revoked. /// internal static string Common_KeyRevoked { @@ -131,7 +131,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key '{0:D}' has been revoked. + /// The key {0:B} has been revoked. /// internal static string FormatCommon_KeyRevoked() { @@ -235,7 +235,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key '{0:D}' already exists in the keyring. + /// The key {0:B} already exists in the keyring. /// internal static string XmlKeyManager_DuplicateKey { @@ -243,7 +243,7 @@ namespace Microsoft.AspNet.DataProtection } /// - /// The key '{0:D}' already exists in the keyring. + /// The key {0:B} already exists in the keyring. /// internal static string FormatXmlKeyManager_DuplicateKey() { diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index 52c1718aa9..a21a92f4d8 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs 
+++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -153,7 +153,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories { if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Reading data from file '{0}'.", fullPath); + _logger.LogVerboseF($"Reading data from file '{fullPath}'."); } using (var fileStream = File.OpenRead(fullPath)) @@ -169,7 +169,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories string newFriendlyName = Guid.NewGuid().ToString(); if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("The name '{0}' is not a safe file name, using '{1}' instead.", friendlyName, newFriendlyName); + _logger.LogVerboseF($"The name '{friendlyName}' is not a safe file name, using '{newFriendlyName}' instead."); } friendlyName = newFriendlyName; } @@ -198,7 +198,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories // Renames are atomic operations on the file systems we support. if (_logger.IsInformationLevelEnabled()) { - _logger.LogInformation("Writing data to file '{0}.", finalFilename); + _logger.LogInformationF($"Writing data to file '{finalFilename}'."); } File.Move(tempFilename, finalFilename); } diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index bc42ef4a23..9e0d036ef7 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -3,7 +3,6 @@ using System; using System.Collections.Generic; -using System.Globalization; using System.Linq; using System.Security.Principal; using System.Xml.Linq; @@ -11,6 +10,8 @@ using Microsoft.Framework.Internal; using Microsoft.Framework.Logging; using Microsoft.Win32; +using static System.FormattableString; + namespace Microsoft.AspNet.DataProtection.Repositories { /// 
@@ -96,7 +97,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories // Even though this is in HKLM, WAS ensures that applications hosted in IIS are properly isolated. // See APP_POOL::EnsureSharedMachineKeyStorage in WAS source for more info. // The version number will need to change if IIS hosts Core CLR directly. - string aspnetAutoGenKeysBaseKeyName = String.Format(CultureInfo.InvariantCulture, @"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{0}", WindowsIdentity.GetCurrent().User.Value); + string aspnetAutoGenKeysBaseKeyName = Invariant($@"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{WindowsIdentity.GetCurrent().User.Value}"); var aspnetBaseKey = hklmBaseKey.OpenSubKey(aspnetAutoGenKeysBaseKeyName, writable: true); if (aspnetBaseKey != null) { @@ -132,7 +133,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories { if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Reading data from registry key '{0}', value '{1}'.", regKey.ToString(), valueName); + _logger.LogVerboseF($"Reading data from registry key '{regKey}', value '{valueName}'."); } string data = regKey.GetValue(valueName) as string; @@ -146,7 +147,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories string newFriendlyName = Guid.NewGuid().ToString(); if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("The name '{0}' is not a safe registry value name, using '{1}' instead.", friendlyName, newFriendlyName); + _logger.LogVerboseF($"The name '{friendlyName}' is not a safe registry value name, using '{newFriendlyName}' instead."); } friendlyName = newFriendlyName; } diff --git a/src/Microsoft.AspNet.DataProtection/Resources.resx b/src/Microsoft.AspNet.DataProtection/Resources.resx index 3562a6a959..5f368a39c0 100644 --- a/src/Microsoft.AspNet.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.DataProtection/Resources.resx 
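Review bot: The rewritten `aspnetAutoGenKeysBaseKeyName` line still calls `WindowsIdentity.GetCurrent()` inline, so the disposable identity it returns is never disposed. The DpapiNGXmlEncryptor hunk of this same commit already wraps the call as `using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent())`; using the same wrapper here and reading `currentIdentity.User.Value` inside it releases the token handle deterministically and keeps the two files consistent. The DpapiXmlEncryptor hunk has the same pattern with `WindowsIdentity.GetCurrent().Name` inside the log call. The enclosing method starts and ends outside the hunk.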
@@ -136,10 +136,10 @@ An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. - The key '{0:D}' was not found in the key ring. + The key {0:B} was not found in the key ring. - The key '{0:D}' has been revoked. + The key {0:B} has been revoked. The provided payload cannot be decrypted because it was not protected with this protection provider. @@ -160,7 +160,7 @@ The new key lifetime must be at least one week. - The key '{0:D}' already exists in the keyring. + The key {0:B} already exists in the keyring. Argument cannot be null or empty. diff --git a/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs b/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs new file mode 100644 index 0000000000..e7ba7f9dae --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs 
@@ -0,0 +1,43 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +#if !DNXCORE50 +// These classes allow using the C# string interpolation feature from .NET 4.5.1. +// They're slimmed-down versions of the classes that exist in .NET 4.6. + +using System.Globalization; + +namespace System +{ + internal struct FormattableString + { + private readonly object[] _arguments; + public readonly string Format; + + internal FormattableString(string format, params object[] arguments) + { + Format = format; + _arguments = arguments; + } + + public object[] GetArguments() => _arguments; + + public static string Invariant(FormattableString formattable) + { + return String.Format(CultureInfo.InvariantCulture, formattable.Format, formattable.GetArguments()); + } + } +} + +namespace System.Runtime.CompilerServices +{ + internal static class FormattableStringFactory + { + public static FormattableString Create(string format, params object[] arguments) + { + return new FormattableString(format, arguments); + } + } +} + +#endif diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index f89820b02c..2c6401305b 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -132,7 +132,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { if (_logger.IsErrorLevelEnabled()) { - _logger.LogError(ex, "An exception occurred while trying to resolve certificate with thumbprint '{0}'.", thumbprint); + _logger.LogErrorF(ex, $"An exception occurred while trying to resolve certificate with thumbprint '{thumbprint}'."); } throw; } 
@@ -146,7 +146,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Encrypting to X.509 certificate with thumbprint '{0}'.", cert.Thumbprint); + _logger.LogVerboseF($"Encrypting to X.509 certificate with thumbprint '{cert.Thumbprint}'."); } try @@ -157,7 +157,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { if (_logger.IsErrorLevelEnabled()) { - _logger.LogError(ex, "An error occurred while encrypting to X.509 certificate with thumbprint '{0}'.", cert.Thumbprint); + _logger.LogErrorF(ex, $"An error occurred while encrypting to X.509 certificate with thumbprint '{cert.Thumbprint}'."); } throw; } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index e804c1d7cb..e356c2e259 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -68,7 +68,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption // swallow all errors - it's just a log protectionDescriptorRule = null; } - _logger.LogVerbose("Decrypting secret element using Windows DPAPI-NG with protection descriptor '{0}'.", protectionDescriptorRule); + _logger.LogVerboseF($"Decrypting secret element using Windows DPAPI-NG with protection descriptor rule '{protectionDescriptorRule}'."); } using (Secret secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(protectedSecret)) diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index 1a11ce10a7..4b6180ce5b 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs 
@@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Globalization; using System.Security.Principal; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; @@ -11,6 +10,8 @@ using Microsoft.AspNet.DataProtection.Cng; using Microsoft.Framework.Internal; using Microsoft.Framework.Logging; +using static System.FormattableString; + namespace Microsoft.AspNet.DataProtection.XmlEncryption { /// @@ -65,7 +66,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption string protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerbose("Encrypting to Windows DPAPI-NG using protection descriptor '{0}'.", protectionDescriptorRuleString); + _logger.LogVerboseF($"Encrypting to Windows DPAPI-NG using protection descriptor rule '{protectionDescriptorRuleString}'."); } // Convert the XML element to a binary secret so that it can be run through DPAPI @@ -114,7 +115,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent()) { // use the SID to create an SDDL string - return String.Format(CultureInfo.InvariantCulture, "SID={0}", currentIdentity.User.Value); + return Invariant($"SID={currentIdentity.User.Value}"); } } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index d0b5908092..4ec5f0cef4 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs 
@@ -66,7 +66,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } else { - _logger.LogVerbose("Encrypting to Windows DPAPI for current user account ({0}).", WindowsIdentity.GetCurrent().Name); + _logger.LogVerboseF($"Encrypting to Windows DPAPI for current user account ({WindowsIdentity.GetCurrent().Name})."); } } From 612a81d9ce57e910e7cf654fd40fa7da9f12ff20 Mon Sep 17 00:00:00 2001 From: Levi B Date: Mon, 16 Mar 2015 11:38:11 -0700 Subject: [PATCH 117/493] Defer processing descriptors until necessary - Make CreateNewKey more robust against bad key repositories - Don't hide key deserialization errors --- .../KeyManagement/CacheableKeyRing.cs | 2 +- .../KeyManagement/DefaultKeyResolution.cs | 8 ++ .../KeyManagement/DefaultKeyResolver.cs | 33 +++++-- .../KeyManagement/DeferredKey.cs | 41 ++++++++ .../KeyManagement/IInternalXmlKeyManager.cs | 5 + .../KeyManagement/Key.cs | 34 +------ .../KeyManagement/KeyBase.cs | 45 +++++++++ .../KeyManagement/KeyRing.cs | 16 +++- .../KeyManagement/KeyRingProvider.cs | 36 +++---- .../KeyManagement/XmlKeyManager.cs | 88 ++++++++++------- .../XmlEncryption/XmlEncryptionExtensions.cs | 6 +- .../KeyManagement/DefaultKeyResolverTests.cs | 49 +++++++++- .../KeyManagement/DeferredKeyTests.cs | 95 +++++++++++++++++++ .../KeyRingBasedDataProtectorTests.cs | 12 +-- .../KeyManagement/KeyRingProviderTests.cs | 86 ++++++++++++++--- .../KeyManagement/KeyRingTests.cs | 23 ++++- .../KeyManagement/KeyTests.cs | 64 +++++++++++++ .../KeyManagement/XmlKeyManagerTests.cs | 31 ++---- 18 files changed, 526 insertions(+), 148 deletions(-) create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs create mode 100644 src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs 
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs index 5ad6d238f8..9ab241650c 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs @@ -15,7 +15,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private readonly CancellationToken _expirationToken; internal CacheableKeyRing(CancellationToken expirationToken, DateTimeOffset expirationTime, IKey defaultKey, IEnumerable allKeys) - : this(expirationToken, expirationTime, keyRing: new KeyRing(defaultKey.KeyId, allKeys)) + : this(expirationToken, expirationTime, keyRing: new KeyRing(defaultKey, allKeys)) { } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs index 42cc7c2741..f714319fe4 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs @@ -10,6 +10,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// /// The default key, may be null if no key is a good default candidate. /// + /// + /// If this property is non-null, its method will succeed + /// so is appropriate for use with deferred keys. + /// public IKey DefaultKey; /// @@ -17,6 +21,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// honor the property. This property may /// be null if there is no viable fallback key. /// + /// + /// If this property is non-null, its method will succeed + /// so is appropriate for use with deferred keys. + /// public IKey FallbackKey; /// diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs index 795751fa50..6698105d41 100644 
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -4,6 +4,8 @@ using System; using System.Collections.Generic; using System.Linq; +using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.Framework.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement @@ -43,11 +45,21 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement _logger = services.GetLogger(); } - public DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable allKeys) + private bool CanCreateAuthenticatedEncryptor(IKey key) { - DefaultKeyResolution retVal = default(DefaultKeyResolution); - retVal.DefaultKey = FindDefaultKey(now, allKeys, out retVal.FallbackKey, out retVal.ShouldGenerateNewKey); - return retVal; + try + { + var encryptorInstance = key.CreateEncryptorInstance() ?? CryptoUtil.Fail("CreateEncryptorInstance returned null."); + return true; + } + catch (Exception ex) + { + if (_logger.IsWarningLevelEnabled()) + { + _logger.LogWarningF(ex, $"Key {key.KeyId:B} is ineligible to be the default key because its {nameof(IKey.CreateEncryptorInstance)} method failed."); + } + return false; + } } private IKey FindDefaultKey(DateTimeOffset now, IEnumerable allKeys, out IKey fallbackKey, out bool callerShouldGenerateNewKey) 
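Review bot: `CanCreateAuthenticatedEncryptor` catches every `Exception` and reports it only at warning level, so a key ring that cannot be deciphered at all looks the same in the log as one ineligible key. Judging by the later hunks of this file, when no key passes this check the resolver ends at `callerShouldGenerateNewKey = true`, so an environment problem (presumably something like a missing certificate or unavailable DPAPI profile) would surface as a routine key rollover. I would document that on the method, e.g. `// Any failure here, including a transient one, removes the key from default-key selection.`, and consider error level when the key is neither revoked nor expired. The local `encryptorInstance` is assigned but never read.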
@@ -66,11 +78,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } // if the key has been revoked or is expired, it is no longer a candidate - if (preferredDefaultKey.IsExpired(now) || preferredDefaultKey.IsRevoked) + if (preferredDefaultKey.IsRevoked || preferredDefaultKey.IsExpired(now) || !CanCreateAuthenticatedEncryptor(preferredDefaultKey)) { if (_logger.IsVerboseLevelEnabled()) { - _logger.LogVerboseF($"Key {preferredDefaultKey.KeyId:B} is no longer under consideration as default key because it is expired or revoked."); + _logger.LogVerboseF($"Key {preferredDefaultKey.KeyId:B} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered."); } preferredDefaultKey = null; } @@ -112,7 +124,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement select key).Concat(from key in allKeys orderby key.CreationDate ascending select key) - where !key.IsRevoked + where !key.IsRevoked && CanCreateAuthenticatedEncryptor(key) select key).FirstOrDefault(); if (_logger.IsVerboseLevelEnabled()) @@ -123,5 +135,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement callerShouldGenerateNewKey = true; return null; } + + public DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable allKeys) + { + DefaultKeyResolution retVal = default(DefaultKeyResolution); + retVal.DefaultKey = FindDefaultKey(now, allKeys, out retVal.FallbackKey, out retVal.ShouldGenerateNewKey); + return retVal; + } } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs new file mode 100644 index 0000000000..d75c7d84eb --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs 
@@ -0,0 +1,41 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.XmlEncryption; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + /// + /// The basic implementation of , where the incoming XML element + /// hasn't yet been fully processed. + /// + internal sealed class DeferredKey : KeyBase + { + public DeferredKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IInternalXmlKeyManager keyManager, XElement keyElement) + : base(keyId, creationDate, activationDate, expirationDate, new Lazy(GetLazyEncryptorDelegate(keyManager, keyElement))) + { + } + + private static Func GetLazyEncryptorDelegate(IInternalXmlKeyManager keyManager, XElement keyElement) + { + // The element will be held around in memory for a potentially lengthy period + // of time. Since it might contain sensitive information, we should protect it. + var encryptedKeyElement = keyElement.ToSecret(); + + try + { + return () => keyManager.DeserializeDescriptorFromKeyElement(encryptedKeyElement.ToXElement()).CreateEncryptorInstance(); + } + finally + { + // It's important that the lambda above doesn't capture 'descriptorElement'. Clearing the reference here + // helps us detect if we've done this by causing a null ref at runtime. + keyElement = null; + } + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs index 7c2cd20685..1170c14ceb 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs 
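Review bot: The value returned by `keyElement.ToSecret()` in `GetLazyEncryptorDelegate` is captured by the lambda and never disposed, so the protected copy of the key XML stays alive until the closure is collected instead of being cleared once the encryptor exists. Elsewhere in this series a `Secret` is held in a `using` block (`using (Secret secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(protectedSecret))`), which suggests it should be released deterministically; I am assuming `ToSecret()` returns that type. The lambda could dispose it after `CreateEncryptorInstance()` has run, and the plaintext `XElement` from `ToXElement()` deserves a comment saying it is meant to be short-lived. The comment in the `finally` block names `descriptorElement`, but the variable being cleared is `keyElement`.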
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs @@ -2,6 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; namespace Microsoft.AspNet.DataProtection.KeyManagement { @@ -9,6 +11,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement internal interface IInternalXmlKeyManager { IKey CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate); + + IAuthenticatedEncryptorDescriptor DeserializeDescriptorFromKeyElement(XElement keyElement); + void RevokeSingleKey(Guid keyId, DateTimeOffset revocationDate, string reason); } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs index d436b18498..5d8c41e25d 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs 
@@ -8,40 +8,14 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel namespace Microsoft.AspNet.DataProtection.KeyManagement { /// - /// The basic implementation of . + /// The basic implementation of , where the + /// has already been created. /// - internal sealed class Key : IKey + internal sealed class Key : KeyBase { - private readonly IAuthenticatedEncryptorDescriptor _descriptor; - public Key(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IAuthenticatedEncryptorDescriptor descriptor) + : base(keyId, creationDate, activationDate, expirationDate, new Lazy(descriptor.CreateEncryptorInstance)) { - KeyId = keyId; - CreationDate = creationDate; - ActivationDate = activationDate; - ExpirationDate = expirationDate; - - _descriptor = descriptor; - } - - public DateTimeOffset ActivationDate { get; } - - public DateTimeOffset CreationDate { get; } - - public DateTimeOffset ExpirationDate { get; } - - public bool IsRevoked { get; private set; } - - public Guid KeyId { get; } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return _descriptor.CreateEncryptorInstance(); - } - - internal void SetRevoked() - { - IsRevoked = true; } } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs new file mode 100644 index 0000000000..aab41a279c --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs 
@@ -0,0 +1,45 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + /// + /// The basic implementation of . + /// + internal abstract class KeyBase : IKey + { + private readonly Lazy _lazyEncryptor; + + public KeyBase(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, Lazy lazyEncryptor) + { + KeyId = keyId; + CreationDate = creationDate; + ActivationDate = activationDate; + ExpirationDate = expirationDate; + _lazyEncryptor = lazyEncryptor; + } + + public DateTimeOffset ActivationDate { get; } + + public DateTimeOffset CreationDate { get; } + + public DateTimeOffset ExpirationDate { get; } + + public bool IsRevoked { get; private set; } + + public Guid KeyId { get; } + + public IAuthenticatedEncryptor CreateEncryptorInstance() + { + return _lazyEncryptor.Value; + } + + internal void SetRevoked() + { + IsRevoked = true; + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs index 38d8b20099..9aacfb9ed6 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs 
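Review bot: `CreateEncryptorInstance` now returns `_lazyEncryptor.Value`, and both subclasses in this commit build the `Lazy` with the single-argument constructor, whose default thread-safety mode caches an exception thrown by the factory and rethrows it on every later access. A one-off failure while deciphering a key therefore leaves that key object unusable until the key ring is rebuilt. If that is intended, a remark on `KeyBase` should say so; otherwise `LazyThreadSafetyMode.PublicationOnly` would let a later call retry. The method also hands every caller the same encryptor instance where `Key` previously asked the descriptor for a new one per call, which is worth a line in the doc comment.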
@@ -16,16 +16,24 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private readonly KeyHolder _defaultKeyHolder; private readonly Dictionary _keyIdToKeyHolderMap; - public KeyRing(Guid defaultKeyId, IEnumerable keys) + public KeyRing(IKey defaultKey, IEnumerable allKeys) { _keyIdToKeyHolderMap = new Dictionary(); - foreach (IKey key in keys) + foreach (IKey key in allKeys) { _keyIdToKeyHolderMap.Add(key.KeyId, new KeyHolder(key)); } - DefaultKeyId = defaultKeyId; - _defaultKeyHolder = _keyIdToKeyHolderMap[defaultKeyId]; + // It's possible under some circumstances that the default key won't be part of 'allKeys', + // such as if the key manager is forced to use the key it just generated even if such key + // wasn't in the underlying repository. In this case, we just add it now. + if (!_keyIdToKeyHolderMap.ContainsKey(defaultKey.KeyId)) + { + _keyIdToKeyHolderMap.Add(defaultKey.KeyId, new KeyHolder(defaultKey)); + } + + DefaultKeyId = defaultKey.KeyId; + _defaultKeyHolder = _keyIdToKeyHolderMap[DefaultKeyId]; } public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index 9f12454e40..f5ffaadb53 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs @@ -31,7 +31,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement ?? new DefaultKeyResolver(_keyManagementOptions.KeyPropagationWindow, _keyManagementOptions.MaxServerClockSkew, services); } - private CacheableKeyRing CreateCacheableKeyRingCore(DateTimeOffset now, bool allowRecursiveCalls = false) + private CacheableKeyRing CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded) { // Refresh the list of all keys var cacheExpirationToken = _keyManager.GetCacheExpirationToken(); 
@@ -50,21 +50,18 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement _logger.LogVerbose("Policy resolution states that a new key should be added to the key ring."); } - // At this point, we know we need to generate a new key. - - // This should only occur if a call to CreateNewKey immediately followed by a call to - // GetAllKeys returned 'you need to add a key to the key ring'. This should never happen - // in practice unless there's corruption in the backing store. Regardless, we can't recurse - // forever, so we have to bail now. - if (!allowRecursiveCalls) + // We shouldn't call CreateKey more than once, else we risk stack diving. This code path shouldn't + // get hit unless there was an ineligible key with an activation date slightly later than the one we + // just added. If this does happen, then we'll just use whatever key we can instead of creating + // new keys endlessly, eventually falling back to the one we just added if all else fails. + if (keyJustAdded != null) { - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogError("Policy resolution states that a new key should be added to the key ring, even after a call to CreateNewKey."); - } - throw CryptoUtil.Fail("Policy resolution states that a new key should be added to the key ring, even after a call to CreateNewKey."); + var keyToUse = defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey ?? keyJustAdded; + return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys); } + // At this point, we know we need to generate a new key. + // We have been asked to generate a new key, but auto-generation of keys has been disabled. // We need to use the fallback key or fail. if (!_keyManagementOptions.AutoGenerateKeys) 
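Review bot: The `keyJustAdded != null` branch returns `defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey ?? keyJustAdded` without writing anything to the log, whereas the code it replaces logged an error and failed. This path is reached only when the resolver still asks for a new key right after one was created, so an operator gets no signal that the provider settled for a fallback key or for a key that policy did not select. I would keep a warning here, e.g. `_logger.LogWarningF($"Policy resolution still requests a new key after CreateNewKey; using key {keyToUse.KeyId:B}.");` behind an `IsWarningLevelEnabled()` check. The method body starts and ends outside the hunk.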
@@ -92,16 +89,16 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { // The case where there's no default key is the easiest scenario, since it // means that we need to create a new key with immediate activation. - _keyManager.CreateNewKey(activationDate: now, expirationDate: now + _keyManagementOptions.NewKeyLifetime); - return CreateCacheableKeyRingCore(now); // recursively call + var newKey = _keyManager.CreateNewKey(activationDate: now, expirationDate: now + _keyManagementOptions.NewKeyLifetime); + return CreateCacheableKeyRingCore(now, keyJustAdded: newKey); // recursively call } else { // If there is a default key, then the new key we generate should become active upon // expiration of the default key. The new key lifetime is measured from the creation // date (now), not the activation date. - _keyManager.CreateNewKey(activationDate: defaultKeyPolicy.DefaultKey.ExpirationDate, expirationDate: now + _keyManagementOptions.NewKeyLifetime); - return CreateCacheableKeyRingCore(now); // recursively call + var newKey = _keyManager.CreateNewKey(activationDate: defaultKeyPolicy.DefaultKey.ExpirationDate, expirationDate: now + _keyManagementOptions.NewKeyLifetime); + return CreateCacheableKeyRingCore(now, keyJustAdded: newKey); // recursively call } } @@ -109,6 +106,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { Debug.Assert(defaultKey != null); + // Invariant: our caller ensures that CreateEncryptorInstance succeeded at least once + Debug.Assert(defaultKey.CreateEncryptorInstance() != null); + if (_logger.IsVerboseLevelEnabled()) { _logger.LogVerboseF($"Using key {defaultKey.KeyId:B} as the default key."); @@ -186,7 +186,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement CacheableKeyRing ICacheableKeyRingProvider.GetCacheableKeyRing(DateTimeOffset now) { // the entry point allows one recursive call - return CreateCacheableKeyRingCore(now, allowRecursiveCalls: true); + return CreateCacheableKeyRingCore(now, keyJustAdded: null); } } } 
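Review bot: The recursion guard now depends on `newKey` being non-null, but neither `CreateNewKey` call checks its result before passing it on as `keyJustAdded`. If an `IKeyManager` implementation returns null (the mock in KeyRingProviderTests.cs did exactly that before this commit), the recursive call is indistinguishable from a first call, and as long as the resolver keeps asking for a new key the method creates keys and recurses without bound. Both branches should fail fast: `if (newKey == null) { throw CryptoUtil.Fail("CreateNewKey returned null."); }`. The enclosing method begins outside this hunk.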
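Review bot: `Debug.Assert(defaultKey.CreateEncryptorInstance() != null)` in the `-109,6 +106,9` hunk is compiled out of release builds, so the invariant it states is unchecked in production. That matters for the `keyJustAdded` fallback introduced in the `-50,21 +50,18` hunk: that key comes straight from `CreateNewKey`, and nothing visible here shows its encryptor was ever instantiated before the key is cached as the default. If the invariant must hold, make it a runtime check, `if (defaultKey.CreateEncryptorInstance() == null) { throw CryptoUtil.Fail("CreateEncryptorInstance returned null."); }`, which also keeps a call that does real work out of an assertion. The method starts and continues outside the hunk.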
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index baabe020ae..2465348513 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs @@ -122,7 +122,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var allElements = KeyRepository.GetAllElements(); // We aggregate all the information we read into three buckets - Dictionary keyIdToKeyMap = new Dictionary(); + Dictionary keyIdToKeyMap = new Dictionary(); HashSet revokedKeyIds = null; DateTimeOffset? mostRecentMassRevocationDate = null; @@ -132,7 +132,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { // ProcessKeyElement can return null in the case of failure, and if this happens we'll move on. // Still need to throw if we see duplicate keys with the same id. - Key key = ProcessKeyElement(element); + KeyBase key = ProcessKeyElement(element); if (key != null) { if (keyIdToKeyMap.ContainsKey(key.KeyId)) @@ -179,7 +179,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { foreach (Guid revokedKeyId in revokedKeyIds) { - Key key; + KeyBase key; keyIdToKeyMap.TryGetValue(revokedKeyId, out key); if (key != null) { 
@@ -224,60 +224,36 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement return Interlocked.CompareExchange(ref _cacheExpirationTokenSource, null, null).Token; } - private Key ProcessKeyElement(XElement keyElement) + private KeyBase ProcessKeyElement(XElement keyElement) { Debug.Assert(keyElement.Name == KeyElementName); try { - // Read metadata + // Read metadata and prepare the key for deferred instantiation Guid keyId = (Guid)keyElement.Attribute(IdAttributeName); DateTimeOffset creationDate = (DateTimeOffset)keyElement.Element(CreationDateElementName); DateTimeOffset activationDate = (DateTimeOffset)keyElement.Element(ActivationDateElementName); DateTimeOffset expirationDate = (DateTimeOffset)keyElement.Element(ExpirationDateElementName); - // Figure out who will be deserializing this - XElement descriptorElement = keyElement.Element(DescriptorElementName); - string descriptorDeserializerTypeName = (string)descriptorElement.Attribute(DeserializerTypeAttributeName); - - // Decrypt the descriptor element and pass it to the descriptor for consumption - XElement unencryptedInputToDeserializer = descriptorElement.Elements().Single().DecryptElement(_activator); - var deserializerInstance = _activator.CreateInstance(descriptorDeserializerTypeName); - var descriptorInstance = deserializerInstance.ImportFromXml(unencryptedInputToDeserializer); - - // Finally, create the Key instance if (_logger.IsVerboseLevelEnabled()) { _logger.LogVerboseF($"Found key {keyId:B}."); } - return new Key( + + return new DeferredKey( keyId: keyId, creationDate: creationDate, activationDate: activationDate, expirationDate: expirationDate, - descriptor: descriptorInstance); + keyManager: _internalKeyManager, + keyElement: keyElement); } catch (Exception ex) { - // We only write the exception out to the 'debug' log since it could contain sensitive - // information and we don't want to leak it. 
- if (_logger.IsDebugLevelEnabled()) - { - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarningF($"An exception of type '{ex.GetType().FullName}' occurred while processing the key element '{keyElement.WithoutChildNodes()}', so the key will not be included in the keyring. Full details of the exception will be written to the 'Debug' log."); - } - _logger.LogDebugF(ex, $"An exception occurred while processing the key element '{keyElement}'."); - } - else - { - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarningF($"An exception of type '{ex.GetType().FullName}' occurred while processing the key element '{keyElement.WithoutChildNodes()}', so the key will not be included in the keyring. To prevent accidental disclosure of sensitive information the full exception details are not being logged. To enable logging full exception details, enable 'Debug' level logging for this provider."); - } - } + WriteKeyDeserializationErrorToLog(ex, keyElement); - // If an error occurs, we just skip this key. + // Don't include this key in the key ring return null; } } 
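Review bot: `ProcessKeyElement` no longer establishes that a key can be deciphered, and nothing in the method says so: the `try` block now covers only the id and date parsing, while descriptor decryption is deferred to `DeferredKey`. The caller's existing comment ("ProcessKeyElement can return null in the case of failure") still reads as if a non-null result were a usable key. I would add above the method: `// Returns null only when the key metadata is malformed. A non-null result may still fail in CreateEncryptorInstance, because the descriptor is decrypted on first use.`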
@@ -369,6 +345,26 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Interlocked.Exchange(ref _cacheExpirationTokenSource, new CancellationTokenSource())?.Cancel(); } + private void WriteKeyDeserializationErrorToLog(Exception error, XElement keyElement) + { + // Ideally we'd suppress the error since it might contain sensitive information, but it would be too difficult for + // an administrator to diagnose the issue if we hide this information. Instead we'll log the error to the error + // log and the raw element to the debug log. This works for our out-of-box XML decryptors since they don't + // include sensitive information in the exception message. + + if (_logger.IsErrorLevelEnabled()) + { + // write sanitized element + _logger.LogErrorF(error, $"An exception occurred while processing the key element '{keyElement.WithoutChildNodes()}'."); + } + + if (_logger.IsDebugLevelEnabled()) + { + // write full element + _logger.LogDebugF(error, $"An exception occurred while processing the key element '{keyElement}'."); + } + } + IKey IInternalXmlKeyManager.CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate) { // 
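Review bot: `WriteKeyDeserializationErrorToLog` passes the full exception to `LogErrorF`, so the message and stack of whatever a decryptor or deserializer throws now reach the Error log; the code it replaces wrote only the exception type name outside the Debug log. The comment concedes this is safe only for the built-in XML decryptors, and a custom decryptor or descriptor deserializer could put sensitive data in its exception message. The XmlKeyManagerTests.cs hunks `-513,26 +512,18` and `-545,26 +536,18` also drop the `9Z8Y7X6W` assertions, so no test pins what is logged when the exception text itself is sensitive. I would log only the type name at Error level, `An exception of type '{error.GetType().FullName}' occurred while processing the key element '{keyElement.WithoutChildNodes()}'.`, and leave the exception object to the Debug call. The comment should also state that the Debug branch writes the whole `keyElement`, which the tests show includes the secret `1A2B3C4D`, so Debug logging for this provider is a diagnostic setting and not a production one.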
@@ -440,6 +436,28 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement descriptor: newDescriptor); } + IAuthenticatedEncryptorDescriptor IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement) + { + try + { + // Figure out who will be deserializing this + XElement descriptorElement = keyElement.Element(DescriptorElementName); + string descriptorDeserializerTypeName = (string)descriptorElement.Attribute(DeserializerTypeAttributeName); + + // Decrypt the descriptor element and pass it to the descriptor for consumption + XElement unencryptedInputToDeserializer = descriptorElement.Elements().Single().DecryptElement(_activator); + var deserializerInstance = _activator.CreateInstance(descriptorDeserializerTypeName); + var descriptorInstance = deserializerInstance.ImportFromXml(unencryptedInputToDeserializer); + + return descriptorInstance ?? CryptoUtil.Fail("ImportFromXml returned null."); + } + catch (Exception ex) + { + WriteKeyDeserializationErrorToLog(ex, keyElement); + throw; + } + } + void IInternalXmlKeyManager.RevokeSingleKey(Guid keyId, DateTimeOffset revocationDate, string reason) { // diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index e97bc112e9..941a0bea66 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs @@ -123,8 +123,8 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } /// - /// Converts an to a so that it can be run through - /// the DPAPI routines. + /// Converts an to a so that it can be kept in memory + /// securely or run through the DPAPI routines. /// public static Secret ToSecret(this XElement element) { 
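Review bot: In `DeserializeDescriptorFromKeyElement` the deserializer type name is read from the key XML (`DeserializerTypeAttributeName`) and handed to `_activator.CreateInstance`, so whoever can write to the key repository chooses which type is instantiated. Whether the activator restricts the set of loadable types is not visible in this hunk. At minimum the trust assumption should be written next to the call: `// The deserializer type name comes from the repository; the repository must be writable only by trusted principals.` A key element without a descriptor child also fails here with a NullReferenceException from `descriptorElement.Attribute(...)`, where an explicit `CryptoUtil.Fail` with a descriptive message would make the logged error useful.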
@@ -163,7 +163,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } /// - /// Converts a provided by the DPAPI routines back into an . + /// Converts a back into an . /// public static XElement ToXElement(this Secret secret) { diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs index 9f755c2816..1dd54cac67 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs @@ -4,6 +4,7 @@ using System; using System.Collections.Generic; using System.Globalization; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Moq; using Xunit; @@ -105,7 +106,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } [Fact] - public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_ReturnsNull() + public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_BecauseOfRevocation_ReturnsNull() { // Arrange var resolver = CreateDefaultKeyResolver(); @@ -120,6 +121,22 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Assert.True(resolution.ShouldGenerateNewKey); } + [Fact] + public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_BecauseOfFailureToDecipher_ReturnsNull() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", createEncryptorInstanceThrows: true); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1, key2); + + // Assert + Assert.Null(resolution.DefaultKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + [Fact] public void ResolveDefaultKeyPolicy_FutureKeyIsValidAndWithinClockSkew_ReturnsFutureKey() { 
@@ -168,7 +185,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } [Fact] - public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow() + public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow_IgnoresRevokedKeys() { // Arrange var resolver = CreateDefaultKeyResolver(); @@ -185,6 +202,24 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Assert.True(resolution.ShouldGenerateNewKey); } + [Fact] + public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow_IgnoresFailures() + { + // Arrange + var resolver = CreateDefaultKeyResolver(); + var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z"); + var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z"); + var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", createEncryptorInstanceThrows: true); + var key4 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z"); + + // Act + var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3, key4); + + // Assert + Assert.Same(key2, resolution.FallbackKey); + Assert.True(resolution.ShouldGenerateNewKey); + } + [Fact] public void ResolveDefaultKeyPolicy_FallbackKey_NoNonRevokedKeysBeforePriorPropagationWindow_SelectsEarliestNonRevokedKey() { @@ -210,7 +245,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement services: null); } - private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false) + private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false, bool createEncryptorInstanceThrows = false) { var mockKey = new Mock(); mockKey.Setup(o => o.KeyId).Returns(Guid.NewGuid()); 
@@ -218,6 +253,14 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); + if (createEncryptorInstanceThrows) + { + mockKey.Setup(o => o.CreateEncryptorInstance()).Throws(new Exception("This method fails.")); + } + else + { + mockKey.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); + } return mockKey.Object; } } diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs new file mode 100644 index 0000000000..a28aef0dd8 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs 
@@ -0,0 +1,95 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.Testing; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class DeferredKeyTests + { + [Fact] + public void Ctor_Properties() + { + // Arrange + var keyId = Guid.NewGuid(); + var creationDate = DateTimeOffset.Now; + var activationDate = creationDate.AddDays(2); + var expirationDate = creationDate.AddDays(90); + + // Act + var key = new DeferredKey(keyId, creationDate, activationDate, expirationDate, new Mock().Object, XElement.Parse(@"")); + + // Assert + Assert.Equal(keyId, key.KeyId); + Assert.Equal(creationDate, key.CreationDate); + Assert.Equal(activationDate, key.ActivationDate); + Assert.Equal(expirationDate, key.ExpirationDate); + } + + [Fact] + public void SetRevoked_Respected() + { + // Arrange + var now = DateTimeOffset.UtcNow; + var key = new DeferredKey(Guid.Empty, now, now, now, new Mock().Object, XElement.Parse(@"")); + + // Act & assert + Assert.False(key.IsRevoked); + key.SetRevoked(); + Assert.True(key.IsRevoked); + } + + [Fact] + public void CreateEncryptorInstance_Success() + { + // Arrange + var expectedEncryptor = new Mock().Object; + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expectedEncryptor); + var mockKeyManager = new Mock(); + mockKeyManager.Setup(o => o.DeserializeDescriptorFromKeyElement(It.IsAny())) + .Returns(element => + { + XmlAssert.Equal(@"", element); + return mockDescriptor.Object; + }); + + var now = DateTimeOffset.UtcNow; + var key = new DeferredKey(Guid.Empty, now, now, now, mockKeyManager.Object, 
XElement.Parse(@"")); + + // Act + var actual = key.CreateEncryptorInstance(); + + // Assert + Assert.Same(expectedEncryptor, actual); + } + + [Fact] + public void CreateEncryptorInstance_CachesFailures() + { + // Arrange + int numTimesCalled = 0; + var mockKeyManager = new Mock(); + mockKeyManager.Setup(o => o.DeserializeDescriptorFromKeyElement(It.IsAny())) + .Returns(element => + { + numTimesCalled++; + throw new Exception("How exceptional."); + }); + + var now = DateTimeOffset.UtcNow; + var key = new DeferredKey(Guid.Empty, now, now, now, mockKeyManager.Object, XElement.Parse(@"")); + + // Act & assert + ExceptionAssert.Throws(() => key.CreateEncryptorInstance(), "How exceptional."); + ExceptionAssert.Throws(() => key.CreateEncryptorInstance(), "How exceptional."); + Assert.Equal(1, numTimesCalled); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs index 6bd46fc6c6..8f934fe96b 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs @@ -203,7 +203,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // the keyring has only one key Key key = new Key(Guid.Empty, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(Guid.Empty, new[] { key }); + var keyRing = new KeyRing(key, new[] { key }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); 
@@ -233,7 +233,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // the keyring has only one key Key key = new Key(keyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); key.SetRevoked(); - var keyRing = new KeyRing(keyId, new[] { key }); + var keyRing = new KeyRing(key, new[] { key }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); @@ -272,7 +272,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); defaultKey.SetRevoked(); - var keyRing = new KeyRing(defaultKeyId, new[] { defaultKey }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); @@ -318,7 +318,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object); Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(defaultKeyId, new[] { defaultKey }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); 
@@ -368,7 +368,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new Mock().Object); Key embeddedKey = new Key(embeddedKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(defaultKeyId, new[] { defaultKey, embeddedKey }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey, embeddedKey }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); @@ -399,7 +399,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange byte[] plaintext = new byte[] { 0x10, 0x20, 0x30, 0x40, 0x50 }; Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration(new AuthenticatedEncryptionOptions()).CreateNewDescriptor()); - var keyRing = new KeyRing(key.KeyId, new[] { key }); + var keyRing = new KeyRing(key, new[] { key }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index ee896e917f..747dee772b 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -6,10 +6,13 @@ using System.Collections.Generic; using System.Globalization; using System.Threading; using System.Threading.Tasks; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.Framework.DependencyInjection; using Moq; using Xunit; +using static System.FormattableString; + namespace Microsoft.AspNet.DataProtection.KeyManagement { public class KeyRingProviderTests 
@@ -110,7 +113,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement getCacheExpirationTokenReturnValues: new[] { expirationCts1.Token, expirationCts2.Token }, getAllKeysReturnValues: new[] { allKeys1, allKeys2 }, createNewKeyCallbacks: new[] { - Tuple.Create((DateTimeOffset)now, (DateTimeOffset)now + TimeSpan.FromDays(90)) + Tuple.Create((DateTimeOffset)now, (DateTimeOffset)now + TimeSpan.FromDays(90), CreateKey()) }, resolveDefaultKeyPolicyReturnValues: new[] { 
@@ -140,6 +143,54 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy", "CreateNewKey", "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); } + [Fact] + public void CreateCacheableKeyRing_GenerationRequired_NoDefaultKey_CreatesNewKeyWithImmediateActivation_StillNoDefaultKey_ReturnsNewlyCreatedKey() + { + // Arrange + var callSequence = new List(); + var expirationCts1 = new CancellationTokenSource(); + var expirationCts2 = new CancellationTokenSource(); + + var now = StringToDateTime("2015-03-01 00:00:00Z"); + var allKeys = new IKey[0]; + + var newlyCreatedKey = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); + + var keyRingProvider = SetupCreateCacheableKeyRingTestAndCreateKeyManager( + callSequence: callSequence, + getCacheExpirationTokenReturnValues: new[] { expirationCts1.Token, expirationCts2.Token }, + getAllKeysReturnValues: new[] { allKeys, allKeys }, + createNewKeyCallbacks: new[] { + Tuple.Create((DateTimeOffset)now, (DateTimeOffset)now + TimeSpan.FromDays(90), newlyCreatedKey) + }, + resolveDefaultKeyPolicyReturnValues: new[] + { + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys, new DefaultKeyResolution() + { + DefaultKey = null, + ShouldGenerateNewKey = true + }), + Tuple.Create((DateTimeOffset)now, (IEnumerable)allKeys, new DefaultKeyResolution() + { + DefaultKey = null, + ShouldGenerateNewKey = true + }) + }); + + // Act + var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); + + // Assert + Assert.Equal(newlyCreatedKey.KeyId, cacheableKeyRing.KeyRing.DefaultKeyId); + AssertWithinJitterRange(cacheableKeyRing.ExpirationTimeUtc, now); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts1.Cancel(); + Assert.True(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + expirationCts2.Cancel(); + Assert.False(CacheableKeyRing.IsValid(cacheableKeyRing, now)); + Assert.Equal(new[] { 
"GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy", "CreateNewKey", "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); + } + [Fact] public void CreateCacheableKeyRing_GenerationRequired_NoDefaultKey_KeyGenerationDisabled_Fails() { @@ -154,7 +205,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement getCacheExpirationTokenReturnValues: new[] { CancellationToken.None }, getAllKeysReturnValues: new[] { allKeys }, createNewKeyCallbacks: new[] { - Tuple.Create((DateTimeOffset)now, (DateTimeOffset)now + TimeSpan.FromDays(90)) + Tuple.Create((DateTimeOffset)now, (DateTimeOffset)now + TimeSpan.FromDays(90), CreateKey()) }, resolveDefaultKeyPolicyReturnValues: new[] { @@ -194,7 +245,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement getCacheExpirationTokenReturnValues: new[] { expirationCts1.Token, expirationCts2.Token }, getAllKeysReturnValues: new[] { allKeys1, allKeys2 }, createNewKeyCallbacks: new[] { - Tuple.Create(key1.ExpirationDate, (DateTimeOffset)now + TimeSpan.FromDays(90)) + Tuple.Create(key1.ExpirationDate, (DateTimeOffset)now + TimeSpan.FromDays(90), CreateKey()) }, resolveDefaultKeyPolicyReturnValues: new[] { @@ -304,7 +355,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement IList callSequence, IEnumerable getCacheExpirationTokenReturnValues, IEnumerable> getAllKeysReturnValues, - IEnumerable> createNewKeyCallbacks, + IEnumerable> createNewKeyCallbacks, IEnumerable, DefaultKeyResolution>> resolveDefaultKeyPolicyReturnValues, KeyManagementOptions keyManagementOptions = null) { 
@@ -337,21 +388,21 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement createNewKeyCallbacksEnumerator.MoveNext(); Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item1, activationDate); Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item2, expirationDate); - return null; // nobody uses this return value - }); + return createNewKeyCallbacksEnumerator.Current.Item3; + }); } var resolveDefaultKeyPolicyReturnValuesEnumerator = resolveDefaultKeyPolicyReturnValues.GetEnumerator(); var mockDefaultKeyResolver = new Mock(MockBehavior.Strict); mockDefaultKeyResolver.Setup(o => o.ResolveDefaultKeyPolicy(It.IsAny(), It.IsAny>())) - .Returns>((now, allKeys) => - { - callSequence.Add("ResolveDefaultKeyPolicy"); - resolveDefaultKeyPolicyReturnValuesEnumerator.MoveNext(); - Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item1, now); - Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item2, allKeys); - return resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item3; - }); + .Returns>((now, allKeys) => + { + callSequence.Add("ResolveDefaultKeyPolicy"); + resolveDefaultKeyPolicyReturnValuesEnumerator.MoveNext(); + Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item1, now); + Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item2, allKeys); + return resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item3; + }); return CreateKeyRingProvider(mockKeyManager.Object, mockDefaultKeyResolver.Object, keyManagementOptions); } @@ -495,6 +546,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement return DateTimeOffset.ParseExact(input, "u", CultureInfo.InvariantCulture).UtcDateTime; } + private static IKey CreateKey() + { + var now = DateTimeOffset.Now; + return CreateKey(Invariant($"{now:u}"), Invariant($"{now.AddDays(90):u}")); + } + private static IKey CreateKey(string activationDate, string expirationDate, bool isRevoked = false) { var mockKey = new Mock(); 
@@ -502,6 +559,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); + mockKey.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); return mockKey.Object; } } diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs index aa192fc4d6..904a8afe86 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs @@ -20,7 +20,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var key2 = new MyKey(); // Act - var keyRing = new KeyRing(key1.KeyId, new[] { key1, key2 }); + var keyRing = new KeyRing(key1, new[] { key1, key2 }); // Assert Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); 
@@ -38,12 +38,29 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var key2 = new MyKey(); // Act - var keyRing = new KeyRing(key2.KeyId, new[] { key1, key2 }); + var keyRing = new KeyRing(key2, new[] { key1, key2 }); // Assert Assert.Equal(key2.KeyId, keyRing.DefaultKeyId); } + [Fact] + public void DefaultKeyIdAndEncryptor_IfDefaultKeyNotPresentInAllKeys() + { + // Arrange + var key1 = new MyKey(); + var key2 = new MyKey(); + var key3 = new MyKey(expectedEncryptorInstance: new Mock().Object); + + // Act + var keyRing = new KeyRing(key3, new[] { key1, key2 }); + + // Assert + bool unused; + Assert.Equal(key3.KeyId, keyRing.DefaultKeyId); + Assert.Equal(key3.CreateEncryptorInstance(), keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out unused)); + } + [Fact] public void GetAuthenticatedEncryptorByKeyId_DefersInstantiation_AndReturnsRevocationInfo() { @@ -55,7 +72,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var key2 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance2); // Act - var keyRing = new KeyRing(key2.KeyId, new[] { key1, key2 }); + var keyRing = new KeyRing(key2, new[] { key1, key2 }); // Assert bool isRevoked; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs new file mode 100644 index 0000000000..88c9795eb9 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs 
@@ -0,0 +1,64 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection.KeyManagement +{ + public class KeyTests + { + [Fact] + public void Ctor_Properties() + { + // Arrange + var keyId = Guid.NewGuid(); + var creationDate = DateTimeOffset.Now; + var activationDate = creationDate.AddDays(2); + var expirationDate = creationDate.AddDays(90); + + // Act + var key = new Key(keyId, creationDate, activationDate, expirationDate, new Mock().Object); + + // Assert + Assert.Equal(keyId, key.KeyId); + Assert.Equal(creationDate, key.CreationDate); + Assert.Equal(activationDate, key.ActivationDate); + Assert.Equal(expirationDate, key.ExpirationDate); + } + + [Fact] + public void SetRevoked_Respected() + { + // Arrange + var now = DateTimeOffset.UtcNow; + var key = new Key(Guid.Empty, now, now, now, new Mock().Object); + + // Act & assert + Assert.False(key.IsRevoked); + key.SetRevoked(); + Assert.True(key.IsRevoked); + } + + [Fact] + public void CreateEncryptorInstance() + { + // Arrange + var expected = new Mock().Object; + var mockDescriptor = new Mock(); + mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expected); + + var now = DateTimeOffset.UtcNow; + var key = new Key(Guid.Empty, now, now, now, mockDescriptor.Object); + + // Act + var actual = key.CreateEncryptorInstance(); + + // Assert + Assert.Same(expected, actual); + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index 388b5bc67e..1fa9079564 100644 
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs @@ -473,7 +473,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement 2015-01-01T00:00:00Z 2015-02-01T00:00:00Z - 2015-03-01T00:00:00Z + NOT A VALID DATE @@ -492,7 +492,6 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var expectedEncryptor = new Mock().Object; var mockActivator = new Mock(); mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("goodDeserializer", "", expectedEncryptor); - mockActivator.Setup(o => o.CreateInstance(It.IsAny(), "badDeserializer")).Throws(new Exception("How exceptional!")); // Act var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); @@ -513,26 +512,18 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement 2015-01-01T00:00:00Z 2015-02-01T00:00:00Z - 2015-03-01T00:00:00Z - - - - - + NOT A VALID DATE + "; - var mockActivator = new Mock(); - mockActivator.Setup(o => o.CreateInstance(It.IsAny(), "badDeserializer")).Throws(new Exception("Secret information: 9Z8Y7X6W")); - var loggerFactory = new StringLoggerFactory(LogLevel.Verbose); // Act - RunGetAllKeysCore(xml, mockActivator.Object, loggerFactory).ToArray(); + RunGetAllKeysCore(xml, new Mock().Object, loggerFactory).ToArray(); // Assert Assert.False(loggerFactory.ToString().Contains("1A2B3C4D"), "The secret '1A2B3C4D' should not have been logged."); - Assert.False(loggerFactory.ToString().Contains("9Z8Y7X6W"), "The secret '1A2B3C4D' should not have been logged."); } [Fact] 
@@ -545,26 +536,18 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement 2015-01-01T00:00:00Z 2015-02-01T00:00:00Z - 2015-03-01T00:00:00Z - - - - - + NOT A VALID DATE + "; - var mockActivator = new Mock(); - mockActivator.Setup(o => o.CreateInstance(It.IsAny(), "badDeserializer")).Throws(new Exception("Secret information: 9Z8Y7X6W")); - var loggerFactory = new StringLoggerFactory(LogLevel.Debug); // Act - RunGetAllKeysCore(xml, mockActivator.Object, loggerFactory).ToArray(); + RunGetAllKeysCore(xml, new Mock().Object, loggerFactory).ToArray(); // Assert Assert.True(loggerFactory.ToString().Contains("1A2B3C4D"), "The secret '1A2B3C4D' should have been logged."); - Assert.True(loggerFactory.ToString().Contains("9Z8Y7X6W"), "The secret '9Z8Y7X6W' should have been logged."); } [Fact] From d673df7ef3a896883a308edf024d623de64918b5 Mon Sep 17 00:00:00 2001 From: Levi B Date: Mon, 16 Mar 2015 23:53:56 -0700 Subject: [PATCH 118/493] Reliability improvements to key ring updates - Optimistically treat failures as transient and continue to use any existing cached key ring for a short period of time - Updates to the key ring shouldn't block other threads; they can use the outdated version while waiting for the update --- .../KeyManagement/CacheableKeyRing.cs | 11 +++ .../KeyManagement/KeyRingProvider.cs | 89 ++++++++++++++++--- .../KeyManagement/KeyRingProviderTests.cs | 72 ++++++++++++++- 3 files changed, 157 insertions(+), 15 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs index 9ab241650c..f9be3fcde7 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs 
@@ -36,5 +36,16 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement && !keyRing._expirationToken.IsCancellationRequested && keyRing.ExpirationTimeUtc > utcNow; } + + /// + /// Returns a new which is identical to 'this' but with a + /// lifetime extended 2 minutes from . The inner cancellation token + /// is also disconnected. + /// + internal CacheableKeyRing WithTemporaryExtendedLifetime(DateTimeOffset now) + { + TimeSpan extension = TimeSpan.FromMinutes(2); + return new CacheableKeyRing(CancellationToken.None, now + extension, KeyRing); + } } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index f5ffaadb53..321d5ef062 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs 
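Review bot: `WithTemporaryExtendedLifetime` swaps the ring's expiration token for `CancellationToken.None`, so a ring that was invalidated through its token satisfies the validity check shown in the context lines again for the whole extension. The doc comment mentions the disconnect but not that consequence. I would add a remark such as `/// The returned ring no longer observes invalidation of the original; use it only as a short-lived fallback after a failed refresh.` The 2-minute value is also repeated as literal text in the `KeyRingProvider` log message ("Will try again in 2 minutes."), so a single named `TimeSpan` constant used by both would keep the code and the message from drifting apart.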
@@ -146,26 +146,87 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement return existingCacheableKeyRing.KeyRing; } - // The cached keyring hasn't been created or must be refreshed. - lock (_cacheableKeyRingLockObj) + // The cached keyring hasn't been created or must be refreshed. We'll allow one thread to + // update the keyring, and all other threads will continue to use the existing cached + // keyring while the first thread performs the update. There is an exception: if there + // is no usable existing cached keyring, all callers must block until the keyring exists. + bool acquiredLock = false; + try { - // Did somebody update the keyring while we were waiting for the lock? - existingCacheableKeyRing = Volatile.Read(ref _cacheableKeyRing); - if (CacheableKeyRing.IsValid(existingCacheableKeyRing, utcNow)) + Monitor.TryEnter(_cacheableKeyRingLockObj, (existingCacheableKeyRing != null) ? 0 : Timeout.Infinite, ref acquiredLock); + if (acquiredLock) { + // This thread acquired the critical section and is responsible for updating the + // cached keyring. But first, let's make sure that somebody didn't sneak in before + // us and update the keyring on our behalf. + existingCacheableKeyRing = Volatile.Read(ref _cacheableKeyRing); + if (CacheableKeyRing.IsValid(existingCacheableKeyRing, utcNow)) + { + return existingCacheableKeyRing.KeyRing; + } + + if (existingCacheableKeyRing != null && _logger.IsVerboseLevelEnabled()) + { + _logger.LogVerbose("Existing cached key ring is expired. Refreshing."); + } + + // It's up to us to refresh the cached keyring. + // This call is performed *under lock*. + CacheableKeyRing newCacheableKeyRing; + + try + { + newCacheableKeyRing = _cacheableKeyRingProvider.GetCacheableKeyRing(utcNow); + } + catch (Exception ex) + { + if (_logger.IsErrorLevelEnabled()) + { + if (existingCacheableKeyRing != null) + { + _logger.LogError(ex, "An error occurred while refreshing the key ring. 
Will try again in 2 minutes."); + } + else + { + _logger.LogError(ex, "An error occurred while reading the key ring."); + } + } + + // Failures that occur while refreshing the keyring are most likely transient, perhaps due to a + // temporary network outage. Since we don't want every subsequent call to result in failure, we'll + // create a new keyring object whose expiration is now + some short period of time (currently 2 min), + // and after this period has elapsed the next caller will try refreshing. If we don't have an + // existing keyring (perhaps because this is the first call), then there's nothing to extend, so + // each subsequent caller will keep going down this code path until one succeeds. + if (existingCacheableKeyRing != null) + { + Volatile.Write(ref _cacheableKeyRing, existingCacheableKeyRing.WithTemporaryExtendedLifetime(utcNow)); + } + + // The immediate caller should fail so that he can report the error up his chain. This makes it more likely + // that an administrator can see the error and react to it as appropriate. The caller can retry the operation + // and will probably have success as long as he falls within the temporary extension mentioned above. + throw; + } + + Volatile.Write(ref _cacheableKeyRing, newCacheableKeyRing); + return newCacheableKeyRing.KeyRing; + } + else + { + // We didn't acquire the critical section. This should only occur if we passed + // zero for the Monitor.TryEnter timeout, which implies that we had an existing + // (but outdated) keyring that we can use as a fallback. + Debug.Assert(existingCacheableKeyRing != null); return existingCacheableKeyRing.KeyRing; } - - if (existingCacheableKeyRing != null && _logger.IsVerboseLevelEnabled()) + } + finally + { + if (acquiredLock) { - _logger.LogVerbose("Existing cached key ring is expired. Refreshing."); + Monitor.Exit(_cacheableKeyRingLockObj); } - - // It's up to us to refresh the cached keyring. - // This call is performed *under lock*. 
- var newCacheableKeyRing = _cacheableKeyRingProvider.GetCacheableKeyRing(utcNow); - Volatile.Write(ref _cacheableKeyRing, newCacheableKeyRing); - return newCacheableKeyRing.KeyRing; } } diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index 747dee772b..e315e2855a 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -7,6 +7,7 @@ using System.Globalization; using System.Threading; using System.Threading.Tasks; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.Testing; using Microsoft.Framework.DependencyInjection; using Moq; using Xunit; @@ -467,7 +468,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } [Fact] - public void GetCurrentKeyRing_ImplementsDoubleCheckLockPatternCorrectly() + public void GetCurrentKeyRing_NoExistingKeyRing_HoldsAllThreadsUntilKeyRingCreated() { // Arrange var now = StringToDateTime("2015-03-01 00:00:00Z"); 
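Review bot: In the `catch` block, every failed refresh writes `existingCacheableKeyRing.WithTemporaryExtendedLifetime(utcNow)` back to `_cacheableKeyRing`, and nothing bounds how often that can repeat. During a prolonged outage of the key store, an expired or invalidated ring therefore keeps being served in 2-minute steps, with only one caller per step seeing the error. If the ring was invalidated because a key was revoked (what triggers the token is not visible here), the revoked key stays in use for as long as refreshes keep failing. Consider recording when the first failure happened and refusing to extend past a fixed ceiling, and logging the count of consecutive failures so operators can alert on it. Separately, `Debug.Assert(existingCacheableKeyRing != null)` is compiled out of release builds, so the fallback branch relies on the `TryEnter` timeout logic alone; the enclosing method starts outside the hunk.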
@@ -515,6 +516,75 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(It.IsAny()), Times.Once); } + [Fact] + public void GetCurrentKeyRing_WithExpiredExistingKeyRing_AllowsOneThreadToUpdate_ReturnsExistingKeyRingToOtherCallersWithoutBlocking() + { + // Arrange + var originalKeyRing = new Mock().Object; + var originalKeyRingTime = StringToDateTime("2015-03-01 00:00:00Z"); + var updatedKeyRing = new Mock().Object; + var updatedKeyRingTime = StringToDateTime("2015-03-02 00:00:00Z"); + var mockCacheableKeyRingProvider = new Mock(); + var keyRingProvider = CreateKeyRingProvider(mockCacheableKeyRingProvider.Object); + + // In this test, the foreground thread acquires the critial section in GetCurrentKeyRing, + // and the background thread returns the original key ring rather than blocking while + // waiting for the foreground thread to update the key ring. + + TimeSpan testTimeout = TimeSpan.FromSeconds(10); + IKeyRing keyRingReturnedToBackgroundThread = null; + + mockCacheableKeyRingProvider.Setup(o => o.GetCacheableKeyRing(originalKeyRingTime)) + .Returns(new CacheableKeyRing(CancellationToken.None, StringToDateTime("2015-03-02 00:00:00Z"), originalKeyRing)); + mockCacheableKeyRingProvider.Setup(o => o.GetCacheableKeyRing(updatedKeyRingTime)) + .Returns(dto => + { + // at this point we're inside the critical section - spawn the background thread now + var backgroundGetKeyRingTask = Task.Run(() => + { + keyRingReturnedToBackgroundThread = keyRingProvider.GetCurrentKeyRingCore(updatedKeyRingTime); + }); + Assert.True(backgroundGetKeyRingTask.Wait(testTimeout), "Test timed out."); + + return new CacheableKeyRing(CancellationToken.None, StringToDateTime("2015-03-03 00:00:00Z"), updatedKeyRing); + }); + + // Assert - underlying provider only should have been called once with the updated time (by the foreground thread) + Assert.Same(originalKeyRing, 
keyRingProvider.GetCurrentKeyRingCore(originalKeyRingTime)); + Assert.Same(updatedKeyRing, keyRingProvider.GetCurrentKeyRingCore(updatedKeyRingTime)); + Assert.Same(originalKeyRing, keyRingReturnedToBackgroundThread); + mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(updatedKeyRingTime), Times.Once); + } + + [Fact] + public void GetCurrentKeyRing_WithExpiredExistingKeyRing_UpdateFails_ThrowsButCachesOldKeyRing() + { + // Arrange + var cts = new CancellationTokenSource(); + var mockCacheableKeyRingProvider = new Mock(); + var originalKeyRing = new Mock().Object; + var originalKeyRingTime = StringToDateTime("2015-03-01 00:00:00Z"); + mockCacheableKeyRingProvider.Setup(o => o.GetCacheableKeyRing(originalKeyRingTime)) + .Returns(new CacheableKeyRing(cts.Token, StringToDateTime("2015-03-02 00:00:00Z"), originalKeyRing)); + var throwKeyRingTime = StringToDateTime("2015-03-01 12:00:00Z"); + mockCacheableKeyRingProvider.Setup(o => o.GetCacheableKeyRing(throwKeyRingTime)).Throws(new Exception("How exceptional.")); + var updatedKeyRing = new Mock().Object; + var updatedKeyRingTime = StringToDateTime("2015-03-01 12:02:00Z"); + mockCacheableKeyRingProvider.Setup(o => o.GetCacheableKeyRing(updatedKeyRingTime)) + .Returns(new CacheableKeyRing(CancellationToken.None, StringToDateTime("2015-03-02 00:00:00Z"), updatedKeyRing)); + var keyRingProvider = CreateKeyRingProvider(mockCacheableKeyRingProvider.Object); + + // Act & assert + Assert.Same(originalKeyRing, keyRingProvider.GetCurrentKeyRingCore(originalKeyRingTime)); + cts.Cancel(); // invalidate the key ring + ExceptionAssert.Throws(() => keyRingProvider.GetCurrentKeyRingCore(throwKeyRingTime), "How exceptional."); + Assert.Same(originalKeyRing, keyRingProvider.GetCurrentKeyRingCore(throwKeyRingTime)); + Assert.Same(updatedKeyRing, keyRingProvider.GetCurrentKeyRingCore(updatedKeyRingTime)); + mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(originalKeyRingTime), Times.Once); + 
mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(throwKeyRingTime), Times.Once); + mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(updatedKeyRingTime), Times.Once); + } + private static KeyRingProvider CreateKeyRingProvider(ICacheableKeyRingProvider cacheableKeyRingProvider) { var serviceCollection = new ServiceCollection(); From 94233e76ffba1fd9e31992cc63e36b269e3fac82 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 17 Mar 2015 10:45:21 -0700 Subject: [PATCH 119/493] Remove experimental .Azure project --- DataProtection.sln | 11 +- .../BlobStorageXmlRepository.cs | 143 ------------------ .../BlobStorageXmlRepositoryOptions.cs | 19 --- .../CryptoUtil.cs | 35 ----- ...icrosoft.AspNet.DataProtection.Azure.xproj | 17 --- .../project.json | 16 -- 6 files changed, 1 insertion(+), 240 deletions(-) delete mode 100644 src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Azure/CryptoUtil.cs delete mode 100644 src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.xproj delete mode 100644 src/Microsoft.AspNet.DataProtection.Azure/project.json diff --git a/DataProtection.sln b/DataProtection.sln index a0e5ba9f50..c0e088b8b7 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -1,14 +1,12 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.22609.0 +VisualStudioVersion = 14.0.22710.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection", "src\Microsoft.AspNet.DataProtection\Microsoft.AspNet.DataProtection.xproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Azure", "src\Microsoft.AspNet.DataProtection.Azure\Microsoft.AspNet.DataProtection.Azure.xproj", "{DF3671D7-A9B1-45F1-A195-0AD596001735}" -EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test", "test\Microsoft.AspNet.DataProtection.Test\Microsoft.AspNet.DataProtection.Test.xproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" 
@@ -45,12 +43,6 @@ Global {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|Any CPU.ActiveCfg = Release|Any CPU {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|Any CPU.Build.0 = Release|Any CPU {1E570CD4-6F12-44F4-961E-005EE2002BC2}.Release|x86.ActiveCfg = Release|Any CPU - {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|Any CPU.Build.0 = Debug|Any CPU - {DF3671D7-A9B1-45F1-A195-0AD596001735}.Debug|x86.ActiveCfg = Debug|Any CPU - {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.ActiveCfg = Release|Any CPU - {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|Any CPU.Build.0 = Release|Any CPU - {DF3671D7-A9B1-45F1-A195-0AD596001735}.Release|x86.ActiveCfg = Release|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|Any CPU.Build.0 = Debug|Any CPU {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}.Debug|x86.ActiveCfg = Debug|Any CPU @@ -135,7 +127,6 @@ Global EndGlobalSection GlobalSection(NestedProjects) = preSolution {1E570CD4-6F12-44F4-961E-005EE2002BC2} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} - {DF3671D7-A9B1-45F1-A195-0AD596001735} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {7A637185-2BA1-437D-9D4C-7CC4F94CF7BF} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {E2779976-A28C-4365-A4BB-4AD854FAF23E} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {421F0383-34B1-402D-807B-A94542513ABA} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} diff --git a/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs deleted file mode 100644 index 777a9654ea..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepository.cs +++ /dev/null 
@@ -1,143 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using System.IO; -using System.Linq; -using System.Net; -using System.Runtime.ExceptionServices; -using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.Repositories; -using Microsoft.Framework.Internal; -using Microsoft.Framework.OptionsModel; -using Microsoft.WindowsAzure.Storage; -using Microsoft.WindowsAzure.Storage.Blob; - -namespace Microsoft.AspNet.DataProtection.Azure -{ - /// - /// An XML repository backed by Azure blob storage. - /// - public class BlobStorageXmlRepository : IXmlRepository - { - private const int MAX_NUM_UPDATE_ATTEMPTS = 10; - - internal static readonly XNamespace XmlNamespace = XNamespace.Get("http://www.asp.net/dataProtection/2014/azure"); - internal static readonly XName KeyRingElementName = XmlNamespace.GetName("keyRing"); - - public BlobStorageXmlRepository([NotNull] IOptions optionsAccessor) - { - Directory = optionsAccessor.Options.Directory; - CryptoUtil.Assert(Directory != null, "Directory != null"); - } - - protected CloudBlobDirectory Directory - { - get; - private set; - } - - // IXmlRepository objects are supposed to be thread-safe, but CloudBlockBlob - // instances do not meet this criterion. We'll create them on-demand so that each - // thread can have its own instance that doesn't impact others. - private CloudBlockBlob GetKeyRingBlockBlobReference() - { - return Directory.GetBlockBlobReference("keyring.xml"); - } - - public virtual IReadOnlyCollection GetAllElements() - { - var blobRef = GetKeyRingBlockBlobReference(); - XDocument document = ReadDocumentFromStorage(blobRef); - return (IReadOnlyCollection)document?.Root.Elements().ToList().AsReadOnly() ?? 
new XElement[0]; - } - - private XDocument ReadDocumentFromStorage(CloudBlockBlob blobRef) - { - // Try downloading from Azure storage - using (var memoryStream = new MemoryStream()) - { - try - { - blobRef.DownloadToStream(memoryStream); - } - catch (StorageException ex) when (ex.RequestInformation.HttpStatusCode == (int)HttpStatusCode.NotFound) - { - // 404s are not a fatal error - empty keyring - return null; - } - - // Rewind the memory stream and read it into an XDocument - memoryStream.Position = 0; - XDocument document = XDocument.Load(memoryStream); - - // Format checks - CryptoUtil.Assert(document.Root.Name == KeyRingElementName, "TODO: Unknown element."); - CryptoUtil.Assert((int)document.Root.Attribute("version") == 1, "TODO: Unknown version."); - return document; - } - } - - public virtual void StoreElement([NotNull] XElement element, string friendlyName) - { - ExceptionDispatchInfo lastException = null; - - // To perform a transactional update of keyring.xml, we first need to get - // the original contents of the blob. - var blobRef = GetKeyRingBlockBlobReference(); - - for (int i = 0; i < MAX_NUM_UPDATE_ATTEMPTS; i++) - { - AccessCondition updateAccessCondition; - XDocument document = ReadDocumentFromStorage(blobRef); - - // Inject the new element into the existing root. 
- if (document != null) - { - document.Root.Add(element); - - // only update if the contents haven't changed (prevents overwrite) - updateAccessCondition = AccessCondition.GenerateIfMatchCondition(blobRef.Properties.ETag); - } - else - { - document = new XDocument( - new XElement(KeyRingElementName, - new XAttribute("version", 1), - element)); - - // only update if the file doesn't exist (prevents overwrite) - updateAccessCondition = AccessCondition.GenerateIfNoneMatchCondition("*"); - } - - // Write the updated document back out - MemoryStream memoryStream = new MemoryStream(); - document.Save(memoryStream); - try - { - blobRef.UploadFromByteArray(memoryStream.GetBuffer(), 0, checked((int)memoryStream.Length), accessCondition: updateAccessCondition); - return; // success! - } - catch (StorageException ex) - { - switch ((HttpStatusCode)ex.RequestInformation.HttpStatusCode) - { - // If we couldn't update the blob due to a conflict on the server, try again. - case HttpStatusCode.Conflict: - case HttpStatusCode.PreconditionFailed: - lastException = ExceptionDispatchInfo.Capture(ex); - continue; - - default: - throw; - } - } - } - - // If we got this far, too many conflicts occurred while trying to update the blob. - // Just bail. - lastException.Throw(); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs b/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs deleted file mode 100644 index cd3d44a57e..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Azure/BlobStorageXmlRepositoryOptions.cs +++ /dev/null 
@@ -1,19 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.WindowsAzure.Storage.Blob; - -namespace Microsoft.AspNet.DataProtection.Azure -{ - /// - /// Specifies options for configuring an Azure blob storage-based repository. - /// - public class BlobStorageXmlRepositoryOptions - { - /// - /// The blob storage directory where the key ring will be stored. - /// - public CloudBlobDirectory Directory { get; set; } - } -} diff --git a/src/Microsoft.AspNet.DataProtection.Azure/CryptoUtil.cs b/src/Microsoft.AspNet.DataProtection.Azure/CryptoUtil.cs deleted file mode 100644 index b666b6f5cd..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Azure/CryptoUtil.cs +++ /dev/null 
@@ -1,35 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; -using System.Runtime.CompilerServices; -using System.Security.Cryptography; - -namespace Microsoft.AspNet.DataProtection -{ - internal static class CryptoUtil - { - // This isn't a typical Debug.Assert; the check is always performed, even in retail builds. - [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static void Assert(bool condition, string message) - { - if (!condition) - { - Fail(message); - } - } - - // This isn't a typical Debug.Fail; an error always occurs, even in retail builds. - // This method doesn't return, but since the CLR doesn't allow specifying a 'never' - // return type, we mimic it by specifying our return type as Exception. That way - // callers can write 'throw Fail(...);' to make the C# compiler happy, as the - // throw keyword is implicitly of type O. - [MethodImpl(MethodImplOptions.NoInlining)] - public static Exception Fail(string message) - { - Debug.Fail(message); - throw new CryptographicException("Assertion failed: " + message); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.xproj b/src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.xproj deleted file mode 100644 index 0279cb8079..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Azure/Microsoft.AspNet.DataProtection.Azure.xproj +++ /dev/null @@ -1,17 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - DF3671D7-A9B1-45F1-A195-0AD596001735 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ - - - 2.0 - - - 
diff --git a/src/Microsoft.AspNet.DataProtection.Azure/project.json b/src/Microsoft.AspNet.DataProtection.Azure/project.json deleted file mode 100644 index 38fe54a39b..0000000000 --- a/src/Microsoft.AspNet.DataProtection.Azure/project.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "1.0.0-*", - "description": "ASP.NET 5 blob storage repository for DataProtection.", - "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*", - "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, - "WindowsAzure.Storage": "4.3.0" - }, - "frameworks": { - "net451": {}, - "dnx451": {} - }, - "compilationOptions": { - "warningsAsErrors": true - } -} From 84490846b658830ee46ba8adf97d814b71daf21c Mon Sep 17 00:00:00 2001 
From: Levi B Date: Tue, 17 Mar 2015 10:49:15 -0700 Subject: [PATCH 120/493] Move time-limited data protector to Extensions project --- DataProtection.sln | 22 +++ .../BitHelpers.cs | 42 +++++ .../DataProtectionExtensions.cs | 108 +++++++++++ .../ITimeLimitedDataProtector.cs | 57 ++++++ ...oft.AspNet.DataProtection.Extensions.xproj | 17 ++ .../Properties/AssemblyInfo.cs | 7 + .../Properties/Resources.Designer.cs | 78 ++++++++ .../Resources.resx | 129 +++++++++++++ .../TimeLimitedDataProtector.cs | 115 +++++++++++ .../project.json | 18 ++ .../DataProtectionExtensions.cs | 7 +- .../DataProtectionExtensions.cs | 25 --- src/Microsoft.AspNet.DataProtection/Error.cs | 9 +- .../ITimeLimitedDataProtector.cs | 45 ----- .../Properties/Resources.Designer.cs | 16 -- .../Resources.resx | 3 - .../TimeLimitedDataProtector.cs | 102 ---------- .../DataProtectionExtensionsTests.cs | 102 ++++++++++ ...spNet.DataProtection.Extensions.Test.xproj | 17 ++ .../TimeLimitedDataProtectorTests.cs | 178 ++++++++++++++++++ .../project.json | 18 ++ .../DataProtectionExtensionsTests.cs | 40 ---- .../TimeLimitedDataProtectorTests.cs | 87 --------- 23 files changed, 913 insertions(+), 329 deletions(-) create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/Properties/Resources.Designer.cs create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/Resources.resx create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs create mode 100644 
src/Microsoft.AspNet.DataProtection.Extensions/project.json delete mode 100644 src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs delete mode 100644 src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj create mode 100644 test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs create mode 100644 test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json delete mode 100644 test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs delete mode 100644 test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs diff --git a/DataProtection.sln b/DataProtection.sln index c0e088b8b7..cf081e45be 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -29,6 +29,10 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtec EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.SystemWeb", "src\Microsoft.AspNet.DataProtection.SystemWeb\Microsoft.AspNet.DataProtection.SystemWeb.xproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Extensions.Test", "test\Microsoft.AspNet.DataProtection.Extensions.Test\Microsoft.AspNet.DataProtection.Extensions.Test.xproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Extensions", "src\Microsoft.AspNet.DataProtection.Extensions\Microsoft.AspNet.DataProtection.Extensions.xproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -121,6 +125,22 @@ Global {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Release|Any CPU.Build.0 = Release|Any CPU {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Release|x86.ActiveCfg = Release|Any CPU {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Release|x86.Build.0 = Release|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Debug|Any CPU.Build.0 = Debug|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Debug|x86.ActiveCfg = Debug|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Debug|x86.Build.0 = Debug|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Release|Any CPU.ActiveCfg = Release|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Release|Any CPU.Build.0 = Release|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Release|x86.ActiveCfg = Release|Any CPU + {04AA8E60-A053-4D50-89FE-E76C3DF45200}.Release|x86.Build.0 = Release|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Debug|Any CPU.Build.0 = Debug|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Debug|x86.ActiveCfg = Debug|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Debug|x86.Build.0 = Debug|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|Any CPU.ActiveCfg = Release|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|Any CPU.Build.0 = Release|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|x86.ActiveCfg = Release|Any CPU + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE 
@@ -137,5 +157,7 @@ Global {4F14BA2A-4F04-4676-8586-EC380977EE2E} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {3277BB22-033F-4010-8131-A515B910CAAD} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {04AA8E60-A053-4D50-89FE-E76C3DF45200} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {BF8681DB-C28B-441F-BD92-0DCFE9537A9F} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} EndGlobalSection EndGlobal diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs b/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs new file mode 100644 index 0000000000..145bb900fa --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs 
@@ -0,0 +1,42 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; + +namespace Microsoft.AspNet.DataProtection +{ + internal static class BitHelpers + { + /// + /// Reads an unsigned 64-bit integer from + /// starting at offset . Data is read big-endian. + /// + public static ulong ReadUInt64(byte[] buffer, int offset) + { + return (((ulong)buffer[offset + 0]) << 56) + | (((ulong)buffer[offset + 1]) << 48) + | (((ulong)buffer[offset + 2]) << 40) + | (((ulong)buffer[offset + 3]) << 32) + | (((ulong)buffer[offset + 4]) << 24) + | (((ulong)buffer[offset + 5]) << 16) + | (((ulong)buffer[offset + 6]) << 8) + | (ulong)buffer[offset + 7]; + } + + /// + /// Writes an unsigned 64-bit integer to starting at + /// offset . Data is written big-endian. + /// + public static void WriteUInt64(byte[] buffer, int offset, ulong value) + { + buffer[offset + 0] = (byte)(value >> 56); + buffer[offset + 1] = (byte)(value >> 48); + buffer[offset + 2] = (byte)(value >> 40); + buffer[offset + 3] = (byte)(value >> 32); + buffer[offset + 4] = (byte)(value >> 24); + buffer[offset + 5] = (byte)(value >> 16); + buffer[offset + 6] = (byte)(value >> 8); + buffer[offset + 7] = (byte)(value); + } + } +} diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs new file mode 100644 index 0000000000..250f86cf70 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs 
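Review bot: `ReadUInt64` and `WriteUInt64` index `buffer[offset + 0]` through `buffer[offset + 7]` without checking that eight bytes are available, and the doc comments do not state that requirement. If `ReadUInt64` is applied to an unprotected payload shorter than the expiration header (the caller is not in this hunk), the failure would surface as `IndexOutOfRangeException` instead of the exception type the time-limited API documents for malformed input, presumably `CryptographicException`. I would document the precondition, `/// The caller must ensure that buffer holds at least 8 bytes starting at offset.`, or check `buffer.Length - offset < sizeof(ulong)` at the top of both methods and fail explicitly.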
@@ -0,0 +1,108 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ public static class DataProtectionExtensions
+ {
+ ///
+ /// Cryptographically protects a piece of plaintext data, expiring the data after
+ /// the specified amount of time has elapsed.
+ ///
+ /// The protector to use.
+ /// The plaintext data to protect.
+ /// The amount of time after which the payload should no longer be unprotectable.
+ /// The protected form of the plaintext data.
+ public static byte[] Protect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] byte[] plaintext, TimeSpan lifetime)
+ {
+ return protector.Protect(plaintext, DateTimeOffset.UtcNow + lifetime);
+ }
+
+ ///
+ /// Cryptographically protects a piece of plaintext data, expiring the data at
+ /// the chosen time.
+ ///
+ /// The protector to use.
+ /// The plaintext data to protect.
+ /// The time when this payload should expire.
+ /// The protected form of the plaintext data.
+ public static string Protect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] string plaintext, DateTimeOffset expiration)
+ {
+ var wrappingProtector = new TimeLimitedWrappingProtector(protector) { Expiration = expiration };
+ return wrappingProtector.Protect(plaintext);
+ }
+
+ ///
+ /// Cryptographically protects a piece of plaintext data, expiring the data after
+ /// the specified amount of time has elapsed.
+ ///
+ /// The protector to use.
+ /// The plaintext data to protect.
+ /// The amount of time after which the payload should no longer be unprotectable.
+ /// The protected form of the plaintext data.
+ public static string Protect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] string plaintext, TimeSpan lifetime)
+ {
+ return Protect(protector, plaintext, DateTimeOffset.Now + lifetime);
+ }
+
+ ///
+ /// Converts an into an
+ /// so that payloads can be protected with a finite lifetime.
+ ///
+ /// The to convert to a time-limited protector.
+ /// An .
+ public static ITimeLimitedDataProtector ToTimeLimitedDataProtector([NotNull] this IDataProtector protector)
+ {
+ return (protector as ITimeLimitedDataProtector) ?? new TimeLimitedDataProtector(protector);
+ }
+
+ ///
+ /// Cryptographically unprotects a piece of protected data.
+ ///
+ /// The protector to use.
+ /// The protected data to unprotect.
+ /// An 'out' parameter which upon a successful unprotect
+ /// operation receives the expiration date of the payload.
+ /// The plaintext form of the protected data.
+ ///
+ /// Thrown if is invalid, malformed, or expired.
+ ///
+ public static string Unprotect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] string protectedData, out DateTimeOffset expiration)
+ {
+ var wrappingProtector = new TimeLimitedWrappingProtector(protector);
+ string retVal = wrappingProtector.Unprotect(protectedData);
+ expiration = wrappingProtector.Expiration;
+ return retVal;
+ }
+
+ private sealed class TimeLimitedWrappingProtector : IDataProtector
+ {
+ public DateTimeOffset Expiration;
+ private readonly ITimeLimitedDataProtector _innerProtector;
+
+ public TimeLimitedWrappingProtector(ITimeLimitedDataProtector innerProtector)
+ {
+ _innerProtector = innerProtector;
+ }
+
+ public IDataProtector CreateProtector(string purpose)
+ {
+ throw new NotImplementedException();
+ }
+
+ public byte[] Protect(byte[] plaintext)
+ {
+ return _innerProtector.Protect(plaintext, Expiration);
+ }
+
+ public byte[] Unprotect(byte[] protectedData)
+ {
+ return _innerProtector.Unprotect(protectedData, out Expiration);
+ }
+ }
+ }
+}
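Review bot: The string overload `Protect(protector, plaintext, TimeSpan lifetime)` derives the expiry from `DateTimeOffset.Now`, while the byte[] overload at the top of the same class uses `DateTimeOffset.UtcNow`. Both denote the same instant, so this is not a functional bug, but the two overloads should read the same: `return Protect(protector, plaintext, DateTimeOffset.UtcNow + lifetime);`. Neither overload checks `lifetime`: a zero or negative value yields a payload that is expired as soon as it is issued, and a very large value makes the addition throw ArgumentOutOfRangeException instead of a CryptographicException. A sentence in the `lifetime` parameter documentation stating the expected range (positive, and short per the interface remarks) would make that contract visible to callers.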
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs new file mode 100644 index 0000000000..b3b7e8d150 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs 
@@ -0,0 +1,57 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ ///
+ /// An interface that can provide data protection services where payloads have
+ /// a finite lifetime.
+ ///
+ ///
+ /// It is intended that payload lifetimes be somewhat short. Payloads protected
+ /// via this mechanism are not intended for long-term persistence (e.g., longer
+ /// than a few weeks).
+ ///
+ public interface ITimeLimitedDataProtector : IDataProtector
+ {
+ ///
+ /// Creates an given a purpose.
+ ///
+ ///
+ /// The purpose to be assigned to the newly-created .
+ ///
+ /// An tied to the provided purpose.
+ ///
+ /// The parameter must be unique for the intended use case; two
+ /// different instances created with two different
+ /// values will not be able to decipher each other's payloads. The parameter
+ /// value is not intended to be kept secret.
+ ///
+ new ITimeLimitedDataProtector CreateProtector([NotNull] string purpose);
+
+ ///
+ /// Cryptographically protects a piece of plaintext data, expiring the data at
+ /// the chosen time.
+ ///
+ /// The plaintext data to protect.
+ /// The time when this payload should expire.
+ /// The protected form of the plaintext data.
+ byte[] Protect([NotNull] byte[] plaintext, DateTimeOffset expiration);
+
+ ///
+ /// Cryptographically unprotects a piece of protected data.
+ ///
+ /// The protected data to unprotect.
+ /// An 'out' parameter which upon a successful unprotect
+ /// operation receives the expiration date of the payload.
+ /// The plaintext form of the protected data.
+ ///
+ /// Thrown if is invalid, malformed, or expired.
+ ///
+ byte[] Unprotect([NotNull] byte[] protectedData, out DateTimeOffset expiration);
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj b/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj new file mode 100644 index 0000000000..5497c05b2f --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj @@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + bf8681db-c28b-441f-bd92-0dcfe9537a9f + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..da10ac701d --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs @@ -0,0 +1,7 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Runtime.CompilerServices; + +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test")] diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/Resources.Designer.cs new file mode 100644 index 0000000000..76aaef653d --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/Resources.Designer.cs 
@@ -0,0 +1,78 @@ +// +namespace Microsoft.AspNet.DataProtection.Extensions +{ + using System.Globalization; + using System.Reflection; + using System.Resources; + + internal static class Resources + { + private static readonly ResourceManager _resourceManager + = new ResourceManager("Microsoft.AspNet.DataProtection.Extensions.Resources", typeof(Resources).GetTypeInfo().Assembly); + + /// + /// An error occurred during a cryptographic operation. + /// + internal static string CryptCommon_GenericError + { + get { return GetString("CryptCommon_GenericError"); } + } + + /// + /// An error occurred during a cryptographic operation. + /// + internal static string FormatCryptCommon_GenericError() + { + return GetString("CryptCommon_GenericError"); + } + + /// + /// The payload expired at {0}. + /// + internal static string TimeLimitedDataProtector_PayloadExpired + { + get { return GetString("TimeLimitedDataProtector_PayloadExpired"); } + } + + /// + /// The payload expired at {0}. + /// + internal static string FormatTimeLimitedDataProtector_PayloadExpired(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("TimeLimitedDataProtector_PayloadExpired"), p0); + } + + /// + /// The payload is invalid. + /// + internal static string TimeLimitedDataProtector_PayloadInvalid + { + get { return GetString("TimeLimitedDataProtector_PayloadInvalid"); } + } + + /// + /// The payload is invalid. + /// + internal static string FormatTimeLimitedDataProtector_PayloadInvalid() + { + return GetString("TimeLimitedDataProtector_PayloadInvalid"); + } + + private static string GetString(string name, params string[] formatterNames) + { + var value = _resourceManager.GetString(name); + + System.Diagnostics.Debug.Assert(value != null); + + if (formatterNames != null) + { + for (var i = 0; i < formatterNames.Length; i++) + { + value = value.Replace("{" + formatterNames[i] + "}", "{" + i + "}"); + } + } + + return value; + } + } +} 
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Resources.resx b/src/Microsoft.AspNet.DataProtection.Extensions/Resources.resx new file mode 100644 index 0000000000..b53d26e321 --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Resources.resx @@ -0,0 +1,129 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 2.0 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + An error occurred during a cryptographic operation. + + + The payload expired at {0}. + + + The payload is invalid. + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs new file mode 100644 index 0000000000..3f5e5c3e9a --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs 
@@ -0,0 +1,115 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography;
+using System.Threading;
+using Microsoft.AspNet.DataProtection.Extensions;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ ///
+ /// Wraps an existing and appends a purpose that allows
+ /// protecting data with a finite lifetime.
+ ///
+ internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector
+ {
+ private const string MyPurposeString = "Microsoft.AspNet.DataProtection.TimeLimitedDataProtector.v1";
+
+ private readonly IDataProtector _innerProtector;
+ private IDataProtector _innerProtectorWithTimeLimitedPurpose; // created on-demand
+
+ public TimeLimitedDataProtector(IDataProtector innerProtector)
+ {
+ _innerProtector = innerProtector;
+ }
+
+ public ITimeLimitedDataProtector CreateProtector([NotNull] string purpose)
+ {
+ return new TimeLimitedDataProtector(_innerProtector.CreateProtector(purpose));
+ }
+
+ private IDataProtector GetInnerProtectorWithTimeLimitedPurpose()
+ {
+ // thread-safe lazy init pattern with multi-execution and single publication
+ var retVal = Volatile.Read(ref _innerProtectorWithTimeLimitedPurpose);
+ if (retVal == null)
+ {
+ var newValue = _innerProtector.CreateProtector(MyPurposeString); // we always append our purpose to the end of the chain
+ retVal = Interlocked.CompareExchange(ref _innerProtectorWithTimeLimitedPurpose, newValue, null) ?? newValue;
+ }
+ return retVal;
+ }
+
+ public byte[] Protect([NotNull] byte[] plaintext, DateTimeOffset expiration)
+ {
+ // We prepend the expiration time (as a 64-bit UTC tick count) to the unprotected data.
+ byte[] plaintextWithHeader = new byte[checked(8 + plaintext.Length)];
+ BitHelpers.WriteUInt64(plaintextWithHeader, 0, (ulong)expiration.UtcTicks);
+ Buffer.BlockCopy(plaintext, 0, plaintextWithHeader, 8, plaintext.Length);
+
+ return GetInnerProtectorWithTimeLimitedPurpose().Protect(plaintextWithHeader);
+ }
+
+ public byte[] Unprotect([NotNull] byte[] protectedData, out DateTimeOffset expiration)
+ {
+ return UnprotectCore(protectedData, DateTimeOffset.UtcNow, out expiration);
+ }
+
+ internal byte[] UnprotectCore([NotNull] byte[] protectedData, DateTimeOffset now, out DateTimeOffset expiration)
+ {
+ try
+ {
+ byte[] plaintextWithHeader = GetInnerProtectorWithTimeLimitedPurpose().Unprotect(protectedData);
+ if (plaintextWithHeader.Length < 8)
+ {
+ // header isn't present
+ throw new CryptographicException(Resources.TimeLimitedDataProtector_PayloadInvalid);
+ }
+
+ // Read expiration time back out of the payload
+ ulong utcTicksExpiration = BitHelpers.ReadUInt64(plaintextWithHeader, 0);
+ DateTimeOffset embeddedExpiration = new DateTimeOffset(checked((long)utcTicksExpiration), TimeSpan.Zero /* UTC */);
+
+ // Are we expired?
+ if (now > embeddedExpiration)
+ {
+ throw new CryptographicException(Resources.FormatTimeLimitedDataProtector_PayloadExpired(embeddedExpiration));
+ }
+
+ // Not expired - split and return payload
+ byte[] retVal = new byte[plaintextWithHeader.Length - 8];
+ Buffer.BlockCopy(plaintextWithHeader, 8, retVal, 0, retVal.Length);
+ expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero);
+ return retVal;
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // Homogenize all failures to CryptographicException
+ throw new CryptographicException(Resources.CryptCommon_GenericError, ex);
+ }
+ }
+
+ /*
+ * EXPLICIT INTERFACE IMPLEMENTATIONS
+ */
+
+ IDataProtector IDataProtectionProvider.CreateProtector(string purpose)
+ {
+ return CreateProtector(purpose);
+ }
+
+ byte[] IDataProtector.Protect(byte[] plaintext)
+ {
+ // MaxValue essentially means 'no expiration'
+ return Protect(plaintext, DateTimeOffset.MaxValue);
+ }
+
+ byte[] IDataProtector.Unprotect(byte[] protectedData)
+ {
+ DateTimeOffset expiration; // unused
+ return Unprotect(protectedData, out expiration);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json
new file mode 100644
index 0000000000..2fd42f5a21
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json
@@ -0,0 +1,18 @@
+{
+ "version": "1.0.0-*",
+ "description": "Additional APIs for ASP.NET 5 data protection.",
+ "dependencies": {
+ "Microsoft.AspNet.DataProtection": "1.0.0-*",
+ "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" },
+ "Microsoft.Framework.DependencyInjection": "1.0.0-*",
+ "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }
+ },
+ "frameworks": {
+ "net451": { },
+ "dnx451": { },
+ "dnxcore50": { }
+ },
+ "compilationOptions": {
+ "warningsAsErrors": true
+ }
+}
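Review bot: In `UnprotectCore` of TimeLimitedDataProtector.cs the out value is rebuilt with `new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero)` even though `embeddedExpiration` already holds that timestamp and was produced through a `checked` cast. Assigning `expiration = embeddedExpiration;` removes the second, unchecked conversion and keeps one validated source for the value. The expired branch throws a CryptographicException from inside the `try`, and the filter `RequiresHomogenization()` is defined outside this diff, so it cannot be confirmed here that the "payload expired" message reaches callers rather than being wrapped in the generic error. A short comment above the `catch` stating which exception types pass through would make the intended behaviour reviewable. The expiry check runs only after the inner `Unprotect` has succeeded, so the distinct message is produced for authenticated payloads only; that ordering deserves a comment too, because it is what keeps the two error messages from acting as a validity signal for forged input.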
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs index 4a7312e43c..bd41d6ba9a 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs @@ -5,6 +5,7 @@ using System; using System.Collections.Generic; using System.ComponentModel; using System.Diagnostics; +using System.Security.Cryptography; using Microsoft.AspNet.DataProtection.Interfaces; using Microsoft.Framework.Internal; @@ -201,9 +202,9 @@ namespace Microsoft.AspNet.DataProtection /// The data protector to use for this operation. /// The protected data to unprotect. /// The plaintext form of the protected data. - /// - /// This method will throw CryptographicException if the input is invalid or malformed. - /// + /// + /// Thrown if is invalid or malformed. + /// public static string Unprotect([NotNull] this IDataProtector protector, [NotNull] string protectedData) { try diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs deleted file mode 100644 index f2709b584f..0000000000 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionExtensions.cs +++ /dev/null 
@@ -1,25 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.Framework.Internal; - -namespace Microsoft.AspNet.DataProtection -{ - /// - /// Helpful extension methods for data protection APIs. - /// - public static class DataProtectionExtensions - { - /// - /// Creates a time-limited data protector based on an existing protector. - /// - /// The existing protector from which to derive a time-limited protector. - /// A time-limited data protector. - public static ITimeLimitedDataProtector AsTimeLimitedDataProtector([NotNull] this IDataProtector protector) - { - return (protector as ITimeLimitedDataProtector) - ?? new TimeLimitedDataProtector(protector.CreateProtector(TimeLimitedDataProtector.PurposeString)); - } - } -} diff --git a/src/Microsoft.AspNet.DataProtection/Error.cs b/src/Microsoft.AspNet.DataProtection/Error.cs index 5d954946ee..034a61c51d 100644 --- a/src/Microsoft.AspNet.DataProtection/Error.cs +++ b/src/Microsoft.AspNet.DataProtection/Error.cs @@ -85,14 +85,7 @@ namespace Microsoft.AspNet.DataProtection { return new CryptographicException(Resources.ProtectionProvider_BadVersion); } - - public static CryptographicException TimeLimitedDataProtector_PayloadExpired(ulong utcTicksExpiration) - { - DateTimeOffset expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero).ToLocalTime(); - string message = String.Format(CultureInfo.CurrentCulture, Resources.TimeLimitedDataProtector_PayloadExpired, expiration); - return new CryptographicException(message); - } - + public static InvalidOperationException XmlKeyManager_DuplicateKey(Guid keyId) { string message = String.Format(CultureInfo.CurrentCulture, Resources.XmlKeyManager_DuplicateKey, keyId); 
diff --git a/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs deleted file mode 100644 index 7e168a93bc..0000000000 --- a/src/Microsoft.AspNet.DataProtection/ITimeLimitedDataProtector.cs +++ /dev/null 
@@ -1,45 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNet.DataProtection -{ - /// - /// An interface that can provide data protection services. - /// - public interface ITimeLimitedDataProtector : IDataProtector - { - /// - /// Creates an IDataProtector given a purpose. - /// - /// - /// The purpose to be assigned to the newly-created IDataProtector. - /// This parameter must be unique for the intended use case; two different IDataProtector - /// instances created with two different 'purpose' strings will not be able - /// to understand each other's payloads. The 'purpose' parameter is not intended to be - /// kept secret. - /// - /// An IDataProtector tied to the provided purpose. - new ITimeLimitedDataProtector CreateProtector(string purpose); - - /// - /// Cryptographically protects a piece of plaintext data and assigns an expiration date to the data. - /// - /// The plaintext data to protect. - /// The date after which the data can no longer be unprotected. - /// The protected form of the plaintext data. - byte[] Protect(byte[] plaintext, DateTimeOffset expiration); - - /// - /// Cryptographically unprotects a piece of protected data. - /// - /// The protected data to unprotect. - /// After unprotection, contains the expiration date of the protected data. - /// The plaintext form of the protected data. - /// - /// Implementations should throw CryptographicException if the protected data is invalid or malformed. - /// - byte[] Unprotect(byte[] protectedData, out DateTimeOffset expiration); - } -} diff --git a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs index e9ac9e8f90..2d88c5206c 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs 
+++ b/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs @@ -170,22 +170,6 @@ namespace Microsoft.AspNet.DataProtection return GetString("ProtectionProvider_BadVersion"); } - /// - /// The payload expired at {0}. - /// - internal static string TimeLimitedDataProtector_PayloadExpired - { - get { return GetString("TimeLimitedDataProtector_PayloadExpired"); } - } - - /// - /// The payload expired at {0}. - /// - internal static string FormatTimeLimitedDataProtector_PayloadExpired(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("TimeLimitedDataProtector_PayloadExpired"), p0); - } - /// /// Value must be non-negative. /// diff --git a/src/Microsoft.AspNet.DataProtection/Resources.resx b/src/Microsoft.AspNet.DataProtection/Resources.resx index 5f368a39c0..80b564e98d 100644 --- a/src/Microsoft.AspNet.DataProtection/Resources.resx +++ b/src/Microsoft.AspNet.DataProtection/Resources.resx @@ -147,9 +147,6 @@ The provided payload cannot be decrypted because it was protected with a newer version of the protection provider. - - The payload expired at {0}. - Value must be non-negative. diff --git a/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs deleted file mode 100644 index a9033d4c25..0000000000 --- a/src/Microsoft.AspNet.DataProtection/TimeLimitedDataProtector.cs +++ /dev/null 
@@ -1,102 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.Framework.Internal; - -namespace Microsoft.AspNet.DataProtection -{ - internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector - { - internal const string PurposeString = "Microsoft.AspNet.DataProtection.TimeLimitedDataProtector"; - - public TimeLimitedDataProtector(IDataProtector innerProtector) - { - InnerProtector = innerProtector; - } - - internal IDataProtector InnerProtector - { - get; - private set; - } - - public ITimeLimitedDataProtector CreateProtector([NotNull] string purpose) - { - return new TimeLimitedDataProtector(InnerProtector.CreateProtector(purpose)); - } - - public byte[] Protect([NotNull] byte[] plaintext) - { - return Protect(plaintext, DateTimeOffset.MaxValue); - } - - public byte[] Protect([NotNull] byte[] plaintext, DateTimeOffset expiration) - { - // We prepend the expiration time (as a big-endian 64-bit UTC tick count) to the unprotected data. 
- ulong utcTicksExpiration = (ulong)expiration.UtcTicks; - - byte[] plaintextWithHeader = new byte[checked(8 + plaintext.Length)]; - plaintextWithHeader[0] = (byte)(utcTicksExpiration >> 56); - plaintextWithHeader[1] = (byte)(utcTicksExpiration >> 48); - plaintextWithHeader[2] = (byte)(utcTicksExpiration >> 40); - plaintextWithHeader[3] = (byte)(utcTicksExpiration >> 32); - plaintextWithHeader[4] = (byte)(utcTicksExpiration >> 24); - plaintextWithHeader[5] = (byte)(utcTicksExpiration >> 16); - plaintextWithHeader[6] = (byte)(utcTicksExpiration >> 8); - plaintextWithHeader[7] = (byte)(utcTicksExpiration); - Buffer.BlockCopy(plaintext, 0, plaintextWithHeader, 8, plaintext.Length); - - return InnerProtector.Protect(plaintextWithHeader); - } - - public byte[] Unprotect([NotNull] byte[] protectedData) - { - DateTimeOffset unused; - return Unprotect(protectedData, out unused); - } - - public byte[] Unprotect([NotNull] byte[] protectedData, out DateTimeOffset expiration) - { - try - { - byte[] plaintextWithHeader = InnerProtector.Unprotect(protectedData); - CryptoUtil.Assert(plaintextWithHeader.Length >= 8, "No header present."); - - // Read expiration time back out of the payload - ulong utcTicksExpiration = (((ulong)plaintextWithHeader[0]) << 56) - | (((ulong)plaintextWithHeader[1]) << 48) - | (((ulong)plaintextWithHeader[2]) << 40) - | (((ulong)plaintextWithHeader[3]) << 32) - | (((ulong)plaintextWithHeader[4]) << 24) - | (((ulong)plaintextWithHeader[5]) << 16) - | (((ulong)plaintextWithHeader[6]) << 8) - | (ulong)plaintextWithHeader[7]; - - // Are we expired? 
- DateTime utcNow = DateTime.UtcNow; - if ((ulong)utcNow.Ticks > utcTicksExpiration) - { - throw Error.TimeLimitedDataProtector_PayloadExpired(utcTicksExpiration); - } - - byte[] retVal = new byte[plaintextWithHeader.Length - 8]; - Buffer.BlockCopy(plaintextWithHeader, 8, retVal, 0, retVal.Length); - - expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero); - return retVal; - } - catch (Exception ex) when (ex.RequiresHomogenization()) - { - // Homogenize all failures to CryptographicException - throw Error.CryptCommon_GenericError(ex); - } - } - - IDataProtector IDataProtectionProvider.CreateProtector([NotNull] string purpose) - { - return CreateProtector(purpose); - } - } -} diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs new file mode 100644 index 0000000000..d0ef0a770a --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs 
@@ -0,0 +1,102 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Globalization; +using System.Text; +using Moq; +using Xunit; + +namespace Microsoft.AspNet.DataProtection +{ + public class DataProtectionExtensionsTests + { + private const string SampleEncodedString = "AQI"; // = WebEncoders.Base64UrlEncode({ 0x01, 0x02 }) + + [Fact] + public void Protect_PayloadAsString_WithExplicitExpiration() + { + // Arrange + var plaintextAsBytes = Encoding.UTF8.GetBytes("this is plaintext"); + var expiration = StringToDateTime("2015-01-01 00:00:00Z"); + var mockDataProtector = new Mock(); + mockDataProtector.Setup(o => o.Protect(plaintextAsBytes, expiration)).Returns(new byte[] { 0x01, 0x02 }); + + // Act + string protectedPayload = mockDataProtector.Object.Protect("this is plaintext", expiration); + + // Assert + Assert.Equal(SampleEncodedString, protectedPayload); + } + + [Fact] + public void Protect_PayloadAsString_WithLifetimeAsTimeSpan() + { + // Arrange + var plaintextAsBytes = Encoding.UTF8.GetBytes("this is plaintext"); + DateTimeOffset actualExpiration = default(DateTimeOffset); + var mockDataProtector = new Mock(); + mockDataProtector.Setup(o => o.Protect(plaintextAsBytes, It.IsAny())) + .Returns((_, exp) => + { + actualExpiration = exp; + return new byte[] { 0x01, 0x02 }; + }); + + // Act + DateTimeOffset lowerBound = DateTimeOffset.UtcNow.AddHours(48); + string protectedPayload = mockDataProtector.Object.Protect("this is plaintext", TimeSpan.FromHours(48)); + DateTimeOffset upperBound = DateTimeOffset.UtcNow.AddHours(48); + + // Assert + Assert.Equal(SampleEncodedString, protectedPayload); + Assert.InRange(actualExpiration, lowerBound, upperBound); + } + + [Fact] + public void Protect_PayloadAsBytes_WithLifetimeAsTimeSpan() + { + // Arrange + DateTimeOffset actualExpiration = 
default(DateTimeOffset); + var mockDataProtector = new Mock(); + mockDataProtector.Setup(o => o.Protect(new byte[] { 0x11, 0x22, 0x33 }, It.IsAny())) + .Returns((_, exp) => + { + actualExpiration = exp; + return new byte[] { 0x01, 0x02 }; + }); + + // Act + DateTimeOffset lowerBound = DateTimeOffset.UtcNow.AddHours(48); + byte[] protectedPayload = mockDataProtector.Object.Protect(new byte[] { 0x11, 0x22, 0x33 }, TimeSpan.FromHours(48)); + DateTimeOffset upperBound = DateTimeOffset.UtcNow.AddHours(48); + + // Assert + Assert.Equal(new byte[] { 0x01, 0x02 }, protectedPayload); + Assert.InRange(actualExpiration, lowerBound, upperBound); + } + + [Fact] + public void Unprotect_PayloadAsString() + { + // Arrange + var futureDate = DateTimeOffset.UtcNow.AddYears(1); + var controlExpiration = futureDate; + var mockDataProtector = new Mock(); + mockDataProtector.Setup(o => o.Unprotect(new byte[] { 0x01, 0x02 }, out controlExpiration)).Returns(Encoding.UTF8.GetBytes("this is plaintext")); + + // Act + DateTimeOffset testExpiration; + string unprotectedPayload = mockDataProtector.Object.Unprotect(SampleEncodedString, out testExpiration); + + // Assert + Assert.Equal("this is plaintext", unprotectedPayload); + Assert.Equal(futureDate, testExpiration); + } + + private static DateTime StringToDateTime(string input) + { + return DateTimeOffset.ParseExact(input, "u", CultureInfo.InvariantCulture).UtcDateTime; + } + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj b/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj new file mode 100644 index 0000000000..58119f15de --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj 
@@ -0,0 +1,17 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 04aa8e60-a053-4d50-89fe-e76c3df45200 + ..\..\artifacts\obj\$(MSBuildProjectName) + ..\..\artifacts\bin\$(MSBuildProjectName)\ + + + 2.0 + + + diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs new file mode 100644 index 0000000000..fad95f09b9 --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs 
@@ -0,0 +1,178 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Globalization;
+using System.Security.Cryptography;
+using Microsoft.AspNet.DataProtection.Extensions;
+using Moq;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ public class TimeLimitedDataProtectorTests
+ {
+ private const string TimeLimitedPurposeString = "Microsoft.AspNet.DataProtection.TimeLimitedDataProtector.v1";
+
+ [Fact]
+ public void Protect_LifetimeSpecified()
+ {
+ // Arrange
+ // 0x08c1220247e44000 is the representation of midnight 2000-01-01 UTC.
+ DateTimeOffset expiration = StringToDateTime("2000-01-01 00:00:00Z");
+ var mockInnerProtector = new Mock();
+ mockInnerProtector.Setup(o => o.CreateProtector("new purpose").CreateProtector(TimeLimitedPurposeString).Protect(
+ new byte[] {
+ 0x08, 0xc1, 0x22, 0x02, 0x47, 0xe4, 0x40, 0x00, /* header */
+ 0x01, 0x02, 0x03, 0x04, 0x05 /* payload */
+ })).Returns(new byte[] { 0x10, 0x11 });
+
+ var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object);
+
+ // Act
+ var subProtector = timeLimitedProtector.CreateProtector("new purpose");
+ var protectedPayload = subProtector.Protect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }, expiration);
+
+ // Assert
+ Assert.Equal(new byte[] { 0x10, 0x11 }, protectedPayload);
+ }
+
+ [Fact]
+ public void Protect_LifetimeNotSpecified_UsesInfiniteLifetime()
+ {
+ // Arrange
+ // 0x2bca2875f4373fff is the representation of DateTimeOffset.MaxValue.
+ DateTimeOffset expiration = StringToDateTime("2000-01-01 00:00:00Z");
+ var mockInnerProtector = new Mock();
+ mockInnerProtector.Setup(o => o.CreateProtector("new purpose").CreateProtector(TimeLimitedPurposeString).Protect(
+ new byte[] {
+ 0x2b, 0xca, 0x28, 0x75, 0xf4, 0x37, 0x3f, 0xff, /* header */
+ 0x01, 0x02, 0x03, 0x04, 0x05 /* payload */
+ })).Returns(new byte[] { 0x10, 0x11 });
+
+ var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object);
+
+ // Act
+ var subProtector = timeLimitedProtector.CreateProtector("new purpose");
+ var protectedPayload = subProtector.Protect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 });
+
+ // Assert
+ Assert.Equal(new byte[] { 0x10, 0x11 }, protectedPayload);
+ }
+
+ [Fact]
+ public void Unprotect_WithinPayloadValidityPeriod_Success()
+ {
+ // Arrange
+ // 0x08c1220247e44000 is the representation of midnight 2000-01-01 UTC.
+ DateTimeOffset expectedExpiration = StringToDateTime("2000-01-01 00:00:00Z");
+ DateTimeOffset now = StringToDateTime("1999-01-01 00:00:00Z");
+ var mockInnerProtector = new Mock();
+ mockInnerProtector.Setup(o => o.CreateProtector(TimeLimitedPurposeString).Unprotect(new byte[] { 0x10, 0x11 })).Returns(
+ new byte[] {
+ 0x08, 0xc1, 0x22, 0x02, 0x47, 0xe4, 0x40, 0x00, /* header */
+ 0x01, 0x02, 0x03, 0x04, 0x05 /* payload */
+ });
+
+ var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object);
+
+ // Act
+ DateTimeOffset actualExpiration;
+ var retVal = timeLimitedProtector.UnprotectCore(new byte[] { 0x10, 0x11 }, now, out actualExpiration);
+
+ // Assert
+ Assert.Equal(expectedExpiration, actualExpiration);
+ Assert.Equal(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }, retVal);
+ }
+
+ [Fact]
+ public void Unprotect_PayloadHasExpired_Fails()
+ {
+ // Arrange
+ // 0x08c1220247e44000 is the representation of midnight 2000-01-01 UTC.
+ DateTimeOffset expectedExpiration = StringToDateTime("2000-01-01 00:00:00Z");
+ DateTimeOffset now = StringToDateTime("2001-01-01 00:00:00Z");
+ var mockInnerProtector = new Mock();
+ mockInnerProtector.Setup(o => o.CreateProtector(TimeLimitedPurposeString).Unprotect(new byte[] { 0x10, 0x11 })).Returns(
+ new byte[] {
+ 0x08, 0xc1, 0x22, 0x02, 0x47, 0xe4, 0x40, 0x00, /* header */
+ 0x01, 0x02, 0x03, 0x04, 0x05 /* payload */
+ });
+
+ var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object);
+
+ // Act & assert
+ DateTimeOffset unused;
+ var ex = Assert.Throws(() => timeLimitedProtector.UnprotectCore(new byte[] { 0x10, 0x11 }, now, out unused));
+
+ // Assert
+ Assert.Equal(Resources.FormatTimeLimitedDataProtector_PayloadExpired(expectedExpiration), ex.Message);
+ }
+
+ [Fact]
+ public void Unprotect_ProtectedDataMalformed_Fails()
+ {
+ // Arrange
+ // 0x08c1220247e44000 is the representation of midnight 2000-01-01 UTC.
+ var mockInnerProtector = new Mock();
+ mockInnerProtector.Setup(o => o.CreateProtector(TimeLimitedPurposeString).Unprotect(new byte[] { 0x10, 0x11 })).Returns(
+ new byte[] {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 /* header too short */
+ });
+
+ var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object);
+
+ // Act & assert
+ DateTimeOffset unused;
+ var ex = Assert.Throws(() => timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 }, out unused));
+
+ // Assert
+ Assert.Equal(Resources.TimeLimitedDataProtector_PayloadInvalid, ex.Message);
+ }
+
+ [Fact]
+ public void Unprotect_UnprotectOperationFails_HomogenizesExceptionToCryptographicException()
+ {
+ // Arrange
+ // 0x08c1220247e44000 is the representation of midnight 2000-01-01 UTC.
+ var mockInnerProtector = new Mock();
+ mockInnerProtector.Setup(o => o.CreateProtector(TimeLimitedPurposeString).Unprotect(new byte[] { 0x10, 0x11 })).Throws(new Exception("How exceptional!"));
+ var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object);
+
+ // Act & assert
+ DateTimeOffset unused;
+ var ex = Assert.Throws(() => timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 }, out unused));
+
+ // Assert
+ Assert.Equal(Resources.CryptCommon_GenericError, ex.Message);
+ Assert.Equal("How exceptional!", ex.InnerException.Message);
+ }
+
+ [Fact]
+ public void RoundTrip_ProtectedData()
+ {
+ // Arrange
+ var ephemeralProtector = new EphemeralDataProtectionProvider().CreateProtector("my purpose");
+ var timeLimitedProtector = new TimeLimitedDataProtector(ephemeralProtector);
+ var expectedExpiration = StringToDateTime("2020-01-01 00:00:00Z");
+
+ // Act
+ byte[] ephemeralProtectedPayload = ephemeralProtector.Protect(new byte[] { 0x01, 0x02, 0x03, 0x04 });
+ byte[] timeLimitedProtectedPayload = timeLimitedProtector.Protect(new byte[] { 0x11, 0x22, 0x33, 0x44 }, expectedExpiration);
+
+ // Assert
+ DateTimeOffset actualExpiration;
+ Assert.Equal(new byte[] { 0x11, 0x22, 0x33, 0x44 }, timeLimitedProtector.UnprotectCore(timeLimitedProtectedPayload, StringToDateTime("2010-01-01 00:00:00Z"), out actualExpiration));
+ Assert.Equal(expectedExpiration, actualExpiration);
+
+ // the two providers shouldn't be able to talk to one another (due to the purpose chaining)
+ Assert.Throws(() => ephemeralProtector.Unprotect(timeLimitedProtectedPayload));
+ Assert.Throws(() => timeLimitedProtector.Unprotect(ephemeralProtectedPayload, out actualExpiration));
+ }
+
+ private static DateTime StringToDateTime(string input)
+ {
+ return DateTimeOffset.ParseExact(input, "u", CultureInfo.InvariantCulture).UtcDateTime;
+ }
+ }
+}
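Review bot: The expiry tests in TimeLimitedDataProtectorTests.cs probe `now` only a full year before and a full year after the 2000-01-01 expiration, so the behaviour of `UnprotectCore` at the boundary itself is not pinned. A case with `now` equal to `expectedExpiration`, and one a single tick later, would fix whether the comparison is inclusive and would catch an off-by-one that lets a payload outlive its lifetime. Separately, `Protect_LifetimeNotSpecified_UsesInfiniteLifetime` declares `DateTimeOffset expiration = StringToDateTime("2000-01-01 00:00:00Z");` and never uses it; that line, and the `0x08c1220247e44000` comments in `Unprotect_ProtectedDataMalformed_Fails` and `Unprotect_UnprotectOperationFails_HomogenizesExceptionToCryptographicException`, look like copy-paste leftovers and can be dropped.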
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json new file mode 100644 index 0000000000..bcc0e2decf --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json @@ -0,0 +1,18 @@ +{ + "dependencies": { + "Microsoft.AspNet.DataProtection.Interfaces": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*", + "Microsoft.AspNet.Testing": "1.0.0-*", + "Moq": "4.2.1312.1622", + "xunit.runner.aspnet": "2.0.0-aspnet-*" + }, + "frameworks": { + "dnx451": { } + }, + "commands": { + "test": "xunit.runner.aspnet" + }, + "compilationOptions": { + + } +} diff --git a/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs deleted file mode 100644 index 2b2c122265..0000000000 --- a/test/Microsoft.AspNet.DataProtection.Test/DataProtectionExtensionsTests.cs +++ /dev/null 
@@ -1,40 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Moq; -using Xunit; - -namespace Microsoft.AspNet.DataProtection -{ - public class DataProtectionExtensionsTests - { - [Fact] - public void AsTimeLimitedProtector_ProtectorIsAlreadyTimeLimited_ReturnsThis() - { - // Arrange - var originalProtector = new Mock().Object; - - // Act - var retVal = originalProtector.AsTimeLimitedDataProtector(); - - // Assert - Assert.Same(originalProtector, retVal); - } - - [Fact] - public void AsTimeLimitedProtector_ProtectorIsNotTimeLimited_CreatesNewProtector() - { - // Arrange - var innerProtector = new Mock().Object; - var outerProtectorMock = new Mock(); - outerProtectorMock.Setup(o => o.CreateProtector("Microsoft.AspNet.DataProtection.TimeLimitedDataProtector")).Returns(innerProtector); - - // Act - var timeLimitedProtector = (TimeLimitedDataProtector)outerProtectorMock.Object.AsTimeLimitedDataProtector(); - - // Assert - Assert.Same(innerProtector, timeLimitedProtector.InnerProtector); - } - } -} diff --git a/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs deleted file mode 100644 index 354078de05..0000000000 --- a/test/Microsoft.AspNet.DataProtection.Test/TimeLimitedDataProtectorTests.cs +++ /dev/null 
@@ -1,87 +0,0 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography; -using Moq; -using Xunit; - -namespace Microsoft.AspNet.DataProtection -{ - public class TimeLimitedDataProtectorTests - { - [Fact] - public void CreateProtector_And_Protect() - { - // Arrange - // 0x08c1220247e44000 is the representation of midnight 2000-01-01 UTC. - DateTimeOffset expiration = new DateTimeOffset(new DateTime(2000, 1, 1, 0, 0, 0, DateTimeKind.Utc)); - Mock innerProtectorMock = new Mock(); - innerProtectorMock.Setup(o => o.Protect(new byte[] { 0x08, 0xc1, 0x22, 0x02, 0x47, 0xe4, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x10, 0x11 }); - Mock outerProtectorMock = new Mock(); - outerProtectorMock.Setup(p => p.CreateProtector("new purpose")).Returns(innerProtectorMock.Object); - - // Act - var timeLimitedProtector = new TimeLimitedDataProtector(outerProtectorMock.Object); - var subProtector = timeLimitedProtector.CreateProtector("new purpose"); - var protectedPayload = subProtector.Protect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }, expiration); - - // Assert - Assert.Equal(new byte[] { 0x10, 0x11 }, protectedPayload); - } - - [Fact] - public void ExpiredData_Fails() - { - // Arrange - var timeLimitedProtector = CreateEphemeralTimeLimitedProtector(); - var expiration = DateTimeOffset.UtcNow.AddYears(-1); - - // Act & assert - var protectedData = timeLimitedProtector.Protect(new byte[] { 0x04, 0x08, 0x0c }, expiration); - Assert.Throws(() => - { - timeLimitedProtector.Unprotect(protectedData); - }); - } - - [Fact] - public void GoodData_RoundTrips() - { - // Arrange - var timeLimitedProtector = CreateEphemeralTimeLimitedProtector(); - var expectedExpiration = DateTimeOffset.UtcNow.AddYears(1); - - // Act - var protectedData = timeLimitedProtector.Protect(new byte[] { 0x04, 
0x08, 0x0c }, expectedExpiration); - DateTimeOffset actualExpiration; - var unprotectedData = timeLimitedProtector.Unprotect(protectedData, out actualExpiration); - - // Assert - Assert.Equal(new byte[] { 0x04, 0x08, 0x0c }, unprotectedData); - Assert.Equal(expectedExpiration, actualExpiration); - } - - [Fact] - public void Protect_NoExpiration_UsesDateTimeOffsetMaxValue() - { - // Should pass DateTimeOffset.MaxValue (utc ticks = 0x2bca2875f4373fff) if no expiration date specified - - // Arrange - Mock innerProtectorMock = new Mock(); - innerProtectorMock.Setup(o => o.Protect(new byte[] { 0x2b, 0xca, 0x28, 0x75, 0xf4, 0x37, 0x3f, 0xff,0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x10, 0x11 }); - - // Act - var timeLimitedProtector = new TimeLimitedDataProtector(innerProtectorMock.Object); - var protectedPayload = timeLimitedProtector.Protect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 }); - - // Assert - Assert.Equal(new byte[] { 0x10, 0x11 }, protectedPayload); - } - - private static TimeLimitedDataProtector CreateEphemeralTimeLimitedProtector() - { - return new TimeLimitedDataProtector(new EphemeralDataProtectionProvider().CreateProtector("purpose")); - } - } -} From 22927ec289880e9c259f237ff69b18ccac04af22 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 17 Mar 2015 15:04:59 -0700 Subject: [PATCH 121/493] Add simple file-based provider instantiation APIs --- .../DataProtectionProvider.cs | 60 ++++++++++++ ...er.cs => DataProtectionProviderFactory.cs} | 31 +------ .../DataProtectionServiceDescriptors.cs | 2 +- .../DataProtectionProviderTests.cs | 92 +++++++++++++++++++ 4 files changed, 154 insertions(+), 31 deletions(-) create mode 100644 src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs rename src/Microsoft.AspNet.DataProtection/{DataProtectionProvider.cs => DataProtectionProviderFactory.cs} (64%) create mode 100644 test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs 
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
new file mode 100644
index 0000000000..badb814072
--- /dev/null
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
@@ -0,0 +1,60 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using Microsoft.Framework.DependencyInjection;
+using Microsoft.Framework.Internal;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ ///
+ /// A simple implementation of an where keys are stored
+ /// at a particular location on the file system.
+ ///
+ public sealed class DataProtectionProvider : IDataProtectionProvider
+ {
+ private readonly IDataProtectionProvider _innerProvider;
+
+ ///
+ /// Creates an given a location at which to store keys.
+ ///
+ /// The in which keys should be stored. This may
+ /// represent a directory on a local disk or a UNC share.
+ public DataProtectionProvider([NotNull] DirectoryInfo keyDirectory)
+ : this(keyDirectory, configure: null)
+ {
+ }
+
+ ///
+ /// Creates an given a location at which to store keys and an
+ /// optional configuration callback.
+ ///
+ /// The in which keys should be stored. This may
+ /// represent a directory on a local disk or a UNC share.
+ /// An optional callback which provides further configuration of the data protection
+ /// system. See for more information.
+ public DataProtectionProvider([NotNull] DirectoryInfo keyDirectory, Action configure)
+ {
+ // build the service collection
+ ServiceCollection serviceCollection = new ServiceCollection();
+ serviceCollection.AddDataProtection();
+ serviceCollection.ConfigureDataProtection(configurationObject =>
+ {
+ configurationObject.PersistKeysToFileSystem(keyDirectory);
+ configure?.Invoke(configurationObject);
+ });
+
+ // extract the provider instance from the service collection
+ _innerProvider = serviceCollection.BuildServiceProvider().GetRequiredService();
+ }
+
+ ///
+ /// Implements .
+ ///
+ public IDataProtector CreateProtector([NotNull] string purpose)
+ {
+ return _innerProvider.CreateProtector(purpose);
+ }
+ }
+}
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
similarity index 64%
rename from src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs
rename to src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
index de61cdd9f7..d08d326539 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
@@ -12,37 +12,8 @@ namespace Microsoft.AspNet.DataProtection
 ///
 /// Contains static factory methods for creating instances.
 ///
- public static class DataProtectionProvider
+ internal static class DataProtectionProviderFactory
 {
- ///
- /// Creates an ephemeral .
- ///
- /// An ephemeral .
- ///
- /// Payloads generated by any given instance of an
- /// can only be unprotected by that same provider instance. Once an instance of an ephemeral
- /// provider is lost, all payloads generated by that provider are permanently undecipherable.
- ///
- public static EphemeralDataProtectionProvider CreateNewEphemeralProvider()
- {
- return CreateNewEphemeralProvider(services: null);
- }
-
- ///
- /// Creates an ephemeral .
- ///
- /// Optional services (such as logging) for use by the provider.
- /// An ephemeral .
- ///
- /// Payloads generated by any given instance of an
- /// can only be unprotected by that same provider instance. Once an instance of an ephemeral
- /// provider is lost, all payloads generated by that provider are permanently undecipherable.
- ///
- public static EphemeralDataProtectionProvider CreateNewEphemeralProvider(IServiceProvider services)
- {
- return new EphemeralDataProtectionProvider(services);
- }
-
 ///
 /// Creates an given an .
 ///
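Review bot: In the new DataProtectionProvider.cs, the constructor doc comments say the key directory may be a UNC share but never say that keys are written there unencrypted unless the `configure` callback adds protection. The tests added in this same patch assert exactly that for the single-argument overload (the key file contains "Warning: the key below is in an unencrypted form."). I would add a remarks line to both constructors along the lines of `/// Keys are stored unencrypted at rest unless the configure callback enables key protection (for example ProtectKeysWithDpapi); restrict access to the directory accordingly.` Also, the provider returned by `BuildServiceProvider()` is dropped right after `GetRequiredService`, so it is worth confirming that nothing it owns needs disposing.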
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs index f7a8c3da0b..280d0d63d8 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs @@ -85,7 +85,7 @@ namespace Microsoft.Framework.DependencyInjection public static ServiceDescriptor IDataProtectionProvider_Default() { return ServiceDescriptor.Singleton( - services => DataProtectionProvider.GetProviderFromServices( + services => DataProtectionProviderFactory.GetProviderFromServices( options: services.GetRequiredService>().Options, services: services, mustCreateImmediately: true /* this is the ultimate fallback */)); diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs new file mode 100644 index 0000000000..3420dd030a --- /dev/null +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs 
@@ -0,0 +1,92 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using Microsoft.AspNet.Testing.xunit;
+using Xunit;
+
+namespace Microsoft.AspNet.DataProtection
+{
+ public class DataProtectionProviderTests
+ {
+ [ConditionalFact]
+ [ConditionalRunTestOnlyIfLocalAppDataAvailable]
+ public void System_UsesProvidedDirectory()
+ {
+ WithUniqueTempDirectory(directory =>
+ {
+ // Step 1: directory should be completely empty
+ directory.Create();
+ Assert.Empty(directory.GetFiles());
+
+ // Step 2: instantiate the system and round-trip a payload
+ var protector = new DataProtectionProvider(directory).CreateProtector("purpose");
+ Assert.Equal("payload", protector.Unprotect(protector.Protect("payload")));
+
+ // Step 3: validate that there's now a single key in the directory and that it's not protected
+ var allFiles = directory.GetFiles();
+ Assert.Equal(1, allFiles.Length);
+ Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase);
+ string fileText = File.ReadAllText(allFiles[0].FullName);
+ Assert.Contains("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal);
+ Assert.DoesNotContain("Windows DPAPI", fileText, StringComparison.Ordinal);
+ });
+ }
+
+ [ConditionalFact]
+ [ConditionalRunTestOnlyIfLocalAppDataAvailable]
+ public void System_UsesProvidedDirectory_WithConfigurationCallback()
+ {
+ WithUniqueTempDirectory(directory =>
+ {
+ // Step 1: directory should be completely empty
+ directory.Create();
+ Assert.Empty(directory.GetFiles());
+
+ // Step 2: instantiate the system and round-trip a payload
+ var protector = new DataProtectionProvider(directory, configure =>
+ {
+ configure.ProtectKeysWithDpapi();
+ }).CreateProtector("purpose");
+ Assert.Equal("payload", protector.Unprotect(protector.Protect("payload")));
+
+ // Step 3: validate that there's now a single key in the directory and that it's protected with DPAPI
+ var allFiles = directory.GetFiles();
+ Assert.Equal(1, allFiles.Length);
+ Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase);
+ string fileText = File.ReadAllText(allFiles[0].FullName);
+ Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal);
+ Assert.Contains("Windows DPAPI", fileText, StringComparison.Ordinal);
+ });
+ }
+
+ ///
+ /// Runs a test and cleans up the temp directory afterward.
+ ///
+ private static void WithUniqueTempDirectory(Action testCode)
+ {
+ string uniqueTempPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString());
+ var dirInfo = new DirectoryInfo(uniqueTempPath);
+ try
+ {
+ testCode(dirInfo);
+ }
+ finally
+ {
+ // clean up when test is done
+ if (dirInfo.Exists)
+ {
+ dirInfo.Delete(recursive: true);
+ }
+ }
+ }
+
+ private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition
+ {
+ public bool IsMet => (Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null);
+
+ public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located.";
+ }
+ }
+}
From 271ec1bd4bb0496e2d758032ad58a00bd919d831 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 17 Mar 2015 20:54:12 -0700 Subject: [PATCH 122/493] Move IApplicationDiscriminator to Infrastructure namespace --- .../DataProtectionExtensions.cs | 1 + .../{ => Infrastructure}/IApplicationDiscriminator.cs | 8 +++++++- .../DataProtectionStartup.cs | 1 + .../DataProtectionExtensionsTests.cs | 1 + 4 files changed, 10 insertions(+), 1 deletion(-) rename src/Microsoft.AspNet.DataProtection.Interfaces/{ => Infrastructure}/IApplicationDiscriminator.cs (67%)
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs
index bd41d6ba9a..76693edd73 100644
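Review bot: `ConditionalRunTestOnlyIfLocalAppDataAvailable.IsMet` in DataProtectionProviderTests.cs compares `Environment.GetFolderPath(...)` with `null`, but that method returns an empty string when the folder is not available, so the condition is always met and the tests are never skipped. Use `public bool IsMet => !String.IsNullOrEmpty(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData));` instead. The second test also calls `ProtectKeysWithDpapi()`, which presumably needs Windows; if these tests can run on other platforms, that deserves its own condition rather than the %LOCALAPPDATA% check.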
--- a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs @@ -6,6 +6,7 @@ using System.Collections.Generic; using System.ComponentModel; using System.Diagnostics; using System.Security.Cryptography; +using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Interfaces; using Microsoft.Framework.Internal; diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/IApplicationDiscriminator.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/Infrastructure/IApplicationDiscriminator.cs similarity index 67% rename from src/Microsoft.AspNet.DataProtection.Interfaces/IApplicationDiscriminator.cs rename to src/Microsoft.AspNet.DataProtection.Interfaces/Infrastructure/IApplicationDiscriminator.cs index 232780a311..23c2764f9d 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/IApplicationDiscriminator.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Infrastructure/IApplicationDiscriminator.cs @@ -2,12 +2,18 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.ComponentModel; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNet.DataProtection.Infrastructure { /// /// Provides information used to discriminate applications. /// + /// + /// This type supports the data protection system and is not intended to be used + /// by consumers. + /// + [EditorBrowsable(EditorBrowsableState.Never)] public interface IApplicationDiscriminator { /// diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs index 664a68aa73..ef93c82ad8 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs 
@@ -5,6 +5,7 @@ using System; using System.Configuration; using System.Web; using System.Web.Configuration; +using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.Framework.DependencyInjection; namespace Microsoft.AspNet.DataProtection.SystemWeb diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs index a174b4a4fa..42deb31f55 100644 --- a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs @@ -5,6 +5,7 @@ using System; using System.Collections.Generic; using System.Security.Cryptography; using System.Text; +using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Interfaces; using Microsoft.AspNet.Testing; using Microsoft.Framework.Runtime; From ca840d3711ab9157c4e2db259ddf224566d34240 Mon Sep 17 00:00:00 2001 From: Levi B Date: Tue, 17 Mar 2015 22:03:43 -0700 Subject: [PATCH 123/493] Code cleanup in KeyDerivation - Rename PRF members to be HMAC functions (which is technically correct) - Use NotNullAttribute where possible --- .../KeyDerivation.cs | 13 +---- .../KeyDerivationPrf.cs | 12 ++-- .../PBKDF2/ManagedPbkdf2Provider.cs | 6 +- .../PBKDF2/Win7Pbkdf2Provider.cs | 6 +- .../PBKDF2/Win8Pbkdf2Provider.cs | 12 ++-- .../project.json | 3 +- .../Pbkdf2Tests.cs | 56 +++++++++---------- 7 files changed, 51 insertions(+), 57 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs index 3bb818b433..34e8f71128 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs 
@@ -3,6 +3,7 @@ using System; using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; +using Microsoft.Framework.Internal; namespace Microsoft.AspNet.Cryptography.KeyDerivation { @@ -24,18 +25,10 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation /// /// The PBKDF2 algorithm is specified in RFC 2898. /// - public static byte[] Pbkdf2(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) + public static byte[] Pbkdf2([NotNull] string password, [NotNull] byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) { // parameter checking - if (password == null) - { - throw new ArgumentNullException(nameof(password)); - } - if (salt == null) - { - throw new ArgumentNullException(nameof(salt)); - } - if (prf < KeyDerivationPrf.Sha1 || prf > KeyDerivationPrf.Sha512) + if (prf < KeyDerivationPrf.HMACSHA1 || prf > KeyDerivationPrf.HMACSHA512) { throw new ArgumentOutOfRangeException(nameof(prf)); } diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs index 0f8556eb10..14e666d104 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs @@ -11,18 +11,18 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation public enum KeyDerivationPrf { /// - /// SHA-1 (FIPS PUB 180-4) + /// The HMAC algorithm (RFC 2104) using the SHA-1 hash function (FIPS 180-4). /// - Sha1, + HMACSHA1, /// - /// SHA-256 (FIPS PUB 180-4) + /// The HMAC algorithm (RFC 2104) using the SHA-256 hash function (FIPS 180-4). /// - Sha256, + HMACSHA256, /// - /// SHA-512 (FIPS PUB 180-4) + /// The HMAC algorithm (RFC 2104) using the SHA-512 hash function (FIPS 180-4). /// - Sha512, + HMACSHA512, } } 
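Review bot: The second KeyDerivation.cs hunk deletes the `ArgumentNullException` checks on `password` and `salt` in the public `Pbkdf2` entry point and relies on `[NotNull]` instead. The attribute comes from a package that project.json references with `"type": "build"`, and nothing in this diff shows it producing a runtime check, so a null argument may now fail later inside one of the PBKDF2 providers with a less specific exception. Unless the build is known to inject the guard, keep the explicit checks alongside the attribute: `if (password == null) { throw new ArgumentNullException(nameof(password)); }` and the same for `salt`. The body of `Pbkdf2` continues outside the hunk.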
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs index cc6f7d17ec..03df786627 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs @@ -73,11 +73,11 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { switch (prf) { - case KeyDerivationPrf.Sha1: + case KeyDerivationPrf.HMACSHA1: return new HMACSHA1(passwordBytes); - case KeyDerivationPrf.Sha256: + case KeyDerivationPrf.HMACSHA256: return new HMACSHA256(passwordBytes); - case KeyDerivationPrf.Sha512: + case KeyDerivationPrf.HMACSHA512: return new HMACSHA512(passwordBytes); default: throw CryptoUtil.Fail("Unrecognized PRF."); diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs index 629f568fcb..343800aa91 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs @@ -86,11 +86,11 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { switch (prf) { - case KeyDerivationPrf.Sha1: + case KeyDerivationPrf.HMACSHA1: return CachedAlgorithmHandles.HMAC_SHA1; - case KeyDerivationPrf.Sha256: + case KeyDerivationPrf.HMACSHA256: return CachedAlgorithmHandles.HMAC_SHA256; - case KeyDerivationPrf.Sha512: + case KeyDerivationPrf.HMACSHA512: return CachedAlgorithmHandles.HMAC_SHA512; default: throw CryptoUtil.Fail("Unrecognized PRF."); diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs index d2ff0ce174..abc0dcec6c 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs 
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs @@ -112,13 +112,13 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 BCryptAlgorithmHandle prfAlgorithmHandle; // cached; don't dispose switch (prf) { - case KeyDerivationPrf.Sha1: + case KeyDerivationPrf.HMACSHA1: prfAlgorithmHandle = CachedAlgorithmHandles.SHA1; break; - case KeyDerivationPrf.Sha256: + case KeyDerivationPrf.HMACSHA256: prfAlgorithmHandle = CachedAlgorithmHandles.SHA256; break; - case KeyDerivationPrf.Sha512: + case KeyDerivationPrf.HMACSHA512: prfAlgorithmHandle = CachedAlgorithmHandles.SHA512; break; default: @@ -197,11 +197,11 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 { switch (prf) { - case KeyDerivationPrf.Sha1: + case KeyDerivationPrf.HMACSHA1: return Constants.BCRYPT_SHA1_ALGORITHM; - case KeyDerivationPrf.Sha256: + case KeyDerivationPrf.HMACSHA256: return Constants.BCRYPT_SHA256_ALGORITHM; - case KeyDerivationPrf.Sha512: + case KeyDerivationPrf.HMACSHA512: return Constants.BCRYPT_SHA512_ALGORITHM; default: throw CryptoUtil.Fail("Unrecognized PRF."); diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 14dfb3d55a..438713f062 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -2,7 +2,8 @@ "version": "1.0.0-*", "description": "ASP.NET 5 utilities for key derivation.", "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*" + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" } }, "frameworks": { "net451": { }, diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs index 81b0908ce0..3274b8032a 100644 
--- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs 
@@ -16,15 +16,15 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation // this value straddles the digest length of the PRF. We only use 5 iterations so // that our unit tests are fast. [Theory] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 1, 
"JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] public void RunTest_Normal_Managed(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) { // Arrange 
@@ -43,15 +43,15 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation // that our unit tests are fast. [ConditionalTheory] [ConditionalRunTestOnlyOnWindows] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] + 
[InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] public void RunTest_Normal_Win7(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) { // Arrange 
@@ -70,15 +70,15 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation // that our unit tests are fast. [ConditionalTheory] [ConditionalRunTestOnlyOnWindows8OrLater] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] - [InlineData("my-password", KeyDerivationPrf.Sha1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] - [InlineData("my-password", KeyDerivationPrf.Sha256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] - [InlineData("my-password", KeyDerivationPrf.Sha512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] + 
[InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] public void RunTest_Normal_Win8(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) { // Arrange @@ -119,7 +119,7 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation string password = new String('x', 50000); // 50,000 char password byte[] salt = Encoding.UTF8.GetBytes("salt"); const string expectedDerivedKeyBase64 = "Sc+V/c3fiZq5Z5qH3iavAiojTsW97FAp2eBNmCQAwCNzA8hfhFFYyQLIMK65qPnBFHOHXQPwAxNQNhaEAH9hzfiaNBSRJpF9V4rpl02d5ZpI6cZbsQFF7TJW7XJzQVpYoPDgJlg0xVmYLhn1E9qMtUVUuXsBjOOdd7K1M+ZI00c="; - const KeyDerivationPrf prf = KeyDerivationPrf.Sha256; + const KeyDerivationPrf prf = KeyDerivationPrf.HMACSHA256; const int iterationCount = 5; const int numBytesRequested = 128; From fd083259188894b80b0653f920dac2d9dddf5999 Mon Sep 17 00:00:00 2001 From: Levi B Date: Wed, 18 Mar 2015 10:42:09 -0700 Subject: [PATCH 124/493] Skip registry checks on non-Windows platforms --- .../DataProtectionServices.cs | 35 +++++++++---------- 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index 0b5890e810..7fd92d7c41 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs 
@@ -10,6 +10,7 @@ using Microsoft.AspNet.DataProtection.Cng;
 using Microsoft.AspNet.DataProtection.KeyManagement;
 using Microsoft.AspNet.DataProtection.Repositories;
 using Microsoft.Framework.Logging;
+using Microsoft.Win32;
 namespace Microsoft.Framework.DependencyInjection
 {
@@ -79,26 +80,19 @@ namespace Microsoft.Framework.DependencyInjection
 else
 {
 // Use profile isn't available - can we use the HKLM registry?
- var regKeyStorageKey = RegistryXmlRepository.DefaultRegistryKey;
+ RegistryKey regKeyStorageKey = null;
+ if (OSVersionUtil.IsWindows())
+ {
+ regKeyStorageKey = RegistryXmlRepository.DefaultRegistryKey;
+ }
 if (regKeyStorageKey != null)
 {
- if (OSVersionUtil.IsWindows())
- {
- // If the user profile isn't available, we can protect using DPAPI (to machine).
- keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true);
- }
- keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey);
+ // If the user profile isn't available, we can protect using DPAPI (to machine).
+ keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true);
 if (log.IsInformationLevelEnabled())
 {
- if (keyEncryptorDescriptor != null)
- {
- log.LogInformationF($"User profile not available. Using '{regKeyStorageKey.Name}' as key repository and Windows DPAPI to encrypt keys at rest.");
- }
- else
- {
- log.LogInformationF($"User profile not available. Using '{regKeyStorageKey.Name}' as key repository; keys will not be encrypted at rest.");
- }
+ log.LogInformationF($"User profile not available. Using '{regKeyStorageKey.Name}' as key repository and Windows DPAPI to encrypt keys at rest.");
 }
 }
 else
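Review bot: The rewritten `if (regKeyStorageKey != null)` branch in the second hunk (`@@ -79,26 +80,19 @@`) no longer assigns `keyRepositoryDescriptor`; the removed line `keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey);` has no counterpart on the new side. The branch still selects machine-scoped DPAPI and logs that the registry key is used as the key repository, so the log line describes a repository the code did not configure. Restore that assignment next to the `keyEncryptorDescriptor` line. The enclosing method starts and ends outside the hunk, so how a missing repository descriptor is handled further down cannot be seen from here.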
@@ -135,12 +129,15 @@ namespace Microsoft.Framework.DependencyInjection
 // Read and apply policy from the registry, overriding any other defaults.
 bool encryptorConfigurationReadFromRegistry = false;
- foreach (var descriptor in RegistryPolicyResolver.ResolveDefaultPolicy())
+ if (OSVersionUtil.IsWindows())
 {
- yield return descriptor;
- if (descriptor.ServiceType == typeof(IAuthenticatedEncryptorConfiguration))
+ foreach (var descriptor in RegistryPolicyResolver.ResolveDefaultPolicy())
 {
- encryptorConfigurationReadFromRegistry = true;
+ yield return descriptor;
+ if (descriptor.ServiceType == typeof(IAuthenticatedEncryptorConfiguration))
+ {
+ encryptorConfigurationReadFromRegistry = true;
+ }
 }
 }
From d2def94712a732fa47345702356f1433a0e5fb69 Mon Sep 17 00:00:00 2001
From: Levi B
Date: Wed, 18 Mar 2015 15:12:16 -0700
Subject: [PATCH 125/493] Reliability: Tweak comparison in key revocation checks
---
 .../KeyManagement/XmlKeyManager.cs | 7 ++++++-
 .../KeyManagement/XmlKeyManagerTests.cs | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
index 2465348513..7ea42e2737 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
@@ -204,7 +204,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement
 {
 foreach (var key in keyIdToKeyMap.Values)
 {
- if (key.CreationDate <= mostRecentMassRevocationDate)
+ // The contract of IKeyManager.RevokeAllKeys is that keys created *strictly before* the
+ // revocation date are revoked. The system clock isn't very granular, and if this were
+ // a less-than-or-equal check we could end up with the weird case where a revocation
+ // immediately followed by a key creation results in a newly-created revoked key (since
+ // the clock hasn't yet stepped).
+ if (key.CreationDate < mostRecentMassRevocationDate)
 {
 key.SetRevoked();
 if (_logger.IsVerboseLevelEnabled())
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
index 1fa9079564..559c5cc0be 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
@@ -403,7 +403,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement
- 2016-01-01T00:00:00Z
+ 2017-01-01T00:00:00Z
From 794f60b1040718d803fb522883b5b69fd630a4c3 Mon Sep 17 00:00:00 2001
From: Levi B
Date: Thu, 19 Mar 2015 11:00:05 -0700
Subject: [PATCH 126/493] Fix content path for config transform This forces installation failure in a 4.5 project.
---
 makefile.shade | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/makefile.shade b/makefile.shade
index bc16f4545f..ad1b0d192a 100644
--- a/makefile.shade
+++ b/makefile.shade
@@ -19,7 +19,7 @@ k-standard-goals
 CreatePartFromFile(
 package,
 @"src\Microsoft.AspNet.DataProtection.SystemWeb\web.config.transform",
- @"content\web.config.transform");
+ @"content\net451\web.config.transform");
 }
 }
 }
From 7b707e3b7c7955067398c16e1d3b8a72a48e8564 Mon Sep 17 00:00:00 2001
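Review bot: The strict comparison `key.CreationDate < mostRecentMassRevocationDate` in XmlKeyManager.cs leaves unrevoked any key whose creation timestamp equals the revocation timestamp, and with the coarse clock the new comment describes, that includes a key created just before the revocation within the same tick. The added comment covers only the create-after-revoke ordering; for a mass revocation issued after a suspected key compromise, the other ordering is the one that matters. I would state the trade-off in the comment, e.g. `// NOTE: a key created in the same clock tick as the revocation is not revoked by this check.`, and, if RevokeAllKeys (not visible here) allows it, have it choose a revocation date strictly later than every existing key's creation date. The loop body continues outside the hunk.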
From: Wei Wang Date: Tue, 24 Mar 2015 21:28:25 -0700 Subject: [PATCH 127/493] Remove k command and use dnx instead --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index ec3263114a..d81164353c 100644 --- a/build.sh +++ b/build.sh @@ -31,7 +31,7 @@ if ! type dnvm > /dev/null 2>&1; then source packages/KoreBuild/build/dnvm.sh fi -if ! type k > /dev/null 2>&1; then +if ! type dnx > /dev/null 2>&1; then dnvm upgrade fi From 13dc9d6018bc60a20a1a0cf4c7af754160d35694 Mon Sep 17 00:00:00 2001 From: suhasj Date: Wed, 25 Mar 2015 11:29:29 -0700 Subject: [PATCH 128/493] Updating to release NuGet.config --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index da57d47267..1978dc065a 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@  - + - \ No newline at end of file + From 0fdf8f6bf194329a7d909c430fc3a4c7d38432c5 Mon Sep 17 00:00:00 2001 From: David Fowler Date: Tue, 31 Mar 2015 05:23:09 -0700 Subject: [PATCH 129/493] Marked build.sh as executable --- build.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 build.sh diff --git a/build.sh b/build.sh old mode 100644 new mode 100755 From 33fa06a25c8823cd3f73185573831ed6f769fbd9 Mon Sep 17 00:00:00 2001 
From: Praburaj Date: Wed, 1 Apr 2015 11:54:24 -0700 Subject: [PATCH 130/493] Fixing dataprotection on IIS Fixes: https://github.com/aspnet/DataProtection/issues/73 On IIS where there is no user profile, the code tries to always read the 32bit registry view irrespective of the bitness of the worker process. So in case of 64 bit app pools the registry key is null so it falls back to in memory ephemeral repository. On 32 bit app pool it can find an appropriate registry key, but the keyRepositoryDescriptor is not populated resulting in a null reference exception. Current behavior: X86 throws X64 falls back to in memory ephemeral With fix: Both X86 and X64 will use DPAPI. --- src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs | 1 + .../Repositories/RegistryXmlRepository.cs | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index 7fd92d7c41..32b5d78d01 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs @@ -89,6 +89,7 @@ namespace Microsoft.Framework.DependencyInjection { // If the user profile isn't available, we can protect using DPAPI (to machine). keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true); + keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey); if (log.IsInformationLevelEnabled()) { diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index 9e0d036ef7..be466325bd 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs 
@@ -91,8 +91,9 @@ namespace Microsoft.AspNet.DataProtection.Repositories
 {
 try
 {
+ var registryView = IntPtr.Size == 4 ? RegistryView.Registry32 : RegistryView.Registry64;
 // Try reading the auto-generated machine key from HKLM
- using (var hklmBaseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32))
+ using (var hklmBaseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, registryView))
 {
 // Even though this is in HKLM, WAS ensures that applications hosted in IIS are properly isolated.
 // See APP_POOL::EnsureSharedMachineKeyStorage in WAS source for more info.
From 56cfbdde82b3ed3034799c64f0259b3e755477e6 Mon Sep 17 00:00:00 2001
From: Praburaj
Date: Wed, 1 Apr 2015 11:54:24 -0700
Subject: [PATCH 131/493] Fixing dataprotection on IIS Fixes: https://github.com/aspnet/DataProtection/issues/73 On IIS where there is no user profile, the code tries to always read the 32bit registry view irrespective of the bitness of the worker process. So in case of 64 bit app pools the registry key is null so it falls back to in memory ephemeral repository. On 32 bit app pool it can find an appropriate registry key, but the keyRepositoryDescriptor is not populated resulting in a null reference exception. Current behavior: X86 throws X64 falls back to in memory ephemeral With fix: Both X86 and X64 will use DPAPI.
---
 src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs | 1 +
 .../Repositories/RegistryXmlRepository.cs | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
index 7fd92d7c41..32b5d78d01 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
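Review bot: The `registryView` selection added at the top of the `try` block in RegistryXmlRepository.cs carries no comment explaining why the view has to follow the process bitness, and `IntPtr.Size == 4` says so only indirectly. According to the commit message, a miss on this key silently falls back to an in-memory key repository, so the reason belongs next to the code, for example `// Read the registry view matching this process's bitness; the machine key is not found under the other view.` (wording to be confirmed against WAS behaviour). The same hunk is repeated in PATCH 131 further down the page and the note applies there as well. The `try` block and its handler continue outside the hunk.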
@@ -89,6 +89,7 @@ namespace Microsoft.Framework.DependencyInjection { // If the user profile isn't available, we can protect using DPAPI (to machine). keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true); + keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey); if (log.IsInformationLevelEnabled()) { diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index 9e0d036ef7..be466325bd 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -91,8 +91,9 @@ namespace Microsoft.AspNet.DataProtection.Repositories { try { + var registryView = IntPtr.Size == 4 ? RegistryView.Registry32 : RegistryView.Registry64; // Try reading the auto-generated machine key from HKLM - using (var hklmBaseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32)) + using (var hklmBaseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, registryView)) { // Even though this is in HKLM, WAS ensures that applications hosted in IIS are properly isolated. // See APP_POOL::EnsureSharedMachineKeyStorage in WAS source for more info. From 2cb0ddce8299cbd8e036d0b04cdd5eb0fe29825d Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Wed, 1 Apr 2015 15:40:28 -0700 Subject: [PATCH 132/493] Add travis and appveyor CI support. --- .travis.yml | 3 +++ appveyor.yml | 5 +++++ 2 files changed, 8 insertions(+) create mode 100644 .travis.yml create mode 100644 appveyor.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000000..0f4cb93e59 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,3 @@ +language: csharp +script: + - ./build.sh verify \ No newline at end of file diff --git a/appveyor.yml b/appveyor.yml new file mode 100644 index 0000000000..88cb9ef145 
--- /dev/null +++ b/appveyor.yml @@ -0,0 +1,5 @@ +build_script: + - build.cmd verify +clone_depth: 1 +test: off +deploy: off \ No newline at end of file From df74818199c4144f973034bc83e3782d9d6e8d64 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Wed, 1 Apr 2015 17:04:41 -0700 Subject: [PATCH 133/493] Turn off sudo for .travis.yml. --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 0f4cb93e59..5939a529e5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ language: csharp +sudo: false script: - ./build.sh verify \ No newline at end of file From a8134feb037ad20b611273544ee7d553bc23634b Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 1 Apr 2015 18:10:11 -0700 Subject: [PATCH 134/493] Adding status badges --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 8599b75f90..523c6a4e3c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ DataProtection ============== +AppVeyor: [![AppVeyor](https://ci.appveyor.com/api/projects/status/4mki61bux5vby6it/branch/dev?svg=true)](https://ci.appveyor.com/project/aspnetci/DataProtection/branch/dev) + +Travis: [![Travis](https://travis-ci.org/aspnet/DataProtection.svg?branch=dev)](https://travis-ci.org/aspnet/DataProtection) Data Protection APIs From 1d7ac248eeebe06485ccea19cad842ff99f6b323 Mon Sep 17 00:00:00 2001 From: Troy Dai Date: Thu, 2 Apr 2015 09:19:54 -0700 Subject: [PATCH 135/493] Update global.json, sources=>projects --- global.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/global.json b/global.json index cad39504d4..d9b4ed63ae 100644 --- a/global.json +++ b/global.json @@ -1,3 +1,3 @@ -{ - "sources": [ "src" ] +{ + "projects": [ "src" ] } From 19567ad39d151461061303b1a4041619233faf74 Mon Sep 17 00:00:00 2001 
From: Doug Bunting Date: Thu, 2 Apr 2015 13:49:24 -0700 Subject: [PATCH 136/493] Update .xproj files for Microsoft.Web.AspNet.* -> Microsoft.DNX.* rename --- .../Microsoft.AspNet.Cryptography.Internal.xproj | 6 +++--- .../Microsoft.AspNet.Cryptography.KeyDerivation.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.Extensions.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.Interfaces.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.Shared.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.SystemWeb.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.xproj | 6 +++--- .../Microsoft.AspNet.Cryptography.Internal.Test.xproj | 6 +++--- .../Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.Extensions.Test.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.Interfaces.Test.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.Test.Shared.xproj | 6 +++--- .../Microsoft.AspNet.DataProtection.Test.xproj | 6 +++--- 13 files changed, 39 insertions(+), 39 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj b/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj index 37f5345c21..dc81e9f0a7 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj +++ b/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + E2779976-A28C-4365-A4BB-4AD854FAF23E ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj index 122f0410ea..be90ea0857 100644 
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 421F0383-34B1-402D-807B-A94542513ABA ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj b/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj index 5497c05b2f..772fd0d3ca 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + bf8681db-c28b-441f-bd92-0dcfe9537a9f ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj b/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj index 2937e9a8f7..6c3aba85d2 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 4b115bde-b253-46a6-97bf-a8b37b344ff2 ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file 
diff --git a/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj b/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj index 081f013085..29f937796f 100644 --- a/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj +++ b/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 3277bb22-033f-4010-8131-a515b910caad ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj b/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj index 07283ae05e..8ac91a07c5 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + e3552deb-4173-43ae-bf69-3c10dff3bab6 ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj b/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj index 885bbdd20e..4a0c8dd84d 100644 --- a/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj +++ b/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 1e570cd4-6f12-44f4-961e-005ee2002bc2 ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file 
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj b/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj index bf71fe331c..eff850ff50 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 37053d5f-5b61-47ce-8b72-298ce007ffb0 ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj index 02588fc1d9..e81126fdab 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 42c97f52-8d56-46bd-a712-4f22bed157a7 ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj b/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj index 58119f15de..177bce8e44 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj 
@@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 04aa8e60-a053-4d50-89fe-e76c3df45200 ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj index 85d49cd927..20fb10d4b3 100644 --- a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + ff650a69-dee4-4b36-9e30-264ee7cfb478 ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj b/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj index 35909b7c73..f67c2328f8 100644 --- a/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj +++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 4f14ba2a-4f04-4676-8586-ec380977ee2e ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file diff --git a/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj b/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj index 66ecc0ff24..da168e5304 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj 
+++ b/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj @@ -4,7 +4,7 @@ 14.0 $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - + 7a637185-2ba1-437d-9d4c-7cc4f94cf7bf ..\..\artifacts\obj\$(MSBuildProjectName) @@ -13,5 +13,5 @@ 2.0 - - + + \ No newline at end of file From ec613154129479dc8ecf66273bbbfa2e41998d32 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 2 Apr 2015 16:15:25 -0700 Subject: [PATCH 137/493] Update project.json, code=>compile. Also remove **/*.cs and **/*.vs from compile section. These are now defaulted to on. --- .../project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json index cc31aaa5d0..b1010674f5 100644 --- a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json @@ -12,7 +12,7 @@ "commands": { "test": "xunit.runner.aspnet" }, - "code": "**\\*.cs;..\\common\\**\\*.cs", + "compile": "..\\common\\**\\*.cs", "compilationOptions": { } From da8f69432881a6b6e0363b4b39f620e537bd42e0 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Fri, 3 Apr 2015 17:08:11 -0700 Subject: [PATCH 138/493] Fix AppVeyor git line ending config --- appveyor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/appveyor.yml b/appveyor.yml index 88cb9ef145..3fab83e134 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,3 +1,5 @@ +init: + - git config --global core.autocrlf true build_script: - build.cmd verify clone_depth: 1 From e3f4e51c0da0aa160182d56b01aa119e02b5539f Mon Sep 17 00:00:00 2001 From: Kiran Challa Date: Sat, 4 Apr 2015 00:44:36 -0700 Subject: [PATCH 139/493] Reacting to ILogger api changes --- .../Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs index 2b2ca32a9e..1c224544fd 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs @@ -45,7 +45,7 @@ namespace Microsoft.AspNet.DataProtection _factory = factory; } - public IDisposable BeginScope(object state) + public IDisposable BeginScopeImpl(object state) { return new DummyDisposable(); } From 8b9b809ecd7b2ac4564e21272107b112432eb50c Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Tue, 7 Apr 2015 14:41:49 -0700 Subject: [PATCH 140/493] Add serviceable attribute to projects. aspnet/DNX#1600 --- .../Properties/AssemblyInfo.cs | 4 +++- .../Properties/AssemblyInfo.cs | 4 +++- .../Properties/AssemblyInfo.cs | 4 +++- .../Properties/AssemblyInfo.cs | 4 +++- .../Properties/AssemblyInfo.cs | 6 ++++++ .../Properties/AssemblyInfo.cs | 4 +++- 6 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs index 51cf267319..e0757a8c7e 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs @@ -1,7 +1,8 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Reflection; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; 
@@ -14,3 +15,4 @@ using System.Runtime.InteropServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Interfaces.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] +[assembly: AssemblyMetadata("Serviceable", "True")] diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs index 1810781789..329cc5b736 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs @@ -1,7 +1,9 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Reflection; using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] +[assembly: AssemblyMetadata("Serviceable", "True")] diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs index da10ac701d..33cb4b2083 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs 
@@ -1,7 +1,9 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Reflection; using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test")] +[assembly: AssemblyMetadata("Serviceable", "True")] diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs index 57b7412919..b25fbe06e2 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs @@ -1,8 +1,10 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Reflection; using System.Runtime.CompilerServices; // for unit testing [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Interfaces.Test")] +[assembly: AssemblyMetadata("Serviceable", "True")] diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..f5c6f4a83a --- /dev/null +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs @@ -0,0 +1,6 @@ +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Reflection; + +[assembly: AssemblyMetadata("Serviceable", "True")] \ No newline at end of file 
diff --git a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs index 68aea95cb4..b9ae4cdaa5 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs @@ -1,9 +1,11 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Reflection; using System.Runtime.CompilerServices; // for unit testing [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] [assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] +[assembly: AssemblyMetadata("Serviceable", "True")] From 7591d5b813bbebbf852a3440b2900f45ef745042 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Tue, 7 Apr 2015 16:14:26 -0700 Subject: [PATCH 141/493] Update .travis.yml and appveyor.yml to build quietly. --- .travis.yml | 2 +- appveyor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 5939a529e5..947bf868ee 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,4 @@ language: csharp sudo: false script: - - ./build.sh verify \ No newline at end of file + - ./build.sh --quiet verify \ No newline at end of file diff --git a/appveyor.yml b/appveyor.yml index 3fab83e134..636a7618d3 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,7 +1,7 @@ init: - git config --global core.autocrlf true build_script: - - build.cmd verify + - build.cmd --quiet verify clone_depth: 1 test: off deploy: off \ No newline at end of file From 8983a03fedacd305a0ea372c64cfbd7596eab48c Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Thu, 16 Apr 2015 16:57:44 -0700 Subject: [PATCH 142/493] Reacting to changes in OptionsModel --- src/Microsoft.AspNet.DataProtection/project.json | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 525328fdea..60b6bf893d 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -29,6 +29,7 @@ "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", "System.IO": "4.0.10-beta-*", + "System.IO.FileSystem": "4.0.0-beta-*", "System.Linq": "4.0.0-beta-*", "System.Reflection.Extensions": "4.0.0-beta-*", "System.Reflection.TypeExtensions": "4.0.0-beta-*", From d386e78ee611620a8b527767d0584e2e6a285ec9 Mon Sep 17 00:00:00 2001 From: Matt Ellis Date: Thu, 16 Apr 2015 20:00:54 -0700 Subject: [PATCH 143/493] Use $HOME as a possible storage location If LOCALAPPDATA and USERPROFILE are both null (as is the case on Linux/OSX) use "$HOME/.aspnet" as the root folder for data protection keys Fixes #76 --- .../Repositories/FileSystemXmlRepository.cs | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index a21a92f4d8..53e281eeaa 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -3,6 +3,7 @@ using System; using System.Collections.Generic; +using System.Diagnostics; using System.IO; using System.Linq; using System.Xml.Linq; 
@@ -61,9 +62,11 @@ namespace Microsoft.AspNet.DataProtection.Repositories /// protected IServiceProvider Services { get; } + private const string DataProtectionKeysFolderName = "DataProtection-Keys"; + private static DirectoryInfo GetKeyStorageDirectoryFromBaseAppDataPath(string basePath) { - return new DirectoryInfo(Path.Combine(basePath, "ASP.NET", "DataProtection-Keys")); + return new DirectoryInfo(Path.Combine(basePath, "ASP.NET", DataProtectionKeysFolderName)); } public virtual IReadOnlyCollection GetAllElements() @@ -103,10 +106,33 @@ namespace Microsoft.AspNet.DataProtection.Repositories } #else // On core CLR, we need to fall back to environment variables. - string folderPath = Environment.GetEnvironmentVariable("LOCALAPPDATA") - ?? Path.Combine(Environment.GetEnvironmentVariable("USERPROFILE"), "AppData", "Local"); + DirectoryInfo retVal; + + var localAppDataPath = Environment.GetEnvironmentVariable("LOCALAPPDATA"); + var userProfilePath = Environment.GetEnvironmentVariable("USERPROFILE"); + var homePath = Environment.GetEnvironmentVariable("HOME"); + + if (localAppDataPath != null) + { + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataPath); + } + else if (userProfilePath != null) + { + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(Path.Combine(userProfilePath, "AppData", "Local")); + } + else if (homePath != null) + { + // If LOCALAPPDATA and USERPROFILE are not present but HOME is, + // it's a good guess that this is a *NIX machine. Use *NIX conventions for a folder name. + retVal = new DirectoryInfo(Path.Combine(homePath, ".aspnet", DataProtectionKeysFolderName)); + } + else + { + return null; + } + + Debug.Assert(retVal != null); - DirectoryInfo retVal = GetKeyStorageDirectoryFromBaseAppDataPath(folderPath); try { retVal.Create(); // throws if we don't have access, e.g., user profile not loaded From 7ecbee2f7d05c056ef0948a7efadaf471f3c74b7 Mon Sep 17 00:00:00 2001 
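Review bot: The three `!= null` tests in the core-CLR fallback accept an environment variable that is set but empty, and `Path.Combine` with an empty base yields a relative path, so the key directory would be resolved against the process's current directory instead of the user profile. Testing with `if (!string.IsNullOrEmpty(localAppDataPath))`, and likewise for `userProfilePath` and `homePath`, keeps key material out of an unintended location such as the application folder. The new `$HOME/.aspnet` branch also relies on `retVal.Create()` with default permissions; if nothing outside this hunk restricts the directory or encrypts the keys at rest on *NIX, a comment such as `// NOTE: key directory should be accessible to the owning user only` would record that expectation. `Debug.Assert(retVal != null)` cannot fail after the if/else chain and could be dropped. The enclosing method starts and ends outside this hunk.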
From: Brennan Date: Wed, 29 Apr 2015 17:21:04 -0700 Subject: [PATCH 144/493] Interfaces->Abstractions --- DataProtection.sln | 4 ++-- .../Properties/AssemblyInfo.cs | 2 +- .../CryptoUtil.cs | 0 .../DataProtectionExtensions.cs | 2 +- .../Error.cs | 2 +- .../IDataProtectionProvider.cs | 0 .../IDataProtector.cs | 0 .../Infrastructure/IApplicationDiscriminator.cs | 0 .../Microsoft.AspNet.DataProtection.Abstractions.xproj} | 0 .../Properties/AssemblyInfo.cs | 2 +- .../Properties/Resources.Designer.cs | 4 ++-- .../Resources.resx | 0 .../WebEncoders.cs | 0 .../project.json | 0 src/Microsoft.AspNet.DataProtection/project.json | 2 +- .../DataProtectionExtensionsTests.cs | 2 +- .../Microsoft.AspNet.DataProtection.Abstractions.Test.xproj} | 0 .../project.json | 2 +- .../project.json | 2 +- 19 files changed, 12 insertions(+), 12 deletions(-) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/CryptoUtil.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/DataProtectionExtensions.cs (99%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/Error.cs (93%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/IDataProtectionProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/IDataProtector.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/Infrastructure/IApplicationDiscriminator.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj => Microsoft.AspNet.DataProtection.Abstractions/Microsoft.AspNet.DataProtection.Abstractions.xproj} (100%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/Properties/AssemblyInfo.cs (80%) 
rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/Properties/Resources.Designer.cs (95%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/Resources.resx (100%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/WebEncoders.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Interfaces => Microsoft.AspNet.DataProtection.Abstractions}/project.json (100%) rename test/{Microsoft.AspNet.DataProtection.Interfaces.Test => Microsoft.AspNet.DataProtection.Abstractions.Test}/DataProtectionExtensionsTests.cs (99%) rename test/{Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj => Microsoft.AspNet.DataProtection.Abstractions.Test/Microsoft.AspNet.DataProtection.Abstractions.Test.xproj} (100%) rename test/{Microsoft.AspNet.DataProtection.Interfaces.Test => Microsoft.AspNet.DataProtection.Abstractions.Test}/project.json (86%) diff --git a/DataProtection.sln b/DataProtection.sln index cf081e45be..32886677e3 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -19,9 +19,9 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptograp EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal.Test", "test\Microsoft.AspNet.Cryptography.Internal.Test\Microsoft.AspNet.Cryptography.Internal.Test.xproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces", "src\Microsoft.AspNet.DataProtection.Interfaces\Microsoft.AspNet.DataProtection.Interfaces.xproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Abstractions", "src\Microsoft.AspNet.DataProtection.Abstractions\Microsoft.AspNet.DataProtection.Abstractions.xproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Interfaces.Test", "test\Microsoft.AspNet.DataProtection.Interfaces.Test\Microsoft.AspNet.DataProtection.Interfaces.Test.xproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Abstractions.Test", "test\Microsoft.AspNet.DataProtection.Abstractions.Test\Microsoft.AspNet.DataProtection.Abstractions.Test.xproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test.Shared", "test\Microsoft.AspNet.DataProtection.Test.Shared\Microsoft.AspNet.DataProtection.Test.Shared.xproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" EndProject diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs index e0757a8c7e..2eee92352a 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs 
@@ -13,6 +13,6 @@ using System.Runtime.InteropServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation")] [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Interfaces.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] [assembly: AssemblyMetadata("Serviceable", "True")] diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/CryptoUtil.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/CryptoUtil.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs similarity index 99% rename from src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs index 76693edd73..ca2229de33 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -7,7 +7,7 @@ using System.ComponentModel; using System.Diagnostics; using System.Security.Cryptography; using Microsoft.AspNet.DataProtection.Infrastructure; -using Microsoft.AspNet.DataProtection.Interfaces; +using Microsoft.AspNet.DataProtection.Abstractions; using Microsoft.Framework.Internal; #if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available 
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Error.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs similarity index 93% rename from src/Microsoft.AspNet.DataProtection.Interfaces/Error.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs index e479a1b833..119aab9bd3 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/Error.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs @@ -3,7 +3,7 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.DataProtection.Interfaces; +using Microsoft.AspNet.DataProtection.Abstractions; namespace Microsoft.AspNet.DataProtection { diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtectionProvider.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/IDataProtector.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Infrastructure/IApplicationDiscriminator.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/Infrastructure/IApplicationDiscriminator.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs 
diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj b/src/Microsoft.AspNet.DataProtection.Abstractions/Microsoft.AspNet.DataProtection.Abstractions.xproj similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/Microsoft.AspNet.DataProtection.Interfaces.xproj rename to src/Microsoft.AspNet.DataProtection.Abstractions/Microsoft.AspNet.DataProtection.Abstractions.xproj diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs similarity index 80% rename from src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs index b25fbe06e2..2164560251 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs @@ -6,5 +6,5 @@ using System.Reflection; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Interfaces.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test")] [assembly: AssemblyMetadata("Serviceable", "True")] diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/Resources.Designer.cs similarity index 95% rename from src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/Properties/Resources.Designer.cs index c0b13a79e6..c89ea1509b 100644 --- a/src/Microsoft.AspNet.DataProtection.Interfaces/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/Resources.Designer.cs 
@@ -1,5 +1,5 @@ // -namespace Microsoft.AspNet.DataProtection.Interfaces +namespace Microsoft.AspNet.DataProtection.Abstractions { using System.Globalization; using System.Reflection; @@ -8,7 +8,7 @@ namespace Microsoft.AspNet.DataProtection.Interfaces internal static class Resources { private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.DataProtection.Interfaces.Resources", typeof(Resources).GetTypeInfo().Assembly); + = new ResourceManager("Microsoft.AspNet.DataProtection.Abstractions.Resources", typeof(Resources).GetTypeInfo().Assembly); /// /// The payload was invalid. diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx b/src/Microsoft.AspNet.DataProtection.Abstractions/Resources.resx similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/Resources.resx rename to src/Microsoft.AspNet.DataProtection.Abstractions/Resources.resx diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/WebEncoders.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/WebEncoders.cs rename to src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs diff --git a/src/Microsoft.AspNet.DataProtection.Interfaces/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Interfaces/project.json rename to src/Microsoft.AspNet.DataProtection.Abstractions/project.json diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 60b6bf893d..9d0fc06edc 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json 
@@ -3,7 +3,7 @@ "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Interfaces": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" }, "Microsoft.Framework.DependencyInjection.Interfaces": "1.0.0-*", "Microsoft.Framework.Logging.Interfaces": "1.0.0-*", diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs similarity index 99% rename from test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs rename to test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs index 42deb31f55..47c7013539 100644 --- a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs @@ -6,7 +6,7 @@ using System.Collections.Generic; using System.Security.Cryptography; using System.Text; using Microsoft.AspNet.DataProtection.Infrastructure; -using Microsoft.AspNet.DataProtection.Interfaces; +using Microsoft.AspNet.DataProtection.Abstractions; using Microsoft.AspNet.Testing; using Microsoft.Framework.Runtime; using Moq; diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/Microsoft.AspNet.DataProtection.Abstractions.Test.xproj similarity index 100% rename from test/Microsoft.AspNet.DataProtection.Interfaces.Test/Microsoft.AspNet.DataProtection.Interfaces.Test.xproj rename to test/Microsoft.AspNet.DataProtection.Abstractions.Test/Microsoft.AspNet.DataProtection.Abstractions.Test.xproj 
diff --git a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json similarity index 86% rename from test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json rename to test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json index b1010674f5..5651458299 100644 --- a/test/Microsoft.AspNet.DataProtection.Interfaces.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json @@ -1,7 +1,7 @@ { "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Interfaces": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", "xunit.runner.aspnet": "2.0.0-aspnet-*" diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json index bcc0e2decf..50d98f9f25 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json @@ -1,6 +1,6 @@ { "dependencies": { - "Microsoft.AspNet.DataProtection.Interfaces": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", From a1144274a11163cdb76501ec4f88e3fc59553ca3 Mon Sep 17 00:00:00 2001 From: Brennan Date: Wed, 29 Apr 2015 22:42:00 -0700 Subject: [PATCH 145/493] React to Interface package renames --- src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 4 ++-- src/Microsoft.AspNet.DataProtection/project.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index a29ad1792a..55135aae35 100644 
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -9,12 +9,12 @@ "net451": { }, "dnx451": { "dependencies": { - "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*" + "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*" } }, "dnxcore50": { "dependencies": { - "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*", + "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*", "System.ComponentModel": "4.0.0-beta-*", "System.Diagnostics.Debug": "4.0.10-beta-*", "System.Reflection": "4.0.10-beta-*", diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 9d0fc06edc..7906533836 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -5,8 +5,8 @@ "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" }, - "Microsoft.Framework.DependencyInjection.Interfaces": "1.0.0-*", - "Microsoft.Framework.Logging.Interfaces": "1.0.0-*", + "Microsoft.Framework.DependencyInjection.Abstractions": "1.0.0-*", + "Microsoft.Framework.Logging.Abstractions": "1.0.0-*", "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, "Microsoft.Framework.OptionsModel": "1.0.0-*" }, From d578779fa6611cefa949d083d779643fcfcac91f Mon Sep 17 00:00:00 2001 From: Brennan Date: Wed, 29 Apr 2015 23:58:04 -0700 Subject: [PATCH 146/493] Revert Runtime.Abstractions --- src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index 55135aae35..a29ad1792a 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json 
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -9,12 +9,12 @@ "net451": { }, "dnx451": { "dependencies": { - "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*" + "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*" } }, "dnxcore50": { "dependencies": { - "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*", + "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*", "System.ComponentModel": "4.0.0-beta-*", "System.Diagnostics.Debug": "4.0.10-beta-*", "System.Reflection": "4.0.10-beta-*", From 4a58540bdf352a4e67cb7fc48c52699031c8a516 Mon Sep 17 00:00:00 2001 From: Troy Dai Date: Fri, 1 May 2015 11:05:09 -0700 Subject: [PATCH 147/493] React to DNX packages name change --- .../project.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index a29ad1792a..b9a22befcc 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -1,6 +1,6 @@ { "version": "1.0.0-*", - "description": "Contains the core IDataProtector and IDataProtectionProvider interfaces for ASP.NET 5 Data Protection.", + "description": "Contains the core IDataProtector and IDataProtectionProvider abstractions for ASP.NET 5 Data Protection.", "dependencies": { "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" } 
@@ -9,12 +9,12 @@ "net451": { }, "dnx451": { "dependencies": { - "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*" + "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*" } }, "dnxcore50": { "dependencies": { - "Microsoft.Framework.Runtime.Interfaces": "1.0.0-*", + "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*", "System.ComponentModel": "4.0.0-beta-*", "System.Diagnostics.Debug": "4.0.10-beta-*", "System.Reflection": "4.0.10-beta-*", From c6416f3520e5eba22b985a248b2edbece2b83ca4 Mon Sep 17 00:00:00 2001 
From: "N. Taylor Mullen" Date: Fri, 1 May 2015 13:45:56 -0700 Subject: [PATCH 148/493] Update LICENSE.txt and license header on files. --- LICENSE.txt | 2 +- .../Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | 2 +- .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 2 +- src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs | 2 +- .../Cng/BCryptBufferDesc.cs | 2 +- .../Cng/BCryptEncryptFlags.cs | 2 +- .../Cng/BCryptGenRandomFlags.cs | 2 +- .../Cng/BCryptKeyDerivationBufferType.cs | 2 +- src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs | 2 +- .../Cng/CachedAlgorithmHandles.cs | 2 +- .../Cng/NCryptEncryptFlags.cs | 2 +- src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs | 2 +- src/Microsoft.AspNet.Cryptography.Internal/Constants.cs | 2 +- src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs | 2 +- src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../SafeHandles/BCryptAlgorithmHandle.cs | 2 +- .../SafeHandles/BCryptHandle.cs | 2 +- .../SafeHandles/BCryptHashHandle.cs | 2 +- .../SafeHandles/BCryptKeyHandle.cs | 2 +- .../SafeHandles/LocalAllocHandle.cs | 2 +- .../SafeHandles/NCryptDescriptorHandle.cs | 2 +- .../SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs | 2 +- .../SafeHandles/SafeLibraryHandle.cs | 2 +- .../SafeHandles/SecureLocalAllocHandle.cs | 2 +- src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs | 2 +- .../UnsafeNativeMethods.cs | 2 +- .../WeakReferenceHelpers.cs | 2 +- .../KeyDerivation.cs | 2 +- .../KeyDerivationPrf.cs | 2 +- .../PBKDF2/IPbkdf2Provider.cs | 2 +- .../PBKDF2/ManagedPbkdf2Provider.cs | 2 +- .../PBKDF2/Pbkdf2Util.cs | 2 +- .../PBKDF2/Win7Pbkdf2Provider.cs | 2 +- .../PBKDF2/Win8Pbkdf2Provider.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs | 2 +- .../DataProtectionExtensions.cs | 2 +- src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs | 2 +- .../IDataProtectionProvider.cs | 2 +- 
.../IDataProtector.cs | 2 +- .../Infrastructure/IApplicationDiscriminator.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs | 2 +- src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs | 2 +- .../DataProtectionExtensions.cs | 2 +- .../DataProtectionProvider.cs | 2 +- .../ITimeLimitedDataProtector.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../TimeLimitedDataProtector.cs | 2 +- src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs | 2 +- .../ExceptionExtensions.cs | 2 +- .../CompatibilityDataProtector.cs | 2 +- .../DataProtectionStartup.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs | 2 +- src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs | 2 +- src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs | 2 +- .../AuthenticatedEncryption/AlgorithmAssert.cs | 2 +- .../AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs | 2 +- .../AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs | 2 +- .../CngCbcAuthenticatedEncryptionOptions.cs | 2 +- .../CngGcmAuthenticatedEncryptionOptions.cs | 2 +- .../ConfigurationModel/AuthenticatedEncryptorConfiguration.cs | 2 +- .../ConfigurationModel/AuthenticatedEncryptorDescriptor.cs | 2 +- .../AuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../CngCbcAuthenticatedEncryptorConfiguration.cs | 2 +- .../CngCbcAuthenticatedEncryptorDescriptor.cs | 2 +- .../CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../CngGcmAuthenticatedEncryptorConfiguration.cs | 2 +- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 2 +- .../CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../ConfigurationModel/ConfigurationCommon.cs | 2 +- .../ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs | 2 +- .../ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs | 2 +- .../IAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- 
.../IInternalAuthenticatedEncryptorConfiguration.cs | 2 +- .../ManagedAuthenticatedEncryptorConfiguration.cs | 2 +- .../ManagedAuthenticatedEncryptorDescriptor.cs | 2 +- .../ManagedAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../ConfigurationModel/SecretExtensions.cs | 2 +- .../AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs | 2 +- .../ConfigurationModel/XmlSerializedDescriptorInfo.cs | 2 +- .../AuthenticatedEncryption/EncryptionAlgorithm.cs | 2 +- .../AuthenticatedEncryption/IAuthenticatedEncryptor.cs | 2 +- .../IInternalAuthenticatedEncryptionOptions.cs | 2 +- .../AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs | 2 +- .../ManagedAuthenticatedEncryptionOptions.cs | 2 +- .../AuthenticatedEncryption/ValidationAlgorithm.cs | 2 +- src/Microsoft.AspNet.DataProtection/BitHelpers.cs | 2 +- src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs | 2 +- .../Cng/CbcAuthenticatedEncryptor.cs | 2 +- .../Cng/CngAuthenticatedEncryptorBase.cs | 2 +- .../Cng/DpapiSecretSerializerHelper.cs | 2 +- .../Cng/GcmAuthenticatedEncryptor.cs | 2 +- src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs | 2 +- .../DataProtectionConfiguration.cs | 2 +- src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs | 2 +- .../DataProtectionProviderFactory.cs | 2 +- .../DataProtectionServiceCollectionExtensions.cs | 2 +- .../DataProtectionServiceDescriptors.cs | 2 +- src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs | 2 +- .../EphemeralDataProtectionProvider.cs | 2 +- src/Microsoft.AspNet.DataProtection/Error.cs | 2 +- src/Microsoft.AspNet.DataProtection/IActivator.cs | 2 +- src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs | 2 +- src/Microsoft.AspNet.DataProtection/ISecret.cs | 2 +- .../KeyManagement/CacheableKeyRing.cs | 2 +- .../KeyManagement/DefaultKeyResolution.cs | 2 +- .../KeyManagement/DefaultKeyResolver.cs | 2 +- .../KeyManagement/DefaultKeyServices.cs | 2 +- .../KeyManagement/DeferredKey.cs | 2 +- 
.../KeyManagement/ICacheableKeyRingProvider.cs | 2 +- .../KeyManagement/IDefaultKeyResolver.cs | 2 +- .../KeyManagement/IDefaultKeyServices.cs | 2 +- .../KeyManagement/IInternalXmlKeyManager.cs | 2 +- src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs | 2 +- .../KeyManagement/IKeyEscrowSink.cs | 2 +- .../KeyManagement/IKeyManager.cs | 2 +- src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs | 2 +- .../KeyManagement/IKeyRingProvider.cs | 2 +- src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs | 2 +- src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs | 2 +- .../KeyManagement/KeyEscrowServiceProviderExtensions.cs | 2 +- .../KeyManagement/KeyExtensions.cs | 2 +- .../KeyManagement/KeyManagementOptions.cs | 2 +- src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs | 2 +- .../KeyManagement/KeyRingBasedDataProtectionProvider.cs | 2 +- .../KeyManagement/KeyRingBasedDataProtector.cs | 2 +- .../KeyManagement/KeyRingProvider.cs | 2 +- .../KeyManagement/XmlKeyManager.cs | 2 +- src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs | 2 +- .../LoggingServiceProviderExtensions.cs | 2 +- .../Managed/HashAlgorithmExtensions.cs | 2 +- .../Managed/IManagedGenRandom.cs | 2 +- .../Managed/ManagedAuthenticatedEncryptor.cs | 2 +- .../Managed/ManagedGenRandomImpl.cs | 2 +- .../Managed/SymmetricAlgorithmExtensions.cs | 2 +- src/Microsoft.AspNet.DataProtection/MemoryProtection.cs | 2 +- src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs | 2 +- src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs | 2 +- .../Repositories/EphemeralXmlRepository.cs | 2 +- .../Repositories/FileSystemXmlRepository.cs | 2 +- .../Repositories/IXmlRepository.cs | 2 +- .../Repositories/RegistryXmlRepository.cs | 2 +- .../SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs | 2 +- .../SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs | 2 +- .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 2 +- 
.../SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs | 2 +- src/Microsoft.AspNet.DataProtection/Secret.cs | 2 +- src/Microsoft.AspNet.DataProtection/StringInterpolation.cs | 2 +- src/Microsoft.AspNet.DataProtection/TypeExtensions.cs | 2 +- src/Microsoft.AspNet.DataProtection/XmlConstants.cs | 2 +- .../XmlEncryption/CertificateResolver.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 2 +- .../XmlEncryption/DpapiNGProtectionDescriptorFlags.cs | 2 +- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 2 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 2 +- .../XmlEncryption/DpapiXmlDecryptor.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 2 +- .../XmlEncryption/EncryptedXmlDecryptor.core50.cs | 2 +- .../XmlEncryption/EncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/EncryptedXmlInfo.cs | 2 +- .../XmlEncryption/ICertificateResolver.cs | 2 +- .../XmlEncryption/IInternalCertificateXmlEncryptor.cs | 2 +- .../XmlEncryption/IInternalEncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/IXmlDecryptor.cs | 2 +- .../XmlEncryption/IXmlEncryptor.cs | 2 +- .../XmlEncryption/NullXmlDecryptor.cs | 2 +- .../XmlEncryption/NullXmlEncryptor.cs | 2 +- .../XmlEncryption/XmlEncryptionExtensions.cs | 2 +- src/Microsoft.AspNet.DataProtection/XmlExtensions.cs | 2 +- .../Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs | 2 +- .../Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs | 2 +- .../Cng/BCryptUtilTests.cs | 2 +- .../Cng/CachedAlgorithmHandlesTests.cs | 2 +- .../CryptoUtilTests.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../SafeHandles/SecureLocalAllocHandleTests.cs | 2 +- .../UnsafeBufferUtilTests.cs | 2 +- .../WeakReferenceHelpersTests.cs | 2 +- .../Pbkdf2Tests.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../DataProtectionExtensionsTests.cs | 2 +- .../DataProtectionExtensionsTests.cs | 2 +- .../DataProtectionProviderTests.cs | 2 +- .../TimeLimitedDataProtectorTests.cs | 2 +- .../ConditionalRunTestOnlyWindows8OrLaterAttribute.cs 
| 2 +- .../ConditionalRunTestOnlyWindowsAttribute.cs | 2 +- .../ExceptionAssert2.cs | 2 +- test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs | 2 +- .../AnonymousImpersonation.cs | 2 +- .../AuthenticatedEncryptorDescriptorDeserializerTests.cs | 2 +- .../ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs | 2 +- .../CngCbcAuthenticatedEncryptorConfigurationTests.cs | 2 +- .../CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs | 2 +- .../CngCbcAuthenticatedEncryptorDescriptorTests.cs | 2 +- .../CngGcmAuthenticatedEncryptorConfigurationTests.cs | 2 +- .../CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs | 2 +- .../CngGcmAuthenticatedEncryptorDescriptorTests.cs | 2 +- .../ManagedAuthenticatedEncryptorConfigurationTests.cs | 2 +- .../ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs | 2 +- .../ManagedAuthenticatedEncryptorDescriptorTests.cs | 2 +- .../Cng/CbcAuthenticatedEncryptorTests.cs | 2 +- .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 2 +- .../Cng/GcmAuthenticatedEncryptorTests.cs | 2 +- .../EphemeralDataProtectionProviderTests.cs | 2 +- .../KeyManagement/CacheableKeyRingTests.cs | 2 +- .../KeyManagement/DefaultKeyResolverTests.cs | 2 +- .../KeyManagement/DeferredKeyTests.cs | 2 +- .../KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs | 2 +- .../KeyManagement/KeyRingBasedDataProtectorTests.cs | 2 +- .../KeyManagement/KeyRingProviderTests.cs | 2 +- .../KeyManagement/KeyRingTests.cs | 2 +- .../KeyManagement/KeyTests.cs | 2 +- .../KeyManagement/XmlKeyManagerTests.cs | 2 +- .../Managed/ManagedAuthenticatedEncryptorTests.cs | 2 +- test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../RegistryPolicyResolverTests.cs | 2 +- .../Repositories/EphemeralXmlRepositoryTests.cs | 2 +- .../Repositories/FileSystemXmlRepositoryTests.cs | 2 +- .../Repositories/RegistryXmlRepositoryTests.cs | 2 +- .../SP800_108/SP800_108Tests.cs | 2 +- 
test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs | 2 +- test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs | 2 +- .../Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs | 2 +- .../Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs | 2 +- test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiNGXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- .../XmlEncryption/NullXmlEncryptionTests.cs | 2 +- .../XmlEncryption/XmlEncryptionExtensionsTests.cs | 2 +- 236 files changed, 236 insertions(+), 236 deletions(-) diff --git a/LICENSE.txt b/LICENSE.txt index d85a1524ad..0bdc1962b6 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,4 +1,4 @@ -Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +Copyright (c) .NET Foundation. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License. You may obtain a copy of the diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs index ec1d410922..fb0fef9476 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs index ec2bbd8cc1..42826a01b9 100644 
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs
index f7ce3c86e9..5ab8708f2e 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs
index a23edac263..84661f6b0b 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
index 61cee2f864..8f6eaf89a2 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
index f3cb337d48..604b7401f3 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
index 6fcf2cf9b5..eeae8a6c1b 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs
index aeca87fbe5..3da19bd054 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
index f1231ffa6f..8c958844c2 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
index 5ddc695ab9..f51e53c653 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs
index 541302a0c9..5903624dc5 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs b/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs
index 135ea56ec5..de480bb536 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs
index 1b402a834e..b0a7c95703 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs b/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs
index 132b420e57..8222f4f23a 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs
index 2eee92352a..7b1f473f6f 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
index 76cd840558..209eafb182 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs
index 65a6b97cb1..d27d85f599 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
index 9760d30440..e7875c2e0c 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
index 088f7a0994..4b8e0a406a 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
index 305f1ba34b..e048f45ec6 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
index f5d227cc1d..33032dfef5 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
index 2f7ff5cee7..f00b99c2a9 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
index f13924ebb1..86c080ca85 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
index f2316b6d37..ea397a0f77 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs
index 629f4caa19..e302c5d4fd 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs
index 80c9111d46..7d06df9ff4 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs b/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs
index 8aaf9c73bb..55769de2c4 100644
--- a/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs
+++ b/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs
index 34e8f71128..3837f11bd0 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs
index 14e666d104..83ed7419e4 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
index c19837c871..9614a735f5 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
index 03df786627..b7e6a21d41 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
index 26ce118b15..ffa721e1fd 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
index 343800aa91..9219d1b509 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
index abc0dcec6c..e00906ba22 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
index 329cc5b736..1e3c9f69aa 100644
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
+++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs
index a6c7fc2d9f..80d51df898 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs
index ca2229de33..ecbe0482ca 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs
index 119aab9bd3..a72ace32ca 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs
index cc06dbadf0..98697d8705 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs
index 89dd31d759..02a4cc350e 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
index 23c2764f9d..09421199e2 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs
index 2164560251..19e5fabbbb 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs
index 17d225f9d1..00d27cc48f 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs b/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs
index 145bb900fa..077df9cebd 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs
index 250f86cf70..f246948e07 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
index badb814072..a8a9875be1 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs
index b3b7e8d150..e31387bd9f 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs
index 33cb4b2083..ff8e404744 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs
index 3f5e5c3e9a..a55320a2e8 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs b/src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs
index 46571e69ab..060ab88b26 100644
--- a/src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs
+++ b/src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs
index 126a7bda3f..44e7d05ede 100644
--- a/src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs
index 3f67e256ab..c352ad5eb0 100644
--- a/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs
index ef93c82ad8..c580411d1c 100644
--- a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs
index f5c6f4a83a..025a94598c 100644
--- a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Reflection;
diff --git a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
index 5801287b72..448a935607 100644
--- a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs b/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs
index 43db6a0021..1d237d124e 100644
--- a/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs
+++ b/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs b/src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs
index e5a2a13946..f4f0ccb0d2 100644
--- a/src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
index 2687a34a8f..0e92a60cf9 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
index 8f5bba8e00..0bef35432d 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
index 56261ad27d..5ffb4ec4a1 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
index 18ed508884..159db39609 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
index 3f0f39392a..0ba9db209b 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
index ec3c0102fc..6f87e92b3b 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
index 43387d779c..5cc9a9694d 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
index 947282cd5a..1aea96b505 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
index bb11fabe42..ab14b96b11 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
index d298ae719e..bcb8f17118 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
index 3120c31ba8..796e74110c 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
index 9ebc51ea7f..af30b1c766 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
index 51c10f5d31..972de41bec 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
index 801b1e31ef..a42d48c16d 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs
index 4d42acca16..f43cba9103 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs
index 40817c3b3a..e22e5974a0 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
index 09d4334ce7..7f46726652 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
index 805ded53b4..55f24a7a85 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
index 46a9068513..bde992ba46 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
index f4f8aa3410..b29abdb151 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
index 258fb64db7..f616a42c24 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
index be28842cf2..d07b187da5 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
index de3b2cb607..19a08ed92b 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
index d6914c83d3..ba89541f23 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
index 0f0b695b9f..5c5da348e9 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
index 26b6e38fe4..f1410fd162 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
index 7d49777013..c6f53788f5 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs
index 7718c6a18b..f89afefa78 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
index 368b570596..6a57c66357 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
index 9b446d5fbe..dbff16ae02 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
index 93d96fdd97..394e0a898d 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/BitHelpers.cs b/src/Microsoft.AspNet.DataProtection/BitHelpers.cs
index b9f1e3dc27..9356507d77 100644
--- a/src/Microsoft.AspNet.DataProtection/BitHelpers.cs
+++ b/src/Microsoft.AspNet.DataProtection/BitHelpers.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs
index 24ebf57106..73b0658d55 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
index f88c224a68..37a8413a3a 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs
index 592c5dbf2d..968a31cd0b 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs
index 791f6a5915..ffb8a5c9fe 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
index 5176da5fc6..953fb05106 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs b/src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs
index 735d92fdb3..d46194422f 100644
--- a/src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs
+++ b/src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs
index 371852cb20..71864269d4 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs
index 1c6f998012..10ecb56b40 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
index d08d326539..a7b4aed888 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs
index c7f2ca16b7..0a17eb8e67 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
index 280d0d63d8..802249aace 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
index 32b5d78d01..08f0d1626e 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
index f0d9fbf856..b1e7d48143 100644
--- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Error.cs b/src/Microsoft.AspNet.DataProtection/Error.cs
index 034a61c51d..846cb09bc0 100644
--- a/src/Microsoft.AspNet.DataProtection/Error.cs
+++ b/src/Microsoft.AspNet.DataProtection/Error.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/IActivator.cs b/src/Microsoft.AspNet.DataProtection/IActivator.cs
index a8827f58fa..012510869c 100644
--- a/src/Microsoft.AspNet.DataProtection/IActivator.cs
+++ b/src/Microsoft.AspNet.DataProtection/IActivator.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs
index a1fe9ef00b..2004cef3d2 100644
--- a/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/ISecret.cs b/src/Microsoft.AspNet.DataProtection/ISecret.cs
index d1e67cfa51..6972dc72bf 100644
--- a/src/Microsoft.AspNet.DataProtection/ISecret.cs
+++ b/src/Microsoft.AspNet.DataProtection/ISecret.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs
index f9be3fcde7..b3bde5d737 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs
index f714319fe4..a60aa9bf25 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
index 6698105d41..2921bb905b 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
index c9dd42484a..07addd064c 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs
index d75c7d84eb..559d9030ba 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs
index 008b15a607..ccdb39ccba 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs
index a5ecdeda16..99178eb07a 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs
index 34a4f2ab8b..faccf9554b 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs
index 1170c14ceb..f94d40e8a8 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs
index 1d3288d68d..fd0f736ffb 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs
index 4223085202..5ce6fbcbdb 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs
index 104c51a73d..21ed28c40f 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs
index d046a5242a..6b7f0e6045 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs
index fd3836c58a..966328fc77 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs
index 5d8c41e25d..2bc5efc253 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs
index aab41a279c..9429573ade 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
index 6794a4884f..3423ab38de 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs
index 665be69320..748c4f1185 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs
index ae4d7479b5..c78409a1be 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs
index 9aacfb9ed6..bb5610077b 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
index dc89a53aa8..a6a8c7724e 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
index b807d90e41..b4f44cf5c9 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs
index 321d5ef062..35724b2874 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
index 7ea42e2737..cd8bd5ca55 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs
index 2ff0a23f79..3b746be0c2 100644
--- a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs
index 267b1d8c99..1bc698d9f9 100644
--- a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs
index c1717e659f..43c2cd1448 100644
--- a/src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs b/src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs
index d707876d10..a96511b94b 100644
--- a/src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs
+++ b/src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
index 5e67f3ac07..b9c3724208 100644
--- a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs
index f3de3db91e..4b94c473dc 100644
--- a/src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs
+++ b/src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
index 9542d06ce0..aa31f58288 100644
--- a/src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs
index 6171796765..885b71f570 100644
--- a/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs
+++ b/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs
index b9ae4cdaa5..08f1c43511 100644
--- a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs
+++ b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs
index c4b2bfb703..65171556f6 100644
--- a/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs
index dcfd8a5b59..8fd68f6a60 100644
--- a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs
+++ b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs
index 53e281eeaa..57b4672cab 100644
--- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs
+++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs
index b17b395407..fa8301e7e8 100644
--- a/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs
+++ b/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs
index be466325bd..65e3f5e93d 100644
--- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs
+++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
index dd8089732a..bc4fc9f82a 100644
--- a/src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
+++ b/src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
index 89f6b5c987..0e5ce8fb5f 100644
--- a/src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
+++ b/src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
index a9dc0a4846..82bfa56efc 100644
--- a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
index e93eb7da4a..770fa36a28 100644
--- a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
+++ b/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
index a31935286a..3df74326ca 100644
--- a/src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
+++ b/src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
index 68d8a935e8..846fb525f0 100644
--- a/src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
+++ b/src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/Secret.cs b/src/Microsoft.AspNet.DataProtection/Secret.cs
index 991624e6a6..99217666a6 100644
--- a/src/Microsoft.AspNet.DataProtection/Secret.cs
+++ b/src/Microsoft.AspNet.DataProtection/Secret.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs b/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs
index e7ba7f9dae..ce40ebed63 100644
--- a/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs
+++ b/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if !DNXCORE50
diff --git a/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs b/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs
index 7f4c12b529..178df37159 100644
--- a/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlConstants.cs b/src/Microsoft.AspNet.DataProtection/XmlConstants.cs
index e41785f59a..57a396903d 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlConstants.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlConstants.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs
index d16a4f9af6..6af1f71ad9 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
index 2c6401305b..9a60b4f895 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
index 17b9a762c2..1b2d523267 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
index e356c2e259..0f23744c0c 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
index 4b6180ce5b..ec58f19b65 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
index 10d0b81a84..146fc7e4cc 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
index 4ec5f0cef4..6b1659e567 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs
index d3889429b9..ea3f22428e 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if DNXCORE50
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
index 870cdda96c..dfaa533ff3 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
index f9e4141054..3a51fb62e2 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs
index 037c7fcc07..a457f8df20 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
index 1a0169cf42..c732e08eb4 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
index 441a300e49..223283de65 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs
index 474a6d0dda..1221fb21ef 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs
index ebb5f092ba..0e1c3f6d61 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs
index d43c068e6b..9769212115 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs
index 9343053537..170e014569 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
index 941a0bea66..ff2bd57cdd 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs
index 6021878bc9..7340baf281 100644
--- a/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
index 74f9da1b98..fec6abeaee 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
index 9817dcb205..a678158a0e 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
index 4166f51e32..c33dfede4c 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
index dd5547efeb..0fb5f0d6cb 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs
index 1ddd951e7f..7ce884177f 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
index 3f8188a594..aa00750af3 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
index f892af7d63..068f729806 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
index 9835b11131..845922bc6c 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
index 9b34dacd6d..288cbd6f51 100644
--- a/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
+++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
index 3274b8032a..c2209dd6af 100644
--- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
+++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
index 3f8188a594..aa00750af3 100644
--- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
+++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs
index 47c7013539..d45104197e 100644
--- a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs
index d0ef0a770a..80866a6bf7 100644
--- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
index 3420dd030a..e6d31a4d4d 100644
--- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
index fad95f09b9..5a54b3c7f9 100644
--- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
index 1a41ae9d7c..1799324f80 100644
--- a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
index 37b05192be..5071921f05 100644
--- a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs b/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs
index 79c53bb99f..cf365f42a4 100644
--- a/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs
index ae0fdba4df..83b634d5fe 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs
index b0793bc5d2..35b2eaf8ae 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
index 829d478ede..a808113e78 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
index d707579cbb..bdfdf504b2 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
index 12b4e75b2d..815658f4bf 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
index b0aede26e5..317758dfef 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
index baa19dde89..a20da3b086 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
index d3af69a74d..348eb3d0a5 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
index 5e0c48d72b..c07cd32029 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
index 96fd83afdb..3d6b98f0d5 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
index dcc8d365ee..d6aca0f4dc 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
index 6b249c1072..0a6c668364 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
index f944037880..04882ffabd 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
index 8e0b8e4a8e..1ca46ab2b2 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
index 84335935b2..4a47c64b29 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
index 80b57a14f1..b94041b79f 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
index 04acee0a65..e0c856cf26 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
index d92b38ec5a..5e4e5b82fd 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
index 1dd54cac67..93bd512972 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
index a28aef0dd8..fd41a98ff8 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
index 755509b42b..66a9d754a7 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
index 8f934fe96b..12676b836d 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
index e315e2855a..e40180ee06 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs
index 904a8afe86..df03475f7a 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs
index 88c9795eb9..6514a61293 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
index 559c5cc0be..98e34b73c4 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
index 9f5ae98d5f..cc138e77a6 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs
index 92cc02c25c..a0e1d411a7 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs
index 3f8188a594..aa00750af3 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs
index 8dcb0424eb..ed96b16748 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
index 3c9c2dd57c..dadcfbbf42 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
index 829acad4cb..a09f77bbd7 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
index ce9178e092..206b804fab 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs b/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs
index d37d696d07..e8751c0cea 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
diff --git a/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs b/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs
index ec4f5e0b7c..2f92d1c33f 100644
--- a/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs
+++ b/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs
@@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs b/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs index d84decfad8..a1dd672cff 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs b/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs index 505e6f0913..a86ea44d75 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs index 1c224544fd..0842986006 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs 
@@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs index e937122773..a0481a3f29 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 44be41b780..62279034ab 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs index 321e29943c..cc717c62d9 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs 
@@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index bb4c2145e9..d2ae16a7cd 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs index 1e2e92476e..238b78bd6c 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs index c931d1bd48..8d19c39f00 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs 
+++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs @@ -1,4 +1,4 @@ -// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; From d870ae431e1d008be07353ccafc27458ba733ccc Mon Sep 17 00:00:00 2001 From: Barry Dorrans Date: Tue, 5 May 2015 13:16:29 -0700 Subject: [PATCH 149/493] Add link to documentation site --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 523c6a4e3c..cf91ed9152 100644 --- a/README.md +++ b/README.md @@ -6,4 +6,4 @@ Travis: [![Travis](https://travis-ci.org/aspnet/DataProtection.svg?branch=dev) Data Protection APIs -This project is part of ASP.NET 5. You can find samples, documentation and getting started instructions for ASP.NET 5 at the [Home](https://github.com/aspnet/home) repo. +This project is part of ASP.NET 5. You can find documentation for Data Protection in the [ASP.NET 5 Documentation](http://docs.asp.net/en/latest/security/data-protection/index.html). You can find samples, documentation and getting started instructions for ASP.NET 5 at the [Home](https://github.com/aspnet/home) repo. From fe80a65ffc0dd85c7db332ce0ee52da24fa4edbc Mon Sep 17 00:00:00 2001 From: Troy Dai Date: Thu, 7 May 2015 09:36:15 -0700 Subject: [PATCH 150/493] React to common package name change --- src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json | 2 +- src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 2 +- src/Microsoft.AspNet.DataProtection.Extensions/project.json | 2 +- src/Microsoft.AspNet.DataProtection/project.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 438713f062..bb3a47ccc3 100644 
--- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -3,7 +3,7 @@ "description": "ASP.NET 5 utilities for key derivation.", "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" } + "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } }, "frameworks": { "net451": { }, diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index b9a22befcc..4bcfff29a7 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -2,7 +2,7 @@ "version": "1.0.0-*", "description": "Contains the core IDataProtector and IDataProtectionProvider abstractions for ASP.NET 5 Data Protection.", "dependencies": { - "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, + "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" } }, "frameworks": { diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json index 2fd42f5a21..324423da09 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json @@ -5,7 +5,7 @@ "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" }, "Microsoft.Framework.DependencyInjection": "1.0.0-*", - "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" } + "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } }, "frameworks": { "net451": { }, 
diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 7906533836..c160fd642f 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -7,7 +7,7 @@ "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" }, "Microsoft.Framework.DependencyInjection.Abstractions": "1.0.0-*", "Microsoft.Framework.Logging.Abstractions": "1.0.0-*", - "Microsoft.Framework.NotNullAttribute.Internal": { "type": "build", "version": "1.0.0-*" }, + "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, "Microsoft.Framework.OptionsModel": "1.0.0-*" }, "frameworks": { From 2f09b07adc6e62d0ebeb29c1a4d9d46548b14880 Mon Sep 17 00:00:00 2001 From: Troy Dai Date: Thu, 7 May 2015 10:16:20 -0700 Subject: [PATCH 151/493] Package rename: Microsoft.AspNet.DataProtection.Shared -> Microsoft.AspNet.DataProtection.Sources --- DataProtection.sln | 2 +- src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 2 +- src/Microsoft.AspNet.DataProtection.Extensions/project.json | 2 +- .../EncodingUtil.cs | 0 .../ExceptionExtensions.cs | 0 .../Microsoft.AspNet.DataProtection.Sources.xproj} | 0 .../project.json | 0 src/Microsoft.AspNet.DataProtection/project.json | 2 +- 8 files changed, 4 insertions(+), 4 deletions(-) rename src/{Microsoft.AspNet.DataProtection.Shared => Microsoft.AspNet.DataProtection.Sources}/EncodingUtil.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Shared => Microsoft.AspNet.DataProtection.Sources}/ExceptionExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj => Microsoft.AspNet.DataProtection.Sources/Microsoft.AspNet.DataProtection.Sources.xproj} (100%) rename src/{Microsoft.AspNet.DataProtection.Shared => Microsoft.AspNet.DataProtection.Sources}/project.json (100%) 
diff --git a/DataProtection.sln b/DataProtection.sln index 32886677e3..b88d341b6c 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -25,7 +25,7 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtec EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test.Shared", "test\Microsoft.AspNet.DataProtection.Test.Shared\Microsoft.AspNet.DataProtection.Test.Shared.xproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Shared", "src\Microsoft.AspNet.DataProtection.Shared\Microsoft.AspNet.DataProtection.Shared.xproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Sources", "src\Microsoft.AspNet.DataProtection.Sources\Microsoft.AspNet.DataProtection.Sources.xproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.SystemWeb", "src\Microsoft.AspNet.DataProtection.SystemWeb\Microsoft.AspNet.DataProtection.SystemWeb.xproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" EndProject diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index 4bcfff29a7..b2e5bdbdee 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -3,7 +3,7 @@ "description": "Contains the core IDataProtector and IDataProtectionProvider abstractions for ASP.NET 5 Data Protection.", "dependencies": { "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" } + "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" } }, "frameworks": { "net451": { }, 
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json index 324423da09..4978cfe70a 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json @@ -3,7 +3,7 @@ "description": "Additional APIs for ASP.NET 5 data protection.", "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" }, + "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, "Microsoft.Framework.DependencyInjection": "1.0.0-*", "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } }, diff --git a/src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs b/src/Microsoft.AspNet.DataProtection.Sources/EncodingUtil.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Shared/EncodingUtil.cs rename to src/Microsoft.AspNet.DataProtection.Sources/EncodingUtil.cs diff --git a/src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Sources/ExceptionExtensions.cs similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Shared/ExceptionExtensions.cs rename to src/Microsoft.AspNet.DataProtection.Sources/ExceptionExtensions.cs diff --git a/src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj b/src/Microsoft.AspNet.DataProtection.Sources/Microsoft.AspNet.DataProtection.Sources.xproj similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Shared/Microsoft.AspNet.DataProtection.Shared.xproj rename to src/Microsoft.AspNet.DataProtection.Sources/Microsoft.AspNet.DataProtection.Sources.xproj 
diff --git a/src/Microsoft.AspNet.DataProtection.Shared/project.json b/src/Microsoft.AspNet.DataProtection.Sources/project.json similarity index 100% rename from src/Microsoft.AspNet.DataProtection.Shared/project.json rename to src/Microsoft.AspNet.DataProtection.Sources/project.json diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index c160fd642f..ea512d0742 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -4,7 +4,7 @@ "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Shared": { "type": "build", "version": "" }, + "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, "Microsoft.Framework.DependencyInjection.Abstractions": "1.0.0-*", "Microsoft.Framework.Logging.Abstractions": "1.0.0-*", "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, From 77d689f0bd6bda761ac3847976180a3a8df8f9dc Mon Sep 17 00:00:00 2001 From: Eilon Lipton Date: Tue, 12 May 2015 11:50:38 -0700 Subject: [PATCH 152/493] Update Home master -> Home dev --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index eac4268e4c..64ff041d5c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,4 +1,4 @@ Contributing ====== -Information on contributing to this repo is in the [Contributing Guide](https://github.com/aspnet/Home/blob/master/CONTRIBUTING.md) in the Home repo. +Information on contributing to this repo is in the [Contributing Guide](https://github.com/aspnet/Home/blob/dev/CONTRIBUTING.md) in the Home repo. From 0d3c29f46a003f5f6bb9271016d708a79986c46e Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Fri, 15 May 2015 09:57:18 -0700 Subject: [PATCH 153/493] Reacting to CoreCLR package updates --- src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json | 4 +++- src/Microsoft.AspNet.DataProtection/project.json | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index bb3a47ccc3..7e5552393c 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -11,7 +11,9 @@ "dnxcore50": { "dependencies": { "System.Runtime.Extensions": "4.0.10-beta-*", - "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*" + "System.Security.Cryptography.Hashing": "4.0.0-beta-*", + "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", + "System.Text.Encoding.Extensions": "4.0.10-beta-*" } } }, diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index ea512d0742..4e42bcde46 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -37,6 +37,7 @@ "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", "System.Security.Cryptography.RandomNumberGenerator": "4.0.0-beta-*", + "System.Security.Claims": "4.0.0-beta-*", "System.Security.Principal.Windows": "4.0.0-beta-*", "System.Text.Encoding.Extensions": "4.0.10-beta-*", "System.Xml.XDocument": "4.0.10-beta-*" From 7bedbdfbabb609e75176e6d55c1bd409ada8f64f Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 27 May 2015 16:07:51 -0700 Subject: [PATCH 154/493] Updating to release NuGet.config --- NuGet.Config | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index da57d47267..0e74a4912d 100644 --- a/NuGet.Config +++ b/NuGet.Config 
@@ -1,7 +1,8 @@  - + + - \ No newline at end of file + From 430c903f65e74849c9739819a561d0200c4d78bc Mon Sep 17 00:00:00 2001 From: Troy Dai Date: Thu, 4 Jun 2015 10:47:36 -0700 Subject: [PATCH 155/493] Add System.IO to framework assemblies --- src/Microsoft.AspNet.DataProtection/project.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 4e42bcde46..02d3219ea7 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -13,6 +13,7 @@ "frameworks": { "net451": { "frameworkAssemblies": { + "System.IO": "", "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" @@ -20,6 +21,7 @@ }, "dnx451": { "frameworkAssemblies": { + "System.IO": "", "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" From 5aaae8ba9bde62a09fa8e74494bf0566eefb9d78 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Tue, 23 Jun 2015 10:52:53 -0700 Subject: [PATCH 156/493] Change hardcoded `bash` shebang to `env` - aspnet/Home#695 - support various `bash` installation locations - in particular, enable building on FreeBSD --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index d81164353c..3ef874f9bd 100755 --- a/build.sh +++ b/build.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash if test `uname` = Darwin; then cachedir=~/Library/Caches/KBuild From e332375f0e3672b1017f8a65244f964a515c5fa7 Mon Sep 17 00:00:00 2001 
From: Victor Hurdugaci Date: Wed, 1 Jul 2015 19:42:39 -0700 Subject: [PATCH 157/493] Add repository information to project files --- src/Microsoft.AspNet.Cryptography.Internal/project.json | 4 ++++ src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json | 4 ++++ src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 4 ++++ src/Microsoft.AspNet.DataProtection.Extensions/project.json | 4 ++++ src/Microsoft.AspNet.DataProtection.Sources/project.json | 4 ++++ src/Microsoft.AspNet.DataProtection.SystemWeb/project.json | 4 ++++ src/Microsoft.AspNet.DataProtection/project.json | 4 ++++ 7 files changed, 28 insertions(+) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index e43b76eba3..2082cc1e33 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, "dependencies": { }, "frameworks": { diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 7e5552393c..1d54408978 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", "description": "ASP.NET 5 utilities for key derivation.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } 
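Review bot: The added `repository.url` value uses the `git://` scheme, which is an unauthenticated and unencrypted transport, so a tool or person cloning from the package metadata has no assurance about which server answers or that the content is unmodified in transit. I would write `"url": "https://github.com/aspnet/dataprotection"` instead. The same line is added in the other project.json hunks of this commit (KeyDerivation, DataProtection.Abstractions, DataProtection.Extensions, DataProtection.Sources, DataProtection.SystemWeb and DataProtection), so the change applies to all seven files.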
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index b2e5bdbdee..d5b0e15b13 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", "description": "Contains the core IDataProtector and IDataProtectionProvider abstractions for ASP.NET 5 Data Protection.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, "dependencies": { "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" } diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json index 4978cfe70a..35aea29f27 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", "description": "Additional APIs for ASP.NET 5 data protection.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, diff --git a/src/Microsoft.AspNet.DataProtection.Sources/project.json b/src/Microsoft.AspNet.DataProtection.Sources/project.json index 96df0952d9..49a87fca56 100644 --- a/src/Microsoft.AspNet.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNet.DataProtection.Sources/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", "description": "ASP.NET 5 Data Protection shared code.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, "dependencies": { }, "frameworks": { 
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json index 620beafd64..7b674bc278 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", "description": "A component to allow the ASP.NET 5 DataProtection stack to work with the ASP.NET 4.x element.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, "frameworks": { "net451": { "dependencies": { diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 4e42bcde46..82b85bb563 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", From bbd57217f2dd9c27ff9ec48443a91dca68604505 Mon Sep 17 00:00:00 2001 From: mikary Date: Tue, 7 Jul 2015 14:40:20 -0700 Subject: [PATCH 158/493] React to API change in DependencyInjection --- .../DataProtectionConfiguration.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs index 71864269d4..c8af02a98d 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs 
@@ -82,7 +82,7 @@ namespace Microsoft.AspNet.DataProtection /// Registrations are additive. The factory is registered as . /// public DataProtectionConfiguration AddKeyEscrowSink() - where TImplementation : IKeyEscrowSink + where TImplementation : class, IKeyEscrowSink { Services.AddSingleton(); return this; From a3a6a97a968cda9a54e71ead8ed4ba3de18747ec Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 16 Jul 2015 08:54:38 -0700 Subject: [PATCH 159/493] Updating to release NuGet.config --- NuGet.Config | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index da57d47267..0e74a4912d 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,8 @@  - + + - \ No newline at end of file + From 81e8830c673ea5bdb6650d1d546b40882b49f47f Mon Sep 17 00:00:00 2001 From: Victor Hurdugaci Date: Wed, 29 Jul 2015 00:30:44 -0700 Subject: [PATCH 160/493] React to DNX renames --- .../DataProtectionExtensions.cs | 2 +- src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 4 ++-- .../DataProtectionExtensionsTests.cs | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs index ecbe0482ca..45de288e46 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -11,7 +11,7 @@ using Microsoft.AspNet.DataProtection.Abstractions; using Microsoft.Framework.Internal; #if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available -using Microsoft.Framework.Runtime; +using Microsoft.Dnx.Runtime; #endif namespace Microsoft.AspNet.DataProtection diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index d5b0e15b13..44404cf494 100644 
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -13,12 +13,12 @@ "net451": { }, "dnx451": { "dependencies": { - "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*" + "Microsoft.Dnx.Runtime.Abstractions": "1.0.0-*" } }, "dnxcore50": { "dependencies": { - "Microsoft.Framework.Runtime.Abstractions": "1.0.0-*", + "Microsoft.Dnx.Runtime.Abstractions": "1.0.0-*", "System.ComponentModel": "4.0.0-beta-*", "System.Diagnostics.Debug": "4.0.10-beta-*", "System.Reflection": "4.0.10-beta-*", diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs index d45104197e..771f7e5133 100644 --- a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs @@ -8,7 +8,7 @@ using System.Text; using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Abstractions; using Microsoft.AspNet.Testing; -using Microsoft.Framework.Runtime; +using Microsoft.Dnx.Runtime; using Moq; using Xunit; From 7fe2a43b058f6c2fdeec28c814d7835e2c49bbef Mon Sep 17 00:00:00 2001 From: Troy Dai Date: Tue, 4 Aug 2015 10:15:23 -0700 Subject: [PATCH 161/493] Update CoreCLR versions --- .../project.json | 14 +++++++------- .../project.json | 4 ++-- .../project.json | 12 ++++++------ .../project.json | 2 +- src/Microsoft.AspNet.DataProtection/project.json | 16 ++++++++-------- 5 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index 2082cc1e33..ded1620641 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json 
@@ -12,14 +12,14 @@ "dnx451": { }, "dnxcore50": { "dependencies": { - "System.Diagnostics.Debug": "4.0.10-beta-*", - "System.Globalization": "4.0.10-beta-*", - "System.Resources.ResourceManager": "4.0.0-beta-*", - "System.Runtime": "4.0.20-beta-*", - "System.Runtime.Handles": "4.0.0-beta-*", - "System.Runtime.InteropServices": "4.0.20-beta-*", + "System.Diagnostics.Debug": "4.0.11-beta-*", + "System.Globalization": "4.0.11-beta-*", + "System.Resources.ResourceManager": "4.0.1-beta-*", + "System.Runtime": "4.0.21-beta-*", + "System.Runtime.Handles": "4.0.1-beta-*", + "System.Runtime.InteropServices": "4.0.21-beta-*", "System.Security.Cryptography.Encryption": "4.0.0-beta-*", - "System.Threading": "4.0.10-beta-*" + "System.Threading": "4.0.11-beta-*" } } }, diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 1d54408978..9a2b42e208 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -14,10 +14,10 @@ "dnx451": { }, "dnxcore50": { "dependencies": { - "System.Runtime.Extensions": "4.0.10-beta-*", + "System.Runtime.Extensions": "4.0.11-beta-*", "System.Security.Cryptography.Hashing": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.10-beta-*" + "System.Text.Encoding.Extensions": "4.0.11-beta-*" } } }, diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index 44404cf494..0c1bd7f94b 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json 
@@ -19,13 +19,13 @@ "dnxcore50": { "dependencies": { "Microsoft.Dnx.Runtime.Abstractions": "1.0.0-*", - "System.ComponentModel": "4.0.0-beta-*", - "System.Diagnostics.Debug": "4.0.10-beta-*", - "System.Reflection": "4.0.10-beta-*", - "System.Resources.ResourceManager": "4.0.0-beta-*", - "System.Runtime.Extensions": "4.0.10-beta-*", + "System.ComponentModel": "4.0.1-beta-*", + "System.Diagnostics.Debug": "4.0.11-beta-*", + "System.Reflection": "4.0.11-beta-*", + "System.Resources.ResourceManager": "4.0.1-beta-*", + "System.Runtime.Extensions": "4.0.11-beta-*", "System.Security.Cryptography.Encryption": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.10-beta-*" + "System.Text.Encoding.Extensions": "4.0.11-beta-*" } } }, diff --git a/src/Microsoft.AspNet.DataProtection.Sources/project.json b/src/Microsoft.AspNet.DataProtection.Sources/project.json index 49a87fca56..6244fa890a 100644 --- a/src/Microsoft.AspNet.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNet.DataProtection.Sources/project.json @@ -13,7 +13,7 @@ "dnxcore50": { "dependencies": { "System.Security.Cryptography.Encryption": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.10-beta-*" + "System.Text.Encoding.Extensions": "4.0.11-beta-*" } } }, diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 6ebc06836b..f746667030 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json 
@@ -34,19 +34,19 @@ "dnxcore50": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", - "System.IO": "4.0.10-beta-*", - "System.IO.FileSystem": "4.0.0-beta-*", - "System.Linq": "4.0.0-beta-*", - "System.Reflection.Extensions": "4.0.0-beta-*", - "System.Reflection.TypeExtensions": "4.0.0-beta-*", + "System.IO": "4.0.11-beta-*", + "System.IO.FileSystem": "4.0.1-beta-*", + "System.Linq": "4.0.1-beta-*", + "System.Reflection.Extensions": "4.0.1-beta-*", + "System.Reflection.TypeExtensions": "4.0.1-beta-*", "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", "System.Security.Cryptography.RandomNumberGenerator": "4.0.0-beta-*", - "System.Security.Claims": "4.0.0-beta-*", + "System.Security.Claims": "4.0.1-beta-*", "System.Security.Principal.Windows": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.10-beta-*", - "System.Xml.XDocument": "4.0.10-beta-*" + "System.Text.Encoding.Extensions": "4.0.11-beta-*", + "System.Xml.XDocument": "4.0.11-beta-*" } } }, From 9bebd183d78eb210ec2071ec4cc02458863bd0fd Mon Sep 17 00:00:00 2001 From: Chris R Date: Tue, 11 Aug 2015 10:34:11 -0700 Subject: [PATCH 162/493] #396 React to CoreCLR Cryptography package refactoring. Remove transitive dependencies. --- src/Microsoft.AspNet.Cryptography.Internal/project.json | 5 +---- .../project.json | 3 +-- .../project.json | 3 +-- src/Microsoft.AspNet.DataProtection.Sources/project.json | 2 +- src/Microsoft.AspNet.DataProtection/project.json | 6 ------ 5 files changed, 4 insertions(+), 15 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index ded1620641..071b3888dc 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json 
@@ -13,12 +13,9 @@ "dnxcore50": { "dependencies": { "System.Diagnostics.Debug": "4.0.11-beta-*", - "System.Globalization": "4.0.11-beta-*", - "System.Resources.ResourceManager": "4.0.1-beta-*", - "System.Runtime": "4.0.21-beta-*", "System.Runtime.Handles": "4.0.1-beta-*", "System.Runtime.InteropServices": "4.0.21-beta-*", - "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Security.Cryptography.Primitives": "4.0.0-beta-*", "System.Threading": "4.0.11-beta-*" } } diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 9a2b42e208..a0a89944c2 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -15,8 +15,7 @@ "dnxcore50": { "dependencies": { "System.Runtime.Extensions": "4.0.11-beta-*", - "System.Security.Cryptography.Hashing": "4.0.0-beta-*", - "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", + "System.Security.Cryptography.Algorithms": "4.0.0-beta-*", "System.Text.Encoding.Extensions": "4.0.11-beta-*" } } diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index 0c1bd7f94b..5e7e8b47e9 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -22,9 +22,8 @@ "System.ComponentModel": "4.0.1-beta-*", "System.Diagnostics.Debug": "4.0.11-beta-*", "System.Reflection": "4.0.11-beta-*", - "System.Resources.ResourceManager": "4.0.1-beta-*", "System.Runtime.Extensions": "4.0.11-beta-*", - "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Security.Cryptography.Primitives": "4.0.0-beta-*", "System.Text.Encoding.Extensions": "4.0.11-beta-*" } } 
diff --git a/src/Microsoft.AspNet.DataProtection.Sources/project.json b/src/Microsoft.AspNet.DataProtection.Sources/project.json index 6244fa890a..57c8f34b7c 100644 --- a/src/Microsoft.AspNet.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNet.DataProtection.Sources/project.json @@ -12,7 +12,7 @@ "dnx451": { }, "dnxcore50": { "dependencies": { - "System.Security.Cryptography.Encryption": "4.0.0-beta-*", + "System.Security.Cryptography.Primitives": "4.0.0-beta-*", "System.Text.Encoding.Extensions": "4.0.11-beta-*" } } diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index f746667030..e3199df631 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -34,18 +34,12 @@ "dnxcore50": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", - "System.IO": "4.0.11-beta-*", - "System.IO.FileSystem": "4.0.1-beta-*", "System.Linq": "4.0.1-beta-*", "System.Reflection.Extensions": "4.0.1-beta-*", "System.Reflection.TypeExtensions": "4.0.1-beta-*", "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", - "System.Security.Cryptography.Encryption.Aes": "4.0.0-beta-*", - "System.Security.Cryptography.Hashing.Algorithms": "4.0.0-beta-*", - "System.Security.Cryptography.RandomNumberGenerator": "4.0.0-beta-*", "System.Security.Claims": "4.0.1-beta-*", "System.Security.Principal.Windows": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.11-beta-*", "System.Xml.XDocument": "4.0.11-beta-*" } } From 4342f25eceec3bdd9b08986592b9bed73dcf9bca Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 11 Aug 2015 13:04:40 -0700 Subject: [PATCH 163/493] Reacting to DI changes --- .../DataProtectionConfiguration.cs | 1 + .../DataProtectionServiceCollectionExtensions.cs | 1 + .../RegistryPolicyResolverTests.cs | 1 + 3 files changed, 3 insertions(+) 
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs index c8af02a98d..33008d3c36 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs @@ -8,6 +8,7 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.DependencyInjection.Extensions; using Microsoft.Framework.Internal; using Microsoft.Win32; diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index 0a17eb8e67..d075a61b5c 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -3,6 +3,7 @@ using System; using Microsoft.AspNet.DataProtection; +using Microsoft.Framework.DependencyInjection.Extensions; using Microsoft.Framework.Internal; namespace Microsoft.Framework.DependencyInjection diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs index ed96b16748..8e7e0a13b1 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs 
@@ -11,6 +11,7 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.Testing.xunit; using Microsoft.Framework.DependencyInjection; +using Microsoft.Framework.DependencyInjection.Extensions; using Microsoft.Framework.OptionsModel; using Microsoft.Win32; using Xunit; From 1a7f12245c26751f7f8456b9147a5bd63977438e Mon Sep 17 00:00:00 2001 From: Kiran Challa Date: Tue, 11 Aug 2015 16:57:49 -0700 Subject: [PATCH 164/493] Enable pinning build script --- build.cmd | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/build.cmd b/build.cmd index 41025afb26..ccf195aee8 100644 --- a/build.cmd +++ b/build.cmd @@ -3,6 +3,8 @@ cd %~dp0 SETLOCAL SET CACHED_NUGET=%LocalAppData%\NuGet\NuGet.exe +SET BUILDCMD_KOREBUILD_VERSION="" +SET BUILDCMD_DNX_VERSION="" IF EXIST %CACHED_NUGET% goto copynuget echo Downloading latest version of NuGet.exe... 
@@ -16,13 +18,21 @@ copy %CACHED_NUGET% .nuget\nuget.exe > nul :restore IF EXIST packages\KoreBuild goto run -.nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre +IF %BUILDCMD_KOREBUILD_VERSION%=="" ( + .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre +) ELSE ( + .nuget\NuGet.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre +) .nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion IF "%SKIP_DNX_INSTALL%"=="1" goto run -CALL packages\KoreBuild\build\dnvm upgrade -runtime CLR -arch x86 +IF %BUILDCMD_DNX_VERSION%=="" ( + CALL packages\KoreBuild\build\dnvm upgrade -runtime CLR -arch x86 +) ELSE ( + CALL packages\KoreBuild\build\dnvm install %BUILDCMD_DNX_VERSION% -runtime CLR -arch x86 -a default +) CALL packages\KoreBuild\build\dnvm install default -runtime CoreCLR -arch x86 :run CALL packages\KoreBuild\build\dnvm use default -runtime CLR -arch x86 -packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* +packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* \ No newline at end of file From 80bc61cbea5d9ffb75cc3e7aff6236a8aa26d9f6 Mon Sep 17 00:00:00 2001 From: Kiran Challa Date: Tue, 11 Aug 2015 15:06:41 -0700 Subject: [PATCH 165/493] Reacting to disposable logger provider --- .../StringLoggerFactory.cs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs index 0842986006..888892e10e 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs @@ -29,6 +29,10 @@ namespace Microsoft.AspNet.DataProtection return new StringLogger(name, this); } + public void Dispose() + { + } + public override string ToString() { return _log.ToString(); 
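Review bot: The pin added here is opt-in and ships empty, so with `BUILDCMD_KOREBUILD_VERSION=""` the first branch still installs whatever prerelease KoreBuild the feed serves (`-pre -nocache`), and the script then `CALL`s `packages\KoreBuild\build\dnvm` from that package. The `dnvm upgrade` branch has the same property for the runtime. Both `SET` lines sit in the previous hunk and are assigned unconditionally, so a value exported by the caller is overwritten and pinning presumably depends on something rewriting this file. I would say so in a comment above the first `IF`, e.g. `REM Unpinned unless the SET lines above are rewritten: installs the newest prerelease KoreBuild from the configured feeds`. The comparison `IF %BUILDCMD_KOREBUILD_VERSION%==""` is also fragile, because it becomes a syntax error if the variable is ever set to an empty value without the literal quotes.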
From 17b7e92fc3ffc266a8ae45fe52a459ba50f96906 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 17 Aug 2015 14:47:52 -0700 Subject: [PATCH 166/493] Updating to release NuGet.config. --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index da57d47267..3b8d545754 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + - + \ No newline at end of file From 86c2d546fa833fefb85e9ffe94b5ee57f1156158 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 18 Aug 2015 14:00:17 -0700 Subject: [PATCH 167/493] Updating to aspnetliterelease. --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index 3b8d545754..e2378fe359 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + \ No newline at end of file From df3168a53a30deccf34ef9a12e4ce0b4a547dcbc Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 18 Aug 2015 14:00:18 -0700 Subject: [PATCH 168/493] Updating to aspnetlitedev. --- NuGet.Config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.Config b/NuGet.Config index da57d47267..6685c5330a 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -1,7 +1,7 @@ - + - + \ No newline at end of file From fb56515af8b83849f44540b0c6050607fd2dbd02 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Wed, 19 Aug 2015 14:52:43 -0700 Subject: [PATCH 169/493] Update NuGet feed from v2 => v3. --- NuGet.Config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.Config b/NuGet.Config index 6685c5330a..10cec18a32 100644 --- a/NuGet.Config +++ b/NuGet.Config @@ -2,6 +2,6 @@ - + \ No newline at end of file From 00e703782df5dab31c49c98908bec8994d1f8207 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 20 Aug 2015 15:36:55 -0700 Subject: [PATCH 170/493] Update 'build.cmd' to pull Sake from v2 NuGet feed. --- build.cmd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/build.cmd b/build.cmd index ccf195aee8..b54d91cf74 100644 --- a/build.cmd +++ b/build.cmd @@ -23,7 +23,7 @@ IF %BUILDCMD_KOREBUILD_VERSION%=="" ( ) ELSE ( .nuget\NuGet.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre ) -.nuget\NuGet.exe install Sake -version 0.2 -o packages -ExcludeVersion +.nuget\NuGet.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages IF "%SKIP_DNX_INSTALL%"=="1" goto run IF %BUILDCMD_DNX_VERSION%=="" ( From 35fd0403a61137ff126d3ff2012a73694a33bdaf Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 20 Aug 2015 20:46:00 -0700 Subject: [PATCH 171/493] Update 'build.sh' to pull Sake from v2 NuGet feed. --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index 3ef874f9bd..68c3e8cb52 100755 --- a/build.sh +++ b/build.sh @@ -24,7 +24,7 @@ fi if test ! -d packages/KoreBuild; then mono .nuget/nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre - mono .nuget/nuget.exe install Sake -version 0.2 -o packages -ExcludeVersion + mono .nuget/nuget.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages fi if ! type dnvm > /dev/null 2>&1; then From a4144caedd5f69435c16088fb6f00b8b33e5a537 Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Wed, 26 Aug 2015 16:05:01 -0700 Subject: [PATCH 172/493] React to options --- .../DataProtectionProviderFactory.cs | 2 +- .../DataProtectionServiceDescriptors.cs | 2 +- .../RegistryPolicyResolverTests.cs | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs index a7b4aed888..788db53ac1 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs 
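Review bot: Dropping `-version 0.2` from the Sake install removes a fixed tool version, so the build now runs whichever Sake release the feed serves at restore time (`packages\Sake\tools\Sake.exe` in the `:run` step, outside this hunk). The commit message only asks for the v2 feed, which `-Source https://www.nuget.org/api/v2/` achieves on its own. Since `-ExcludeVersion` already keeps the install path stable, the pin can stay: `.nuget\NuGet.exe install Sake -version 0.2 -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages`. The build.sh hunk in the next patch makes the same change to `mono .nuget/nuget.exe install Sake` and has the same effect.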
@@ -43,7 +43,7 @@ namespace Microsoft.AspNet.DataProtection { var keyRingProvider = new KeyRingProvider( keyManager: services.GetRequiredService(), - keyManagementOptions: services.GetService>()?.Options, // might be null + keyManagementOptions: services.GetService>()?.Value, // might be null services: services); dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, services); } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs index 802249aace..4cbe0e6fd0 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs @@ -86,7 +86,7 @@ namespace Microsoft.Framework.DependencyInjection { return ServiceDescriptor.Singleton( services => DataProtectionProviderFactory.GetProviderFromServices( - options: services.GetRequiredService>().Options, + options: services.GetRequiredService>().Value, services: services, mustCreateImmediately: true /* this is the ultimate fallback */)); } diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs index 8e7e0a13b1..3aa2902904 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -63,7 +63,7 @@ namespace Microsoft.AspNet.DataProtection var services = serviceCollection.BuildServiceProvider(); var keyManagementOptions = services.GetService>(); - Assert.Equal(TimeSpan.FromDays(1024), keyManagementOptions.Options.NewKeyLifetime); + Assert.Equal(TimeSpan.FromDays(1024), keyManagementOptions.Value.NewKeyLifetime); } [ConditionalFact] From 5bf429d212abe987c5b9c2308ebfc844157557a6 Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Thu, 10 Sep 2015 16:41:24 -0700 Subject: [PATCH 173/493] Adding NeutralResourcesLanguageAttribute --- .../Properties/AssemblyInfo.cs | 3 ++- .../Properties/AssemblyInfo.cs | 3 ++- .../Properties/AssemblyInfo.cs | 3 ++- .../Properties/AssemblyInfo.cs | 3 ++- .../Properties/AssemblyInfo.cs | 4 +++- .../Properties/AssemblyInfo.cs | 3 ++- 6 files changed, 13 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs index 7b1f473f6f..5f65cef6e8 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs @@ -1,8 +1,8 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Reflection; +using System.Resources; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; @@ -16,3 +16,4 @@ using System.Runtime.InteropServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] [assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs index 1e3c9f69aa..19dcc92ab2 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs 
@@ -1,9 +1,10 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Reflection; +using System.Resources; using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] [assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs index 19e5fabbbb..c1bee7c37f 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs @@ -1,10 +1,11 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Reflection; +using System.Resources; using System.Runtime.CompilerServices; // for unit testing [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test")] [assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs index ff8e404744..f1012ed502 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs 
@@ -1,9 +1,10 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Reflection; +using System.Resources; using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test")] [assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs index 025a94598c..3f4a3b62e0 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs @@ -2,5 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System.Reflection; +using System.Resources; -[assembly: AssemblyMetadata("Serviceable", "True")] \ No newline at end of file +[assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs index 08f1c43511..a859f1608f 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs 
@@ -1,11 +1,12 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Reflection; +using System.Resources; using System.Runtime.CompilerServices; // for unit testing [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] [assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] [assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] From 2d01d47c18d2b9ca8cd3752ca13d02641d583cc0 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 17 Sep 2015 18:32:10 -0700 Subject: [PATCH 174/493] Update nuget.exe and corresponding feeds to v3. --- NuGet.Config => NuGet.config | 2 +- build.cmd | 11 ++++++----- build.sh | 12 +++++++----- 3 files changed, 14 insertions(+), 11 deletions(-) rename NuGet.Config => NuGet.config (83%) diff --git a/NuGet.Config b/NuGet.config similarity index 83% rename from NuGet.Config rename to NuGet.config index 10cec18a32..1707938c61 100644 --- a/NuGet.Config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + \ No newline at end of file diff --git a/build.cmd b/build.cmd index b54d91cf74..177997c42e 100644 --- a/build.cmd +++ b/build.cmd 
@@ -2,14 +2,15 @@ cd %~dp0 SETLOCAL -SET CACHED_NUGET=%LocalAppData%\NuGet\NuGet.exe +SET NUGET_VERSION=latest +SET CACHED_NUGET=%LocalAppData%\NuGet\nuget.%NUGET_VERSION%.exe SET BUILDCMD_KOREBUILD_VERSION="" SET BUILDCMD_DNX_VERSION="" IF EXIST %CACHED_NUGET% goto copynuget echo Downloading latest version of NuGet.exe... IF NOT EXIST %LocalAppData%\NuGet md %LocalAppData%\NuGet -@powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://www.nuget.org/nuget.exe' -OutFile '%CACHED_NUGET%'" +@powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://dist.nuget.org/win-x86-commandline/%NUGET_VERSION%/nuget.exe' -OutFile '%CACHED_NUGET%'" :copynuget IF EXIST .nuget\nuget.exe goto restore @@ -19,11 +20,11 @@ copy %CACHED_NUGET% .nuget\nuget.exe > nul :restore IF EXIST packages\KoreBuild goto run IF %BUILDCMD_KOREBUILD_VERSION%=="" ( - .nuget\NuGet.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre + .nuget\nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre ) ELSE ( - .nuget\NuGet.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre + .nuget\nuget.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre ) -.nuget\NuGet.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages +.nuget\nuget.exe install Sake -ExcludeVersion -Out packages IF "%SKIP_DNX_INSTALL%"=="1" goto run IF %BUILDCMD_DNX_VERSION%=="" ( diff --git a/build.sh b/build.sh index 68c3e8cb52..0c66139817 100755 --- a/build.sh +++ b/build.sh 
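Review bot: `SET NUGET_VERSION=latest` points both the cache name and the download URL at a moving target, and the file fetched from `dist.nuget.org` is stored under `%LocalAppData%\NuGet` and later run as `.nuget\nuget.exe` without any hash or signature check. Because the cached name is always `nuget.latest.exe`, a machine keeps whichever binary it downloaded first, so two build agents can run different NuGet clients under the same name. I would pin a concrete release with `SET NUGET_VERSION=<pinned-version>` and verify the download before the `copy` under `:copynuget` (outside this hunk), for example by comparing `Get-FileHash` output with a value recorded in the repository. The second hunk's `.nuget\nuget.exe install Sake -ExcludeVersion -Out packages` now takes Sake from whatever sources NuGet.config lists, still without a version. The build.sh hunk in this patch mirrors both points.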
@@ -10,21 +10,23 @@ else fi fi mkdir -p $cachedir +nugetVersion=latest +cachePath=$cachedir/nuget.$nugetVersion.exe -url=https://www.nuget.org/nuget.exe +url=https://dist.nuget.org/win-x86-commandline/$nugetVersion/nuget.exe -if test ! -f $cachedir/nuget.exe; then - wget -O $cachedir/nuget.exe $url 2>/dev/null || curl -o $cachedir/nuget.exe --location $url /dev/null +if test ! -f $cachePath; then + wget -O $cachePath $url 2>/dev/null || curl -o $cachePath --location $url /dev/null fi if test ! -e .nuget; then mkdir .nuget - cp $cachedir/nuget.exe .nuget/nuget.exe + cp $cachePath .nuget/nuget.exe fi if test ! -d packages/KoreBuild; then mono .nuget/nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre - mono .nuget/nuget.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages + mono .nuget/nuget.exe install Sake -ExcludeVersion -Out packages fi if ! type dnvm > /dev/null 2>&1; then From 67d9cb7abbceba53c6c546434efa44ba8f2a2269 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Wed, 23 Sep 2015 12:42:57 -0700 Subject: [PATCH 175/493] Enabling NuGetPackageVerifier --- NuGetPackageVerifier.json | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 NuGetPackageVerifier.json diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json new file mode 100644 index 0000000000..1a8e5da220 --- /dev/null +++ b/NuGetPackageVerifier.json 
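Review bot: The download writes straight to `$cachePath` with errors discarded, so a failed or interrupted transfer leaves a file that the `test ! -f $cachePath` guard accepts on every later run and that `mono` is then asked to execute. The `curl` fallback has no `--fail`, so an HTTP error body would be saved as `nuget.exe` as well. `$cachePath` and `$url` are expanded unquoted; `cachedir` is built above this hunk, presumably from `$HOME` or `$XDG_DATA_HOME`, so a path containing spaces would break the `test`, `wget` and `cp` lines. Downloading to a temporary name and renaming only on success, with quoting, avoids both problems. A checksum comparison before the `mv` would close the integrity gap raised for build.cmd.

```shell
if test ! -f "$cachePath"; then
    tmpPath="$cachePath.partial"
    { wget -O "$tmpPath" "$url" 2>/dev/null || curl --fail -o "$tmpPath" --location "$url" 2>/dev/null; } \
        && mv "$tmpPath" "$cachePath"
fi
# … unchanged: .nuget directory creation, KoreBuild and Sake install …
```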
@@ -0,0 +1,36 @@ +{ + "adx": { // Packages written by the ADX team and that ship on NuGet.org + "rules": [ + "AssemblyHasDocumentFileRule", + "AssemblyHasVersionAttributesRule", + "AssemblyHasServicingAttributeRule", + "AssemblyHasNeutralResourcesLanguageAttributeRule", + "SatellitePackageRule", + "StrictSemanticVersionValidationRule" + ], + "packages": { + "Microsoft.AspNet.Cryptography.Internal": { }, + "Microsoft.AspNet.Cryptography.KeyDerivation": { }, + "Microsoft.AspNet.DataProtection": { }, + "Microsoft.AspNet.DataProtection.Abstractions": { }, + "Microsoft.AspNet.DataProtection.Extensions": { }, + "Microsoft.AspNet.DataProtection.SystemWeb": { } + } + }, + "adx-nonshipping": { + "rules": [], + "packages": { + "Microsoft.AspNet.DataProtection.Sources": { } + } + }, + "Default": { // Rules to run for packages not listed in any other set. + "rules": [ + "AssemblyHasDocumentFileRule", + "AssemblyHasVersionAttributesRule", + "AssemblyHasServicingAttributeRule", + "AssemblyHasNeutralResourcesLanguageAttributeRule", + "SatellitePackageRule", + "StrictSemanticVersionValidationRule" + ] + } +} \ No newline at end of file From 7334d4922e9baa529650a0d910683b3b367a2ea5 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 28 Sep 2015 23:12:07 -0700 Subject: [PATCH 176/493] Updating to release NuGet.config. --- NuGet.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.config b/NuGet.config index 1707938c61..9db87a421e 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + \ No newline at end of file From ef8e7a0a29b273624dffa4bdb87a0779901e8c46 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 1 Oct 2015 11:57:15 -0700 Subject: [PATCH 177/493] Update 'build.cmd' alias parameter to use full name. --- build.cmd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.cmd b/build.cmd index 177997c42e..70d974a61f 100644 --- a/build.cmd +++ b/build.cmd 
@@ -30,7 +30,7 @@ IF "%SKIP_DNX_INSTALL%"=="1" goto run IF %BUILDCMD_DNX_VERSION%=="" ( CALL packages\KoreBuild\build\dnvm upgrade -runtime CLR -arch x86 ) ELSE ( - CALL packages\KoreBuild\build\dnvm install %BUILDCMD_DNX_VERSION% -runtime CLR -arch x86 -a default + CALL packages\KoreBuild\build\dnvm install %BUILDCMD_DNX_VERSION% -runtime CLR -arch x86 -alias default ) CALL packages\KoreBuild\build\dnvm install default -runtime CoreCLR -arch x86 From ad9d75a599470f03349760fc46d5fefd832cb62e Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Sat, 3 Oct 2015 15:44:36 -0700 Subject: [PATCH 178/493] Renaming Microsoft.Framework.* -> Microsoft.Extensions.* --- .../KeyDerivation.cs | 2 +- .../project.json | 2 +- .../DataProtectionExtensions.cs | 2 +- .../IDataProtectionProvider.cs | 2 +- .../IDataProtector.cs | 2 +- .../project.json | 2 +- .../DataProtectionExtensions.cs | 2 +- .../DataProtectionProvider.cs | 4 ++-- .../ITimeLimitedDataProtector.cs | 2 +- .../TimeLimitedDataProtector.cs | 2 +- .../project.json | 4 ++-- .../DataProtectionStartup.cs | 2 +- .../project.json | 2 +- .../ActivatorExtensions.cs | 4 ++-- .../AuthenticatedEncryptionOptions.cs | 2 +- .../CngCbcAuthenticatedEncryptionOptions.cs | 2 +- .../CngGcmAuthenticatedEncryptionOptions.cs | 2 +- .../AuthenticatedEncryptorConfiguration.cs | 2 +- .../AuthenticatedEncryptorDescriptor.cs | 2 +- .../AuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../CngCbcAuthenticatedEncryptorConfiguration.cs | 2 +- .../CngCbcAuthenticatedEncryptorDescriptor.cs | 4 ++-- .../CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../CngGcmAuthenticatedEncryptorConfiguration.cs | 2 +- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 4 ++-- .../CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../IAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../IInternalAuthenticatedEncryptorConfiguration.cs | 2 +- .../ManagedAuthenticatedEncryptorConfiguration.cs | 2 +- .../ManagedAuthenticatedEncryptorDescriptor.cs | 4 ++-- ...ManagedAuthenticatedEncryptorDescriptorDeserializer.cs | 2 +- .../ConfigurationModel/XmlExtensions.cs | 2 +- .../ConfigurationModel/XmlSerializedDescriptorInfo.cs | 2 +- .../ManagedAuthenticatedEncryptionOptions.cs | 2 +- .../DataProtectionConfiguration.cs | 6 +++--- .../DataProtectionProviderFactory.cs | 6 +++--- .../DataProtectionServiceCollectionExtensions.cs | 6 +++--- .../DataProtectionServiceDescriptors.cs | 4 ++-- .../DataProtectionServices.cs | 4 ++-- .../EphemeralDataProtectionProvider.cs | 4 
++-- .../KeyManagement/DefaultKeyResolver.cs | 2 +- .../KeyManagement/DefaultKeyServices.cs | 2 +- .../KeyManagement/KeyEscrowServiceProviderExtensions.cs | 2 +- .../KeyManagement/KeyRingBasedDataProtectionProvider.cs | 4 ++-- .../KeyManagement/KeyRingBasedDataProtector.cs | 4 ++-- .../KeyManagement/KeyRingProvider.cs | 4 ++-- .../KeyManagement/XmlKeyManager.cs | 6 +++--- src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs | 4 ++-- .../LoggingServiceProviderExtensions.cs | 4 ++-- .../RegistryPolicyResolver.cs | 2 +- .../Repositories/EphemeralXmlRepository.cs | 4 ++-- .../Repositories/FileSystemXmlRepository.cs | 4 ++-- .../Repositories/RegistryXmlRepository.cs | 4 ++-- src/Microsoft.AspNet.DataProtection/Secret.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 6 +++--- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 4 ++-- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 4 ++-- .../XmlEncryption/DpapiXmlDecryptor.cs | 4 ++-- .../XmlEncryption/DpapiXmlEncryptor.cs | 4 ++-- .../XmlEncryption/EncryptedXmlDecryptor.core50.cs | 4 ++-- .../XmlEncryption/EncryptedXmlDecryptor.cs | 4 ++-- .../XmlEncryption/EncryptedXmlInfo.cs | 2 +- .../XmlEncryption/ICertificateResolver.cs | 2 +- .../XmlEncryption/IXmlDecryptor.cs | 2 +- .../XmlEncryption/IXmlEncryptor.cs | 2 +- .../XmlEncryption/NullXmlDecryptor.cs | 2 +- .../XmlEncryption/NullXmlEncryptor.cs | 4 ++-- src/Microsoft.AspNet.DataProtection/project.json | 8 ++++---- .../ActivatorTests.cs | 2 +- .../KeyEscrowServiceProviderExtensionsTests.cs | 2 +- .../KeyManagement/KeyRingProviderTests.cs | 2 +- .../KeyManagement/XmlKeyManagerTests.cs | 4 ++-- .../RegistryPolicyResolverTests.cs | 6 +++--- .../StringLoggerFactory.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/XmlEncryptionExtensionsTests.cs | 2 +- test/Microsoft.AspNet.DataProtection.Test/project.json | 2 +- 77 files changed, 117 insertions(+), 117 deletions(-) 
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs index 3837f11bd0..badd516b95 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs @@ -3,7 +3,7 @@ using System; using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.Cryptography.KeyDerivation { diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index a0a89944c2..d6076a7420 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -7,7 +7,7 @@ }, "dependencies": { "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } + "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } }, "frameworks": { "net451": { }, diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs index 45de288e46..bba0dd3df3 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -8,7 +8,7 @@ using System.Diagnostics; using System.Security.Cryptography; using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Abstractions; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; #if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available using Microsoft.Dnx.Runtime; 
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs
index 98697d8705..3e8a43a1fd 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs
index 02a4cc350e..782256425c 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs
@@ -3,7 +3,7 @@ using System; using System.Security.Cryptography;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json
index 5e7e8b47e9..e12d818db3 100644
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json
+++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json
@@ -6,7 +6,7 @@ "url": "git://github.com/aspnet/dataprotection" }, "dependencies": {
- "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" },
+ "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" },
 "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" } }, "frameworks": {
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs
index f246948e07..08e22d6948 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs
@@ -3,7 +3,7 @@ using System; using System.Security.Cryptography;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
index a8a9875be1..b0bb0a3ba3 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
@@ -3,8 +3,8 @@ using System; using System.IO;
-using Microsoft.Framework.DependencyInjection;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs
index e31387bd9f..df29c8039b 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs
@@ -3,7 +3,7 @@ using System; using System.Security.Cryptography;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs
index a55320a2e8..0c9aa18126 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs
@@ -5,7 +5,7 @@ using System; using System.Security.Cryptography; using System.Threading; using Microsoft.AspNet.DataProtection.Extensions;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json
index 35aea29f27..4634bb8825 100644
--- a/src/Microsoft.AspNet.DataProtection.Extensions/project.json
+++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json
@@ -8,8 +8,8 @@ "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" },
- "Microsoft.Framework.DependencyInjection": "1.0.0-*",
- "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }
+ "Microsoft.Extensions.DependencyInjection": "1.0.0-*",
+ "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }
 }, "frameworks": { "net451": { },
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs
index c580411d1c..20df0d00d8 100644
--- a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs
@@ -6,7 +6,7 @@ using System.Configuration; using System.Web; using System.Web.Configuration; using Microsoft.AspNet.DataProtection.Infrastructure;
-using Microsoft.Framework.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection;
 namespace Microsoft.AspNet.DataProtection.SystemWeb {
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json
index 7b674bc278..40e3e96d4f 100644
--- a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json
+++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json
@@ -9,7 +9,7 @@ "net451": { "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*",
- "Microsoft.Framework.DependencyInjection": "1.0.0-*"
+ "Microsoft.Extensions.DependencyInjection": "1.0.0-*"
 }, "frameworkAssemblies": { "System.Configuration": "4.0.0.0",
diff --git a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
index 448a935607..ed736020e5 100644
--- a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
@@ -4,8 +4,8 @@ using System; using System.Reflection; using Microsoft.AspNet.Cryptography;
-using Microsoft.Framework.DependencyInjection;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
index 0bef35432d..5692ed2488 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
@@ -6,7 +6,7 @@ using System.Security.Cryptography; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
index 159db39609..bd187df3d8 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
@@ -7,7 +7,7 @@ using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Cng;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
index 0ba9db209b..99ab80cdfe 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
@@ -7,7 +7,7 @@ using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Cng;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
index 6f87e92b3b..65f56dc546 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
index 5cc9a9694d..2c8c437ffc 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
@@ -3,7 +3,7 @@ using System; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
index 1aea96b505..29dccbf92a 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
@@ -4,7 +4,7 @@ using System; using System.Linq; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
index ab14b96b11..3be68f5a6b 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
index bcb8f17118..4ec26a0e61 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
@@ -3,8 +3,8 @@ using System; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Internal;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
index 796e74110c..9246a80fb1 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -3,7 +3,7 @@ using System; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
index af30b1c766..40c9905e85 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
index 972de41bec..c18c6b3028 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
@@ -3,8 +3,8 @@ using System; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Internal;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
index a42d48c16d..513163eed9 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -3,7 +3,7 @@ using System; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
index 55f24a7a85..ce131098a3 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -3,7 +3,7 @@ using System; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
index bde992ba46..238214fde5 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
index b29abdb151..d58fa121c4 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 using System.Security.Cryptography; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
index f616a42c24..d7e40021d7 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
@@ -4,8 +4,8 @@ using System; using System.Security.Cryptography; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Internal;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
index d07b187da5..905275000a 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
@@ -4,7 +4,7 @@ using System; using System.Security.Cryptography; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
index ba89541f23..0d485fd855 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
@@ -3,7 +3,7 @@ using System; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
index 5c5da348e9..01a2d24a94 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
@@ -4,7 +4,7 @@ using System; using System.Reflection; using System.Xml.Linq;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.Internal;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel {
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
index dbff16ae02..4751e893ec 100644
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
+++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
@@ -6,7 +6,7 @@ using System.Security.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Managed;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption {
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs
index 33008d3c36..deb8119b29 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs
@@ -7,9 +7,9 @@ using System.IO; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.XmlEncryption;
-using Microsoft.Framework.DependencyInjection;
-using Microsoft.Framework.DependencyInjection.Extensions;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Internal;
 using Microsoft.Win32; #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
index 788db53ac1..fa50355afb 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
@@ -3,9 +3,9 @@ using System; using Microsoft.AspNet.DataProtection.KeyManagement;
-using Microsoft.Framework.DependencyInjection;
-using Microsoft.Framework.Internal;
-using Microsoft.Framework.OptionsModel;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Internal;
+using Microsoft.Extensions.OptionsModel;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs
index d075a61b5c..df79eb2b48 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs
@@ -3,10 +3,10 @@ using System; using Microsoft.AspNet.DataProtection;
-using Microsoft.Framework.DependencyInjection.Extensions;
-using Microsoft.Framework.Internal;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Internal;
-namespace Microsoft.Framework.DependencyInjection
+namespace Microsoft.Extensions.DependencyInjection
 { /// /// Allows registering and configuring Data Protection in the application.
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
index 4cbe0e6fd0..9e08c553a2 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
@@ -10,14 +10,14 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption;
-using Microsoft.Framework.OptionsModel;
+using Microsoft.Extensions.OptionsModel;
 using Microsoft.Win32; #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; #endif
-namespace Microsoft.Framework.DependencyInjection
+namespace Microsoft.Extensions.DependencyInjection
 { /// /// Default instances for the Data Protection system.
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
index 08f0d1626e..5989631c4c 100644
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
@@ -9,10 +9,10 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.Repositories;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Logging;
 using Microsoft.Win32;
-namespace Microsoft.Framework.DependencyInjection
+namespace Microsoft.Extensions.DependencyInjection
 { /// /// Provides access to default Data Protection instances.
diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
index b1e7d48143..48c5789c50 100644
--- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
@@ -5,8 +5,8 @@ using System; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.KeyManagement;
-using Microsoft.Framework.Internal;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Internal;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection {
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
index 2921bb905b..242221eb7e 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
@@ -6,7 +6,7 @@ using System.Collections.Generic; using System.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.Framework.Logging;
+using Microsoft.Extensions.Logging;
 namespace Microsoft.AspNet.DataProtection.KeyManagement {
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
index 07addd064c..7d7b79bad3 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
@@ -5,7 +5,7 @@ using System; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption;
-using Microsoft.Framework.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection;
 namespace Microsoft.AspNet.DataProtection.KeyManagement {
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
index 3423ab38de..e6431c50a4 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
@@ -5,7 +5,7 @@ using System; using System.Collections.Generic; using System.Linq; using System.Xml.Linq;
-using Microsoft.Framework.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection;
 namespace Microsoft.AspNet.DataProtection.KeyManagement {
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
index a6a8c7724e..5892be7f9c 100644
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
@@ -2,8 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement { diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index b4f44cf5c9..3fcfbe54de 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -9,8 +9,8 @@ using System.Linq; using System.Threading; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement { diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index 35724b2874..c5cff61824 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs @@ -6,8 +6,8 @@ using System.Collections.Generic; using System.Diagnostics; using System.Threading; using Microsoft.AspNet.Cryptography; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement { diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index cd8bd5ca55..ee58f769a0 100644 
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs @@ -14,9 +14,9 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; using static System.FormattableString; diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs index 3b746be0c2..2c8a7dd366 100644 --- a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs @@ -3,9 +3,9 @@ using System; using System.Runtime.CompilerServices; -using Microsoft.Framework.Logging.Internal; +using Microsoft.Extensions.Logging.Internal; -namespace Microsoft.Framework.Logging +namespace Microsoft.Extensions.Logging { /// /// Helpful extension methods on . diff --git a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs index 1bc698d9f9..199f9fd35c 100644 --- a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs @@ -2,8 +2,8 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; namespace System { 
diff --git a/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs index 65171556f6..bd5447d172 100644 --- a/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs @@ -9,7 +9,7 @@ using System.Reflection; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.Framework.DependencyInjection; +using Microsoft.Extensions.DependencyInjection; using Microsoft.Win32; namespace Microsoft.AspNet.DataProtection diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs index 8fd68f6a60..a42808c83a 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs @@ -5,8 +5,8 @@ using System; using System.Collections.Generic; using System.Linq; using System.Xml.Linq; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.Repositories { diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index 57b4672cab..3825b72c5b 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs 
@@ -7,8 +7,8 @@ using System.Diagnostics; using System.IO; using System.Linq; using System.Xml.Linq; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.Repositories { diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index 65e3f5e93d..8006694313 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -6,8 +6,8 @@ using System.Collections.Generic; using System.Linq; using System.Security.Principal; using System.Xml.Linq; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; using Microsoft.Win32; using static System.FormattableString; diff --git a/src/Microsoft.AspNet.DataProtection/Secret.cs b/src/Microsoft.AspNet.DataProtection/Secret.cs index 99217666a6..e87446741b 100644 --- a/src/Microsoft.AspNet.DataProtection/Secret.cs +++ b/src/Microsoft.AspNet.DataProtection/Secret.cs @@ -6,7 +6,7 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.Managed; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 9a60b4f895..6c862bdde0 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs 
@@ -9,9 +9,9 @@ using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index 0f23744c0c..b903ddf48a 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -5,8 +5,8 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index ec58f19b65..d84be70c45 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -7,8 +7,8 @@ using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; using static System.FormattableString; 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index 146fc7e4cc..0d897d34fa 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -5,8 +5,8 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 6b1659e567..c7f4b429b1 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -7,8 +7,8 @@ using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs index ea3f22428e..a9195d0ef4 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs 
@@ -9,8 +9,8 @@ using System; using System.Xml.Linq; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index dfaa533ff3..e8aeda1287 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -7,8 +7,8 @@ using System; using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs index 3a51fb62e2..237736a0d4 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs @@ -4,7 +4,7 @@ using System; using System.Reflection; using System.Xml.Linq; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs index a457f8df20..9c73d5f9ee 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs 
@@ -5,7 +5,7 @@ using System; using System.Security.Cryptography.X509Certificates; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs index 1221fb21ef..53cfe278f7 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs @@ -3,7 +3,7 @@ using System; using System.Xml.Linq; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs index 0e1c3f6d61..8e503d2548 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs index 9769212115..db699c0146 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs @@ -4,7 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; -using Microsoft.Framework.Internal; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs index 170e014569..84ada1112d 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs @@ -3,8 +3,8 @@ using System; using System.Xml.Linq; -using Microsoft.Framework.Internal; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Internal; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index e3199df631..a398e7e5e2 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -9,10 +9,10 @@ "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, - "Microsoft.Framework.DependencyInjection.Abstractions": "1.0.0-*", - "Microsoft.Framework.Logging.Abstractions": "1.0.0-*", - "Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.Framework.OptionsModel": "1.0.0-*" + "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", + "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", + "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, + "Microsoft.Extensions.OptionsModel": "1.0.0-*" }, "frameworks": { "net451": { diff --git a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs index 83b634d5fe..5535eba438 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs 
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Framework.DependencyInjection; +using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs index 66a9d754a7..3a0148b33e 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs @@ -5,7 +5,7 @@ using System; using System.Collections.Generic; using System.Globalization; using System.Xml.Linq; -using Microsoft.Framework.DependencyInjection; +using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index e40180ee06..3cba1f3f58 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -8,7 +8,7 @@ using System.Threading; using System.Threading.Tasks; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.Testing; -using Microsoft.Framework.DependencyInjection; +using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index 98e34b73c4..2fbe9d9f2d 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs 
+++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs @@ -10,8 +10,8 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs index 3aa2902904..450c778c57 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -10,9 +10,9 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.Testing.xunit; -using Microsoft.Framework.DependencyInjection; -using Microsoft.Framework.DependencyInjection.Extensions; -using Microsoft.Framework.OptionsModel; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; +using Microsoft.Extensions.OptionsModel; using Microsoft.Win32; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs index 888892e10e..ef97826d13 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs 
@@ -4,7 +4,7 @@ using System; using System.Globalization; using System.Text; -using Microsoft.Framework.Logging; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection { diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 62279034ab..84e4d85f31 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -6,7 +6,7 @@ using System.Security.Cryptography; using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; -using Microsoft.Framework.DependencyInjection; +using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs index 8d19c39f00..be0b05dfd9 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs @@ -4,7 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; -using Microsoft.Framework.DependencyInjection; +using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index ee622b09f7..380927c2f1 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json 
@@ -3,7 +3,7 @@ "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, "Microsoft.AspNet.Testing": "1.0.0-*", - "Microsoft.Framework.DependencyInjection": "1.0.0-*", + "Microsoft.Extensions.DependencyInjection": "1.0.0-*", "Moq": "4.2.1312.1622", "xunit.runner.aspnet": "2.0.0-aspnet-*" }, From 76cbb57f9ab90407163c525fbbd4fc51c8279217 Mon Sep 17 00:00:00 2001 From: Cesar Blum Silveira Date: Mon, 5 Oct 2015 21:50:38 -0700 Subject: [PATCH 179/493] Fix build on Linux. --- makefile.shade | 131 ++++++++++++------ .../Properties/AssemblyInfo.cs | 1 + .../project.json | 3 + .../DataProtectionProviderTests.cs | 2 + .../project.json | 1 + .../KeyManagement/XmlKeyManagerTests.cs | 44 +++--- .../ManagedAuthenticatedEncryptorTests.cs | 5 +- .../CertificateXmlEncryptionTests.cs | 8 +- 8 files changed, 128 insertions(+), 67 deletions(-) diff --git a/makefile.shade b/makefile.shade index ad1b0d192a..2364f26b21 100644 --- a/makefile.shade +++ b/makefile.shade 
@@ -1,45 +1,86 @@ -use assembly='WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' -use namespace='System.IO.Packaging' - -var VERSION='0.1' -var FULL_VERSION='0.1' -var AUTHORS='Microsoft Open Technologies, Inc.' - -use-standard-lifecycle -k-standard-goals - -#nupkg-patch target='compile' - @{ - var packagePaths = Files.Include("artifacts/build/**/Microsoft.AspNet.DataProtection.SystemWeb.*.nupkg") - .Exclude("**/*.symbols.nupkg"); - foreach (var packagePath in packagePaths) - { - using (var package = Package.Open(packagePath, FileMode.Open, FileAccess.ReadWrite)) - { - CreatePartFromFile( - package, - @"src\Microsoft.AspNet.DataProtection.SystemWeb\web.config.transform", - @"content\net451\web.config.transform"); - } - } - } - -functions - @{ - PackagePart CreatePartFromFile( - Package destination, - string sourceFileName, - string partUriString) - { - var partUri = PackUriHelper.CreatePartUri(new Uri(partUriString, UriKind.Relative)); - var packagePart = destination.CreatePart(partUri, "application/octet", CompressionOption.Maximum); - - using (var sourceStream = File.OpenRead(sourceFileName)) - using (var stream = packagePart.GetStream()) - { - sourceStream.CopyTo(stream); - } - - return packagePart; - } - } +use assembly='WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' +use namespace='System.IO.Packaging' +use import="Environment" + +var VERSION='0.1' +var FULL_VERSION='0.1' +var AUTHORS='Microsoft Open Technologies, Inc.' 
+ +use-standard-lifecycle +k-standard-goals + +var Configuration2='${E("Configuration")}' +var ROOT = '${Directory.GetCurrentDirectory()}' +var BUILD_DIR2 = '${Path.Combine(ROOT, "build")}' + +#build-compile target='compile' if='!IsWindows && !IsBuildV2 && Directory.Exists("src")' + @{ + var projectFiles = Files.Include("src/**/project.json") + .Exclude("src/Microsoft.AspNet.DataProtection.SystemWeb/project.json") + .ToList(); + + if (ShouldRunInParallel) + { + Parallel.ForEach(projectFiles, projectFile => DnuPack(projectFile, BUILD_DIR2, Configuration2)); + } + else + { + projectFiles.ForEach(projectFile => DnuPack(projectFile, BUILD_DIR2, Configuration2)); + } + + foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR2, "*/*.nupkg"))) + { + File.Copy(nupkg, Path.Combine(BUILD_DIR2, Path.GetFileName(nupkg)), true); + } + } + +#build-compile target='compile' if='!IsWindows && IsBuildV2' + @{ + if (Directory.Exists("src")) + { + var projects = Files.Include("src/*") + .Exclude("src/Microsoft.AspNet.DataProtection.SystemWeb") + .ToList(); + + DnuPack(string.Join(";", projects), BUILD_DIR2, Configuration2); + + foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR2, "*/*.nupkg"))) + { + File.Copy(nupkg, Path.Combine(BUILD_DIR2, Path.GetFileName(nupkg)), true); + } + } + + if (Directory.Exists("test")) + { + DnuBuild("test/*", Configuration2); + } + } + +functions + @{ + PackagePart CreatePartFromFile( + Package destination, + string sourceFileName, + string partUriString) + { + var partUri = PackUriHelper.CreatePartUri(new Uri(partUriString, UriKind.Relative)); + var packagePart = destination.CreatePart(partUri, "application/octet", CompressionOption.Maximum); + + using (var sourceStream = File.OpenRead(sourceFileName)) + using (var stream = packagePart.GetStream()) + { + sourceStream.CopyTo(stream); + } + + return packagePart; + } + + bool IsWindows + { + get + { + var p = (int)Environment.OSVersion.Platform; + return (p != 4) && (p != 6) && (p != 128); + } 
+ } + } \ No newline at end of file diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs index 5f65cef6e8..bc9a2929e1 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs @@ -14,6 +14,7 @@ using System.Runtime.InteropServices; [assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test")] [assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json index 40e3e96d4f..65738ec429 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json @@ -20,5 +20,8 @@ }, "compilationOptions": { "warningsAsErrors": true + }, + "packInclude": { + "content/net451/": "web.config.transform" } } diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index e6d31a4d4d..7bfc8b0d6c 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -3,6 +3,7 @@ using System; using System.IO; +using Microsoft.AspNet.DataProtection.Test.Shared; using Microsoft.AspNet.Testing.xunit; using Xunit; 
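Review bot: The `functions` block still carries `CreatePartFromFile`, and the file still opens with `use assembly='WindowsBase, …'` and `use namespace='System.IO.Packaging'`, although the only caller visible in this hunk, the `#nupkg-patch` target, is removed. If nothing else in the build uses the helper, dropping it together with the two `use` lines would take a Windows-oriented assembly reference out of a script that now has to load on Linux; whether Sake resolves WindowsBase there cannot be seen from this hunk. Separately, the new `IsWindows` getter compares `Environment.OSVersion.Platform` with bare numbers, and a comment such as `// 4 = PlatformID.Unix, 6 = PlatformID.MacOSX, 128 = Unix as reported by older Mono` would make the check reviewable.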
@@ -36,6 +37,7 @@ namespace Microsoft.AspNet.DataProtection [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] + [ConditionalRunTestOnlyOnWindows] public void System_UsesProvidedDirectory_WithConfigurationCallback() { WithUniqueTempDirectory(directory => diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json index 50d98f9f25..f839a2023e 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json @@ -2,6 +2,7 @@ "dependencies": { "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, "Microsoft.AspNet.Testing": "1.0.0-*", "Moq": "4.2.1312.1622", "xunit.runner.aspnet": "2.0.0-aspnet-*" diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index 2fbe9d9f2d..19c8c75460 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs @@ -130,9 +130,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Finally, was the correct element stored in the repository? string expectedXml = String.Format(@" - 2014-01-01T00:00:00Z - 2014-02-01T00:00:00Z - 2014-03-01T00:00:00Z + {1} + {2} + {3} 
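Review bot: `[ConditionalRunTestOnlyOnWindows]` on `System_UsesProvidedDirectory_WithConfigurationCallback` switches the test off on Linux without recording why, and the same attribute is added to `Encrypt_KnownKey` in ManagedAuthenticatedEncryptorTests.cs further down. The second case deserves more attention: a known-key test is what pins the managed encryptor's output, and non-Windows hosts are presumably where the managed implementation is the one in use, so skipping it there leaves that path without a known-answer check. I would add a comment above each attribute naming the failure that motivated the skip and where re-enabling is tracked, for example `// Skipped off Windows: <reason-placeholder>; tracked in <issue-placeholder>`. Both test bodies continue outside their hunks, so the platform dependency itself cannot be judged from here.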
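Review bot: The expected XML in XmlKeyManagerTests.cs no longer pins the stored date format: the literals `2014-01-01T00:00:00Z` become `{1}`–`{3}` in this hunk, and the following hunks fill them with `new XElement("creationDate", creationDate)` and its siblings (the same pattern recurs in the escrow, repository and revocation expectations). If XmlKeyManager writes these elements through the same XElement conversion, which these hunks do not show, the assertion compares the serializer with itself and would still pass if the persisted format drifted between runtimes. Key and revocation files are read back later, so it would be worth keeping one format-independent check next to `XmlAssert.Equal`, for example `Assert.Equal(creationDate, (DateTimeOffset)elementStoredInRepository.Element("creationDate"));`, assuming `elementStoredInRepository` is an `XElement`. The test methods start and end outside these hunks.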
@@ -141,7 +141,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement ", - typeof(MyDeserializer).AssemblyQualifiedName); + typeof(MyDeserializer).AssemblyQualifiedName, + new XElement("creationDate", creationDate), + new XElement("activationDate", activationDate), + new XElement("expirationDate", expirationDate)); XmlAssert.Equal(expectedXml, elementStoredInRepository); Assert.Equal("key-3d6d01fd-c0e7-44ae-82dd-013b996b4093", friendlyNameStoredInRepository); } @@ -221,9 +224,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // This should not have gone through the encryptor. string expectedEscrowXml = String.Format(@" - 2014-01-01T00:00:00Z - 2014-02-01T00:00:00Z - 2014-03-01T00:00:00Z + {1} + {2} + {3} @@ -232,7 +235,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement ", - typeof(MyDeserializer).AssemblyQualifiedName); + typeof(MyDeserializer).AssemblyQualifiedName, + new XElement("creationDate", creationDate), + new XElement("activationDate", activationDate), + new XElement("expirationDate", expirationDate)); XmlAssert.Equal(expectedEscrowXml, elementStoredInEscrow); Assert.Equal(keyId, keyIdStoredInEscrow.Value); @@ -240,9 +246,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // This should have gone through the encryptor (which we set to be the null encryptor in this test) string expectedRepositoryXml = String.Format(@" - 2014-01-01T00:00:00Z - 2014-02-01T00:00:00Z - 2014-03-01T00:00:00Z + {2} + {3} + {4} 
@@ -256,7 +262,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement ", typeof(MyDeserializer).AssemblyQualifiedName, - typeof(NullXmlDecryptor).AssemblyQualifiedName); + typeof(NullXmlDecryptor).AssemblyQualifiedName, + new XElement("creationDate", creationDate), + new XElement("activationDate", activationDate), + new XElement("expirationDate", expirationDate)); XmlAssert.Equal(expectedRepositoryXml, elementStoredInRepository); Assert.Equal("key-3d6d01fd-c0e7-44ae-82dd-013b996b4093", friendlyNameStoredInRepository); } @@ -660,7 +669,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); - var revocationDate = DateTimeOffset.UtcNow; + var revocationDate = new DateTimeOffset(2014, 01, 01, 0, 0, 0, TimeSpan.Zero); // Act & assert @@ -672,19 +681,20 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // and we should've gotten a new CT. ((IInternalXmlKeyManager)keyManager).RevokeSingleKey( keyId: new Guid("a11f35fc-1fed-4bd4-b727-056a63b70932"), - revocationDate: new DateTimeOffset(2014, 01, 01, 0, 0, 0, TimeSpan.Zero), + revocationDate: revocationDate, reason: "Here's some reason text."); var secondCancellationToken = keyManager.GetCacheExpirationToken(); Assert.True(firstCancellationToken.IsCancellationRequested); Assert.False(secondCancellationToken.IsCancellationRequested); // Was the correct element stored in the repository? - const string expectedRepositoryXml = @" + var expectedRepositoryXml = string.Format(@" - 2014-01-01T00:00:00Z + {0} Here's some reason text. - "; + ", + new XElement("revocationDate", revocationDate)); XmlAssert.Equal(expectedRepositoryXml, elementStoredInRepository); Assert.Equal("revocation-a11f35fc-1fed-4bd4-b727-056a63b70932", friendlyNameStoredInRepository); } 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs index cc138e77a6..8fb3dc0d5d 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs @@ -5,6 +5,8 @@ using System; using System.Linq; using System.Security.Cryptography; using System.Text; +using Microsoft.AspNet.DataProtection.Test.Shared; +using Microsoft.AspNet.Testing.xunit; using Xunit; namespace Microsoft.AspNet.DataProtection.Managed @@ -77,7 +79,8 @@ namespace Microsoft.AspNet.DataProtection.Managed }); } - [Fact] + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] public void Encrypt_KnownKey() { // Arrange diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 84e4d85f31..9e5a2d45a0 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs 
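Review bot: `Encrypt_KnownKey` is now skipped off Windows via `[ConditionalRunTestOnlyOnWindows]`, but nothing next to the attribute says what in a test of the managed encryptor is platform-specific. A known-answer test is what catches silent changes to the ciphertext layout, so a skip should carry its reason and the condition for lifting it, for example `// Windows-only: <reason>; re-enable when <condition>` above the attribute. The test body lies outside the hunk, so whether another test still covers the managed path on other platforms cannot be told from here.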
@@ -18,15 +18,15 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption public void Encrypt_Decrypt_RoundTrips() { // Arrange - var aes = new AesCryptoServiceProvider(); - aes.GenerateKey(); + var symmetricAlgorithm = new TripleDESCryptoServiceProvider(); + symmetricAlgorithm.GenerateKey(); var serviceCollection = new ServiceCollection(); var mockInternalEncryptor = new Mock(); mockInternalEncryptor.Setup(o => o.PerformEncryption(It.IsAny(), It.IsAny())) .Returns((encryptedXml, element) => { - encryptedXml.AddKeyNameMapping("theKey", aes); // use symmetric encryption + encryptedXml.AddKeyNameMapping("theKey", symmetricAlgorithm); // use symmetric encryption return encryptedXml.Encrypt(element, "theKey"); }); serviceCollection.AddInstance(mockInternalEncryptor.Object); @@ -35,7 +35,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption mockInternalDecryptor.Setup(o => o.PerformPreDecryptionSetup(It.IsAny())) .Callback(encryptedXml => { - encryptedXml.AddKeyNameMapping("theKey", aes); // use symmetric encryption + encryptedXml.AddKeyNameMapping("theKey", symmetricAlgorithm); // use symmetric encryption }); serviceCollection.AddInstance(mockInternalDecryptor.Object); From 9fc75d395d917d883c2365d6dc43736aa749e87d Mon Sep 17 00:00:00 2001 
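Review bot: The round-trip test now creates its key with `new TripleDESCryptoServiceProvider()` instead of AES, and the hunk gives no reason for the downgrade. Test code in a data-protection library tends to be copied, so a one-line comment should mark the choice as a test-only workaround, e.g. `// 3DES only because <limitation>; not a recommended algorithm`. The provider is also never disposed; wrapping it in `using (var symmetricAlgorithm = new TripleDESCryptoServiceProvider())` would release the key material deterministically, assuming the mocks are only invoked inside the test body, which continues past this hunk. The second hunk (`@@ -35,7 +35,7 @@`) only follows the rename.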
From: Pranav K Date: Wed, 7 Oct 2015 17:58:23 -0700 Subject: [PATCH 180/493] Replace NotNullAttribute with thrown exceptions --- .../KeyDerivation.cs | 13 ++- .../project.json | 3 +- .../DataProtectionExtensions.cs | 81 ++++++++++++++-- .../IDataProtectionProvider.cs | 5 +- .../IDataProtector.cs | 8 +- .../project.json | 1 - .../DataProtectionExtensions.cs | 72 ++++++++++++-- .../DataProtectionProvider.cs | 17 +++- .../ITimeLimitedDataProtector.cs | 8 +- .../TimeLimitedDataProtector.cs | 44 ++++++++- .../project.json | 3 +- .../ActivatorExtensions.cs | 8 +- .../AuthenticatedEncryptorConfiguration.cs | 12 ++- .../AuthenticatedEncryptorDescriptor.cs | 17 +++- ...nticatedEncryptorDescriptorDeserializer.cs | 8 +- ...gCbcAuthenticatedEncryptorConfiguration.cs | 10 +- .../CngCbcAuthenticatedEncryptorDescriptor.cs | 15 ++- ...nticatedEncryptorDescriptorDeserializer.cs | 8 +- ...gGcmAuthenticatedEncryptorConfiguration.cs | 10 +- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 15 ++- ...nticatedEncryptorDescriptorDeserializer.cs | 8 +- ...nticatedEncryptorDescriptorDeserializer.cs | 4 +- ...agedAuthenticatedEncryptorConfiguration.cs | 11 ++- ...ManagedAuthenticatedEncryptorDescriptor.cs | 15 ++- ...nticatedEncryptorDescriptorDeserializer.cs | 8 +- .../ConfigurationModel/XmlExtensions.cs | 8 +- .../XmlSerializedDescriptorInfo.cs | 13 ++- .../DataProtectionConfiguration.cs | 94 ++++++++++++++++--- .../DataProtectionProviderFactory.cs | 25 ++++- ...taProtectionServiceCollectionExtensions.cs | 20 +++- .../EphemeralDataProtectionProvider.cs | 8 +- .../KeyRingBasedDataProtectionProvider.cs | 8 +- .../KeyRingBasedDataProtector.cs | 18 +++- .../KeyManagement/XmlKeyManager.cs | 16 +++- .../Repositories/EphemeralXmlRepository.cs | 8 +- .../Repositories/FileSystemXmlRepository.cs | 21 ++++- .../Repositories/RegistryXmlRepository.cs | 21 ++++- src/Microsoft.AspNet.DataProtection/Secret.cs | 14 ++- .../XmlEncryption/CertificateResolver.cs | 5 + 
.../XmlEncryption/CertificateXmlEncryptor.cs | 31 ++++-- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 8 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 19 +++- .../XmlEncryption/DpapiXmlDecryptor.cs | 8 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 9 +- .../EncryptedXmlDecryptor.core50.cs | 3 +- .../XmlEncryption/EncryptedXmlDecryptor.cs | 8 +- .../XmlEncryption/EncryptedXmlInfo.cs | 13 ++- .../XmlEncryption/ICertificateResolver.cs | 4 +- .../XmlEncryption/IXmlDecryptor.cs | 4 +- .../XmlEncryption/IXmlEncryptor.cs | 5 +- .../XmlEncryption/NullXmlDecryptor.cs | 8 +- .../XmlEncryption/NullXmlEncryptor.cs | 8 +- .../project.json | 1 - 53 files changed, 638 insertions(+), 174 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs index badd516b95..e5c6204cec 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs @@ -3,7 +3,6 @@ using System; using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.Cryptography.KeyDerivation { @@ -25,8 +24,18 @@ namespace Microsoft.AspNet.Cryptography.KeyDerivation /// /// The PBKDF2 algorithm is specified in RFC 2898. /// - public static byte[] Pbkdf2([NotNull] string password, [NotNull] byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) + public static byte[] Pbkdf2(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) { + if (password == null) + { + throw new ArgumentNullException(nameof(password)); + } + + if (salt == null) + { + throw new ArgumentNullException(nameof(salt)); + } + // parameter checking if (prf < KeyDerivationPrf.HMACSHA1 || prf > KeyDerivationPrf.HMACSHA512) { 
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index d6076a7420..581d8c46d9 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -6,8 +6,7 @@ "url": "git://github.com/aspnet/dataprotection" }, "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*" }, "frameworks": { "net451": { }, diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs index bba0dd3df3..ee2c0fa106 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -5,10 +5,8 @@ using System; using System.Collections.Generic; using System.ComponentModel; using System.Diagnostics; -using System.Security.Cryptography; using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Abstractions; -using Microsoft.Extensions.Internal; #if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available using Microsoft.Dnx.Runtime; 
@@ -33,8 +31,18 @@ namespace Microsoft.AspNet.DataProtection /// . See that method's /// documentation for more information. /// - public static IDataProtector CreateProtector([NotNull] this IDataProtectionProvider provider, [NotNull] IEnumerable purposes) + public static IDataProtector CreateProtector(this IDataProtectionProvider provider, IEnumerable purposes) { + if (provider == null) + { + throw new ArgumentNullException(nameof(provider)); + } + + if (purposes == null) + { + throw new ArgumentNullException(nameof(purposes)); + } + bool collectionIsEmpty = true; IDataProtectionProvider retVal = provider; foreach (string purpose in purposes) @@ -69,8 +77,18 @@ namespace Microsoft.AspNet.DataProtection /// . See that method's /// documentation for more information. /// - public static IDataProtector CreateProtector([NotNull] this IDataProtectionProvider provider, [NotNull] string purpose, params string[] subPurposes) + public static IDataProtector CreateProtector(this IDataProtectionProvider provider, string purpose, params string[] subPurposes) { + if (provider == null) + { + throw new ArgumentNullException(nameof(provider)); + } + + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + // The method signature isn't simply CreateProtector(this IDataProtectionProvider, params string[] purposes) // because we don't want the code provider.CreateProtector() [parameterless] to inadvertently compile. // The actual signature for this method forces at least one purpose to be provided at the call site. 
@@ -127,8 +145,13 @@ namespace Microsoft.AspNet.DataProtection /// The service provider from which to retrieve the . /// An . This method is guaranteed never to return null. /// If no service exists in . - public static IDataProtectionProvider GetDataProtectionProvider([NotNull] this IServiceProvider services) + public static IDataProtectionProvider GetDataProtectionProvider(this IServiceProvider services) { + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + // We have our own implementation of GetRequiredService since we don't want to // take a dependency on DependencyInjection.Interfaces. IDataProtectionProvider provider = (IDataProtectionProvider)services.GetService(typeof(IDataProtectionProvider)); @@ -152,8 +175,18 @@ namespace Microsoft.AspNet.DataProtection /// then . See those methods' /// documentation for more information. /// - public static IDataProtector GetDataProtector([NotNull] this IServiceProvider services, [NotNull] IEnumerable purposes) + public static IDataProtector GetDataProtector(this IServiceProvider services, IEnumerable purposes) { + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + + if (purposes == null) + { + throw new ArgumentNullException(nameof(purposes)); + } + return services.GetDataProtectionProvider().CreateProtector(purposes); } 
@@ -171,8 +204,18 @@ namespace Microsoft.AspNet.DataProtection /// then . See those methods' /// documentation for more information. /// - public static IDataProtector GetDataProtector([NotNull] this IServiceProvider services, [NotNull] string purpose, params string[] subPurposes) + public static IDataProtector GetDataProtector(this IServiceProvider services, string purpose, params string[] subPurposes) { + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + return services.GetDataProtectionProvider().CreateProtector(purpose, subPurposes); } @@ -182,8 +225,18 @@ namespace Microsoft.AspNet.DataProtection /// The data protector to use for this operation. /// The plaintext data to protect. /// The protected form of the plaintext data. - public static string Protect([NotNull] this IDataProtector protector, [NotNull] string plaintext) + public static string Protect(this IDataProtector protector, string plaintext) { + if (protector == null) + { + throw new ArgumentNullException(nameof(protector)); + } + + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + try { byte[] plaintextAsBytes = EncodingUtil.SecureUtf8Encoding.GetBytes(plaintext); @@ -206,8 +259,18 @@ namespace Microsoft.AspNet.DataProtection /// /// Thrown if is invalid or malformed. /// - public static string Unprotect([NotNull] this IDataProtector protector, [NotNull] string protectedData) + public static string Unprotect(this IDataProtector protector, string protectedData) { + if (protector == null) + { + throw new ArgumentNullException(nameof(protector)); + } + + if (protectedData == null) + { + throw new ArgumentNullException(nameof(protectedData)); + } + try { byte[] protectedDataAsBytes = WebEncoders.Base64UrlDecode(protectedData); 
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs index 3e8a43a1fd..cb57593ada 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs @@ -1,9 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; -using Microsoft.Extensions.Internal; - namespace Microsoft.AspNet.DataProtection { /// @@ -24,6 +21,6 @@ namespace Microsoft.AspNet.DataProtection /// values will not be able to decipher each other's payloads. The parameter /// value is not intended to be kept secret. /// - IDataProtector CreateProtector([NotNull] string purpose); + IDataProtector CreateProtector(string purpose); } } diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs index 782256425c..22b89cea49 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs @@ -1,10 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; -using System.Security.Cryptography; -using Microsoft.Extensions.Internal; - namespace Microsoft.AspNet.DataProtection { /// @@ -17,7 +13,7 @@ namespace Microsoft.AspNet.DataProtection /// /// The plaintext data to protect. /// The protected form of the plaintext data. - byte[] Protect([NotNull] byte[] plaintext); + byte[] Protect(byte[] plaintext); /// /// Cryptographically unprotects a piece of protected data. 
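Review bot: With `[NotNull]` removed, `IDataProtector CreateProtector(string purpose);` no longer tells implementers or callers that null is rejected, and an interface has no body to hold the replacement check. The contract should move into the XML docs, for example by appending `Must not be null; implementations are expected to throw ArgumentNullException.` to the `purpose` parameter text. The same applies to `Protect(byte[] plaintext)` and `Unprotect(byte[] protectedData)` in IDataProtector.cs and to the three members of ITimeLimitedDataProtector.cs later in this patch. Without it, a third-party implementation has no hint that it must add the guard itself.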
@@ -27,6 +23,6 @@ namespace Microsoft.AspNet.DataProtection /// /// Thrown if the protected data is invalid or malformed. /// - byte[] Unprotect([NotNull] byte[] protectedData); + byte[] Unprotect(byte[] protectedData); } } diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index e12d818db3..be542d12ff 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -6,7 +6,6 @@ "url": "git://github.com/aspnet/dataprotection" }, "dependencies": { - "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" } }, "frameworks": { diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs index 08e22d6948..208153c820 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs @@ -2,8 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection { 
@@ -17,8 +15,18 @@ namespace Microsoft.AspNet.DataProtection /// The plaintext data to protect. /// The amount of time after which the payload should no longer be unprotectable. /// The protected form of the plaintext data. - public static byte[] Protect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] byte[] plaintext, TimeSpan lifetime) + public static byte[] Protect(this ITimeLimitedDataProtector protector, byte[] plaintext, TimeSpan lifetime) { + if (protector == null) + { + throw new ArgumentNullException(nameof(protector)); + } + + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + return protector.Protect(plaintext, DateTimeOffset.UtcNow + lifetime); } @@ -30,8 +38,18 @@ namespace Microsoft.AspNet.DataProtection /// The plaintext data to protect. /// The time when this payload should expire. /// The protected form of the plaintext data. - public static string Protect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] string plaintext, DateTimeOffset expiration) + public static string Protect(this ITimeLimitedDataProtector protector, string plaintext, DateTimeOffset expiration) { + if (protector == null) + { + throw new ArgumentNullException(nameof(protector)); + } + + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + var wrappingProtector = new TimeLimitedWrappingProtector(protector) { Expiration = expiration }; return wrappingProtector.Protect(plaintext); } 
@@ -44,8 +62,18 @@ namespace Microsoft.AspNet.DataProtection /// The plaintext data to protect. /// The amount of time after which the payload should no longer be unprotectable. /// The protected form of the plaintext data. - public static string Protect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] string plaintext, TimeSpan lifetime) + public static string Protect(this ITimeLimitedDataProtector protector, string plaintext, TimeSpan lifetime) { + if (protector == null) + { + throw new ArgumentNullException(nameof(protector)); + } + + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + return Protect(protector, plaintext, DateTimeOffset.Now + lifetime); } @@ -55,8 +83,13 @@ namespace Microsoft.AspNet.DataProtection /// /// The to convert to a time-limited protector. /// An . - public static ITimeLimitedDataProtector ToTimeLimitedDataProtector([NotNull] this IDataProtector protector) + public static ITimeLimitedDataProtector ToTimeLimitedDataProtector(this IDataProtector protector) { + if (protector == null) + { + throw new ArgumentNullException(nameof(protector)); + } + return (protector as ITimeLimitedDataProtector) ?? new TimeLimitedDataProtector(protector); } @@ -71,8 +104,18 @@ namespace Microsoft.AspNet.DataProtection /// /// Thrown if is invalid, malformed, or expired. /// - public static string Unprotect([NotNull] this ITimeLimitedDataProtector protector, [NotNull] string protectedData, out DateTimeOffset expiration) + public static string Unprotect(this ITimeLimitedDataProtector protector, string protectedData, out DateTimeOffset expiration) { + if (protector == null) + { + throw new ArgumentNullException(nameof(protector)); + } + + if (protectedData == null) + { + throw new ArgumentNullException(nameof(protectedData)); + } + var wrappingProtector = new TimeLimitedWrappingProtector(protector); string retVal = wrappingProtector.Unprotect(protectedData); expiration = wrappingProtector.Expiration; 
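Review bot: This overload computes the expiry as `DateTimeOffset.Now + lifetime` on an unchanged context line, while the `byte[]` overload earlier in the same file uses `DateTimeOffset.UtcNow + lifetime`. Both denote the same instant, and `TimeLimitedDataProtector.Protect` writes `expiration.UtcTicks`, so the payload is unaffected, but the mismatch invites doubt when reading expiry code. Since the commit already touches this method, `return Protect(protector, plaintext, DateTimeOffset.UtcNow + lifetime);` would make the two overloads agree.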
@@ -91,16 +134,31 @@ namespace Microsoft.AspNet.DataProtection public IDataProtector CreateProtector(string purpose) { + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + throw new NotImplementedException(); } public byte[] Protect(byte[] plaintext) { + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + return _innerProtector.Protect(plaintext, Expiration); } public byte[] Unprotect(byte[] protectedData) { + if (protectedData == null) + { + throw new ArgumentNullException(nameof(protectedData)); + } + return _innerProtector.Unprotect(protectedData, out Expiration); } } diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs index b0bb0a3ba3..fe8afe6db6 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs @@ -4,7 +4,6 @@ using System; using System.IO; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection { @@ -21,7 +20,7 @@ namespace Microsoft.AspNet.DataProtection /// /// The in which keys should be stored. This may /// represent a directory on a local disk or a UNC share. - public DataProtectionProvider([NotNull] DirectoryInfo keyDirectory) + public DataProtectionProvider(DirectoryInfo keyDirectory) : this(keyDirectory, configure: null) { } 
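Review bot: The null check added to `TimeLimitedWrappingProtector.CreateProtector` guards a method whose only other statement is `throw new NotImplementedException();`, so it protects nothing and only changes which exception a null `purpose` produces. Dropping the check and saying why the member is unimplemented would be clearer, e.g. `// Not used: this wrapper exists only to route Protect/Unprotect through the string helpers`. That wording matches the callers visible in this file, but it should be confirmed against the rest of the class, which is outside the hunk.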
@@ -34,8 +33,13 @@ namespace Microsoft.AspNet.DataProtection /// represent a directory on a local disk or a UNC share. /// An optional callback which provides further configuration of the data protection /// system. See for more information. - public DataProtectionProvider([NotNull] DirectoryInfo keyDirectory, Action configure) + public DataProtectionProvider(DirectoryInfo keyDirectory, Action configure) { + if (keyDirectory == null) + { + throw new ArgumentNullException(nameof(keyDirectory)); + } + // build the service collection ServiceCollection serviceCollection = new ServiceCollection(); serviceCollection.AddDataProtection(); @@ -52,8 +56,13 @@ namespace Microsoft.AspNet.DataProtection /// /// Implements . /// - public IDataProtector CreateProtector([NotNull] string purpose) + public IDataProtector CreateProtector(string purpose) { + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + return _innerProvider.CreateProtector(purpose); } } diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs index df29c8039b..d211083729 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs @@ -2,8 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Security.Cryptography; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection { 
@@ -31,7 +29,7 @@ namespace Microsoft.AspNet.DataProtection /// values will not be able to decipher each other's payloads. The parameter /// value is not intended to be kept secret. /// - new ITimeLimitedDataProtector CreateProtector([NotNull] string purpose); + new ITimeLimitedDataProtector CreateProtector(string purpose); /// /// Cryptographically protects a piece of plaintext data, expiring the data at @@ -40,7 +38,7 @@ namespace Microsoft.AspNet.DataProtection /// The plaintext data to protect. /// The time when this payload should expire. /// The protected form of the plaintext data. - byte[] Protect([NotNull] byte[] plaintext, DateTimeOffset expiration); + byte[] Protect(byte[] plaintext, DateTimeOffset expiration); /// /// Cryptographically unprotects a piece of protected data. @@ -52,6 +50,6 @@ namespace Microsoft.AspNet.DataProtection /// /// Thrown if is invalid, malformed, or expired. /// - byte[] Unprotect([NotNull] byte[] protectedData, out DateTimeOffset expiration); + byte[] Unprotect(byte[] protectedData, out DateTimeOffset expiration); } } diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs index 0c9aa18126..76c72d0b6f 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs @@ -5,7 +5,6 @@ using System; using System.Security.Cryptography; using System.Threading; using Microsoft.AspNet.DataProtection.Extensions; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection { 
@@ -25,8 +24,13 @@ namespace Microsoft.AspNet.DataProtection _innerProtector = innerProtector; } - public ITimeLimitedDataProtector CreateProtector([NotNull] string purpose) + public ITimeLimitedDataProtector CreateProtector(string purpose) { + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + return new TimeLimitedDataProtector(_innerProtector.CreateProtector(purpose)); } @@ -42,8 +46,13 @@ namespace Microsoft.AspNet.DataProtection return retVal; } - public byte[] Protect([NotNull] byte[] plaintext, DateTimeOffset expiration) + public byte[] Protect(byte[] plaintext, DateTimeOffset expiration) { + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + // We prepend the expiration time (as a 64-bit UTC tick count) to the unprotected data. byte[] plaintextWithHeader = new byte[checked(8 + plaintext.Length)]; BitHelpers.WriteUInt64(plaintextWithHeader, 0, (ulong)expiration.UtcTicks); @@ -52,13 +61,23 @@ namespace Microsoft.AspNet.DataProtection return GetInnerProtectorWithTimeLimitedPurpose().Protect(plaintextWithHeader); } - public byte[] Unprotect([NotNull] byte[] protectedData, out DateTimeOffset expiration) + public byte[] Unprotect(byte[] protectedData, out DateTimeOffset expiration) { + if (protectedData == null) + { + throw new ArgumentNullException(nameof(protectedData)); + } + return UnprotectCore(protectedData, DateTimeOffset.UtcNow, out expiration); } - internal byte[] UnprotectCore([NotNull] byte[] protectedData, DateTimeOffset now, out DateTimeOffset expiration) + internal byte[] UnprotectCore(byte[] protectedData, DateTimeOffset now, out DateTimeOffset expiration) { + if (protectedData == null) + { + throw new ArgumentNullException(nameof(protectedData)); + } + try { byte[] plaintextWithHeader = GetInnerProtectorWithTimeLimitedPurpose().Unprotect(protectedData); 
@@ -97,17 +116,32 @@ namespace Microsoft.AspNet.DataProtection IDataProtector IDataProtectionProvider.CreateProtector(string purpose) { + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + return CreateProtector(purpose); } byte[] IDataProtector.Protect(byte[] plaintext) { + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + // MaxValue essentially means 'no expiration' return Protect(plaintext, DateTimeOffset.MaxValue); } byte[] IDataProtector.Unprotect(byte[] protectedData) { + if (protectedData == null) + { + throw new ArgumentNullException(nameof(protectedData)); + } + DateTimeOffset expiration; // unused return Unprotect(protectedData, out expiration); } diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json index 4634bb8825..5c815caf43 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json @@ -8,8 +8,7 @@ "dependencies": { "Microsoft.AspNet.DataProtection": "1.0.0-*", "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, - "Microsoft.Extensions.DependencyInjection": "1.0.0-*", - "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" } + "Microsoft.Extensions.DependencyInjection": "1.0.0-*" }, "frameworks": { "net451": { }, diff --git a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs index ed736020e5..0c9037e247 100644 --- a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs @@ -5,7 +5,6 @@ using System; using System.Reflection; using Microsoft.AspNet.Cryptography; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection { 
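Review bot: Each of the three explicit interface members here null-checks its argument and then forwards to the public `CreateProtector`, `Protect` or `Unprotect`, which performs the same check on a parameter of the same name. The public `Unprotect` in the previous hunk likewise repeats the check that `UnprotectCore` makes. The forwarding members could rely on the callee's guard, which keeps one check per entry path and stops the copies from drifting apart. If the duplication is deliberate so that every entry point fails fast, a short comment such as `// guard repeated on purpose: fail at the outermost entry point` would settle it.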
@@ -18,9 +17,14 @@ namespace Microsoft.AspNet.DataProtection /// Creates an instance of and ensures /// that it is assignable to . /// - public static T CreateInstance(this IActivator activator, [NotNull] string implementationTypeName) + public static T CreateInstance(this IActivator activator, string implementationTypeName) where T : class { + if (implementationTypeName == null) + { + throw new ArgumentNullException(nameof(implementationTypeName)); + } + return activator.CreateInstance(typeof(T), implementationTypeName) as T ?? CryptoUtil.Fail("CreateInstance returned null."); } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs index 65f56dc546..408ab869b4 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
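Review bot: `CreateInstance` now rejects a null `implementationTypeName` but still dereferences `activator` unchecked in `activator.CreateInstance(typeof(T), implementationTypeName)`, so a null receiver surfaces as a NullReferenceException rather than an argument error. The other extension methods converted in this commit guard their `this` parameter (`provider`, `protector`, `services`). For consistency, add `if (activator == null) { throw new ArgumentNullException(nameof(activator)); }` ahead of the existing check.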
@@ -13,13 +12,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly IServiceProvider _services; - public AuthenticatedEncryptorConfiguration([NotNull] AuthenticatedEncryptionOptions options) + public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionOptions options) : this(options, services: null) { } - public AuthenticatedEncryptorConfiguration([NotNull] AuthenticatedEncryptionOptions options, IServiceProvider services) + public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionOptions options, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + Options = options; _services = services; } @@ -30,7 +34,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { return this.CreateNewDescriptorCore(); } - + IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { return new AuthenticatedEncryptorDescriptor(Options, secret, _services); diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs index 2c8c437ffc..7ff60f6985 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -15,13 +14,23 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly IServiceProvider _services; - public AuthenticatedEncryptorDescriptor([NotNull] AuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionOptions options, ISecret masterKey) : this(options, masterKey, services: null) { } - public AuthenticatedEncryptorDescriptor([NotNull] AuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) + public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + + if (masterKey == null) + { + throw new ArgumentNullException(nameof(masterKey)); + } + Options = options; MasterKey = masterKey; _services = services; @@ -30,7 +39,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM internal ISecret MasterKey { get; } internal AuthenticatedEncryptionOptions Options { get; } - + public IAuthenticatedEncryptor CreateEncryptorInstance() { return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _services); diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs index 29dccbf92a..c636872214 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -4,7 +4,6 @@ using System; using System.Linq; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -29,8 +28,13 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// /// Imports the from serialized XML. /// - public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element) + public IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + // // // diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs index 3be68f5a6b..54fee95ae8 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -14,13 +13,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly IServiceProvider _services; - public CngCbcAuthenticatedEncryptorConfiguration([NotNull] CngCbcAuthenticatedEncryptionOptions options) + public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionOptions options) : this(options, services: null) { } - public CngCbcAuthenticatedEncryptorConfiguration([NotNull] CngCbcAuthenticatedEncryptionOptions options, IServiceProvider services) + public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionOptions options, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + Options = options; _services = services; } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs index 4ec26a0e61..349ec1777b 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel 
@@ -16,13 +15,23 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly ILogger _log; - public CngCbcAuthenticatedEncryptorDescriptor([NotNull] CngCbcAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionOptions options, ISecret masterKey) : this(options, masterKey, services: null) { } - public CngCbcAuthenticatedEncryptorDescriptor([NotNull] CngCbcAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) + public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + + if (masterKey == null) + { + throw new ArgumentNullException(nameof(masterKey)); + } + Options = options; MasterKey = masterKey; _log = services.GetLogger(); diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs index 9246a80fb1..02972262da 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
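Review bot: `services` is the one constructor argument left unchecked, and the two-argument overload passes `services: null` into `_log = services.GetLogger();`. That line only works if `GetLogger` tolerates a null provider, which is not visible in this hunk. A comment such as `// services may be null; GetLogger is expected to handle that` on that line would record the intent now that `options` and `masterKey` have explicit guards. The same applies to the CngGcm and Managed descriptor constructors later in this patch. The constructor body continues outside the hunk.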
@@ -28,8 +27,13 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// /// Imports the from serialized XML. /// - public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element) + public IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + // // // diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs index 40c9905e85..1e587a0ffb 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -14,13 +13,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly IServiceProvider _services; - public CngGcmAuthenticatedEncryptorConfiguration([NotNull] CngGcmAuthenticatedEncryptionOptions options) + public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionOptions options) : this(options, services: null) { } - public CngGcmAuthenticatedEncryptorConfiguration([NotNull] CngGcmAuthenticatedEncryptionOptions options, IServiceProvider services) + public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionOptions options, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + Options = options; _services = services; } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs index c18c6b3028..27a7eacbdf 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel 
@@ -16,13 +15,23 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly ILogger _log; - public CngGcmAuthenticatedEncryptorDescriptor([NotNull] CngGcmAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionOptions options, ISecret masterKey) : this(options, masterKey, services: null) { } - public CngGcmAuthenticatedEncryptorDescriptor([NotNull] CngGcmAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) + public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + + if (masterKey == null) + { + throw new ArgumentNullException(nameof(masterKey)); + } + Options = options; MasterKey = masterKey; _log = services.GetLogger(); diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs index 513163eed9..b7fc2630c8 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -28,8 +27,13 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// /// Imports the from serialized XML. /// - public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element) + public IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + // // // diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs index ce131098a3..c725f58675 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs @@ -1,9 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -17,6 +15,6 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// /// The element to deserialize. /// The represented by . - IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element); + IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element); } } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs index d58fa121c4..3b5bdd4545 100644 
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs @@ -2,8 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Extensions.Internal; -using System.Security.Cryptography; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -15,13 +13,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly IServiceProvider _services; - public ManagedAuthenticatedEncryptorConfiguration([NotNull] ManagedAuthenticatedEncryptionOptions options) + public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionOptions options) : this(options, services: null) { } - public ManagedAuthenticatedEncryptorConfiguration([NotNull] ManagedAuthenticatedEncryptionOptions options, IServiceProvider services) + public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionOptions options, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + Options = options; _services = services; } diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs index d7e40021d7..41abf273c7 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs 
@@ -4,7 +4,6 @@ using System; using System.Security.Cryptography; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel @@ -17,13 +16,23 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM { private readonly ILogger _log; - public ManagedAuthenticatedEncryptorDescriptor([NotNull] ManagedAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey) + public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionOptions options, ISecret masterKey) : this(options, masterKey, services: null) { } - public ManagedAuthenticatedEncryptorDescriptor([NotNull] ManagedAuthenticatedEncryptionOptions options, [NotNull] ISecret masterKey, IServiceProvider services) + public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + + if (masterKey == null) + { + throw new ArgumentNullException(nameof(masterKey)); + } + Options = options; MasterKey = masterKey; _log = services.GetLogger(); diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs index 905275000a..824d6008e9 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -4,7 +4,6 @@ using System; using System.Security.Cryptography; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -29,8 +28,13 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// /// Imports the from serialized XML. /// - public IAuthenticatedEncryptorDescriptor ImportFromXml([NotNull] XElement element) + public IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + // // // diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs index 0d485fd855..858813161d 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -18,8 +17,13 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// Marks the provided as requiring encryption before being persisted /// to storage. Use when implementing . /// - public static void MarkAsRequiresEncryption([NotNull] this XElement element) + public static void MarkAsRequiresEncryption(this XElement element) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + element.SetAttributeValue(XmlConstants.RequiresEncryptionAttributeName, true); } } 
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs index 01a2d24a94..31a770a0d8 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs @@ -4,7 +4,6 @@ using System; using System.Reflection; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -21,8 +20,18 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM /// The XML-serialized form of the . /// The class whose /// method can be used to deserialize . - public XmlSerializedDescriptorInfo([NotNull] XElement serializedDescriptorElement, [NotNull] Type deserializerType) + public XmlSerializedDescriptorInfo(XElement serializedDescriptorElement, Type deserializerType) { + if (serializedDescriptorElement == null) + { + throw new ArgumentNullException(nameof(serializedDescriptorElement)); + } + + if (deserializerType == null) + { + throw new ArgumentNullException(nameof(deserializerType)); + } + if (!typeof(IAuthenticatedEncryptorDescriptorDeserializer).IsAssignableFrom(deserializerType)) { throw new ArgumentException( diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs index deb8119b29..e083d1988a 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs 
@@ -9,7 +9,6 @@ using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; -using Microsoft.Extensions.Internal; using Microsoft.Win32; #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml @@ -49,8 +48,13 @@ namespace Microsoft.AspNet.DataProtection /// /// Creates a new configuration object linked to a . /// - public DataProtectionConfiguration([NotNull] IServiceCollection services) + public DataProtectionConfiguration(IServiceCollection services) { + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + Services = services; } @@ -68,8 +72,13 @@ namespace Microsoft.AspNet.DataProtection /// /// Registrations are additive. /// - public DataProtectionConfiguration AddKeyEscrowSink([NotNull] IKeyEscrowSink sink) + public DataProtectionConfiguration AddKeyEscrowSink(IKeyEscrowSink sink) { + if (sink == null) + { + throw new ArgumentNullException(nameof(sink)); + } + Services.AddInstance(sink); return this; } @@ -97,8 +106,13 @@ namespace Microsoft.AspNet.DataProtection /// /// Registrations are additive. The factory is registered as . /// - public DataProtectionConfiguration AddKeyEscrowSink([NotNull] Func factory) + public DataProtectionConfiguration AddKeyEscrowSink(Func factory) { + if (factory == null) + { + throw new ArgumentNullException(nameof(factory)); + } + Services.AddSingleton(factory); return this; } 
@@ -108,8 +122,13 @@ namespace Microsoft.AspNet.DataProtection /// /// A callback that configures the global options. /// The 'this' instance. - public DataProtectionConfiguration ConfigureGlobalOptions([NotNull] Action setupAction) + public DataProtectionConfiguration ConfigureGlobalOptions(Action setupAction) { + if (setupAction == null) + { + throw new ArgumentNullException(nameof(setupAction)); + } + Services.Configure(setupAction); return this; } @@ -137,8 +156,13 @@ namespace Microsoft.AspNet.DataProtection /// /// The directory in which to store keys. /// The 'this' instance. - public DataProtectionConfiguration PersistKeysToFileSystem([NotNull] DirectoryInfo directory) + public DataProtectionConfiguration PersistKeysToFileSystem(DirectoryInfo directory) { + if (directory == null) + { + throw new ArgumentNullException(nameof(directory)); + } + Use(DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory)); return this; } @@ -148,8 +172,13 @@ namespace Microsoft.AspNet.DataProtection /// /// The location in the registry where keys should be stored. /// The 'this' instance. - public DataProtectionConfiguration PersistKeysToRegistry([NotNull] RegistryKey registryKey) + public DataProtectionConfiguration PersistKeysToRegistry(RegistryKey registryKey) { + if (registryKey == null) + { + throw new ArgumentNullException(nameof(registryKey)); + } + Use(DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey)); return this; } @@ -161,8 +190,13 @@ namespace Microsoft.AspNet.DataProtection /// /// The certificate to use when encrypting keys. /// The 'this' instance. - public DataProtectionConfiguration ProtectKeysWithCertificate([NotNull] X509Certificate2 certificate) + public DataProtectionConfiguration ProtectKeysWithCertificate(X509Certificate2 certificate) { + if (certificate == null) + { + throw new ArgumentNullException(nameof(certificate)); + } + Use(DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate)); return this; } 
@@ -172,8 +206,13 @@ namespace Microsoft.AspNet.DataProtection /// /// The thumbprint of the certificate to use when encrypting keys. /// The 'this' instance. - public DataProtectionConfiguration ProtectKeysWithCertificate([NotNull] string thumbprint) + public DataProtectionConfiguration ProtectKeysWithCertificate(string thumbprint) { + if (thumbprint == null) + { + throw new ArgumentNullException(nameof(thumbprint)); + } + // Make sure the thumbprint corresponds to a valid certificate. if (new CertificateResolver().ResolveCertificate(thumbprint) == null) { @@ -249,8 +288,13 @@ namespace Microsoft.AspNet.DataProtection /// and arguments. /// This API is only supported on Windows 8 / Windows Server 2012 and higher. /// - public DataProtectionConfiguration ProtectKeysWithDpapiNG([NotNull] string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) + public DataProtectionConfiguration ProtectKeysWithDpapiNG(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) { + if (protectionDescriptorRule == null) + { + throw new ArgumentNullException(nameof(protectionDescriptorRule)); + } + Use(DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags)); return this; } @@ -287,15 +331,20 @@ namespace Microsoft.AspNet.DataProtection }); return this; } - + /// /// Configures the data protection system to use the specified cryptographic algorithms /// by default when generating protected payloads. /// /// Information about what cryptographic algorithms should be used. /// The 'this' instance. - public DataProtectionConfiguration UseCryptographicAlgorithms([NotNull] AuthenticatedEncryptionOptions options) + public DataProtectionConfiguration UseCryptographicAlgorithms(AuthenticatedEncryptionOptions options) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + return UseCryptographicAlgorithmsCore(options); } 
@@ -311,8 +360,13 @@ namespace Microsoft.AspNet.DataProtection /// This API is only available on Windows. /// [EditorBrowsable(EditorBrowsableState.Advanced)] - public DataProtectionConfiguration UseCustomCryptographicAlgorithms([NotNull] CngCbcAuthenticatedEncryptionOptions options) + public DataProtectionConfiguration UseCustomCryptographicAlgorithms(CngCbcAuthenticatedEncryptionOptions options) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + return UseCryptographicAlgorithmsCore(options); } @@ -328,8 +382,13 @@ namespace Microsoft.AspNet.DataProtection /// This API is only available on Windows. /// [EditorBrowsable(EditorBrowsableState.Advanced)] - public DataProtectionConfiguration UseCustomCryptographicAlgorithms([NotNull] CngGcmAuthenticatedEncryptionOptions options) + public DataProtectionConfiguration UseCustomCryptographicAlgorithms(CngGcmAuthenticatedEncryptionOptions options) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + return UseCryptographicAlgorithmsCore(options); } @@ -342,8 +401,13 @@ namespace Microsoft.AspNet.DataProtection /// Information about what cryptographic algorithms should be used. /// The 'this' instance. [EditorBrowsable(EditorBrowsableState.Advanced)] - public DataProtectionConfiguration UseCustomCryptographicAlgorithms([NotNull] ManagedAuthenticatedEncryptionOptions options) + public DataProtectionConfiguration UseCustomCryptographicAlgorithms(ManagedAuthenticatedEncryptionOptions options) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + return UseCryptographicAlgorithmsCore(options); } diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs index fa50355afb..55fe4fd22d 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs 
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs @@ -4,7 +4,6 @@ using System; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.OptionsModel; namespace Microsoft.AspNet.DataProtection @@ -20,13 +19,33 @@ namespace Microsoft.AspNet.DataProtection /// The global options to use when creating the provider. /// Provides mandatory services for use by the provider. /// An . - public static IDataProtectionProvider GetProviderFromServices([NotNull] DataProtectionOptions options, [NotNull] IServiceProvider services) + public static IDataProtectionProvider GetProviderFromServices(DataProtectionOptions options, IServiceProvider services) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + return GetProviderFromServices(options, services, mustCreateImmediately: false); } - internal static IDataProtectionProvider GetProviderFromServices([NotNull] DataProtectionOptions options, [NotNull] IServiceProvider services, bool mustCreateImmediately) + internal static IDataProtectionProvider GetProviderFromServices(DataProtectionOptions options, IServiceProvider services, bool mustCreateImmediately) { + if (options == null) + { + throw new ArgumentNullException(nameof(options)); + } + + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + IDataProtectionProvider dataProtectionProvider = null; // If we're being asked to create the provider immediately, then it means that diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index df79eb2b48..ff3d3aaac4 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs 
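Review bot: The public `GetProviderFromServices` overload now repeats both guards that the internal overload performs immediately after the public one forwards to it, so every public call checks `options` and `services` twice. Either set is sufficient because the parameter names match. Keeping the guards only in the internal overload would halve the added code without changing what callers observe. The internal overload's body continues outside the hunk.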
+++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -4,7 +4,6 @@ using System; using Microsoft.AspNet.DataProtection; using Microsoft.Extensions.DependencyInjection.Extensions; -using Microsoft.Extensions.Internal; namespace Microsoft.Extensions.DependencyInjection { @@ -18,8 +17,13 @@ namespace Microsoft.Extensions.DependencyInjection /// /// The service collection to which to add DataProtection services. /// The instance. - public static IServiceCollection AddDataProtection([NotNull] this IServiceCollection services) + public static IServiceCollection AddDataProtection(this IServiceCollection services) { + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + services.AddOptions(); services.TryAdd(DataProtectionServices.GetDefaultServices()); return services; @@ -32,8 +36,18 @@ namespace Microsoft.Extensions.DependencyInjection /// A callback which takes a parameter. /// This callback will be responsible for configuring the system. /// The instance. - public static IServiceCollection ConfigureDataProtection([NotNull] this IServiceCollection services, [NotNull] Action configure) + public static IServiceCollection ConfigureDataProtection(this IServiceCollection services, Action configure) { + if (services == null) + { + throw new ArgumentNullException(nameof(services)); + } + + if (configure == null) + { + throw new ArgumentNullException(nameof(configure)); + } + configure(new DataProtectionConfiguration(services)); return services; } diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs index 48c5789c50..7ee3de1aca 100644 --- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs 
@@ -5,7 +5,6 @@ using System; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection @@ -57,8 +56,13 @@ namespace Microsoft.AspNet.DataProtection _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, services); } - public IDataProtector CreateProtector([NotNull] string purpose) + public IDataProtector CreateProtector(string purpose) { + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + // just forward to the underlying provider return _dataProtectionProvider.CreateProtector(purpose); } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs index 5892be7f9c..e56337ee29 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement @@ -18,8 +17,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement _logger = services.GetLogger(); // note: for protector (not provider!) type, could be null } - public IDataProtector CreateProtector([NotNull] string purpose) + public IDataProtector CreateProtector(string purpose) { + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + return new KeyRingBasedDataProtector( logger: _logger, keyRingProvider: _keyRingProvider, 
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 3fcfbe54de..0a29811bde 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -9,7 +9,6 @@ using System.Linq; using System.Threading; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement @@ -54,8 +53,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } } - public IDataProtector CreateProtector([NotNull] string purpose) + public IDataProtector CreateProtector(string purpose) { + if (purpose == null) + { + throw new ArgumentNullException(nameof(purpose)); + } + return new KeyRingBasedDataProtector( logger: _logger, keyRingProvider: _keyRingProvider, @@ -86,6 +90,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement public byte[] Protect(byte[] plaintext) { + if (plaintext == null) + { + throw new ArgumentNullException(nameof(plaintext)); + } + // argument & state checking if (plaintext == null) { @@ -177,6 +186,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement public byte[] Unprotect(byte[] protectedData) { + if (protectedData == null) + { + throw new ArgumentNullException(nameof(protectedData)); + } + // Argument checking will be done by the callee bool requiresMigration, wasRevoked; // unused return DangerousUnprotect(protectedData, diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index ee58f769a0..f913b7f6a4 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs 
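Review bot: In `KeyRingBasedDataProtector.Protect` the added `if (plaintext == null)` guard sits directly above the existing `// argument & state checking` block, which tests `plaintext == null` again, so that second test can no longer be reached. Keep only one of the two; the existing block's body is outside the hunk, so confirm which exception it raised before deleting it. In `Unprotect`, the retained comment `// Argument checking will be done by the callee` no longer matches the code now that the method checks `protectedData` itself; reword it to `// Remaining argument checks are done by the callee`. Both method bodies continue outside their hunks.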
@@ -5,7 +5,6 @@ using System; using System.Collections.Generic; using System.Diagnostics; using System.Linq; -using System.Reflection; using System.Runtime.CompilerServices; using System.Threading; using System.Xml; @@ -15,7 +14,6 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; using static System.FormattableString; @@ -57,10 +55,20 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// Configuration for newly-created keys. /// A provider of optional services. public XmlKeyManager( - [NotNull] IXmlRepository repository, - [NotNull] IAuthenticatedEncryptorConfiguration configuration, + IXmlRepository repository, + IAuthenticatedEncryptorConfiguration configuration, IServiceProvider services) { + if (repository == null) + { + throw new ArgumentNullException(nameof(repository)); + } + + if (configuration == null) + { + throw new ArgumentNullException(nameof(configuration)); + } + KeyEncryptor = services.GetService(); // optional KeyRepository = repository; diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs index a42808c83a..d1baa63b9b 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs @@ -5,7 +5,6 @@ using System; using System.Collections.Generic; using System.Linq; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.Repositories 
@@ -45,8 +44,13 @@ namespace Microsoft.AspNet.DataProtection.Repositories } } - public virtual void StoreElement([NotNull] XElement element, string friendlyName) + public virtual void StoreElement(XElement element, string friendlyName) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + XElement cloned = new XElement(element); // makes a deep copy so caller doesn't inadvertently modify it // under lock for thread safety diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index 3825b72c5b..becb107ac0 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -7,7 +7,6 @@ using System.Diagnostics; using System.IO; using System.Linq; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.Repositories @@ -25,9 +24,13 @@ namespace Microsoft.AspNet.DataProtection.Repositories /// Creates a with keys stored at the given directory. /// /// The directory in which to persist key material. - public FileSystemXmlRepository([NotNull] DirectoryInfo directory) + public FileSystemXmlRepository(DirectoryInfo directory) : this(directory, services: null) { + if (directory == null) + { + throw new ArgumentNullException(nameof(directory)); + } } /// 
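Review bot: The null check added to the body of `FileSystemXmlRepository(DirectoryInfo directory)` can never fire, because the initializer `: this(directory, services: null)` runs first and the two-argument constructor (next hunk) already throws `ArgumentNullException(nameof(directory))`. The same applies to `RegistryXmlRepository(RegistryKey registryKey)` later in this commit. Either leave the one-argument bodies empty, as the one-argument `CertificateXmlEncryptor` constructors in this commit do, or replace the dead check with a comment such as `// null check is performed by the chained constructor`.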
@@ -35,8 +38,13 @@ namespace Microsoft.AspNet.DataProtection.Repositories /// /// The directory in which to persist key material. /// An optional to provide ancillary services. - public FileSystemXmlRepository([NotNull] DirectoryInfo directory, IServiceProvider services) + public FileSystemXmlRepository(DirectoryInfo directory, IServiceProvider services) { + if (directory == null) + { + throw new ArgumentNullException(nameof(directory)); + } + Directory = directory; Services = services; _logger = services?.GetLogger(); @@ -188,8 +196,13 @@ namespace Microsoft.AspNet.DataProtection.Repositories } } - public virtual void StoreElement([NotNull] XElement element, string friendlyName) + public virtual void StoreElement(XElement element, string friendlyName) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + if (!IsSafeFilename(friendlyName)) { string newFriendlyName = Guid.NewGuid().ToString(); diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index 8006694313..b880a12a80 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -6,7 +6,6 @@ using System.Collections.Generic; using System.Linq; using System.Security.Principal; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; using Microsoft.Win32; 
@@ -27,17 +26,26 @@ namespace Microsoft.AspNet.DataProtection.Repositories /// Creates a with keys stored in the given registry key. /// /// The registry key in which to persist key material. - public RegistryXmlRepository([NotNull] RegistryKey registryKey) + public RegistryXmlRepository(RegistryKey registryKey) : this(registryKey, services: null) { + if (registryKey == null) + { + throw new ArgumentNullException(nameof(registryKey)); + } } /// /// Creates a with keys stored in the given registry key. /// /// The registry key in which to persist key material. - public RegistryXmlRepository([NotNull] RegistryKey registryKey, IServiceProvider services) + public RegistryXmlRepository(RegistryKey registryKey, IServiceProvider services) { + if (registryKey == null) + { + throw new ArgumentNullException(nameof(registryKey)); + } + RegistryKey = registryKey; Services = services; _logger = services?.GetLogger(); @@ -141,8 +149,13 @@ namespace Microsoft.AspNet.DataProtection.Repositories return (!String.IsNullOrEmpty(data)) ? XElement.Parse(data) : null; } - public virtual void StoreElement([NotNull] XElement element, string friendlyName) + public virtual void StoreElement(XElement element, string friendlyName) { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + if (!IsSafeRegistryValueName(friendlyName)) { string newFriendlyName = Guid.NewGuid().ToString(); diff --git a/src/Microsoft.AspNet.DataProtection/Secret.cs b/src/Microsoft.AspNet.DataProtection/Secret.cs index e87446741b..88a1bc3fda 100644 --- a/src/Microsoft.AspNet.DataProtection/Secret.cs +++ b/src/Microsoft.AspNet.DataProtection/Secret.cs @@ -6,7 +6,6 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.Managed; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection { 
@@ -37,9 +36,13 @@ namespace Microsoft.AspNet.DataProtection /// Creates a new Secret from the provided input value, where the input value /// is specified as an array. /// - public Secret([NotNull] byte[] value) + public Secret(byte[] value) : this(new ArraySegment(value)) { + if (value == null) + { + throw new ArgumentNullException(nameof(value)); + } } /// @@ -64,8 +67,13 @@ namespace Microsoft.AspNet.DataProtection /// /// Creates a new Secret from another secret object. /// - public Secret([NotNull] ISecret secret) + public Secret(ISecret secret) { + if (secret == null) + { + throw new ArgumentNullException(nameof(secret)); + } + Secret other = secret as Secret; if (other != null) { diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs index 6af1f71ad9..9ae11096bd 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs @@ -21,6 +21,11 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// The resolved , or null if the certificate cannot be found. public virtual X509Certificate2 ResolveCertificate(string thumbprint) { + if (thumbprint == null) + { + throw new ArgumentNullException(nameof(thumbprint)); + } + if (String.IsNullOrEmpty(thumbprint)) { throw Error.Common_ArgumentCannotBeNullOrEmpty(nameof(thumbprint)); diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 6c862bdde0..f2a963d8cd 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs 
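Review bot: In `Secret(byte[] value)` the added check is unreachable, and a null `value` is reported under the wrong parameter name. The initializer `: this(new ArraySegment(value))` (type argument apparently lost in rendering) is evaluated before the body, and the `ArraySegment` constructor itself throws `ArgumentNullException` for its own `array` parameter. To surface `nameof(value)`, validate before the segment is built, for example with a private static helper that throws and otherwise returns the array: `: this(new ArraySegment<byte>(RequireNotNull(value)))`, where `RequireNotNull` is a placeholder name. The body check can then be removed.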
@@ -10,7 +10,6 @@ using System.Xml; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption @@ -31,7 +30,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// The thumbprint (as a hex string) of the certificate with which to /// encrypt the key material. The certificate must be locatable by . /// A resolver which can locate objects. - public CertificateXmlEncryptor([NotNull] string thumbprint, [NotNull] ICertificateResolver certificateResolver) + public CertificateXmlEncryptor(string thumbprint, ICertificateResolver certificateResolver) : this(thumbprint, certificateResolver, services: null) { } @@ -45,9 +44,19 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// encrypt the key material. The certificate must be locatable by . /// A resolver which can locate objects. /// An optional to provide ancillary services. - public CertificateXmlEncryptor([NotNull] string thumbprint, [NotNull] ICertificateResolver certificateResolver, IServiceProvider services) + public CertificateXmlEncryptor(string thumbprint, ICertificateResolver certificateResolver, IServiceProvider services) : this(services) { + if (thumbprint == null) + { + throw new ArgumentNullException(nameof(thumbprint)); + } + + if (certificateResolver == null) + { + throw new ArgumentNullException(nameof(certificateResolver)); + } + _certFactory = CreateCertFactory(thumbprint, certificateResolver); } @@ -55,7 +64,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// Creates a given an instance. /// /// The with which to encrypt the key material. - public CertificateXmlEncryptor([NotNull] X509Certificate2 certificate) + public CertificateXmlEncryptor(X509Certificate2 certificate) : this(certificate, services: null) { } 
@@ -66,9 +75,14 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// /// The with which to encrypt the key material. /// An optional to provide ancillary services. - public CertificateXmlEncryptor([NotNull] X509Certificate2 certificate, IServiceProvider services) + public CertificateXmlEncryptor(X509Certificate2 certificate, IServiceProvider services) : this(services) { + if (certificate == null) + { + throw new ArgumentNullException(nameof(certificate)); + } + _certFactory = () => certificate; } @@ -87,8 +101,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// along with information about how to /// decrypt it. /// - public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) + public EncryptedXmlInfo Encrypt(XElement plaintextElement) { + if (plaintextElement == null) + { + throw new ArgumentNullException(nameof(plaintextElement)); + } + // // ... // diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index b903ddf48a..d451373e42 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -5,7 +5,6 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption @@ -45,8 +44,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// An encrypted XML element. /// The decrypted form of . /// - public XElement Decrypt([NotNull] XElement encryptedElement) + public XElement Decrypt(XElement encryptedElement) { + if (encryptedElement == null) + { + throw new ArgumentNullException(nameof(encryptedElement)); + } + try { // 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index d84be70c45..e2c6ee8e11 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -7,7 +7,6 @@ using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; using static System.FormattableString; @@ -30,7 +29,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// /// The rule string from which to create the protection descriptor. /// Flags controlling the creation of the protection descriptor. - public DpapiNGXmlEncryptor([NotNull] string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) + public DpapiNGXmlEncryptor(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) : this(protectionDescriptorRule, flags, services: null) { } @@ -41,8 +40,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// The rule string from which to create the protection descriptor. /// Flags controlling the creation of the protection descriptor. /// An optional to provide ancillary services. - public DpapiNGXmlEncryptor([NotNull] string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags, IServiceProvider services) + public DpapiNGXmlEncryptor(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags, IServiceProvider services) { + if (protectionDescriptorRule == null) + { + throw new ArgumentNullException(nameof(protectionDescriptorRule)); + } + CryptoUtil.AssertPlatformIsWindows8OrLater(); int ntstatus = UnsafeNativeMethods.NCryptCreateProtectionDescriptor(protectionDescriptorRule, (uint)flags, out _protectionDescriptorHandle); 
@@ -61,8 +65,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// along with information about how to /// decrypt it. /// - public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) + public EncryptedXmlInfo Encrypt(XElement plaintextElement) { + if (plaintextElement == null) + { + throw new ArgumentNullException(nameof(plaintextElement)); + } + string protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); if (_logger.IsVerboseLevelEnabled()) { @@ -92,7 +101,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption // // {base64} // - + var element = new XElement("encryptedKey", new XComment(" This key is encrypted with Windows DPAPI-NG. "), new XComment(" Rule: " + protectionDescriptorRuleString + " "), diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index 0d897d34fa..ad59ab8260 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -5,7 +5,6 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption @@ -42,8 +41,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// An encrypted XML element. /// The decrypted form of . /// - public XElement Decrypt([NotNull] XElement encryptedElement) + public XElement Decrypt(XElement encryptedElement) { + if (encryptedElement == null) + { + throw new ArgumentNullException(nameof(encryptedElement)); + } + if (_logger.IsVerboseLevelEnabled()) { _logger.LogVerbose("Decrypting secret element using Windows DPAPI."); 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index c7f4b429b1..c1726eb7b6 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -5,9 +5,7 @@ using System; using System.Security.Principal; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption @@ -56,8 +54,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// along with information about how to /// decrypt it. /// - public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) + public EncryptedXmlInfo Encrypt(XElement plaintextElement) { + if (plaintextElement == null) + { + throw new ArgumentNullException(nameof(plaintextElement)); + } + if (_logger.IsVerboseLevelEnabled()) { if (_protectToLocalMachine) diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs index a9195d0ef4..5ea97ce76c 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs @@ -9,7 +9,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption @@ -28,7 +27,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption _logger = services.GetLogger(); } - public XElement Decrypt([NotNull] XElement encryptedElement) + public XElement Decrypt(XElement encryptedElement) { if (_logger.IsErrorLevelEnabled()) { 
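Review bot: `EncryptedXmlDecryptor.core50.cs` is the one `Decrypt` implementation in this commit that loses `[NotNull]` without getting a replacement guard. `DpapiXmlDecryptor`, `DpapiNGXmlDecryptor`, `NullXmlDecryptor` and the non-core50 `EncryptedXmlDecryptor` all gain `if (encryptedElement == null) { throw new ArgumentNullException(nameof(encryptedElement)); }`. The rest of the method is outside the hunk, so this may be deliberate if the method fails unconditionally on this platform. If so, say that in a one-line comment such as `// no null check: this implementation always throws on CoreCLR` (to be confirmed against the body); otherwise add the same guard at the top.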
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index e8aeda1287..51fbcefa0d 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -8,7 +8,6 @@ using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { @@ -42,8 +41,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// An encrypted XML element. /// The decrypted form of . /// - public XElement Decrypt([NotNull] XElement encryptedElement) + public XElement Decrypt(XElement encryptedElement) { + if (encryptedElement == null) + { + throw new ArgumentNullException(nameof(encryptedElement)); + } + // // ... // diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs index 237736a0d4..e12016a4e1 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs @@ -4,7 +4,6 @@ using System; using System.Reflection; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { 
@@ -20,8 +19,18 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// A piece of encrypted XML. /// The class whose /// method can be used to decrypt . - public EncryptedXmlInfo([NotNull] XElement encryptedElement, [NotNull] Type decryptorType) + public EncryptedXmlInfo(XElement encryptedElement, Type decryptorType) { + if (encryptedElement == null) + { + throw new ArgumentNullException(nameof(encryptedElement)); + } + + if (decryptorType == null) + { + throw new ArgumentNullException(nameof(decryptorType)); + } + if (!typeof(IXmlDecryptor).IsAssignableFrom(decryptorType)) { throw new ArgumentException( diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs index 9c73d5f9ee..efc7e66b7b 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs @@ -3,9 +3,7 @@ #if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml -using System; using System.Security.Cryptography.X509Certificates; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { @@ -19,7 +17,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// /// The thumbprint (as a hex string) of the certificate to resolve. /// The resolved , or null if the certificate cannot be found. - X509Certificate2 ResolveCertificate([NotNull] string thumbprint); + X509Certificate2 ResolveCertificate(string thumbprint); } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs index 53cfe278f7..dac3935544 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs 
@@ -1,9 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { @@ -21,6 +19,6 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// Implementations of this method must not mutate the /// instance provided by . /// - XElement Decrypt([NotNull] XElement encryptedElement); + XElement Decrypt(XElement encryptedElement); } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs index 8e503d2548..aea3cbb051 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs @@ -1,10 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { @@ -26,6 +23,6 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// Implementations of this method must not mutate the /// instance provided by . /// - EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement); + EncryptedXmlInfo Encrypt(XElement plaintextElement); } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs index db699c0146..f5d8fe1cb5 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs 
@@ -4,7 +4,6 @@ using System; using System.Linq; using System.Xml.Linq; -using Microsoft.Extensions.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { @@ -19,8 +18,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// An encrypted XML element. /// The decrypted form of . /// - public XElement Decrypt([NotNull] XElement encryptedElement) + public XElement Decrypt(XElement encryptedElement) { + if (encryptedElement == null) + { + throw new ArgumentNullException(nameof(encryptedElement)); + } + // // // diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs index 84ada1112d..fd3cc01fd9 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.XmlEncryption @@ -42,8 +41,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption /// along with information about how to /// decrypt it. /// - public EncryptedXmlInfo Encrypt([NotNull] XElement plaintextElement) + public EncryptedXmlInfo Encrypt(XElement plaintextElement) { + if (plaintextElement == null) + { + throw new ArgumentNullException(nameof(plaintextElement)); + } + if (_logger.IsWarningLevelEnabled()) { _logger.LogWarning("Encrypting using a null encryptor; secret information isn't being protected."); diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index a398e7e5e2..4a634c02e7 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json 
@@ -11,7 +11,6 @@ "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", - "Microsoft.Extensions.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" }, "Microsoft.Extensions.OptionsModel": "1.0.0-*" }, "frameworks": { From 950acc99b5c67d668f8946888256afb109760a71 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Thu, 8 Oct 2015 19:00:36 -0700 Subject: [PATCH 181/493] React to aspnet/Universe#290 fix --- build.cmd | 25 +++++++++++++------------ build.sh | 12 +++++++----- 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/build.cmd b/build.cmd index 70d974a61f..84dc87e480 100644 --- a/build.cmd +++ b/build.cmd 
@@ -18,22 +18,23 @@ md .nuget copy %CACHED_NUGET% .nuget\nuget.exe > nul :restore -IF EXIST packages\KoreBuild goto run +IF EXIST packages\Sake goto getdnx IF %BUILDCMD_KOREBUILD_VERSION%=="" ( - .nuget\nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre + .nuget\nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre ) ELSE ( - .nuget\nuget.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre + .nuget\nuget.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre ) -.nuget\nuget.exe install Sake -ExcludeVersion -Out packages +.nuget\NuGet.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages -IF "%SKIP_DNX_INSTALL%"=="1" goto run -IF %BUILDCMD_DNX_VERSION%=="" ( - CALL packages\KoreBuild\build\dnvm upgrade -runtime CLR -arch x86 +:getdnx +IF "%SKIP_DNX_INSTALL%"=="" ( + IF "%BUILDCMD_DNX_VERSION%"=="" ( + BUILDCMD_DNX_VERSION=latest + ) + CALL packages\KoreBuild\build\dnvm install %BUILDCMD_DNX_VERSION% -runtime CoreCLR -arch x86 -alias default + CALL packages\KoreBuild\build\dnvm install default -runtime CLR -arch x86 -alias default ) ELSE ( - CALL packages\KoreBuild\build\dnvm install %BUILDCMD_DNX_VERSION% -runtime CLR -arch x86 -alias default + CALL packages\KoreBuild\build\dnvm use default -runtime CLR -arch x86 ) -CALL packages\KoreBuild\build\dnvm install default -runtime CoreCLR -arch x86 -:run -CALL packages\KoreBuild\build\dnvm use default -runtime CLR -arch x86 -packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* \ No newline at end of file +packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* diff --git a/build.sh b/build.sh index 0c66139817..da4e3fcd1c 100755 --- a/build.sh +++ b/build.sh 
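Review bot: Under `:getdnx`, the line `BUILDCMD_DNX_VERSION=latest` has no `SET`, so cmd treats it as a command to run and the variable is never assigned. Even with `SET`, `%BUILDCMD_DNX_VERSION%` in the `dnvm install` line of the same parenthesised block is expanded when the block is parsed, so the default would not be seen there. Move the default above the `IF "%SKIP_DNX_INSTALL%"==""` block as `IF "%BUILDCMD_DNX_VERSION%"=="" ( SET BUILDCMD_DNX_VERSION=latest )`. The quoted test also never matches while the variable is initialised to `""` near the top of the script (visible as context in the following commit), so that initialisation should become `SET BUILDCMD_DNX_VERSION=`.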
@@ -24,18 +24,20 @@ if test ! -e .nuget; then cp $cachePath .nuget/nuget.exe fi -if test ! -d packages/KoreBuild; then +if test ! -d packages/Sake; then mono .nuget/nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre - mono .nuget/nuget.exe install Sake -ExcludeVersion -Out packages + mono .nuget/nuget.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages fi if ! type dnvm > /dev/null 2>&1; then source packages/KoreBuild/build/dnvm.sh fi -if ! type dnx > /dev/null 2>&1; then - dnvm upgrade +if ! type dnx > /dev/null 2>&1 || [ -z "$SKIP_DNX_INSTALL" ]; then + dnvm install latest -runtime coreclr -alias default + dnvm install default -runtime mono -alias default +else + dnvm use default -runtime mono fi mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" - From 79fe094addd82fec19dfb188df678918b0e3bd90 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Mon, 12 Oct 2015 12:50:44 -0700 Subject: [PATCH 182/493] Fix local build break --- build.cmd | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/build.cmd b/build.cmd index 84dc87e480..553e3929a0 100644 --- a/build.cmd +++ b/build.cmd @@ -4,8 +4,8 @@ cd %~dp0 SETLOCAL SET NUGET_VERSION=latest SET CACHED_NUGET=%LocalAppData%\NuGet\nuget.%NUGET_VERSION%.exe -SET BUILDCMD_KOREBUILD_VERSION="" -SET BUILDCMD_DNX_VERSION="" +SET BUILDCMD_KOREBUILD_VERSION= +SET BUILDCMD_DNX_VERSION= IF EXIST %CACHED_NUGET% goto copynuget echo Downloading latest version of NuGet.exe... @@ -19,7 +19,7 @@ copy %CACHED_NUGET% .nuget\nuget.exe > nul :restore IF EXIST packages\Sake goto getdnx -IF %BUILDCMD_KOREBUILD_VERSION%=="" ( +IF "%BUILDCMD_KOREBUILD_VERSION%"=="" ( .nuget\nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre ) ELSE ( .nuget\nuget.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre 
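Review bot: The build.sh bootstrap installs whatever is newest at build time, so two builds of the same commit can run different build tooling. `nuget.exe install KoreBuild ... -pre` has no `-version`, and the new `dnvm install latest -runtime coreclr -alias default` follows a moving tag. Only the Sake install gets an explicit `-Source`; KoreBuild still resolves through whatever feeds the NuGet configuration supplies. Consider honouring a pinned version the way build.cmd does with `BUILDCMD_KOREBUILD_VERSION` and `BUILDCMD_DNX_VERSION`, e.g. `dnvm install "${BUILDCMD_DNX_VERSION:-latest}" -runtime coreclr -alias default`, so a release build can fix the toolchain it trusts.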
@@ -27,10 +27,10 @@ IF %BUILDCMD_KOREBUILD_VERSION%=="" ( .nuget\NuGet.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages :getdnx +IF "%BUILDCMD_DNX_VERSION%"=="" ( + SET BUILDCMD_DNX_VERSION=latest +) IF "%SKIP_DNX_INSTALL%"=="" ( - IF "%BUILDCMD_DNX_VERSION%"=="" ( - BUILDCMD_DNX_VERSION=latest - ) CALL packages\KoreBuild\build\dnvm install %BUILDCMD_DNX_VERSION% -runtime CoreCLR -arch x86 -alias default CALL packages\KoreBuild\build\dnvm install default -runtime CLR -arch x86 -alias default ) ELSE ( From 4165ee02c1b7c246c02a7c98616d58ae8ed4491e Mon Sep 17 00:00:00 2001 From: Cesar Blum Silveira Date: Fri, 16 Oct 2015 11:15:34 -0700 Subject: [PATCH 183/493] Enable some tests on CoreCLR. --- test/Microsoft.AspNet.Cryptography.Internal.Test/project.json | 3 ++- .../project.json | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index 90f9726223..3ad4052791 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -6,7 +6,8 @@ "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { - "dnx451": { } + "dnx451": { }, + "dnxcore50": { } }, "commands": { "test": "xunit.runner.aspnet" diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index 79e645fd53..95dda9a8b7 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -8,7 +8,8 @@ "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { - "dnx451": { } + "dnx451": { }, + "dnxcore50": { } }, "commands": { "test": "xunit.runner.aspnet" From cea46e7851726fbf508f63ec57efbdc5bbffd06c Mon Sep 17 00:00:00 2001 
From: Cesar Blum Silveira Date: Fri, 16 Oct 2015 15:23:50 -0700 Subject: [PATCH 184/493] Disable Microsoft.AspNet.Cryptography.KeyDerivation.Test on CoreCLR. --- .../project.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index 95dda9a8b7..79e645fd53 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -8,8 +8,7 @@ "xunit.runner.aspnet": "2.0.0-aspnet-*" }, "frameworks": { - "dnx451": { }, - "dnxcore50": { } + "dnx451": { } }, "commands": { "test": "xunit.runner.aspnet" From 1a40e7254dcf76de82c838f0bcf48f9e8ff3aa2e Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Wed, 21 Oct 2015 18:31:51 -0700 Subject: [PATCH 185/493] Switching to using generations TFM --- .../CryptoUtil.cs | 4 +- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 2 +- .../SafeHandles/SafeLibraryHandle.cs | 16 ++-- .../SafeHandles/SecureLocalAllocHandle.cs | 4 +- .../UnsafeBufferUtil.cs | 24 ++--- .../UnsafeNativeMethods.cs | 10 +-- .../project.json | 48 +++++----- .../project.json | 47 +++++----- .../DataProtectionExtensions.cs | 8 -- .../project.json | 58 ++++++------- .../project.json | 40 +++++---- .../project.json | 42 +++++---- .../project.json | 50 +++++------ .../ManagedAuthenticatedEncryptionOptions.cs | 2 +- .../Cng/DpapiSecretSerializerHelper.cs | 8 +- .../DataProtectionConfiguration.cs | 4 +- .../DataProtectionServiceDescriptors.cs | 6 +- .../DataProtectionServices.cs | 2 +- .../Managed/ManagedAuthenticatedEncryptor.cs | 2 +- .../Repositories/FileSystemXmlRepository.cs | 2 +- .../StringInterpolation.cs | 2 +- .../XmlEncryption/CertificateResolver.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 2 +- .../EncryptedXmlDecryptor.core50.cs | 2 +- .../XmlEncryption/EncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/ICertificateResolver.cs | 2 +- .../IInternalCertificateXmlEncryptor.cs | 2 +- .../IInternalEncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/XmlEncryptionExtensions.cs | 2 +- .../project.json | 87 +++++++++---------- 30 files changed, 233 insertions(+), 251 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs index b0a7c95703..fc2bdb9404 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs @@ -9,7 +9,7 @@ using System.Security.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.Internal; -#if !DNXCORE50 +#if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif 
@@ -73,7 +73,7 @@ namespace Microsoft.AspNet.Cryptography } [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint count) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs index f00b99c2a9..39e3ec7f25 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -#if DNXCORE50 +#if DOTNET5_4 namespace Microsoft.Win32.SafeHandles { internal abstract class SafeHandleZeroOrMinusOneIsInvalid : SafeHandle diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index 86c080ca85..4636644297 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs @@ -6,7 +6,7 @@ using System.Runtime.InteropServices; using System.Security; using Microsoft.Win32.SafeHandles; -#if !DNXCORE50 +#if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif @@ -127,12 +127,12 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles return UnsafeNativeMethods.FreeLibrary(handle); } -#if !DNXCORE50 +#if !DOTNET5_4 [SuppressUnmanagedCodeSecurity] #endif private static class UnsafeNativeMethods { -#if DNXCORE50 +#if DOTNET5_4 private const string CORE_LIBRARY_LOADER_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; private const string CORE_LOCALIZATION_LIB = "api-ms-win-core-localization-l1-2-0.dll"; #else 
@@ -140,7 +140,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx -#if DNXCORE50 +#if DOTNET5_4 [DllImport(CORE_LOCALIZATION_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] @@ -157,7 +157,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if DNXCORE50 +#if DOTNET5_4 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] #else [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] @@ -167,7 +167,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if DNXCORE50 +#if DOTNET5_4 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] @@ -178,7 +178,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles [Out] out IntPtr phModule); // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx -#if DNXCORE50 +#if DOTNET5_4 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] 
@@ -188,7 +188,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); // http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx -#if DNXCORE50 +#if DOTNET5_4 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index ea397a0f77..36dc73ea10 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -#if !DNXCORE50 +#if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif @@ -41,7 +41,7 @@ namespace Microsoft.AspNet.Cryptography.SafeHandles return newHandle; } -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif private void AllocateImpl(IntPtr cb) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs index e302c5d4fd..5f2daef596 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs @@ -6,7 +6,7 @@ using System.Runtime.CompilerServices; using System.Threading; using Microsoft.AspNet.Cryptography.SafeHandles; -#if !DNXCORE50 +#if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif 
@@ -15,7 +15,7 @@ namespace Microsoft.AspNet.Cryptography internal unsafe static class UnsafeBufferUtil { [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void BlockCopy(void* from, void* to, int byteCount) @@ -24,7 +24,7 @@ namespace Microsoft.AspNet.Cryptography } [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void BlockCopy(void* from, void* to, uint byteCount) @@ -35,7 +35,7 @@ namespace Microsoft.AspNet.Cryptography } } -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(LocalAllocHandle from, void* to, uint byteCount) @@ -55,7 +55,7 @@ namespace Microsoft.AspNet.Cryptography } } -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(void* from, LocalAllocHandle to, uint byteCount) @@ -75,7 +75,7 @@ namespace Microsoft.AspNet.Cryptography } } -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(LocalAllocHandle from, LocalAllocHandle to, IntPtr length) @@ -116,7 +116,7 @@ namespace Microsoft.AspNet.Cryptography [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyCore(byte* from, byte* to, uint byteCount) { -#if DNXCORE50 +#if DOTNET5_4 Buffer.MemoryCopy(from, to, (ulong)byteCount, (ulong)byteCount); #else while (byteCount-- != 0) @@ -129,7 +129,7 @@ namespace Microsoft.AspNet.Cryptography [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyCore(byte* from, byte* to, ulong byteCount) { -#if DNXCORE50 +#if DOTNET5_4 Buffer.MemoryCopy(from, to, byteCount, byteCount); #else while (byteCount-- != 0) 
@@ -143,7 +143,7 @@ namespace Microsoft.AspNet.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, int byteCount) @@ -155,7 +155,7 @@ namespace Microsoft.AspNet.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, uint byteCount) @@ -176,7 +176,7 @@ namespace Microsoft.AspNet.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, ulong byteCount) @@ -196,7 +196,7 @@ namespace Microsoft.AspNet.Cryptography /// /// Securely clears a memory buffer. /// -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, IntPtr length) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs index 7d06df9ff4..514b1fde51 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs @@ -12,13 +12,13 @@ using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; -#if !DNXCORE50 +#if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif namespace Microsoft.AspNet.Cryptography { -#if !DNXCORE50 +#if !DOTNET5_4 [SuppressUnmanagedCodeSecurity] #endif internal unsafe static class UnsafeNativeMethods 
@@ -87,7 +87,7 @@ namespace Microsoft.AspNet.Cryptography [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx @@ -95,7 +95,7 @@ namespace Microsoft.AspNet.Cryptography [In] IntPtr hHash); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375404(v=vs.85).aspx @@ -249,7 +249,7 @@ namespace Microsoft.AspNet.Cryptography */ [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DNXCORE50 +#if !DOTNET5_4 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706799(v=vs.85).aspx diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index 071b3888dc..e57e13d42b 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json 
@@ -1,27 +1,25 @@ { - "version": "1.0.0-*", - "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "dependencies": { - }, - "frameworks": { - "net451": { }, - "dnx451": { }, - "dnxcore50": { - "dependencies": { - "System.Diagnostics.Debug": "4.0.11-beta-*", - "System.Runtime.Handles": "4.0.1-beta-*", - "System.Runtime.InteropServices": "4.0.21-beta-*", - "System.Security.Cryptography.Primitives": "4.0.0-beta-*", - "System.Threading": "4.0.11-beta-*" - } - } - }, - "compilationOptions": { - "allowUnsafe": true, - "warningsAsErrors": true + "version": "1.0.0-*", + "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "dependencies": {}, + "frameworks": { + "net451": {}, + "dotnet5.4": { + "dependencies": { + "System.Diagnostics.Debug": "4.0.11-beta-*", + "System.Runtime.Handles": "4.0.1-beta-*", + "System.Runtime.InteropServices": "4.0.21-beta-*", + "System.Security.Cryptography.Primitives": "4.0.0-beta-*", + "System.Threading": "4.0.11-beta-*" + } } -} + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 581d8c46d9..4b0e59d4b2 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json 
@@ -1,26 +1,25 @@ { - "version": "1.0.0-*", - "description": "ASP.NET 5 utilities for key derivation.", - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*" - }, - "frameworks": { - "net451": { }, - "dnx451": { }, - "dnxcore50": { - "dependencies": { - "System.Runtime.Extensions": "4.0.11-beta-*", - "System.Security.Cryptography.Algorithms": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.11-beta-*" - } - } - }, - "compilationOptions": { - "allowUnsafe": true, - "warningsAsErrors": true + "version": "1.0.0-*", + "description": "ASP.NET 5 utilities for key derivation.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*" + }, + "frameworks": { + "net451": {}, + "dotnet5.4": { + "dependencies": { + "System.Runtime.Extensions": "4.0.11-beta-*", + "System.Security.Cryptography.Algorithms": "4.0.0-beta-*", + "System.Text.Encoding.Extensions": "4.0.11-beta-*" + } } -} + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs index ee2c0fa106..9b4703829b 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -7,10 +7,7 @@ using System.ComponentModel; using System.Diagnostics; using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Abstractions; - -#if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available using Microsoft.Dnx.Runtime; -#endif namespace Microsoft.AspNet.DataProtection { 
@@ -124,15 +121,10 @@ namespace Microsoft.AspNet.DataProtection public static string GetApplicationUniqueIdentifier(this IServiceProvider services) { string discriminator = (services?.GetService(typeof(IApplicationDiscriminator)) as IApplicationDiscriminator)?.Discriminator; -#if DNX451 || DNXCORE50 // [[ISSUE1400]] Replace with DNX_ANY when it becomes available if (discriminator == null) { discriminator = (services?.GetService(typeof(IApplicationEnvironment)) as IApplicationEnvironment)?.ApplicationBasePath; } -#elif NET451 // do nothing -#else -#error A new target framework was added to project.json, but it's not accounted for in this #ifdef. Please change the #ifdef accordingly. -#endif // Remove whitespace and homogenize empty -> null discriminator = discriminator?.Trim(); diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index be542d12ff..e5f544bcdb 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json 
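Review bot: With the `#if DNX451 || DNXCORE50` guard removed, the `ApplicationBasePath` fallback in `GetApplicationUniqueIdentifier` now also compiles into the net451 build, where the old `#elif NET451 // do nothing` branch left the discriminator null. Whether a plain net451 host can resolve `IApplicationEnvironment` is not visible in this hunk. If one can, the identifier changes from null to the base path, and anything keyed on it (presumably per-application isolation of protected payloads) would stop matching data produced before the upgrade. Record that at the fallback, e.g. `// Runs on every target now (was DNX-only): a resolvable IApplicationEnvironment changes the identifier`. The method body continues outside the hunk.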
@@ -1,33 +1,31 @@ { - "version": "1.0.0-*", - "description": "Contains the core IDataProtector and IDataProtectionProvider abstractions for ASP.NET 5 Data Protection.", - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "version": "1.0.0-*", + "description": "Contains the core IDataProtector and IDataProtectionProvider abstractions for ASP.NET 5 Data Protection.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "dependencies": { + "Microsoft.AspNet.DataProtection.Sources": { + "type": "build", + "version": "" }, - "dependencies": { - "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" } - }, - "frameworks": { - "net451": { }, - "dnx451": { - "dependencies": { - "Microsoft.Dnx.Runtime.Abstractions": "1.0.0-*" - } - }, - "dnxcore50": { - "dependencies": { - "Microsoft.Dnx.Runtime.Abstractions": "1.0.0-*", - "System.ComponentModel": "4.0.1-beta-*", - "System.Diagnostics.Debug": "4.0.11-beta-*", - "System.Reflection": "4.0.11-beta-*", - "System.Runtime.Extensions": "4.0.11-beta-*", - "System.Security.Cryptography.Primitives": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.11-beta-*" - } - } - }, - "compilationOptions": { - "warningsAsErrors": true + "Microsoft.Dnx.Runtime.Abstractions": "1.0.0-*" + }, + "frameworks": { + "net451": {}, + "dotnet5.4": { + "dependencies": { + "System.ComponentModel": "4.0.1-beta-*", + "System.Diagnostics.Debug": "4.0.11-beta-*", + "System.Reflection": "4.0.11-beta-*", + "System.Runtime.Extensions": "4.0.11-beta-*", + "System.Security.Cryptography.Primitives": "4.0.0-beta-*", + "System.Text.Encoding.Extensions": "4.0.11-beta-*" + } } -} + }, + "compilationOptions": { + "warningsAsErrors": true + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json index 5c815caf43..5070099791 100644 
--- a/src/Microsoft.AspNet.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json @@ -1,21 +1,23 @@ { - "version": "1.0.0-*", - "description": "Additional APIs for ASP.NET 5 data protection.", - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "version": "1.0.0-*", + "description": "Additional APIs for ASP.NET 5 data protection.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "dependencies": { + "Microsoft.AspNet.DataProtection": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Sources": { + "type": "build", + "version": "" }, - "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, - "Microsoft.Extensions.DependencyInjection": "1.0.0-*" - }, - "frameworks": { - "net451": { }, - "dnx451": { }, - "dnxcore50": { } - }, - "compilationOptions": { - "warningsAsErrors": true - } -} + "Microsoft.Extensions.DependencyInjection": "1.0.0-*" + }, + "frameworks": { + "net451": {}, + "dotnet5.4": {} + }, + "compilationOptions": { + "warningsAsErrors": true + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Sources/project.json b/src/Microsoft.AspNet.DataProtection.Sources/project.json index 57c8f34b7c..3417f84587 100644 --- a/src/Microsoft.AspNet.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNet.DataProtection.Sources/project.json 
@@ -1,24 +1,22 @@ { - "version": "1.0.0-*", - "description": "ASP.NET 5 Data Protection shared code.", - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "dependencies": { - }, - "frameworks": { - "net451": { }, - "dnx451": { }, - "dnxcore50": { - "dependencies": { - "System.Security.Cryptography.Primitives": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.11-beta-*" - } - } - }, - "shared": "**\\*.cs", - "compilationOptions": { - "warningsAsErrors": true + "version": "1.0.0-*", + "description": "ASP.NET 5 Data Protection shared code.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "dependencies": {}, + "frameworks": { + "net451": {}, + "dotnet5.4": { + "dependencies": { + "System.Security.Cryptography.Primitives": "4.0.0-beta-*", + "System.Text.Encoding.Extensions": "4.0.11-beta-*" + } } -} + }, + "shared": "**\\*.cs", + "compilationOptions": { + "warningsAsErrors": true + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json index 65738ec429..239f6b2ed0 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json 
@@ -1,27 +1,27 @@ { - "version": "1.0.0-*", - "description": "A component to allow the ASP.NET 5 DataProtection stack to work with the ASP.NET 4.x element.", - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "frameworks": { - "net451": { - "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*", - "Microsoft.Extensions.DependencyInjection": "1.0.0-*" - }, - "frameworkAssemblies": { - "System.Configuration": "4.0.0.0", - "System.Security": "4.0.0.0", - "System.Web": "4.0.0.0" - } - } - }, - "compilationOptions": { - "warningsAsErrors": true - }, - "packInclude": { - "content/net451/": "web.config.transform" + "version": "1.0.0-*", + "description": "A component to allow the ASP.NET 5 DataProtection stack to work with the ASP.NET 4.x element.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "frameworks": { + "net451": { + "dependencies": { + "Microsoft.AspNet.DataProtection": "1.0.0-*", + "Microsoft.Extensions.DependencyInjection": "1.0.0-*" + }, + "frameworkAssemblies": { + "System.Configuration": "4.0.0.0", + "System.Security": "4.0.0.0", + "System.Web": "4.0.0.0" + } } -} + }, + "compilationOptions": { + "warningsAsErrors": true + }, + "packInclude": { + "content/net451/": "web.config.transform" + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs index 4751e893ec..c3bddbe552 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs 
@@ -126,7 +126,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption if (EncryptionAlgorithmType == typeof(Aes)) { Func factory = null; -#if !DNXCORE50 +#if !DOTNET5_4 if (OSVersionUtil.IsWindows()) { // If we're on desktop CLR and running on Windows, use the FIPS-compliant implementation. diff --git a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs index ffb8a5c9fe..6fd62e9726 100644 --- a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -78,7 +78,7 @@ namespace Microsoft.AspNet.DataProtection.Cng }; DATA_BLOB dataOut = default(DATA_BLOB); -#if !DNXCORE50 +#if !DOTNET5_4 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -168,7 +168,7 @@ namespace Microsoft.AspNet.DataProtection.Cng fixed (byte* pbRetVal = retVal) { bool handleAcquired = false; -#if !DNXCORE50 +#if !DOTNET5_4 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -218,7 +218,7 @@ namespace Microsoft.AspNet.DataProtection.Cng }; DATA_BLOB dataOut = default(DATA_BLOB); -#if !DNXCORE50 +#if !DOTNET5_4 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -291,7 +291,7 @@ namespace Microsoft.AspNet.DataProtection.Cng using (unencryptedPayloadHandle) { bool handleAcquired = false; -#if !DNXCORE50 +#if !DOTNET5_4 RuntimeHelpers.PrepareConstrainedRegions(); #endif try diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs index e083d1988a..5c53a1fdd1 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs 
@@ -11,7 +11,7 @@ using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Win32; -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; #endif @@ -183,7 +183,7 @@ namespace Microsoft.AspNet.DataProtection return this; } -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// Configures keys to be encrypted to a given certificate before being persisted to storage. diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs index 9e08c553a2..0e02d9e5eb 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs @@ -13,7 +13,7 @@ using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Extensions.OptionsModel; using Microsoft.Win32; -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; #endif @@ -69,7 +69,7 @@ namespace Microsoft.Extensions.DependencyInjection return ServiceDescriptor.Singleton(options.ToConfiguration); } -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// An backed by the default implementation. /// 
@@ -118,7 +118,7 @@ namespace Microsoft.Extensions.DependencyInjection return ServiceDescriptor.Singleton(services => new XmlKeyManager(services)); } -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// An backed by an X.509 certificate. diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index 5989631c4c..862aa06998 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs @@ -121,7 +121,7 @@ namespace Microsoft.Extensions.DependencyInjection yield return DataProtectionServiceDescriptors.IDataProtectionProvider_Default(); // Provide services required for XML encryption -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml yield return DataProtectionServiceDescriptors.ICertificateResolver_Default(); #endif diff --git a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index b9c3724208..03841b485a 100644 --- a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -343,7 +343,7 @@ namespace Microsoft.AspNet.DataProtection.Managed using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey)) { -#if !DNXCORE50 +#if !DOTNET5_4 // As an optimization, avoid duplicating the underlying buffer if we're on desktop CLR. byte[] underlyingBuffer = outputStream.GetBuffer(); #else 
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index becb107ac0..3cc94174a6 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -101,7 +101,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private static DirectoryInfo GetDefaultKeyStorageDirectory() { -#if !DNXCORE50 +#if !DOTNET5_4 // Environment.GetFolderPath returns null if the user profile isn't loaded. string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); if (!String.IsNullOrEmpty(folderPath)) diff --git a/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs b/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs index ce40ebed63..16f306bade 100644 --- a/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs +++ b/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 +#if !DOTNET5_4 // These classes allow using the C# string interpolation feature from .NET 4.5.1. // They're slimmed-down versions of the classes that exist in .NET 4.6. diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs index 9ae11096bd..765e0d4e7f 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.X509Certificates; diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index f2a963d8cd..5cdfc505b3 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.X509Certificates; diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs index 5ea97ce76c..ce9c8ee9ff 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if DNXCORE50 +#if DOTNET5_4 // [[ISSUE60]] Remove this entire file when Core CLR gets support for EncryptedXml. // This is just a dummy implementation of the class that always throws. // The only reason it's here (albeit internal) is to provide a nice error message if key diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index 51fbcefa0d..713f85f06c 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.Xml; diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs index efc7e66b7b..5a6f0b9f27 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs index c732e08eb4..ec30a73f44 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Xml; diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs index 223283de65..afc9a2092c 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.Xml; diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index ff2bd57cdd..f1987d1756 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs @@ -132,7 +132,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption var memoryStream = new MemoryStream(DEFAULT_BUFFER_SIZE); element.Save(memoryStream); -#if !DNXCORE50 +#if !DOTNET5_4 byte[] underlyingBuffer = memoryStream.GetBuffer(); fixed (byte* __unused__ = underlyingBuffer) // try to limit this moving around in memory while we allocate { diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 4a634c02e7..fa1e0919e8 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json 
@@ -1,50 +1,45 @@ { - "version": "1.0.0-*", - "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "version": "1.0.0-*", + "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Sources": { + "type": "build", + "version": "" }, - "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Sources": { "type": "build", "version": "" }, - "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", - "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", - "Microsoft.Extensions.OptionsModel": "1.0.0-*" + "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", + "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", + "Microsoft.Extensions.OptionsModel": "1.0.0-*" + }, + "frameworks": { + "net451": { + "frameworkAssemblies": { + "System.IO": "", + "System.Security": "", + "System.Xml": "", + "System.Xml.Linq": "" + } }, - "frameworks": { - "net451": { - "frameworkAssemblies": { - "System.IO": "", - "System.Security": "", - "System.Xml": "", - "System.Xml.Linq": "" - } - }, - "dnx451": { - "frameworkAssemblies": { - "System.IO": "", - "System.Security": "", - "System.Xml": "", - "System.Xml.Linq": "" - } - }, - "dnxcore50": { - "dependencies": { - "Microsoft.Win32.Registry": "4.0.0-beta-*", - "System.Linq": "4.0.1-beta-*", - "System.Reflection.Extensions": "4.0.1-beta-*", - "System.Reflection.TypeExtensions": "4.0.1-beta-*", - "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", - "System.Security.Claims": "4.0.1-beta-*", - 
"System.Security.Principal.Windows": "4.0.0-beta-*", - "System.Xml.XDocument": "4.0.11-beta-*" - } - } - }, - "compilationOptions": { - "allowUnsafe": true, - "warningsAsErrors": true + "dotnet5.4": { + "dependencies": { + "Microsoft.Win32.Registry": "4.0.0-beta-*", + "System.Linq": "4.0.1-beta-*", + "System.Reflection.Extensions": "4.0.1-beta-*", + "System.Reflection.TypeExtensions": "4.0.1-beta-*", + "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", + "System.Security.Claims": "4.0.1-beta-*", + "System.Security.Principal.Windows": "4.0.0-beta-*", + "System.Xml.XDocument": "4.0.11-beta-*" + } } -} + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true + } +} \ No newline at end of file From bc80dab39d506332221bc97b57dd6f4669904a83 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Thu, 22 Oct 2015 16:46:31 -0700 Subject: [PATCH 186/493] Compiles and passes tests --- .../DataProtectionExtensions.cs | 2 +- src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 2 +- .../DataProtectionExtensionsTests.cs | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs index 9b4703829b..94f2e3abb1 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -7,7 +7,7 @@ using System.ComponentModel; using System.Diagnostics; using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Abstractions; -using Microsoft.Dnx.Runtime; +using Microsoft.Extensions.PlatformAbstractions; namespace Microsoft.AspNet.DataProtection { diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index e5f544bcdb..bda1b76edd 100644 
--- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -10,7 +10,7 @@ "type": "build", "version": "" }, - "Microsoft.Dnx.Runtime.Abstractions": "1.0.0-*" + "Microsoft.Extensions.PlatformAbstractions": "1.0.0-*" }, "frameworks": { "net451": {}, diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs index 771f7e5133..3687981ecd 100644 --- a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs @@ -8,7 +8,7 @@ using System.Text; using Microsoft.AspNet.DataProtection.Infrastructure; using Microsoft.AspNet.DataProtection.Abstractions; using Microsoft.AspNet.Testing; -using Microsoft.Dnx.Runtime; +using Microsoft.Extensions.PlatformAbstractions; using Moq; using Xunit; From 1c570ba02b45b4214cbc5c5de99f671055d9de48 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 28 Oct 2015 12:43:04 -0700 Subject: [PATCH 187/493] Updating to release NuGet.config. --- NuGet.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.config b/NuGet.config index 1707938c61..9db87a421e 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + \ No newline at end of file From acd8d3d44db4e20e81312c92c56bb17dd633917d Mon Sep 17 00:00:00 2001 
From: Cesar Blum Silveira Date: Mon, 2 Nov 2015 15:32:44 -0800 Subject: [PATCH 188/493] Strong name everything. --- .../Properties/AssemblyInfo.cs | 14 +++++++------- .../project.json | 3 ++- .../Properties/AssemblyInfo.cs | 2 +- .../project.json | 3 ++- .../Properties/AssemblyInfo.cs | 2 +- .../project.json | 3 ++- .../Properties/AssemblyInfo.cs | 2 +- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 3 ++- .../Properties/AssemblyInfo.cs | 4 ++-- src/Microsoft.AspNet.DataProtection/project.json | 3 ++- .../Properties/AssemblyInfo.cs | 2 +- .../project.json | 3 ++- .../Properties/AssemblyInfo.cs | 2 +- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 3 ++- .../Properties/AssemblyInfo.cs | 2 +- .../project.json | 4 +++- tools/Key.snk | Bin 0 -> 596 bytes 21 files changed, 40 insertions(+), 27 deletions(-) create mode 100644 tools/Key.snk diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs index bc9a2929e1..f9bcc24835 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs 
@@ -9,12 +9,12 @@ using System.Runtime.InteropServices; // we only ever p/invoke into DLLs known to be in the System32 folder [assembly: DefaultDllImportSearchPaths(DllImportSearchPath.System32)] -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.Internal.Test")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.Internal.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: 
InternalsVisibleTo("Microsoft.AspNet.DataProtection, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index e57e13d42b..88a1331835 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json 
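Review bot: The seven `InternalsVisibleTo` lines added in this hunk each paste the same 320-character `PublicKey=` literal, and nothing in the file says which key it is, so a wrong or truncated copy in one friend declaration is very hard to spot in review. This matters more here than elsewhere because the assembly holds the cryptographic internals and four of the seven friends are test assemblies. A single constant would leave one place to check, for example `internal static class FriendKey { internal const string Suffix = ", PublicKey=<repository key>"; }` used as `[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test" + FriendKey.Suffix)]`, since attribute arguments accept constant concatenation. If the literal form is kept, add a comment such as `// PublicKey is the public half of tools/Key.snk; friend access is an identity check, not an access control`. The other AssemblyInfo.cs hunks of this commit repeat the same literal.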
+++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json @@ -20,6 +20,7 @@ }, "compilationOptions": { "allowUnsafe": true, - "warningsAsErrors": true + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } \ No newline at end of file diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs index 19dcc92ab2..5a85d1db36 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs @@ -5,6 +5,6 @@ using System.Reflection; using System.Resources; using System.Runtime.CompilerServices; -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 4b0e59d4b2..27ec014052 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -20,6 +20,7 @@ }, "compilationOptions": { "allowUnsafe": true, - "warningsAsErrors": true + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } \ No newline at end of file 
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs index c1bee7c37f..568d44be98 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs @@ -6,6 +6,6 @@ using System.Resources; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index bda1b76edd..390ca65bed 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -26,6 +26,7 @@ } }, "compilationOptions": { - "warningsAsErrors": true + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs index f1012ed502..b14a9ed7cb 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs 
@@ -5,6 +5,6 @@ using System.Reflection; using System.Resources; using System.Runtime.CompilerServices; -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNet.DataProtection.Extensions/project.json index 5070099791..a77cbdb168 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Extensions/project.json @@ -18,6 +18,7 @@ "dotnet5.4": {} }, "compilationOptions": { - "warningsAsErrors": true + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.Sources/project.json b/src/Microsoft.AspNet.DataProtection.Sources/project.json index 3417f84587..0ac9ef2265 100644 --- a/src/Microsoft.AspNet.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNet.DataProtection.Sources/project.json @@ -17,6 +17,7 @@ }, "shared": "**\\*.cs", "compilationOptions": { - "warningsAsErrors": true + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json index 239f6b2ed0..a23a97b559 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json 
@@ -19,7 +19,8 @@ } }, "compilationOptions": { - "warningsAsErrors": true + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" }, "packInclude": { "content/net451/": "web.config.transform" diff --git a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs index a859f1608f..7467d96a44 100644 --- a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs @@ -6,7 +6,7 @@ using System.Resources; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test")] -[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] +[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index fa1e0919e8..dd62c8981c 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json 
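Review bot: The `DynamicProxyGenAssembly2` grant in the AssemblyInfo.cs hunk for Microsoft.AspNet.DataProtection carries a different `PublicKey` value from the repository key used for `Microsoft.AspNet.DataProtection.Test` on the line above it, and the file does not say whose key that is. The attribute sits under the `// for unit testing` comment but is compiled into the shipped data-protection assembly, so its internals are visible to any assembly with that name and key. Presumably this is the proxy assembly that the mocking library generates at test time (the test projects import Moq), which should be confirmed. I would record that in place, e.g. `// DynamicProxyGenAssembly2 is the test mocking library's runtime proxy assembly; its key belongs to that library, not to tools/Key.snk`, so a later key change does not replace it with the repository key by mistake. The same attribute is added in the three test-project AssemblyInfo.cs hunks of this commit.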
@@ -40,6 +40,7 @@ }, "compilationOptions": { "allowUnsafe": true, - "warningsAsErrors": true + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } \ No newline at end of file diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs index aa00750af3..36cdb8d8aa 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs @@ -5,4 +5,4 @@ using System; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index 3ad4052791..e1bf23c336 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -13,6 +13,7 @@ "test": "xunit.runner.aspnet" }, "compilationOptions": { - "allowUnsafe": true + "allowUnsafe": true, + "keyFile": "../../tools/Key.snk" } } diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs index aa00750af3..36cdb8d8aa 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs 
@@ -5,4 +5,4 @@ using System; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index 79e645fd53..d03d6526fd 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json @@ -14,6 +14,7 @@ "test": "xunit.runner.aspnet" }, "compilationOptions": { - "allowUnsafe": true + "allowUnsafe": true, + "keyFile": "../../tools/Key.snk" } } diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json index 5651458299..dd7ede7811 100644 --- a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json @@ -14,6 +14,7 @@ }, "compile": "..\\common\\**\\*.cs", "compilationOptions": { - + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json index f839a2023e..1a3581591b 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json @@ -14,6 +14,7 @@ "test": "xunit.runner.aspnet" }, "compilationOptions": { - + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs index aa00750af3..36cdb8d8aa 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs @@ -5,4 +5,4 @@ using System; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2")] +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index 380927c2f1..b63e75ac4d 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json @@ -14,6 +14,8 @@ "test": "xunit.runner.aspnet" }, "compilationOptions": { - "allowUnsafe": true + "allowUnsafe": true, + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" } } diff --git a/tools/Key.snk b/tools/Key.snk new file mode 100644 index 0000000000000000000000000000000000000000..e10e4889c125d3120cd9e81582243d70f7cbb806 GIT binary patch literal 596 zcmV-a0;~N80ssI2Bme+XQ$aES1ONa50098=Iw=HCsnz~#iVhm& zj%TU(_THUee?3yHBjk$37ysB?i5#7WD$={H zV4B!OxRPrb|8)HPg~A}8P>^=#y<)56#=E&NzcjOtPK~<4n6GHt=K$ro*T(lhby_@U zEk(hLzk1H)0yXj{A_5>fk-TgNoP|q6(tP2xo8zt8i%212CWM#AeCd?`hS|4~L({h~Moo(~vy&3Z z1uI}`fd^*>o=rwbAGymj6RM^pZm(*Kfhs+Y1#`-2JPWZMK8@;ZWCk2+9bX4YP);~fj-BU*R zQPvWv$89!{Rl9wM+zR>_TSkn^voYxA?2G iKnV#iZ6Ah`K>b=@=IjYJXrxL124zR(38)nxe+&q_$QXwJ literal 0 HcmV?d00001 
From ca2629c00464e8f095d3a3b35f89e2e2869bdf47 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 12 Nov 2015 12:22:57 -0800 Subject: [PATCH 189/493] Remove System beta tag in project.json for coreclr packages. --- .../project.json | 12 ++++++------ .../project.json | 8 ++++---- .../project.json | 14 +++++++------- .../project.json | 6 +++--- src/Microsoft.AspNet.DataProtection/project.json | 16 ++++++++-------- 5 files changed, 28 insertions(+), 28 deletions(-) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNet.Cryptography.Internal/project.json index 88a1331835..deebb4fbca 100644 --- a/src/Microsoft.AspNet.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNet.Cryptography.Internal/project.json @@ -10,11 +10,11 @@ "net451": {}, "dotnet5.4": { "dependencies": { - "System.Diagnostics.Debug": "4.0.11-beta-*", - "System.Runtime.Handles": "4.0.1-beta-*", - "System.Runtime.InteropServices": "4.0.21-beta-*", - "System.Security.Cryptography.Primitives": "4.0.0-beta-*", - "System.Threading": "4.0.11-beta-*" + "System.Diagnostics.Debug": "4.0.11-*", + "System.Runtime.Handles": "4.0.1-*", + "System.Runtime.InteropServices": "4.0.21-*", + "System.Security.Cryptography.Primitives": "4.0.0-*", + "System.Threading": "4.0.11-*" } } }, @@ -23,4 +23,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 27ec014052..3a4d70c7c1 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json 
@@ -12,9 +12,9 @@ "net451": {}, "dotnet5.4": { "dependencies": { - "System.Runtime.Extensions": "4.0.11-beta-*", - "System.Security.Cryptography.Algorithms": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.11-beta-*" + "System.Runtime.Extensions": "4.0.11-*", + "System.Security.Cryptography.Algorithms": "4.0.0-*", + "System.Text.Encoding.Extensions": "4.0.11-*" } } }, @@ -23,4 +23,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index 390ca65bed..f1e1e2f7cf 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -16,12 +16,12 @@ "net451": {}, "dotnet5.4": { "dependencies": { - "System.ComponentModel": "4.0.1-beta-*", - "System.Diagnostics.Debug": "4.0.11-beta-*", - "System.Reflection": "4.0.11-beta-*", - "System.Runtime.Extensions": "4.0.11-beta-*", - "System.Security.Cryptography.Primitives": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.11-beta-*" + "System.ComponentModel": "4.0.1-*", + "System.Diagnostics.Debug": "4.0.11-*", + "System.Reflection": "4.0.11-*", + "System.Runtime.Extensions": "4.0.11-*", + "System.Security.Cryptography.Primitives": "4.0.0-*", + "System.Text.Encoding.Extensions": "4.0.11-*" } } }, @@ -29,4 +29,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.DataProtection.Sources/project.json b/src/Microsoft.AspNet.DataProtection.Sources/project.json index 0ac9ef2265..e04fdd43ea 100644 --- a/src/Microsoft.AspNet.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNet.DataProtection.Sources/project.json 
@@ -10,8 +10,8 @@ "net451": {}, "dotnet5.4": { "dependencies": { - "System.Security.Cryptography.Primitives": "4.0.0-beta-*", - "System.Text.Encoding.Extensions": "4.0.11-beta-*" + "System.Security.Cryptography.Primitives": "4.0.0-*", + "System.Text.Encoding.Extensions": "4.0.11-*" } } }, @@ -20,4 +20,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index dd62c8981c..cc50ae2ec0 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -28,13 +28,13 @@ "dotnet5.4": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-beta-*", - "System.Linq": "4.0.1-beta-*", - "System.Reflection.Extensions": "4.0.1-beta-*", - "System.Reflection.TypeExtensions": "4.0.1-beta-*", - "System.Security.Cryptography.X509Certificates": "4.0.0-beta-*", - "System.Security.Claims": "4.0.1-beta-*", - "System.Security.Principal.Windows": "4.0.0-beta-*", - "System.Xml.XDocument": "4.0.11-beta-*" + "System.Linq": "4.0.1-*", + "System.Reflection.Extensions": "4.0.1-*", + "System.Reflection.TypeExtensions": "4.0.1-*", + "System.Security.Cryptography.X509Certificates": "4.0.0-*", + "System.Security.Claims": "4.0.1-*", + "System.Security.Principal.Windows": "4.0.0-*", + "System.Xml.XDocument": "4.0.11-*" } } }, @@ -43,4 +43,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} \ No newline at end of file +} From 4c97cbb9b206ea7a5af5e92e28e53d236c6674b6 Mon Sep 17 00:00:00 2001 From: Troy Dai Date: Thu, 12 Nov 2015 15:28:21 -0800 Subject: [PATCH 190/493] Update Microsoft.Win32.Registry reference's version --- src/Microsoft.AspNet.DataProtection/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index cc50ae2ec0..4cc07dbbbf 100644 
--- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -27,7 +27,7 @@ }, "dotnet5.4": { "dependencies": { - "Microsoft.Win32.Registry": "4.0.0-beta-*", + "Microsoft.Win32.Registry": "4.0.0-*", "System.Linq": "4.0.1-*", "System.Reflection.Extensions": "4.0.1-*", "System.Reflection.TypeExtensions": "4.0.1-*", From d09551af46f156dc4fbcd01e3944776f7c15a46b Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 13 Nov 2015 10:30:54 -0800 Subject: [PATCH 191/493] Reacting to DependencyInjection changes --- .../DataProtectionStartup.cs | 2 +- .../DataProtectionConfiguration.cs | 2 +- .../ActivatorTests.cs | 2 +- ...KeyEscrowServiceProviderExtensionsTests.cs | 6 +-- .../KeyManagement/KeyRingProviderTests.cs | 4 +- .../KeyManagement/XmlKeyManagerTests.cs | 48 +++++++++---------- .../CertificateXmlEncryptionTests.cs | 4 +- .../XmlEncryptionExtensionsTests.cs | 4 +- 8 files changed, 36 insertions(+), 36 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs index 20df0d00d8..e9300f13bf 100644 --- a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs +++ b/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs @@ -60,7 +60,7 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb // Configure the default implementation, passing in our custom discriminator var services = new ServiceCollection(); services.AddDataProtection(); - services.AddInstance(new SystemWebApplicationDiscriminator()); + services.AddSingleton(new SystemWebApplicationDiscriminator()); // Run user-specified configuration and get an instance of the provider ConfigureServices(services); diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs index 5c53a1fdd1..4c4a8ae129 100644 
--- a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs @@ -79,7 +79,7 @@ namespace Microsoft.AspNet.DataProtection throw new ArgumentNullException(nameof(sink)); } - Services.AddInstance(sink); + Services.AddSingleton(sink); return this; } diff --git a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs index 5535eba438..5bea3ae5b6 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs @@ -72,7 +72,7 @@ namespace Microsoft.AspNet.DataProtection // Arrange var expectedActivator = new Mock().Object; var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(expectedActivator); + serviceCollection.AddSingleton(expectedActivator); // Act var actualActivator = serviceCollection.BuildServiceProvider().GetActivator(); diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs index 3a0148b33e..989b7aafd5 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs @@ -43,7 +43,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement }); var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockKeyEscrowSink.Object); + serviceCollection.AddSingleton(mockKeyEscrowSink.Object); var services = serviceCollection.BuildServiceProvider(); // Act 
@@ -75,8 +75,8 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement }); var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockKeyEscrowSink1.Object); - serviceCollection.AddInstance(mockKeyEscrowSink2.Object); + serviceCollection.AddSingleton(mockKeyEscrowSink1.Object); + serviceCollection.AddSingleton(mockKeyEscrowSink2.Object); var services = serviceCollection.BuildServiceProvider(); // Act diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index 3cba1f3f58..f136127af4 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -588,7 +588,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private static KeyRingProvider CreateKeyRingProvider(ICacheableKeyRingProvider cacheableKeyRingProvider) { var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(cacheableKeyRingProvider); + serviceCollection.AddSingleton(cacheableKeyRingProvider); return new KeyRingProvider( keyManager: null, keyManagementOptions: null, @@ -598,7 +598,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private static ICacheableKeyRingProvider CreateKeyRingProvider(IKeyManager keyManager, IDefaultKeyResolver defaultKeyResolver, KeyManagementOptions keyManagementOptions= null) { var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(defaultKeyResolver); + serviceCollection.AddSingleton(defaultKeyResolver); return new KeyRingProvider( keyManager: keyManager, keyManagementOptions: keyManagementOptions, diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index 19c8c75460..a0c8e319ee 100644 
--- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs @@ -37,8 +37,8 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement mockFallback.Setup(o => o.GetKeyRepository()).Returns(expectedRepository); var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockFallback.Object); - serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddSingleton(mockFallback.Object); + serviceCollection.AddSingleton(new Mock().Object); var services = serviceCollection.BuildServiceProvider(); // Act @@ -58,9 +58,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement mockFallback.Setup(o => o.GetKeyRepository()).Returns(new Mock().Object); var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockFallback.Object); - serviceCollection.AddInstance(new Mock().Object); - serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddSingleton(mockFallback.Object); + serviceCollection.AddSingleton(new Mock().Object); + serviceCollection.AddSingleton(new Mock().Object); var services = serviceCollection.BuildServiceProvider(); // Act & assert - we don't care about exception type, only exception message @@ -97,8 +97,8 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange - services var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockXmlRepository.Object); - serviceCollection.AddInstance(mockConfiguration.Object); + serviceCollection.AddSingleton(mockXmlRepository.Object); + serviceCollection.AddSingleton(mockConfiguration.Object); var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); 
@@ -188,9 +188,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange - services var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockXmlRepository.Object); - serviceCollection.AddInstance(mockConfiguration.Object); - serviceCollection.AddInstance(mockKeyEscrow.Object); + serviceCollection.AddSingleton(mockXmlRepository.Object); + serviceCollection.AddSingleton(mockConfiguration.Object); + serviceCollection.AddSingleton(mockKeyEscrow.Object); serviceCollection.AddSingleton(); var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); @@ -288,9 +288,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange - services var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(new Mock().Object); - serviceCollection.AddInstance(new Mock().Object); - serviceCollection.AddInstance(mockInternalKeyManager.Object); + serviceCollection.AddSingleton(new Mock().Object); + serviceCollection.AddSingleton(new Mock().Object); + serviceCollection.AddSingleton(mockInternalKeyManager.Object); var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); @@ -584,12 +584,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange - services var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockXmlRepository.Object); - serviceCollection.AddInstance(activator); - serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddSingleton(mockXmlRepository.Object); + serviceCollection.AddSingleton(activator); + serviceCollection.AddSingleton(new Mock().Object); if (loggerFactory != null) { - serviceCollection.AddInstance(loggerFactory); + serviceCollection.AddSingleton(loggerFactory); } var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); 
@@ -615,8 +615,8 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange - services var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockXmlRepository.Object); - serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddSingleton(mockXmlRepository.Object); + serviceCollection.AddSingleton(new Mock().Object); var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); @@ -664,8 +664,8 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange - services var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockXmlRepository.Object); - serviceCollection.AddInstance(new Mock().Object); + serviceCollection.AddSingleton(mockXmlRepository.Object); + serviceCollection.AddSingleton(new Mock().Object); var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); @@ -716,9 +716,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Arrange - services var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(new Mock().Object); - serviceCollection.AddInstance(new Mock().Object); - serviceCollection.AddInstance(mockInternalKeyManager.Object); + serviceCollection.AddSingleton(new Mock().Object); + serviceCollection.AddSingleton(new Mock().Object); + serviceCollection.AddSingleton(mockInternalKeyManager.Object); var services = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(services); diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 9e5a2d45a0..bfaf877e89 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs 
@@ -29,7 +29,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption encryptedXml.AddKeyNameMapping("theKey", symmetricAlgorithm); // use symmetric encryption return encryptedXml.Encrypt(element, "theKey"); }); - serviceCollection.AddInstance(mockInternalEncryptor.Object); + serviceCollection.AddSingleton(mockInternalEncryptor.Object); var mockInternalDecryptor = new Mock(); mockInternalDecryptor.Setup(o => o.PerformPreDecryptionSetup(It.IsAny())) @@ -37,7 +37,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { encryptedXml.AddKeyNameMapping("theKey", symmetricAlgorithm); // use symmetric encryption }); - serviceCollection.AddInstance(mockInternalDecryptor.Object); + serviceCollection.AddSingleton(mockInternalDecryptor.Object); var services = serviceCollection.BuildServiceProvider(); var encryptor = new CertificateXmlEncryptor(services); diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs index be0b05dfd9..f6b03eaac6 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs @@ -39,7 +39,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption mockActivator.ReturnDecryptedElementGivenDecryptorTypeNameAndInput("theDecryptor", "", ""); var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockActivator.Object); + serviceCollection.AddSingleton(mockActivator.Object); var services = serviceCollection.BuildServiceProvider(); var activator = services.GetActivator(); 
@@ -89,7 +89,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption mockActivator.Setup(o => o.CreateInstance(typeof(IXmlDecryptor), "myDecryptor")).Returns(mockDecryptor.Object); var serviceCollection = new ServiceCollection(); - serviceCollection.AddInstance(mockActivator.Object); + serviceCollection.AddSingleton(mockActivator.Object); var services = serviceCollection.BuildServiceProvider(); var activator = services.GetActivator(); From 5be19a02fc74b21d4bbe33bb35e4c567d0c75a45 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Fri, 13 Nov 2015 16:40:23 -0800 Subject: [PATCH 192/493] Add script to add AutoGenKeys section and UCL for it --- Provision-AutoGenKeys.ps1 | 82 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 Provision-AutoGenKeys.ps1 diff --git a/Provision-AutoGenKeys.ps1 b/Provision-AutoGenKeys.ps1 new file mode 100644 index 0000000000..7c3f671d11 --- /dev/null +++ b/Provision-AutoGenKeys.ps1 
@@ -0,0 +1,82 @@ +param ( + [Parameter(Mandatory = $True)] + [string] $appPoolName + ) + +# Provisions the HKLM registry so that the specified user account can persist auto-generated machine keys. +function Provision-AutoGenKeys { + [CmdletBinding()] + param ( + [ValidateSet("2.0", "4.0")] + [Parameter(Mandatory = $True)] + [string] $frameworkVersion, + [ValidateSet("32", "64")] + [Parameter(Mandatory = $True)] + [string] $architecture, + [Parameter(Mandatory = $True)] + [string] $sid + ) + process { + # We require administrative permissions to continue. + if (-Not (new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) { + Write-Error "This cmdlet requires Administrator permissions." + return + } + # Open HKLM with an appropriate view into the registry + if ($architecture -eq "32") { + $regView = [Microsoft.Win32.RegistryView]::Registry32; + } else { + $regView = [Microsoft.Win32.RegistryView]::Registry64; + } + $baseRegKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $regView) + # Open ASP.NET base key + if ($frameworkVersion -eq "2.0") { + $expandedVersion = "2.0.50727.0" + } else { + $expandedVersion = "4.0.30319.0" + } + $softwareMicrosoftKey = $baseRegKey.OpenSubKey("SOFTWARE\Microsoft\", $True); + + $aspNetKey = $softwareMicrosoftKey.OpenSubKey("ASP.NET", $True); + if ($aspNetKey -eq $null) + { + $aspNetKey = $softwareMicrosoftKey.CreateSubKey("ASP.NET") + } + + $aspNetBaseKey = $softwareMicrosoftKey.OpenSubKey("$expandedVersion", $True); + if ($aspNetBaseKey -eq $null) + { + $aspNetBaseKey = $softwareMicrosoftKey.CreateSubKey("$expandedVersion") + } + + # Create AutoGenKeys subkey if it doesn't already exist + $autoGenBaseKey = $aspNetBaseKey.OpenSubKey("AutoGenKeys", $True) + if ($autoGenBaseKey -eq $null) { + $autoGenBaseKey = $aspNetBaseKey.CreateSubKey("AutoGenKeys") + } + # 
SYSTEM, ADMINISTRATORS, and the target SID get full access + $regSec = New-Object System.Security.AccessControl.RegistrySecurity + $regSec.SetSecurityDescriptorSddlForm("D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;$sid)") + $userAutoGenKey = $autoGenBaseKey.OpenSubKey($sid, $True) + if ($userAutoGenKey -eq $null) { + # Subkey didn't exist; create and ACL appropriately + $userAutoGenKey = $autoGenBaseKey.CreateSubKey($sid, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $regSec) + } else { + # Subkey existed; make sure ACLs are correct + $userAutoGenKey.SetAccessControl($regSec) + } + } +} + +$ErrorActionPreference = "Stop" +Try +{ + $poolSid = (New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$appPoolName")).Translate([System.Security.Principal.SecurityIdentifier]).Value +} +Catch [System.Security.Principal.IdentityNotMappedException] +{ + Write-Error "Application pool '$appPoolName' account cannot be resolved." +} + +Provision-AutoGenKeys "4.0" "32" $poolSid +Provision-AutoGenKeys "4.0" "64" $poolSid \ No newline at end of file From 001a7a6d5a17ab44ed58e82b19d020dc09a97283 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Tue, 17 Nov 2015 10:54:20 -0800 Subject: [PATCH 193/493] Explicitly choose Mono 4.0.5 - avoids future problems related to aspnet/External#48 - e.g. when Travis updates default Mono version in `csharp` bundle --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index 947bf868ee..dc44c0f660 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,6 @@ language: csharp sudo: false +mono: + - 4.0.5 script: - ./build.sh --quiet verify \ No newline at end of file From 5c94e8923a5d3fe2b8ccf8640ae5cf1ca8014f2e Mon Sep 17 00:00:00 2001 
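Review bot: In `Provision-AutoGenKeys`, `$aspNetKey` is opened or created but never used. The version key is opened with `$softwareMicrosoftKey.OpenSubKey("$expandedVersion", $True)` and created with `$softwareMicrosoftKey.CreateSubKey("$expandedVersion")`, so `AutoGenKeys` apparently lands directly under `SOFTWARE\Microsoft` rather than under the `ASP.NET` key that the `# Open ASP.NET base key` comment names. Both calls should go through `$aspNetKey`: `$aspNetBaseKey = $aspNetKey.OpenSubKey("$expandedVersion", $True)` and `$aspNetBaseKey = $aspNetKey.CreateSubKey("$expandedVersion")`. Separately, the SDDL grants the application-pool SID `GA`, which on a registry key includes rewriting the DACL and taking ownership; if the runtime only reads and writes values there, a narrower mask such as `KRKW` would be closer to least privilege, which should be confirmed against what ASP.NET actually needs. The opened `RegistryKey` handles are also never closed.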
From: Doug Bunting Date: Tue, 17 Nov 2015 12:34:21 -0800 Subject: [PATCH 194/493] Move Travis to supported Linux distribution - use Ubuntu 14.04 (Trusty) - Travis support for Trusty is in Beta and currently requires `sudo` - run `dnu restore` with DNX Core since aspnet/External#49 is not fixed in Mono versions we can use - add required dependencies for DNX Core to `.travis.yml` - addresses part of aspnet/Universe#290 --- .travis.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index dc44c0f660..2fc624899f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,18 @@ language: csharp -sudo: false +sudo: required +dist: trusty +addons: + apt: + packages: + - gettext + - libcurl4-openssl-dev + - libicu-dev + - libssl-dev + - libunwind8 + - zlib1g +env: + - KOREBUILD_DNU_RESTORE_CORECLR=true mono: - 4.0.5 script: - - ./build.sh --quiet verify \ No newline at end of file + - ./build.sh --quiet verify From 0b808ca75a54ee83f2b5aca5a077dcb47544fbe9 Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Tue, 17 Nov 2015 13:46:52 -0800 Subject: [PATCH 195/493] ConfigureDP => AddDP --- .../DataProtectionProvider.cs | 5 ++--- .../DataProtectionServiceCollectionExtensions.cs | 6 +++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs index fe8afe6db6..43764a0274 100644 --- a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs 
@@ -41,9 +41,8 @@ namespace Microsoft.AspNet.DataProtection } // build the service collection - ServiceCollection serviceCollection = new ServiceCollection(); - serviceCollection.AddDataProtection(); - serviceCollection.ConfigureDataProtection(configurationObject => + var serviceCollection = new ServiceCollection(); + serviceCollection.AddDataProtection(configurationObject => { configurationObject.PersistKeysToFileSystem(keyDirectory); configure?.Invoke(configurationObject); diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs index ff3d3aaac4..cd6dbbd571 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -30,13 +30,13 @@ namespace Microsoft.Extensions.DependencyInjection } /// - /// Configures the behavior of the Data Protection system. + /// Adds default Data Protection services to an and configures the behavior of the Data Protection system. /// /// A service collection to which Data Protection has already been added. /// A callback which takes a parameter. /// This callback will be responsible for configuring the system. /// The instance. - public static IServiceCollection ConfigureDataProtection(this IServiceCollection services, Action configure) + public static IServiceCollection AddDataProtection(this IServiceCollection services, Action configure) { if (services == null) { @@ -49,7 +49,7 @@ namespace Microsoft.Extensions.DependencyInjection } configure(new DataProtectionConfiguration(services)); - return services; + return services.AddDataProtection(); } } } From c48173c9480267dab753eb5c9dc09b57242172f3 Mon Sep 17 00:00:00 2001 
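Review bot: The doc comment on the renamed `AddDataProtection(services, configure)` overload in `DataProtectionServiceCollectionExtensions.cs` still describes `services` as "A service collection to which Data Protection has already been added", which is no longer the contract now that the method ends with `return services.AddDataProtection();`. The parameter text should read something like `The service collection to which to add Data Protection services.` A one-line comment above `configure(new DataProtectionConfiguration(services));` would also help, e.g. `// user configuration runs before the default services are registered`. Whether the user's choices then survive depends on how the parameterless `AddDataProtection()` registers its defaults, which this hunk does not show. Key persistence and key-encryption settings are chosen in that callback, so this ordering decides which of them take effect.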
From: Pavel Krymets Date: Tue, 17 Nov 2015 13:32:57 -0800 Subject: [PATCH 196/493] Add event ids to all log calls --- .../CngCbcAuthenticatedEncryptionOptions.cs | 11 +- .../CngGcmAuthenticatedEncryptionOptions.cs | 6 +- .../ManagedAuthenticatedEncryptionOptions.cs | 11 +- .../EphemeralDataProtectionProvider.cs | 5 +- .../KeyManagement/DefaultKeyResolver.cs | 24 +- .../KeyRingBasedDataProtector.cs | 19 +- .../KeyManagement/KeyRingProvider.cs | 39 +- .../KeyManagement/XmlKeyManager.cs | 98 +-- .../LoggingExtensions.cs | 640 +++++++++++++++++- .../Repositories/EphemeralXmlRepository.cs | 5 +- .../Repositories/FileSystemXmlRepository.cs | 15 +- .../Repositories/RegistryXmlRepository.cs | 10 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 16 +- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 7 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 10 +- .../XmlEncryption/DpapiXmlDecryptor.cs | 10 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 21 +- .../XmlEncryption/NullXmlEncryptor.cs | 5 +- 18 files changed, 701 insertions(+), 251 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs index bd187df3d8..07819cd5be 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs @@ -111,11 +111,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(HashAlgorithm)); } - if (logger.IsVerboseLevelEnabled()) - { - logger.LogVerboseF($"Opening CNG algorithm '{HashAlgorithm}' from provider '{HashAlgorithmProvider}' with HMAC."); - } - + logger.OpeningCNGAlgorithmFromProviderWithHMAC(HashAlgorithm, HashAlgorithmProvider); BCryptAlgorithmHandle algorithmHandle = null; // Special-case cached providers 
@@ -152,10 +148,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); } - if (logger.IsVerboseLevelEnabled()) - { - logger.LogVerboseF($"Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode CBC."); - } + logger.OpeningCNGAlgorithmFromProviderWithChainingModeCBC(EncryptionAlgorithm, EncryptionAlgorithmProvider); BCryptAlgorithmHandle algorithmHandle = null; diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs index 99ab80cdfe..1390274b99 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs @@ -92,11 +92,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption BCryptAlgorithmHandle algorithmHandle = null; - if (logger.IsVerboseLevelEnabled()) - { - logger.LogVerboseF($"Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode GCM."); - } - + logger.OpeningCNGAlgorithmFromProviderWithChainingModeGCM(EncryptionAlgorithm, EncryptionAlgorithmProvider); // Special-case cached providers if (EncryptionAlgorithmProvider == null) { diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs index c3bddbe552..6c8dc804d7 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs 
@@ -86,11 +86,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(ValidationAlgorithmType)); } - if (logger.IsVerboseLevelEnabled()) - { - logger.LogVerboseF($"Using managed keyed hash algorithm '{ValidationAlgorithmType.FullName}'."); - } - + logger.UsingManagedKeyedHashAlgorithm(ValidationAlgorithmType.FullName); if (ValidationAlgorithmType == typeof(HMACSHA256)) { return () => new HMACSHA256(); @@ -118,10 +114,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); } - if (logger.IsVerboseLevelEnabled()) - { - logger.LogVerboseF($"Using managed symmetric algorithm '{EncryptionAlgorithmType.FullName}'."); - } + logger.UsingManagedSymmetricAlgorithm(EncryptionAlgorithmType.FullName); if (EncryptionAlgorithmType == typeof(Aes)) { diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs index 7ee3de1aca..ac6f1dc773 100644 --- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs @@ -48,10 +48,7 @@ namespace Microsoft.AspNet.DataProtection } var logger = services.GetLogger(); - if (logger.IsWarningLevelEnabled()) - { - logger.LogWarning("Using ephemeral data protection provider. Payloads will be undecipherable upon application shutdown."); - } + logger.UsingEphemeralDataProtectionProvider(); _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, services); } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs index 242221eb7e..48e9684c3c 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs 
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -54,10 +54,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } catch (Exception ex) { - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarningF(ex, $"Key {key.KeyId:B} is ineligible to be the default key because its {nameof(IKey.CreateEncryptorInstance)} method failed."); - } + _logger.KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(key.KeyId, nameof(IKey.CreateEncryptorInstance), ex); return false; } } @@ -72,18 +69,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (preferredDefaultKey != null) { - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Considering key {preferredDefaultKey.KeyId:B} with expiration date {preferredDefaultKey.ExpirationDate:u} as default key."); - } + _logger.ConsideringKeyWithExpirationDateAsDefaultKey(preferredDefaultKey.KeyId, preferredDefaultKey.ExpirationDate); // if the key has been revoked or is expired, it is no longer a candidate if (preferredDefaultKey.IsRevoked || preferredDefaultKey.IsExpired(now) || !CanCreateAuthenticatedEncryptor(preferredDefaultKey)) { - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Key {preferredDefaultKey.KeyId:B} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered."); - } + _logger.KeyIsNoLongerUnderConsiderationAsDefault(preferredDefaultKey.KeyId); preferredDefaultKey = null; } } @@ -104,9 +95,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement && !key.IsExpired(now + _keyPropagationWindow) && !key.IsRevoked); - if (callerShouldGenerateNewKey && _logger.IsVerboseLevelEnabled()) + if (callerShouldGenerateNewKey) { - _logger.LogVerbose("Default key expiration imminent and repository contains no viable successor. Caller should generate a successor."); + _logger.DefaultKeyExpirationImminentAndRepository(); } fallbackKey = null; 
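Review bot: `DefaultKeyExpirationImminentAndRepository()` in the `@@ -104,9 +95,9 @@` hunk is a name cut off mid-phrase, so the call site no longer says what is reported. The message it replaces was "Default key expiration imminent and repository contains no viable successor". A name such as `DefaultKeyExpirationImminentAndNoViableSuccessor` would read correctly here; the rename would also touch the wrapper and the `_defaultKeyExpirationImminentAndRepository` field in LoggingExtensions.cs. The enclosing method starts and ends outside this hunk.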
@@ -127,10 +118,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement where !key.IsRevoked && CanCreateAuthenticatedEncryptor(key) select key).FirstOrDefault(); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerbose("Repository contains no viable default key. Caller should generate a key with immediate activation."); - } + _logger.RepositoryContainsNoViableDefaultKey(); callerShouldGenerateNewKey = true; return null; diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 0a29811bde..9e2ef2f280 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -111,7 +111,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsDebugLevelEnabled()) { - _logger.LogDebugF($"Performing protect operation to key {defaultKeyId:B} with purposes {JoinPurposesForLog(Purposes)}."); + _logger.PerformingProtectOperationToKeyWithPurposes(defaultKeyId, JoinPurposesForLog(Purposes)); } // We'll need to apply the default key id to the template if it hasn't already been applied. @@ -236,7 +236,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (_logger.IsDebugLevelEnabled()) { - _logger.LogDebugF($"Performing unprotect operation to key {keyIdFromPayload:B} with purposes {JoinPurposesForLog(Purposes)}."); + _logger.PerformingUnprotectOperationToKeyWithPurposes(keyIdFromPayload, JoinPurposesForLog(Purposes)); } // Find the correct encryptor in the keyring. 
@@ -245,10 +245,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out keyWasRevoked); if (requestedEncryptor == null) { - if (_logger.IsDebugLevelEnabled()) - { - _logger.LogDebugF($"Key {keyIdFromPayload:B} was not found in the key ring. Unprotect operation cannot proceed."); - } + _logger.KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(keyIdFromPayload); throw Error.Common_KeyNotFound(keyIdFromPayload); } @@ -264,18 +261,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (allowOperationsOnRevokedKeys) { - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Key {keyIdFromPayload:B} was revoked. Caller requested unprotect operation proceed regardless."); - } + _logger.KeyWasRevokedCallerRequestedUnprotectOperationProceedRegardless(keyIdFromPayload); status = UnprotectStatus.DecryptionKeyWasRevoked; } else { - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Key {keyIdFromPayload:B} was revoked. Unprotect operation cannot proceed."); - } + _logger.KeyWasRevokedUnprotectOperationCannotProceed(keyIdFromPayload); throw Error.Common_KeyRevoked(keyIdFromPayload); } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index c5cff61824..c41e45f380 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs 
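Review bot: Unprotecting with a revoked key because the caller set `allowOperationsOnRevokedKeys` is still reported only through `KeyWasRevokedCallerRequestedUnprotectOperationProceedRegardless`, which LoggingExtensions.cs defines as event id 7 at `LogLevel.Verbose`. Now that the events carry stable ids, this is one an operator would plausibly want to alert on, and Verbose output is commonly filtered out in production. Consider `logLevel: LogLevel.Warning` for event id 7, and at least Information for the refusal in the `else` branch (event id 8), or add a comment saying why the low level is intended. The enclosing method extends beyond this hunk.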
@@ -45,10 +45,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, defaultKeyPolicy.DefaultKey, allKeys); } - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerbose("Policy resolution states that a new key should be added to the key ring."); - } + _logger.PolicyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing(); // We shouldn't call CreateKey more than once, else we risk stack diving. This code path shouldn't // get hit unless there was an ineligible key with an activation date slightly later than the one we @@ -69,18 +66,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var keyToUse = defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey; if (keyToUse == null) { - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogError("The key ring does not contain a valid default key, and the key manager is configured with auto-generation of keys disabled."); - } + _logger.KeyRingDoesNotContainValidDefaultKey(); throw new InvalidOperationException(Resources.KeyRingProvider_NoDefaultKey_AutoGenerateDisabled); } else { - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarningF($"Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled. Using fallback key {keyToUse.KeyId:B} with expiration {keyToUse.ExpirationDate:u} as default key."); - } + _logger.UsingFallbackKeyWithExpirationAsDefaultKey(keyToUse.KeyId, keyToUse.ExpirationDate); return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys); } } 
@@ -109,10 +100,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Invariant: our caller ensures that CreateEncryptorInstance succeeded at least once Debug.Assert(defaultKey.CreateEncryptorInstance() != null); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Using key {defaultKey.KeyId:B} as the default key."); - } + _logger.UsingKeyAsDefaultKey(defaultKey.KeyId); DateTimeOffset nextAutoRefreshTime = now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod); @@ -165,9 +153,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement return existingCacheableKeyRing.KeyRing; } - if (existingCacheableKeyRing != null && _logger.IsVerboseLevelEnabled()) + if (existingCacheableKeyRing != null) { - _logger.LogVerbose("Existing cached key ring is expired. Refreshing."); + _logger.ExistingCachedKeyRingIsExpired(); } // It's up to us to refresh the cached keyring. @@ -180,16 +168,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } catch (Exception ex) { - if (_logger.IsErrorLevelEnabled()) + if (existingCacheableKeyRing != null) { - if (existingCacheableKeyRing != null) - { - _logger.LogError(ex, "An error occurred while refreshing the key ring. Will try again in 2 minutes."); - } - else - { - _logger.LogError(ex, "An error occurred while reading the key ring."); - } + _logger.ErrorOccurredWhileRefreshingKeyRing(ex); + } + else + { + _logger.ErrorOccurredWhileReadingKeyRing(ex); } // Failures that occur while refreshing the keyring are most likely transient, perhaps due to a diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index f913b7f6a4..a137fef2cb 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs 
@@ -175,10 +175,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement else { // Skip unknown elements. - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarningF($"Unknown element with name '{element.Name}' found in keyring, skipping."); - } + _logger.UnknownElementWithNameFoundInKeyringSkipping(element.Name); } } @@ -192,17 +189,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (key != null) { key.SetRevoked(); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Marked key {revokedKeyId:B} as revoked in the keyring."); - } + _logger.MarkedKeyAsRevokedInTheKeyring(revokedKeyId); } else { - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarningF($"Tried to process revocation of key {revokedKeyId:B}, but no such key was found in keyring. Skipping."); - } + _logger.TriedToProcessRevocationOfKeyButNoSuchKeyWasFound(revokedKeyId); } } } @@ -220,10 +211,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (key.CreationDate < mostRecentMassRevocationDate) { key.SetRevoked(); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Marked key {key.KeyId:B} as revoked in the keyring."); - } + _logger.MarkedKeyAsRevokedInTheKeyring(key.KeyId); } } } @@ -249,10 +237,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement DateTimeOffset activationDate = (DateTimeOffset)keyElement.Element(ActivationDateElementName); DateTimeOffset expirationDate = (DateTimeOffset)keyElement.Element(ExpirationDateElementName); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Found key {keyId:B}."); - } + _logger.FoundKey(keyId); return new DeferredKey( keyId: keyId, 
@@ -283,20 +268,14 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { // this is a mass revocation of all keys as of the specified revocation date DateTimeOffset massRevocationDate = (DateTimeOffset)revocationElement.Element(RevocationDateElementName); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Found revocation of all keys created prior to {massRevocationDate:u}."); - } + _logger.FoundRevocationOfAllKeysCreatedPriorTo(massRevocationDate); return massRevocationDate; } else { // only one key is being revoked Guid keyId = XmlConvert.ToGuid(keyIdAsString); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Found revocation of key {keyId:B}."); - } + _logger.FoundRevocationOfKey(keyId); return keyId; } } @@ -304,10 +283,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { // Any exceptions that occur are fatal - we don't want to continue if we cannot process // revocation information. - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogErrorF(ex, $"An exception occurred while processing the revocation element '{revocationElement}'. Cannot continue keyring processing."); - } + _logger.ExceptionWhileProcessingRevocationElement(revocationElement, ex); throw; } } @@ -321,10 +297,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // ... // - if (_logger.IsInformationLevelEnabled()) - { - _logger.LogInformationF($"Revoking all keys as of {revocationDate:u} for reason '{reason}'."); - } + _logger.RevokingAllKeysAsOfForReason(revocationDate, reason); var revocationElement = new XElement(RevocationElementName, new XAttribute(VersionAttributeName, 1), 
@@ -350,9 +323,9 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement private void TriggerAndResetCacheExpirationToken([CallerMemberName] string opName = null, bool suppressLogging = false) { - if (!suppressLogging && _logger.IsVerboseLevelEnabled()) + if (!suppressLogging) { - _logger.LogVerboseF($"Key cache expiration token triggered by '{opName}' operation."); + _logger.KeyCacheExpirationTokenTriggeredByOperation(opName); } Interlocked.Exchange(ref _cacheExpirationTokenSource, new CancellationTokenSource())?.Cancel(); @@ -365,17 +338,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // log and the raw element to the debug log. This works for our out-of-box XML decryptors since they don't // include sensitive information in the exception message. - if (_logger.IsErrorLevelEnabled()) - { - // write sanitized element - _logger.LogErrorF(error, $"An exception occurred while processing the key element '{keyElement.WithoutChildNodes()}'."); - } + // write sanitized element + _logger.ExceptionWhileProcessingKeyElement(keyElement.WithoutChildNodes(), error); + + // write full element + _logger.AnExceptionOccurredWhileProcessingElementDebug(keyElement, error); - if (_logger.IsDebugLevelEnabled()) - { - // write full element - _logger.LogDebugF(error, $"An exception occurred while processing the key element '{keyElement}'."); - } } IKey IInternalXmlKeyManager.CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate) 
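Review bot: In the `@@ -365,17 +338,12 @@` hunk the unsanitized `keyElement` is now passed to `AnExceptionOccurredWhileProcessingElementDebug` without the `IsDebugLevelEnabled()` guard. Keeping the full element out of ordinary logs therefore rests only on the level chosen in LoggingExtensions.cs (event id 25, `LogLevel.Debug`). The retained comment explains that the sanitized element goes to the error log and the raw one to the debug log; I would state that constraint at the call, e.g. `// full element may carry key material: this event must stay at Debug level`. The two wrapper names also do not pair up (`ExceptionWhileProcessingKeyElement` vs `AnExceptionOccurredWhileProcessingElementDebug`), and the hunk adds a stray blank line before the closing brace.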
@@ -389,19 +357,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // // - if (_logger.IsInformationLevelEnabled()) - { - _logger.LogInformationF($"Creating key {keyId:B} with creation date {creationDate:u}, activation date {activationDate:u}, and expiration date {expirationDate:u}."); - } + _logger.CreatingKey(keyId, creationDate, activationDate, expirationDate); var newDescriptor = _authenticatedEncryptorConfiguration.CreateNewDescriptor() ?? CryptoUtil.Fail("CreateNewDescriptor returned null."); var descriptorXmlInfo = newDescriptor.ExportToXml(); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Descriptor deserializer type for key {keyId:B} is '{descriptorXmlInfo.DeserializerType.AssemblyQualifiedName}'."); - } + _logger.DescriptorDeserializerTypeForKeyIs(keyId, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName); // build the element var keyElement = new XElement(KeyElementName, 
@@ -415,23 +377,20 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement descriptorXmlInfo.SerializedDescriptorElement)); // If key escrow policy is in effect, write the *unencrypted* key now. - if (_logger.IsVerboseLevelEnabled()) + if (_keyEscrowSink != null) { - if (_keyEscrowSink != null) - { - _logger.LogVerboseF($"Key escrow sink found. Writing key {keyId:B} to escrow."); - } - else - { - _logger.LogVerboseF($"No key escrow sink found. Not writing key {keyId:B} to escrow."); - } + _logger.KeyEscrowSinkFoundWritingKeyToEscrow(keyId); + } + else + { + _logger.NoKeyEscrowSinkFoundNotWritingKeyToEscrow(keyId); } _keyEscrowSink?.Store(keyId, keyElement); // If an XML encryptor has been configured, protect secret key material now. - if (KeyEncryptor == null && _logger.IsWarningLevelEnabled()) + if (KeyEncryptor == null) { - _logger.LogWarningF($"No XML encryptor configured. Key {keyId:B} may be persisted to storage in unencrypted form."); + _logger.NoXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm(keyId); } var possiblyEncryptedKeyElement = KeyEncryptor?.EncryptIfNecessary(keyElement) ?? keyElement; @@ -479,10 +438,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // ... // - if (_logger.IsInformationLevelEnabled()) - { - _logger.LogInformationF($"Revoking key {keyId:B} at {revocationDate:u} for reason '{reason}'."); - } + _logger.RevokingKeyForReason(keyId, revocationDate, reason); var revocationElement = new XElement(RevocationElementName, new XAttribute(VersionAttributeName, 1), diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs index 2c8a7dd366..509f1568bb 100644 --- a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs 
@@ -3,16 +3,368 @@ using System; using System.Runtime.CompilerServices; -using Microsoft.Extensions.Logging.Internal; +using System.Xml.Linq; +using Microsoft.Win32; namespace Microsoft.Extensions.Logging { /// /// Helpful extension methods on . - /// Methods ending in *F take as a parameter. /// internal static class LoggingExtensions { + private static Action _usingFallbackKeyWithExpirationAsDefaultKey; + + private static Action _usingKeyAsDefaultKey; + + private static Action _openingCNGAlgorithmFromProviderWithHMAC; + + private static Action _openingCNGAlgorithmFromProviderWithChainingModeCBC; + + private static Action _performingUnprotectOperationToKeyWithPurposes; + + private static Action _keyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed; + + private static Action _keyWasRevokedCallerRequestedUnprotectOperationProceedRegardless; + + private static Action _keyWasRevokedUnprotectOperationCannotProceed; + + private static Action _openingCNGAlgorithmFromProviderWithChainingModeGCM; + + private static Action _usingManagedKeyedHashAlgorithm; + + private static Action _usingManagedSymmetricAlgorithm; + + private static Action _keyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed; + + private static Action _consideringKeyWithExpirationDateAsDefaultKey; + + private static Action _keyIsNoLongerUnderConsiderationAsDefault; + + private static Action _unknownElementWithNameFoundInKeyringSkipping; + + private static Action _markedKeyAsRevokedInTheKeyring; + + private static Action _triedToProcessRevocationOfKeyButNoSuchKeyWasFound; + + private static Action _foundKey; + + private static Action _foundRevocationOfAllKeysCreatedPriorTo; + + private static Action _foundRevocationOfKey; + + private static Action _exceptionWhileProcessingRevocationElement; + + private static Action _revokingAllKeysAsOfForReason; + + private static Action _keyCacheExpirationTokenTriggeredByOperation; + + private static Action _anExceptionOccurredWhileProcessingTheKeyElement; + + 
private static Action _anExceptionOccurredWhileProcessingTheKeyElementDebug; + + private static Action _encryptingToWindowsDPAPIForCurrentUserAccount; + + private static Action _encryptingToWindowsDPAPINGUsingProtectionDescriptorRule; + + private static Action _anErrorOccurredWhileEncryptingToX509CertificateWithThumbprint; + + private static Action _encryptingToX509CertificateWithThumbprint; + + private static Action _exceptionOccurredWhileTryingToResolveCertificateWithThumbprint; + + private static Action _performingProtectOperationToKeyWithPurposes; + + private static Action _creatingKey; + + private static Action _descriptorDeserializerTypeForKeyIs; + + private static Action _keyEscrowSinkFoundWritingKeyToEscrow; + + private static Action _noKeyEscrowSinkFoundNotWritingKeyToEscrow; + + private static Action _noXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm; + + private static Action _revokingKeyForReason; + + private static Action _readingDataFromFile; + + private static Action _nameIsNotSafeFileName; + + private static Action _writingDataToFile; + + private static Action _readingDataFromRegistryKeyValue; + + private static Action _nameIsNotSafeRegistryValueName; + + private static Action _decryptingSecretElementUsingWindowsDPAPING; + + private static Action _exceptionOccurredTryingToDecryptElement; + + private static Action _encryptingUsingNullEncryptor; + + private static Action _usingEphemeralDataProtectionProvider; + + private static Action _existingCachedKeyRingIsExpiredRefreshing; + + private static Action _errorOccurredWhileRefreshingKeyRing; + + private static Action _errorOccurredWhileReadingKeyRing; + + private static Action _keyRingDoesNotContainValidDefaultKey; + + private static Action _usingInmemoryRepository; + + private static Action _decryptingSecretElementUsingWindowsDPAPI; + + private static Action _defaultKeyExpirationImminentAndRepository; + + private static Action _repositoryContainsNoViableDefaultKey; + + private static 
Action _errorOccurredWhileEncryptingToWindowsDPAPI; + + private static Action _encryptingToWindowsDPAPIForLocalMachineAccount; + + private static Action _errorOccurredWhileEncryptingToWindowsDPAPING; + + private static Action _policyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing; + + static LoggingExtensions() + { + _usingFallbackKeyWithExpirationAsDefaultKey = LoggerMessage.Define( + eventId: 1, + logLevel: LogLevel.Warning, + formatString: "Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled. Using fallback key {KeyId:B} with expiration {ExpirationDate:u} as default key."); + _usingKeyAsDefaultKey = LoggerMessage.Define( + eventId: 2, + logLevel: LogLevel.Verbose, + formatString: "Using key {KeyId:B} as the default key."); + _openingCNGAlgorithmFromProviderWithHMAC = LoggerMessage.Define( + eventId: 3, + logLevel: LogLevel.Verbose, + formatString: "Opening CNG algorithm '{HashAlgorithm}' from provider '{HashAlgorithmProvider}' with HMAC."); + _openingCNGAlgorithmFromProviderWithChainingModeCBC = LoggerMessage.Define( + eventId: 4, + logLevel: LogLevel.Verbose, + formatString: "Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode CBC."); + _performingUnprotectOperationToKeyWithPurposes = LoggerMessage.Define( + eventId: 5, + logLevel: LogLevel.Debug, + formatString: "Performing unprotect operation to key {KeyId:B} with purposes {Purposes}."); + _keyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed = LoggerMessage.Define( + eventId: 6, + logLevel: LogLevel.Debug, + formatString: "Key {KeyId:B} was not found in the key ring. Unprotect operation cannot proceed."); + _keyWasRevokedCallerRequestedUnprotectOperationProceedRegardless = LoggerMessage.Define( + eventId: 7, + logLevel: LogLevel.Verbose, + formatString: "Key {KeyId:B} was revoked. 
Caller requested unprotect operation proceed regardless."); + _keyWasRevokedUnprotectOperationCannotProceed = LoggerMessage.Define( + eventId: 8, + logLevel: LogLevel.Verbose, + formatString: "Key {KeyId:B} was revoked. Unprotect operation cannot proceed."); + _openingCNGAlgorithmFromProviderWithChainingModeGCM = LoggerMessage.Define( + eventId: 9, + logLevel: LogLevel.Verbose, + formatString: "Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode GCM."); + _usingManagedKeyedHashAlgorithm = LoggerMessage.Define( + eventId: 10, + logLevel: LogLevel.Verbose, + formatString: "Using managed keyed hash algorithm '{FullName}'."); + _usingManagedSymmetricAlgorithm = LoggerMessage.Define( + eventId: 11, + logLevel: LogLevel.Verbose, + formatString: "Using managed symmetric algorithm '{FullName}'."); + _keyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed = LoggerMessage.Define( + eventId: 12, + logLevel: LogLevel.Warning, + formatString: "Key {KeyId:B} is ineligible to be the default key because its {MethodName} method failed."); + _consideringKeyWithExpirationDateAsDefaultKey = LoggerMessage.Define( + eventId: 13, + logLevel: LogLevel.Verbose, + formatString: "Considering key {KeyId:B} with expiration date {ExpirationDate:u} as default key."); + _keyIsNoLongerUnderConsiderationAsDefault = LoggerMessage.Define( + eventId: 14, + logLevel: LogLevel.Verbose, + formatString: "Key {KeyId:B} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered."); + _unknownElementWithNameFoundInKeyringSkipping = LoggerMessage.Define( + eventId: 15, + logLevel: LogLevel.Warning, + formatString: "Unknown element with name '{Name}' found in keyring, skipping."); + _markedKeyAsRevokedInTheKeyring = LoggerMessage.Define( + eventId: 16, + logLevel: LogLevel.Verbose, + formatString: "Marked key {KeyId:B} as revoked in the keyring."); + _triedToProcessRevocationOfKeyButNoSuchKeyWasFound = 
LoggerMessage.Define( + eventId: 17, + logLevel: LogLevel.Warning, + formatString: "Tried to process revocation of key {KeyId:B}, but no such key was found in keyring. Skipping."); + _foundKey = LoggerMessage.Define( + eventId: 18, + logLevel: LogLevel.Verbose, + formatString: "Found key {KeyId:B}."); + _foundRevocationOfAllKeysCreatedPriorTo = LoggerMessage.Define( + eventId: 19, + logLevel: LogLevel.Verbose, + formatString: "Found revocation of all keys created prior to {RevocationDate:u}."); + _foundRevocationOfKey = LoggerMessage.Define( + eventId: 20, + logLevel: LogLevel.Verbose, + formatString: "Found revocation of key {KeyId:B}."); + _exceptionWhileProcessingRevocationElement = LoggerMessage.Define( + eventId: 21, + logLevel: LogLevel.Error, + formatString: "An exception occurred while processing the revocation element '{RevocationElement}'. Cannot continue keyring processing."); + _revokingAllKeysAsOfForReason = LoggerMessage.Define( + eventId: 22, + logLevel: LogLevel.Information, + formatString: "Revoking all keys as of {RevocationDate:u} for reason '{Reason}'."); + _keyCacheExpirationTokenTriggeredByOperation = LoggerMessage.Define( + eventId: 23, + logLevel: LogLevel.Verbose, + formatString: "Key cache expiration token triggered by '{OperationName}' operation."); + _anExceptionOccurredWhileProcessingTheKeyElement = LoggerMessage.Define( + eventId: 24, + logLevel: LogLevel.Error, + formatString: "An exception occurred while processing the key element '{Element}'."); + _anExceptionOccurredWhileProcessingTheKeyElementDebug = LoggerMessage.Define( + eventId: 25, + logLevel: LogLevel.Debug, + formatString: "An exception occurred while processing the key element '{Element}'."); + _encryptingToWindowsDPAPIForCurrentUserAccount = LoggerMessage.Define( + eventId: 26, + logLevel: LogLevel.Verbose, + formatString: "Encrypting to Windows DPAPI for current user account ({Name})."); + _encryptingToWindowsDPAPINGUsingProtectionDescriptorRule = LoggerMessage.Define( + 
eventId: 27, + logLevel: LogLevel.Verbose, + formatString: "Encrypting to Windows DPAPI-NG using protection descriptor rule '{DescriptorRule}'."); + _anErrorOccurredWhileEncryptingToX509CertificateWithThumbprint = LoggerMessage.Define( + eventId: 28, + logLevel: LogLevel.Error, + formatString: "An error occurred while encrypting to X.509 certificate with thumbprint '{Thumbprint}'."); + _encryptingToX509CertificateWithThumbprint = LoggerMessage.Define( + eventId: 29, + logLevel: LogLevel.Verbose, + formatString: "Encrypting to X.509 certificate with thumbprint '{Thumbprint}'."); + _exceptionOccurredWhileTryingToResolveCertificateWithThumbprint = LoggerMessage.Define( + eventId: 30, + logLevel: LogLevel.Error, + formatString: "An exception occurred while trying to resolve certificate with thumbprint '{Thumbprint}'."); + _performingProtectOperationToKeyWithPurposes = LoggerMessage.Define( + eventId: 31, + logLevel: LogLevel.Debug, + formatString: "Performing protect operation to key {KeyId:B} with purposes {Purposes}."); + _descriptorDeserializerTypeForKeyIs = LoggerMessage.Define( + eventId: 32, + logLevel: LogLevel.Verbose, + formatString: "Descriptor deserializer type for key {KeyId:B} is '{AssemblyQualifiedName}'."); + _keyEscrowSinkFoundWritingKeyToEscrow = LoggerMessage.Define( + eventId: 33, + logLevel: LogLevel.Verbose, + formatString: "Key escrow sink found. Writing key {KeyId:B} to escrow."); + _noKeyEscrowSinkFoundNotWritingKeyToEscrow = LoggerMessage.Define( + eventId: 34, + logLevel: LogLevel.Verbose, + formatString: "No key escrow sink found. Not writing key {KeyId:B} to escrow."); + _noXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm = LoggerMessage.Define( + eventId: 35, + logLevel: LogLevel.Warning, + formatString: "No XML encryptor configured. 
Key {KeyId:B} may be persisted to storage in unencrypted form."); + _revokingKeyForReason = LoggerMessage.Define( + eventId: 36, + logLevel: LogLevel.Information, + formatString: "Revoking key {KeyId:B} at {RevocationDate:u} for reason '{Reason}'."); + _readingDataFromFile = LoggerMessage.Define( + eventId: 37, + logLevel: LogLevel.Verbose, + formatString: "Reading data from file '{FullPath}'."); + _nameIsNotSafeFileName = LoggerMessage.Define( + eventId: 38, + logLevel: LogLevel.Verbose, + formatString: "The name '{FriendlyName}' is not a safe file name, using '{NewFriendlyName}' instead."); + _writingDataToFile = LoggerMessage.Define( + eventId: 39, + logLevel: LogLevel.Information, + formatString: "Writing data to file '{FileName}'."); + _readingDataFromRegistryKeyValue = LoggerMessage.Define( + eventId: 40, + logLevel: LogLevel.Verbose, + formatString: "Reading data from registry key '{RegistryKeyName}', value '{Value}'."); + _nameIsNotSafeRegistryValueName = LoggerMessage.Define( + eventId: 41, + logLevel: LogLevel.Verbose, + formatString: "The name '{FriendlyName}' is not a safe registry value name, using '{NewFriendlyName}' instead."); + _decryptingSecretElementUsingWindowsDPAPING = LoggerMessage.Define( + eventId: 42, + logLevel: LogLevel.Verbose, + formatString: "Decrypting secret element using Windows DPAPI-NG with protection descriptor rule '{DescriptorRule}'."); + _exceptionOccurredTryingToDecryptElement = LoggerMessage.Define( + eventId: 43, + logLevel: LogLevel.Error, + formatString: "An exception occurred while trying to decrypt the element."); + _encryptingUsingNullEncryptor = LoggerMessage.Define( + eventId: 44, + logLevel: LogLevel.Warning, + formatString: "Encrypting using a null encryptor; secret information isn't being protected."); + _usingEphemeralDataProtectionProvider = LoggerMessage.Define( + eventId: 45, + logLevel: LogLevel.Warning, + formatString: "Using ephemeral data protection provider. 
Payloads will be undecipherable upon application shutdown."); + _existingCachedKeyRingIsExpiredRefreshing = LoggerMessage.Define( + eventId: 46, + logLevel: LogLevel.Verbose, + formatString: "Existing cached key ring is expired. Refreshing."); + _errorOccurredWhileRefreshingKeyRing = LoggerMessage.Define( + eventId: 47, + logLevel: LogLevel.Error, + formatString: "An error occurred while refreshing the key ring. Will try again in 2 minutes."); + _errorOccurredWhileReadingKeyRing = LoggerMessage.Define( + eventId: 48, + logLevel: LogLevel.Error, + formatString: "An error occurred while reading the key ring."); + _keyRingDoesNotContainValidDefaultKey = LoggerMessage.Define( + eventId: 49, + logLevel: LogLevel.Error, + formatString: "The key ring does not contain a valid default key, and the key manager is configured with auto-generation of keys disabled."); + _usingInmemoryRepository = LoggerMessage.Define( + eventId: 50, + logLevel: LogLevel.Warning, + formatString: "Using an in-memory repository. Keys will not be persisted to storage."); + _decryptingSecretElementUsingWindowsDPAPI = LoggerMessage.Define( + eventId: 51, + logLevel: LogLevel.Verbose, + formatString: "Decrypting secret element using Windows DPAPI."); + _defaultKeyExpirationImminentAndRepository = LoggerMessage.Define( + eventId: 52, + logLevel: LogLevel.Verbose, + formatString: "Default key expiration imminent and repository contains no viable successor. Caller should generate a successor."); + _repositoryContainsNoViableDefaultKey = LoggerMessage.Define( + eventId: 53, + logLevel: LogLevel.Verbose, + formatString: "Repository contains no viable default key. 
Caller should generate a key with immediate activation."); + _errorOccurredWhileEncryptingToWindowsDPAPI = LoggerMessage.Define( + eventId: 54, + logLevel: LogLevel.Error, + formatString: "An error occurred while encrypting to Windows DPAPI."); + _encryptingToWindowsDPAPIForLocalMachineAccount = LoggerMessage.Define( + eventId: 55, + logLevel: LogLevel.Verbose, + formatString: "Encrypting to Windows DPAPI for local machine account."); + _errorOccurredWhileEncryptingToWindowsDPAPING = LoggerMessage.Define( + eventId: 56, + logLevel: LogLevel.Error, + formatString: "An error occurred while encrypting to Windows DPAPI-NG."); + _policyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing = LoggerMessage.Define( + eventId: 57, + logLevel: LogLevel.Verbose, + formatString: "Policy resolution states that a new key should be added to the key ring."); + _creatingKey = LoggerMessage.Define( + eventId: 58, + logLevel: LogLevel.Information, + formatString: "Creating key {KeyId:B} with creation date {CreationDate:u}, activation date {ActivationDate:u}, and expiration date {ExpirationDate:u}."); + } + /// /// Returns a value stating whether the 'debug' log level is enabled. /// Returns false if the logger instance is null. 
@@ -69,44 +421,294 @@ namespace Microsoft.Extensions.Logging return (logger != null && logger.IsEnabled(level)); } - public static void LogDebugF(this ILogger logger, FormattableString message) + public static void UsingFallbackKeyWithExpirationAsDefaultKey(this ILogger logger, Guid keyId, DateTimeOffset expirationDate) { - logger.LogDebug(message.Format, message.GetArguments()); + _usingFallbackKeyWithExpirationAsDefaultKey(logger, keyId, expirationDate, null); } - public static void LogDebugF(this ILogger logger, Exception error, FormattableString message) + public static void UsingKeyAsDefaultKey(this ILogger logger, Guid keyId) { - logger.LogDebug(new FormattedLogValues(message.Format, message.GetArguments()), error); + _usingKeyAsDefaultKey(logger, keyId, null); } - public static void LogError(this ILogger logger, Exception error, string message) + public static void OpeningCNGAlgorithmFromProviderWithHMAC(this ILogger logger, string hashAlgorithm, string hashAlgorithmProvider) { - logger.LogError(message, error); + _openingCNGAlgorithmFromProviderWithHMAC(logger, hashAlgorithm, hashAlgorithmProvider, null); } - public static void LogErrorF(this ILogger logger, Exception error, FormattableString message) + public static void OpeningCNGAlgorithmFromProviderWithChainingModeCBC(this ILogger logger, string encryptionAlgorithm, string encryptionAlgorithmProvider) { - logger.LogError(new FormattedLogValues(message.Format, message.GetArguments()), error); + _openingCNGAlgorithmFromProviderWithChainingModeCBC(logger, encryptionAlgorithm, encryptionAlgorithmProvider, null); } - public static void LogInformationF(this ILogger logger, FormattableString message) + public static void PerformingUnprotectOperationToKeyWithPurposes(this ILogger logger, Guid keyIdFromPayload, string p0) { - logger.LogInformation(message.Format, message.GetArguments()); + _performingUnprotectOperationToKeyWithPurposes(logger, keyIdFromPayload, p0, null); } - public static void LogVerboseF(this 
ILogger logger, FormattableString message) + public static void KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(this ILogger logger, Guid keyIdFromPayload) { - logger.LogVerbose(message.Format, message.GetArguments()); + _keyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(logger, keyIdFromPayload, null); } - public static void LogWarningF(this ILogger logger, FormattableString message) + public static void KeyWasRevokedCallerRequestedUnprotectOperationProceedRegardless(this ILogger logger, Guid keyIdFromPayload) { - logger.LogWarning(message.Format, message.GetArguments()); + _keyWasRevokedCallerRequestedUnprotectOperationProceedRegardless(logger, keyIdFromPayload, null); } - public static void LogWarningF(this ILogger logger, Exception error, FormattableString message) + public static void KeyWasRevokedUnprotectOperationCannotProceed(this ILogger logger, Guid keyIdFromPayload) { - logger.LogWarning(new FormattedLogValues(message.Format, message.GetArguments()), error); + _keyWasRevokedUnprotectOperationCannotProceed(logger, keyIdFromPayload, null); + } + + public static void OpeningCNGAlgorithmFromProviderWithChainingModeGCM(this ILogger logger, string encryptionAlgorithm, string encryptionAlgorithmProvider) + { + _openingCNGAlgorithmFromProviderWithChainingModeGCM(logger, encryptionAlgorithm, encryptionAlgorithmProvider, null); + } + + public static void UsingManagedKeyedHashAlgorithm(this ILogger logger, string fullName) + { + _usingManagedKeyedHashAlgorithm(logger, fullName, null); + } + + public static void UsingManagedSymmetricAlgorithm(this ILogger logger, string fullName) + { + _usingManagedSymmetricAlgorithm(logger, fullName, null); + } + + public static void KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(this ILogger logger, Guid keyId, string p0, Exception exception) + { + _keyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(logger, keyId, p0, exception); + } + + public static void 
ConsideringKeyWithExpirationDateAsDefaultKey(this ILogger logger, Guid keyId, DateTimeOffset expirationDate) + { + _consideringKeyWithExpirationDateAsDefaultKey(logger, keyId, expirationDate, null); + } + + public static void KeyIsNoLongerUnderConsiderationAsDefault(this ILogger logger, Guid keyId) + { + _keyIsNoLongerUnderConsiderationAsDefault(logger, keyId, null); + } + + public static void UnknownElementWithNameFoundInKeyringSkipping(this ILogger logger, XName name) + { + _unknownElementWithNameFoundInKeyringSkipping(logger, name, null); + } + + public static void MarkedKeyAsRevokedInTheKeyring(this ILogger logger, Guid revokedKeyId) + { + _markedKeyAsRevokedInTheKeyring(logger, revokedKeyId, null); + } + + public static void TriedToProcessRevocationOfKeyButNoSuchKeyWasFound(this ILogger logger, Guid revokedKeyId) + { + _triedToProcessRevocationOfKeyButNoSuchKeyWasFound(logger, revokedKeyId, null); + } + + public static void FoundKey(this ILogger logger, Guid keyId) + { + _foundKey(logger, keyId, null); + } + + public static void FoundRevocationOfAllKeysCreatedPriorTo(this ILogger logger, DateTimeOffset massRevocationDate) + { + _foundRevocationOfAllKeysCreatedPriorTo(logger, massRevocationDate, null); + } + + public static void FoundRevocationOfKey(this ILogger logger, Guid keyId) + { + _foundRevocationOfKey(logger, keyId, null); + } + + public static void ExceptionWhileProcessingRevocationElement(this ILogger logger, XElement revocationElement, Exception exception) + { + _exceptionWhileProcessingRevocationElement(logger, revocationElement, exception); + } + + public static void RevokingAllKeysAsOfForReason(this ILogger logger, DateTimeOffset revocationDate, string reason) + { + _revokingAllKeysAsOfForReason(logger, revocationDate, reason, null); + } + + public static void KeyCacheExpirationTokenTriggeredByOperation(this ILogger logger, string opName) + { + _keyCacheExpirationTokenTriggeredByOperation(logger, opName, null); + } + + public static void 
ExceptionWhileProcessingKeyElement(this ILogger logger, XElement keyElement, Exception exception) + { + _anExceptionOccurredWhileProcessingTheKeyElement(logger, keyElement, exception); + } + + public static void AnExceptionOccurredWhileProcessingElementDebug(this ILogger logger, XElement keyElement, Exception exception) + { + _anExceptionOccurredWhileProcessingTheKeyElementDebug(logger, keyElement, exception); + } + + public static void EncryptingToWindowsDPAPIForCurrentUserAccount(this ILogger logger, string name) + { + _encryptingToWindowsDPAPIForCurrentUserAccount(logger, name, null); + } + + public static void AnErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(this ILogger logger, string thumbprint, Exception exception) + { + _anErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(logger, thumbprint, exception); + } + + public static void EncryptingToX509CertificateWithThumbprint(this ILogger logger, string thumbprint) + { + _encryptingToX509CertificateWithThumbprint(logger, thumbprint, null); + } + + public static void ExceptionWhileTryingToResolveCertificateWithThumbprint(this ILogger logger, string thumbprint, Exception exception) + { + _exceptionOccurredWhileTryingToResolveCertificateWithThumbprint(logger, thumbprint, exception); + } + + public static void PerformingProtectOperationToKeyWithPurposes(this ILogger logger, Guid defaultKeyId, string p0) + { + _performingProtectOperationToKeyWithPurposes(logger, defaultKeyId, p0, null); + } + + public static void DescriptorDeserializerTypeForKeyIs(this ILogger logger, Guid keyId, string assemblyQualifiedName) + { + _descriptorDeserializerTypeForKeyIs(logger, keyId, assemblyQualifiedName, null); + } + + public static void KeyEscrowSinkFoundWritingKeyToEscrow(this ILogger logger, Guid keyId) + { + _keyEscrowSinkFoundWritingKeyToEscrow(logger, keyId, null); + } + + public static void NoKeyEscrowSinkFoundNotWritingKeyToEscrow(this ILogger logger, Guid keyId) + { + 
_noKeyEscrowSinkFoundNotWritingKeyToEscrow(logger, keyId, null); + } + + public static void NoXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm(this ILogger logger, Guid keyId) + { + _noXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm(logger, keyId, null); + } + + public static void RevokingKeyForReason(this ILogger logger, Guid keyId, DateTimeOffset revocationDate, string reason) + { + _revokingKeyForReason(logger, keyId, revocationDate, reason, null); + } + + public static void ReadingDataFromFile(this ILogger logger, string fullPath) + { + _readingDataFromFile(logger, fullPath, null); + } + + public static void NameIsNotSafeFileName(this ILogger logger, string friendlyName, string newFriendlyName) + { + _nameIsNotSafeFileName(logger, friendlyName, newFriendlyName, null); + } + + public static void WritingDataToFile(this ILogger logger, string finalFilename) + { + _writingDataToFile(logger, finalFilename, null); + } + + public static void ReadingDataFromRegistryKeyValue(this ILogger logger, RegistryKey regKey, string valueName) + { + _readingDataFromRegistryKeyValue(logger, regKey, valueName, null); + } + + public static void NameIsNotSafeRegistryValueName(this ILogger logger, string friendlyName, string newFriendlyName) + { + _nameIsNotSafeRegistryValueName(logger, friendlyName, newFriendlyName, null); + } + + public static void DecryptingSecretElementUsingWindowsDPAPING(this ILogger logger, string protectionDescriptorRule) + { + _decryptingSecretElementUsingWindowsDPAPING(logger, protectionDescriptorRule, null); + } + + public static void EncryptingToWindowsDPAPINGUsingProtectionDescriptorRule(this ILogger logger, string protectionDescriptorRuleString) + { + _encryptingToWindowsDPAPINGUsingProtectionDescriptorRule(logger, protectionDescriptorRuleString, null); + } + + public static void ExceptionOccurredTryingToDecryptElement(this ILogger logger, Exception exception) + { + _exceptionOccurredTryingToDecryptElement(logger, 
exception); + } + + public static void EncryptingUsingNullEncryptor(this ILogger logger) + { + _encryptingUsingNullEncryptor(logger, null); + } + + public static void UsingEphemeralDataProtectionProvider(this ILogger logger) + { + _usingEphemeralDataProtectionProvider(logger, null); + } + + public static void ExistingCachedKeyRingIsExpired(this ILogger logger) + { + _existingCachedKeyRingIsExpiredRefreshing(logger, null); + } + + public static void ErrorOccurredWhileRefreshingKeyRing(this ILogger logger, Exception exception) + { + _errorOccurredWhileRefreshingKeyRing(logger, exception); + } + + public static void ErrorOccurredWhileReadingKeyRing(this ILogger logger, Exception exception) + { + _errorOccurredWhileReadingKeyRing(logger, exception); + } + + public static void KeyRingDoesNotContainValidDefaultKey(this ILogger logger) + { + _keyRingDoesNotContainValidDefaultKey(logger, null); + } + + public static void UsingInmemoryRepository(this ILogger logger) + { + _usingInmemoryRepository(logger, null); + } + + public static void DecryptingSecretElementUsingWindowsDPAPI(this ILogger logger) + { + _decryptingSecretElementUsingWindowsDPAPI(logger, null); + } + + public static void DefaultKeyExpirationImminentAndRepository(this ILogger logger) + { + _defaultKeyExpirationImminentAndRepository(logger, null); + } + + public static void RepositoryContainsNoViableDefaultKey(this ILogger logger) + { + _repositoryContainsNoViableDefaultKey(logger, null); + } + + public static void ErrorOccurredWhileEncryptingToWindowsDPAPI(this ILogger logger, Exception exception) + { + _errorOccurredWhileEncryptingToWindowsDPAPI(logger, exception); + } + + public static void EncryptingToWindowsDPAPIForLocalMachineAccount(this ILogger logger) + { + _encryptingToWindowsDPAPIForLocalMachineAccount(logger, null); + } + + public static void ErrorOccurredWhileEncryptingToWindowsDPAPING(this ILogger logger, Exception exception) + { + _errorOccurredWhileEncryptingToWindowsDPAPING(logger, exception); 
+ } + + public static void PolicyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing(this ILogger logger) + { + _policyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing(logger, null); + } + + public static void CreatingKey(this ILogger logger, Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate) + { + _creatingKey(logger, keyId, creationDate, activationDate, expirationDate, null); } } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs index d1baa63b9b..1852bafaa3 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs @@ -20,10 +20,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories public EphemeralXmlRepository(IServiceProvider services) { var logger = services?.GetLogger(); - if (logger.IsWarningLevelEnabled()) - { - logger.LogWarning("Using an in-memory repository. Keys will not be persisted to storage."); - } + logger.UsingInmemoryRepository(); } public virtual IReadOnlyCollection GetAllElements() diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index 3cc94174a6..84e46b24b5 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -185,10 +185,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private XElement ReadElementFromFile(string fullPath) { - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Reading data from file '{fullPath}'."); - } + _logger.ReadingDataFromFile(fullPath); using (var fileStream = File.OpenRead(fullPath)) { 
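Review bot: The wrappers added in the LoggingExtensions hunk hand `logger` straight to the `LoggerMessage.Define` delegates, so a null logger is no longer tolerated; the level helper kept as context at the top of the hunk, `return (logger != null && logger.IsEnabled(level));`, was what made the removed call sites null-safe. `EphemeralXmlRepository` obtains its logger with `services?.GetLogger()`, which is null whenever `services` is null, and now calls `logger.UsingInmemoryRepository()` unconditionally. The `_logger` call sites in the FileSystemXmlRepository, RegistryXmlRepository, CertificateXmlEncryptor, DpapiNGXml*, DpapiXml* and NullXmlEncryptor hunks lost the same guard. Assuming the generated delegates dereference the logger, I would put the check back once inside each wrapper, e.g. `if (logger != null) { _usingInmemoryRepository(logger, null); }`, instead of depending on every caller.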
@@ -206,10 +203,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories if (!IsSafeFilename(friendlyName)) { string newFriendlyName = Guid.NewGuid().ToString(); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"The name '{friendlyName}' is not a safe file name, using '{newFriendlyName}' instead."); - } + _logger.NameIsNotSafeFileName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } @@ -235,10 +229,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories // Once the file has been fully written, perform the rename. // Renames are atomic operations on the file systems we support. - if (_logger.IsInformationLevelEnabled()) - { - _logger.LogInformationF($"Writing data to file '{finalFilename}'."); - } + _logger.WritingDataToFile(finalFilename); File.Move(tempFilename, finalFilename); } finally diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index b880a12a80..baed19aa53 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -140,10 +140,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private XElement ReadElementFromRegKey(RegistryKey regKey, string valueName) { - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Reading data from registry key '{regKey}', value '{valueName}'."); - } + _logger.ReadingDataFromRegistryKeyValue(regKey, valueName); string data = regKey.GetValue(valueName) as string; return (!String.IsNullOrEmpty(data)) ? XElement.Parse(data) : null; 
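Review bot: In the RegistryXmlRepository hunk, `_logger.ReadingDataFromRegistryKeyValue(regKey, valueName)` passes the live `RegistryKey` object into the logging pipeline, whereas the removed line turned it into text on the spot. The message template names the placeholder `{RegistryKeyName}`, so a string is what the message wants; a provider that keeps the state values and formats them later would hold a handle-backed object whose lifetime the repository controls (the delegate's type arguments are not visible here, so this is inferred from the wrapper signature). I would pass the name instead, `_logger.ReadingDataFromRegistryKeyValue(regKey.Name, valueName);`, and declare the wrapper parameter as `string registryKeyName`. `ReadElementFromRegKey` closes outside this hunk.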
@@ -159,10 +156,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories if (!IsSafeRegistryValueName(friendlyName)) { string newFriendlyName = Guid.NewGuid().ToString(); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"The name '{friendlyName}' is not a safe registry value name, using '{newFriendlyName}' instead."); - } + _logger.NameIsNotSafeRegistryValueName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 5cdfc505b3..a2e7004095 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -149,10 +149,8 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogErrorF(ex, $"An exception occurred while trying to resolve certificate with thumbprint '{thumbprint}'."); - } + _logger.ExceptionWhileTryingToResolveCertificateWithThumbprint(thumbprint, ex); + throw; } }; @@ -163,10 +161,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption var cert = _certFactory() ?? CryptoUtil.Fail("Cert factory returned null."); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Encrypting to X.509 certificate with thumbprint '{cert.Thumbprint}'."); - } + _logger.EncryptingToX509CertificateWithThumbprint(cert.Thumbprint); try { @@ -174,10 +169,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogErrorF(ex, $"An error occurred while encrypting to X.509 certificate with thumbprint '{cert.Thumbprint}'."); - } + _logger.AnErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(cert.Thumbprint, ex); throw; } } 
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index d451373e42..c71b0dd220 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -72,7 +72,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption // swallow all errors - it's just a log protectionDescriptorRule = null; } - _logger.LogVerboseF($"Decrypting secret element using Windows DPAPI-NG with protection descriptor rule '{protectionDescriptorRule}'."); + _logger.DecryptingSecretElementUsingWindowsDPAPING(protectionDescriptorRule); } using (Secret secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(protectedSecret)) @@ -84,10 +84,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { // It's OK for us to log the error, as we control the exception, and it doesn't contain // sensitive information. - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogError(ex, "An exception occurred while trying to decrypt the element."); - } + _logger.ExceptionOccurredTryingToDecryptElement(ex); throw; } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index e2c6ee8e11..6c2b718226 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs 
@@ -73,10 +73,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } string protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerboseF($"Encrypting to Windows DPAPI-NG using protection descriptor rule '{protectionDescriptorRuleString}'."); - } + _logger.EncryptingToWindowsDPAPINGUsingProtectionDescriptorRule(protectionDescriptorRuleString); // Convert the XML element to a binary secret so that it can be run through DPAPI byte[] cngDpapiEncryptedData; @@ -89,10 +86,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogError(ex, "An error occurred while encrypting to Windows DPAPI-NG."); - } + _logger.ErrorOccurredWhileEncryptingToWindowsDPAPING(ex); throw; } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index ad59ab8260..fcdf952d11 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -48,10 +48,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption throw new ArgumentNullException(nameof(encryptedElement)); } - if (_logger.IsVerboseLevelEnabled()) - { - _logger.LogVerbose("Decrypting secret element using Windows DPAPI."); - } + _logger.DecryptingSecretElementUsingWindowsDPAPI(); try { @@ -70,10 +67,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { // It's OK for us to log the error, as we control the exception, and it doesn't contain // sensitive information. - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogError(ex, "An exception occurred while trying to decrypt the element."); - } + _logger.AnExceptionOccurredWhileTryingToDecryptElement(ex); throw; } } 
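Review bot: The catch block in the second DpapiXmlDecryptor.cs hunk calls `_logger.AnExceptionOccurredWhileTryingToDecryptElement(ex)`, but no wrapper of that name is among the extension methods this commit adds to LoggingExtensions. The one defined there, and used by the equivalent catch block in DpapiNGXmlDecryptor.cs, is `ExceptionOccurredTryingToDecryptElement`. Unless the name is declared in a part of the file not shown, this call does not compile; it should read `_logger.ExceptionOccurredTryingToDecryptElement(ex);`. The enclosing method starts before the hunk.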
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index c1726eb7b6..192644d8fa 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -60,17 +60,13 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { throw new ArgumentNullException(nameof(plaintextElement)); } - - if (_logger.IsVerboseLevelEnabled()) + if (_protectToLocalMachine) { - if (_protectToLocalMachine) - { - _logger.LogVerbose("Encrypting to Windows DPAPI for local machine account."); - } - else - { - _logger.LogVerboseF($"Encrypting to Windows DPAPI for current user account ({WindowsIdentity.GetCurrent().Name})."); - } + _logger.EncryptingToWindowsDPAPIForLocalMachineAccount(); + } + else + { + _logger.EncryptingToWindowsDPAPIForCurrentUserAccount(WindowsIdentity.GetCurrent().Name); } // Convert the XML element to a binary secret so that it can be run through DPAPI @@ -84,10 +80,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogError(ex, "An error occurred while encrypting to Windows DPAPI."); - } + _logger.ErrorOccurredWhileEncryptingToWindowsDPAPI(ex); throw; } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs index fd3cc01fd9..5eb4aae2be 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs 
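Review bot: With the `IsVerboseLevelEnabled()` guard removed in the first DpapiXmlEncryptor.cs hunk, `WindowsIdentity.GetCurrent().Name` is evaluated on every current-user encryption regardless of log level, and the `WindowsIdentity` it creates is never disposed. The account name is needed only for the log line, so a failure in that lookup now fails the encrypt call even when nothing would be logged. I would keep the lookup behind the level check (assuming the helper is still available) and release the identity: inside `if (_logger.IsVerboseLevelEnabled())`, use `using (var identity = WindowsIdentity.GetCurrent()) { _logger.EncryptingToWindowsDPAPIForCurrentUserAccount(identity.Name); }`. The method body starts before and ends after this hunk.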
@@ -48,10 +48,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption throw new ArgumentNullException(nameof(plaintextElement)); } - if (_logger.IsWarningLevelEnabled()) - { - _logger.LogWarning("Encrypting using a null encryptor; secret information isn't being protected."); - } + _logger.EncryptingUsingNullEncryptor(); // // From 09f54d68570a34042d299b8bf6492f9d6580cfae Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Wed, 18 Nov 2015 12:38:28 -0800 Subject: [PATCH 197/493] Fix build --- .../CngCbcAuthenticatedEncryptionOptions.cs | 4 +- .../CngGcmAuthenticatedEncryptionOptions.cs | 2 +- .../ManagedAuthenticatedEncryptionOptions.cs | 4 +- .../DataProtectionServices.cs | 30 ++++------- .../EphemeralDataProtectionProvider.cs | 2 +- .../KeyManagement/DefaultKeyResolver.cs | 10 ++-- .../KeyRingBasedDataProtector.cs | 6 +-- .../KeyManagement/KeyRingProvider.cs | 14 +++--- .../KeyManagement/XmlKeyManager.cs | 36 ++++++------- .../LoggingExtensions.cs | 50 +++++++++++++++++++ .../Repositories/EphemeralXmlRepository.cs | 2 +- .../Repositories/FileSystemXmlRepository.cs | 6 +-- .../Repositories/RegistryXmlRepository.cs | 4 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 6 +-- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 2 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 4 +- .../XmlEncryption/DpapiXmlDecryptor.cs | 4 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 6 +-- .../XmlEncryption/NullXmlEncryptor.cs | 2 +- 19 files changed, 116 insertions(+), 78 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs index 07819cd5be..985bdccdb2 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs 
@@ -111,7 +111,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(HashAlgorithm)); } - logger.OpeningCNGAlgorithmFromProviderWithHMAC(HashAlgorithm, HashAlgorithmProvider); + logger?.OpeningCNGAlgorithmFromProviderWithHMAC(HashAlgorithm, HashAlgorithmProvider); BCryptAlgorithmHandle algorithmHandle = null; // Special-case cached providers @@ -148,7 +148,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); } - logger.OpeningCNGAlgorithmFromProviderWithChainingModeCBC(EncryptionAlgorithm, EncryptionAlgorithmProvider); + logger?.OpeningCNGAlgorithmFromProviderWithChainingModeCBC(EncryptionAlgorithm, EncryptionAlgorithmProvider); BCryptAlgorithmHandle algorithmHandle = null; diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs index 1390274b99..4a20217bbe 100644 --- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs @@ -92,7 +92,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption BCryptAlgorithmHandle algorithmHandle = null; - logger.OpeningCNGAlgorithmFromProviderWithChainingModeGCM(EncryptionAlgorithm, EncryptionAlgorithmProvider); + logger?.OpeningCNGAlgorithmFromProviderWithChainingModeGCM(EncryptionAlgorithm, EncryptionAlgorithmProvider); // Special-case cached providers if (EncryptionAlgorithmProvider == null) { diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs index 6c8dc804d7..533f843420 100644 
--- a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs @@ -86,7 +86,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(ValidationAlgorithmType)); } - logger.UsingManagedKeyedHashAlgorithm(ValidationAlgorithmType.FullName); + logger?.UsingManagedKeyedHashAlgorithm(ValidationAlgorithmType.FullName); if (ValidationAlgorithmType == typeof(HMACSHA256)) { return () => new HMACSHA256(); @@ -114,7 +114,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); } - logger.UsingManagedSymmetricAlgorithm(EncryptionAlgorithmType.FullName); + logger?.UsingManagedSymmetricAlgorithm(EncryptionAlgorithmType.FullName); if (EncryptionAlgorithmType == typeof(Aes)) { diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index 862aa06998..e0a9749101 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs @@ -42,10 +42,7 @@ namespace Microsoft.Extensions.DependencyInjection var azureWebSitesKeysFolder = FileSystemXmlRepository.GetKeyStorageDirectoryForAzureWebSites(); if (azureWebSitesKeysFolder != null) { - if (log.IsInformationLevelEnabled()) - { - log.LogInformationF($"Azure Web Sites environment detected. Using '{azureWebSitesKeysFolder.FullName}' as key repository; keys will not be encrypted at rest."); - } + log?.UsingAzureAsKeyRepository(azureWebSitesKeysFolder.FullName); // Cloud DPAPI isn't yet available, so we don't encrypt keys at rest. // This isn't all that different than what Azure Web Sites does today, and we can always add this later. 
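Review bot: `log?.UsingAzureAsKeyRepository(azureWebSitesKeysFolder.FullName)` in the DataProtectionServices hunk replaces a message stating that keys "will not be encrypted at rest", which the removed code wrote at Information level. The related message from the previous commit, event 35 "No XML encryptor configured. Key ... may be persisted to storage in unencrypted form.", is defined with `LogLevel.Warning`. If the new definition (in LoggingExtensions, not visible in this hunk) keeps Information, deployments that filter at Warning will not see that key material is stored unencrypted. I would define this message, and `UsingProfileAsKeyRepository` used in the following hunk, with `logLevel: LogLevel.Warning`. The surrounding method extends beyond the hunk.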
@@ -65,16 +62,13 @@ namespace Microsoft.Extensions.DependencyInjection } keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_FileSystem(localAppDataKeysFolder); - if (log.IsInformationLevelEnabled()) + if (keyEncryptorDescriptor != null) { - if (keyEncryptorDescriptor != null) - { - log.LogInformationF($"User profile is available. Using '{localAppDataKeysFolder.FullName}' as key repository and Windows DPAPI to encrypt keys at rest."); - } - else - { - log.LogInformationF($"User profile is available. Using '{localAppDataKeysFolder.FullName}' as key repository; keys will not be encrypted at rest."); - } + log?.UsingProfileAsKeyRepositoryWithDPAPI(localAppDataKeysFolder.FullName); + } + else + { + log?.UsingProfileAsKeyRepository(localAppDataKeysFolder.FullName); } } else @@ -91,10 +85,7 @@ namespace Microsoft.Extensions.DependencyInjection keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true); keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey); - if (log.IsInformationLevelEnabled()) - { - log.LogInformationF($"User profile not available. Using '{regKeyStorageKey.Name}' as key repository and Windows DPAPI to encrypt keys at rest."); - } + log?.UsingRegistryAsKeyRepositoryWithDPAPI(regKeyStorageKey.Name); } else { @@ -102,10 +93,7 @@ namespace Microsoft.Extensions.DependencyInjection // This can only be used for development scenarios. keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_InMemory(); - if (log.IsWarningLevelEnabled()) - { - log.LogWarning("Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits."); - } + log?.UsingEphemeralKeyRepository(); } } } 
diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs index ac6f1dc773..faaf687548 100644 --- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs @@ -48,7 +48,7 @@ namespace Microsoft.AspNet.DataProtection } var logger = services.GetLogger(); - logger.UsingEphemeralDataProtectionProvider(); + logger?.UsingEphemeralDataProtectionProvider(); _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, services); } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs index 48e9684c3c..dc721a1331 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -54,7 +54,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } catch (Exception ex) { - _logger.KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(key.KeyId, nameof(IKey.CreateEncryptorInstance), ex); + _logger?.KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(key.KeyId, nameof(IKey.CreateEncryptorInstance), ex); return false; } } 
@@ -69,12 +69,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (preferredDefaultKey != null) { - _logger.ConsideringKeyWithExpirationDateAsDefaultKey(preferredDefaultKey.KeyId, preferredDefaultKey.ExpirationDate); + _logger?.ConsideringKeyWithExpirationDateAsDefaultKey(preferredDefaultKey.KeyId, preferredDefaultKey.ExpirationDate); // if the key has been revoked or is expired, it is no longer a candidate if (preferredDefaultKey.IsRevoked || preferredDefaultKey.IsExpired(now) || !CanCreateAuthenticatedEncryptor(preferredDefaultKey)) { - _logger.KeyIsNoLongerUnderConsiderationAsDefault(preferredDefaultKey.KeyId); + _logger?.KeyIsNoLongerUnderConsiderationAsDefault(preferredDefaultKey.KeyId); preferredDefaultKey = null; } } @@ -97,7 +97,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (callerShouldGenerateNewKey) { - _logger.DefaultKeyExpirationImminentAndRepository(); + _logger?.DefaultKeyExpirationImminentAndRepository(); } fallbackKey = null; @@ -118,7 +118,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement where !key.IsRevoked && CanCreateAuthenticatedEncryptor(key) select key).FirstOrDefault(); - _logger.RepositoryContainsNoViableDefaultKey(); + _logger?.RepositoryContainsNoViableDefaultKey(); callerShouldGenerateNewKey = true; return null; diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 9e2ef2f280..c94da05ff7 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -245,7 +245,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out keyWasRevoked); if (requestedEncryptor == null) { - _logger.KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(keyIdFromPayload); + _logger?.KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(keyIdFromPayload); throw Error.Common_KeyNotFound(keyIdFromPayload); } @@ -261,12 +261,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (allowOperationsOnRevokedKeys) { - _logger.KeyWasRevokedCallerRequestedUnprotectOperationProceedRegardless(keyIdFromPayload); + _logger?.KeyWasRevokedCallerRequestedUnprotectOperationProceedRegardless(keyIdFromPayload); status = UnprotectStatus.DecryptionKeyWasRevoked; } else { - _logger.KeyWasRevokedUnprotectOperationCannotProceed(keyIdFromPayload); + _logger?.KeyWasRevokedUnprotectOperationCannotProceed(keyIdFromPayload); throw Error.Common_KeyRevoked(keyIdFromPayload); } } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index c41e45f380..017319c558 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs @@ -45,7 +45,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, defaultKeyPolicy.DefaultKey, allKeys); } - _logger.PolicyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing(); + _logger?.PolicyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing(); // We shouldn't call CreateKey more than once, else we risk stack diving. This code path shouldn't // get hit unless there was an ineligible key with an activation date slightly later than the one we 
@@ -66,12 +66,12 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement var keyToUse = defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey; if (keyToUse == null) { - _logger.KeyRingDoesNotContainValidDefaultKey(); + _logger?.KeyRingDoesNotContainValidDefaultKey(); throw new InvalidOperationException(Resources.KeyRingProvider_NoDefaultKey_AutoGenerateDisabled); } else { - _logger.UsingFallbackKeyWithExpirationAsDefaultKey(keyToUse.KeyId, keyToUse.ExpirationDate); + _logger?.UsingFallbackKeyWithExpirationAsDefaultKey(keyToUse.KeyId, keyToUse.ExpirationDate); return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys); } } @@ -100,7 +100,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Invariant: our caller ensures that CreateEncryptorInstance succeeded at least once Debug.Assert(defaultKey.CreateEncryptorInstance() != null); - _logger.UsingKeyAsDefaultKey(defaultKey.KeyId); + _logger?.UsingKeyAsDefaultKey(defaultKey.KeyId); DateTimeOffset nextAutoRefreshTime = now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod); @@ -155,7 +155,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (existingCacheableKeyRing != null) { - _logger.ExistingCachedKeyRingIsExpired(); + _logger?.ExistingCachedKeyRingIsExpired(); } // It's up to us to refresh the cached keyring. @@ -170,11 +170,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (existingCacheableKeyRing != null) { - _logger.ErrorOccurredWhileRefreshingKeyRing(ex); + _logger?.ErrorOccurredWhileRefreshingKeyRing(ex); } else { - _logger.ErrorOccurredWhileReadingKeyRing(ex); + _logger?.ErrorOccurredWhileReadingKeyRing(ex); } // Failures that occur while refreshing the keyring are most likely transient, perhaps due to a diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index a137fef2cb..f8cf2c8e9f 100644 
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs @@ -175,7 +175,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement else { // Skip unknown elements. - _logger.UnknownElementWithNameFoundInKeyringSkipping(element.Name); + _logger?.UnknownElementWithNameFoundInKeyringSkipping(element.Name); } } @@ -189,11 +189,11 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (key != null) { key.SetRevoked(); - _logger.MarkedKeyAsRevokedInTheKeyring(revokedKeyId); + _logger?.MarkedKeyAsRevokedInTheKeyring(revokedKeyId); } else { - _logger.TriedToProcessRevocationOfKeyButNoSuchKeyWasFound(revokedKeyId); + _logger?.TriedToProcessRevocationOfKeyButNoSuchKeyWasFound(revokedKeyId); } } } @@ -211,7 +211,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement if (key.CreationDate < mostRecentMassRevocationDate) { key.SetRevoked(); - _logger.MarkedKeyAsRevokedInTheKeyring(key.KeyId); + _logger?.MarkedKeyAsRevokedInTheKeyring(key.KeyId); } } } @@ -237,7 +237,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement DateTimeOffset activationDate = (DateTimeOffset)keyElement.Element(ActivationDateElementName); DateTimeOffset expirationDate = (DateTimeOffset)keyElement.Element(ExpirationDateElementName); - _logger.FoundKey(keyId); + _logger?.FoundKey(keyId); return new DeferredKey( keyId: keyId, 
@@ -268,14 +268,14 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { // this is a mass revocation of all keys as of the specified revocation date DateTimeOffset massRevocationDate = (DateTimeOffset)revocationElement.Element(RevocationDateElementName); - _logger.FoundRevocationOfAllKeysCreatedPriorTo(massRevocationDate); + _logger?.FoundRevocationOfAllKeysCreatedPriorTo(massRevocationDate); return massRevocationDate; } else { // only one key is being revoked Guid keyId = XmlConvert.ToGuid(keyIdAsString); - _logger.FoundRevocationOfKey(keyId); + _logger?.FoundRevocationOfKey(keyId); return keyId; } } @@ -283,7 +283,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { // Any exceptions that occur are fatal - we don't want to continue if we cannot process // revocation information. - _logger.ExceptionWhileProcessingRevocationElement(revocationElement, ex); + _logger?.ExceptionWhileProcessingRevocationElement(revocationElement, ex); throw; } } @@ -297,7 +297,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // ... // - _logger.RevokingAllKeysAsOfForReason(revocationDate, reason); + _logger?.RevokingAllKeysAsOfForReason(revocationDate, reason); var revocationElement = new XElement(RevocationElementName, new XAttribute(VersionAttributeName, 1), @@ -325,7 +325,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement { if (!suppressLogging) { - _logger.KeyCacheExpirationTokenTriggeredByOperation(opName); + _logger?.KeyCacheExpirationTokenTriggeredByOperation(opName); } Interlocked.Exchange(ref _cacheExpirationTokenSource, new CancellationTokenSource())?.Cancel(); 
@@ -339,10 +339,10 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // include sensitive information in the exception message. // write sanitized element - _logger.ExceptionWhileProcessingKeyElement(keyElement.WithoutChildNodes(), error); + _logger?.ExceptionWhileProcessingKeyElement(keyElement.WithoutChildNodes(), error); // write full element - _logger.AnExceptionOccurredWhileProcessingElementDebug(keyElement, error); + _logger?.AnExceptionOccurredWhileProcessingElementDebug(keyElement, error); } @@ -357,13 +357,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // // - _logger.CreatingKey(keyId, creationDate, activationDate, expirationDate); + _logger?.CreatingKey(keyId, creationDate, activationDate, expirationDate); var newDescriptor = _authenticatedEncryptorConfiguration.CreateNewDescriptor() ?? CryptoUtil.Fail("CreateNewDescriptor returned null."); var descriptorXmlInfo = newDescriptor.ExportToXml(); - _logger.DescriptorDeserializerTypeForKeyIs(keyId, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName); + _logger?.DescriptorDeserializerTypeForKeyIs(keyId, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName); // build the element var keyElement = new XElement(KeyElementName, 
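Review bot: The `// write full element` comment in the `@@ -339,10 +339,10 @@` hunk of XmlKeyManager.cs does not say that the unsanitized `keyElement` may carry secret key material, although the comment just above it already mentions sensitive information. I would expand it to `// write full element (may contain secret key material); this call must stay Debug-level only` so that a later change to the level or the sink gets a second look. The Debug level is inferred from the method name `AnExceptionOccurredWhileProcessingElementDebug`, whose definition is not in this hunk, and the enclosing method starts outside it.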
@@ -379,18 +379,18 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // If key escrow policy is in effect, write the *unencrypted* key now. if (_keyEscrowSink != null) { - _logger.KeyEscrowSinkFoundWritingKeyToEscrow(keyId); + _logger?.KeyEscrowSinkFoundWritingKeyToEscrow(keyId); } else { - _logger.NoKeyEscrowSinkFoundNotWritingKeyToEscrow(keyId); + _logger?.NoKeyEscrowSinkFoundNotWritingKeyToEscrow(keyId); } _keyEscrowSink?.Store(keyId, keyElement); // If an XML encryptor has been configured, protect secret key material now. if (KeyEncryptor == null) { - _logger.NoXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm(keyId); + _logger?.NoXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm(keyId); } var possiblyEncryptedKeyElement = KeyEncryptor?.EncryptIfNecessary(keyElement) ?? keyElement; @@ -438,7 +438,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // ... // - _logger.RevokingKeyForReason(keyId, revocationDate, reason); + _logger?.RevokingKeyForReason(keyId, revocationDate, reason); var revocationElement = new XElement(RevocationElementName, new XAttribute(VersionAttributeName, 1), diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs index 509f1568bb..72ed762ba4 100644 --- a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs @@ -129,6 +129,16 @@ namespace Microsoft.Extensions.Logging private static Action _policyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing; + private static Action _usingEphemeralKeyRepository; + + private static Action _usingRegistryAsKeyRepositoryWithDPAPI; + + private static Action _usingProfileAsKeyRepository; + + private static Action _usingProfileAsKeyRepositoryWithDPAPI; + + private static Action _usingAzureAsKeyRepository; + static LoggingExtensions() { _usingFallbackKeyWithExpirationAsDefaultKey = LoggerMessage.Define( 
@@ -363,6 +373,21 @@ namespace Microsoft.Extensions.Logging eventId: 58, logLevel: LogLevel.Information, formatString: "Creating key {KeyId:B} with creation date {CreationDate:u}, activation date {ActivationDate:u}, and expiration date {ExpirationDate:u}."); + _usingEphemeralKeyRepository = LoggerMessage.Define(eventId: 59, + logLevel: LogLevel.Warning, + formatString: "Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits."); + _usingRegistryAsKeyRepositoryWithDPAPI = LoggerMessage.Define(eventId: 0, + logLevel: LogLevel.Information, + formatString: "User profile not available. Using '{Name}' as key repository and Windows DPAPI to encrypt keys at rest."); + _usingProfileAsKeyRepository = LoggerMessage.Define(eventId: 0, + logLevel: LogLevel.Information, + formatString: "User profile is available. Using '{FullName}' as key repository; keys will not be encrypted at rest."); + _usingProfileAsKeyRepositoryWithDPAPI = LoggerMessage.Define(eventId: 0, + logLevel: LogLevel.Information, + formatString: "User profile is available. Using '{FullName}' as key repository and Windows DPAPI to encrypt keys at rest."); + _usingAzureAsKeyRepository = LoggerMessage.Define(eventId: 0, + logLevel: LogLevel.Information, + formatString: "Azure Web Sites environment detected. Using '{FullName}' as key repository; keys will not be encrypted at rest."); } /// 
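Review bot: Four of the five new `LoggerMessage.Define` calls use `eventId: 0`, while the entries beside them are numbered (58 for the "Creating key" message, 59 for `_usingEphemeralKeyRepository`). These messages record where keys are stored and whether they are encrypted at rest, so a log filter or alert keyed on event id cannot separate "keys will not be encrypted at rest" from the DPAPI-protected cases. Give each its own id continuing the sequence, for example `eventId: 60` for `_usingRegistryAsKeyRepositoryWithDPAPI` through `eventId: 63` for `_usingAzureAsKeyRepository`, assuming those ids are unused elsewhere in the file. The static constructor starts and ends outside this hunk.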
@@ -710,5 +735,30 @@ namespace Microsoft.Extensions.Logging { _creatingKey(logger, keyId, creationDate, activationDate, expirationDate, null); } + + public static void UsingEphemeralKeyRepository(this ILogger logger) + { + _usingEphemeralKeyRepository(logger, null); + } + + public static void UsingRegistryAsKeyRepositoryWithDPAPI(this ILogger logger, string name) + { + _usingRegistryAsKeyRepositoryWithDPAPI(logger, name, null); + } + + public static void UsingProfileAsKeyRepository(this ILogger logger, string fullName) + { + _usingProfileAsKeyRepository(logger, fullName, null); + } + + public static void UsingProfileAsKeyRepositoryWithDPAPI(this ILogger logger, string fullName) + { + _usingProfileAsKeyRepositoryWithDPAPI(logger, fullName, null); + } + + public static void UsingAzureAsKeyRepository(this ILogger logger, string fullName) + { + _usingAzureAsKeyRepository(logger, fullName, null); + } } } \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs index 1852bafaa3..e277488ca0 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs @@ -20,7 +20,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories public EphemeralXmlRepository(IServiceProvider services) { var logger = services?.GetLogger(); - logger.UsingInmemoryRepository(); + logger?.UsingInmemoryRepository(); } public virtual IReadOnlyCollection GetAllElements() diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs index 84e46b24b5..a31038deab 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs 
@@ -185,7 +185,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private XElement ReadElementFromFile(string fullPath) { - _logger.ReadingDataFromFile(fullPath); + _logger?.ReadingDataFromFile(fullPath); using (var fileStream = File.OpenRead(fullPath)) { @@ -203,7 +203,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories if (!IsSafeFilename(friendlyName)) { string newFriendlyName = Guid.NewGuid().ToString(); - _logger.NameIsNotSafeFileName(friendlyName, newFriendlyName); + _logger?.NameIsNotSafeFileName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } @@ -229,7 +229,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories // Once the file has been fully written, perform the rename. // Renames are atomic operations on the file systems we support. - _logger.WritingDataToFile(finalFilename); + _logger?.WritingDataToFile(finalFilename); File.Move(tempFilename, finalFilename); } finally diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs index baed19aa53..c809cdce79 100644 --- a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs @@ -140,7 +140,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private XElement ReadElementFromRegKey(RegistryKey regKey, string valueName) { - _logger.ReadingDataFromRegistryKeyValue(regKey, valueName); + _logger?.ReadingDataFromRegistryKeyValue(regKey, valueName); string data = regKey.GetValue(valueName) as string; return (!String.IsNullOrEmpty(data)) ? XElement.Parse(data) : null; 
@@ -156,7 +156,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories if (!IsSafeRegistryValueName(friendlyName)) { string newFriendlyName = Guid.NewGuid().ToString(); - _logger.NameIsNotSafeRegistryValueName(friendlyName, newFriendlyName); + _logger?.NameIsNotSafeRegistryValueName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index a2e7004095..e38928dbbf 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -149,7 +149,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - _logger.ExceptionWhileTryingToResolveCertificateWithThumbprint(thumbprint, ex); + _logger?.ExceptionWhileTryingToResolveCertificateWithThumbprint(thumbprint, ex); throw; } @@ -161,7 +161,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption var cert = _certFactory() ?? CryptoUtil.Fail("Cert factory returned null."); - _logger.EncryptingToX509CertificateWithThumbprint(cert.Thumbprint); + _logger?.EncryptingToX509CertificateWithThumbprint(cert.Thumbprint); try { @@ -169,7 +169,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - _logger.AnErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(cert.Thumbprint, ex); + _logger?.AnErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(cert.Thumbprint, ex); throw; } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index c71b0dd220..12296ffaac 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs 
@@ -84,7 +84,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { // It's OK for us to log the error, as we control the exception, and it doesn't contain // sensitive information. - _logger.ExceptionOccurredTryingToDecryptElement(ex); + _logger?.ExceptionOccurredTryingToDecryptElement(ex); throw; } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index 6c2b718226..ec9eae530b 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -73,7 +73,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } string protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); - _logger.EncryptingToWindowsDPAPINGUsingProtectionDescriptorRule(protectionDescriptorRuleString); + _logger?.EncryptingToWindowsDPAPINGUsingProtectionDescriptorRule(protectionDescriptorRuleString); // Convert the XML element to a binary secret so that it can be run through DPAPI byte[] cngDpapiEncryptedData; @@ -86,7 +86,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - _logger.ErrorOccurredWhileEncryptingToWindowsDPAPING(ex); + _logger?.ErrorOccurredWhileEncryptingToWindowsDPAPING(ex); throw; } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index fcdf952d11..0a65c22538 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -48,7 +48,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption throw new ArgumentNullException(nameof(encryptedElement)); } - _logger.DecryptingSecretElementUsingWindowsDPAPI(); + _logger?.DecryptingSecretElementUsingWindowsDPAPI(); try { 
@@ -67,7 +67,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption { // It's OK for us to log the error, as we control the exception, and it doesn't contain // sensitive information. - _logger.AnExceptionOccurredWhileTryingToDecryptElement(ex); + _logger?.ExceptionOccurredTryingToDecryptElement(ex); throw; } } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 192644d8fa..f99ee99c05 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -62,11 +62,11 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } if (_protectToLocalMachine) { - _logger.EncryptingToWindowsDPAPIForLocalMachineAccount(); + _logger?.EncryptingToWindowsDPAPIForLocalMachineAccount(); } else { - _logger.EncryptingToWindowsDPAPIForCurrentUserAccount(WindowsIdentity.GetCurrent().Name); + _logger?.EncryptingToWindowsDPAPIForCurrentUserAccount(WindowsIdentity.GetCurrent().Name); } // Convert the XML element to a binary secret so that it can be run through DPAPI @@ -80,7 +80,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } catch (Exception ex) { - _logger.ErrorOccurredWhileEncryptingToWindowsDPAPI(ex); + _logger?.ErrorOccurredWhileEncryptingToWindowsDPAPI(ex); throw; } diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs index 5eb4aae2be..c110ed2d4c 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs @@ -48,7 +48,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption throw new ArgumentNullException(nameof(plaintextElement)); } - _logger.EncryptingUsingNullEncryptor(); + _logger?.EncryptingUsingNullEncryptor(); // // 
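Review bot: The catch block in the `@@ -67,7 +67,7 @@` hunk of DpapiXmlDecryptor.cs does more than add `?.`: it replaces `AnExceptionOccurredWhileTryingToDecryptElement(ex)` with `ExceptionOccurredTryingToDecryptElement(ex)`, the same call DpapiNGXmlDecryptor.cs makes. If that is deliberate, the commit message should say so, because DPAPI and DPAPI-NG decryption failures will then presumably be logged with the same message and can only be told apart by logger category. If it is not, keep the original method: `_logger?.AnExceptionOccurredWhileTryingToDecryptElement(ex);`. The enclosing method starts outside the hunk.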
From 7bb3ccf201dde90dc316a0b1bf2f686f24f72708 Mon Sep 17 00:00:00 2001 From: Daniel Kraemer Date: Fri, 20 Nov 2015 21:37:08 +0100 Subject: [PATCH 198/493] Fixed possibly wrong registry path Your version of this script opens/creates registry path "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\4.0.30319.0\AutoGenKeys\$sid" I think the correct path should be "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\$sid" --- Provision-AutoGenKeys.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Provision-AutoGenKeys.ps1 b/Provision-AutoGenKeys.ps1 index 7c3f671d11..31f060210b 100644 --- a/Provision-AutoGenKeys.ps1 +++ b/Provision-AutoGenKeys.ps1 @@ -43,10 +43,10 @@ function Provision-AutoGenKeys { $aspNetKey = $softwareMicrosoftKey.CreateSubKey("ASP.NET") } - $aspNetBaseKey = $softwareMicrosoftKey.OpenSubKey("$expandedVersion", $True); + $aspNetBaseKey = $aspNetKey.OpenSubKey("$expandedVersion", $True); if ($aspNetBaseKey -eq $null) { - $aspNetBaseKey = $softwareMicrosoftKey.CreateSubKey("$expandedVersion") + $aspNetBaseKey = $aspNetKey.CreateSubKey("$expandedVersion") } # Create AutoGenKeys subkey if it doesn't already exist @@ -79,4 +79,4 @@ Catch [System.Security.Principal.IdentityNotMappedException] } Provision-AutoGenKeys "4.0" "32" $poolSid -Provision-AutoGenKeys "4.0" "64" $poolSid \ No newline at end of file +Provision-AutoGenKeys "4.0" "64" $poolSid From ca3e4669dcddd40dd067b2dee76a47dc9133397e Mon Sep 17 00:00:00 2001 
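Review bot: Hosts that already ran the earlier version of Provision-AutoGenKeys keep the subkey it created at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\4.0.30319.0\AutoGenKeys\$sid`, because the corrected `$aspNetKey.OpenSubKey` / `$aspNetKey.CreateSubKey` calls leave that path untouched. Any access the script grants on the key for the pool SID would presumably remain on the stray path as well; the ACL code is outside this hunk. Consider a comment above the `$aspNetBaseKey` assignment such as `# Earlier revisions created this key directly under SOFTWARE\Microsoft; remove that stray key on hosts provisioned before this fix`, or an explicit cleanup step. The function body continues outside the hunk.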
From: Pranav K Date: Tue, 10 Nov 2015 16:31:50 -0800 Subject: [PATCH 199/493] Updating tests to use moq.netcore --- .gitignore | 1 + .../ActivatorExtensions.cs | 1 + .../Cng/CbcAuthenticatedEncryptor.cs | 1 + .../Cng/GcmAuthenticatedEncryptor.cs | 1 + .../CngAuthenticatedEncryptorBase.cs | 4 +- .../DataProtectionServices.cs | 1 + .../EphemeralDataProtectionProvider.cs | 1 + .../{ => Internal}/IActivator.cs | 4 +- .../KeyManagement/DefaultKeyResolver.cs | 1 + .../KeyManagement/DefaultKeyServices.cs | 1 + .../KeyManagement/DeferredKey.cs | 9 +++- .../{ => Internal}/CacheableKeyRing.cs | 4 +- .../{ => Internal}/DefaultKeyResolution.cs | 4 +- .../ICacheableKeyRingProvider.cs | 4 +- .../{ => Internal}/IDefaultKeyResolver.cs | 4 +- .../{ => Internal}/IDefaultKeyServices.cs | 4 +- .../{ => Internal}/IInternalXmlKeyManager.cs | 5 +-- .../KeyManagement/{ => Internal}/IKeyRing.cs | 4 +- .../{ => Internal}/IKeyRingProvider.cs | 6 +-- .../KeyManagement/KeyRing.cs | 1 + .../KeyRingBasedDataProtectionProvider.cs | 1 + .../KeyRingBasedDataProtector.cs | 1 + .../KeyManagement/KeyRingProvider.cs | 1 + .../KeyManagement/XmlKeyManager.cs | 2 + .../XmlEncryption/XmlEncryptionExtensions.cs | 1 + .../project.json | 36 +++++++++------- .../project.json | 37 ++++++++-------- .../project.json | 40 ++++++++++------- .../DataProtectionProviderTests.cs | 2 +- .../project.json | 41 +++++++++++------- .../project.json | 20 +++------ .../ActivatorTests.cs | 1 + .../AnonymousImpersonation.cs | 2 + .../AuthenticatedEncryptorDescriptorTests.cs | 27 ++++++++---- ...tedEncryptorDescriptorDeserializerTests.cs | 4 +- .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 4 +- .../KeyManagement/CacheableKeyRingTests.cs | 1 + .../KeyManagement/DefaultKeyResolverTests.cs | 1 + .../KeyManagement/DeferredKeyTests.cs | 1 + .../KeyRingBasedDataProtectorTests.cs | 2 + .../KeyManagement/KeyRingProviderTests.cs | 1 + .../KeyManagement/XmlKeyManagerTests.cs | 2 + .../MockExtensions.cs | 1 + 
.../RegistryPolicyResolverTests.cs | 4 +- .../FileSystemXmlRepositoryTests.cs | 4 +- .../CertificateXmlEncryptionTests.cs | 3 ++ .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 + .../XmlEncryptionExtensionsTests.cs | 1 + .../project.json | 43 ++++++++++++------- 49 files changed, 209 insertions(+), 138 deletions(-) rename src/Microsoft.AspNet.DataProtection/Cng/{ => Internal}/CngAuthenticatedEncryptorBase.cs (96%) rename src/Microsoft.AspNet.DataProtection/{ => Internal}/IActivator.cs (89%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/CacheableKeyRing.cs (94%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/DefaultKeyResolution.cs (92%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/ICacheableKeyRingProvider.cs (70%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/IDefaultKeyResolver.cs (83%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/IDefaultKeyServices.cs (88%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/IInternalXmlKeyManager.cs (82%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/IKeyRing.cs (93%) rename src/Microsoft.AspNet.DataProtection/KeyManagement/{ => Internal}/IKeyRingProvider.cs (66%) diff --git a/.gitignore b/.gitignore index ac82da7568..0d01a992a1 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ nuget.exe *.ipch *.sln.ide project.lock.json +.vs \ No newline at end of file diff --git a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs index 0c9037e247..5004cd0745 100644 --- a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs 
@@ -4,6 +4,7 @@ using System; using System.Reflection; using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNet.DataProtection diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index 37a8413a3a..f54d9f6eb2 100644 --- a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -6,6 +6,7 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.Cng.Internal; using Microsoft.AspNet.DataProtection.SP800_108; namespace Microsoft.AspNet.DataProtection.Cng diff --git a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index 953fb05106..027f5c1da1 100644 --- a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs @@ -6,6 +6,7 @@ using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.Cryptography.SafeHandles; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.Cng.Internal; using Microsoft.AspNet.DataProtection.SP800_108; namespace Microsoft.AspNet.DataProtection.Cng 
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs similarity index 96% rename from src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs rename to src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs index 968a31cd0b..68f933fded 100644 --- a/src/Microsoft.AspNet.DataProtection/Cng/CngAuthenticatedEncryptorBase.cs +++ b/src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs @@ -4,12 +4,12 @@ using System; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng.Internal { /// /// Base class used for all CNG-related authentication encryption operations. /// - internal unsafe abstract class CngAuthenticatedEncryptorBase : IOptimizedAuthenticatedEncryptor, IDisposable + public unsafe abstract class CngAuthenticatedEncryptorBase : IOptimizedAuthenticatedEncryptor, IDisposable { public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData) { diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs index e0a9749101..efef3fe5ca 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs @@ -8,6 +8,7 @@ using Microsoft.AspNet.DataProtection; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNet.DataProtection.Cng; using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.Extensions.Logging; using Microsoft.Win32; 
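Review bot: `CngAuthenticatedEncryptorBase` changes from `internal` to `public` in this hunk, and the only thing marking it as unsupported is the `.Internal` namespace suffix, which the compiler does not enforce. The same widening is applied in the following hunks to `IActivator`, `CacheableKeyRing`, `DefaultKeyResolution`, `ICacheableKeyRingProvider`, `IDefaultKeyResolver`, `IDefaultKeyServices`, `IInternalXmlKeyManager`, `IKeyRing` and `IKeyRingProvider`, so encryptor and key-ring plumbing becomes referenceable and implementable from any assembly. The commit message mentions only the move to moq.netcore; presumably the mocking library cannot proxy internal types on `dnxcore50`, and that reason should be written down where the types are declared. I would add a line to each type's XML doc such as `/// This type supports the data protection infrastructure and is not intended to be used directly from application code.` The class body continues outside the hunk.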
diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs index faaf687548..4ad566865e 100644 --- a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs @@ -5,6 +5,7 @@ using System; using Microsoft.AspNet.Cryptography.Cng; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection diff --git a/src/Microsoft.AspNet.DataProtection/IActivator.cs b/src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs similarity index 89% rename from src/Microsoft.AspNet.DataProtection/IActivator.cs rename to src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs index 012510869c..2adb8efa37 100644 --- a/src/Microsoft.AspNet.DataProtection/IActivator.cs +++ b/src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs @@ -3,13 +3,13 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNet.DataProtection.Internal { /// /// An interface into that also supports /// limited dependency injection (of ). /// - internal interface IActivator + public interface IActivator { /// /// Creates an instance of and ensures diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs index dc721a1331..cd3945505d 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs 
@@ -6,6 +6,7 @@ using System.Collections.Generic; using System.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs index 7d7b79bad3..591c9bd68d 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs @@ -3,6 +3,7 @@ using System; using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs index 559d9030ba..18c795d165 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs @@ -5,6 +5,7 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.DataProtection.XmlEncryption; namespace Microsoft.AspNet.DataProtection.KeyManagement 
@@ -15,7 +16,13 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement /// internal sealed class DeferredKey : KeyBase { - public DeferredKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IInternalXmlKeyManager keyManager, XElement keyElement) + public DeferredKey( + Guid keyId, + DateTimeOffset creationDate, + DateTimeOffset activationDate, + DateTimeOffset expirationDate, + IInternalXmlKeyManager keyManager, + XElement keyElement) : base(keyId, creationDate, activationDate, expirationDate, new Lazy(GetLazyEncryptorDelegate(keyManager, keyElement))) { } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs similarity index 94% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs index b3bde5d737..090c150949 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/CacheableKeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs @@ -5,12 +5,12 @@ using System; using System.Collections.Generic; using System.Threading; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { /// /// Wraps both a keyring and its expiration policy. /// - internal sealed class CacheableKeyRing + public sealed class CacheableKeyRing { private readonly CancellationToken _expirationToken; diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs similarity index 92% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs index a60aa9bf25..8a4a536665 100644 
--- a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolution.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs @@ -3,9 +3,9 @@ using System; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { - internal struct DefaultKeyResolution + public struct DefaultKeyResolution { /// /// The default key, may be null if no key is a good default candidate. diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs similarity index 70% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs index ccdb39ccba..1b5feb6c7a 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/ICacheableKeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs @@ -3,9 +3,9 @@ using System; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { - internal interface ICacheableKeyRingProvider + public interface ICacheableKeyRingProvider { CacheableKeyRing GetCacheableKeyRing(DateTimeOffset now); } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs similarity index 83% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs index 99178eb07a..8c3e2381da 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyResolver.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs 
@@ -4,12 +4,12 @@ using System; using System.Collections.Generic; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { /// /// Implements policy for resolving the default key from a candidate keyring. /// - internal interface IDefaultKeyResolver + public interface IDefaultKeyResolver { /// /// Locates the default key from the keyring. diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs similarity index 88% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs index faccf9554b..dd5d9bb012 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IDefaultKeyServices.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs @@ -5,12 +5,12 @@ using System; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { /// /// Provides default implementations of the services required by an . /// - internal interface IDefaultKeyServices + public interface IDefaultKeyServices { /// /// Gets the default service (could return null). diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs similarity index 82% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs index f94d40e8a8..47f419f340 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IInternalXmlKeyManager.cs 
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs @@ -5,10 +5,9 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { - // Used for unit testing - internal interface IInternalXmlKeyManager + public interface IInternalXmlKeyManager { IKey CreateNewKey(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate); diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs similarity index 93% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs index 6b7f0e6045..e5b144c9d8 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs @@ -4,12 +4,12 @@ using System; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { /// /// The basic interface for accessing a read-only keyring. /// - internal interface IKeyRing + public interface IKeyRing { /// /// The authenticated encryptor that shall be used for new encryption operations. diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs similarity index 66% rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs rename to src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs index 966328fc77..e532d024a8 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyRingProvider.cs 
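Review bot: The `// Used for unit testing` comment on `IInternalXmlKeyManager` is deleted in the same hunk that makes the interface `public`, which leaves a public type with no statement of purpose at all. The visible member `CreateNewKey` takes a caller-supplied key id plus creation, activation and expiration dates, so a reader has no way to tell from the declaration that this is not a supported way to mint keys. If the removed comment still describes the intent, keep it in a fuller form, for example `// Test seam for the XML key manager; public only so that mocks can proxy it, not for application use.` The interface body continues outside the hunk.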
+++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs @@ -1,11 +1,9 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; - -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal { - internal interface IKeyRingProvider + public interface IKeyRingProvider { IKeyRing GetCurrentKeyRing(); } diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs index bb5610077b..f8cc2d106d 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs @@ -5,6 +5,7 @@ using System; using System.Collections.Generic; using System.Threading; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; namespace Microsoft.AspNet.DataProtection.KeyManagement { diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs index e56337ee29..cecf9c1bfc 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement 
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index c94da05ff7..b14819ec80 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -9,6 +9,7 @@ using System.Linq; using System.Threading; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNet.DataProtection.KeyManagement diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs index 017319c558..0ac3579b2c 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs @@ -6,6 +6,7 @@ using System.Collections.Generic; using System.Diagnostics; using System.Threading; using Microsoft.AspNet.Cryptography; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs index f8cf2c8e9f..0ced2fea20 100644 --- a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs 
@@ -11,6 +11,8 @@ using System.Xml; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.Internal; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index f1987d1756..44ec3abe0c 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs @@ -9,6 +9,7 @@ using System.Linq; using System.Xml.Linq; using Microsoft.AspNet.Cryptography; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.Internal; namespace Microsoft.AspNet.DataProtection.XmlEncryption { diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index e1bf23c336..741892fb6b 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json 
@@ -1,19 +1,23 @@ { - "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, - "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": { + "type": "build", + "version": "" }, - "frameworks": { - "dnx451": { }, - "dnxcore50": { } - }, - "commands": { - "test": "xunit.runner.aspnet" - }, - "compilationOptions": { - "allowUnsafe": true, - "keyFile": "../../tools/Key.snk" - } + "Microsoft.AspNet.Testing": "1.0.0-*", + "xunit.runner.aspnet": "2.0.0-aspnet-*" + }, + "frameworks": { + "dnx451": { }, + "dnxcore50": { } + }, + "commands": { + "test": "xunit.runner.aspnet" + }, + "compilationOptions": { + "allowUnsafe": true, + "keyFile": "../../tools/Key.snk", + "warningsAsErrors": true + } } diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index d03d6526fd..09cf034660 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json 
@@ -1,20 +1,21 @@ { - "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": "", - "Microsoft.AspNet.Testing": "1.0.0-*", - "Moq": "4.2.1312.1622", - "xunit.runner.aspnet": "2.0.0-aspnet-*" - }, - "frameworks": { - "dnx451": { } - }, - "commands": { - "test": "xunit.runner.aspnet" - }, - "compilationOptions": { - "allowUnsafe": true, - "keyFile": "../../tools/Key.snk" - } + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": "", + "Microsoft.AspNet.Testing": "1.0.0-*", + "xunit.runner.aspnet": "2.0.0-aspnet-*" + }, + "frameworks": { + "dnx451": { }, + "dnxcore50": { } + }, + "commands": { + "test": "xunit.runner.aspnet" + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" + } } diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json index dd7ede7811..8ceb6a391c 100644 --- a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json 
@@ -1,20 +1,28 @@ { - "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNet.Testing": "1.0.0-*", - "Moq": "4.2.1312.1622", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "dependencies": { + "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", + "Microsoft.AspNet.Testing": "1.0.0-*", + "xunit.runner.aspnet": "2.0.0-aspnet-*" + }, + "frameworks": { + "dnx451": { + "dependencies": { + "Moq": "4.2.1312.1622" + } }, - "frameworks": { - "dnx451": { } - }, - "commands": { - "test": "xunit.runner.aspnet" - }, - "compile": "..\\common\\**\\*.cs", - "compilationOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "dnxcore50": { + "dependencies": { + "moq.netcore": "4.4.0-beta8" + } } + }, + "commands": { + "test": "xunit.runner.aspnet" + }, + "compile": "../common/**/*.cs", + "compilationOptions": { + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" + } } diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 7bfc8b0d6c..0724799fa8 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -86,7 +86,7 @@ namespace Microsoft.AspNet.DataProtection private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition { - public bool IsMet => (Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null); + public bool IsMet => Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%") != null; public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; } 
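Review bot: The `dnxcore50` target pulls `moq.netcore` at the prerelease version `4.4.0-beta8`, a different package id from the `Moq` used for `dnx451`, and nothing in this diff shows which feed it is restored from. The exact version pin is good; what is worth confirming is that the repository's NuGet.Config limits restore to the feed that is meant to publish this id, so that a same-named package on another configured source cannot be resolved instead. The same dependency is added in the Extensions.Test project.json that follows.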
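Review bot: `IsMet` in `ConditionalRunTestOnlyIfLocalAppDataAvailable` can never be false as written, because `Environment.ExpandEnvironmentVariables` returns the input text unchanged when a variable is not defined, so the result is the literal `%LOCALAPPDATA%` rather than null. The tests guarded by this condition would then run on a machine without the folder and fail instead of being skipped with the stated `SkipReason`. Reading the variable directly gives the intended check: `public bool IsMet => !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("LOCALAPPDATA"));`. The enclosing test class starts outside the hunk.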
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json index 1a3581591b..2f098cd064 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json @@ -1,20 +1,31 @@ { - "dependencies": { - "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, - "Microsoft.AspNet.Testing": "1.0.0-*", - "Moq": "4.2.1312.1622", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "dependencies": { + "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": { + "type": "build", + "version": "" }, - "frameworks": { - "dnx451": { } + "Microsoft.AspNet.Testing": "1.0.0-*", + "xunit.runner.aspnet": "2.0.0-aspnet-*" + }, + "frameworks": { + "dnx451": { + "dependencies": { + "Moq": "4.2.1312.1622" + } }, - "commands": { - "test": "xunit.runner.aspnet" - }, - "compilationOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "dnxcore50": { + "dependencies": { + "moq.netcore": "4.4.0-beta8" + } } + }, + "commands": { + "test": "xunit.runner.aspnet" + }, + "compilationOptions": { + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" + } } diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json index 266a312c09..70fcad2714 100644 --- a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json 
@@ -1,17 +1,7 @@ { - "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.aspnet": "2.0.0-aspnet-*" - }, - "frameworks": { - "dnx451": { }, - "dnxcore50": { } - }, - "commands": { - - }, - "compilationOptions": { - }, - "shared": "**\\*.cs" + "frameworks": { + "dnx451": { }, + "dnxcore50": { } + }, + "shared": "**/*.cs" } diff --git a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs index 5bea3ae5b6..d5b96c0f17 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNet.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs index 35b2eaf8ae..cd76849191 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs @@ -1,6 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. +#if DNX451 using System; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; @@ -85,3 +86,4 @@ namespace Microsoft.AspNet.DataProtection } } } +#endif \ No newline at end of file diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs index bdfdf504b2..183af245a7 100644 
--- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs 
@@ -74,14 +74,23 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM Assert.Equal(plaintext, roundTripPlaintext); } + public static TheoryData CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementationData + => new TheoryData> + { + { EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256, () => new HMACSHA256() }, + { EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA256, () => new HMACSHA256() }, + { EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256, () => new HMACSHA256() }, + { EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA512, () => new HMACSHA512() }, + { EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, () => new HMACSHA512() }, + { EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512, () => new HMACSHA512() }, + }; + [Theory] - [InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)] - [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA256)] - [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256)] - [InlineData(EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA512)] - [InlineData(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512)] - [InlineData(EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512)] - public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation(EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm) + [MemberData(nameof(CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementationData))] + public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation( + EncryptionAlgorithm encryptionAlgorithm, + ValidationAlgorithm validationAlgorithm, + Func validationAlgorithmFactory) { // Parse test input int keyLengthInBits = Int32.Parse(Regex.Match(encryptionAlgorithm.ToString(), @"^AES_(?\d{3})_CBC$").Groups["keyLength"].Value, CultureInfo.InvariantCulture); 
@@ -90,9 +99,9 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM var masterKey = Secret.Random(512 / 8); var control = new ManagedAuthenticatedEncryptor( keyDerivationKey: masterKey, - symmetricAlgorithmFactory: () => new AesCryptoServiceProvider(), + symmetricAlgorithmFactory: () => Aes.Create(), symmetricAlgorithmKeySizeInBytes: keyLengthInBits / 8, - validationAlgorithmFactory: () => KeyedHashAlgorithm.Create(validationAlgorithm.ToString())); + validationAlgorithmFactory: validationAlgorithmFactory); var test = CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey).CreateEncryptorInstance(); // Act & assert - data round trips properly from control to test diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs index 0a6c668364..270ed2dcfb 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -53,7 +53,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM var control = new ManagedAuthenticatedEncryptorDescriptor( new ManagedAuthenticatedEncryptionOptions() { - EncryptionAlgorithmType = typeof(AesCryptoServiceProvider), + EncryptionAlgorithmType = typeof(Aes), EncryptionAlgorithmKeySize = 192, ValidationAlgorithmType = typeof(HMACSHA384) }, 
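Review bot: `EncryptionAlgorithmType = typeof(Aes)` names an abstract class, so this control descriptor works only if the options type maps `Aes` to a concrete implementation before instantiating it, and that mapping is not visible in this diff. If it is handled there, a comment in the test would save the next reader the lookup, e.g. `// Aes is abstract: relies on the options type resolving it to a platform AES implementation`. The following hunk in the same file writes `typeof(Aes).AssemblyQualifiedName` into the serialized descriptor XML and depends on the same behaviour on the import side. The test method starts outside the hunk.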
@@ -67,7 +67,7 @@ namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationM k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== ", - typeof(AesCryptoServiceProvider).AssemblyQualifiedName, typeof(HMACSHA384).AssemblyQualifiedName); + typeof(Aes).AssemblyQualifiedName, typeof(HMACSHA384).AssemblyQualifiedName); var test = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); // Act & assert diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs index 4a47c64b29..db24e9b387 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs @@ -7,7 +7,7 @@ using Microsoft.AspNet.Testing.xunit; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection.Cng +namespace Microsoft.AspNet.DataProtection.Cng.Internal { public unsafe class CngAuthenticatedEncryptorBaseTests { @@ -89,7 +89,7 @@ namespace Microsoft.AspNet.DataProtection.Cng Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); } - internal abstract class MockableEncryptor : CngAuthenticatedEncryptorBase + public abstract class MockableEncryptor : CngAuthenticatedEncryptorBase { public override void Dispose() { diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs index 5e4e5b82fd..8d8c81a510 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs @@ -3,6 +3,7 @@ using System; using System.Threading; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Moq; using Xunit; 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs index 93bd512972..38eb189734 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs @@ -5,6 +5,7 @@ using System; using System.Collections.Generic; using System.Globalization; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs index fd41a98ff8..5dd7f0437a 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs @@ -5,6 +5,7 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.Testing; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs index 12676b836d..8c03d91c5f 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs 
@@ -5,9 +5,11 @@ using System; using System.IO; using System.Linq; using System.Net; +using System.Reflection; using System.Text; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.Testing; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index f136127af4..f3be5939ff 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -7,6 +7,7 @@ using System.Globalization; using System.Threading; using System.Threading.Tasks; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.Testing; using Microsoft.Extensions.DependencyInjection; using Moq; diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index a0c8e319ee..2d4aa76feb 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs @@ -8,6 +8,8 @@ using System.Xml; using System.Xml.Linq; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.Internal; +using Microsoft.AspNet.DataProtection.KeyManagement.Internal; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; 
diff --git a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs index a0e1d411a7..ff4646a2ae 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs @@ -5,6 +5,7 @@ using System; using System.Xml.Linq; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNet.DataProtection.Internal; using Microsoft.AspNet.DataProtection.XmlEncryption; using Moq; diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs index 450c778c57..79bb5ee555 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -195,7 +195,7 @@ namespace Microsoft.AspNet.DataProtection ["EncryptionType"] = "managed", ["EncryptionAlgorithmType"] = typeof(TripleDES).AssemblyQualifiedName, ["EncryptionAlgorithmKeySize"] = 2048, - ["ValidationAlgorithmType"] = typeof(HMACMD5).AssemblyQualifiedName + ["ValidationAlgorithmType"] = typeof(HMACSHA1).AssemblyQualifiedName }); var services = serviceCollection.BuildServiceProvider(); @@ -203,7 +203,7 @@ namespace Microsoft.AspNet.DataProtection { EncryptionAlgorithmType = typeof(TripleDES), EncryptionAlgorithmKeySize = 2048, - ValidationAlgorithmType = typeof(HMACMD5) + ValidationAlgorithmType = typeof(HMACSHA1) }); var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService(); diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index a09f77bbd7..a0f76c8795 100644 
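Review bot: The registry fixture in both hunks pairs `typeof(TripleDES)` with `EncryptionAlgorithmKeySize = 2048` and now `typeof(HMACSHA1)`, and nothing in the test says these values were chosen only because they differ from the defaults. 2048 bits is not a TripleDES key size, so the test appears to check that registry values are copied into the options unvalidated, not that the combination is usable; a reader could mistake it for a supported configuration. A one-line comment above the dictionary would settle it: `// Arbitrary non-default types and sizes: only the registry-to-options mapping is under test, not the strength or validity of the combination.` The enclosing test method starts and ends outside these hunks.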
--- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -21,7 +21,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories // Assert Assert.Equal(defaultDirInfo.FullName, - new DirectoryInfo(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ASP.NET", "DataProtection-Keys")).FullName); + new DirectoryInfo(Path.Combine(Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"), "ASP.NET", "DataProtection-Keys")).FullName); } [Fact] @@ -158,7 +158,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition { - public bool IsMet => (Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null); + public bool IsMet => Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%") != null; public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; } diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index bfaf877e89..7e013de0c0 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,6 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. +#if !DNXCORE50 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; @@ -58,3 +59,5 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption } } } +#endif + 
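Review bot: `IsMet` in `ConditionalRunTestOnlyIfLocalAppDataAvailable` is now always true, because `Environment.ExpandEnvironmentVariables` never returns null; when the variable is unset it returns the input text `%LOCALAPPDATA%` unchanged. The condition therefore no longer skips `DefaultKeyStorageDirectory_Property` on machines without the variable, and the expected path in that test would be built from the literal placeholder. Reading the variable directly keeps the skip meaningful, assuming the call is available on the dnxcore50 target: `public bool IsMet => !String.IsNullOrEmpty(Environment.GetEnvironmentVariable("LOCALAPPDATA"));`. The same always-non-null call returns under `#if DNXCORE50` in `GetLocalApplicationData()` in the later "Fix build" patch on this page, so the `!= null` check there needs the same change.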
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index d2ae16a7cd..3a0f6e520c 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -33,6 +33,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } +#if !DNXCORE50 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() @@ -51,5 +52,6 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption ExceptionAssert2.ThrowsCryptographicException(() => AnonymousImpersonation.Run(() => decryptor.Decrypt(encryptedXmlInfo.EncryptedElement))); } +#endif } } diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs index f6b03eaac6..7364fdad4e 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs @@ -4,6 +4,7 @@ using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNet.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index b63e75ac4d..7970ff1eca 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json 
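Review bot: `Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails` is compiled out on dnxcore50 by a bare `#if !DNXCORE50`, so the negative check that a different identity cannot decrypt the element silently stops running on that target. The reason is not visible here (presumably the impersonation helper is unavailable on CoreCLR), and a reader cannot tell whether the gap is intended or temporary. A comment on the directive would record it, for example `// AnonymousImpersonation is not available on CoreCLR; the cross-identity failure case is only covered on the desktop framework.`, with the wording adjusted to the real reason. The part of the method body between the two hunks is not shown.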
@@ -1,21 +1,32 @@ { - "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": { "type": "build", "version": "" }, - "Microsoft.AspNet.Testing": "1.0.0-*", - "Microsoft.Extensions.DependencyInjection": "1.0.0-*", - "Moq": "4.2.1312.1622", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "dependencies": { + "Microsoft.AspNet.DataProtection": "1.0.0-*", + "Microsoft.AspNet.DataProtection.Test.Shared": { + "type": "build", + "version": "" }, - "frameworks": { - "dnx451": { } + "Microsoft.AspNet.Testing": "1.0.0-*", + "Microsoft.Extensions.DependencyInjection": "1.0.0-*", + "xunit.runner.aspnet": "2.0.0-aspnet-*" + }, + "frameworks": { + "dnx451": { + "dependencies": { + "Moq": "4.2.1312.1622" + } }, - "commands": { - "test": "xunit.runner.aspnet" - }, - "compilationOptions": { - "allowUnsafe": true, - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "dnxcore50": { + "dependencies": { + "moq.netcore": "4.4.0-beta8" + } } + }, + "commands": { + "test": "xunit.runner.aspnet" + }, + "compilationOptions": { + "allowUnsafe": true, + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" + } } From 5f44e8540d1679794d4f537f030c146e9202af26 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 23 Nov 2015 11:31:50 -0800 Subject: [PATCH 200/493] Ensure Microsoft.AspNet.DataProtection.Test.Shared can compile in dnxcore50 --- .../project.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json index 70fcad2714..33e2b1875f 100644 --- a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json @@ -1,7 +1,11 @@ { "frameworks": { "dnx451": { }, - "dnxcore50": { } + "dnxcore50": { + "dependencies": { + "System.Runtime": "4.0.21-*" + } + } }, "shared": "**/*.cs" } 
From 79fca22b3bdceef7d735319aeb9ef86c8b35c01d Mon Sep 17 00:00:00 2001 From: John Luo Date: Tue, 1 Dec 2015 14:46:22 -0800 Subject: [PATCH 201/493] Reacting to verbose rename --- .../LoggingExtensions.cs | 78 +++++++++---------- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 2 +- .../KeyManagement/XmlKeyManagerTests.cs | 50 ++++++------ 3 files changed, 65 insertions(+), 65 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs index 72ed762ba4..b7667b503c 100644 --- a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs +++ b/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs 
@@ -147,43 +147,43 @@ namespace Microsoft.Extensions.Logging formatString: "Policy resolution states that a new key should be added to the key ring, but automatic generation of keys is disabled. Using fallback key {KeyId:B} with expiration {ExpirationDate:u} as default key."); _usingKeyAsDefaultKey = LoggerMessage.Define( eventId: 2, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Using key {KeyId:B} as the default key."); _openingCNGAlgorithmFromProviderWithHMAC = LoggerMessage.Define( eventId: 3, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Opening CNG algorithm '{HashAlgorithm}' from provider '{HashAlgorithmProvider}' with HMAC."); _openingCNGAlgorithmFromProviderWithChainingModeCBC = LoggerMessage.Define( eventId: 4, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode CBC."); _performingUnprotectOperationToKeyWithPurposes = LoggerMessage.Define( eventId: 5, - logLevel: LogLevel.Debug, + logLevel: LogLevel.Trace, formatString: "Performing unprotect operation to key {KeyId:B} with purposes {Purposes}."); _keyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed = LoggerMessage.Define( eventId: 6, - logLevel: LogLevel.Debug, + logLevel: LogLevel.Trace, formatString: "Key {KeyId:B} was not found in the key ring. Unprotect operation cannot proceed."); _keyWasRevokedCallerRequestedUnprotectOperationProceedRegardless = LoggerMessage.Define( eventId: 7, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Key {KeyId:B} was revoked. Caller requested unprotect operation proceed regardless."); _keyWasRevokedUnprotectOperationCannotProceed = LoggerMessage.Define( eventId: 8, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Key {KeyId:B} was revoked. 
Unprotect operation cannot proceed."); _openingCNGAlgorithmFromProviderWithChainingModeGCM = LoggerMessage.Define( eventId: 9, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Opening CNG algorithm '{EncryptionAlgorithm}' from provider '{EncryptionAlgorithmProvider}' with chaining mode GCM."); _usingManagedKeyedHashAlgorithm = LoggerMessage.Define( eventId: 10, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Using managed keyed hash algorithm '{FullName}'."); _usingManagedSymmetricAlgorithm = LoggerMessage.Define( eventId: 11, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Using managed symmetric algorithm '{FullName}'."); _keyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed = LoggerMessage.Define( eventId: 12, @@ -191,11 +191,11 @@ namespace Microsoft.Extensions.Logging formatString: "Key {KeyId:B} is ineligible to be the default key because its {MethodName} method failed."); _consideringKeyWithExpirationDateAsDefaultKey = LoggerMessage.Define( eventId: 13, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Considering key {KeyId:B} with expiration date {ExpirationDate:u} as default key."); _keyIsNoLongerUnderConsiderationAsDefault = LoggerMessage.Define( eventId: 14, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Key {KeyId:B} is no longer under consideration as default key because it is expired, revoked, or cannot be deciphered."); _unknownElementWithNameFoundInKeyringSkipping = LoggerMessage.Define( eventId: 15, @@ -203,7 +203,7 @@ namespace Microsoft.Extensions.Logging formatString: "Unknown element with name '{Name}' found in keyring, skipping."); _markedKeyAsRevokedInTheKeyring = LoggerMessage.Define( eventId: 16, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Marked key {KeyId:B} as revoked in the keyring."); _triedToProcessRevocationOfKeyButNoSuchKeyWasFound = LoggerMessage.Define( eventId: 17, 
@@ -211,15 +211,15 @@ namespace Microsoft.Extensions.Logging formatString: "Tried to process revocation of key {KeyId:B}, but no such key was found in keyring. Skipping."); _foundKey = LoggerMessage.Define( eventId: 18, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Found key {KeyId:B}."); _foundRevocationOfAllKeysCreatedPriorTo = LoggerMessage.Define( eventId: 19, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Found revocation of all keys created prior to {RevocationDate:u}."); _foundRevocationOfKey = LoggerMessage.Define( eventId: 20, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Found revocation of key {KeyId:B}."); _exceptionWhileProcessingRevocationElement = LoggerMessage.Define( eventId: 21, @@ -231,7 +231,7 @@ namespace Microsoft.Extensions.Logging formatString: "Revoking all keys as of {RevocationDate:u} for reason '{Reason}'."); _keyCacheExpirationTokenTriggeredByOperation = LoggerMessage.Define( eventId: 23, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Key cache expiration token triggered by '{OperationName}' operation."); _anExceptionOccurredWhileProcessingTheKeyElement = LoggerMessage.Define( eventId: 24, 
@@ -239,15 +239,15 @@ namespace Microsoft.Extensions.Logging formatString: "An exception occurred while processing the key element '{Element}'."); _anExceptionOccurredWhileProcessingTheKeyElementDebug = LoggerMessage.Define( eventId: 25, - logLevel: LogLevel.Debug, + logLevel: LogLevel.Trace, formatString: "An exception occurred while processing the key element '{Element}'."); _encryptingToWindowsDPAPIForCurrentUserAccount = LoggerMessage.Define( eventId: 26, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Encrypting to Windows DPAPI for current user account ({Name})."); _encryptingToWindowsDPAPINGUsingProtectionDescriptorRule = LoggerMessage.Define( eventId: 27, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Encrypting to Windows DPAPI-NG using protection descriptor rule '{DescriptorRule}'."); _anErrorOccurredWhileEncryptingToX509CertificateWithThumbprint = LoggerMessage.Define( eventId: 28, @@ -255,7 +255,7 @@ namespace Microsoft.Extensions.Logging formatString: "An error occurred while encrypting to X.509 certificate with thumbprint '{Thumbprint}'."); _encryptingToX509CertificateWithThumbprint = LoggerMessage.Define( eventId: 29, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Encrypting to X.509 certificate with thumbprint '{Thumbprint}'."); _exceptionOccurredWhileTryingToResolveCertificateWithThumbprint = LoggerMessage.Define( eventId: 30, 
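Review bot: Event 25, `_anExceptionOccurredWhileProcessingTheKeyElementDebug`, moves to `LogLevel.Trace`, but nothing in the definition says that its `{Element}` argument can carry key material. The XmlKeyManagerTests change in the same commit asserts that the secret appears in the log output at Trace and not at Debug, so this level looks like the only thing keeping secrets out of ordinary diagnostic logs, and a later level cleanup could undo that unnoticed. I would add a comment above the definition: `// Logs the unredacted key element, secrets included; keep this at the lowest level (Trace) and never raise it.` Event 24 uses the same format string at a level this hunk does not show, presumably with a redacted element, so the comment should say which of the two is safe to surface.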
@@ -263,19 +263,19 @@ namespace Microsoft.Extensions.Logging formatString: "An exception occurred while trying to resolve certificate with thumbprint '{Thumbprint}'."); _performingProtectOperationToKeyWithPurposes = LoggerMessage.Define( eventId: 31, - logLevel: LogLevel.Debug, + logLevel: LogLevel.Trace, formatString: "Performing protect operation to key {KeyId:B} with purposes {Purposes}."); _descriptorDeserializerTypeForKeyIs = LoggerMessage.Define( eventId: 32, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Descriptor deserializer type for key {KeyId:B} is '{AssemblyQualifiedName}'."); _keyEscrowSinkFoundWritingKeyToEscrow = LoggerMessage.Define( eventId: 33, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Key escrow sink found. Writing key {KeyId:B} to escrow."); _noKeyEscrowSinkFoundNotWritingKeyToEscrow = LoggerMessage.Define( eventId: 34, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "No key escrow sink found. Not writing key {KeyId:B} to escrow."); _noXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm = LoggerMessage.Define( eventId: 35, @@ -287,11 +287,11 @@ namespace Microsoft.Extensions.Logging formatString: "Revoking key {KeyId:B} at {RevocationDate:u} for reason '{Reason}'."); _readingDataFromFile = LoggerMessage.Define( eventId: 37, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Reading data from file '{FullPath}'."); _nameIsNotSafeFileName = LoggerMessage.Define( eventId: 38, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "The name '{FriendlyName}' is not a safe file name, using '{NewFriendlyName}' instead."); _writingDataToFile = LoggerMessage.Define( eventId: 39, 
@@ -299,15 +299,15 @@ namespace Microsoft.Extensions.Logging formatString: "Writing data to file '{FileName}'."); _readingDataFromRegistryKeyValue = LoggerMessage.Define( eventId: 40, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Reading data from registry key '{RegistryKeyName}', value '{Value}'."); _nameIsNotSafeRegistryValueName = LoggerMessage.Define( eventId: 41, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "The name '{FriendlyName}' is not a safe registry value name, using '{NewFriendlyName}' instead."); _decryptingSecretElementUsingWindowsDPAPING = LoggerMessage.Define( eventId: 42, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Decrypting secret element using Windows DPAPI-NG with protection descriptor rule '{DescriptorRule}'."); _exceptionOccurredTryingToDecryptElement = LoggerMessage.Define( eventId: 43, @@ -323,7 +323,7 @@ namespace Microsoft.Extensions.Logging formatString: "Using ephemeral data protection provider. Payloads will be undecipherable upon application shutdown."); _existingCachedKeyRingIsExpiredRefreshing = LoggerMessage.Define( eventId: 46, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Existing cached key ring is expired. Refreshing."); _errorOccurredWhileRefreshingKeyRing = LoggerMessage.Define( eventId: 47, 
@@ -343,15 +343,15 @@ namespace Microsoft.Extensions.Logging formatString: "Using an in-memory repository. Keys will not be persisted to storage."); _decryptingSecretElementUsingWindowsDPAPI = LoggerMessage.Define( eventId: 51, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Decrypting secret element using Windows DPAPI."); _defaultKeyExpirationImminentAndRepository = LoggerMessage.Define( eventId: 52, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Default key expiration imminent and repository contains no viable successor. Caller should generate a successor."); _repositoryContainsNoViableDefaultKey = LoggerMessage.Define( eventId: 53, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Repository contains no viable default key. Caller should generate a key with immediate activation."); _errorOccurredWhileEncryptingToWindowsDPAPI = LoggerMessage.Define( eventId: 54, @@ -359,7 +359,7 @@ namespace Microsoft.Extensions.Logging formatString: "An error occurred while encrypting to Windows DPAPI."); _encryptingToWindowsDPAPIForLocalMachineAccount = LoggerMessage.Define( eventId: 55, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Encrypting to Windows DPAPI for local machine account."); _errorOccurredWhileEncryptingToWindowsDPAPING = LoggerMessage.Define( eventId: 56, @@ -367,7 +367,7 @@ namespace Microsoft.Extensions.Logging formatString: "An error occurred while encrypting to Windows DPAPI-NG."); _policyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing = LoggerMessage.Define( eventId: 57, - logLevel: LogLevel.Verbose, + logLevel: LogLevel.Debug, formatString: "Policy resolution states that a new key should be added to the key ring."); _creatingKey = LoggerMessage.Define( eventId: 58, 
@@ -421,13 +421,13 @@ namespace Microsoft.Extensions.Logging } /// - /// Returns a value stating whether the 'verbose' log level is enabled. + /// Returns a value stating whether the 'trace' log level is enabled. /// Returns false if the logger instance is null. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] - public static bool IsVerboseLevelEnabled(this ILogger logger) + public static bool IsTraceLevelEnabled(this ILogger logger) { - return IsLogLevelEnabledCore(logger, LogLevel.Verbose); + return IsLogLevelEnabledCore(logger, LogLevel.Trace); } /// diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index 12296ffaac..8062968e57 100644 --- a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -60,7 +60,7 @@ namespace Microsoft.AspNet.DataProtection.XmlEncryption // byte[] protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")); - if (_logger.IsVerboseLevelEnabled()) + if (_logger.IsDebugLevelEnabled()) { string protectionDescriptorRule; try diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index 2d4aa76feb..1e15316555 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs 
@@ -514,31 +514,7 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement } [Fact] - public void GetAllKeys_WithKeyDeserializationError_LogLevelVerbose_DoesNotWriteSensitiveInformation() - { - // Arrange - const string xml = @" - - - - 2015-01-01T00:00:00Z - 2015-02-01T00:00:00Z - NOT A VALID DATE - - - "; - - var loggerFactory = new StringLoggerFactory(LogLevel.Verbose); - - // Act - RunGetAllKeysCore(xml, new Mock().Object, loggerFactory).ToArray(); - - // Assert - Assert.False(loggerFactory.ToString().Contains("1A2B3C4D"), "The secret '1A2B3C4D' should not have been logged."); - } - - [Fact] - public void GetAllKeys_WithKeyDeserializationError_LogLevelDebug_WritesSensitiveInformation() + public void GetAllKeys_WithKeyDeserializationError_LogLevelDebug_DoesNotWriteSensitiveInformation() { // Arrange const string xml = @" @@ -557,6 +533,30 @@ namespace Microsoft.AspNet.DataProtection.KeyManagement // Act RunGetAllKeysCore(xml, new Mock().Object, loggerFactory).ToArray(); + // Assert + Assert.False(loggerFactory.ToString().Contains("1A2B3C4D"), "The secret '1A2B3C4D' should not have been logged."); + } + + [Fact] + public void GetAllKeys_WithKeyDeserializationError_LogLevelTrace_WritesSensitiveInformation() + { + // Arrange + const string xml = @" + + + + 2015-01-01T00:00:00Z + 2015-02-01T00:00:00Z + NOT A VALID DATE + + + "; + + var loggerFactory = new StringLoggerFactory(LogLevel.Trace); + + // Act + RunGetAllKeysCore(xml, new Mock().Object, loggerFactory).ToArray(); + // Assert Assert.True(loggerFactory.ToString().Contains("1A2B3C4D"), "The secret '1A2B3C4D' should have been logged."); } From 6fabd6f064608093773091d6f75ada6148428b87 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 7 Dec 2015 19:09:28 -0800 Subject: [PATCH 202/493] Removing unused dependencies --- .../project.json | 7 +------ src/Microsoft.AspNet.DataProtection/project.json | 3 --- 2 files changed, 1 insertion(+), 9 deletions(-) 
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index f1e1e2f7cf..459b511e85 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -16,12 +16,7 @@ "net451": {}, "dotnet5.4": { "dependencies": { - "System.ComponentModel": "4.0.1-*", - "System.Diagnostics.Debug": "4.0.11-*", - "System.Reflection": "4.0.11-*", - "System.Runtime.Extensions": "4.0.11-*", - "System.Security.Cryptography.Primitives": "4.0.0-*", - "System.Text.Encoding.Extensions": "4.0.11-*" + "System.Diagnostics.Debug": "4.0.11-*" } } }, diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index 4cc07dbbbf..e5685ebebc 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -28,9 +28,6 @@ "dotnet5.4": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-*", - "System.Linq": "4.0.1-*", - "System.Reflection.Extensions": "4.0.1-*", - "System.Reflection.TypeExtensions": "4.0.1-*", "System.Security.Cryptography.X509Certificates": "4.0.0-*", "System.Security.Claims": "4.0.1-*", "System.Security.Principal.Windows": "4.0.0-*", From 0cbd6838253ecbf439f5abf4287b90be931cc149 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Mon, 7 Dec 2015 16:21:57 -0800 Subject: [PATCH 203/493] nix does not have %LOCALAPPDATA%, use SpecialFolder.LocalApplicationData instead --- .../Repositories/FileSystemXmlRepositoryTests.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index a0f76c8795..c563dcc17d 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs 
+++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -21,7 +21,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories // Assert Assert.Equal(defaultDirInfo.FullName, - new DirectoryInfo(Path.Combine(Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"), "ASP.NET", "DataProtection-Keys")).FullName); + new DirectoryInfo(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ASP.NET", "DataProtection-Keys")).FullName); } [Fact] @@ -158,7 +158,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition { - public bool IsMet => Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%") != null; + public bool IsMet => Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null; public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; } From df3ba7e427984cff51fe71409aa5d43a1db93c7a Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Thu, 10 Dec 2015 09:37:19 -0800 Subject: [PATCH 204/493] Fix build --- .../Repositories/FileSystemXmlRepositoryTests.cs | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index c563dcc17d..7a56490ea2 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs 
@@ -16,12 +16,13 @@ namespace Microsoft.AspNet.DataProtection.Repositories [ConditionalRunTestOnlyIfLocalAppDataAvailable] public void DefaultKeyStorageDirectory_Property() { + // Act var defaultDirInfo = FileSystemXmlRepository.DefaultKeyStorageDirectory; // Assert Assert.Equal(defaultDirInfo.FullName, - new DirectoryInfo(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ASP.NET", "DataProtection-Keys")).FullName); + new DirectoryInfo(Path.Combine(GetLocalApplicationData(), "ASP.NET", "DataProtection-Keys")).FullName); } [Fact] @@ -156,9 +157,18 @@ namespace Microsoft.AspNet.DataProtection.Repositories } } + private static string GetLocalApplicationData() + { +#if DNXCORE50 + return Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"); +#else + return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); +#endif + } + private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition { - public bool IsMet => Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) != null; + public bool IsMet => GetLocalApplicationData() != null; public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; } From cc6b4b28fa7afd31c4d25e63a5ae1a76ab8f3fe0 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 11 Dec 2015 12:22:24 -0800 Subject: [PATCH 205/493] Updating to release NuGet.config. --- NuGet.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.config b/NuGet.config index 1707938c61..9db87a421e 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + \ No newline at end of file From 29e87e314aa51ebdcc20232ae96d2c6bad598a9c Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Mon, 14 Dec 2015 14:32:55 -0800 Subject: [PATCH 206/493] Fix coreclr registry and file system related tests --- .../RegistryPolicyResolverTests.cs | 3 ++- .../Repositories/FileSystemXmlRepositoryTests.cs | 3 +-- .../Repositories/RegistryXmlRepositoryTests.cs | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs index 79bb5ee555..91811515d6 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -13,6 +13,7 @@ using Microsoft.AspNet.Testing.xunit; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Extensions.OptionsModel; +using Microsoft.Extensions.PlatformAbstractions; using Microsoft.Win32; using Xunit; @@ -259,7 +260,7 @@ namespace Microsoft.AspNet.DataProtection private class ConditionalRunTestOnlyIfHkcuRegistryAvailable : Attribute, ITestCondition { - public bool IsMet => (LazyHkcuTempKey.Value != null); + public bool IsMet => (PlatformServices.Default.Runtime.OperatingSystem == "Windows" && LazyHkcuTempKey.Value != null); public string SkipReason { get; } = "HKCU registry couldn't be opened."; } diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 7a56490ea2..f175b00283 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs 
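Review bot: `SkipReason` in `ConditionalRunTestOnlyIfHkcuRegistryAvailable` still says "HKCU registry couldn't be opened." although `IsMet` now also fails on every non-Windows runtime, so a skipped run on Linux or OS X reports a registry fault that never occurred. Wording such as `"HKCU registry is only available on Windows, or couldn't be opened."` keeps the test log honest about why registry-backed policy and key-repository tests did not run. The order of the `&&` operands also carries meaning, since the OS comparison short-circuits before `LazyHkcuTempKey.Value` is read (presumably the registry open; its definition is outside the hunk), and that deserves a comment: `// OS check first so LazyHkcuTempKey is never evaluated off Windows`. The identical attribute changed in RegistryXmlRepositoryTests.cs needs the same two edits.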
@@ -16,7 +16,6 @@ namespace Microsoft.AspNet.DataProtection.Repositories [ConditionalRunTestOnlyIfLocalAppDataAvailable] public void DefaultKeyStorageDirectory_Property() { - // Act var defaultDirInfo = FileSystemXmlRepository.DefaultKeyStorageDirectory; @@ -160,7 +159,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private static string GetLocalApplicationData() { #if DNXCORE50 - return Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"); + return Environment.GetEnvironmentVariable("LOCALAPPDATA"); #else return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); #endif diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs index 206b804fab..3e5cfae000 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs @@ -5,6 +5,7 @@ using System; using System.Linq; using System.Xml.Linq; using Microsoft.AspNet.Testing.xunit; +using Microsoft.Extensions.PlatformAbstractions; using Microsoft.Win32; using Xunit; @@ -158,7 +159,7 @@ namespace Microsoft.AspNet.DataProtection.Repositories private class ConditionalRunTestOnlyIfHkcuRegistryAvailable : Attribute, ITestCondition { - public bool IsMet => (LazyHkcuTempKey.Value != null); + public bool IsMet => (PlatformServices.Default.Runtime.OperatingSystem == "Windows" && LazyHkcuTempKey.Value != null); public string SkipReason { get; } = "HKCU registry couldn't be opened."; } From 38096136184862b04e3f16eee48bd6c66067837c Mon Sep 17 00:00:00 2001 From: Chris R Date: Thu, 17 Dec 2015 15:37:20 -0800 Subject: [PATCH 207/493] Add missing System.ComponentModel dependency. --- src/Microsoft.AspNet.DataProtection.Abstractions/project.json | 1 + 1 file changed, 1 insertion(+) 
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json index 459b511e85..f96c056086 100644 --- a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNet.DataProtection.Abstractions/project.json @@ -16,6 +16,7 @@ "net451": {}, "dotnet5.4": { "dependencies": { + "System.ComponentModel": "4.0.1-*", "System.Diagnostics.Debug": "4.0.11-*" } } From f073d0556b504294192652fa0840aa2a9871981c Mon Sep 17 00:00:00 2001 From: Hao Kung Date: Mon, 21 Dec 2015 14:47:58 -0800 Subject: [PATCH 208/493] React to OptionsModel => Options --- .../DataProtectionProviderFactory.cs | 2 +- .../DataProtectionServiceDescriptors.cs | 2 +- src/Microsoft.AspNet.DataProtection/project.json | 2 +- .../RegistryPolicyResolverTests.cs | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs index 55fe4fd22d..2beea59828 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs @@ -4,7 +4,7 @@ using System; using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.OptionsModel; +using Microsoft.Extensions.Options; namespace Microsoft.AspNet.DataProtection { diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs index 0e02d9e5eb..67cb036f1f 100644 --- a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs 
@@ -10,7 +10,7 @@ using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.DataProtection.Repositories; using Microsoft.AspNet.DataProtection.XmlEncryption; -using Microsoft.Extensions.OptionsModel; +using Microsoft.Extensions.Options; using Microsoft.Win32; #if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNet.DataProtection/project.json index e5685ebebc..5ef1f6ead8 100644 --- a/src/Microsoft.AspNet.DataProtection/project.json +++ b/src/Microsoft.AspNet.DataProtection/project.json @@ -14,7 +14,7 @@ }, "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", - "Microsoft.Extensions.OptionsModel": "1.0.0-*" + "Microsoft.Extensions.Options": "1.0.0-*" }, "frameworks": { "net451": { diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs index 91811515d6..5513d6c7f0 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -12,7 +12,7 @@ using Microsoft.AspNet.DataProtection.KeyManagement; using Microsoft.AspNet.Testing.xunit; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; -using Microsoft.Extensions.OptionsModel; +using Microsoft.Extensions.Options; using Microsoft.Extensions.PlatformAbstractions; using Microsoft.Win32; using Xunit; From 4a9990a83c9040de99e6f07dd1f583d2c1a567b3 Mon Sep 17 00:00:00 2001 
From: Victor Hurdugaci Date: Wed, 6 Jan 2016 13:35:29 -0800 Subject: [PATCH 209/493] Build with dotnet --- .gitattributes | 2 + .gitignore | 4 +- .travis.yml | 8 +- appveyor.yml | 2 +- build.cmd | 68 +++++++------- build.sh | 47 +++++----- makefile.shade | 90 ++++--------------- .../project.json | 15 +++- .../project.json | 15 +++- .../project.json | 9 +- .../project.json | 9 +- .../project.json | 9 +- 12 files changed, 128 insertions(+), 150 deletions(-) diff --git a/.gitattributes b/.gitattributes index bdaa5ba982..c2f0f84273 100644 --- a/.gitattributes +++ b/.gitattributes @@ -48,3 +48,5 @@ *.fsproj text=auto *.dbproj text=auto *.sln text=auto eol=crlf + +*.sh eol=lf \ No newline at end of file diff --git a/.gitignore b/.gitignore index 0d01a992a1..0fb89cd896 100644 --- a/.gitignore +++ b/.gitignore @@ -25,4 +25,6 @@ nuget.exe *.ipch *.sln.ide project.lock.json -.vs \ No newline at end of file +.vs +.build/ +.testPublish/ \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 2fc624899f..bf811dc26a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,9 +10,11 @@ addons: - libssl-dev - libunwind8 - zlib1g -env: - - KOREBUILD_DNU_RESTORE_CORECLR=true mono: - 4.0.5 +os: + - linux + - osx +osx_image: xcode7.1 script: - - ./build.sh --quiet verify + - ./build.sh verify \ No newline at end of file diff --git a/appveyor.yml b/appveyor.yml index 636a7618d3..3fab83e134 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,7 +1,7 @@ init: - git config --global core.autocrlf true build_script: - - build.cmd --quiet verify + - build.cmd verify clone_depth: 1 test: off deploy: off \ No newline at end of file diff --git a/build.cmd b/build.cmd index 553e3929a0..ebb619e737 100644 --- a/build.cmd +++ b/build.cmd 
@@ -1,40 +1,40 @@ -@echo off -cd %~dp0 - +@ECHO off SETLOCAL + +SET REPO_FOLDER=%~dp0 +CD %REPO_FOLDER% + +SET BUILD_FOLDER=.build +SET KOREBUILD_FOLDER=%BUILD_FOLDER%\KoreBuild-dotnet +SET KOREBUILD_VERSION= + +SET NUGET_PATH=%BUILD_FOLDER%\NuGet.exe SET NUGET_VERSION=latest SET CACHED_NUGET=%LocalAppData%\NuGet\nuget.%NUGET_VERSION%.exe -SET BUILDCMD_KOREBUILD_VERSION= -SET BUILDCMD_DNX_VERSION= -IF EXIST %CACHED_NUGET% goto copynuget -echo Downloading latest version of NuGet.exe... -IF NOT EXIST %LocalAppData%\NuGet md %LocalAppData%\NuGet -@powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://dist.nuget.org/win-x86-commandline/%NUGET_VERSION%/nuget.exe' -OutFile '%CACHED_NUGET%'" - -:copynuget -IF EXIST .nuget\nuget.exe goto restore -md .nuget -copy %CACHED_NUGET% .nuget\nuget.exe > nul - -:restore -IF EXIST packages\Sake goto getdnx -IF "%BUILDCMD_KOREBUILD_VERSION%"=="" ( - .nuget\nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre -) ELSE ( - .nuget\nuget.exe install KoreBuild -version %BUILDCMD_KOREBUILD_VERSION% -ExcludeVersion -o packages -nocache -pre -) -.nuget\NuGet.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages - -:getdnx -IF "%BUILDCMD_DNX_VERSION%"=="" ( - SET BUILDCMD_DNX_VERSION=latest -) -IF "%SKIP_DNX_INSTALL%"=="" ( - CALL packages\KoreBuild\build\dnvm install %BUILDCMD_DNX_VERSION% -runtime CoreCLR -arch x86 -alias default - CALL packages\KoreBuild\build\dnvm install default -runtime CLR -arch x86 -alias default -) ELSE ( - CALL packages\KoreBuild\build\dnvm use default -runtime CLR -arch x86 +IF NOT EXIST %BUILD_FOLDER% ( + md %BUILD_FOLDER% ) -packages\Sake\tools\Sake.exe -I packages\KoreBuild\build -f makefile.shade %* +IF NOT EXIST %NUGET_PATH% ( + IF NOT EXIST %CACHED_NUGET% ( + echo Downloading latest version of NuGet.exe... 
+ IF NOT EXIST %LocalAppData%\NuGet ( + md %LocalAppData%\NuGet + ) + @powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://dist.nuget.org/win-x86-commandline/%NUGET_VERSION%/nuget.exe' -OutFile '%CACHED_NUGET%'" + ) + + copy %CACHED_NUGET% %NUGET_PATH% > nul +) + +IF NOT EXIST %KOREBUILD_FOLDER% ( + SET KOREBUILD_DOWNLOAD_ARGS= + IF NOT "%KOREBUILD_VERSION%"=="" ( + SET KOREBUILD_DOWNLOAD_ARGS=-version %KOREBUILD_VERSION% + ) + + %BUILD_FOLDER%\nuget.exe install KoreBuild-dotnet -ExcludeVersion -o %BUILD_FOLDER% -nocache -pre %KOREBUILD_DOWNLOAD_ARGS% +) + +"%KOREBUILD_FOLDER%\build\KoreBuild.cmd" %* diff --git a/build.sh b/build.sh index da4e3fcd1c..7b5e25e3a8 100755 --- a/build.sh +++ b/build.sh @@ -1,5 +1,18 @@ #!/usr/bin/env bash +SOURCE="${BASH_SOURCE[0]}" +while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located +done +repoFolder="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + +buildFolder=.build +koreBuildFolder=$buildFolder/KoreBuild-dotnet + +nugetPath=$buildFolder/nuget.exe + if test `uname` = Darwin; then cachedir=~/Library/Caches/KBuild else 
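Review bot: A version placed in `KOREBUILD_VERSION` is silently ignored, because `%KOREBUILD_DOWNLOAD_ARGS%` on the `nuget.exe install` line is expanded when the whole `IF NOT EXIST %KOREBUILD_FOLDER% ( ... )` block is parsed, before the `SET` inside the block has run, and the script does not enable delayed expansion. The build therefore always installs the newest `-pre` KoreBuild-dotnet package and then runs its `KoreBuild.cmd`, even when a maintainer believes the package is pinned. Compute the argument before the block with `IF NOT "%KOREBUILD_VERSION%"=="" SET KOREBUILD_DOWNLOAD_ARGS=-version %KOREBUILD_VERSION%`, or use `SETLOCAL ENABLEDELAYEDEXPANSION` with `!KOREBUILD_DOWNLOAD_ARGS!`. The `nuget.exe` that performs the install is likewise fetched as `latest` and executed without any integrity check, so recording a pinned version and an expected hash for it belongs in the same change.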
@@ -11,33 +24,25 @@ else fi mkdir -p $cachedir nugetVersion=latest -cachePath=$cachedir/nuget.$nugetVersion.exe +cacheNuget=$cachedir/nuget.$nugetVersion.exe -url=https://dist.nuget.org/win-x86-commandline/$nugetVersion/nuget.exe +nugetUrl=https://dist.nuget.org/win-x86-commandline/$nugetVersion/nuget.exe -if test ! -f $cachePath; then - wget -O $cachePath $url 2>/dev/null || curl -o $cachePath --location $url /dev/null +if test ! -d $buildFolder; then + mkdir $buildFolder fi -if test ! -e .nuget; then - mkdir .nuget - cp $cachePath .nuget/nuget.exe +if test ! -f $nugetPath; then + if test ! -f $cacheNuget; then + wget -O $cacheNuget $nugetUrl 2>/dev/null || curl -o $cacheNuget --location $nugetUrl /dev/null + fi + + cp $cacheNuget $nugetPath fi -if test ! -d packages/Sake; then - mono .nuget/nuget.exe install KoreBuild -ExcludeVersion -o packages -nocache -pre - mono .nuget/nuget.exe install Sake -ExcludeVersion -Source https://www.nuget.org/api/v2/ -Out packages +if test ! -d $koreBuildFolder; then + mono $nugetPath install KoreBuild-dotnet -ExcludeVersion -o $buildFolder -nocache -pre fi -if ! type dnvm > /dev/null 2>&1; then - source packages/KoreBuild/build/dnvm.sh -fi +source $koreBuildFolder/build/KoreBuild.sh -if ! type dnx > /dev/null 2>&1 || [ -z "$SKIP_DNX_INSTALL" ]; then - dnvm install latest -runtime coreclr -alias default - dnvm install default -runtime mono -alias default -else - dnvm use default -runtime mono -fi - -mono packages/Sake/tools/Sake.exe -I packages/KoreBuild/build -f makefile.shade "$@" diff --git a/makefile.shade b/makefile.shade index 2364f26b21..46e9653763 100644 --- a/makefile.shade +++ b/makefile.shade @@ -1,5 +1,3 @@ -use assembly='WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' -use namespace='System.IO.Packaging' use import="Environment" var VERSION='0.1' 
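Review bot: The `wget -O $cacheNuget ... || curl -o $cacheNuget ...` line writes straight into the cache path, so a failed or interrupted transfer can leave an empty or truncated `nuget.exe` that the `test ! -f $cacheNuget` guard accepts on every later run, and the file is then copied and executed under `mono` with no check of what was downloaded. Downloading to a temporary name and renaming only on success (`wget -O $cacheNuget.tmp $nugetUrl && mv $cacheNuget.tmp $cacheNuget`, same for the `curl` branch) closes the first gap. Pinning `nugetVersion` to a specific release and comparing the file with a recorded SHA-256 before use covers the second; as written, `latest` for nuget.exe plus `-pre` for KoreBuild-dotnet means two unpinned downloads are executed on every clean build. The trailing `/dev/null` on the `curl` fallback looks like it was meant to be a `2>/dev/null` redirect.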
@@ -9,78 +7,20 @@ var AUTHORS='Microsoft Open Technologies, Inc.' use-standard-lifecycle k-standard-goals -var Configuration2='${E("Configuration")}' -var ROOT = '${Directory.GetCurrentDirectory()}' -var BUILD_DIR2 = '${Path.Combine(ROOT, "build")}' +var Configuration_Local = '${E("Configuration")}' +var ROOT_Local = '${Directory.GetCurrentDirectory()}' +var BUILD_DIR_Local = '${Path.Combine(ROOT_Local, "build")}' -#build-compile target='compile' if='!IsWindows && !IsBuildV2 && Directory.Exists("src")' - @{ - var projectFiles = Files.Include("src/**/project.json") - .Exclude("src/Microsoft.AspNet.DataProtection.SystemWeb/project.json") - .ToList(); - - if (ShouldRunInParallel) - { - Parallel.ForEach(projectFiles, projectFile => DnuPack(projectFile, BUILD_DIR2, Configuration2)); - } - else - { - projectFiles.ForEach(projectFile => DnuPack(projectFile, BUILD_DIR2, Configuration2)); - } - - foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR2, "*/*.nupkg"))) - { - File.Copy(nupkg, Path.Combine(BUILD_DIR2, Path.GetFileName(nupkg)), true); - } +#build-compile target='compile' if='IsLinux' + @{ + var projectFiles = Files.Include("src/**/project.json") + .Exclude("src/Microsoft.AspNet.DataProtection.SystemWeb/project.json") + .ToList(); + + projectFiles.ForEach(projectFile => DotnetPack(projectFile, BUILD_DIR_Local, Configuration_Local)); + + foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR_Local, "*/*.nupkg"))) + { + File.Copy(nupkg, Path.Combine(BUILD_DIR_Local, Path.GetFileName(nupkg)), true); } - -#build-compile target='compile' if='!IsWindows && IsBuildV2' - @{ - if (Directory.Exists("src")) - { - var projects = Files.Include("src/*") - .Exclude("src/Microsoft.AspNet.DataProtection.SystemWeb") - .ToList(); - - DnuPack(string.Join(";", projects), BUILD_DIR2, Configuration2); - - foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR2, "*/*.nupkg"))) - { - File.Copy(nupkg, Path.Combine(BUILD_DIR2, Path.GetFileName(nupkg)), true); - } - } - - if 
(Directory.Exists("test")) - { - DnuBuild("test/*", Configuration2); - } - } - -functions - @{ - PackagePart CreatePartFromFile( - Package destination, - string sourceFileName, - string partUriString) - { - var partUri = PackUriHelper.CreatePartUri(new Uri(partUriString, UriKind.Relative)); - var packagePart = destination.CreatePart(partUri, "application/octet", CompressionOption.Maximum); - - using (var sourceStream = File.OpenRead(sourceFileName)) - using (var stream = packagePart.GetStream()) - { - sourceStream.CopyTo(stream); - } - - return packagePart; - } - - bool IsWindows - { - get - { - var p = (int)Environment.OSVersion.Platform; - return (p != 4) && (p != 6) && (p != 128); - } - } - } \ No newline at end of file + } \ No newline at end of file diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json index 741892fb6b..96f149e31c 100644 --- a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json @@ -6,12 +6,21 @@ "version": "" }, "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit": "2.1.0" }, "frameworks": { - "dnx451": { }, - "dnxcore50": { } + "dnx451": { + "dependencies": { + "xunit.runner.console": "2.1.0" + } + }, + "dnxcore50": { + "dependencies": { + "xunit.runner.aspnet": "2.0.0-aspnet-*" + } + } }, + "testRunner": "xunit", "commands": { "test": "xunit.runner.aspnet" }, diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json index 09cf034660..61c2870baf 100644 --- a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json 
@@ -4,12 +4,21 @@ "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", "Microsoft.AspNet.DataProtection.Test.Shared": "", "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit": "2.1.0" }, "frameworks": { - "dnx451": { }, - "dnxcore50": { } + "dnx451": { + "dependencies": { + "xunit.runner.console": "2.1.0" + } + }, + "dnxcore50": { + "dependencies": { + "xunit.runner.aspnet": "2.0.0-aspnet-*" + } + } }, + "testRunner": "xunit", "commands": { "test": "xunit.runner.aspnet" }, diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json index 8ceb6a391c..793a08beeb 100644 --- a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json @@ -3,20 +3,23 @@ "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit": "2.1.0" }, "frameworks": { "dnx451": { "dependencies": { - "Moq": "4.2.1312.1622" + "Moq": "4.2.1312.1622", + "xunit.runner.console": "2.1.0" } }, "dnxcore50": { "dependencies": { - "moq.netcore": "4.4.0-beta8" + "moq.netcore": "4.4.0-beta8", + "xunit.runner.aspnet": "2.0.0-aspnet-*" } } }, + "testRunner": "xunit", "commands": { "test": "xunit.runner.aspnet" }, diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json index 2f098cd064..d0159eb435 100644 --- a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json 
@@ -7,20 +7,23 @@ "version": "" }, "Microsoft.AspNet.Testing": "1.0.0-*", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit": "2.1.0" }, "frameworks": { "dnx451": { "dependencies": { - "Moq": "4.2.1312.1622" + "Moq": "4.2.1312.1622", + "xunit.runner.console": "2.1.0" } }, "dnxcore50": { "dependencies": { - "moq.netcore": "4.4.0-beta8" + "moq.netcore": "4.4.0-beta8", + "xunit.runner.aspnet": "2.0.0-aspnet-*" } } }, + "testRunner": "xunit", "commands": { "test": "xunit.runner.aspnet" }, diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNet.DataProtection.Test/project.json index 7970ff1eca..4d06843dbb 100644 --- a/test/Microsoft.AspNet.DataProtection.Test/project.json +++ b/test/Microsoft.AspNet.DataProtection.Test/project.json @@ -7,20 +7,23 @@ }, "Microsoft.AspNet.Testing": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.0.0-*", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit": "2.1.0" }, "frameworks": { "dnx451": { "dependencies": { - "Moq": "4.2.1312.1622" + "Moq": "4.2.1312.1622", + "xunit.runner.console": "2.1.0" } }, "dnxcore50": { "dependencies": { - "moq.netcore": "4.4.0-beta8" + "moq.netcore": "4.4.0-beta8", + "xunit.runner.aspnet": "2.0.0-aspnet-*" } } }, + "testRunner": "xunit", "commands": { "test": "xunit.runner.aspnet" }, From cec205115143e5f2bfab8cdde91bab7ba601cb8a Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 14 Jan 2016 16:41:14 -0800 Subject: [PATCH 210/493] Updating build script --- build.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/build.sh b/build.sh index 7b5e25e3a8..263fb667a8 100755 --- a/build.sh +++ b/build.sh 
@@ -1,13 +1,5 @@ #!/usr/bin/env bash -SOURCE="${BASH_SOURCE[0]}" -while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink - DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" - SOURCE="$(readlink "$SOURCE")" - [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located -done -repoFolder="$( cd -P "$( dirname "$SOURCE" )" && pwd )" - buildFolder=.build koreBuildFolder=$buildFolder/KoreBuild-dotnet @@ -42,7 +34,12 @@ fi if test ! -d $koreBuildFolder; then mono $nugetPath install KoreBuild-dotnet -ExcludeVersion -o $buildFolder -nocache -pre + chmod +x $koreBuildFolder/build/KoreBuild.sh fi -source $koreBuildFolder/build/KoreBuild.sh +makeFile=makefile.shade +if [ ! -e $makeFile ]; then + makeFile=$koreBuildFolder/build/makefile.shade +fi +./$koreBuildFolder/build/KoreBuild.sh -n $nugetPath -m $makeFile "$@" From c8aa4c2c51e44bae6f455d3797b3366c43a5cc3d Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 20 Jan 2016 20:39:57 -0800 Subject: [PATCH 211/493] Reacting to CoreCLR version changes --- src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json index 3a4d70c7c1..179a389151 100644 --- a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json @@ -12,7 +12,7 @@ "net451": {}, "dotnet5.4": { "dependencies": { - "System.Runtime.Extensions": "4.0.11-*", + "System.Runtime.Extensions": "4.1.0-*", "System.Security.Cryptography.Algorithms": "4.0.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" } From b87a8001fee8972fd400364afe57010271c08675 Mon Sep 17 00:00:00 2001 
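Review bot: With the `repoFolder` resolution removed from the top of the script and no `cd` added, `buildFolder=.build` and `makeFile=makefile.shade` resolve against whatever directory the caller is in, and the final line executes `./$koreBuildFolder/build/KoreBuild.sh` from there. Run from outside the repository, the script creates or reuses a `.build` directory at that location and runs the `KoreBuild.sh` it finds, which is not necessarily the one this repository fetched. Anchor the script to its own location first, for example `cd "$(dirname "${BASH_SOURCE[0]}")"` right after the shebang. Quoting `"$nugetPath"` and `"$makeFile"` in the last call keeps paths with spaces from being split into extra arguments.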
From: "N. Taylor Mullen" Date: Fri, 22 Jan 2016 12:16:08 -0800 Subject: [PATCH 212/493] Rename AspNet 5 folders and files. See https://github.com/aspnet/Announcements/issues/144 for more information. --- .../Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | 0 .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 0 .../Cng/BCryptBuffer.cs | 0 .../Cng/BCryptBufferDesc.cs | 0 .../Cng/BCryptEncryptFlags.cs | 0 .../Cng/BCryptGenRandomFlags.cs | 0 .../Cng/BCryptKeyDerivationBufferType.cs | 0 .../Cng/BCryptUtil.cs | 0 .../Cng/CachedAlgorithmHandles.cs | 0 .../Cng/NCryptEncryptFlags.cs | 0 .../Cng/OSVersionUtil.cs | 0 .../Constants.cs | 0 .../CryptoUtil.cs | 0 .../DATA_BLOB.cs | 0 .../Microsoft.AspNetCore.Cryptography.Internal.xproj} | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../SafeHandles/BCryptAlgorithmHandle.cs | 0 .../SafeHandles/BCryptHandle.cs | 0 .../SafeHandles/BCryptHashHandle.cs | 0 .../SafeHandles/BCryptKeyHandle.cs | 0 .../SafeHandles/LocalAllocHandle.cs | 0 .../SafeHandles/NCryptDescriptorHandle.cs | 0 .../SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs | 0 .../SafeHandles/SafeLibraryHandle.cs | 0 .../SafeHandles/SecureLocalAllocHandle.cs | 0 .../UnsafeBufferUtil.cs | 0 .../UnsafeNativeMethods.cs | 0 .../WeakReferenceHelpers.cs | 0 .../project.json | 0 .../KeyDerivation.cs | 0 .../KeyDerivationPrf.cs | 0 .../Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj} | 0 .../PBKDF2/IPbkdf2Provider.cs | 0 .../PBKDF2/ManagedPbkdf2Provider.cs | 0 .../PBKDF2/Pbkdf2Util.cs | 0 .../PBKDF2/Win7Pbkdf2Provider.cs | 0 .../PBKDF2/Win8Pbkdf2Provider.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../project.json | 0 .../CryptoUtil.cs | 0 .../DataProtectionExtensions.cs | 0 .../Error.cs | 0 .../IDataProtectionProvider.cs | 0 .../IDataProtector.cs | 0 .../Infrastructure/IApplicationDiscriminator.cs | 0 .../Microsoft.AspNetCore.DataProtection.Abstractions.xproj} | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 
.../Resources.resx | 0 .../WebEncoders.cs | 0 .../project.json | 0 .../BitHelpers.cs | 0 .../DataProtectionExtensions.cs | 0 .../DataProtectionProvider.cs | 0 .../ITimeLimitedDataProtector.cs | 0 .../Microsoft.AspNetCore.DataProtection.Extensions.xproj} | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../TimeLimitedDataProtector.cs | 0 .../project.json | 0 .../EncodingUtil.cs | 0 .../ExceptionExtensions.cs | 0 .../Microsoft.AspNetCore.DataProtection.Sources.xproj} | 0 .../project.json | 0 .../CompatibilityDataProtector.cs | 0 .../DataProtectionStartup.cs | 0 .../Microsoft.AspNetCore.DataProtection.SystemWeb.xproj} | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../project.json | 0 .../web.config.transform | 0 .../ActivatorExtensions.cs | 0 .../ApplyPolicyAttribute.cs | 0 .../ArraySegmentExtensions.cs | 0 .../AuthenticatedEncryption/AlgorithmAssert.cs | 0 .../AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs | 0 .../AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs | 0 .../CngCbcAuthenticatedEncryptionOptions.cs | 0 .../CngGcmAuthenticatedEncryptionOptions.cs | 0 .../ConfigurationModel/AuthenticatedEncryptorConfiguration.cs | 0 .../ConfigurationModel/AuthenticatedEncryptorDescriptor.cs | 0 .../AuthenticatedEncryptorDescriptorDeserializer.cs | 0 .../CngCbcAuthenticatedEncryptorConfiguration.cs | 0 .../ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs | 0 .../CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs | 0 .../CngGcmAuthenticatedEncryptorConfiguration.cs | 0 .../ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs | 0 .../CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs | 0 .../ConfigurationModel/ConfigurationCommon.cs | 0 .../ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs | 0 .../ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs | 0 .../IAuthenticatedEncryptorDescriptorDeserializer.cs | 0 
.../IInternalAuthenticatedEncryptorConfiguration.cs | 0 .../ManagedAuthenticatedEncryptorConfiguration.cs | 0 .../ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs | 0 .../ManagedAuthenticatedEncryptorDescriptorDeserializer.cs | 0 .../ConfigurationModel/SecretExtensions.cs | 0 .../AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs | 0 .../ConfigurationModel/XmlSerializedDescriptorInfo.cs | 0 .../AuthenticatedEncryption/EncryptionAlgorithm.cs | 0 .../AuthenticatedEncryption/IAuthenticatedEncryptor.cs | 0 .../IInternalAuthenticatedEncryptionOptions.cs | 0 .../AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs | 0 .../ManagedAuthenticatedEncryptionOptions.cs | 0 .../AuthenticatedEncryption/ValidationAlgorithm.cs | 0 .../BitHelpers.cs | 0 .../Cng/BCryptGenRandomImpl.cs | 0 .../Cng/CbcAuthenticatedEncryptor.cs | 0 .../Cng/DpapiSecretSerializerHelper.cs | 0 .../Cng/GcmAuthenticatedEncryptor.cs | 0 .../Cng/IBCryptGenRandom.cs | 0 .../Cng/Internal/CngAuthenticatedEncryptorBase.cs | 0 .../DataProtectionConfiguration.cs | 0 .../DataProtectionOptions.cs | 0 .../DataProtectionProviderFactory.cs | 0 .../DataProtectionServiceCollectionExtensions.cs | 0 .../DataProtectionServiceDescriptors.cs | 0 .../DataProtectionServices.cs | 0 .../EphemeralDataProtectionProvider.cs | 0 .../Error.cs | 0 .../IPersistedDataProtector.cs | 0 .../ISecret.cs | 0 .../Internal/IActivator.cs | 0 .../KeyManagement/DefaultKeyResolver.cs | 0 .../KeyManagement/DefaultKeyServices.cs | 0 .../KeyManagement/DeferredKey.cs | 0 .../KeyManagement/IKey.cs | 0 .../KeyManagement/IKeyEscrowSink.cs | 0 .../KeyManagement/IKeyManager.cs | 0 .../KeyManagement/Internal/CacheableKeyRing.cs | 0 .../KeyManagement/Internal/DefaultKeyResolution.cs | 0 .../KeyManagement/Internal/ICacheableKeyRingProvider.cs | 0 .../KeyManagement/Internal/IDefaultKeyResolver.cs | 0 .../KeyManagement/Internal/IDefaultKeyServices.cs | 0 .../KeyManagement/Internal/IInternalXmlKeyManager.cs | 0 
.../KeyManagement/Internal/IKeyRing.cs | 0 .../KeyManagement/Internal/IKeyRingProvider.cs | 0 .../KeyManagement/Key.cs | 0 .../KeyManagement/KeyBase.cs | 0 .../KeyManagement/KeyEscrowServiceProviderExtensions.cs | 0 .../KeyManagement/KeyExtensions.cs | 0 .../KeyManagement/KeyManagementOptions.cs | 0 .../KeyManagement/KeyRing.cs | 0 .../KeyManagement/KeyRingBasedDataProtectionProvider.cs | 0 .../KeyManagement/KeyRingBasedDataProtector.cs | 0 .../KeyManagement/KeyRingProvider.cs | 0 .../KeyManagement/XmlKeyManager.cs | 0 .../LoggingExtensions.cs | 0 .../LoggingServiceProviderExtensions.cs | 0 .../Managed/HashAlgorithmExtensions.cs | 0 .../Managed/IManagedGenRandom.cs | 0 .../Managed/ManagedAuthenticatedEncryptor.cs | 0 .../Managed/ManagedGenRandomImpl.cs | 0 .../Managed/SymmetricAlgorithmExtensions.cs | 0 .../MemoryProtection.cs | 0 .../Microsoft.AspNetCore.DataProtection.xproj} | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../RegistryPolicyResolver.cs | 0 .../Repositories/EphemeralXmlRepository.cs | 0 .../Repositories/FileSystemXmlRepository.cs | 0 .../Repositories/IXmlRepository.cs | 0 .../Repositories/RegistryXmlRepository.cs | 0 .../Resources.resx | 0 .../SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs | 0 .../SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs | 0 .../SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs | 0 .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 0 .../SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs | 0 .../SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs | 0 .../Secret.cs | 0 .../StringInterpolation.cs | 0 .../TypeExtensions.cs | 0 .../XmlConstants.cs | 0 .../XmlEncryption/CertificateResolver.cs | 0 .../XmlEncryption/CertificateXmlEncryptor.cs | 0 .../XmlEncryption/DpapiNGProtectionDescriptorFlags.cs | 0 .../XmlEncryption/DpapiNGXmlDecryptor.cs | 0 .../XmlEncryption/DpapiNGXmlEncryptor.cs | 0 .../XmlEncryption/DpapiXmlDecryptor.cs | 0 .../XmlEncryption/DpapiXmlEncryptor.cs | 0 
.../XmlEncryption/EncryptedXmlDecryptor.core50.cs | 0 .../XmlEncryption/EncryptedXmlDecryptor.cs | 0 .../XmlEncryption/EncryptedXmlInfo.cs | 0 .../XmlEncryption/ICertificateResolver.cs | 0 .../XmlEncryption/IInternalCertificateXmlEncryptor.cs | 0 .../XmlEncryption/IInternalEncryptedXmlDecryptor.cs | 0 .../XmlEncryption/IXmlDecryptor.cs | 0 .../XmlEncryption/IXmlEncryptor.cs | 0 .../XmlEncryption/NullXmlDecryptor.cs | 0 .../XmlEncryption/NullXmlEncryptor.cs | 0 .../XmlEncryption/XmlEncryptionExtensions.cs | 0 .../XmlExtensions.cs | 0 .../project.json | 0 .../Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs | 0 .../Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs | 0 .../Cng/BCryptUtilTests.cs | 0 .../Cng/CachedAlgorithmHandlesTests.cs | 0 .../CryptoUtilTests.cs | 0 .../Microsoft.AspNetCore.Cryptography.Internal.Test.xproj} | 0 .../Properties/AssemblyInfo.cs | 0 .../SafeHandles/SecureLocalAllocHandleTests.cs | 0 .../UnsafeBufferUtilTests.cs | 0 .../WeakReferenceHelpersTests.cs | 0 .../project.json | 0 .../Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj} | 0 .../Pbkdf2Tests.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../project.json | 0 .../DataProtectionExtensionsTests.cs | 0 .../Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj} | 0 .../project.json | 0 .../DataProtectionExtensionsTests.cs | 0 .../DataProtectionProviderTests.cs | 0 .../Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj} | 0 .../TimeLimitedDataProtectorTests.cs | 0 .../project.json | 0 .../ConditionalRunTestOnlyWindows8OrLaterAttribute.cs | 0 .../ConditionalRunTestOnlyWindowsAttribute.cs | 0 .../ExceptionAssert2.cs | 0 .../Microsoft.AspNetCore.DataProtection.Test.Shared.xproj} | 0 .../project.json | 0 .../ActivatorTests.cs | 0 .../AnonymousImpersonation.cs | 0 .../AuthenticatedEncryptorDescriptorDeserializerTests.cs | 0 .../ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs | 0 .../CngCbcAuthenticatedEncryptorConfigurationTests.cs | 0 
.../CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs | 0 .../CngCbcAuthenticatedEncryptorDescriptorTests.cs | 0 .../CngGcmAuthenticatedEncryptorConfigurationTests.cs | 0 .../CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs | 0 .../CngGcmAuthenticatedEncryptorDescriptorTests.cs | 0 .../ManagedAuthenticatedEncryptorConfigurationTests.cs | 0 .../ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs | 0 .../ManagedAuthenticatedEncryptorDescriptorTests.cs | 0 .../Cng/CbcAuthenticatedEncryptorTests.cs | 0 .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 0 .../Cng/GcmAuthenticatedEncryptorTests.cs | 0 .../EphemeralDataProtectionProviderTests.cs | 0 .../KeyManagement/CacheableKeyRingTests.cs | 0 .../KeyManagement/DefaultKeyResolverTests.cs | 0 .../KeyManagement/DeferredKeyTests.cs | 0 .../KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs | 0 .../KeyManagement/KeyRingBasedDataProtectorTests.cs | 0 .../KeyManagement/KeyRingProviderTests.cs | 0 .../KeyManagement/KeyRingTests.cs | 0 .../KeyManagement/KeyTests.cs | 0 .../KeyManagement/XmlKeyManagerTests.cs | 0 .../Managed/ManagedAuthenticatedEncryptorTests.cs | 0 .../Microsoft.AspNetCore.DataProtection.Test.xproj} | 0 .../MockExtensions.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../RegistryPolicyResolverTests.cs | 0 .../Repositories/EphemeralXmlRepositoryTests.cs | 0 .../Repositories/FileSystemXmlRepositoryTests.cs | 0 .../Repositories/RegistryXmlRepositoryTests.cs | 0 .../SP800_108/SP800_108Tests.cs | 0 .../SecretAssert.cs | 0 .../SecretTests.cs | 0 .../SequentialGenRandom.cs | 0 .../StringLoggerFactory.cs | 0 .../XmlAssert.cs | 0 .../XmlEncryption/CertificateXmlEncryptionTests.cs | 0 .../XmlEncryption/DpapiNGXmlEncryptionTests.cs | 0 .../XmlEncryption/DpapiXmlEncryptionTests.cs | 0 .../XmlEncryption/NullXmlEncryptionTests.cs | 0 .../XmlEncryption/XmlEncryptionExtensionsTests.cs | 0 .../project.json | 0 272 files changed, 0 insertions(+), 0 deletions(-) rename 
src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCryptBuffer.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCryptBufferDesc.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCryptEncryptFlags.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCryptGenRandomFlags.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCryptKeyDerivationBufferType.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/BCryptUtil.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/CachedAlgorithmHandles.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/NCryptEncryptFlags.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Cng/OSVersionUtil.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Constants.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/CryptoUtil.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/DATA_BLOB.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj => 
Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj} (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Properties/Resources.Designer.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/Resources.resx (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/BCryptAlgorithmHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/BCryptHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/BCryptHashHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/BCryptKeyHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/LocalAllocHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/NCryptDescriptorHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/SafeLibraryHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/SafeHandles/SecureLocalAllocHandle.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/UnsafeBufferUtil.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/UnsafeNativeMethods.cs 
(100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/WeakReferenceHelpers.cs (100%) rename src/{Microsoft.AspNet.Cryptography.Internal => Microsoft.AspNetCore.Cryptography.Internal}/project.json (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/KeyDerivation.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/KeyDerivationPrf.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj => Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj} (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/PBKDF2/IPbkdf2Provider.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/PBKDF2/ManagedPbkdf2Provider.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/PBKDF2/Pbkdf2Util.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/PBKDF2/Win7Pbkdf2Provider.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/PBKDF2/Win8Pbkdf2Provider.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNet.Cryptography.KeyDerivation => Microsoft.AspNetCore.Cryptography.KeyDerivation}/project.json (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/CryptoUtil.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/DataProtectionExtensions.cs (100%) 
rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/Error.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/IDataProtectionProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/IDataProtector.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/Infrastructure/IApplicationDiscriminator.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions/Microsoft.AspNet.DataProtection.Abstractions.xproj => Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj} (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/Properties/Resources.Designer.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/Resources.resx (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/WebEncoders.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Abstractions => Microsoft.AspNetCore.DataProtection.Abstractions}/project.json (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/BitHelpers.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/DataProtectionExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/DataProtectionProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => 
Microsoft.AspNetCore.DataProtection.Extensions}/ITimeLimitedDataProtector.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj => Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj} (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/Properties/Resources.Designer.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/Resources.resx (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/TimeLimitedDataProtector.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Extensions => Microsoft.AspNetCore.DataProtection.Extensions}/project.json (100%) rename src/{Microsoft.AspNet.DataProtection.Sources => Microsoft.AspNetCore.DataProtection.Sources}/EncodingUtil.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Sources => Microsoft.AspNetCore.DataProtection.Sources}/ExceptionExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection.Sources/Microsoft.AspNet.DataProtection.Sources.xproj => Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj} (100%) rename src/{Microsoft.AspNet.DataProtection.Sources => Microsoft.AspNetCore.DataProtection.Sources}/project.json (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb => Microsoft.AspNetCore.DataProtection.SystemWeb}/CompatibilityDataProtector.cs (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb => Microsoft.AspNetCore.DataProtection.SystemWeb}/DataProtectionStartup.cs (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj => 
Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj} (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb => Microsoft.AspNetCore.DataProtection.SystemWeb}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb => Microsoft.AspNetCore.DataProtection.SystemWeb}/Properties/Resources.Designer.cs (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb => Microsoft.AspNetCore.DataProtection.SystemWeb}/Resources.resx (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb => Microsoft.AspNetCore.DataProtection.SystemWeb}/project.json (100%) rename src/{Microsoft.AspNet.DataProtection.SystemWeb => Microsoft.AspNetCore.DataProtection.SystemWeb}/web.config.transform (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/ActivatorExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/ApplyPolicyAttribute.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/ArraySegmentExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/AlgorithmAssert.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => 
Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs (100%) rename src/{Microsoft.AspNet.DataProtection => 
Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/EncryptionAlgorithm.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/IAuthenticatedEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => 
Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/AuthenticatedEncryption/ValidationAlgorithm.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/BitHelpers.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Cng/BCryptGenRandomImpl.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Cng/CbcAuthenticatedEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Cng/DpapiSecretSerializerHelper.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Cng/GcmAuthenticatedEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Cng/IBCryptGenRandom.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Cng/Internal/CngAuthenticatedEncryptorBase.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/DataProtectionConfiguration.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/DataProtectionOptions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/DataProtectionProviderFactory.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/DataProtectionServiceCollectionExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/DataProtectionServiceDescriptors.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/DataProtectionServices.cs (100%) rename 
src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/EphemeralDataProtectionProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Error.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/IPersistedDataProtector.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/ISecret.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Internal/IActivator.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/DefaultKeyResolver.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/DefaultKeyServices.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/DeferredKey.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/IKey.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/IKeyEscrowSink.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/IKeyManager.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/CacheableKeyRing.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/DefaultKeyResolution.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/ICacheableKeyRingProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/IDefaultKeyResolver.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/IDefaultKeyServices.cs (100%) rename 
src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/IInternalXmlKeyManager.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/IKeyRing.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Internal/IKeyRingProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/Key.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyBase.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyEscrowServiceProviderExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyManagementOptions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyRing.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyRingBasedDataProtectionProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyRingBasedDataProtector.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/KeyRingProvider.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/KeyManagement/XmlKeyManager.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/LoggingExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/LoggingServiceProviderExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => 
Microsoft.AspNetCore.DataProtection}/Managed/HashAlgorithmExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Managed/IManagedGenRandom.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Managed/ManagedAuthenticatedEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Managed/ManagedGenRandomImpl.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Managed/SymmetricAlgorithmExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/MemoryProtection.cs (100%) rename src/{Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj => Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj} (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Properties/Resources.Designer.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/RegistryPolicyResolver.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Repositories/EphemeralXmlRepository.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Repositories/FileSystemXmlRepository.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Repositories/IXmlRepository.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Repositories/RegistryXmlRepository.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Resources.resx (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs (100%) rename 
src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/SP800_108/SP800_108_CTR_HMACSHA512Util.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/Secret.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/StringInterpolation.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/TypeExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlConstants.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/CertificateResolver.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/CertificateXmlEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/DpapiNGXmlDecryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/DpapiNGXmlEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/DpapiXmlDecryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => 
Microsoft.AspNetCore.DataProtection}/XmlEncryption/DpapiXmlEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/EncryptedXmlDecryptor.core50.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/EncryptedXmlDecryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/EncryptedXmlInfo.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/ICertificateResolver.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/IInternalCertificateXmlEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/IInternalEncryptedXmlDecryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/IXmlDecryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/IXmlEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/NullXmlDecryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/NullXmlEncryptor.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlEncryption/XmlEncryptionExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/XmlExtensions.cs (100%) rename src/{Microsoft.AspNet.DataProtection => Microsoft.AspNetCore.DataProtection}/project.json (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => 
Microsoft.AspNetCore.Cryptography.Internal.Test}/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/Cng/BCryptUtilTests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/Cng/CachedAlgorithmHandlesTests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/CryptoUtilTests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj => Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj} (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/Properties/AssemblyInfo.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/SafeHandles/SecureLocalAllocHandleTests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/UnsafeBufferUtilTests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/WeakReferenceHelpersTests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.Internal.Test => Microsoft.AspNetCore.Cryptography.Internal.Test}/project.json (100%) rename test/{Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj => Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj} (100%) rename test/{Microsoft.AspNet.Cryptography.KeyDerivation.Test => Microsoft.AspNetCore.Cryptography.KeyDerivation.Test}/Pbkdf2Tests.cs (100%) rename test/{Microsoft.AspNet.Cryptography.KeyDerivation.Test => Microsoft.AspNetCore.Cryptography.KeyDerivation.Test}/Properties/AssemblyInfo.cs (100%) rename 
test/{Microsoft.AspNet.Cryptography.KeyDerivation.Test => Microsoft.AspNetCore.Cryptography.KeyDerivation.Test}/project.json (100%) rename test/{Microsoft.AspNet.DataProtection.Abstractions.Test => Microsoft.AspNetCore.DataProtection.Abstractions.Test}/DataProtectionExtensionsTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Abstractions.Test/Microsoft.AspNet.DataProtection.Abstractions.Test.xproj => Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj} (100%) rename test/{Microsoft.AspNet.DataProtection.Abstractions.Test => Microsoft.AspNetCore.DataProtection.Abstractions.Test}/project.json (100%) rename test/{Microsoft.AspNet.DataProtection.Extensions.Test => Microsoft.AspNetCore.DataProtection.Extensions.Test}/DataProtectionExtensionsTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Extensions.Test => Microsoft.AspNetCore.DataProtection.Extensions.Test}/DataProtectionProviderTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj => Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj} (100%) rename test/{Microsoft.AspNet.DataProtection.Extensions.Test => Microsoft.AspNetCore.DataProtection.Extensions.Test}/TimeLimitedDataProtectorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Extensions.Test => Microsoft.AspNetCore.DataProtection.Extensions.Test}/project.json (100%) rename test/{Microsoft.AspNet.DataProtection.Test.Shared => Microsoft.AspNetCore.DataProtection.Test.Shared}/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test.Shared => Microsoft.AspNetCore.DataProtection.Test.Shared}/ConditionalRunTestOnlyWindowsAttribute.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test.Shared => Microsoft.AspNetCore.DataProtection.Test.Shared}/ExceptionAssert2.cs (100%) rename 
test/{Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj => Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj} (100%) rename test/{Microsoft.AspNet.DataProtection.Test.Shared => Microsoft.AspNetCore.DataProtection.Test.Shared}/project.json (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/ActivatorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AnonymousImpersonation.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename 
test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Cng/CbcAuthenticatedEncryptorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Cng/CngAuthenticatedEncryptorBaseTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Cng/GcmAuthenticatedEncryptorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/EphemeralDataProtectionProviderTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/CacheableKeyRingTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/DefaultKeyResolverTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/DeferredKeyTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => 
Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/KeyRingBasedDataProtectorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/KeyRingProviderTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/KeyRingTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/KeyTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/KeyManagement/XmlKeyManagerTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Managed/ManagedAuthenticatedEncryptorTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj => Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj} (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/MockExtensions.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Properties/AssemblyInfo.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/RegistryPolicyResolverTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Repositories/EphemeralXmlRepositoryTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Repositories/FileSystemXmlRepositoryTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/Repositories/RegistryXmlRepositoryTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/SP800_108/SP800_108Tests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => 
Microsoft.AspNetCore.DataProtection.Test}/SecretAssert.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/SecretTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/SequentialGenRandom.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/StringLoggerFactory.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/XmlAssert.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/XmlEncryption/CertificateXmlEncryptionTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/XmlEncryption/DpapiNGXmlEncryptionTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/XmlEncryption/DpapiXmlEncryptionTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/XmlEncryption/NullXmlEncryptionTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/XmlEncryption/XmlEncryptionExtensionsTests.cs (100%) rename test/{Microsoft.AspNet.DataProtection.Test => Microsoft.AspNetCore.DataProtection.Test}/project.json (100%) diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs similarity index 100% rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs 
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBuffer.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptBufferDesc.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/BCryptUtil.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Cng/OSVersionUtil.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Constants.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Constants.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/CryptoUtil.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/DATA_BLOB.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Microsoft.AspNet.Cryptography.Internal.xproj
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Properties/AssemblyInfo.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Properties/Resources.Designer.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/Resources.resx b/src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/Resources.resx
rename to src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/UnsafeBufferUtil.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/UnsafeNativeMethods.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/WeakReferenceHelpers.cs
rename to src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
diff --git a/src/Microsoft.AspNet.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.Internal/project.json
rename to src/Microsoft.AspNetCore.Cryptography.Internal/project.json
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivation.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/KeyDerivationPrf.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/Microsoft.AspNet.Cryptography.KeyDerivation.xproj
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json
similarity index 100%
rename from src/Microsoft.AspNet.Cryptography.KeyDerivation/project.json
rename to src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/CryptoUtil.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/DataProtectionExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/Error.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtectionProvider.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/IDataProtector.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Microsoft.AspNet.DataProtection.Abstractions.xproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/Microsoft.AspNet.DataProtection.Abstractions.xproj
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/Properties/AssemblyInfo.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/Properties/Resources.Designer.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/Resources.resx b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/Resources.resx
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/WebEncoders.cs
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Abstractions/project.json
rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/BitHelpers.cs
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/DataProtectionProvider.cs
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/ITimeLimitedDataProtector.cs
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/Microsoft.AspNet.DataProtection.Extensions.xproj
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/Properties/AssemblyInfo.cs
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/Properties/Resources.Designer.cs
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/Resources.resx b/src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/Resources.resx
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/TimeLimitedDataProtector.cs
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Extensions/project.json
rename to src/Microsoft.AspNetCore.DataProtection.Extensions/project.json
diff --git a/src/Microsoft.AspNet.DataProtection.Sources/EncodingUtil.cs b/src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Sources/EncodingUtil.cs
rename to src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Sources/ExceptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Sources/ExceptionExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection.Sources/Microsoft.AspNet.DataProtection.Sources.xproj b/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Sources/Microsoft.AspNet.DataProtection.Sources.xproj
rename to src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj
diff --git a/src/Microsoft.AspNet.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.Sources/project.json
rename to src/Microsoft.AspNetCore.DataProtection.Sources/project.json
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/CompatibilityDataProtector.cs
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/DataProtectionStartup.cs
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/Microsoft.AspNet.DataProtection.SystemWeb.xproj
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/AssemblyInfo.cs
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/Properties/Resources.Designer.cs
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/Resources.resx b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/Resources.resx
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/project.json
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json
diff --git a/src/Microsoft.AspNet.DataProtection.SystemWeb/web.config.transform b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection.SystemWeb/web.config.transform
rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
diff --git a/src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/ActivatorExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs b/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/ApplyPolicyAttribute.cs
rename to src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
diff --git a/src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/ArraySegmentExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
diff --git a/src/Microsoft.AspNet.DataProtection/BitHelpers.cs b/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/BitHelpers.cs
rename to src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Cng/BCryptGenRandomImpl.cs
rename to src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Cng/DpapiSecretSerializerHelper.cs
rename to src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Cng/IBCryptGenRandom.cs
rename to src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
rename to src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/DataProtectionConfiguration.cs
rename to src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/DataProtectionOptions.cs
rename to src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/DataProtectionProviderFactory.cs
rename to src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/DataProtectionServiceCollectionExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/DataProtectionServiceDescriptors.cs
rename to src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs
diff --git a/src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/DataProtectionServices.cs
rename to src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs
diff --git a/src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/EphemeralDataProtectionProvider.cs
rename to src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Error.cs b/src/Microsoft.AspNetCore.DataProtection/Error.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Error.cs
rename to src/Microsoft.AspNetCore.DataProtection/Error.cs
diff --git a/src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/IPersistedDataProtector.cs
rename to src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
diff --git a/src/Microsoft.AspNet.DataProtection/ISecret.cs b/src/Microsoft.AspNetCore.DataProtection/ISecret.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/ISecret.cs
rename to src/Microsoft.AspNetCore.DataProtection/ISecret.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Internal/IActivator.cs
rename to src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyResolver.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/DefaultKeyServices.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/DeferredKey.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IKey.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyEscrowSink.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/IKeyManager.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRing.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/Key.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyBase.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyManagementOptions.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRing.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/KeyRingProvider.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/KeyManagement/XmlKeyManager.cs
rename to src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
diff --git a/src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/LoggingExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/LoggingServiceProviderExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Managed/HashAlgorithmExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Managed/IManagedGenRandom.cs
rename to src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Managed/ManagedGenRandomImpl.cs
rename to src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/MemoryProtection.cs
rename to src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Microsoft.AspNet.DataProtection.xproj
rename to src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj
diff --git a/src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Properties/AssemblyInfo.cs
rename to src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Properties/Resources.Designer.cs
rename to src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/RegistryPolicyResolver.cs
rename to src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Repositories/EphemeralXmlRepository.cs
rename to src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Repositories/FileSystemXmlRepository.cs
rename to src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Repositories/IXmlRepository.cs
rename to src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Repositories/RegistryXmlRepository.cs
rename to src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Resources.resx b/src/Microsoft.AspNetCore.DataProtection/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Resources.resx
rename to src/Microsoft.AspNetCore.DataProtection/Resources.resx
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
rename to src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
rename to src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
rename to src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
rename to src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
rename to src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNet.DataProtection/Secret.cs b/src/Microsoft.AspNetCore.DataProtection/Secret.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/Secret.cs
rename to src/Microsoft.AspNetCore.DataProtection/Secret.cs
diff --git a/src/Microsoft.AspNet.DataProtection/StringInterpolation.cs b/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/StringInterpolation.cs
rename to src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs
diff --git a/src/Microsoft.AspNet.DataProtection/TypeExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/TypeExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlConstants.cs b/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlConstants.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateResolver.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/ICertificateResolver.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlDecryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/IXmlEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlDecryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/NullXmlEncryptor.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/XmlExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/XmlExtensions.cs
rename to src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
diff --git a/src/Microsoft.AspNet.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json
similarity index 100%
rename from src/Microsoft.AspNet.DataProtection/project.json
rename to src/Microsoft.AspNetCore.DataProtection/project.json
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/CryptoUtilTests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/Microsoft.AspNet.Cryptography.Internal.Test.xproj
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.Internal.Test/project.json
rename to test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj
rename to test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
rename to test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
rename to test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json
similarity index 100%
rename from test/Microsoft.AspNet.Cryptography.KeyDerivation.Test/project.json
rename to test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json
diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/Microsoft.AspNet.DataProtection.Abstractions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Abstractions.Test/Microsoft.AspNet.DataProtection.Abstractions.Test.xproj
rename to test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj
diff --git a/test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Abstractions.Test/project.json
rename to test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Extensions.Test/Microsoft.AspNet.DataProtection.Extensions.Test.xproj
rename to test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Extensions.Test/project.json
rename to test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test.Shared/ExceptionAssert2.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test.Shared/Microsoft.AspNet.DataProtection.Test.Shared.xproj
rename to test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj
diff --git a/test/Microsoft.AspNet.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test.Shared/project.json
rename to test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json
diff --git a/test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/ActivatorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AnonymousImpersonation.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyRingTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/KeyTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Microsoft.AspNet.DataProtection.Test.xproj
rename to test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj
diff --git a/test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs b/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/MockExtensions.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Properties/AssemblyInfo.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/RegistryPolicyResolverTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/SP800_108/SP800_108Tests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/SecretAssert.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/SecretTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/SequentialGenRandom.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/StringLoggerFactory.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/XmlAssert.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
rename to test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
diff --git a/test/Microsoft.AspNet.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json
similarity index 100%
rename from test/Microsoft.AspNet.DataProtection.Test/project.json
rename to test/Microsoft.AspNetCore.DataProtection.Test/project.json
From 43dfd15a010540324d149c44a349c6c887926172 Mon Sep 17 00:00:00 2001
From: "N. Taylor Mullen" Date: Fri, 22 Jan 2016 12:16:20 -0800 Subject: [PATCH 213/493] Rename AspNet 5 file contents. See https://github.com/aspnet/Announcements/issues/144 for more information. --- DataProtection.sln | 28 +++++++++---------- NuGetPackageVerifier.json | 14 +++++----- makefile.shade | 2 +- .../BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | 2 +- .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 4 +-- .../Cng/BCryptBuffer.cs | 2 +- .../Cng/BCryptBufferDesc.cs | 2 +- .../Cng/BCryptEncryptFlags.cs | 2 +- .../Cng/BCryptGenRandomFlags.cs | 2 +- .../Cng/BCryptKeyDerivationBufferType.cs | 2 +- .../Cng/BCryptUtil.cs | 2 +- .../Cng/CachedAlgorithmHandles.cs | 4 +-- .../Cng/NCryptEncryptFlags.cs | 2 +- .../Cng/OSVersionUtil.cs | 4 +-- .../Constants.cs | 2 +- .../CryptoUtil.cs | 6 ++-- .../DATA_BLOB.cs | 2 +- .../Properties/AssemblyInfo.cs | 14 +++++----- .../Properties/Resources.Designer.cs | 4 +-- .../SafeHandles/BCryptAlgorithmHandle.cs | 6 ++-- .../SafeHandles/BCryptHandle.cs | 2 +- .../SafeHandles/BCryptHashHandle.cs | 2 +- .../SafeHandles/BCryptKeyHandle.cs | 2 +- .../SafeHandles/LocalAllocHandle.cs | 2 +- .../SafeHandles/NCryptDescriptorHandle.cs | 2 +- .../SafeHandles/SafeLibraryHandle.cs | 2 +- .../SafeHandles/SecureLocalAllocHandle.cs | 2 +- .../UnsafeBufferUtil.cs | 4 +-- .../UnsafeNativeMethods.cs | 6 ++-- .../WeakReferenceHelpers.cs | 2 +- .../KeyDerivation.cs | 4 +-- .../KeyDerivationPrf.cs | 2 +- .../PBKDF2/IPbkdf2Provider.cs | 2 +- .../PBKDF2/ManagedPbkdf2Provider.cs | 2 +- .../PBKDF2/Pbkdf2Util.cs | 4 +-- .../PBKDF2/Win7Pbkdf2Provider.cs | 6 ++-- .../PBKDF2/Win8Pbkdf2Provider.cs | 6 ++-- .../Properties/AssemblyInfo.cs | 2 +- .../project.json | 2 +- .../CryptoUtil.cs | 2 +- .../DataProtectionExtensions.cs | 6 ++-- .../Error.cs | 4 +-- .../IDataProtectionProvider.cs | 2 +- .../IDataProtector.cs | 2 +- .../IApplicationDiscriminator.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../Properties/Resources.Designer.cs | 4 +-- .../WebEncoders.cs | 2 +- 
.../project.json | 2 +- .../BitHelpers.cs | 2 +- .../DataProtectionExtensions.cs | 2 +- .../DataProtectionProvider.cs | 2 +- .../ITimeLimitedDataProtector.cs | 2 +- .../Properties/AssemblyInfo.cs | 2 +- .../Properties/Resources.Designer.cs | 4 +-- .../TimeLimitedDataProtector.cs | 6 ++-- .../project.json | 4 +-- .../EncodingUtil.cs | 2 +- .../ExceptionExtensions.cs | 2 +- .../CompatibilityDataProtector.cs | 2 +- .../DataProtectionStartup.cs | 4 +-- .../Properties/Resources.Designer.cs | 4 +-- .../project.json | 2 +- .../web.config.transform | 6 ++-- .../ActivatorExtensions.cs | 6 ++-- .../ApplyPolicyAttribute.cs | 2 +- .../ArraySegmentExtensions.cs | 2 +- .../AlgorithmAssert.cs | 4 +-- .../AuthenticatedEncryptionOptions.cs | 8 +++--- .../AuthenticatedEncryptorExtensions.cs | 4 +-- .../CngCbcAuthenticatedEncryptionOptions.cs | 12 ++++---- .../CngGcmAuthenticatedEncryptionOptions.cs | 12 ++++---- .../AuthenticatedEncryptorConfiguration.cs | 2 +- .../AuthenticatedEncryptorDescriptor.cs | 2 +- ...nticatedEncryptorDescriptorDeserializer.cs | 2 +- ...gCbcAuthenticatedEncryptorConfiguration.cs | 2 +- .../CngCbcAuthenticatedEncryptorDescriptor.cs | 2 +- ...nticatedEncryptorDescriptorDeserializer.cs | 2 +- ...gGcmAuthenticatedEncryptorConfiguration.cs | 2 +- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 2 +- ...nticatedEncryptorDescriptorDeserializer.cs | 2 +- .../ConfigurationModel/ConfigurationCommon.cs | 2 +- .../IAuthenticatedEncryptorConfiguration.cs | 2 +- .../IAuthenticatedEncryptorDescriptor.cs | 2 +- ...nticatedEncryptorDescriptorDeserializer.cs | 2 +- ...rnalAuthenticatedEncryptorConfiguration.cs | 2 +- ...agedAuthenticatedEncryptorConfiguration.cs | 2 +- ...ManagedAuthenticatedEncryptorDescriptor.cs | 2 +- ...nticatedEncryptorDescriptorDeserializer.cs | 2 +- .../ConfigurationModel/SecretExtensions.cs | 2 +- .../ConfigurationModel/XmlExtensions.cs | 2 +- .../XmlSerializedDescriptorInfo.cs | 2 +- .../EncryptionAlgorithm.cs | 2 +- .../IAuthenticatedEncryptor.cs | 
2 +- ...IInternalAuthenticatedEncryptionOptions.cs | 4 +-- .../IOptimizedAuthenticatedEncryptor.cs | 2 +- .../ManagedAuthenticatedEncryptionOptions.cs | 8 +++--- .../ValidationAlgorithm.cs | 2 +- .../BitHelpers.cs | 2 +- .../Cng/BCryptGenRandomImpl.cs | 4 +-- .../Cng/CbcAuthenticatedEncryptor.cs | 14 +++++----- .../Cng/DpapiSecretSerializerHelper.cs | 6 ++-- .../Cng/GcmAuthenticatedEncryptor.cs | 14 +++++----- .../Cng/IBCryptGenRandom.cs | 2 +- .../Internal/CngAuthenticatedEncryptorBase.cs | 4 +-- .../DataProtectionConfiguration.cs | 8 +++--- .../DataProtectionOptions.cs | 2 +- .../DataProtectionProviderFactory.cs | 4 +-- ...taProtectionServiceCollectionExtensions.cs | 2 +- .../DataProtectionServiceDescriptors.cs | 14 +++++----- .../DataProtectionServices.cs | 14 +++++----- .../EphemeralDataProtectionProvider.cs | 10 +++---- .../Error.cs | 2 +- .../IPersistedDataProtector.cs | 2 +- .../ISecret.cs | 2 +- .../Internal/IActivator.cs | 2 +- .../KeyManagement/DefaultKeyResolver.cs | 8 +++--- .../KeyManagement/DefaultKeyServices.cs | 10 +++---- .../KeyManagement/DeferredKey.cs | 10 +++---- .../KeyManagement/IKey.cs | 4 +-- .../KeyManagement/IKeyEscrowSink.cs | 4 +-- .../KeyManagement/IKeyManager.cs | 2 +- .../Internal/CacheableKeyRing.cs | 2 +- .../Internal/DefaultKeyResolution.cs | 2 +- .../Internal/ICacheableKeyRingProvider.cs | 2 +- .../Internal/IDefaultKeyResolver.cs | 2 +- .../Internal/IDefaultKeyServices.cs | 6 ++-- .../Internal/IInternalXmlKeyManager.cs | 4 +-- .../KeyManagement/Internal/IKeyRing.cs | 4 +-- .../Internal/IKeyRingProvider.cs | 2 +- .../KeyManagement/Key.cs | 6 ++-- .../KeyManagement/KeyBase.cs | 4 +-- .../KeyEscrowServiceProviderExtensions.cs | 2 +- .../KeyManagement/KeyExtensions.cs | 2 +- .../KeyManagement/KeyManagementOptions.cs | 2 +- .../KeyManagement/KeyRing.cs | 6 ++-- .../KeyRingBasedDataProtectionProvider.cs | 4 +-- .../KeyRingBasedDataProtector.cs | 8 +++--- .../KeyManagement/KeyRingProvider.cs | 6 ++-- .../KeyManagement/XmlKeyManager.cs | 
14 +++++----- .../Managed/HashAlgorithmExtensions.cs | 4 +-- .../Managed/IManagedGenRandom.cs | 2 +- .../Managed/ManagedAuthenticatedEncryptor.cs | 8 +++--- .../Managed/ManagedGenRandomImpl.cs | 2 +- .../Managed/SymmetricAlgorithmExtensions.cs | 4 +-- .../MemoryProtection.cs | 4 +-- .../Properties/AssemblyInfo.cs | 2 +- .../Properties/Resources.Designer.cs | 4 +-- .../RegistryPolicyResolver.cs | 10 +++---- .../Repositories/EphemeralXmlRepository.cs | 2 +- .../Repositories/FileSystemXmlRepository.cs | 2 +- .../Repositories/IXmlRepository.cs | 2 +- .../Repositories/RegistryXmlRepository.cs | 2 +- .../ISP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../ManagedSP800_108_CTR_HMACSHA512.cs | 6 ++-- .../SP800_108_CTR_HMACSHA512Extensions.cs | 4 +-- .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 6 ++-- .../Win7SP800_108_CTR_HMACSHA512Provider.cs | 8 +++--- .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 8 +++--- .../Secret.cs | 10 +++---- .../TypeExtensions.cs | 2 +- .../XmlConstants.cs | 2 +- .../XmlEncryption/CertificateResolver.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 4 +-- .../DpapiNGProtectionDescriptorFlags.cs | 2 +- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 6 ++-- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 8 +++--- .../XmlEncryption/DpapiXmlDecryptor.cs | 6 ++-- .../XmlEncryption/DpapiXmlEncryptor.cs | 6 ++-- .../EncryptedXmlDecryptor.core50.cs | 2 +- .../XmlEncryption/EncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/EncryptedXmlInfo.cs | 2 +- .../XmlEncryption/ICertificateResolver.cs | 2 +- .../IInternalCertificateXmlEncryptor.cs | 2 +- .../IInternalEncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/IXmlDecryptor.cs | 2 +- .../XmlEncryption/IXmlEncryptor.cs | 2 +- .../XmlEncryption/NullXmlDecryptor.cs | 2 +- .../XmlEncryption/NullXmlEncryptor.cs | 2 +- .../XmlEncryption/XmlEncryptionExtensions.cs | 8 +++--- .../XmlExtensions.cs | 2 +- .../project.json | 6 ++-- ...PT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs | 2 +- 
.../Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs | 6 ++-- .../Cng/BCryptUtilTests.cs | 6 ++-- .../Cng/CachedAlgorithmHandlesTests.cs | 8 +++--- .../CryptoUtilTests.cs | 2 +- .../SecureLocalAllocHandleTests.cs | 2 +- .../UnsafeBufferUtilTests.cs | 4 +-- .../WeakReferenceHelpersTests.cs | 2 +- .../project.json | 6 ++-- .../Pbkdf2Tests.cs | 8 +++--- .../project.json | 8 +++--- .../DataProtectionExtensionsTests.cs | 8 +++--- .../project.json | 6 ++-- .../DataProtectionExtensionsTests.cs | 2 +- .../DataProtectionProviderTests.cs | 6 ++-- .../TimeLimitedDataProtectorTests.cs | 6 ++-- .../project.json | 8 +++--- ...onalRunTestOnlyWindows8OrLaterAttribute.cs | 6 ++-- .../ConditionalRunTestOnlyWindowsAttribute.cs | 6 ++-- .../ExceptionAssert2.cs | 2 +- .../ActivatorTests.cs | 4 +-- .../AnonymousImpersonation.cs | 4 +-- ...tedEncryptorDescriptorDeserializerTests.cs | 2 +- .../AuthenticatedEncryptorDescriptorTests.cs | 14 +++++----- ...uthenticatedEncryptorConfigurationTests.cs | 2 +- ...tedEncryptorDescriptorDeserializerTests.cs | 8 +++--- ...bcAuthenticatedEncryptorDescriptorTests.cs | 2 +- ...uthenticatedEncryptorConfigurationTests.cs | 2 +- ...tedEncryptorDescriptorDeserializerTests.cs | 8 +++--- ...cmAuthenticatedEncryptorDescriptorTests.cs | 2 +- ...uthenticatedEncryptorConfigurationTests.cs | 2 +- ...tedEncryptorDescriptorDeserializerTests.cs | 2 +- ...edAuthenticatedEncryptorDescriptorTests.cs | 2 +- .../Cng/CbcAuthenticatedEncryptorTests.cs | 8 +++--- .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 6 ++-- .../Cng/GcmAuthenticatedEncryptorTests.cs | 8 +++--- .../EphemeralDataProtectionProviderTests.cs | 2 +- .../KeyManagement/CacheableKeyRingTests.cs | 4 +-- .../KeyManagement/DefaultKeyResolverTests.cs | 6 ++-- .../KeyManagement/DeferredKeyTests.cs | 10 +++---- ...KeyEscrowServiceProviderExtensionsTests.cs | 2 +- .../KeyRingBasedDataProtectorTests.cs | 10 +++---- .../KeyManagement/KeyRingProviderTests.cs | 8 +++--- .../KeyManagement/KeyRingTests.cs | 4 +-- 
.../KeyManagement/KeyTests.cs | 6 ++-- .../KeyManagement/XmlKeyManagerTests.cs | 14 +++++----- .../ManagedAuthenticatedEncryptorTests.cs | 6 ++-- .../MockExtensions.cs | 10 +++---- .../RegistryPolicyResolverTests.cs | 10 +++---- .../EphemeralXmlRepositoryTests.cs | 2 +- .../FileSystemXmlRepositoryTests.cs | 4 +-- .../RegistryXmlRepositoryTests.cs | 4 +-- .../SP800_108/SP800_108Tests.cs | 6 ++-- .../SecretAssert.cs | 2 +- .../SecretTests.cs | 4 +-- .../SequentialGenRandom.cs | 6 ++-- .../StringLoggerFactory.cs | 2 +- .../XmlAssert.cs | 2 +- .../CertificateXmlEncryptionTests.cs | 2 +- .../DpapiNGXmlEncryptionTests.cs | 6 ++-- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 8 +++--- .../XmlEncryption/NullXmlEncryptionTests.cs | 2 +- .../XmlEncryptionExtensionsTests.cs | 4 +-- .../project.json | 6 ++-- 246 files changed, 534 insertions(+), 534 deletions(-) diff --git a/DataProtection.sln b/DataProtection.sln index b88d341b6c..684647bcdc 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -1,37 +1,37 @@ - + Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 VisualStudioVersion = 14.0.22710.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection", "src\Microsoft.AspNet.DataProtection\Microsoft.AspNet.DataProtection.xproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection", "src\Microsoft.AspNetCore.DataProtection\Microsoft.AspNetCore.DataProtection.xproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test", "test\Microsoft.AspNet.DataProtection.Test\Microsoft.AspNet.DataProtection.Test.xproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Test", "test\Microsoft.AspNetCore.DataProtection.Test\Microsoft.AspNetCore.DataProtection.Test.xproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal", "src\Microsoft.AspNet.Cryptography.Internal\Microsoft.AspNet.Cryptography.Internal.xproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.Internal", "src\Microsoft.AspNetCore.Cryptography.Internal\Microsoft.AspNetCore.Cryptography.Internal.xproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation", "src\Microsoft.AspNet.Cryptography.KeyDerivation\Microsoft.AspNet.Cryptography.KeyDerivation.xproj", 
"{421F0383-34B1-402D-807B-A94542513ABA}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation", "src\Microsoft.AspNetCore.Cryptography.KeyDerivation\Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj", "{421F0383-34B1-402D-807B-A94542513ABA}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNet.Cryptography.KeyDerivation.Test\Microsoft.AspNet.Cryptography.KeyDerivation.Test.xproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.Cryptography.Internal.Test", "test\Microsoft.AspNet.Cryptography.Internal.Test\Microsoft.AspNet.Cryptography.Internal.Test.xproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.Internal.Test", "test\Microsoft.AspNetCore.Cryptography.Internal.Test\Microsoft.AspNetCore.Cryptography.Internal.Test.xproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Abstractions", "src\Microsoft.AspNet.DataProtection.Abstractions\Microsoft.AspNet.DataProtection.Abstractions.xproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Abstractions", "src\Microsoft.AspNetCore.DataProtection.Abstractions\Microsoft.AspNetCore.DataProtection.Abstractions.xproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Abstractions.Test", 
"test\Microsoft.AspNet.DataProtection.Abstractions.Test\Microsoft.AspNet.DataProtection.Abstractions.Test.xproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Abstractions.Test", "test\Microsoft.AspNetCore.DataProtection.Abstractions.Test\Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Test.Shared", "test\Microsoft.AspNet.DataProtection.Test.Shared\Microsoft.AspNet.DataProtection.Test.Shared.xproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Test.Shared", "test\Microsoft.AspNetCore.DataProtection.Test.Shared\Microsoft.AspNetCore.DataProtection.Test.Shared.xproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Sources", "src\Microsoft.AspNet.DataProtection.Sources\Microsoft.AspNet.DataProtection.Sources.xproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Sources", "src\Microsoft.AspNetCore.DataProtection.Sources\Microsoft.AspNetCore.DataProtection.Sources.xproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.SystemWeb", "src\Microsoft.AspNet.DataProtection.SystemWeb\Microsoft.AspNet.DataProtection.SystemWeb.xproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.SystemWeb", "src\Microsoft.AspNetCore.DataProtection.SystemWeb\Microsoft.AspNetCore.DataProtection.SystemWeb.xproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = 
"Microsoft.AspNet.DataProtection.Extensions.Test", "test\Microsoft.AspNet.DataProtection.Extensions.Test\Microsoft.AspNet.DataProtection.Extensions.Test.xproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Extensions.Test", "test\Microsoft.AspNetCore.DataProtection.Extensions.Test\Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNet.DataProtection.Extensions", "src\Microsoft.AspNet.DataProtection.Extensions\Microsoft.AspNet.DataProtection.Extensions.xproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Extensions", "src\Microsoft.AspNetCore.DataProtection.Extensions\Microsoft.AspNetCore.DataProtection.Extensions.xproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index 1a8e5da220..ba44824cf4 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json 
@@ -9,18 +9,18 @@ "StrictSemanticVersionValidationRule" ], "packages": { - "Microsoft.AspNet.Cryptography.Internal": { }, - "Microsoft.AspNet.Cryptography.KeyDerivation": { }, - "Microsoft.AspNet.DataProtection": { }, - "Microsoft.AspNet.DataProtection.Abstractions": { }, - "Microsoft.AspNet.DataProtection.Extensions": { }, - "Microsoft.AspNet.DataProtection.SystemWeb": { } + "Microsoft.AspNetCore.Cryptography.Internal": { }, + "Microsoft.AspNetCore.Cryptography.KeyDerivation": { }, + "Microsoft.AspNetCore.DataProtection": { }, + "Microsoft.AspNetCore.DataProtection.Abstractions": { }, + "Microsoft.AspNetCore.DataProtection.Extensions": { }, + "Microsoft.AspNetCore.DataProtection.SystemWeb": { } } }, "adx-nonshipping": { "rules": [], "packages": { - "Microsoft.AspNet.DataProtection.Sources": { } + "Microsoft.AspNetCore.DataProtection.Sources": { } } }, "Default": { // Rules to run for packages not listed in any other set. diff --git a/makefile.shade b/makefile.shade index 46e9653763..5a3caf4c44 100644 --- a/makefile.shade +++ b/makefile.shade @@ -14,7 +14,7 @@ var BUILD_DIR_Local = '${Path.Combine(ROOT_Local, "build")}' #build-compile target='compile' if='IsLinux' @{ var projectFiles = Files.Include("src/**/project.json") - .Exclude("src/Microsoft.AspNet.DataProtection.SystemWeb/project.json") + .Exclude("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json") .ToList(); projectFiles.ForEach(projectFile => DotnetPack(projectFile, BUILD_DIR_Local, Configuration_Local)); diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs index fb0fef9476..0c074b8280 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs 
@@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/cc562981(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs index 42826a01b9..0d4139018f 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs @@ -3,9 +3,9 @@ using System; using System.Runtime.InteropServices; -using Microsoft.AspNet.Cryptography.Internal; +using Microsoft.AspNetCore.Cryptography.Internal; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375525(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs index 5ab8708f2e..c091859729 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375368(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs index 84661f6b0b..8fd699643e 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs 
+++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375370(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs index 8f6eaf89a2..81ae0105cc 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { [Flags] internal enum BCryptEncryptFlags diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs index 604b7401f3..ed20fec309 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { // from bcrypt.h [Flags] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs index eeae8a6c1b..a68569e799 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { // from bcrypt.h internal enum BCryptKeyDerivationBufferType diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs index 3da19bd054..86c86c64a8 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { /// /// Wraps utility BCRYPT APIs that don't work directly with handles. diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs index 8c958844c2..48e63685fd 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { /// /// Provides cached CNG algorithm provider instances, as calling BCryptOpenAlgorithmProvider is expensive. diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs index f51e53c653..a0c1bc0fc4 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { [Flags] internal enum NCryptEncryptFlags diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs index 5903624dc5..0d09a0b6f8 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { internal static class OSVersionUtil { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs index de480bb536..44b0568aa8 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { // The majority of these are from bcrypt.h internal static class Constants diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs index fc2bdb9404..bc8bc56d54 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs 
@@ -6,14 +6,14 @@ using System.Diagnostics; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.Internal; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.Internal; #if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { internal unsafe static class CryptoUtil { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs index 8222f4f23a..3c307bebce 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { // http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx [StructLayout(LayoutKind.Sequential)] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs index f9bcc24835..4263ed47d2 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs 
@@ -9,12 +9,12 @@ using System.Runtime.InteropServices; // we only ever p/invoke into DLLs known to be in the System32 folder [assembly: DefaultDllImportSearchPaths(DllImportSearchPath.System32)] -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.Internal.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test, 
PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.Cryptography.Internal.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.Cryptography.KeyDerivation, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: 
InternalsVisibleTo("Microsoft.AspNetCore.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Test, 
PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs index 3732eae0dc..8d910ded82 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs @@ -1,5 +1,5 @@ // -namespace Microsoft.AspNet.Cryptography.Internal +namespace Microsoft.AspNetCore.Cryptography.Internal { using System.Globalization; using System.Reflection; @@ -8,7 +8,7 @@ namespace Microsoft.AspNet.Cryptography.Internal internal static class Resources { private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.Cryptography.Internal.Resources", typeof(Resources).GetTypeInfo().Assembly); + = new ResourceManager("Microsoft.AspNetCore.Cryptography.Internal.Resources", typeof(Resources).GetTypeInfo().Assembly); /// /// A provider could not be found for algorithm '{0}'. diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs index 209eafb182..45f4c4e041 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs 
@@ -5,10 +5,10 @@ using System; using System.Diagnostics; using System.Globalization; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.Internal; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.Internal; -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { /// /// Represents a handle to a BCrypt algorithm provider from which keys and hashes can be created. diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs index d27d85f599..66b2c1dbd4 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs @@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { internal unsafe abstract class BCryptHandle : SafeHandleZeroOrMinusOneIsInvalid { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs index e7875c2e0c..dace0f23ae 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs @@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { internal unsafe sealed class BCryptHashHandle : BCryptHandle { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs index 4b8e0a406a..cd7d05f8e3 100644 
--- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { internal sealed class BCryptKeyHandle : BCryptHandle { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs index e048f45ec6..852c5d1594 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs @@ -5,7 +5,7 @@ using System; using System.Runtime.InteropServices; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { /// /// Represents a handle returned by LocalAlloc. diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs index 33032dfef5..3a181cf06b 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs @@ -4,7 +4,7 @@ using System; using Microsoft.Win32.SafeHandles; -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { internal unsafe sealed class NCryptDescriptorHandle : SafeHandleZeroOrMinusOneIsInvalid { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index 4636644297..28920c4fc8 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs 
+++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs @@ -10,7 +10,7 @@ using Microsoft.Win32.SafeHandles; using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { /// /// Represents a handle to a Windows module (DLL). diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index 36dc73ea10..527c26d33d 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs @@ -8,7 +8,7 @@ using System.Runtime.InteropServices; using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { /// /// Represents a handle returned by LocalAlloc. diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs index 5f2daef596..3645878af1 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs @@ -4,13 +4,13 @@ using System; using System.Runtime.CompilerServices; using System.Threading; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography.SafeHandles; #if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { internal unsafe static class UnsafeBufferUtil { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs index 514b1fde51..1de8dbc200 100644 
--- a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs @@ -8,15 +8,15 @@ using System.Runtime.InteropServices; using System.Security; using System.Security.Cryptography; using System.Threading; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; #if !DOTNET5_4 using System.Runtime.ConstrainedExecution; #endif -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { #if !DOTNET5_4 [SuppressUnmanagedCodeSecurity] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs index 55769de2c4..71b77a58e5 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs @@ -5,7 +5,7 @@ using System; using System.Diagnostics; using System.Threading; -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { internal static class WeakReferenceHelpers { diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs index e5c6204cec..67ff1ca420 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; +using Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2; -namespace Microsoft.AspNet.Cryptography.KeyDerivation +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation { /// /// Provides algorithms for performing key derivation. diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs index 83ed7419e4..fdd2f4881c 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.KeyDerivation +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation { /// /// Specifies the PRF which should be used for the key derivation algorithm. diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs index 9614a735f5..8be8a5e809 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2 { /// /// Internal interface used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs index b7e6a21d41..bf81ae65c5 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs 
+++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs @@ -6,7 +6,7 @@ using System.Diagnostics; using System.Security.Cryptography; using System.Text; -namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the managed hash algorithm classes as PRFs. diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs index ffa721e1fd..dbe5a4120d 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.Cng; -namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2 { /// /// Internal base class used for abstracting away the PBKDF2 implementation since the implementation is OS-specific. diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs index 9219d1b509..4c359b80f4 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs 
@@ -4,10 +4,10 @@ using System; using System.Diagnostics; using System.Text; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the Win7 API BCryptDeriveKeyPBKDF2. diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs index e00906ba22..296e85b7dd 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs @@ -5,10 +5,10 @@ using System; using System.Diagnostics; using System.Runtime.CompilerServices; using System.Text; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; -namespace Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2 +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2 { /// /// A PBKDF2 provider which utilizes the Win8 API BCryptKeyDerivation. diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs index 5a85d1db36..f23a5a16ff 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs 
@@ -5,6 +5,6 @@ using System.Reflection; using System.Resources; using System.Runtime.CompilerServices; -[assembly: InternalsVisibleTo("Microsoft.AspNet.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index 179a389151..e589a39619 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -6,7 +6,7 @@ "url": "git://github.com/aspnet/dataprotection" }, "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*" + "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs index 80d51df898..e3e361a3a8 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs 
@@ -6,7 +6,7 @@ using System.Diagnostics; using System.Runtime.CompilerServices; using System.Security.Cryptography; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal static class CryptoUtil { diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs index 94f2e3abb1..6946dbeaaa 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -5,11 +5,11 @@ using System; using System.Collections.Generic; using System.ComponentModel; using System.Diagnostics; -using Microsoft.AspNet.DataProtection.Infrastructure; -using Microsoft.AspNet.DataProtection.Abstractions; +using Microsoft.AspNetCore.DataProtection.Infrastructure; +using Microsoft.AspNetCore.DataProtection.Abstractions; using Microsoft.Extensions.PlatformAbstractions; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Helpful extension methods for data protection APIs. diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs index a72ace32ca..18b93c0ac7 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs @@ -3,9 +3,9 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.DataProtection.Abstractions; +using Microsoft.AspNetCore.DataProtection.Abstractions; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal static class Error { diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs index cb57593ada..603fad789f 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// An interface that can be used to create instances. diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs index 22b89cea49..2cea1c2732 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// An interface that can provide data protection services. diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs index 09421199e2..d8c3af376f 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs @@ -4,7 +4,7 @@ using System; using System.ComponentModel; -namespace Microsoft.AspNet.DataProtection.Infrastructure +namespace Microsoft.AspNetCore.DataProtection.Infrastructure { /// /// Provides information used to discriminate applications. 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs index 568d44be98..b90d989663 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs @@ -6,6 +6,6 @@ using System.Resources; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs index c89ea1509b..b8bfe383ee 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs 
@@ -1,5 +1,5 @@ // -namespace Microsoft.AspNet.DataProtection.Abstractions +namespace Microsoft.AspNetCore.DataProtection.Abstractions { using System.Globalization; using System.Reflection; @@ -8,7 +8,7 @@ namespace Microsoft.AspNet.DataProtection.Abstractions internal static class Resources { private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.DataProtection.Abstractions.Resources", typeof(Resources).GetTypeInfo().Assembly); + = new ResourceManager("Microsoft.AspNetCore.DataProtection.Abstractions.Resources", typeof(Resources).GetTypeInfo().Assembly); /// /// The payload was invalid. diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs index 00d27cc48f..607fc7e35e 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs @@ -4,7 +4,7 @@ using System; using System.Diagnostics; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { // Internal copy of HttpAbstractions functionality. internal static class WebEncoders diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index f96c056086..9b3e55b1bd 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -6,7 +6,7 @@ "url": "git://github.com/aspnet/dataprotection" }, "dependencies": { - "Microsoft.AspNet.DataProtection.Sources": { + "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", "version": "" }, diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs index 077df9cebd..eb2063fbd8 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal static class BitHelpers { diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs index 208153c820..85ae629d69 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { public static class DataProtectionExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs index 43764a0274..0ccb6eb22d 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs @@ -5,7 +5,7 @@ using System; using System.IO; using Microsoft.Extensions.DependencyInjection; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// A simple implementation of an where keys are stored diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs index d211083729..fe8904be6f 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// An interface that can provide data protection services where payloads have diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs index b14a9ed7cb..83dac2932b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs @@ -5,6 +5,6 @@ using System.Reflection; using System.Resources; using System.Runtime.CompilerServices; -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs index 76aaef653d..12a8e114f3 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs @@ -1,5 +1,5 @@ // -namespace Microsoft.AspNet.DataProtection.Extensions +namespace Microsoft.AspNetCore.DataProtection.Extensions { using System.Globalization; using System.Reflection; @@ -8,7 +8,7 @@ namespace Microsoft.AspNet.DataProtection.Extensions internal static class Resources { private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.DataProtection.Extensions.Resources", typeof(Resources).GetTypeInfo().Assembly); + = new ResourceManager("Microsoft.AspNetCore.DataProtection.Extensions.Resources", typeof(Resources).GetTypeInfo().Assembly); /// /// An error occurred during a cryptographic operation. diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs index 76c72d0b6f..2037ce5f05 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs @@ -4,9 +4,9 @@ using System; using System.Security.Cryptography; using System.Threading; -using Microsoft.AspNet.DataProtection.Extensions; +using Microsoft.AspNetCore.DataProtection.Extensions; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Wraps an existing and appends a purpose that allows @@ -14,7 +14,7 @@ namespace Microsoft.AspNet.DataProtection /// internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector { - private const string MyPurposeString = "Microsoft.AspNet.DataProtection.TimeLimitedDataProtector.v1"; + private const string MyPurposeString = "Microsoft.AspNetCore.DataProtection.TimeLimitedDataProtector.v1"; private readonly IDataProtector _innerProtector; private IDataProtector _innerProtectorWithTimeLimitedPurpose; // created on-demand 
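Review bot: In the second TimeLimitedDataProtector.cs hunk, the `MyPurposeString` literal is renamed along with the namespace, but it is not a namespace reference. The class summary says the wrapper appends a purpose to the inner protector, so this string presumably feeds the purpose chain that keys are derived from; the code that consumes it is outside the hunk. If so, time-limited payloads protected by a build using the old value would no longer unprotect after this change. Either keep the old value with a comment, `private const string MyPurposeString = "Microsoft.AspNet.DataProtection.TimeLimitedDataProtector.v1"; // persisted purpose identifier, do not rename with the namespace`, or state the break in the commit message. A round-trip test that pins the literal would catch an unintended change later.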
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index a77cbdb168..373bb0dd26 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -6,8 +6,8 @@ "url": "git://github.com/aspnet/dataprotection" }, "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Sources": { + "Microsoft.AspNetCore.DataProtection": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", "version": "" }, diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs b/src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs index 060ab88b26..67b99eac3b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs @@ -4,7 +4,7 @@ using System; using System.Text; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal static class EncodingUtil { diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs index 44e7d05ede..f441935d13 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs @@ -4,7 +4,7 @@ using System; using System.Security.Cryptography; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal static class ExceptionExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs index c352ad5eb0..f6d238152e 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs @@ -6,7 +6,7 @@ using System.ComponentModel; using System.Configuration; using System.Security.Cryptography; -namespace Microsoft.AspNet.DataProtection.SystemWeb +namespace Microsoft.AspNetCore.DataProtection.SystemWeb { /// /// A that can be used by ASP.NET 4.x to interact with ASP.NET 5's diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs index e9300f13bf..80904b9b75 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs @@ -5,10 +5,10 @@ using System; using System.Configuration; using System.Web; using System.Web.Configuration; -using Microsoft.AspNet.DataProtection.Infrastructure; +using Microsoft.AspNetCore.DataProtection.Infrastructure; using Microsoft.Extensions.DependencyInjection; -namespace Microsoft.AspNet.DataProtection.SystemWeb +namespace Microsoft.AspNetCore.DataProtection.SystemWeb { /// /// Allows controlling the configuration of the ASP.NET 5 Data Protection system. diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs index 2a33533a17..802e2366d7 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs @@ -1,5 +1,5 @@ // -namespace Microsoft.AspNet.DataProtection.SystemWeb +namespace Microsoft.AspNetCore.DataProtection.SystemWeb { using System.Globalization; using System.Reflection; 
@@ -8,7 +8,7 @@ namespace Microsoft.AspNet.DataProtection.SystemWeb internal static class Resources { private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.DataProtection.SystemWeb.Resources", typeof(Resources).GetTypeInfo().Assembly); + = new ResourceManager("Microsoft.AspNetCore.DataProtection.SystemWeb.Resources", typeof(Resources).GetTypeInfo().Assembly); /// /// A call to Protect failed. This most likely means that the data protection system is misconfigured. See the inner exception for more information. diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json index a23a97b559..39b2a10314 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json @@ -8,7 +8,7 @@ "frameworks": { "net451": { "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.0.0-*" }, "frameworkAssemblies": { diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform index 470f2ca79c..9ac2268152 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform @@ -1,14 +1,14 @@ - + - + diff --git a/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs index 5004cd0745..3f1000ae2f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs 
@@ -3,11 +3,11 @@ using System; using System.Reflection; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.Internal; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Extension methods for working with . diff --git a/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs b/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs index 1d237d124e..f73a745b1e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs +++ b/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Signifies that the should bind this property from the registry. diff --git a/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs index f4f0ccb0d2..6f3e5bb99c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal static class ArraySegmentExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs index 0e92a60cf9..cd3dd8432e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; +using Microsoft.AspNetCore.Cryptography; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { internal static class AlgorithmAssert { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs index 5692ed2488..994c54ca65 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs @@ -3,12 +3,12 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// Options for configuring authenticated encryption algorithms. diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs index 5ffb4ec4a1..02de8effda 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; +using Microsoft.AspNetCore.Cryptography; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { internal static class AuthenticatedEncryptorExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs index 985bdccdb2..53e5585992 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs @@ -2,14 +2,14 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// Options for configuring an authenticated encryption mechanism which uses 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs index 4a20217bbe..c38097d011 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs @@ -2,14 +2,14 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// Options for configuring an authenticated encryption mechanism which uses diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs index 408ab869b4..0538419756 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// Represents a generalized authenticated encryption mechanism. diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs index 7ff60f6985..381fd064ab 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A descriptor which can create an authenticated encryption system based upon the diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs index c636872214..02e982d5b4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -5,7 +5,7 @@ using System; using System.Linq; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A class that can deserialize an that represents the serialized version diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs index 54fee95ae8..a8a809ca3e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// Represents a configured authenticated encryption mechanism which uses diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs index 349ec1777b..dee72f1e72 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs 
@@ -5,7 +5,7 @@ using System; using System.Xml.Linq; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A descriptor which can create an authenticated encryption system based upon the diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs index 02972262da..a0169396cb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A class that can deserialize an that represents the serialized version diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs index 1e587a0ffb..68663261e3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs 
@@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// Represents a configured authenticated encryption mechanism which uses diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs index 27a7eacbdf..28c293bce6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs @@ -5,7 +5,7 @@ using System; using System.Xml.Linq; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A descriptor which can create an authenticated encryption system based upon the diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs index b7fc2630c8..270bd7908b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A class that can deserialize an that represents the serialized version diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs index f43cba9103..359e0a19e4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { internal static class ConfigurationCommon { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs index e22e5974a0..0d863bf7ab 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// The basic configuration that serves as a factory for types related to authenticated encryption. 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs index 7f46726652..f4c5128483 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A self-contained descriptor that wraps all information (including secret key diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs index c725f58675..c1db3bcc91 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs @@ -3,7 +3,7 @@ using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// The basic interface for deserializing an XML element into an . 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs index 238214fde5..bd5ba204dd 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs @@ -4,7 +4,7 @@ using System; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { // This type is not public because we don't want to lock ourselves into a contract stating // that a descriptor is simply a configuration plus a single serializable, reproducible secret. diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs index 3b5bdd4545..94d53bb3f1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// Represents a configured authenticated encryption mechanism which uses 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs index 41abf273c7..6913a7ac12 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs @@ -6,7 +6,7 @@ using System.Security.Cryptography; using System.Xml.Linq; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A descriptor which can create an authenticated encryption system based upon the diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs index 824d6008e9..757af298b1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs @@ -5,7 +5,7 @@ using System; using System.Security.Cryptography; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A class that can deserialize an that represents the serialized version 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs index 19a08ed92b..c8d3364101 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { internal unsafe static class SecretExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs index 858813161d..572a0cba59 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { public static class XmlExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs index 31a770a0d8..1b935d8e15 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs @@ -5,7 +5,7 @@ using System; using System.Reflection; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// Wraps an that contains the XML-serialized representation of an diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs index f1410fd162..20eec3eccd 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// Specifies a symmetric encryption algorithm to use for providing confidentiality diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs index c6f53788f5..5ec2fa8444 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// The basic interface for providing an authenticated encryption and decryption routine. 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs index f89afefa78..ba9c7b25e8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// Implemented by our options classes to generalize creating configuration objects. diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs index 6a57c66357..3cc0a7ca92 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// An optimized encryptor that can avoid buffer allocations in common code paths. 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs index 533f843420..038680fe6b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs @@ -3,12 +3,12 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.Managed; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Managed; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// Options for configuring an authenticated encryption mechanism which uses diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs index 394e0a898d..520cb707a4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// /// Specifies a message authentication algorithm to use for providing tamper-proofing diff --git a/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs b/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs index 9356507d77..65e7415008 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs +++ b/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.CompilerServices; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal unsafe static class BitHelpers { diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs index 73b0658d55..5bdceabb6d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.Cng; -namespace Microsoft.AspNet.DataProtection.Cng +namespace Microsoft.AspNetCore.DataProtection.Cng { internal unsafe sealed class BCryptGenRandomImpl : IBCryptGenRandom { diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index f54d9f6eb2..f9648ed28a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs 
@@ -2,14 +2,14 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.Cng.Internal; -using Microsoft.AspNet.DataProtection.SP800_108; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.Cng.Internal; +using Microsoft.AspNetCore.DataProtection.SP800_108; -namespace Microsoft.AspNet.DataProtection.Cng +namespace Microsoft.AspNetCore.DataProtection.Cng { // An encryptor which does Encrypt(CBC) + HMAC using the Windows CNG (BCrypt*) APIs. // The payloads produced by this encryptor should be compatible with the payloads diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs index 6fd62e9726..48e4ff4476 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -7,10 +7,10 @@ using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.SafeHandles; -namespace Microsoft.AspNet.DataProtection.Cng +namespace Microsoft.AspNetCore.DataProtection.Cng { internal unsafe static class DpapiSecretSerializerHelper { 
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index 027f5c1da1..b751437f26 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs @@ -2,14 +2,14 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.Cng.Internal; -using Microsoft.AspNet.DataProtection.SP800_108; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.Cng.Internal; +using Microsoft.AspNetCore.DataProtection.SP800_108; -namespace Microsoft.AspNet.DataProtection.Cng +namespace Microsoft.AspNetCore.DataProtection.Cng { // GCM is defined in NIST SP 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). // Heed closely the uniqueness requirements called out in Sec. 8: the probability that the GCM encryption diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs index d46194422f..e1cf9b7dbe 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.Cng +namespace Microsoft.AspNetCore.DataProtection.Cng { internal unsafe interface IBCryptGenRandom { 
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs index 68f933fded..7b7e3e2d79 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.DataProtection.Cng.Internal +namespace Microsoft.AspNetCore.DataProtection.Cng.Internal { /// /// Base class used for all CNG-related authentication encryption operations. diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs index 4c4a8ae129..81541c22e4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs @@ -4,9 +4,9 @@ using System; using System.ComponentModel; using System.IO; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Win32; 
@@ -15,7 +15,7 @@ using Microsoft.Win32; using System.Security.Cryptography.X509Certificates; #endif -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Provides access to configuration for the data protection system, which allows the diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs index 10ecb56b40..c8707da1c3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Provides global options for the Data Protection system. diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs index 2beea59828..d9ec04dded 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs @@ -2,11 +2,11 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Options; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Contains static factory methods for creating instances. diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index cd6dbbd571..3e967c0397 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection; +using Microsoft.AspNetCore.DataProtection; using Microsoft.Extensions.DependencyInjection.Extensions; namespace Microsoft.Extensions.DependencyInjection diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs index 67cb036f1f..d21e1e095d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs @@ -3,13 +3,13 @@ using System; using System.IO; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.AspNet.DataProtection.Repositories; -using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.Options; using Microsoft.Win32; diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs index efef3fe5ca..a76e46dfd9 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs @@ -3,13 +3,13 @@ using System; using System.Collections.Generic; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.DataProtection; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; -using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.Extensions.Logging; using Microsoft.Win32; diff --git a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs index 4ad566865e..a7fd46f37d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs 
@@ -2,13 +2,13 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.KeyManagement; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// An that is transient. diff --git a/src/Microsoft.AspNetCore.DataProtection/Error.cs b/src/Microsoft.AspNetCore.DataProtection/Error.cs index 846cb09bc0..740fb7c5d3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Error.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Error.cs @@ -5,7 +5,7 @@ using System; using System.Globalization; using System.Security.Cryptography; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal static class Error { diff --git a/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs index 2004cef3d2..0e0310cd1d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// An interface that can provide data protection services for data which has been persisted diff --git a/src/Microsoft.AspNetCore.DataProtection/ISecret.cs b/src/Microsoft.AspNetCore.DataProtection/ISecret.cs index 6972dc72bf..4010bc6445 100644 --- a/src/Microsoft.AspNetCore.DataProtection/ISecret.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/ISecret.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Represents a secret value. diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs index 2adb8efa37..189e2ab303 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.Internal +namespace Microsoft.AspNetCore.DataProtection.Internal { /// /// An interface into that also supports diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs index cd3945505d..687b1de048 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -4,12 +4,12 @@ using System; using System.Collections.Generic; using System.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// Implements policy for resolving the default key from a candidate keyring. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs index 591c9bd68d..1fe5f0a5d3 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs @@ -2,13 +2,13 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; -using Microsoft.AspNet.DataProtection.Repositories; -using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { internal sealed class DefaultKeyServices : IDefaultKeyServices { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs index 18c795d165..36b7bb0d7d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs 
@@ -3,12 +3,12 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; -using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// The basic implementation of , where the incoming XML element diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs index fd0f736ffb..f9ef009f7a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// The basic interface for representing an authenticated encryption key. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs index 5ce6fbcbdb..64b94e844e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs 
@@ -3,9 +3,9 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.Repositories; +using Microsoft.AspNetCore.DataProtection.Repositories; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// The basic interface for implementing a key escrow sink. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs index 21ed28c40f..6debf4ac96 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs @@ -5,7 +5,7 @@ using System; using System.Collections.Generic; using System.Threading; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// The basic interface for performing key management operations. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs index 090c150949..58b31f61a8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs @@ -5,7 +5,7 @@ using System; using System.Collections.Generic; using System.Threading; -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { /// /// Wraps both a keyring and its expiration policy. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs index 8a4a536665..f458092b5f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { public struct DefaultKeyResolution { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs index 1b5feb6c7a..367080f2b8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { public interface ICacheableKeyRingProvider { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs index 8c3e2381da..f891d0d4fb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs @@ -4,7 +4,7 @@ using System; using System.Collections.Generic; -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { /// /// Implements policy for resolving the default key from a candidate keyring. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs index dd5d9bb012..0552187f58 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs @@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.Repositories; -using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { /// /// Provides default implementations of the services required by an . diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs index 47f419f340..9ebaa4c63c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs @@ -3,9 +3,9 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { public interface IInternalXmlKeyManager { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs index e5b144c9d8..60ff02f2ed 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs 
@@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { /// /// The basic interface for accessing a read-only keyring. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs index e532d024a8..3a507f1250 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -namespace Microsoft.AspNet.DataProtection.KeyManagement.Internal +namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { public interface IKeyRingProvider { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs index 2bc5efc253..5e5b9766b0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs 
@@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// The basic implementation of , where the diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs index 9429573ade..1afc6237b3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// The basic implementation of . diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs index e6431c50a4..85f1f62451 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs 
@@ -7,7 +7,7 @@ using System.Linq; using System.Xml.Linq; using Microsoft.Extensions.DependencyInjection; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { internal static class KeyEscrowServiceProviderExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs index 748c4f1185..5cd05bdb9b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { internal static class KeyExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs index c78409a1be..65652ea0cb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// Options that control how an should behave. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs index f8cc2d106d..8ebcdb8c45 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs 
@@ -4,10 +4,10 @@ using System; using System.Collections.Generic; using System.Threading; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// A basic implementation of . diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs index cecf9c1bfc..7ed4124f9f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs @@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { internal unsafe sealed class KeyRingBasedDataProtectionProvider : IDataProtectionProvider { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index b14819ec80..59c48e75a9 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -7,12 +7,12 @@ using System.Diagnostics; using System.IO; using System.Linq; using System.Threading; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { internal unsafe sealed class KeyRingBasedDataProtector : IDataProtector, IPersistedDataProtector { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs index 0ac3579b2c..93a8a4b29b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs @@ -5,12 +5,12 @@ using System; using System.Collections.Generic; using System.Diagnostics; using System.Threading; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { internal sealed class KeyRingProvider : ICacheableKeyRingProvider, IKeyRingProvider { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs index 0ced2fea20..43d8757b67 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs @@ -9,18 +9,18 @@ using System.Runtime.CompilerServices; using System.Threading; using System.Xml; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.Internal; -using Microsoft.AspNet.DataProtection.KeyManagement.Internal; -using Microsoft.AspNet.DataProtection.Repositories; -using Microsoft.AspNet.DataProtection.XmlEncryption; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Internal; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using static System.FormattableString; -namespace Microsoft.AspNet.DataProtection.KeyManagement +namespace Microsoft.AspNetCore.DataProtection.KeyManagement { /// /// A key manager backed by an . diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs index 43c2cd1448..af854158ec 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs @@ -3,9 +3,9 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography; +using Microsoft.AspNetCore.Cryptography; -namespace Microsoft.AspNet.DataProtection.Managed +namespace Microsoft.AspNetCore.DataProtection.Managed { internal static class HashAlgorithmExtensions { 
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs index a96511b94b..1d08f1e7d8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.Managed +namespace Microsoft.AspNetCore.DataProtection.Managed { internal interface IManagedGenRandom { diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 03841b485a..b381eb0ee4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -4,11 +4,11 @@ using System; using System.IO; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.SP800_108; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.SP800_108; -namespace Microsoft.AspNet.DataProtection.Managed +namespace Microsoft.AspNetCore.DataProtection.Managed { // An encryptor which does Encrypt(CBC) + HMAC using SymmetricAlgorithm and HashAlgorithm. // The payloads produced by this encryptor should be compatible with the payloads diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs index 4b94c473dc..31100a0ef0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs 
@@ -4,7 +4,7 @@ using System; using System.Security.Cryptography; -namespace Microsoft.AspNet.DataProtection.Managed +namespace Microsoft.AspNetCore.DataProtection.Managed { internal unsafe sealed class ManagedGenRandomImpl : IManagedGenRandom { diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs index aa31f58288..d411ce26c0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs @@ -3,9 +3,9 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography; +using Microsoft.AspNetCore.Cryptography; -namespace Microsoft.AspNet.DataProtection.Managed +namespace Microsoft.AspNetCore.DataProtection.Managed { internal static class SymmetricAlgorithmExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs b/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs index 885b71f570..be87e3cde5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs +++ b/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs @@ -3,9 +3,9 @@ using System; using System.Runtime.InteropServices; -using Microsoft.AspNet.Cryptography; +using Microsoft.AspNetCore.Cryptography; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Wrappers around CryptProtectMemory / CryptUnprotectMemory. diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs index 7467d96a44..441f834f11 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs 
@@ -6,7 +6,7 @@ using System.Resources; using System.Runtime.CompilerServices; // for unit testing -[assembly: InternalsVisibleTo("Microsoft.AspNet.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs index 2d88c5206c..1b9830d44b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs @@ -1,5 +1,5 @@ // -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { using System.Globalization; using System.Reflection; 
@@ -8,7 +8,7 @@ namespace Microsoft.AspNet.DataProtection internal static class Resources { private static readonly ResourceManager _resourceManager - = new ResourceManager("Microsoft.AspNet.DataProtection.Resources", typeof(Resources).GetTypeInfo().Assembly); + = new ResourceManager("Microsoft.AspNetCore.DataProtection.Resources", typeof(Resources).GetTypeInfo().Assembly); /// /// An error occurred during a cryptographic operation. diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs index bd5447d172..5fd5188953 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs @@ -6,13 +6,13 @@ using System.Collections.Generic; using System.Globalization; using System.Linq; using System.Reflection; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNet.DataProtection.KeyManagement; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.DependencyInjection; using Microsoft.Win32; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// A type which allows reading policy from the system registry. @@ -85,7 +85,7 @@ namespace Microsoft.AspNet.DataProtection /// public static ServiceDescriptor[] ResolveDefaultPolicy() { - RegistryKey subKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNet.DataProtection"); + RegistryKey subKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection"); if (subKey != null) { using (subKey) 
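Review bot: In `ResolveDefaultPolicy` (RegistryPolicyResolver.cs, hunk `-85,7 +85,7`) the changed `OpenSubKey` path is a runtime behaviour change, not just part of the namespace rename: policy an administrator already wrote under `SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNet.DataProtection` will no longer be opened. The next visible line is `if (subKey != null)`, so a host that has only the old key presumably continues without registry policy and without an error, and any machine-wide data-protection setting stored there would be dropped silently on upgrade. I would record the break on the method, e.g. `// Policy key moved with the AspNetCore rename; values under ...\Microsoft.AspNet.DataProtection are no longer read.`, or make an explicit decision about reading the old path when the new one is absent. The method body continues past the end of the hunk, so the missing-key path is not visible here.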
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs index e277488ca0..35ebca2067 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs @@ -7,7 +7,7 @@ using System.Linq; using System.Xml.Linq; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.Repositories +namespace Microsoft.AspNetCore.DataProtection.Repositories { /// /// An ephemeral XML repository backed by process memory. This class must not be used for diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index a31038deab..6e2eb99992 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -9,7 +9,7 @@ using System.Linq; using System.Xml.Linq; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.Repositories +namespace Microsoft.AspNetCore.DataProtection.Repositories { /// /// An XML repository backed by a file system. diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs index fa8301e7e8..d62422d55e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs @@ -5,7 +5,7 @@ using System; using System.Collections.Generic; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.Repositories +namespace Microsoft.AspNetCore.DataProtection.Repositories { /// /// The basic interface for storing and retrieving XML elements. 
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs index c809cdce79..63263223e7 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs @@ -11,7 +11,7 @@ using Microsoft.Win32; using static System.FormattableString; -namespace Microsoft.AspNet.DataProtection.Repositories +namespace Microsoft.AspNetCore.DataProtection.Repositories { /// /// An XML repository backed by the Windows registry. diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs index bc4fc9f82a..f7e6aecdb1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.SP800_108 +namespace Microsoft.AspNetCore.DataProtection.SP800_108 { internal unsafe interface ISP800_108_CTR_HMACSHA512Provider : IDisposable { diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs index 0e5ce8fb5f..4991121eb2 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs 
@@ -3,10 +3,10 @@ using System; using System.Security.Cryptography; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.Managed; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.Managed; -namespace Microsoft.AspNet.DataProtection.SP800_108 +namespace Microsoft.AspNetCore.DataProtection.SP800_108 { internal static class ManagedSP800_108_CTR_HMACSHA512 { diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs index 82bfa56efc..8900bed9ed 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs @@ -2,9 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; +using Microsoft.AspNetCore.Cryptography; -namespace Microsoft.AspNet.DataProtection.SP800_108 +namespace Microsoft.AspNetCore.DataProtection.SP800_108 { internal unsafe static class SP800_108_CTR_HMACSHA512Extensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index 770fa36a28..b55d5cf9af 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs 
@@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; -namespace Microsoft.AspNet.DataProtection.SP800_108 +namespace Microsoft.AspNetCore.DataProtection.SP800_108 { /// /// Provides an implementation of the SP800-108-CTR-HMACSHA512 key derivation function. diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs index 3df74326ca..063d3c8ad8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs @@ -2,11 +2,11 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; -namespace Microsoft.AspNet.DataProtection.SP800_108 +namespace Microsoft.AspNetCore.DataProtection.SP800_108 { internal unsafe sealed class Win7SP800_108_CTR_HMACSHA512Provider : ISP800_108_CTR_HMACSHA512Provider { diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs index 846fb525f0..f57c5a7a27 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs 
@@ -2,11 +2,11 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; -namespace Microsoft.AspNet.DataProtection.SP800_108 +namespace Microsoft.AspNetCore.DataProtection.SP800_108 { internal unsafe sealed class Win8SP800_108_CTR_HMACSHA512Provider : ISP800_108_CTR_HMACSHA512Provider { diff --git a/src/Microsoft.AspNetCore.DataProtection/Secret.cs b/src/Microsoft.AspNetCore.DataProtection/Secret.cs index 88a1bc3fda..15daf4fac5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Secret.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Secret.cs @@ -2,12 +2,12 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.Managed; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.Managed; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Represents a secret value stored in memory. diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs index 178df37159..0e35c06a6b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs 
@@ -4,7 +4,7 @@ using System; using System.Reflection; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Helpful extension methods on . diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs b/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs index 57a396903d..9908e8e138 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Contains XLinq constants. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs index 765e0d4e7f..00f19f090f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs @@ -6,7 +6,7 @@ using System; using System.Security.Cryptography.X509Certificates; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// A default implementation of that looks in the current user diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index e38928dbbf..09c64ab976 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs 
@@ -8,11 +8,11 @@ using System.Security.Cryptography.X509Certificates; using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; +using Microsoft.AspNetCore.Cryptography; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// An that can perform XML encryption by using an X.509 certificate. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs index 1b2d523267..e0d3fafe62 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs @@ -3,7 +3,7 @@ using System; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// Flags used to control the creation of protection descriptors. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index 8062968e57..af35d69bd8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -3,11 +3,11 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// An that decrypts XML elements that were encrypted with . 
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index ec9eae530b..cc303bec31 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -4,14 +4,14 @@ using System; using System.Security.Principal; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.Extensions.Logging; using static System.FormattableString; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// A class that can encrypt XML elements using Windows DPAPI:NG. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index 0a65c22538..6b331f9626 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs @@ -3,11 +3,11 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// An that decrypts XML elements that were encrypted with . 
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index f99ee99c05..54d52c39aa 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -4,11 +4,11 @@ using System; using System.Security.Principal; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.Cng; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// An that encrypts XML by using Windows DPAPI. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs index ce9c8ee9ff..ac3edc0e3c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs @@ -11,7 +11,7 @@ using System; using System.Xml.Linq; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { internal sealed class EncryptedXmlDecryptor : IXmlDecryptor { diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index 713f85f06c..5690ca8569 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs 
@@ -9,7 +9,7 @@ using System.Xml; using System.Xml.Linq; using Microsoft.Extensions.DependencyInjection; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// An that decrypts XML elements by using the class. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs index e12016a4e1..17e2a01e4e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs @@ -5,7 +5,7 @@ using System; using System.Reflection; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// Wraps an that contains a blob of encrypted XML diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs index 5a6f0b9f27..d87a1ec2dc 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs @@ -5,7 +5,7 @@ using System.Security.Cryptography.X509Certificates; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// Provides services for locating instances. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs index ec30a73f44..5507b6856c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs 
@@ -7,7 +7,7 @@ using System; using System.Xml; using System.Security.Cryptography.Xml; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// Internal implementation details of for unit testing. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs index afc9a2092c..b54bbcd8f8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs @@ -6,7 +6,7 @@ using System; using System.Security.Cryptography.Xml; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// Internal implementation details of for unit testing. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs index dac3935544..1ada323d21 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs @@ -3,7 +3,7 @@ using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// The basic interface for decrypting an XML element. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs index aea3cbb051..40a87d1a8d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs 
@@ -3,7 +3,7 @@ using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// The basic interface for encrypting XML elements. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs index f5d8fe1cb5..f8de45f23d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs @@ -5,7 +5,7 @@ using System; using System.Linq; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// An that decrypts XML elements with a null decryptor. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs index c110ed2d4c..0f3100b859 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs @@ -5,7 +5,7 @@ using System; using System.Xml.Linq; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// /// An that encrypts XML elements with a null encryptor. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index 44ec3abe0c..6505412959 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs 
@@ -7,11 +7,11 @@ using System.Diagnostics; using System.IO; using System.Linq; using System.Xml.Linq; -using Microsoft.AspNet.Cryptography; -using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNet.DataProtection.Internal; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Internal; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { internal unsafe static class XmlEncryptionExtensions { diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs index 7340baf281..bc08eb2b3d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs @@ -4,7 +4,7 @@ using System; using System.Xml.Linq; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Contains helpers to work with XElement objects. diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 5ef1f6ead8..5964da758c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -6,9 +6,9 @@ "url": "git://github.com/aspnet/dataprotection" }, "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Sources": { + "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", "version": "" }, 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs index fec6abeaee..a455fd571f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs @@ -4,7 +4,7 @@ using System; using Xunit; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { public unsafe class BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs index a678158a0e..34192eb758 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs @@ -2,11 +2,11 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.Internal; -using Microsoft.AspNet.Testing; +using Microsoft.AspNetCore.Cryptography.Internal; +using Microsoft.AspNetCore.Testing; using Xunit; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { public class BCRYPT_KEY_LENGTHS_STRUCT_Tests { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs index c33dfede4c..286bca18f4 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs 
@@ -3,11 +3,11 @@ using System; using System.Linq; -using Microsoft.AspNet.DataProtection.Test.Shared; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { public unsafe class BCryptUtilTests { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs index 0fb5f0d6cb..de601a12d5 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs @@ -3,12 +3,12 @@ using System; using System.Text; -using Microsoft.AspNet.Cryptography.SafeHandles; -using Microsoft.AspNet.DataProtection.Test.Shared; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Cryptography.Cng +namespace Microsoft.AspNetCore.Cryptography.Cng { // This class tests both the properties and the output of hash algorithms. // It only tests the properties of the encryption algorithms. diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs index 7ce884177f..b911ab065a 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs @@ -4,7 +4,7 @@ using System; using Xunit; -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { public unsafe class CryptoUtilTests { 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs index 068f729806..cf5b8f9384 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs @@ -4,7 +4,7 @@ using System; using Xunit; -namespace Microsoft.AspNet.Cryptography.SafeHandles +namespace Microsoft.AspNetCore.Cryptography.SafeHandles { public unsafe class SecureLocalAllocHandleTests { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs index 845922bc6c..359835db7e 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs @@ -4,10 +4,10 @@ using System; using System.Reflection; using System.Runtime.InteropServices; -using Microsoft.AspNet.Cryptography.SafeHandles; +using Microsoft.AspNetCore.Cryptography.SafeHandles; using Xunit; -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { public unsafe class UnsafeBufferUtilTests { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs index 288cbd6f51..8bdfddc030 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs @@ -4,7 +4,7 @@ using System; using Xunit; -namespace Microsoft.AspNet.Cryptography +namespace Microsoft.AspNetCore.Cryptography { public class WeakReferenceHelpersTests { 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 96f149e31c..afc7c45f3f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -1,11 +1,11 @@ { "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": { + "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "" }, - "Microsoft.AspNet.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.0.0-*", "xunit": "2.1.0" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs index c2209dd6af..2ded2300ab 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs @@ -3,12 +3,12 @@ using System; using System.Text; -using Microsoft.AspNet.Cryptography.KeyDerivation.PBKDF2; -using Microsoft.AspNet.DataProtection.Test.Shared; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.Cryptography.KeyDerivation +namespace Microsoft.AspNetCore.Cryptography.KeyDerivation { public class Pbkdf2Tests { diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 61c2870baf..8ea16005b1 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json 
@@ -1,9 +1,9 @@ { "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.Cryptography.KeyDerivation": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": "", - "Microsoft.AspNet.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Test.Shared": "", + "Microsoft.AspNetCore.Testing": "1.0.0-*", "xunit": "2.1.0" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs index 3687981ecd..ab4294c607 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs @@ -5,14 +5,14 @@ using System; using System.Collections.Generic; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNet.DataProtection.Infrastructure; -using Microsoft.AspNet.DataProtection.Abstractions; -using Microsoft.AspNet.Testing; +using Microsoft.AspNetCore.DataProtection.Infrastructure; +using Microsoft.AspNetCore.DataProtection.Abstractions; +using Microsoft.AspNetCore.Testing; using Microsoft.Extensions.PlatformAbstractions; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { public class DataProtectionExtensionsTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 793a08beeb..ab59434a25 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json 
@@ -1,8 +1,8 @@ { "dependencies": { - "Microsoft.AspNet.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNet.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.0.0-*", "xunit": "2.1.0" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs index 80866a6bf7..b4eafed6fe 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs @@ -7,7 +7,7 @@ using System.Text; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { public class DataProtectionExtensionsTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 0724799fa8..3bac377de8 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -3,11 +3,11 @@ using System; using System.IO; -using Microsoft.AspNet.DataProtection.Test.Shared; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { public class DataProtectionProviderTests { 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs index 5a54b3c7f9..be9b19c27a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs @@ -4,15 +4,15 @@ using System; using System.Globalization; using System.Security.Cryptography; -using Microsoft.AspNet.DataProtection.Extensions; +using Microsoft.AspNetCore.DataProtection.Extensions; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { public class TimeLimitedDataProtectorTests { - private const string TimeLimitedPurposeString = "Microsoft.AspNet.DataProtection.TimeLimitedDataProtector.v1"; + private const string TimeLimitedPurposeString = "Microsoft.AspNetCore.DataProtection.TimeLimitedDataProtector.v1"; [Fact] public void Protect_LifetimeSpecified() diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index d0159eb435..2a36563fc5 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -1,12 +1,12 @@ { "dependencies": { - "Microsoft.AspNet.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Extensions": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": { + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Extensions": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "" }, - "Microsoft.AspNet.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.0.0-*", "xunit": "2.1.0" }, "frameworks": { 
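Review bot: In the TimeLimitedDataProtectorTests.cs hunk, `TimeLimitedPurposeString` changes from `"Microsoft.AspNet.DataProtection.TimeLimitedDataProtector.v1"` to `"Microsoft.AspNetCore.DataProtection.TimeLimitedDataProtector.v1"`, and unlike the namespace renames around it this is a runtime value rather than an identifier. A purpose string is bound into what a protector produces, so if the production constant was renamed the same way (not visible here, but presumably so since the test mirrors it), time-limited payloads protected before the rename will fail to unprotect afterwards. If that break is intended, record it beside the constant, e.g. `// Purpose string is part of the protected-payload format; changing it invalidates existing time-limited payloads.`, and call it out in the commit message as a compatibility change. The test class body continues outside the hunk.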
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs index 1799324f80..d5ef4730f6 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs @@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Testing.xunit; -namespace Microsoft.AspNet.DataProtection.Test.Shared +namespace Microsoft.AspNetCore.DataProtection.Test.Shared { public class ConditionalRunTestOnlyOnWindows8OrLaterAttribute : Attribute, ITestCondition { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs index 5071921f05..5033b3e38e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs @@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.Cryptography.Cng; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Testing.xunit; -namespace Microsoft.AspNet.DataProtection.Test.Shared +namespace Microsoft.AspNetCore.DataProtection.Test.Shared { public class ConditionalRunTestOnlyOnWindowsAttribute : Attribute, ITestCondition { 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs index cf365f42a4..36eab6e08d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs @@ -5,7 +5,7 @@ using System; using System.Security.Cryptography; using Xunit; -namespace Microsoft.AspNet.Testing +namespace Microsoft.AspNetCore.Testing { internal static class ExceptionAssert2 { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs index d5b96c0f17..a249162706 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs @@ -2,12 +2,12 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.Internal; +using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { public class ActivatorTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index cd76849191..25d983c6fd 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs 
@@ -5,10 +5,10 @@
 using System;
 using System.Runtime.ConstrainedExecution;
 using System.Runtime.InteropServices;
-using Microsoft.AspNet.Cryptography;
+using Microsoft.AspNetCore.Cryptography;
 using Microsoft.Win32.SafeHandles;
-namespace Microsoft.AspNet.DataProtection
+namespace Microsoft.AspNetCore.DataProtection
 {
 ///
 /// Helpers for working with the anonymous Windows identity.
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
index a808113e78..59beb7da02 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -5,7 +5,7 @@ using System;
 using System.Xml.Linq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class AuthenticatedEncryptorDescriptorDeserializerTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
index 183af245a7..82acb2f0af 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
@@ -5,15 +5,15 @@ using System;
 using System.Globalization;
 using System.Security.Cryptography;
 using System.Text.RegularExpressions;
-using Microsoft.AspNet.Cryptography.Cng;
-using Microsoft.AspNet.Cryptography.SafeHandles;
-using Microsoft.AspNet.DataProtection.Cng;
-using Microsoft.AspNet.DataProtection.Managed;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.Cryptography.SafeHandles;
+using Microsoft.AspNetCore.DataProtection.Cng;
+using Microsoft.AspNetCore.DataProtection.Managed;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class AuthenticatedEncryptorDescriptorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
index 815658f4bf..daf29693f6 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
@@ -4,7 +4,7 @@
 using System;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class CngCbcAuthenticatedEncryptorConfigurationTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
index 317758dfef..3f7814d65e 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -3,12 +3,12 @@
 using System;
 using System.Xml.Linq;
-using Microsoft.AspNet.Cryptography;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.Cryptography;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class CngCbcAuthenticatedEncryptorDescriptorDeserializerTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
index a20da3b086..50a20bd522 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
@@ -4,7 +4,7 @@
 using System;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class CngCbcAuthenticatedEncryptorDescriptorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
index 348eb3d0a5..f38edc6040 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
@@ -4,7 +4,7 @@
 using System;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class CngGcmAuthenticatedEncryptorConfigurationTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
index c07cd32029..13dc84ba7d 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -3,12 +3,12 @@
 using System;
 using System.Xml.Linq;
-using Microsoft.AspNet.Cryptography;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.Cryptography;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class CngGcmAuthenticatedEncryptorDescriptorDeserializerTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
index 3d6b98f0d5..678855b7bd 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
@@ -4,7 +4,7 @@
 using System;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class CngGcmAuthenticatedEncryptorDescriptorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
index d6aca0f4dc..ca18f1f172 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
@@ -4,7 +4,7 @@
 using System;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class ManagedAuthenticatedEncryptorConfigurationTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
index 270ed2dcfb..e405ca94c5 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
@@ -6,7 +6,7 @@ using System.Security.Cryptography;
 using System.Xml.Linq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class ManagedAuthenticatedEncryptorDescriptorDeserializerTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
index 04882ffabd..8a207ffa5e 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
@@ -5,7 +5,7 @@ using System;
 using System.Security.Cryptography;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
 {
 public class ManagedAuthenticatedEncryptorDescriptorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
index 1ca46ab2b2..97e7d7a96d 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
@@ -5,12 +5,12 @@ using System;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
-using Microsoft.AspNet.Cryptography.Cng;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.Cng
+namespace Microsoft.AspNetCore.DataProtection.Cng
 {
 public class CbcAuthenticatedEncryptorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
index db24e9b387..a67d410f4f 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
@@ -2,12 +2,12 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.Cng.Internal
+namespace Microsoft.AspNetCore.DataProtection.Cng.Internal
 {
 public unsafe class CngAuthenticatedEncryptorBaseTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
index b94041b79f..b01058e5b4 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
@@ -5,12 +5,12 @@ using System;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
-using Microsoft.AspNet.Cryptography.Cng;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.Cng
+namespace Microsoft.AspNetCore.DataProtection.Cng
 {
 public class GcmAuthenticatedEncryptorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
index e0c856cf26..45a51e2224 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
@@ -6,7 +6,7 @@ using System.Security.Cryptography;
 using System.Text;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection
+namespace Microsoft.AspNetCore.DataProtection
 {
 public class EphemeralDataProtectionProviderTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
index 8d8c81a510..27eaa3bf31 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
@@ -3,11 +3,11 @@
 using System;
 using System.Threading;
-using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class CacheableKeyRingTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
index 38eb189734..dec696bfcc 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
@@ -4,12 +4,12 @@
 using System;
 using System.Collections.Generic;
 using System.Globalization;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class DefaultKeyResolverTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
index 5dd7f0437a..53ec59402c 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
@@ -3,14 +3,14 @@
 using System;
 using System.Xml.Linq;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
-using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
-using Microsoft.AspNet.Testing;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.Testing;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class DeferredKeyTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
index 989b7aafd5..bd90f3740f 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
@@ -9,7 +9,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class KeyEscrowServiceProviderExtensionsTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
index 8c03d91c5f..c2b54f30de 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
@@ -7,14 +7,14 @@ using System.Linq;
 using System.Net;
 using System.Reflection;
 using System.Text;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
-using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
-using Microsoft.AspNet.Testing;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.Testing;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class KeyRingBasedDataProtectorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
index f3be5939ff..2f7517c86b 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
@@ -6,16 +6,16 @@ using System.Collections.Generic;
 using System.Globalization;
 using System.Threading;
 using System.Threading.Tasks;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
-using Microsoft.AspNet.Testing;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.Testing;
 using Microsoft.Extensions.DependencyInjection;
 using Moq;
 using Xunit;
 using static System.FormattableString;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class KeyRingProviderTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
index df03475f7a..f973af9c42 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
@@ -2,11 +2,11 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class KeyRingTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
index 6514a61293..e42632dd1d 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
@@ -2,12 +2,12 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class KeyTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
index 1e15316555..ff991bf34e 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
@@ -6,18 +6,18 @@ using System.Collections.Generic;
 using System.Linq;
 using System.Xml;
 using System.Xml.Linq;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
-using Microsoft.AspNet.DataProtection.Internal;
-using Microsoft.AspNet.DataProtection.KeyManagement.Internal;
-using Microsoft.AspNet.DataProtection.Repositories;
-using Microsoft.AspNet.DataProtection.XmlEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.Internal;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.DataProtection.Repositories;
+using Microsoft.AspNetCore.DataProtection.XmlEncryption;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Moq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.KeyManagement
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement
 {
 public class XmlKeyManagerTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
index 8fb3dc0d5d..4e5f67fc65 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
@@ -5,11 +5,11 @@ using System;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.Managed
+namespace Microsoft.AspNetCore.DataProtection.Managed
 {
 public class ManagedAuthenticatedEncryptorTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs b/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
index ff4646a2ae..40a34afca6 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
@@ -3,13 +3,13 @@
 using System;
 using System.Xml.Linq;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
-using Microsoft.AspNet.DataProtection.Internal;
-using Microsoft.AspNet.DataProtection.XmlEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.Internal;
+using Microsoft.AspNetCore.DataProtection.XmlEncryption;
 using Moq;
-namespace Microsoft.AspNet.DataProtection
+namespace Microsoft.AspNetCore.DataProtection
 {
 internal static class MockExtensions
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
index 5513d6c7f0..f2ec6310e0 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
@@ -6,10 +6,10 @@ using System.Collections.Generic;
 using System.Linq;
 using System.Security.Cryptography;
 using System.Xml.Linq;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ConfigurationModel;
-using Microsoft.AspNet.DataProtection.KeyManagement;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.AspNetCore.Testing.xunit;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
@@ -17,7 +17,7 @@ using Microsoft.Extensions.PlatformAbstractions;
 using Microsoft.Win32;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection
+namespace Microsoft.AspNetCore.DataProtection
 {
 public class RegistryPolicyResolverTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
index dadcfbbf42..2690da8254 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
@@ -5,7 +5,7 @@ using System;
 using System.Xml.Linq;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.Repositories
+namespace Microsoft.AspNetCore.DataProtection.Repositories
 {
 public class EphemeralXmlRepositoryTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
index f175b00283..236f98cff0 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
@@ -5,10 +5,10 @@ using System;
 using System.IO;
 using System.Linq;
 using System.Xml.Linq;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.Repositories
+namespace Microsoft.AspNetCore.DataProtection.Repositories
 {
 public class FileSystemXmlRepositoryTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
index 3e5cfae000..e7d7e62a86 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
@@ -4,12 +4,12 @@
 using System;
 using System.Linq;
 using System.Xml.Linq;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.Testing.xunit;
 using Microsoft.Extensions.PlatformAbstractions;
 using Microsoft.Win32;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.Repositories
+namespace Microsoft.AspNetCore.DataProtection.Repositories
 {
 public class RegistryXmlRepositoryTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
index e8751c0cea..871ca83f5b 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
@@ -4,11 +4,11 @@
 using System;
 using System.Security.Cryptography;
 using System.Text;
-using Microsoft.AspNet.DataProtection.Test.Shared;
-using Microsoft.AspNet.Testing.xunit;
+using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.Testing.xunit;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection.SP800_108
+namespace Microsoft.AspNetCore.DataProtection.SP800_108
 {
 public unsafe class SP800_108Tests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
index 2f92d1c33f..d3fb1cbc70 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
@@ -4,7 +4,7 @@
 using System;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection
+namespace Microsoft.AspNetCore.DataProtection
 {
 ///
 /// Helpful ISecret-based assertions.
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
index a1dd672cff..0d3ab20696 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
@@ -2,10 +2,10 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
-using Microsoft.AspNet.Testing;
+using Microsoft.AspNetCore.Testing;
 using Xunit;
-namespace Microsoft.AspNet.DataProtection
+namespace Microsoft.AspNetCore.DataProtection
 {
 public unsafe class SecretTests
 {
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
index a86ea44d75..c37462ef97 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
@@ -2,10 +2,10 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNet.DataProtection.Cng; -using Microsoft.AspNet.DataProtection.Managed; +using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.Managed; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal unsafe class SequentialGenRandom : IBCryptGenRandom, IManagedGenRandom { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs index ef97826d13..c15cc1ac9d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs @@ -6,7 +6,7 @@ using System.Globalization; using System.Text; using Microsoft.Extensions.Logging; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { internal sealed class StringLoggerFactory : ILoggerFactory { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs index a0481a3f29..e33bc0d84c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs @@ -7,7 +7,7 @@ using System.Linq; using System.Xml.Linq; using Xunit; -namespace Microsoft.AspNet.DataProtection +namespace Microsoft.AspNetCore.DataProtection { /// /// Helpful XML-based assertions. diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 7e013de0c0..79e2b2d664 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs 
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -11,7 +11,7 @@ using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { public class CertificateXmlEncryptorTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs index cc717c62d9..2a4f19dfab 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs @@ -3,11 +3,11 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.Test.Shared; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { public class DpapiNGXmlEncryptionTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 3a0f6e520c..8929ae9d3f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs 
@@ -3,12 +3,12 @@ using System; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.Test.Shared; -using Microsoft.AspNet.Testing; -using Microsoft.AspNet.Testing.xunit; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing; +using Microsoft.AspNetCore.Testing.xunit; using Xunit; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { public class DpapiXmlEncryptionTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs index 238b78bd6c..8f4433d78c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs @@ -5,7 +5,7 @@ using System; using System.Xml.Linq; using Xunit; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { public class NullXmlEncryptionTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs index 7364fdad4e..d03fee0c09 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs @@ -4,12 +4,12 @@ using System; using System.Linq; using System.Xml.Linq; -using Microsoft.AspNet.DataProtection.Internal; +using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; -namespace Microsoft.AspNet.DataProtection.XmlEncryption +namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { public class XmlEncryptionExtensionsTests { 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 4d06843dbb..e20687b0a4 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -1,11 +1,11 @@ { "dependencies": { - "Microsoft.AspNet.DataProtection": "1.0.0-*", - "Microsoft.AspNet.DataProtection.Test.Shared": { + "Microsoft.AspNetCore.DataProtection": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "" }, - "Microsoft.AspNet.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.0.0-*", "xunit": "2.1.0" }, From 342676925ff23cf823b9234772e77c6b9565f542 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Fri, 22 Jan 2016 12:39:12 -0800 Subject: [PATCH 214/493] Update ASP.NET 5 versions for ASP.NET Core. See https://github.com/aspnet/Announcements/issues/144 for more information. --- .../project.json | 4 ++-- .../project.json | 2 +- src/Microsoft.AspNetCore.DataProtection/project.json | 4 ++-- .../project.json | 6 +++--- .../project.json | 6 +++--- .../project.json | 4 ++-- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 4 ++-- 7 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 9b3e55b1bd..5d1109f732 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -8,7 +8,7 @@ "dependencies": { "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "" + "version": "1.0.0-*" }, "Microsoft.Extensions.PlatformAbstractions": "1.0.0-*" }, @@ -25,4 +25,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} +} \ No newline at end of file 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index 373bb0dd26..f43d531b73 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -9,7 +9,7 @@ "Microsoft.AspNetCore.DataProtection": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "" + "version": "1.0.0-*" }, "Microsoft.Extensions.DependencyInjection": "1.0.0-*" }, diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 5964da758c..3932a1f275 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -10,7 +10,7 @@ "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "" + "version": "1.0.0-*" }, "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", @@ -40,4 +40,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index afc7c45f3f..fe8adbea67 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -3,7 +3,7 @@ "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", - "version": "" + "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.0.0-*", "xunit": "2.1.0" @@ -14,7 +14,7 @@ "xunit.runner.console": "2.1.0" } }, - "dnxcore50": { + "dnxcore50": { "dependencies": { "xunit.runner.aspnet": "2.0.0-aspnet-*" } 
@@ -29,4 +29,4 @@ "keyFile": "../../tools/Key.snk", "warningsAsErrors": true } -} +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 8ea16005b1..621c4eece2 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -2,7 +2,7 @@ "dependencies": { "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", - "Microsoft.AspNetCore.DataProtection.Test.Shared": "", + "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.0.0-*", "xunit": "2.1.0" }, @@ -12,7 +12,7 @@ "xunit.runner.console": "2.1.0" } }, - "dnxcore50": { + "dnxcore50": { "dependencies": { "xunit.runner.aspnet": "2.0.0-aspnet-*" } @@ -27,4 +27,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 2a36563fc5..dc33df753e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -4,7 +4,7 @@ "Microsoft.AspNetCore.DataProtection.Extensions": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", - "version": "" + "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.0.0-*", "xunit": "2.1.0" @@ -31,4 +31,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index e20687b0a4..261d48378b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json 
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -3,7 +3,7 @@ "Microsoft.AspNetCore.DataProtection": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", - "version": "" + "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.0.0-*", @@ -32,4 +32,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} +} \ No newline at end of file From 2d2e71e2c82eb3cb5c6e9b71f65fa0b9815958f9 Mon Sep 17 00:00:00 2001 From: Brennan Date: Thu, 21 Jan 2016 09:39:53 -0800 Subject: [PATCH 215/493] React to Logging API changes --- .../StringLoggerFactory.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs index c15cc1ac9d..f36f0c2af8 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs @@ -59,7 +59,7 @@ namespace Microsoft.AspNetCore.DataProtection return (logLevel >= _factory.MinimumLevel); } - public void Log(LogLevel logLevel, int eventId, object state, Exception exception, Func formatter) + public void Log(LogLevel logLevel, EventId eventId, TState state, Exception exception, Func formatter) { string message = String.Format(CultureInfo.InvariantCulture, "Provider: {0}" + Environment.NewLine + From 0d4fe3ba7229fa9ca14f7acb05a4092f58d668ec Mon Sep 17 00:00:00 2001 From: John Luo Date: Mon, 1 Feb 2016 18:52:41 -0800 Subject: [PATCH 216/493] Updating to new CLI --- .../project.json | 4 +++- .../project.json | 4 +++- .../project.json | 4 +++- .../project.json | 4 +++- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 4 +++- 5 files changed, 15 insertions(+), 5 deletions(-) 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index fe8adbea67..649606c5c6 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -6,6 +6,7 @@ "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { @@ -17,7 +18,8 @@ "dnxcore50": { "dependencies": { "xunit.runner.aspnet": "2.0.0-aspnet-*" - } + }, + "imports": "portable-net451+win8" } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 621c4eece2..cb5c2f28d1 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -4,6 +4,7 @@ "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { @@ -15,7 +16,8 @@ "dnxcore50": { "dependencies": { "xunit.runner.aspnet": "2.0.0-aspnet-*" - } + }, + "imports": "portable-net451+win8" } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index ab59434a25..bf911fedf5 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json 
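Review bot: The `"imports": "portable-net451+win8"` entry added to the `dnxcore50` target of test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json applies to every dependency of that target. Any package that ships only portable-net451+win8 assets will now restore without a compatibility error and can fail at load time instead. Neither the hunk nor the commit message says which package needs it; I would name that package in the commit description so the entry can be dropped once a compatible build exists. The same entry is added in the KeyDerivation.Test hunk on this line and in the Abstractions.Test, Extensions.Test and DataProtection.Test hunks that follow.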
@@ -3,6 +3,7 @@ "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { @@ -16,7 +17,8 @@ "dependencies": { "moq.netcore": "4.4.0-beta8", "xunit.runner.aspnet": "2.0.0-aspnet-*" - } + }, + "imports": "portable-net451+win8" } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index dc33df753e..039a719936 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -7,6 +7,7 @@ "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { @@ -20,7 +21,8 @@ "dependencies": { "moq.netcore": "4.4.0-beta8", "xunit.runner.aspnet": "2.0.0-aspnet-*" - } + }, + "imports": "portable-net451+win8" } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 261d48378b..2a6680fc04 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -7,6 +7,7 @@ }, "Microsoft.AspNetCore.Testing": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.0.0-*", + "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { @@ -20,7 +21,8 @@ "dependencies": { "moq.netcore": "4.4.0-beta8", "xunit.runner.aspnet": "2.0.0-aspnet-*" - } + }, + "imports": "portable-net451+win8" } }, "testRunner": "xunit", From 46d7d8988e5c313e6d811e959dc7a62ec0b3a044 Mon Sep 17 00:00:00 2001 
From: "N. Taylor Mullen" Date: Fri, 5 Feb 2016 17:21:45 -0800 Subject: [PATCH 217/493] Update project.json to remove redundant System.Runtime dependency. - This package is pulled in transitively. --- .../Microsoft.AspNetCore.DataProtection.Test.Shared/project.json | 1 - 1 file changed, 1 deletion(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 33e2b1875f..cab6184cad 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -3,7 +3,6 @@ "dnx451": { }, "dnxcore50": { "dependencies": { - "System.Runtime": "4.0.21-*" } } }, From 42890042a324f265e9c2ed81697bcc2de38a1d3a Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Fri, 5 Feb 2016 17:50:53 -0800 Subject: [PATCH 218/493] Update shared project system.runtime dependency. --- .../Microsoft.AspNetCore.DataProtection.Test.Shared/project.json | 1 + 1 file changed, 1 insertion(+) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index cab6184cad..eacbd61b43 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -3,6 +3,7 @@ "dnx451": { }, "dnxcore50": { "dependencies": { + "System.Runtime": "4.1.0-*" } } }, From 7190b704b103d57215e16a9dba27d95f2f956be5 Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Sat, 6 Feb 2016 15:08:27 -0800 Subject: [PATCH 219/493] Temporary build test fixes. --- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 2 +- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 3 ++- 6 files changed, 11 insertions(+), 6 deletions(-) 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 649606c5c6..a3c93adde2 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -17,7 +17,8 @@ }, "dnxcore50": { "dependencies": { - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*", + "System.Runtime": "4.0.21-*" }, "imports": "portable-net451+win8" } diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index cb5c2f28d1..5dd067a099 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -15,7 +15,8 @@ }, "dnxcore50": { "dependencies": { - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*", + "System.Runtime": "4.0.21-*" }, "imports": "portable-net451+win8" } diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index bf911fedf5..2aba8ab2df 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -16,7 +16,8 @@ "dnxcore50": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*", + "System.Runtime": "4.0.21-*" }, "imports": "portable-net451+win8" } diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 039a719936..33d9c7c915 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json 
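Review bot: `"System.Runtime": "4.0.21-*"` is added under `dnxcore50` as a workaround, but the commit says only "Temporary build test fixes" and nothing records what fails without it or when it can be removed. I would add the failing scenario or a tracking reference to the commit description, for example `Workaround for <issue placeholder>; remove once System.Runtime resolves transitively again`. The Test.Shared hunk of this commit also lowers the range from `4.1.0-*` to `4.0.21-*`, undoing the bump made in PATCH 218; that should be stated explicitly so it does not read as an accidental revert. The same line is added in the KeyDerivation.Test, Abstractions.Test, Extensions.Test and DataProtection.Test hunks.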
+++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -20,7 +20,8 @@ "dnxcore50": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*", + "System.Runtime": "4.0.21-*" }, "imports": "portable-net451+win8" } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index eacbd61b43..33e2b1875f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -3,7 +3,7 @@ "dnx451": { }, "dnxcore50": { "dependencies": { - "System.Runtime": "4.1.0-*" + "System.Runtime": "4.0.21-*" } } }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 2a6680fc04..49af17ddfe 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -20,7 +20,8 @@ "dnxcore50": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "xunit.runner.aspnet": "2.0.0-aspnet-*" + "xunit.runner.aspnet": "2.0.0-aspnet-*", + "System.Runtime": "4.0.21-*" }, "imports": "portable-net451+win8" } From 4e68e8f3abcbeb837e5212d8c56cbc475ef03a63 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 8 Feb 2016 09:33:41 -0800 Subject: [PATCH 220/493] Reacting to CoreCLR package version changes --- src/Microsoft.AspNetCore.Cryptography.Internal/project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index deebb4fbca..ea24ed56f6 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json 
@@ -12,7 +12,7 @@ "dependencies": { "System.Diagnostics.Debug": "4.0.11-*", "System.Runtime.Handles": "4.0.1-*", - "System.Runtime.InteropServices": "4.0.21-*", + "System.Runtime.InteropServices": "4.1.0-*", "System.Security.Cryptography.Primitives": "4.0.0-*", "System.Threading": "4.0.11-*" } From 85b1ac37bfd60da4cdbe3234a5373565e895cedd Mon Sep 17 00:00:00 2001 From: Kiran Challa Date: Tue, 9 Feb 2016 21:40:22 -0800 Subject: [PATCH 221/493] Enable tests to run using donet xunit test runner --- .../project.json | 15 +++++------- .../project.json | 15 +++++------- .../project.json | 23 ++++++++----------- .../project.json | 21 ++++++++--------- .../project.json | 13 +++++++---- .../project.json | 21 ++++++++--------- 6 files changed, 48 insertions(+), 60 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index a3c93adde2..b4661a5537 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -10,23 +10,20 @@ "xunit": "2.1.0" }, "frameworks": { - "dnx451": { - "dependencies": { - "xunit.runner.console": "2.1.0" - } - }, "dnxcore50": { "dependencies": { - "xunit.runner.aspnet": "2.0.0-aspnet-*", + "dotnet-test-xunit": "1.0.0-dev-*", "System.Runtime": "4.0.21-*" }, "imports": "portable-net451+win8" + }, + "dnx451": { + "dependencies": { + "xunit.runner.console": "2.1.0" + } } }, "testRunner": "xunit", - "commands": { - "test": "xunit.runner.aspnet" - }, "compilationOptions": { "allowUnsafe": true, "keyFile": "../../tools/Key.snk", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 5dd067a099..7133275a83 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json 
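Review bot: `"dotnet-test-xunit": "1.0.0-dev-*"` in the `dnxcore50` dependencies of test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json floats over every `-dev-` prerelease. This package is the test runner, so whichever build the configured feeds return at restore time is executed on developer and CI machines. I would pin it to the build that was actually validated, `"dotnet-test-xunit": "<validated-version placeholder>"`, and bump it deliberately. The feed list is not visible in this hunk, so confirm it contains only feeds the team controls or trusts. The same dependency is added in the KeyDerivation.Test, Abstractions.Test, Extensions.Test, Test.Shared and DataProtection.Test hunks of this commit.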
+++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -8,23 +8,20 @@ "xunit": "2.1.0" }, "frameworks": { - "dnx451": { - "dependencies": { - "xunit.runner.console": "2.1.0" - } - }, "dnxcore50": { "dependencies": { - "xunit.runner.aspnet": "2.0.0-aspnet-*", + "dotnet-test-xunit": "1.0.0-dev-*", "System.Runtime": "4.0.21-*" }, "imports": "portable-net451+win8" + }, + "dnx451": { + "dependencies": { + "xunit.runner.console": "2.1.0" + } } }, "testRunner": "xunit", - "commands": { - "test": "xunit.runner.aspnet" - }, "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 2aba8ab2df..96406b831d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -7,28 +7,25 @@ "xunit": "2.1.0" }, "frameworks": { + "dnxcore50": { + "dependencies": { + "moq.netcore": "4.4.0-beta8", + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Runtime": "4.0.21-*" + }, + "imports": "portable-net451+win8" + }, "dnx451": { "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" - } - }, - "dnxcore50": { - "dependencies": { - "moq.netcore": "4.4.0-beta8", - "xunit.runner.aspnet": "2.0.0-aspnet-*", - "System.Runtime": "4.0.21-*" - }, - "imports": "portable-net451+win8" + } } }, "testRunner": "xunit", - "commands": { - "test": "xunit.runner.aspnet" - }, "compile": "../common/**/*.cs", "compilationOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 33d9c7c915..d663d03bc3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json 
+++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -11,25 +11,22 @@ "xunit": "2.1.0" }, "frameworks": { + "dnxcore50": { + "dependencies": { + "moq.netcore": "4.4.0-beta8", + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Runtime": "4.0.21-*" + }, + "imports": "portable-net451+win8" + }, "dnx451": { "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" - } - }, - "dnxcore50": { - "dependencies": { - "moq.netcore": "4.4.0-beta8", - "xunit.runner.aspnet": "2.0.0-aspnet-*", - "System.Runtime": "4.0.21-*" - }, - "imports": "portable-net451+win8" + } } }, "testRunner": "xunit", - "commands": { - "test": "xunit.runner.aspnet" - }, "compilationOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 33e2b1875f..79dc1c3472 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -1,11 +1,14 @@ { "frameworks": { - "dnx451": { }, "dnxcore50": { "dependencies": { - "System.Runtime": "4.0.21-*" - } - } + "System.Runtime": "4.0.21-*", + "dotnet-test-xunit": "1.0.0-dev-*", + "Microsoft.NETCore.Platforms": "1.0.1-*" + }, + "imports": "portable-net451+win8" + }, + "dnx451": {} }, "shared": "**/*.cs" -} +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 49af17ddfe..5b000e9138 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json 
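Review bot: test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json gains `"dotnet-test-xunit"`, `"Microsoft.NETCore.Platforms"` and an `"imports"` entry, yet the file as shown declares only `"shared": "**/*.cs"` and no `testRunner`, so it looks like a source-only project that never runs tests itself. If that is right, the runner reference is unnecessary here and adds to the packages restored for every project that consumes the shared sources. I would keep the target as `"dnxcore50": { "dependencies": { "System.Runtime": "4.0.21-*" } }` and leave the runner in the test projects. The hunk (`@@ -1,11 +1,14 @@`) appears to cover the whole file, so this reading does not depend on lines outside it.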
@@ -11,25 +11,22 @@ "xunit": "2.1.0" }, "frameworks": { + "dnxcore50": { + "dependencies": { + "moq.netcore": "4.4.0-beta8", + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Runtime": "4.0.21-*" + }, + "imports": "portable-net451+win8" + }, "dnx451": { "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" - } - }, - "dnxcore50": { - "dependencies": { - "moq.netcore": "4.4.0-beta8", - "xunit.runner.aspnet": "2.0.0-aspnet-*", - "System.Runtime": "4.0.21-*" - }, - "imports": "portable-net451+win8" + } } }, "testRunner": "xunit", - "commands": { - "test": "xunit.runner.aspnet" - }, "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, From 314bc214138e161105744e8ad40ea13331ba2653 Mon Sep 17 00:00:00 2001 From: Brennan Date: Thu, 11 Feb 2016 13:29:58 -0800 Subject: [PATCH 222/493] Add missing framework assemblies --- .../project.json | 6 +++++- .../project.json | 6 +++++- .../project.json | 6 +++++- .../project.json | 6 +++++- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 6 +++++- 5 files changed, 25 insertions(+), 5 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index b4661a5537..813d943a1d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -20,7 +20,11 @@ "dnx451": { "dependencies": { "xunit.runner.console": "2.1.0" - } + }, + "frameworkAssemblies": { + "System.Runtime": "", + "System.Threading.Tasks": "" + } } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 7133275a83..50b51e8de2 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json 
@@ -18,7 +18,11 @@ "dnx451": { "dependencies": { "xunit.runner.console": "2.1.0" - } + }, + "frameworkAssemblies": { + "System.Runtime": "", + "System.Threading.Tasks": "" + } } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 96406b831d..c0af6a9b47 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -19,7 +19,11 @@ "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" - } + }, + "frameworkAssemblies": { + "System.Runtime": "", + "System.Threading.Tasks": "" + } } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index d663d03bc3..eab04dbdd0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -23,7 +23,11 @@ "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" - } + }, + "frameworkAssemblies": { + "System.Runtime": "", + "System.Threading.Tasks": "" + } } }, "testRunner": "xunit", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 5b000e9138..d952ddc84e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -23,7 +23,11 @@ "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" - } + }, + "frameworkAssemblies": { + "System.Runtime": "", + "System.Threading.Tasks": "" + } } }, "testRunner": "xunit", From 3b4b3b8ca270aa613eb7894025461b3316d15fb5 Mon Sep 17 00:00:00 2001 
From: "N. Taylor Mullen" Date: Sat, 13 Feb 2016 22:05:25 -0800 Subject: [PATCH 223/493] Remove System.Runtime dependency. - This dependency is now pulled in transitively. - It was temporarily re-added due to a DNX bug. --- .../project.json | 3 +-- .../project.json | 3 +-- .../project.json | 3 +-- .../project.json | 3 +-- .../project.json | 1 - test/Microsoft.AspNetCore.DataProtection.Test/project.json | 3 +-- 6 files changed, 5 insertions(+), 11 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 813d943a1d..c59d052b87 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -12,8 +12,7 @@ "frameworks": { "dnxcore50": { "dependencies": { - "dotnet-test-xunit": "1.0.0-dev-*", - "System.Runtime": "4.0.21-*" + "dotnet-test-xunit": "1.0.0-dev-*" }, "imports": "portable-net451+win8" }, diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 50b51e8de2..4890f97d94 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -10,8 +10,7 @@ "frameworks": { "dnxcore50": { "dependencies": { - "dotnet-test-xunit": "1.0.0-dev-*", - "System.Runtime": "4.0.21-*" + "dotnet-test-xunit": "1.0.0-dev-*" }, "imports": "portable-net451+win8" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index c0af6a9b47..19a40be6b1 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json 
@@ -10,8 +10,7 @@ "dnxcore50": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*", - "System.Runtime": "4.0.21-*" + "dotnet-test-xunit": "1.0.0-dev-*" }, "imports": "portable-net451+win8" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index eab04dbdd0..9e9837614a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -14,8 +14,7 @@ "dnxcore50": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*", - "System.Runtime": "4.0.21-*" + "dotnet-test-xunit": "1.0.0-dev-*" }, "imports": "portable-net451+win8" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 79dc1c3472..480e2a26fe 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -2,7 +2,6 @@ "frameworks": { "dnxcore50": { "dependencies": { - "System.Runtime": "4.0.21-*", "dotnet-test-xunit": "1.0.0-dev-*", "Microsoft.NETCore.Platforms": "1.0.1-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index d952ddc84e..3bb294137b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -14,8 +14,7 @@ "dnxcore50": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*", - "System.Runtime": "4.0.21-*" + "dotnet-test-xunit": "1.0.0-dev-*" }, "imports": "portable-net451+win8" }, From ec5808f8b6a2b36e189ac967f98353c5e0c29e12 Mon Sep 17 00:00:00 2001 
From: John Luo Date: Thu, 18 Feb 2016 15:02:27 -0800 Subject: [PATCH 224/493] Updating test TFMs for custom test discovery --- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../AnonymousImpersonation.cs | 2 +- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index c59d052b87..308877a873 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -16,7 +16,7 @@ }, "imports": "portable-net451+win8" }, - "dnx451": { + "net451": { "dependencies": { "xunit.runner.console": "2.1.0" }, diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 4890f97d94..4263161dd4 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -14,7 +14,7 @@ }, "imports": "portable-net451+win8" }, - "dnx451": { + "net451": { "dependencies": { "xunit.runner.console": "2.1.0" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 19a40be6b1..0c2f5f6377 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -14,7 +14,7 @@ }, "imports": "portable-net451+win8" }, - "dnx451": { + "net451": { "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 9e9837614a..f892ec3110 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -18,7 +18,7 @@ }, "imports": "portable-net451+win8" }, - "dnx451": { + "net451": { "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 480e2a26fe..69ab8c7d84 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -7,7 +7,7 @@ }, "imports": "portable-net451+win8" }, - "dnx451": {} + "net451": {} }, "shared": "**/*.cs" } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index 25d983c6fd..f9b4ddde0e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if DNX451 +#if NET451 using System; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 3bb294137b..5622521c2d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json 
@@ -18,7 +18,7 @@ }, "imports": "portable-net451+win8" }, - "dnx451": { + "net451": { "dependencies": { "Moq": "4.2.1312.1622", "xunit.runner.console": "2.1.0" From 3007398648d7fb3ddb6dcdcebbba2f731dda20b3 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Wed, 17 Feb 2016 16:30:00 -0800 Subject: [PATCH 225/493] Enabled xml doc generation --- NuGetPackageVerifier.json | 14 ++------- .../project.json | 4 ++- .../project.json | 4 ++- .../DataProtectionExtensions.cs | 2 +- .../IDataProtectionProvider.cs | 2 +- .../IDataProtector.cs | 2 +- .../project.json | 4 ++- .../DataProtectionExtensions.cs | 2 +- .../ITimeLimitedDataProtector.cs | 4 +-- .../project.json | 4 ++- .../project.json | 4 ++- ...agedAuthenticatedEncryptorConfiguration.cs | 3 +- .../DataProtectionConfiguration.cs | 30 +++++++++++++++++-- .../RegistryPolicyResolver.cs | 2 +- .../Repositories/RegistryXmlRepository.cs | 1 + .../XmlEncryption/DpapiNGXmlDecryptor.cs | 1 - .../XmlEncryption/DpapiXmlDecryptor.cs | 1 - .../XmlEncryption/EncryptedXmlDecryptor.cs | 1 - .../XmlEncryption/NullXmlDecryptor.cs | 1 - .../project.json | 4 ++- 20 files changed, 58 insertions(+), 32 deletions(-) diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index ba44824cf4..f5a8168e06 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json @@ -1,12 +1,7 @@ { "adx": { // Packages written by the ADX team and that ship on NuGet.org "rules": [ - "AssemblyHasDocumentFileRule", - "AssemblyHasVersionAttributesRule", - "AssemblyHasServicingAttributeRule", - "AssemblyHasNeutralResourcesLanguageAttributeRule", - "SatellitePackageRule", - "StrictSemanticVersionValidationRule" + "AdxVerificationCompositeRule" ], "packages": { "Microsoft.AspNetCore.Cryptography.Internal": { }, 
@@ -25,12 +20,7 @@ }, "Default": { // Rules to run for packages not listed in any other set. "rules": [ - "AssemblyHasDocumentFileRule", - "AssemblyHasVersionAttributesRule", - "AssemblyHasServicingAttributeRule", - "AssemblyHasNeutralResourcesLanguageAttributeRule", - "SatellitePackageRule", - "StrictSemanticVersionValidationRule" + "DefaultCompositeRule" ] } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index ea24ed56f6..8c53951240 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -21,6 +21,8 @@ "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "nowarn": [ "CS1591" ], + "xmlDoc": true } } diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index e589a39619..0f1ff14744 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -21,6 +21,8 @@ "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "nowarn": [ "CS1591" ], + "xmlDoc": true } } diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs index 6946dbeaaa..9096a871d7 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs 
@@ -248,7 +248,7 @@ namespace Microsoft.AspNetCore.DataProtection /// The data protector to use for this operation. /// The protected data to unprotect. /// The plaintext form of the protected data. - /// + /// /// Thrown if is invalid or malformed. /// public static string Unprotect(this IDataProtector protector, string protectedData) diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs index 603fad789f..02f772724b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// Creates an given a purpose. /// - /// + /// /// The purpose to be assigned to the newly-created . /// /// An IDataProtector tied to the provided purpose. diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs index 2cea1c2732..1d9c8c3946 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs @@ -20,7 +20,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// The protected data to unprotect. /// The plaintext form of the protected data. - /// + /// /// Thrown if the protected data is invalid or malformed. /// byte[] Unprotect(byte[] protectedData); diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 5d1109f732..36738186db 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json 
@@ -23,6 +23,8 @@ }, "compilationOptions": { "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "nowarn": [ "CS1591" ], + "xmlDoc": true } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs index 85ae629d69..0529a1c15a 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs @@ -101,7 +101,7 @@ namespace Microsoft.AspNetCore.DataProtection /// An 'out' parameter which upon a successful unprotect /// operation receives the expiration date of the payload. /// The plaintext form of the protected data. - /// + /// /// Thrown if is invalid, malformed, or expired. /// public static string Unprotect(this ITimeLimitedDataProtector protector, string protectedData, out DateTimeOffset expiration) diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs index fe8904be6f..71fa609f21 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs @@ -19,7 +19,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// Creates an given a purpose. /// - /// + /// /// The purpose to be assigned to the newly-created . /// /// An tied to the provided purpose. @@ -47,7 +47,7 @@ namespace Microsoft.AspNetCore.DataProtection /// An 'out' parameter which upon a successful unprotect /// operation receives the expiration date of the payload. /// The plaintext form of the protected data. - /// + /// /// Thrown if is invalid, malformed, or expired. /// byte[] Unprotect(byte[] protectedData, out DateTimeOffset expiration); 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index f43d531b73..cbdf080737 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -19,6 +19,8 @@ }, "compilationOptions": { "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "nowarn": [ "CS1591" ], + "xmlDoc": true } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json index 39b2a10314..e2ecac0519 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json @@ -20,7 +20,9 @@ }, "compilationOptions": { "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "nowarn": [ "CS1591" ], + "xmlDoc": true }, "packInclude": { "content/net451/": "web.config.transform" diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs index 94d53bb3f1..50130013f4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs 
@@ -7,7 +7,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { /// /// Represents a configured authenticated encryption mechanism which uses - /// managed and types. + /// managed and + /// types. /// public sealed class ManagedAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration { diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs index 81541c22e4..c9f4e8df0a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs @@ -17,6 +17,7 @@ using System.Security.Cryptography.X509Certificates; namespace Microsoft.AspNetCore.DataProtection { +#if !DOTNET5_4 /// /// Provides access to configuration for the data protection system, which allows the /// developer to configure default cryptographic algorithms, key storage locations, @@ -26,7 +27,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// If the developer changes the at-rest key protection mechanism, it is intended that /// he also change the key storage location, and vice versa. For instance, a call to - /// should generally be accompanied by + /// should generally be accompanied by /// a call to , or exceptions may /// occur at runtime due to the data protection system not knowing where to persist keys. /// 
@@ -43,6 +44,31 @@ namespace Microsoft.AspNetCore.DataProtection /// contain existing keys that use older algorithms or protection mechanisms. /// /// +#else + /// + /// Provides access to configuration for the data protection system, which allows the + /// developer to configure default cryptographic algorithms, key storage locations, + /// and the mechanism by which keys are protected at rest. + /// + /// + /// + /// If the developer changes the at-rest key protection mechanism, it is intended that + /// he also change the key storage location, and vice versa. + /// + /// + /// Similarly, when a developer modifies the default protected payload cryptographic + /// algorithms, it is intended that he also select an explitiy key storage location. + /// A call to + /// should therefore generally be paired with a call to , + /// for example. + /// + /// + /// When the default cryptographic algorithms or at-rest key protection mechanisms are + /// changed, they only affect new keys in the repository. The repository may + /// contain existing keys that use older algorithms or protection mechanisms. + /// + /// +#endif public class DataProtectionConfiguration { /// @@ -284,7 +310,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx /// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx - /// for more information on valid values for the the + /// for more information on valid values for the the /// and arguments. /// This API is only supported on Windows 8 / Windows Server 2012 and higher. /// diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs index 5fd5188953..6169bd1fb4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs 
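Review bot: The doc comment added under `#else` misspells "explicit" as "explitiy" in `it is intended that he also select an explitiy key storage location`, and this text ships in the generated XML documentation now that `xmlDoc` is enabled. The `@@ -284,7 +310,7 @@` hunk in the same file also keeps the doubled word in `valid values for the the`. The `#if !DOTNET5_4` and `#else` blocks repeat almost the same summary and remarks, so any later wording fix has to be made in both. The class body continues outside the hunk.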
@@ -81,7 +81,7 @@ namespace Microsoft.AspNetCore.DataProtection } /// - /// Returns a object from the default registry location. + /// Returns an array of s from the default registry location. /// public static ServiceDescriptor[] ResolveDefaultPolicy() { diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs index 63263223e7..b0fbc3a347 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs @@ -39,6 +39,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// Creates a with keys stored in the given registry key. /// /// The registry key in which to persist key material. + /// The used to resolve services. public RegistryXmlRepository(RegistryKey registryKey, IServiceProvider services) { if (registryKey == null) diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index af35d69bd8..cab86abdbf 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs @@ -43,7 +43,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// /// An encrypted XML element. /// The decrypted form of . - /// public XElement Decrypt(XElement encryptedElement) { if (encryptedElement == null) diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index 6b331f9626..28fc289dbb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs 
@@ -40,7 +40,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// /// An encrypted XML element. /// The decrypted form of . - /// public XElement Decrypt(XElement encryptedElement) { if (encryptedElement == null) diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index 5690ca8569..6a7d639552 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -40,7 +40,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// /// An encrypted XML element. /// The decrypted form of . - /// public XElement Decrypt(XElement encryptedElement) { if (encryptedElement == null) diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs index f8de45f23d..a63c0f2963 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs @@ -17,7 +17,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// /// An encrypted XML element. /// The decrypted form of . - /// public XElement Decrypt(XElement encryptedElement) { if (encryptedElement == null) diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 3932a1f275..9372a62be1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -38,6 +38,8 @@ "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "nowarn": [ "CS1591" ], + "xmlDoc": true } } \ No newline at end of file 
From f344d798c15cdc2177587ab1fa300836435f053b Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Wed, 24 Feb 2016 12:34:44 -0800 Subject: [PATCH 226/493] Update `build.cmd` to match latest template - aspnet/Universe#347 - `%KOREBUILD_VERSION%` doesn't work without this fix --- build.cmd | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/build.cmd b/build.cmd index ebb619e737..95b049cf63 100644 --- a/build.cmd +++ b/build.cmd @@ -2,7 +2,7 @@ SETLOCAL SET REPO_FOLDER=%~dp0 -CD %REPO_FOLDER% +CD "%REPO_FOLDER%" SET BUILD_FOLDER=.build SET KOREBUILD_FOLDER=%BUILD_FOLDER%\KoreBuild-dotnet @@ -28,12 +28,11 @@ IF NOT EXIST %NUGET_PATH% ( copy %CACHED_NUGET% %NUGET_PATH% > nul ) +SET KOREBUILD_DOWNLOAD_ARGS= +IF NOT "%KOREBUILD_VERSION%"=="" ( + SET KOREBUILD_DOWNLOAD_ARGS=-version %KOREBUILD_VERSION% +) IF NOT EXIST %KOREBUILD_FOLDER% ( - SET KOREBUILD_DOWNLOAD_ARGS= - IF NOT "%KOREBUILD_VERSION%"=="" ( - SET KOREBUILD_DOWNLOAD_ARGS=-version %KOREBUILD_VERSION% - ) - %BUILD_FOLDER%\nuget.exe install KoreBuild-dotnet -ExcludeVersion -o %BUILD_FOLDER% -nocache -pre %KOREBUILD_DOWNLOAD_ARGS% ) From 99e7d5e56e5ee0a8da2a35fb6d67743ba833f539 Mon Sep 17 00:00:00 2001 From: Victor Hurdugaci Date: Sat, 27 Feb 2016 12:51:09 -0800 Subject: [PATCH 227/493] Update the build scripts --- build.cmd | 41 ++----------------------------------- build.ps1 | 36 +++++++++++++++++++++++++++++++++ build.sh | 60 +++++++++++++++++++++++-------------------------------- 3 files changed, 63 insertions(+), 74 deletions(-) create mode 100644 build.ps1 diff --git a/build.cmd b/build.cmd index 95b049cf63..2fa024b15e 100644 --- a/build.cmd +++ b/build.cmd 
@@ -1,39 +1,2 @@ -@ECHO off -SETLOCAL - -SET REPO_FOLDER=%~dp0 -CD "%REPO_FOLDER%" - -SET BUILD_FOLDER=.build -SET KOREBUILD_FOLDER=%BUILD_FOLDER%\KoreBuild-dotnet -SET KOREBUILD_VERSION= - -SET NUGET_PATH=%BUILD_FOLDER%\NuGet.exe -SET NUGET_VERSION=latest -SET CACHED_NUGET=%LocalAppData%\NuGet\nuget.%NUGET_VERSION%.exe - -IF NOT EXIST %BUILD_FOLDER% ( - md %BUILD_FOLDER% -) - -IF NOT EXIST %NUGET_PATH% ( - IF NOT EXIST %CACHED_NUGET% ( - echo Downloading latest version of NuGet.exe... - IF NOT EXIST %LocalAppData%\NuGet ( - md %LocalAppData%\NuGet - ) - @powershell -NoProfile -ExecutionPolicy unrestricted -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://dist.nuget.org/win-x86-commandline/%NUGET_VERSION%/nuget.exe' -OutFile '%CACHED_NUGET%'" - ) - - copy %CACHED_NUGET% %NUGET_PATH% > nul -) - -SET KOREBUILD_DOWNLOAD_ARGS= -IF NOT "%KOREBUILD_VERSION%"=="" ( - SET KOREBUILD_DOWNLOAD_ARGS=-version %KOREBUILD_VERSION% -) -IF NOT EXIST %KOREBUILD_FOLDER% ( - %BUILD_FOLDER%\nuget.exe install KoreBuild-dotnet -ExcludeVersion -o %BUILD_FOLDER% -nocache -pre %KOREBUILD_DOWNLOAD_ARGS% -) - -"%KOREBUILD_FOLDER%\build\KoreBuild.cmd" %* +@ECHO OFF +PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*" \ No newline at end of file diff --git a/build.ps1 b/build.ps1 new file mode 100644 index 0000000000..4fd24a30d5 --- /dev/null +++ b/build.ps1 
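Review bot: On the new `PowerShell … -Command "…& '%~dp0build.ps1' %*"` line, cmd.exe substitutes `%*` and `%~dp0` into the command text before PowerShell parses it, so caller arguments are interpreted as PowerShell source rather than passed as values, and a checkout path containing `'` ends the quoted script path early. This matters most where a CI job forwards job parameters to build.cmd. Passing the script with `-File "%~dp0build.ps1" %*` keeps the arguments as data; the two culture assignments would then move to the top of build.ps1.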
@@ -0,0 +1,36 @@ +cd $PSScriptRoot + +$repoFolder = $PSScriptRoot +$env:REPO_FOLDER = $repoFolder + +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +if ($env:KOREBUILD_ZIP) +{ + $koreBuildZip=$env:KOREBUILD_ZIP +} + +$buildFolder = ".build" +$buildFile="$buildFolder\KoreBuild.ps1" + +if (!(Test-Path $buildFolder)) { + Write-Host "Downloading KoreBuild from $koreBuildZip" + + $tempFolder=$env:TEMP + "\KoreBuild-" + [guid]::NewGuid() + New-Item -Path "$tempFolder" -Type directory | Out-Null + + $localZipFile="$tempFolder\korebuild.zip" + + Invoke-WebRequest $koreBuildZip -OutFile $localZipFile + Add-Type -AssemblyName System.IO.Compression.FileSystem + [System.IO.Compression.ZipFile]::ExtractToDirectory($localZipFile, $tempFolder) + + New-Item -Path "$buildFolder" -Type directory | Out-Null + copy-item "$tempFolder\**\build\*" $buildFolder -Recurse + + # Cleanup + if (Test-Path $tempFolder) { + Remove-Item -Recurse -Force $tempFolder + } +} + +&"$buildFile" $args \ No newline at end of file diff --git a/build.sh b/build.sh index 263fb667a8..79638d06b6 100755 --- a/build.sh +++ b/build.sh 
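Review bot: The archive fetched with `Invoke-WebRequest $koreBuildZip -OutFile $localZipFile` is extracted and then run through `&"$buildFile" $args` without any integrity check, and the default URL is the moving `dev` branch zip, so the build executes whatever that URL (or a `KOREBUILD_ZIP` override) serves at download time. build.sh in this commit follows the same download-and-run pattern. Pinning the URL to a tag or commit archive and checking the file before extraction would make the bootstrap reproducible, for example `if ((Get-FileHash $localZipFile -Algorithm SHA256).Hash -ne $expectedSha256) { throw 'KoreBuild archive hash mismatch' }`, where `$expectedSha256` is a placeholder for a value committed alongside the script. Because `.build` is only populated when it is missing, the contents of the first download are reused by every later build in that checkout.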
@@ -1,45 +1,35 @@ #!/usr/bin/env bash +repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +cd $repoFolder -buildFolder=.build -koreBuildFolder=$buildFolder/KoreBuild-dotnet - -nugetPath=$buildFolder/nuget.exe - -if test `uname` = Darwin; then - cachedir=~/Library/Caches/KBuild -else - if [ -z $XDG_DATA_HOME ]; then - cachedir=$HOME/.local/share - else - cachedir=$XDG_DATA_HOME; - fi +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +if [ ! -z $KOREBUILD_ZIP ]; then + koreBuildZip=$KOREBUILD_ZIP fi -mkdir -p $cachedir -nugetVersion=latest -cacheNuget=$cachedir/nuget.$nugetVersion.exe -nugetUrl=https://dist.nuget.org/win-x86-commandline/$nugetVersion/nuget.exe +buildFolder=".build" +buildFile="$buildFolder/KoreBuild.sh" if test ! -d $buildFolder; then + echo "Downloading KoreBuild from $koreBuildZip" + + tempFolder="/tmp/KoreBuild-$(uuidgen)" + mkdir $tempFolder + + localZipFile="$tempFolder/korebuild.zip" + + wget -O $localZipFile $koreBuildZip 2>/dev/null || curl -o $localZipFile --location $koreBuildZip /dev/null + unzip -q -d $tempFolder $localZipFile + mkdir $buildFolder -fi - -if test ! -f $nugetPath; then - if test ! -f $cacheNuget; then - wget -O $cacheNuget $nugetUrl 2>/dev/null || curl -o $cacheNuget --location $nugetUrl /dev/null + cp -r $tempFolder/**/build/** $buildFolder + + chmod +x $buildFile + + # Cleanup + if test ! -d $tempFolder; then + rm -rf $tempFolder fi - - cp $cacheNuget $nugetPath fi -if test ! -d $koreBuildFolder; then - mono $nugetPath install KoreBuild-dotnet -ExcludeVersion -o $buildFolder -nocache -pre - chmod +x $koreBuildFolder/build/KoreBuild.sh -fi - -makeFile=makefile.shade -if [ ! -e $makeFile ]; then - makeFile=$koreBuildFolder/build/makefile.shade -fi - -./$koreBuildFolder/build/KoreBuild.sh -n $nugetPath -m $makeFile "$@" +$buildFile -r $repoFolder "$@" From 5cf18e31e709a73c413a428c2a850dceda0ea76a Mon Sep 17 00:00:00 2001 
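Review bot: The cleanup test is inverted: `if test ! -d $tempFolder; then rm -rf $tempFolder` runs only when the directory is already gone, so each bootstrap leaves the downloaded archive and its extracted copy behind in `/tmp`. The directory name also depends on `uuidgen` being installed; if it is missing the path degrades to the fixed `/tmp/KoreBuild-`, and the script carries on after a failed `mkdir` because nothing checks its result. Suggest `tempFolder="$(mktemp -d)"` for creation and `if test -d "$tempFolder"; then rm -rf "$tempFolder"; fi` for cleanup. Quoting `$repoFolder`, `$tempFolder` and `$localZipFile` throughout would also keep paths with spaces from splitting.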
From: Victor Hurdugaci Date: Sun, 28 Feb 2016 10:12:12 -0800 Subject: [PATCH 228/493] Return the error code from build.cmd --- build.cmd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.cmd b/build.cmd index 2fa024b15e..7d4894cb4a 100644 --- a/build.cmd +++ b/build.cmd @@ -1,2 +1,2 @@ @ECHO OFF -PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*" \ No newline at end of file +PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*; exit $LASTEXITCODE" \ No newline at end of file From d33c2ac37733a6f97b3c390788405ea81f0db315 Mon Sep 17 00:00:00 2001 
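Review bot: `exit $LASTEXITCODE` reports only failures that set `$LASTEXITCODE`, which as far as I know happens when a native program runs or a script calls `exit`. If build.ps1 fails before that point (for example the download or extraction errors and `.build\KoreBuild.ps1` is never created), the variable may still be empty and this wrapper would return 0 to the caller, so CI could record a broken bootstrap as a pass. Consider making build.ps1 fail fast with `$ErrorActionPreference = 'Stop'` at its top, so that an error there should end PowerShell with a non-zero code before this `exit` is reached.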
From: "N. Taylor Mullen" Date: Tue, 1 Mar 2016 13:31:31 -0800 Subject: [PATCH 229/493] Transition to netstandard. - dotnet5.X => netstandard1.y (where y = x-1). - DNXCore50 => netstandardapp1.5. - Applied the same changes to ifdefs. --- .../CryptoUtil.cs | 4 ++-- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 2 +- .../SafeHandles/SafeLibraryHandle.cs | 16 ++++++------- .../SafeHandles/SecureLocalAllocHandle.cs | 4 ++-- .../UnsafeBufferUtil.cs | 24 +++++++++---------- .../UnsafeNativeMethods.cs | 10 ++++---- .../project.json | 13 ++++++---- .../project.json | 13 ++++++---- .../project.json | 11 ++++++--- .../project.json | 10 ++++++-- .../project.json | 9 ++++--- .../ManagedAuthenticatedEncryptionOptions.cs | 2 +- .../Cng/DpapiSecretSerializerHelper.cs | 8 +++---- .../DataProtectionConfiguration.cs | 6 ++--- .../DataProtectionServiceDescriptors.cs | 6 ++--- .../DataProtectionServices.cs | 2 +- .../Managed/ManagedAuthenticatedEncryptor.cs | 2 +- .../Repositories/FileSystemXmlRepository.cs | 2 +- .../StringInterpolation.cs | 2 +- .../XmlEncryption/CertificateResolver.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 2 +- .../EncryptedXmlDecryptor.core50.cs | 2 +- .../XmlEncryption/EncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/ICertificateResolver.cs | 2 +- .../IInternalCertificateXmlEncryptor.cs | 2 +- .../IInternalEncryptedXmlDecryptor.cs | 2 +- .../XmlEncryption/XmlEncryptionExtensions.cs | 2 +- .../project.json | 11 ++++++--- .../project.json | 7 ++++-- .../project.json | 7 ++++-- .../project.json | 7 ++++-- .../project.json | 7 ++++-- .../project.json | 7 ++++-- .../FileSystemXmlRepositoryTests.cs | 2 +- .../CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- .../project.json | 7 ++++-- 37 files changed, 134 insertions(+), 87 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs index bc8bc56d54..8a268af986 100644 
--- a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs @@ -9,7 +9,7 @@ using System.Security.Cryptography; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.Cryptography.Internal; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 using System.Runtime.ConstrainedExecution; #endif @@ -73,7 +73,7 @@ namespace Microsoft.AspNetCore.Cryptography } [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint count) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs index 39e3ec7f25..2c7ca7eb33 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -#if DOTNET5_4 +#if NETSTANDARD1_3 namespace Microsoft.Win32.SafeHandles { internal abstract class SafeHandleZeroOrMinusOneIsInvalid : SafeHandle diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index 28920c4fc8..c6ed16428b 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs @@ -6,7 +6,7 @@ using System.Runtime.InteropServices; using System.Security; using Microsoft.Win32.SafeHandles; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 using System.Runtime.ConstrainedExecution; #endif 
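Review bot: The renamed guards stay in the negative form `#if !NETSTANDARD1_3`, here around `using System.Runtime.ConstrainedExecution;` and the `[ReliabilityContract]` on `TimeConstantBuffersAreEqual`, which makes the desktop-only code the default for every target that is not exactly netstandard1.3. If another framework is added to project.json later it would fall into the desktop branch, and wherever that branch still compiles the switch is silent; in this commit that includes the FIPS-compliant AES selection in ManagedAuthenticatedEncryptionOptions.cs and the `fixed` buffer handling in XmlEncryptionExtensions.cs. Guarding desktop-only code positively, `#if NET451`, would send an unknown target to the portable path or to a compile error instead. The same pattern recurs in the other .cs files touched by this commit.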
@@ -127,12 +127,12 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles return UnsafeNativeMethods.FreeLibrary(handle); } -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [SuppressUnmanagedCodeSecurity] #endif private static class UnsafeNativeMethods { -#if DOTNET5_4 +#if NETSTANDARD1_3 private const string CORE_LIBRARY_LOADER_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; private const string CORE_LOCALIZATION_LIB = "api-ms-win-core-localization-l1-2-0.dll"; #else @@ -140,7 +140,7 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx -#if DOTNET5_4 +#if NETSTANDARD1_3 [DllImport(CORE_LOCALIZATION_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] @@ -157,7 +157,7 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if DOTNET5_4 +#if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] #else [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] @@ -167,7 +167,7 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if DOTNET5_4 +#if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] 
@@ -178,7 +178,7 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles [Out] out IntPtr phModule); // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx -#if DOTNET5_4 +#if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] @@ -188,7 +188,7 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); // http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx -#if DOTNET5_4 +#if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] #else [DllImport(KERNEL32_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index 527c26d33d..9c7faeed90 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs @@ -4,7 +4,7 @@ using System; using System.Runtime.InteropServices; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 using System.Runtime.ConstrainedExecution; #endif @@ -41,7 +41,7 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles return newHandle; } -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif private void AllocateImpl(IntPtr cb) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs index 3645878af1..247812f020 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs 
+++ b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs @@ -6,7 +6,7 @@ using System.Runtime.CompilerServices; using System.Threading; using Microsoft.AspNetCore.Cryptography.SafeHandles; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 using System.Runtime.ConstrainedExecution; #endif @@ -15,7 +15,7 @@ namespace Microsoft.AspNetCore.Cryptography internal unsafe static class UnsafeBufferUtil { [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void BlockCopy(void* from, void* to, int byteCount) @@ -24,7 +24,7 @@ namespace Microsoft.AspNetCore.Cryptography } [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void BlockCopy(void* from, void* to, uint byteCount) @@ -35,7 +35,7 @@ namespace Microsoft.AspNetCore.Cryptography } } -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(LocalAllocHandle from, void* to, uint byteCount) @@ -55,7 +55,7 @@ namespace Microsoft.AspNetCore.Cryptography } } -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(void* from, LocalAllocHandle to, uint byteCount) @@ -75,7 +75,7 @@ namespace Microsoft.AspNetCore.Cryptography } } -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] #endif public static void BlockCopy(LocalAllocHandle from, LocalAllocHandle to, IntPtr length) 
@@ -116,7 +116,7 @@ namespace Microsoft.AspNetCore.Cryptography [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyCore(byte* from, byte* to, uint byteCount) { -#if DOTNET5_4 +#if NETSTANDARD1_3 Buffer.MemoryCopy(from, to, (ulong)byteCount, (ulong)byteCount); #else while (byteCount-- != 0) @@ -129,7 +129,7 @@ namespace Microsoft.AspNetCore.Cryptography [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyCore(byte* from, byte* to, ulong byteCount) { -#if DOTNET5_4 +#if NETSTANDARD1_3 Buffer.MemoryCopy(from, to, byteCount, byteCount); #else while (byteCount-- != 0) @@ -143,7 +143,7 @@ namespace Microsoft.AspNetCore.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, int byteCount) @@ -155,7 +155,7 @@ namespace Microsoft.AspNetCore.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, uint byteCount) @@ -176,7 +176,7 @@ namespace Microsoft.AspNetCore.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, ulong byteCount) @@ -196,7 +196,7 @@ namespace Microsoft.AspNetCore.Cryptography /// /// Securely clears a memory buffer. /// -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif public static void SecureZeroMemory(byte* buffer, IntPtr length) 
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs index 1de8dbc200..73cf4e91bd 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs @@ -12,13 +12,13 @@ using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 using System.Runtime.ConstrainedExecution; #endif namespace Microsoft.AspNetCore.Cryptography { -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [SuppressUnmanagedCodeSecurity] #endif internal unsafe static class UnsafeNativeMethods @@ -87,7 +87,7 @@ namespace Microsoft.AspNetCore.Cryptography [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx @@ -95,7 +95,7 @@ namespace Microsoft.AspNetCore.Cryptography [In] IntPtr hHash); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375404(v=vs.85).aspx @@ -249,7 +249,7 @@ namespace Microsoft.AspNetCore.Cryptography */ [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !DOTNET5_4 +#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706799(v=vs.85).aspx diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index 8c53951240..ebd11d61dd 100644 
--- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -8,21 +8,26 @@ "dependencies": {}, "frameworks": { "net451": {}, - "dotnet5.4": { + "netstandard1.3": { "dependencies": { "System.Diagnostics.Debug": "4.0.11-*", "System.Runtime.Handles": "4.0.1-*", "System.Runtime.InteropServices": "4.1.0-*", "System.Security.Cryptography.Primitives": "4.0.0-*", "System.Threading": "4.0.11-*" - } + }, + "imports": [ + "dotnet5.4" + ] } }, "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", - "nowarn": [ "CS1591" ], + "nowarn": [ + "CS1591" + ], "xmlDoc": true } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index 0f1ff14744..1ba9922aaf 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -10,19 +10,24 @@ }, "frameworks": { "net451": {}, - "dotnet5.4": { + "netstandard1.3": { "dependencies": { "System.Runtime.Extensions": "4.1.0-*", "System.Security.Cryptography.Algorithms": "4.0.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" - } + }, + "imports": [ + "dotnet5.4" + ] } }, "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", - "nowarn": [ "CS1591" ], + "nowarn": [ + "CS1591" + ], "xmlDoc": true } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 36738186db..eb8ade7d18 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json 
@@ -14,17 +14,22 @@ }, "frameworks": { "net451": {}, - "dotnet5.4": { + "netstandard1.3": { "dependencies": { "System.ComponentModel": "4.0.1-*", "System.Diagnostics.Debug": "4.0.11-*" - } + }, + "imports": [ + "dotnet5.4" + ] } }, "compilationOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", - "nowarn": [ "CS1591" ], + "nowarn": [ + "CS1591" + ], "xmlDoc": true } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index cbdf080737..14d7784c55 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -15,12 +15,18 @@ }, "frameworks": { "net451": {}, - "dotnet5.4": {} + "netstandard1.3": { + "imports": [ + "dotnet5.4" + ] + } }, "compilationOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", - "nowarn": [ "CS1591" ], + "nowarn": [ + "CS1591" + ], "xmlDoc": true } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index e04fdd43ea..b205184280 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json @@ -8,11 +8,14 @@ "dependencies": {}, "frameworks": { "net451": {}, - "dotnet5.4": { + "netstandard1.3": { "dependencies": { "System.Security.Cryptography.Primitives": "4.0.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" - } + }, + "imports": [ + "dotnet5.4" + ] } }, "shared": "**\\*.cs", @@ -20,4 +23,4 @@ "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } -} +} \ No newline at end of file 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs index 038680fe6b..622e37d2b2 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs @@ -119,7 +119,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption if (EncryptionAlgorithmType == typeof(Aes)) { Func factory = null; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 if (OSVersionUtil.IsWindows()) { // If we're on desktop CLR and running on Windows, use the FIPS-compliant implementation. diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs index 48e4ff4476..ba0bd83ea4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -78,7 +78,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng }; DATA_BLOB dataOut = default(DATA_BLOB); -#if !DOTNET5_4 +#if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -168,7 +168,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng fixed (byte* pbRetVal = retVal) { bool handleAcquired = false; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif try @@ -218,7 +218,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng }; DATA_BLOB dataOut = default(DATA_BLOB); -#if !DOTNET5_4 +#if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif try 
@@ -291,7 +291,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng using (unencryptedPayloadHandle) { bool handleAcquired = false; -#if !DOTNET5_4 +#if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif try diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs index c9f4e8df0a..a71f59bcdd 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs @@ -11,13 +11,13 @@ using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Win32; -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; #endif namespace Microsoft.AspNetCore.DataProtection { -#if !DOTNET5_4 +#if !NETSTANDARD1_3 /// /// Provides access to configuration for the data protection system, which allows the /// developer to configure default cryptographic algorithms, key storage locations, @@ -209,7 +209,7 @@ namespace Microsoft.AspNetCore.DataProtection return this; } -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// Configures keys to be encrypted to a given certificate before being persisted to storage. diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs index d21e1e095d..9c4b268364 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs 
@@ -13,7 +13,7 @@ using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.Options; using Microsoft.Win32; -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; #endif @@ -69,7 +69,7 @@ namespace Microsoft.Extensions.DependencyInjection return ServiceDescriptor.Singleton(options.ToConfiguration); } -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// An backed by the default implementation. /// @@ -118,7 +118,7 @@ namespace Microsoft.Extensions.DependencyInjection return ServiceDescriptor.Singleton(services => new XmlKeyManager(services)); } -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// An backed by an X.509 certificate. diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs index a76e46dfd9..14c9bb9df2 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs @@ -110,7 +110,7 @@ namespace Microsoft.Extensions.DependencyInjection yield return DataProtectionServiceDescriptors.IDataProtectionProvider_Default(); // Provide services required for XML encryption -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml yield return DataProtectionServiceDescriptors.ICertificateResolver_Default(); #endif 
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index b381eb0ee4..b3190b8f58 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -343,7 +343,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey)) { -#if !DOTNET5_4 +#if !NETSTANDARD1_3 // As an optimization, avoid duplicating the underlying buffer if we're on desktop CLR. byte[] underlyingBuffer = outputStream.GetBuffer(); #else diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index 6e2eb99992..9969a8b22f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -101,7 +101,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static DirectoryInfo GetDefaultKeyStorageDirectory() { -#if !DOTNET5_4 +#if !NETSTANDARD1_3 // Environment.GetFolderPath returns null if the user profile isn't loaded. string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); if (!String.IsNullOrEmpty(folderPath)) diff --git a/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs b/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs index 16f306bade..cb6120c647 100644 --- a/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs +++ b/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DOTNET5_4 +#if !NETSTANDARD1_3 // These classes allow using the C# string interpolation feature from .NET 4.5.1. // They're slimmed-down versions of the classes that exist in .NET 4.6. diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs index 00f19f090f..1116fd4c10 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.X509Certificates; diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 09c64ab976..03c784cb72 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.X509Certificates; diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs index ac3edc0e3c..565c30e297 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if DOTNET5_4 +#if NETSTANDARD1_3 // [[ISSUE60]] Remove this entire file when Core CLR gets support for EncryptedXml. // This is just a dummy implementation of the class that always throws. // The only reason it's here (albeit internal) is to provide a nice error message if key diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index 6a7d639552..eb8d163d45 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.Xml; diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs index d87a1ec2dc..9834687d8d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs index 5507b6856c..1e3cfeaee0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Xml; diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs index b54bbcd8f8..0bdf6680d6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.Xml; diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index 6505412959..2d155ef62a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs 
@@ -133,7 +133,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var memoryStream = new MemoryStream(DEFAULT_BUFFER_SIZE); element.Save(memoryStream); -#if !DOTNET5_4 +#if !NETSTANDARD1_3 byte[] underlyingBuffer = memoryStream.GetBuffer(); fixed (byte* __unused__ = underlyingBuffer) // try to limit this moving around in memory while we allocate { diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 9372a62be1..cd44733b13 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -25,21 +25,26 @@ "System.Xml.Linq": "" } }, - "dotnet5.4": { + "netstandard1.3": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-*", "System.Security.Cryptography.X509Certificates": "4.0.0-*", "System.Security.Claims": "4.0.1-*", "System.Security.Principal.Windows": "4.0.0-*", "System.Xml.XDocument": "4.0.11-*" - } + }, + "imports": [ + "dotnet5.4" + ] } }, "compilationOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", - "nowarn": [ "CS1591" ], + "nowarn": [ + "CS1591" + ], "xmlDoc": true } } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 308877a873..ffa391f84f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -10,11 +10,14 @@ "xunit": "2.1.0" }, "frameworks": { - "dnxcore50": { + "netstandardapp1.5": { "dependencies": { "dotnet-test-xunit": "1.0.0-dev-*" }, - "imports": "portable-net451+win8" + "imports": [ + "dnxcore50", + "portable-net451+win8" + ] }, "net451": { "dependencies": { 
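Review bot: The `#if !NETSTANDARD1_3` guard in XmlEncryptionExtensions.cs has no explanation, unlike the `[[ISSUE60]]` guards renamed elsewhere in this commit. It decides whether the serialized element's backing array is pinned with `fixed` while it is copied. I would add a comment on the directive, e.g. `#if !NETSTANDARD1_3 // GetBuffer() path: pin the backing array so the serialized element is not moved by the GC during the copy`, and state there what the other branch does with the buffer. Presumably the guard exists because `MemoryStream.GetBuffer()` is unavailable on that target, but the `#else` branch and the rest of the method are outside this hunk, so that needs confirming.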
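Review bot: The new `"imports": [ "dotnet5.4" ]` under `netstandard1.3` in src/Microsoft.AspNetCore.DataProtection/project.json makes NuGet accept `dotnet5.4` assets for every dependency of that target, not only for the one that still lacks a netstandard asset. With the floating `4.0.0-*` versions listed beside it, a restore can resolve a package built against a different API surface, and the mismatch may only show up at run time. I would record in the commit description or a tracking issue which dependency needs the fallback, and remove the `imports` entry once that package ships a `netstandard1.3` asset.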
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 4263161dd4..b6446bebbb 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -8,11 +8,14 @@ "xunit": "2.1.0" }, "frameworks": { - "dnxcore50": { + "netstandardapp1.5": { "dependencies": { "dotnet-test-xunit": "1.0.0-dev-*" }, - "imports": "portable-net451+win8" + "imports": [ + "dnxcore50", + "portable-net451+win8" + ] }, "net451": { "dependencies": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 0c2f5f6377..f0676e9f8e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -7,12 +7,15 @@ "xunit": "2.1.0" }, "frameworks": { - "dnxcore50": { + "netstandardapp1.5": { "dependencies": { "moq.netcore": "4.4.0-beta8", "dotnet-test-xunit": "1.0.0-dev-*" }, - "imports": "portable-net451+win8" + "imports": [ + "dnxcore50", + "portable-net451+win8" + ] }, "net451": { "dependencies": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index f892ec3110..d5fddc8339 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -11,12 +11,15 @@ "xunit": "2.1.0" }, "frameworks": { - "dnxcore50": { + "netstandardapp1.5": { "dependencies": { "moq.netcore": "4.4.0-beta8", "dotnet-test-xunit": "1.0.0-dev-*" }, - "imports": "portable-net451+win8" + "imports": [ + "dnxcore50", + "portable-net451+win8" + ] }, "net451": { "dependencies": { 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 69ab8c7d84..fbbb894846 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -1,11 +1,14 @@ { "frameworks": { - "dnxcore50": { + "netstandardapp1.5": { "dependencies": { "dotnet-test-xunit": "1.0.0-dev-*", "Microsoft.NETCore.Platforms": "1.0.1-*" }, - "imports": "portable-net451+win8" + "imports": [ + "dnxcore50", + "portable-net451+win8" + ] }, "net451": {} }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 236f98cff0..2ed3f84d0a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -158,7 +158,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static string GetLocalApplicationData() { -#if DNXCORE50 +#if NETSTANDARDAPP1_5 return Environment.GetEnvironmentVariable("LOCALAPPDATA"); #else return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 79e2b2d664..4655d87138 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !DNXCORE50 +#if !NETSTANDARDAPP1_5 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 8929ae9d3f..775c63b3eb 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if !DNXCORE50 +#if !NETSTANDARDAPP1_5 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 5622521c2d..9897b9b521 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -11,12 +11,15 @@ "xunit": "2.1.0" }, "frameworks": { - "dnxcore50": { + "netstandardapp1.5": { "dependencies": { "moq.netcore": "4.4.0-beta8", "dotnet-test-xunit": "1.0.0-dev-*" }, - "imports": "portable-net451+win8" + "imports": [ + "dnxcore50", + "portable-net451+win8" + ] }, "net451": { "dependencies": { From a424475be786fbbaead1227ec45b6493cd31cf49 Mon Sep 17 00:00:00 2001 
From: Doug Bunting Date: Wed, 2 Mar 2016 16:36:52 -0800 Subject: [PATCH 230/493] Remove project name from output path - aspnet/Coherence-Signed#187 - remove `` settings but maintain other unique aspects e.g. `` - in a few cases, standardize on VS version `14.0` and not something more specific --- .../Microsoft.AspNetCore.Cryptography.Internal.xproj | 2 +- .../Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.Abstractions.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.Extensions.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.Sources.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.SystemWeb.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.xproj | 2 +- .../Microsoft.AspNetCore.Cryptography.Internal.Test.xproj | 2 +- .../Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.Test.Shared.xproj | 2 +- .../Microsoft.AspNetCore.DataProtection.Test.xproj | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj index dc81e9f0a7..015fc69c62 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj @@ -8,7 +8,7 @@ E2779976-A28C-4365-A4BB-4AD854FAF23E ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj index be90ea0857..d9fd79b375 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj @@ -8,7 +8,7 @@ 421F0383-34B1-402D-807B-A94542513ABA ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj index 6c3aba85d2..bb6971f855 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj @@ -8,7 +8,7 @@ 4b115bde-b253-46a6-97bf-a8b37b344ff2 ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj index 772fd0d3ca..329df80e63 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj @@ -8,7 +8,7 @@ bf8681db-c28b-441f-bd92-0dcfe9537a9f ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj b/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj index 29f937796f..ffb77951d6 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj @@ -8,7 +8,7 @@ 3277bb22-033f-4010-8131-a515b910caad ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj index 8ac91a07c5..172403c6fb 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj @@ -8,7 +8,7 @@ e3552deb-4173-43ae-bf69-3c10dff3bab6 ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj index 4a0c8dd84d..8addcac57a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj @@ -8,7 +8,7 @@ 1e570cd4-6f12-44f4-961e-005ee2002bc2 ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj index eff850ff50..82a36e7ec3 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj @@ -8,7 +8,7 @@ 37053d5f-5b61-47ce-8b72-298ce007ffb0 ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj index e81126fdab..b86a806385 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj @@ -8,7 +8,7 @@ 42c97f52-8d56-46bd-a712-4f22bed157a7 ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj index 20fb10d4b3..7f9123069f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj 
@@ -8,7 +8,7 @@ ff650a69-dee4-4b36-9e30-264ee7cfb478 ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj index 177bce8e44..dc11b53c0c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj @@ -8,7 +8,7 @@ 04aa8e60-a053-4d50-89fe-e76c3df45200 ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj index f67c2328f8..40e0d14aba 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj @@ -8,7 +8,7 @@ 4f14ba2a-4f04-4676-8586-ec380977ee2e ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj index da168e5304..948a9508e5 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj 
@@ -8,7 +8,7 @@ 7a637185-2ba1-437d-9d4c-7cc4f94cf7bf ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\$(MSBuildProjectName)\ + ..\..\artifacts\bin\ 2.0 From 73cf5b3f843ec2753ccb0d9fba1a232bdb97e84e Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 2 Mar 2016 17:07:03 -0800 Subject: [PATCH 231/493] Fixing build break --- src/Microsoft.AspNetCore.DataProtection/project.json | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index cd44733b13..3de43d75f1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -20,6 +20,7 @@ "net451": { "frameworkAssemblies": { "System.IO": "", + "System.Runtime": "", "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" From 078cbb5d7811b2dc403d1afea3a15c6e435a1dc6 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Thu, 3 Mar 2016 17:32:02 -0800 Subject: [PATCH 232/493] Added Company, Copyright and Product attributes to AssemblyInfo --- .../Properties/AssemblyInfo.cs | 3 +++ .../Properties/AssemblyInfo.cs | 3 +++ .../Properties/AssemblyInfo.cs | 3 +++ .../Properties/AssemblyInfo.cs | 3 +++ .../Properties/AssemblyInfo.cs | 3 +++ .../Properties/AssemblyInfo.cs | 3 +++ 6 files changed, 18 insertions(+) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs index 4263ed47d2..ede18c9302 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs 
@@ -18,3 +18,6 @@ using System.Runtime.InteropServices; [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs index f23a5a16ff..a4ad1bb0a0 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs @@ -8,3 +8,6 @@ using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNetCore.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs index b90d989663..78e1538ee5 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs @@ -9,3 +9,6 @@ using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs index 83dac2932b..88c1dd9455 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs 
@@ -8,3 +8,6 @@ using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs index 3f4a3b62e0..e3ae91c58b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs @@ -6,3 +6,6 @@ using System.Resources; [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs index 441f834f11..6bb7a99e85 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs 
@@ -10,3 +10,6 @@ using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] [assembly: AssemblyMetadata("Serviceable", "True")] [assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] From eeff404a24634f46e5ecb0d8cf064cf84b3a453f Mon Sep 17 00:00:00 2001 From: Victor Hurdugaci Date: Mon, 7 Mar 2016 20:54:56 -0800 Subject: [PATCH 233/493] Update the build scripts to the latest version --- build.ps1 | 33 ++++++++++++++++++++++++++++++++- build.sh | 15 +++++++++++++-- 2 files changed, 45 insertions(+), 3 deletions(-) diff --git a/build.ps1 b/build.ps1 index 4fd24a30d5..8f2f99691a 100644 --- a/build.ps1 +++ b/build.ps1 @@ -1,3 +1,33 @@ +$ErrorActionPreference = "Stop" + +function DownloadWithRetry([string] $url, [string] $downloadLocation, [int] $retries) +{ + while($true) + { + try + { + Invoke-WebRequest $url -OutFile $downloadLocation + break + } + catch + { + $exceptionMessage = $_.Exception.Message + Write-Host "Failed to download '$url': $exceptionMessage" + if ($retries -gt 0) { + $retries-- + Write-Host "Waiting 10 seconds before retrying. Retries left: $retries" + Start-Sleep -Seconds 10 + + } + else + { + $exception = $_.Exception + throw $exception + } + } + } +} + cd $PSScriptRoot $repoFolder = $PSScriptRoot 
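Review bot: In `DownloadWithRetry` (build.ps1), the final `throw $exception` raises a new error from the bare exception object, so the original error record and its invocation details are lost when the last retry fails. A bare `throw` inside the `catch` block re-throws the caught error unchanged, which also makes `$exception = $_.Exception` unnecessary. The function retries every failure the same way, including ones that will not recover such as a 404 or a certificate validation error. A short comment above it saying that this is intentional, and that `$retries` counts attempts after the first, would help the next reader.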
@@ -20,7 +50,8 @@ if (!(Test-Path $buildFolder)) { $localZipFile="$tempFolder\korebuild.zip" - Invoke-WebRequest $koreBuildZip -OutFile $localZipFile + DownloadWithRetry -url $koreBuildZip -downloadLocation $localZipFile -retries 6 + Add-Type -AssemblyName System.IO.Compression.FileSystem [System.IO.Compression.ZipFile]::ExtractToDirectory($localZipFile, $tempFolder) diff --git a/build.sh b/build.sh index 79638d06b6..f4208100eb 100755 --- a/build.sh +++ b/build.sh @@ -18,7 +18,18 @@ if test ! -d $buildFolder; then localZipFile="$tempFolder/korebuild.zip" - wget -O $localZipFile $koreBuildZip 2>/dev/null || curl -o $localZipFile --location $koreBuildZip /dev/null + retries=6 + until (wget -O $localZipFile $koreBuildZip 2>/dev/null || curl -o $localZipFile --location $koreBuildZip 2>/dev/null) + do + echo "Failed to download '$koreBuildZip'" + if [ "$retries" -le 0 ]; then + exit 1 + fi + retries=$((retries - 1)) + echo "Waiting 10 seconds before retrying. Retries left: $retries" + sleep 10s + done + unzip -q -d $tempFolder $localZipFile mkdir $buildFolder @@ -32,4 +43,4 @@ if test ! -d $buildFolder; then fi fi -$buildFile -r $repoFolder "$@" +$buildFile -r $repoFolder "$@" \ No newline at end of file From a317760000c996a604d6ddbdd2b526de1a46cfcf Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 9 Mar 2016 16:35:07 -0800 Subject: [PATCH 234/493] Limit the branches that build on our public CI. [ci skip] --- .travis.yml | 6 ++++++ appveyor.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/.travis.yml b/.travis.yml index bf811dc26a..dd4686f39c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,5 +16,11 @@ os: - linux - osx osx_image: xcode7.1 +branches: + only: + - master + - release + - dev + - /^(.*\\/)?ci-.*$/ script: - ./build.sh verify \ No newline at end of file diff --git a/appveyor.yml b/appveyor.yml index 3fab83e134..c6d5f7d997 100644 --- a/appveyor.yml +++ b/appveyor.yml 
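Review bot: build.ps1 extracts and later runs the archive fetched by `DownloadWithRetry -url $koreBuildZip ...` without any integrity check; retrying improves availability but does nothing about a truncated or substituted file. I would verify a pinned digest before `ExtractToDirectory`, e.g. `if ((Get-FileHash $localZipFile -Algorithm SHA256).Hash -ne $expectedKoreBuildSha256) { throw "KoreBuild archive hash mismatch" }`, where `$expectedKoreBuildSha256` is a placeholder for a value committed with the script. The URL behind `$koreBuildZip` is not visible in this hunk, so if it points at a moving branch archive it would need to become a fixed tag or commit for a pinned hash to work. The retry loop added to build.sh in this same commit has the same gap before its `unzip`.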
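Review bot: The retry loop added to build.sh treats an HTTP error from curl as success. Without `--fail`, curl exits 0 on a 404 or 500 and writes the error body to `$localZipFile`, so the `until` condition is satisfied and `unzip` then runs on something that is not the archive. This matters on hosts where wget is missing and the `||` fallback is the only downloader. I would change the fallback to `curl --fail -o "$localZipFile" --location "$koreBuildZip" 2>/dev/null`, and quote the same two variables in the `wget` call so that a temp path containing spaces does not split the arguments.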
@@ -1,5 +1,11 @@ init: - git config --global core.autocrlf true +branches: + only: + - master + - release + - dev + - /^(.*\\/)?ci-.*$/ build_script: - build.cmd verify clone_depth: 1 From a82ce85f66892946c1b4dcaaee5619ebe8668e38 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 9 Mar 2016 17:44:48 -0800 Subject: [PATCH 235/493] Fix backslashes in yml config. [ci skip] --- .travis.yml | 2 +- appveyor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index dd4686f39c..df22f7a880 100644 --- a/.travis.yml +++ b/.travis.yml @@ -21,6 +21,6 @@ branches: - master - release - dev - - /^(.*\\/)?ci-.*$/ + - /^(.*\/)?ci-.*$/ script: - ./build.sh verify \ No newline at end of file diff --git a/appveyor.yml b/appveyor.yml index c6d5f7d997..b9a9bcd1e6 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -5,7 +5,7 @@ branches: - master - release - dev - - /^(.*\\/)?ci-.*$/ + - /^(.*\/)?ci-.*$/ build_script: - build.cmd verify clone_depth: 1 From 9750924973bd1f99841cde7c801c4d0888e195fb Mon Sep 17 00:00:00 2001 From: Brice Lambson Date: Thu, 10 Mar 2016 10:24:52 -0800 Subject: [PATCH 236/493] Don't reference facades --- src/Microsoft.AspNetCore.DataProtection/project.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 3de43d75f1..55fb22e14b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -19,8 +19,6 @@ "frameworks": { "net451": { "frameworkAssemblies": { - "System.IO": "", - "System.Runtime": "", "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" From 3d4e0d41c8d9167abfca48f9d08ca288e46ba64f Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 11 Mar 2016 13:44:34 -0800 Subject: [PATCH 237/493] Fixing CI build failure --- src/Microsoft.AspNetCore.DataProtection/project.json | 1 + 1 file changed, 1 insertion(+) 
diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 55fb22e14b..82d53594db 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -19,6 +19,7 @@ "frameworks": { "net451": { "frameworkAssemblies": { + "System.Runtime": { "type": "build" }, "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" From 89a7fe8c8170202a45e8291ec9779fade57d6e4b Mon Sep 17 00:00:00 2001 From: Cesar Blum Silveira Date: Mon, 14 Mar 2016 21:46:27 -0700 Subject: [PATCH 238/493] ASP.NET 5 -> ASP.NET Core --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cf91ed9152..1560deffee 100644 --- a/README.md +++ b/README.md @@ -6,4 +6,4 @@ Travis: [![Travis](https://travis-ci.org/aspnet/DataProtection.svg?branch=dev) Data Protection APIs -This project is part of ASP.NET 5. You can find documentation for Data Protection in the [ASP.NET 5 Documentation](http://docs.asp.net/en/latest/security/data-protection/index.html). You can find samples, documentation and getting started instructions for ASP.NET 5 at the [Home](https://github.com/aspnet/home) repo. +This project is part of ASP.NET Core. You can find documentation for Data Protection in the [ASP.NET Core Documentation](http://docs.asp.net/en/latest/security/data-protection/index.html). You can find samples, documentation and getting started instructions for ASP.NET Core at the [Home](https://github.com/aspnet/home) repo. From 64f7eff3225565d296915df2656fe7a9b1b15bc1 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 15 Mar 2016 12:39:38 -0700 Subject: [PATCH 239/493] Fixing CI build break --- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 3 ++- .../project.json | 11 ++++------- .../project.json | 3 ++- 6 files changed, 14 insertions(+), 12 deletions(-) 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index ffa391f84f..275ddd9910 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -12,7 +12,8 @@ "frameworks": { "netstandardapp1.5": { "dependencies": { - "dotnet-test-xunit": "1.0.0-dev-*" + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index b6446bebbb..dbeaf4e74f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -10,7 +10,8 @@ "frameworks": { "netstandardapp1.5": { "dependencies": { - "dotnet-test-xunit": "1.0.0-dev-*" + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index f0676e9f8e..3e077c2823 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -10,7 +10,8 @@ "netstandardapp1.5": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*" + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index d5fddc8339..8a1c50c1a2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json 
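Review bot: `"System.Diagnostics.Process": "4.1.0-*"` is a floating prerelease range, like the `dotnet-test-xunit` entry next to it, so each restore can resolve a different package build and the test run is not reproducible from the commit alone. It also means that whatever is published under that version prefix on the configured feeds is pulled in and executed by the test run, which matters if any of those feeds is not fully under the project's control. Consider a fixed version or a committed lock file for these test projects. The same line is added in the KeyDerivation, Abstractions, Extensions and DataProtection test project.json hunks of this commit.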
+++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -14,7 +14,8 @@ "netstandardapp1.5": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*" + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index fbbb894846..86a03356af 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -1,16 +1,13 @@ { "frameworks": { - "netstandardapp1.5": { + "netstandard1.1": { "dependencies": { - "dotnet-test-xunit": "1.0.0-dev-*", - "Microsoft.NETCore.Platforms": "1.0.1-*" + "System.Runtime": "4.1.0-*" }, "imports": [ - "dnxcore50", - "portable-net451+win8" + "dotnet5.2" ] - }, - "net451": {} + } }, "shared": "**/*.cs" } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 9897b9b521..c551926e27 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -14,7 +14,8 @@ "netstandardapp1.5": { "dependencies": { "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*" + "dotnet-test-xunit": "1.0.0-dev-*", + "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ "dnxcore50", From aa1495deb05d4e524ef81b9a6c2393def2babac9 Mon Sep 17 00:00:00 2001 
From: jacalvar Date: Thu, 25 Feb 2016 09:09:01 -0800 Subject: [PATCH 240/493] [Fixes #120, Fixes #121, Fixes #122] Make data protection follow the options model * Add an IDataProtectionBuilder interface and move methods on DataProtectionConfiguration to extension methods on IDataProtectionBuilder. * Make AddDataProtection return an IDataProtectionBuilder instance for further configuration. * Make AddDataProtection take in an action with a GlobalConfigurationOptions parameter instead of a DataProtectionConfiguration parameter. * Make DataProtectionProvider static * Remove ConfigureGlobalOptions * Change Option suffix in classes that are not actually options to Settings. * Add extension method for configuring key management options. * Cleanups. --- .../DataProtectionProvider.cs | 55 +- ....cs => AuthenticatedEncryptionSettings.cs} | 16 +- ... CngCbcAuthenticatedEncryptionSettings.cs} | 8 +- ... CngGcmAuthenticatedEncryptionSettings.cs} | 8 +- .../AuthenticatedEncryptorConfiguration.cs | 16 +- .../AuthenticatedEncryptorDescriptor.cs | 24 +- ...nticatedEncryptorDescriptorDeserializer.cs | 10 +- ...gCbcAuthenticatedEncryptorConfiguration.cs | 16 +- .../CngCbcAuthenticatedEncryptorDescriptor.cs | 32 +- ...nticatedEncryptorDescriptorDeserializer.cs | 14 +- ...gGcmAuthenticatedEncryptorConfiguration.cs | 16 +- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 26 +- ...nticatedEncryptorDescriptorDeserializer.cs | 10 +- ...agedAuthenticatedEncryptorConfiguration.cs | 16 +- ...ManagedAuthenticatedEncryptorDescriptor.cs | 24 +- ...nticatedEncryptorDescriptorDeserializer.cs | 10 +- ...nternalAuthenticatedEncryptionSettings.cs} | 8 +- ...ManagedAuthenticatedEncryptionSettings.cs} | 8 +- .../DataProtectionBuilderExtensions.cs | 546 ++++++++++++++++++ .../DataProtectionConfiguration.cs | 484 ---------------- ...taProtectionServiceCollectionExtensions.cs | 33 +- .../DataProtectionServiceDescriptors.cs | 6 +- .../EphemeralDataProtectionProvider.cs | 6 +- .../IDataProtectionBuilder.cs 
| 69 +++ .../Internal/DataProtectionBuilder.cs | 41 ++ .../Properties/Resources.Designer.cs | 16 + .../RegistryPolicyResolver.cs | 10 +- .../Resources.resx | 3 + .../DataProtectionProviderTests.cs | 4 +- ...tedEncryptorDescriptorDeserializerTests.cs | 2 +- .../AuthenticatedEncryptorDescriptorTests.cs | 2 +- ...uthenticatedEncryptorConfigurationTests.cs | 6 +- ...tedEncryptorDescriptorDeserializerTests.cs | 2 +- ...bcAuthenticatedEncryptorDescriptorTests.cs | 4 +- ...uthenticatedEncryptorConfigurationTests.cs | 6 +- ...tedEncryptorDescriptorDeserializerTests.cs | 2 +- ...cmAuthenticatedEncryptorDescriptorTests.cs | 4 +- ...uthenticatedEncryptorConfigurationTests.cs | 6 +- ...tedEncryptorDescriptorDeserializerTests.cs | 4 +- ...edAuthenticatedEncryptorDescriptorTests.cs | 4 +- .../KeyRingBasedDataProtectorTests.cs | 2 +- .../RegistryPolicyResolverTests.cs | 56 +- 42 files changed, 911 insertions(+), 724 deletions(-) rename src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/{AuthenticatedEncryptionOptions.cs => AuthenticatedEncryptionSettings.cs} (92%) rename src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/{CngCbcAuthenticatedEncryptionOptions.cs => CngCbcAuthenticatedEncryptionSettings.cs} (96%) rename src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/{CngGcmAuthenticatedEncryptionOptions.cs => CngGcmAuthenticatedEncryptionSettings.cs} (94%) rename src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/{IInternalAuthenticatedEncryptionOptions.cs => IInternalAuthenticatedEncryptionSettings.cs} (78%) rename src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/{ManagedAuthenticatedEncryptionOptions.cs => ManagedAuthenticatedEncryptionSettings.cs} (95%) create mode 100644 src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs create mode 100644 
src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs index 0ccb6eb22d..cedcc2bded 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs @@ -8,21 +8,20 @@ using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection { /// - /// A simple implementation of an where keys are stored + /// Contains factory methods for creating an where keys are stored /// at a particular location on the file system. /// - public sealed class DataProtectionProvider : IDataProtectionProvider + /// Use these methods when not using dependency injection to provide the service to the application. + public static class DataProtectionProvider { - private readonly IDataProtectionProvider _innerProvider; - /// /// Creates an given a location at which to store keys. /// /// The in which keys should be stored. This may /// represent a directory on a local disk or a UNC share. - public DataProtectionProvider(DirectoryInfo keyDirectory) - : this(keyDirectory, configure: null) + public static IDataProtectionProvider Create(DirectoryInfo keyDirectory) { + return Create(keyDirectory, setupAction: builder => { }); } /// 
@@ -31,38 +30,34 @@ namespace Microsoft.AspNetCore.DataProtection /// /// The in which keys should be stored. This may /// represent a directory on a local disk or a UNC share. - /// An optional callback which provides further configuration of the data protection - /// system. See for more information. - public DataProtectionProvider(DirectoryInfo keyDirectory, Action configure) + /// An optional callback which provides further configuration of the data protection + /// system. See for more information. + public static IDataProtectionProvider Create( + DirectoryInfo keyDirectory, + Action setupAction) { if (keyDirectory == null) { throw new ArgumentNullException(nameof(keyDirectory)); } - // build the service collection - var serviceCollection = new ServiceCollection(); - serviceCollection.AddDataProtection(configurationObject => + if (setupAction == null) { - configurationObject.PersistKeysToFileSystem(keyDirectory); - configure?.Invoke(configurationObject); - }); - - // extract the provider instance from the service collection - _innerProvider = serviceCollection.BuildServiceProvider().GetRequiredService(); - } - - /// - /// Implements . - /// - public IDataProtector CreateProtector(string purpose) - { - if (purpose == null) - { - throw new ArgumentNullException(nameof(purpose)); + throw new ArgumentNullException(nameof(setupAction)); } - return _innerProvider.CreateProtector(purpose); + // build the service collection + var serviceCollection = new ServiceCollection(); + var builder = serviceCollection.AddDataProtection(); + builder.PersistKeysToFileSystem(keyDirectory); + + if (setupAction != null) + { + setupAction(builder); + } + + // extract the provider instance from the service collection + return serviceCollection.BuildServiceProvider().GetRequiredService(); } } -} +} \ No newline at end of file 
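Review bot: The two-argument `Create` overload now throws `ArgumentNullException` when `setupAction` is null, but its doc comment still describes the callback as "optional" and the body keeps an `if (setupAction != null)` guard that can never be false. Drop the guard and call `setupAction(builder);` directly, and reword the comment so callers know null is rejected. Separately, each call builds a new service provider that is never disposed and, as far as the hunk shows, a new provider instance per call; a remark in the doc comment that callers should create the provider once and reuse it would prevent accidental per-request construction.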
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionSettings.cs similarity index 92% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionSettings.cs index 994c54ca65..093dc3e1e5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionSettings.cs @@ -11,9 +11,9 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// - /// Options for configuring authenticated encryption algorithms. + /// Settings for configuring authenticated encryption algorithms. /// - public sealed class AuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions + public sealed class AuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings { /// /// The algorithm to use for symmetric encryption (confidentiality). @@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption public ValidationAlgorithm ValidationAlgorithm { get; set; } = ValidationAlgorithm.HMACSHA256; /// - /// Validates that this is well-formed, i.e., + /// Validates that this is well-formed, i.e., /// that the specified algorithms actually exist and that they can be instantiated properly. /// An exception will be thrown if validation fails. /// @@ -63,7 +63,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption .CreateEncryptorInstance(); } - private IInternalAuthenticatedEncryptionOptions CreateImplementationOptions() + private IInternalAuthenticatedEncryptionSettings CreateImplementationOptions() { if (IsGcmAlgorithm(EncryptionAlgorithm)) { 
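Review bot: `CreateImplementationOptions()` now returns `IInternalAuthenticatedEncryptionSettings`, which leaves the method name as the one place in this hunk still using the old "Options" term. Renaming it to `CreateImplementationSettings()` would complete the rename this commit is making. The method is private, so only call sites inside the class should need to change; its body continues in the following hunks.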
@@ -72,7 +72,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { throw new PlatformNotSupportedException(Resources.Platform_WindowsRequiredForGcm); } - return new CngGcmAuthenticatedEncryptionOptions() + return new CngGcmAuthenticatedEncryptionSettings() { EncryptionAlgorithm = GetBCryptAlgorithmName(EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm) @@ -83,7 +83,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption if (OSVersionUtil.IsWindows()) { // CNG preferred over managed implementations if running on Windows - return new CngCbcAuthenticatedEncryptionOptions() + return new CngCbcAuthenticatedEncryptionSettings() { EncryptionAlgorithm = GetBCryptAlgorithmName(EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm), @@ -93,7 +93,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption else { // Use managed implementations as a fallback - return new ManagedAuthenticatedEncryptionOptions() + return new ManagedAuthenticatedEncryptionSettings() { EncryptionAlgorithmType = GetManagedTypeForAlgorithm(EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm), @@ -193,7 +193,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return (EncryptionAlgorithm.AES_128_GCM <= algorithm && algorithm <= EncryptionAlgorithm.AES_256_GCM); } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) { return new AuthenticatedEncryptorConfiguration(this, services); } 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs similarity index 96% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs index 53e5585992..1b85f58009 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs @@ -12,10 +12,10 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// - /// Options for configuring an authenticated encryption mechanism which uses + /// Settings for configuring an authenticated encryption mechanism which uses /// Windows CNG algorithms in CBC encryption + HMAC authentication modes. /// - public sealed class CngCbcAuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions + public sealed class CngCbcAuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings { /// /// The name of the algorithm to use for symmetric encryption. @@ -77,7 +77,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption public string HashAlgorithmProvider { get; set; } = null; /// - /// Validates that this is well-formed, i.e., + /// Validates that this is well-formed, i.e., /// that the specified algorithms actually exist and that they can be instantiated properly. /// An exception will be thrown if validation fails. /// 
@@ -176,7 +176,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return algorithmHandle; } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) { return new CngCbcAuthenticatedEncryptorConfiguration(this, services); } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionSettings.cs similarity index 94% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionSettings.cs index c38097d011..4c3f33d903 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionSettings.cs @@ -12,10 +12,10 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// - /// Options for configuring an authenticated encryption mechanism which uses + /// Settings for configuring an authenticated encryption mechanism which uses /// Windows CNG algorithms in GCM encryption + authentication modes. /// - public sealed class CngGcmAuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions + public sealed class CngGcmAuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings { /// /// The name of the algorithm to use for symmetric encryption. 
@@ -53,7 +53,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption public int EncryptionAlgorithmKeySize { get; set; } = 256; /// - /// Validates that this is well-formed, i.e., + /// Validates that this is well-formed, i.e., /// that the specified algorithm actually exists and can be instantiated properly. /// An exception will be thrown if validation fails. /// @@ -117,7 +117,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return algorithmHandle; } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) { return new CngGcmAuthenticatedEncryptorConfiguration(this, services); } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs index 0538419756..61aaa082e3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs 
@@ -12,23 +12,23 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { private readonly IServiceProvider _services; - public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionOptions options) - : this(options, services: null) + public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionSettings settings) + : this(settings, services: null) { } - public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionOptions options, IServiceProvider services) + public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionSettings settings, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } - Options = options; + Settings = settings; _services = services; } - public AuthenticatedEncryptionOptions Options { get; } + public AuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { @@ -37,7 +37,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new AuthenticatedEncryptorDescriptor(Options, secret, _services); + return new AuthenticatedEncryptorDescriptor(Settings, secret, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs index 381fd064ab..bed3a894da 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs 
@@ -8,22 +8,22 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class AuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { private readonly IServiceProvider _services; - public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionOptions options, ISecret masterKey) - : this(options, masterKey, services: null) + public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionSettings settings, ISecret masterKey) + : this(settings, masterKey, services: null) { } - public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) + public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } if (masterKey == null) @@ -31,18 +31,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Options = options; + Settings = settings; MasterKey = masterKey; _services = services; } internal ISecret MasterKey { get; } - internal AuthenticatedEncryptionOptions Options { get; } + internal AuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptor CreateEncryptorInstance() { - return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _services); + return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _services); } public XmlSerializedDescriptorInfo ExportToXml() 
@@ -54,12 +54,12 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", Options.EncryptionAlgorithm)); + new XAttribute("algorithm", Settings.EncryptionAlgorithm)); - var validationElement = (AuthenticatedEncryptionOptions.IsGcmAlgorithm(Options.EncryptionAlgorithm)) + var validationElement = (AuthenticatedEncryptionSettings.IsGcmAlgorithm(Settings.EncryptionAlgorithm)) ? (object)new XComment(" AES-GCM includes a 128-bit authentication tag, no extra validation algorithm required. ") : (object)new XElement("validation", - new XAttribute("algorithm", Options.ValidationAlgorithm)); + new XAttribute("algorithm", Settings.ValidationAlgorithm)); var outerElement = new XElement("descriptor", encryptionElement, diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs index 02e982d5b4..1628cd28e0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -41,20 +41,20 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var options = new AuthenticatedEncryptionOptions(); + var settings = new AuthenticatedEncryptionSettings(); var encryptionElement = element.Element("encryption"); - options.EncryptionAlgorithm = (EncryptionAlgorithm)Enum.Parse(typeof(EncryptionAlgorithm), (string)encryptionElement.Attribute("algorithm")); + settings.EncryptionAlgorithm = (EncryptionAlgorithm)Enum.Parse(typeof(EncryptionAlgorithm), (string)encryptionElement.Attribute("algorithm")); // only read if not GCM - if (!AuthenticatedEncryptionOptions.IsGcmAlgorithm(options.EncryptionAlgorithm)) + if (!AuthenticatedEncryptionSettings.IsGcmAlgorithm(settings.EncryptionAlgorithm)) { var validationElement = element.Element("validation"); - options.ValidationAlgorithm = (ValidationAlgorithm)Enum.Parse(typeof(ValidationAlgorithm), (string)validationElement.Attribute("algorithm")); + settings.ValidationAlgorithm = (ValidationAlgorithm)Enum.Parse(typeof(ValidationAlgorithm), (string)validationElement.Attribute("algorithm")); } Secret masterKey = ((string)element.Elements("masterKey").Single()).ToSecret(); - return new AuthenticatedEncryptorDescriptor(options, masterKey, _services); + return new AuthenticatedEncryptorDescriptor(settings, masterKey, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs index a8a809ca3e..712404513b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs 
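Review bot: The `algorithm` attributes read from the descriptor XML go straight into `Enum.Parse`, which also accepts numeric strings and returns values that are not defined members of `EncryptionAlgorithm` or `ValidationAlgorithm`, and a missing `encryption` or `validation` element surfaces as a `NullReferenceException` rather than a descriptive error. Since this XML selects the cipher for a stored key, reject anything unexpected at this point, for example `if (!Enum.IsDefined(typeof(EncryptionAlgorithm), settings.EncryptionAlgorithm)) { throw new InvalidOperationException("Unknown encryption algorithm in descriptor."); }` with the matching check for the validation algorithm. Later validation may already reject such values, but that is not visible in this hunk. The method body starts outside the hunk.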
@@ -13,23 +13,23 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { private readonly IServiceProvider _services; - public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionOptions options) - : this(options, services: null) + public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionSettings settings) + : this(settings, services: null) { } - public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionOptions options, IServiceProvider services) + public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionSettings settings, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } - Options = options; + Settings = settings; _services = services; } - public CngCbcAuthenticatedEncryptionOptions Options { get; } + public CngCbcAuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { @@ -38,7 +38,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new CngCbcAuthenticatedEncryptorDescriptor(Options, secret, _services); + return new CngCbcAuthenticatedEncryptorDescriptor(Settings, secret, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs index dee72f1e72..acc6525e35 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs @@ -9,22 +9,22 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class CngCbcAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { private readonly ILogger _log; - public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionOptions options, ISecret masterKey) - : this(options, masterKey, services: null) + public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionSettings settings, ISecret masterKey) + : this(settings, masterKey, services: null) { } - public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) + public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } if (masterKey == null) @@ -32,18 +32,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Options = options; + Settings = settings; MasterKey = masterKey; _log = services.GetLogger(); } internal ISecret MasterKey { get; } - internal CngCbcAuthenticatedEncryptionOptions Options { get; } + internal CngCbcAuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptor CreateEncryptorInstance() { - return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _log); + return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _log); } public XmlSerializedDescriptorInfo ExportToXml() 
@@ -56,18 +56,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", Options.EncryptionAlgorithm), - new XAttribute("keyLength", Options.EncryptionAlgorithmKeySize)); - if (Options.EncryptionAlgorithmProvider != null) + new XAttribute("algorithm", Settings.EncryptionAlgorithm), + new XAttribute("keyLength", Settings.EncryptionAlgorithmKeySize)); + if (Settings.EncryptionAlgorithmProvider != null) { - encryptionElement.SetAttributeValue("provider", Options.EncryptionAlgorithmProvider); + encryptionElement.SetAttributeValue("provider", Settings.EncryptionAlgorithmProvider); } var hashElement = new XElement("hash", - new XAttribute("algorithm", Options.HashAlgorithm)); - if (Options.HashAlgorithmProvider != null) + new XAttribute("algorithm", Settings.HashAlgorithm)); + if (Settings.HashAlgorithmProvider != null) { - hashElement.SetAttributeValue("provider", Options.HashAlgorithmProvider); + hashElement.SetAttributeValue("provider", Settings.HashAlgorithmProvider); } var rootElement = new XElement("descriptor", diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs index a0169396cb..b06659c969 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -41,20 +41,20 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var options = new CngCbcAuthenticatedEncryptionOptions(); + var settings = new CngCbcAuthenticatedEncryptionSettings(); var encryptionElement = element.Element("encryption"); - options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); - options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); - options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null + settings.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); + settings.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + settings.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null var hashElement = element.Element("hash"); - options.HashAlgorithm = (string)hashElement.Attribute("algorithm"); - options.HashAlgorithmProvider = (string)hashElement.Attribute("provider"); // could be null + settings.HashAlgorithm = (string)hashElement.Attribute("algorithm"); + settings.HashAlgorithmProvider = (string)hashElement.Attribute("provider"); // could be null Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new CngCbcAuthenticatedEncryptorDescriptor(options, masterKey, _services); + return new CngCbcAuthenticatedEncryptorDescriptor(settings, masterKey, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs index 68663261e3..980feff34c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs @@ -13,23 +13,23 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { private readonly IServiceProvider _services; - public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionOptions options) - : this(options, services: null) + public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionSettings settings) + : this(settings, services: null) { } - public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionOptions options, IServiceProvider services) + public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionSettings settings, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } - Options = options; + Settings = settings; _services = services; } - public CngGcmAuthenticatedEncryptionOptions Options { get; } + public CngGcmAuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { @@ -38,7 +38,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new CngGcmAuthenticatedEncryptorDescriptor(Options, secret, _services); + return new CngGcmAuthenticatedEncryptorDescriptor(Settings, secret, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs index 28c293bce6..fe631d9480 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs @@ -9,22 +9,22 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class CngGcmAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { private readonly ILogger _log; - public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionOptions options, ISecret masterKey) - : this(options, masterKey, services: null) + public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionSettings settings, ISecret masterKey) + : this(settings, masterKey, services: null) { } - public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) + public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } if (masterKey == null) 
@@ -32,18 +32,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Options = options; + Settings = settings; MasterKey = masterKey; _log = services.GetLogger(); } internal ISecret MasterKey { get; } - internal CngGcmAuthenticatedEncryptionOptions Options { get; } + internal CngGcmAuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptor CreateEncryptorInstance() { - return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _log); + return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _log); } public XmlSerializedDescriptorInfo ExportToXml() @@ -55,11 +55,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", Options.EncryptionAlgorithm), - new XAttribute("keyLength", Options.EncryptionAlgorithmKeySize)); - if (Options.EncryptionAlgorithmProvider != null) + new XAttribute("algorithm", Settings.EncryptionAlgorithm), + new XAttribute("keyLength", Settings.EncryptionAlgorithmKeySize)); + if (Settings.EncryptionAlgorithmProvider != null) { - encryptionElement.SetAttributeValue("provider", Options.EncryptionAlgorithmProvider); + encryptionElement.SetAttributeValue("provider", Settings.EncryptionAlgorithmProvider); } var rootElement = new XElement("descriptor", diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs index 270bd7908b..1a980dfebf 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs @@ -40,16 +40,16 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var options = new CngGcmAuthenticatedEncryptionOptions(); + var settings = new CngGcmAuthenticatedEncryptionSettings(); var encryptionElement = element.Element("encryption"); - options.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); - options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); - options.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null + settings.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); + settings.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + settings.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new CngGcmAuthenticatedEncryptorDescriptor(options, masterKey, _services); + return new CngGcmAuthenticatedEncryptorDescriptor(settings, masterKey, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs index 50130013f4..077b4f6ef9 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs 
@@ -14,23 +14,23 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { private readonly IServiceProvider _services; - public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionOptions options) - : this(options, services: null) + public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionSettings settings) + : this(settings, services: null) { } - public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionOptions options, IServiceProvider services) + public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionSettings settings, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } - Options = options; + Settings = settings; _services = services; } - public ManagedAuthenticatedEncryptionOptions Options { get; } + public ManagedAuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { @@ -39,7 +39,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) { - return new ManagedAuthenticatedEncryptorDescriptor(Options, secret, _services); + return new ManagedAuthenticatedEncryptorDescriptor(Settings, secret, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs index 6913a7ac12..62d2bae71a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs @@ -10,22 +10,22 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class ManagedAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { private readonly ILogger _log; - public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionOptions options, ISecret masterKey) - : this(options, masterKey, services: null) + public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionSettings settings, ISecret masterKey) + : this(settings, masterKey, services: null) { } - public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionOptions options, ISecret masterKey, IServiceProvider services) + public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) { - if (options == null) + if (settings == null) { - throw new ArgumentNullException(nameof(options)); + throw new ArgumentNullException(nameof(settings)); } if (masterKey == null) 
@@ -33,18 +33,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Options = options; + Settings = settings; MasterKey = masterKey; _log = services.GetLogger(); } internal ISecret MasterKey { get; } - internal ManagedAuthenticatedEncryptionOptions Options { get; } + internal ManagedAuthenticatedEncryptionSettings Settings { get; } public IAuthenticatedEncryptor CreateEncryptorInstance() { - return Options.CreateAuthenticatedEncryptorInstance(MasterKey, _log); + return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _log); } public XmlSerializedDescriptorInfo ExportToXml() @@ -57,11 +57,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", TypeToFriendlyName(Options.EncryptionAlgorithmType)), - new XAttribute("keyLength", Options.EncryptionAlgorithmKeySize)); + new XAttribute("algorithm", TypeToFriendlyName(Settings.EncryptionAlgorithmType)), + new XAttribute("keyLength", Settings.EncryptionAlgorithmKeySize)); var validationElement = new XElement("validation", - new XAttribute("algorithm", TypeToFriendlyName(Options.ValidationAlgorithmType))); + new XAttribute("algorithm", TypeToFriendlyName(Settings.ValidationAlgorithmType))); var rootElement = new XElement("descriptor", new XComment(" Algorithms provided by specified SymmetricAlgorithm and KeyedHashAlgorithm "), diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs index 757af298b1..5766051b1e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs @@ -42,18 +42,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var options = new ManagedAuthenticatedEncryptionOptions(); + var settings = new ManagedAuthenticatedEncryptionSettings(); var encryptionElement = element.Element("encryption"); - options.EncryptionAlgorithmType = FriendlyNameToType((string)encryptionElement.Attribute("algorithm")); - options.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + settings.EncryptionAlgorithmType = FriendlyNameToType((string)encryptionElement.Attribute("algorithm")); + settings.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); var validationElement = element.Element("validation"); - options.ValidationAlgorithmType = FriendlyNameToType((string)validationElement.Attribute("algorithm")); + settings.ValidationAlgorithmType = FriendlyNameToType((string)validationElement.Attribute("algorithm")); Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new ManagedAuthenticatedEncryptorDescriptor(options, masterKey, _services); + return new ManagedAuthenticatedEncryptorDescriptor(settings, masterKey, _services); } // Any changes to this method should also be be reflected diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionSettings.cs similarity index 78% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionSettings.cs index ba9c7b25e8..30c2113cb0 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionSettings.cs @@ -7,18 +7,18 @@ using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationM namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// - /// Implemented by our options classes to generalize creating configuration objects. + /// Implemented by our settings classes to generalize creating configuration objects. /// - internal interface IInternalAuthenticatedEncryptionOptions + internal interface IInternalAuthenticatedEncryptionSettings { /// /// Creates a object - /// from the given options. + /// from the given settings. /// IInternalAuthenticatedEncryptorConfiguration ToConfiguration(IServiceProvider services); /// - /// Performs a self-test of the algorithm specified by the options object. + /// Performs a self-test of the algorithm specified by the settings object. /// void Validate(); } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionSettings.cs similarity index 95% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionSettings.cs index 622e37d2b2..70bc7aa9f6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionSettings.cs 
@@ -11,10 +11,10 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// - /// Options for configuring an authenticated encryption mechanism which uses + /// Settings for configuring an authenticated encryption mechanism which uses /// managed SymmetricAlgorithm and KeyedHashAlgorithm implementations. /// - public sealed class ManagedAuthenticatedEncryptionOptions : IInternalAuthenticatedEncryptionOptions + public sealed class ManagedAuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings { /// /// The type of the algorithm to use for symmetric encryption. @@ -52,7 +52,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption public Type ValidationAlgorithmType { get; set; } = typeof(HMACSHA256); /// - /// Validates that this is well-formed, i.e., + /// Validates that this is well-formed, i.e., /// that the specified algorithms actually exist and can be instantiated properly. /// An exception will be thrown if validation fails. /// @@ -134,7 +134,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption } } - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionOptions.ToConfiguration(IServiceProvider services) + IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) { return new ManagedAuthenticatedEncryptorConfiguration(this, services); } diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs new file mode 100644 index 0000000000..c11d463ee1 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs 
@@ -0,0 +1,546 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.ComponentModel; +using System.IO; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; +using Microsoft.Win32; + +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +using System.Security.Cryptography.X509Certificates; +#endif + +namespace Microsoft.AspNetCore.DataProtection +{ + /// + /// Extensions for configuring data protection using an . + /// + public static class DataProtectionBuilderExtensions + { + /// + /// Sets the unique name of this application within the data protection system. + /// + /// The . + /// The application name. + /// A reference to the after this operation has completed. + /// + /// This API corresponds to setting the property + /// to the value of . + /// + public static IDataProtectionBuilder SetApplicationName(this IDataProtectionBuilder builder, string applicationName) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + builder.Services.Configure(options => + { + options.ApplicationDiscriminator = applicationName; + }); + + return builder; + } + + /// + /// Registers a to perform escrow before keys are persisted to storage. + /// + /// The . + /// The instance of the to register. + /// A reference to the after this operation has completed. + /// + /// Registrations are additive. 
+ /// + public static IDataProtectionBuilder AddKeyEscrowSink(this IDataProtectionBuilder builder, IKeyEscrowSink sink) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + if (sink == null) + { + throw new ArgumentNullException(nameof(sink)); + } + + builder.Services.AddSingleton(sink); + return builder; + } + + /// + /// Registers a to perform escrow before keys are persisted to storage. + /// + /// The concrete type of the to register. + /// The . + /// A reference to the after this operation has completed. + /// + /// Registrations are additive. The factory is registered as . + /// + public static IDataProtectionBuilder AddKeyEscrowSink(this IDataProtectionBuilder builder) + where TImplementation : class, IKeyEscrowSink + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + builder.Services.AddSingleton(); + return builder; + } + + /// + /// Registers a to perform escrow before keys are persisted to storage. + /// + /// The . + /// A factory that creates the instance. + /// A reference to the after this operation has completed. + /// + /// Registrations are additive. The factory is registered as . + /// + public static IDataProtectionBuilder AddKeyEscrowSink(this IDataProtectionBuilder builder, Func factory) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + if (factory == null) + { + throw new ArgumentNullException(nameof(factory)); + } + + builder.Services.AddSingleton(factory); + return builder; + } + + /// + /// Configures the key management options for the data protection system. + /// + /// The . + /// An to configure the provided. + /// A reference to the after this operation has completed. 
+ public static IDataProtectionBuilder AddKeyManagementOptions(this IDataProtectionBuilder builder, Action setupAction) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + if (setupAction == null) + { + throw new ArgumentNullException(nameof(setupAction)); + } + + builder.Services.Configure(setupAction); + return builder; + } + + /// + /// Configures the data protection system not to generate new keys automatically. + /// + /// The . + /// A reference to the after this operation has completed. + /// + /// Calling this API corresponds to setting + /// to 'false'. See that property's documentation for more information. + /// + public static IDataProtectionBuilder DisableAutomaticKeyGeneration(this IDataProtectionBuilder builder) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + builder.Services.Configure(options => + { + options.AutoGenerateKeys = false; + }); + return builder; + } + + /// + /// Configures the data protection system to persist keys to the specified directory. + /// This path may be on the local machine or may point to a UNC share. + /// + /// The . + /// The directory in which to store keys. + /// A reference to the after this operation has completed. + public static IDataProtectionBuilder PersistKeysToFileSystem(this IDataProtectionBuilder builder, DirectoryInfo directory) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + if (directory == null) + { + throw new ArgumentNullException(nameof(directory)); + } + + Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory)); + return builder; + } + + /// + /// Configures the data protection system to persist keys to the Windows registry. + /// + /// The . + /// The location in the registry where keys should be stored. + /// A reference to the after this operation has completed. 
+ public static IDataProtectionBuilder PersistKeysToRegistry(this IDataProtectionBuilder builder, RegistryKey registryKey) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + if (registryKey == null) + { + throw new ArgumentNullException(nameof(registryKey)); + } + + Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey)); + return builder; + } + +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + + /// + /// Configures keys to be encrypted to a given certificate before being persisted to storage. + /// + /// The . + /// The certificate to use when encrypting keys. + /// A reference to the after this operation has completed. + public static IDataProtectionBuilder ProtectKeysWithCertificate(this IDataProtectionBuilder builder, X509Certificate2 certificate) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + if (certificate == null) + { + throw new ArgumentNullException(nameof(certificate)); + } + + Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate)); + return builder; + } + + /// + /// Configures keys to be encrypted to a given certificate before being persisted to storage. + /// + /// The . + /// The thumbprint of the certificate to use when encrypting keys. + /// A reference to the after this operation has completed. + public static IDataProtectionBuilder ProtectKeysWithCertificate(this IDataProtectionBuilder builder, string thumbprint) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + if (thumbprint == null) + { + throw new ArgumentNullException(nameof(thumbprint)); + } + + // Make sure the thumbprint corresponds to a valid certificate. 
+ if (new CertificateResolver().ResolveCertificate(thumbprint) == null)
+ {
+ throw Error.CertificateXmlEncryptor_CertificateNotFound(thumbprint);
+ }
+
+ var services = builder.Services;
+
+ // ICertificateResolver is necessary for this type to work correctly, so register it
+ // if it doesn't already exist.
+ services.TryAdd(DataProtectionServiceDescriptors.ICertificateResolver_Default());
+ Use(services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(thumbprint));
+ return builder;
+ }
+
+#endif
+
+ ///
+ /// Configures keys to be encrypted with Windows DPAPI before being persisted to
+ /// storage. The encrypted key will only be decryptable by the current Windows user account.
+ ///
+ /// The .
+ /// A reference to the after this operation has completed.
+ ///
+ /// This API is only supported on Windows platforms.
+ ///
+ public static IDataProtectionBuilder ProtectKeysWithDpapi(this IDataProtectionBuilder builder)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ return builder.ProtectKeysWithDpapi(protectToLocalMachine: false);
+ }
+
+ ///
+ /// Configures keys to be encrypted with Windows DPAPI before being persisted to
+ /// storage.
+ ///
+ /// The .
+ /// 'true' if the key should be decryptable by any
+ /// use on the local machine, 'false' if the key should only be decryptable by the current
+ /// Windows user account.
+ /// A reference to the after this operation has completed.
+ ///
+ /// This API is only supported on Windows platforms.
+ ///
+ public static IDataProtectionBuilder ProtectKeysWithDpapi(this IDataProtectionBuilder builder, bool protectToLocalMachine)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine));
+ return builder;
+ }
+
+ ///
+ /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted
+ /// to storage. The keys will be decryptable by the current Windows user account.
+ ///
+ /// The .
+ /// A reference to the after this operation has completed.
+ ///
+ /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh706794(v=vs.85).aspx
+ /// for more information on DPAPI-NG. This API is only supported on Windows 8 / Windows Server 2012 and higher.
+ ///
+ public static IDataProtectionBuilder ProtectKeysWithDpapiNG(this IDataProtectionBuilder builder)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ return builder.ProtectKeysWithDpapiNG(
+ protectionDescriptorRule: DpapiNGXmlEncryptor.GetDefaultProtectionDescriptorString(),
+ flags: DpapiNGProtectionDescriptorFlags.None);
+ }
+
+ ///
+ /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted to storage.
+ ///
+ /// The .
+ /// The descriptor rule string with which to protect the key material.
+ /// Flags that should be passed to the call to 'NCryptCreateProtectionDescriptor'.
+ /// The default value of this parameter is .
+ /// A reference to the after this operation has completed.
+ ///
+ /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx
+ /// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx
+ /// for more information on valid values for the the
+ /// and arguments.
+ /// This API is only supported on Windows 8 / Windows Server 2012 and higher.
+ ///
+ public static IDataProtectionBuilder ProtectKeysWithDpapiNG(this IDataProtectionBuilder builder, string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ if (protectionDescriptorRule == null)
+ {
+ throw new ArgumentNullException(nameof(protectionDescriptorRule));
+ }
+
+ Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags));
+ return builder;
+ }
+
+ ///
+ /// Sets the default lifetime of keys created by the data protection system.
+ ///
+ /// The .
+ /// The lifetime (time before expiration) for newly-created keys.
+ /// See for more information and
+ /// usage notes.
+ /// A reference to the after this operation has completed.
+ public static IDataProtectionBuilder SetDefaultKeyLifetime(this IDataProtectionBuilder builder, TimeSpan lifetime)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ if (lifetime < TimeSpan.Zero)
+ {
+ throw new ArgumentOutOfRangeException(Resources.FormatLifetimeMustNotBeNegative(nameof(lifetime)));
+ }
+
+ builder.Services.Configure(options =>
+ {
+ options.NewKeyLifetime = lifetime;
+ });
+
+ return builder;
+ }
+
+ ///
+ /// Configures the data protection system to use the specified cryptographic algorithms
+ /// by default when generating protected payloads.
+ ///
+ /// The .
+ /// Information about what cryptographic algorithms should be used.
+ /// A reference to the after this operation has completed.
+ public static IDataProtectionBuilder UseCryptographicAlgorithms(this IDataProtectionBuilder builder, AuthenticatedEncryptionSettings settings)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ if (settings == null)
+ {
+ throw new ArgumentNullException(nameof(settings));
+ }
+
+ return UseCryptographicAlgorithmsCore(builder, settings);
+ }
+
+ ///
+ /// Configures the data protection system to use custom Windows CNG algorithms.
+ /// This API is intended for advanced scenarios where the developer cannot use the
+ /// algorithms specified in the and
+ /// enumerations.
+ ///
+ /// The .
+ /// Information about what cryptographic algorithms should be used.
+ /// A reference to the after this operation has completed.
+ ///
+ /// This API is only available on Windows.
+ ///
+ [EditorBrowsable(EditorBrowsableState.Advanced)]
+ public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, CngCbcAuthenticatedEncryptionSettings settings)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ if (settings == null)
+ {
+ throw new ArgumentNullException(nameof(settings));
+ }
+
+ return UseCryptographicAlgorithmsCore(builder, settings);
+ }
+
+ ///
+ /// Configures the data protection system to use custom Windows CNG algorithms.
+ /// This API is intended for advanced scenarios where the developer cannot use the
+ /// algorithms specified in the and
+ /// enumerations.
+ ///
+ /// The .
+ /// Information about what cryptographic algorithms should be used.
+ /// A reference to the after this operation has completed.
+ ///
+ /// This API is only available on Windows.
+ ///
+ [EditorBrowsable(EditorBrowsableState.Advanced)]
+ public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, CngGcmAuthenticatedEncryptionSettings settings)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ if (settings == null)
+ {
+ throw new ArgumentNullException(nameof(settings));
+ }
+
+ return UseCryptographicAlgorithmsCore(builder, settings);
+ }
+
+ ///
+ /// Configures the data protection system to use custom algorithms.
+ /// This API is intended for advanced scenarios where the developer cannot use the
+ /// algorithms specified in the and
+ /// enumerations.
+ ///
+ /// The .
+ /// Information about what cryptographic algorithms should be used.
+ /// A reference to the after this operation has completed.
+ [EditorBrowsable(EditorBrowsableState.Advanced)]
+ public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, ManagedAuthenticatedEncryptionSettings settings)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ if (settings == null)
+ {
+ throw new ArgumentNullException(nameof(settings));
+ }
+
+ return UseCryptographicAlgorithmsCore(builder, settings);
+ }
+
+ private static IDataProtectionBuilder UseCryptographicAlgorithmsCore(IDataProtectionBuilder builder, IInternalAuthenticatedEncryptionSettings settings)
+ {
+ settings.Validate(); // perform self-test
+ Use(builder.Services, DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(settings));
+ return builder;
+ }
+
+ ///
+ /// Configures the data protection system to use the
+ /// for data protection services.
+ ///
+ /// The .
+ /// A reference to the after this operation has completed.
+ ///
+ /// If this option is used, payloads protected by the data protection system will
+ /// be permanently undecipherable after the application exits.
+ ///
+ public static IDataProtectionBuilder UseEphemeralDataProtectionProvider(this IDataProtectionBuilder builder)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+
+ Use(builder.Services, DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral());
+ return builder;
+ }
+
+ /*
+ * UTILITY ISERVICECOLLECTION METHODS
+ */
+
+ private static void RemoveAllServicesOfType(IServiceCollection services, Type serviceType)
+ {
+ // We go backward since we're modifying the collection in-place.
+ for (int i = services.Count - 1; i >= 0; i--)
+ {
+ if (services[i]?.ServiceType == serviceType)
+ {
+ services.RemoveAt(i);
+ }
+ }
+ }
+
+ private static void Use(IServiceCollection services, ServiceDescriptor descriptor)
+ {
+ RemoveAllServicesOfType(services, descriptor.ServiceType);
+ services.Add(descriptor);
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs
deleted file mode 100644
index a71f59bcdd..0000000000
--- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionConfiguration.cs
+++ /dev/null
@@ -1,484 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.ComponentModel; -using System.IO; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.AspNetCore.DataProtection.XmlEncryption; -using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.DependencyInjection.Extensions; -using Microsoft.Win32; - -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml -using System.Security.Cryptography.X509Certificates; -#endif - -namespace Microsoft.AspNetCore.DataProtection -{ -#if !NETSTANDARD1_3 - /// - /// Provides access to configuration for the data protection system, which allows the - /// developer to configure default cryptographic algorithms, key storage locations, - /// and the mechanism by which keys are protected at rest. - /// - /// - /// - /// If the developer changes the at-rest key protection mechanism, it is intended that - /// he also change the key storage location, and vice versa. For instance, a call to - /// should generally be accompanied by - /// a call to , or exceptions may - /// occur at runtime due to the data protection system not knowing where to persist keys. - /// - /// - /// Similarly, when a developer modifies the default protected payload cryptographic - /// algorithms, it is intended that he also select an explitiy key storage location. - /// A call to - /// should therefore generally be paired with a call to , - /// for example. - /// - /// - /// When the default cryptographic algorithms or at-rest key protection mechanisms are - /// changed, they only affect new keys in the repository. The repository may - /// contain existing keys that use older algorithms or protection mechanisms. 
- /// - /// -#else - /// - /// Provides access to configuration for the data protection system, which allows the - /// developer to configure default cryptographic algorithms, key storage locations, - /// and the mechanism by which keys are protected at rest. - /// - /// - /// - /// If the developer changes the at-rest key protection mechanism, it is intended that - /// he also change the key storage location, and vice versa. - /// - /// - /// Similarly, when a developer modifies the default protected payload cryptographic - /// algorithms, it is intended that he also select an explitiy key storage location. - /// A call to - /// should therefore generally be paired with a call to , - /// for example. - /// - /// - /// When the default cryptographic algorithms or at-rest key protection mechanisms are - /// changed, they only affect new keys in the repository. The repository may - /// contain existing keys that use older algorithms or protection mechanisms. - /// - /// -#endif - public class DataProtectionConfiguration - { - /// - /// Creates a new configuration object linked to a . - /// - public DataProtectionConfiguration(IServiceCollection services) - { - if (services == null) - { - throw new ArgumentNullException(nameof(services)); - } - - Services = services; - } - - /// - /// Provides access to the passed to this object's constructor. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - public IServiceCollection Services { get; } - - /// - /// Registers a to perform escrow before keys are persisted to storage. - /// - /// The instance of the to register. - /// The 'this' instance. - /// - /// Registrations are additive. - /// - public DataProtectionConfiguration AddKeyEscrowSink(IKeyEscrowSink sink) - { - if (sink == null) - { - throw new ArgumentNullException(nameof(sink)); - } - - Services.AddSingleton(sink); - return this; - } - - /// - /// Registers a to perform escrow before keys are persisted to storage. 
- /// - /// The concrete type of the to register. - /// The 'this' instance. - /// - /// Registrations are additive. The factory is registered as . - /// - public DataProtectionConfiguration AddKeyEscrowSink() - where TImplementation : class, IKeyEscrowSink - { - Services.AddSingleton(); - return this; - } - - /// - /// Registers a to perform escrow before keys are persisted to storage. - /// - /// A factory that creates the instance. - /// The 'this' instance. - /// - /// Registrations are additive. The factory is registered as . - /// - public DataProtectionConfiguration AddKeyEscrowSink(Func factory) - { - if (factory == null) - { - throw new ArgumentNullException(nameof(factory)); - } - - Services.AddSingleton(factory); - return this; - } - - /// - /// Configures miscellaneous global options. - /// - /// A callback that configures the global options. - /// The 'this' instance. - public DataProtectionConfiguration ConfigureGlobalOptions(Action setupAction) - { - if (setupAction == null) - { - throw new ArgumentNullException(nameof(setupAction)); - } - - Services.Configure(setupAction); - return this; - } - - /// - /// Configures the data protection system not to generate new keys automatically. - /// - /// The 'this' instance. - /// - /// Calling this API corresponds to setting - /// to 'false'. See that property's documentation for more information. - /// - public DataProtectionConfiguration DisableAutomaticKeyGeneration() - { - Services.Configure(options => - { - options.AutoGenerateKeys = false; - }); - return this; - } - - /// - /// Configures the data protection system to persist keys to the specified directory. - /// This path may be on the local machine or may point to a UNC share. - /// - /// The directory in which to store keys. - /// The 'this' instance. 
- public DataProtectionConfiguration PersistKeysToFileSystem(DirectoryInfo directory) - { - if (directory == null) - { - throw new ArgumentNullException(nameof(directory)); - } - - Use(DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory)); - return this; - } - - /// - /// Configures the data protection system to persist keys to the Windows registry. - /// - /// The location in the registry where keys should be stored. - /// The 'this' instance. - public DataProtectionConfiguration PersistKeysToRegistry(RegistryKey registryKey) - { - if (registryKey == null) - { - throw new ArgumentNullException(nameof(registryKey)); - } - - Use(DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey)); - return this; - } - -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - - /// - /// Configures keys to be encrypted to a given certificate before being persisted to storage. - /// - /// The certificate to use when encrypting keys. - /// The 'this' instance. - public DataProtectionConfiguration ProtectKeysWithCertificate(X509Certificate2 certificate) - { - if (certificate == null) - { - throw new ArgumentNullException(nameof(certificate)); - } - - Use(DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate)); - return this; - } - - /// - /// Configures keys to be encrypted to a given certificate before being persisted to storage. - /// - /// The thumbprint of the certificate to use when encrypting keys. - /// The 'this' instance. - public DataProtectionConfiguration ProtectKeysWithCertificate(string thumbprint) - { - if (thumbprint == null) - { - throw new ArgumentNullException(nameof(thumbprint)); - } - - // Make sure the thumbprint corresponds to a valid certificate. 
- if (new CertificateResolver().ResolveCertificate(thumbprint) == null) - { - throw Error.CertificateXmlEncryptor_CertificateNotFound(thumbprint); - } - - // ICertificateResolver is necessary for this type to work correctly, so register it - // if it doesn't already exist. - Services.TryAdd(DataProtectionServiceDescriptors.ICertificateResolver_Default()); - Use(DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(thumbprint)); - return this; - } - -#endif - - /// - /// Configures keys to be encrypted with Windows DPAPI before being persisted to - /// storage. The encrypted key will only be decryptable by the current Windows user account. - /// - /// The 'this' instance. - /// - /// This API is only supported on Windows platforms. - /// - public DataProtectionConfiguration ProtectKeysWithDpapi() - { - return ProtectKeysWithDpapi(protectToLocalMachine: false); - } - - /// - /// Configures keys to be encrypted with Windows DPAPI before being persisted to - /// storage. - /// - /// 'true' if the key should be decryptable by any - /// use on the local machine, 'false' if the key should only be decryptable by the current - /// Windows user account. - /// The 'this' instance. - /// - /// This API is only supported on Windows platforms. - /// - public DataProtectionConfiguration ProtectKeysWithDpapi(bool protectToLocalMachine) - { - Use(DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine)); - return this; - } - - /// - /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted - /// to storage. The keys will be decryptable by the current Windows user account. - /// - /// The 'this' instance. - /// - /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh706794(v=vs.85).aspx - /// for more information on DPAPI-NG. This API is only supported on Windows 8 / Windows Server 2012 and higher. 
- /// - public DataProtectionConfiguration ProtectKeysWithDpapiNG() - { - return ProtectKeysWithDpapiNG( - protectionDescriptorRule: DpapiNGXmlEncryptor.GetDefaultProtectionDescriptorString(), - flags: DpapiNGProtectionDescriptorFlags.None); - } - - /// - /// Configures keys to be encrypted with Windows CNG DPAPI before being persisted to storage. - /// - /// The descriptor rule string with which to protect the key material. - /// Flags that should be passed to the call to 'NCryptCreateProtectionDescriptor'. - /// The default value of this parameter is . - /// The 'this' instance. - /// - /// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx - /// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx - /// for more information on valid values for the the - /// and arguments. - /// This API is only supported on Windows 8 / Windows Server 2012 and higher. - /// - public DataProtectionConfiguration ProtectKeysWithDpapiNG(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) - { - if (protectionDescriptorRule == null) - { - throw new ArgumentNullException(nameof(protectionDescriptorRule)); - } - - Use(DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags)); - return this; - } - - /// - /// Sets the unique name of this application within the data protection system. - /// - /// The application name. - /// The 'this' instance. - /// - /// This API corresponds to setting the property - /// to the value of . - /// - public DataProtectionConfiguration SetApplicationName(string applicationName) - { - return ConfigureGlobalOptions(options => - { - options.ApplicationDiscriminator = applicationName; - }); - } - - /// - /// Sets the default lifetime of keys created by the data protection system. - /// - /// The lifetime (time before expiration) for newly-created keys. - /// See for more information and - /// usage notes. - /// The 'this' instance. 
- public DataProtectionConfiguration SetDefaultKeyLifetime(TimeSpan lifetime) - { - Services.Configure(options => - { - options.NewKeyLifetime = lifetime; - }); - return this; - } - - /// - /// Configures the data protection system to use the specified cryptographic algorithms - /// by default when generating protected payloads. - /// - /// Information about what cryptographic algorithms should be used. - /// The 'this' instance. - public DataProtectionConfiguration UseCryptographicAlgorithms(AuthenticatedEncryptionOptions options) - { - if (options == null) - { - throw new ArgumentNullException(nameof(options)); - } - - return UseCryptographicAlgorithmsCore(options); - } - - /// - /// Configures the data protection system to use custom Windows CNG algorithms. - /// This API is intended for advanced scenarios where the developer cannot use the - /// algorithms specified in the and - /// enumerations. - /// - /// Information about what cryptographic algorithms should be used. - /// The 'this' instance. - /// - /// This API is only available on Windows. - /// - [EditorBrowsable(EditorBrowsableState.Advanced)] - public DataProtectionConfiguration UseCustomCryptographicAlgorithms(CngCbcAuthenticatedEncryptionOptions options) - { - if (options == null) - { - throw new ArgumentNullException(nameof(options)); - } - - return UseCryptographicAlgorithmsCore(options); - } - - /// - /// Configures the data protection system to use custom Windows CNG algorithms. - /// This API is intended for advanced scenarios where the developer cannot use the - /// algorithms specified in the and - /// enumerations. - /// - /// Information about what cryptographic algorithms should be used. - /// The 'this' instance. - /// - /// This API is only available on Windows. 
- /// - [EditorBrowsable(EditorBrowsableState.Advanced)] - public DataProtectionConfiguration UseCustomCryptographicAlgorithms(CngGcmAuthenticatedEncryptionOptions options) - { - if (options == null) - { - throw new ArgumentNullException(nameof(options)); - } - - return UseCryptographicAlgorithmsCore(options); - } - - /// - /// Configures the data protection system to use custom algorithms. - /// This API is intended for advanced scenarios where the developer cannot use the - /// algorithms specified in the and - /// enumerations. - /// - /// Information about what cryptographic algorithms should be used. - /// The 'this' instance. - [EditorBrowsable(EditorBrowsableState.Advanced)] - public DataProtectionConfiguration UseCustomCryptographicAlgorithms(ManagedAuthenticatedEncryptionOptions options) - { - if (options == null) - { - throw new ArgumentNullException(nameof(options)); - } - - return UseCryptographicAlgorithmsCore(options); - } - - private DataProtectionConfiguration UseCryptographicAlgorithmsCore(IInternalAuthenticatedEncryptionOptions options) - { - options.Validate(); // perform self-test - Use(DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromOptions(options)); - return this; - } - - /// - /// Configures the data protection system to use the - /// for data protection services. - /// - /// The 'this' instance. - /// - /// If this option is used, payloads protected by the data protection system will - /// be permanently undecipherable after the application exits. - /// - public DataProtectionConfiguration UseEphemeralDataProtectionProvider() - { - Use(DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral()); - return this; - } - - /* - * UTILITY ISERVICECOLLECTION METHODS - */ - - private void RemoveAllServicesOfType(Type serviceType) - { - // We go backward since we're modifying the collection in-place. 
- for (int i = Services.Count - 1; i >= 0; i--) - { - if (Services[i]?.ServiceType == serviceType) - { - Services.RemoveAt(i); - } - } - } - - private void Use(ServiceDescriptor descriptor) - { - RemoveAllServicesOfType(descriptor.ServiceType); - Services.Add(descriptor); - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 3e967c0397..2f8a3ea225 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -3,21 +3,21 @@ using System; using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection.Extensions; namespace Microsoft.Extensions.DependencyInjection { /// - /// Allows registering and configuring Data Protection in the application. + /// Extension methods for setting up data protection services in an . /// public static class DataProtectionServiceCollectionExtensions { /// - /// Adds default Data Protection services to an . + /// Adds data protection services to the specified . /// - /// The service collection to which to add DataProtection services. - /// The instance. - public static IServiceCollection AddDataProtection(this IServiceCollection services) + /// The to add services to. + public static IDataProtectionBuilder AddDataProtection(this IServiceCollection services) { if (services == null) { 
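Review bot: The parameterless `AddDataProtection(this IServiceCollection services)` overload in DataProtectionServiceCollectionExtensions.cs ends up with no returns documentation: the old "The instance." line is removed and nothing replaces it, although the return type changes to `IDataProtectionBuilder`. I would add `/// <returns>An <see cref="IDataProtectionBuilder"/> for configuring key storage and at-rest key protection.</returns>`. The second overload in the next hunk says "A reference to this instance", which reads as the service collection rather than the builder and should get the same wording. The method body continues outside this hunk.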
@@ -26,30 +26,31 @@ namespace Microsoft.Extensions.DependencyInjection services.AddOptions(); services.TryAdd(DataProtectionServices.GetDefaultServices()); - return services; + + return new DataProtectionBuilder(services); } /// - /// Adds default Data Protection services to an and configures the behavior of the Data Protection system. + /// Adds data protection services to the specified . /// - /// A service collection to which Data Protection has already been added. - /// A callback which takes a parameter. - /// This callback will be responsible for configuring the system. - /// The instance. - public static IServiceCollection AddDataProtection(this IServiceCollection services, Action configure) + /// The to add services to. + /// An to configure the provided . + /// A reference to this instance after the operation has completed. + public static IDataProtectionBuilder AddDataProtection(this IServiceCollection services, Action setupAction) { if (services == null) { throw new ArgumentNullException(nameof(services)); } - if (configure == null) + if (setupAction == null) { - throw new ArgumentNullException(nameof(configure)); + throw new ArgumentNullException(nameof(setupAction)); } - configure(new DataProtectionConfiguration(services)); - return services.AddDataProtection(); + var builder = services.AddDataProtection(); + services.Configure(setupAction); + return builder; } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs index 9c4b268364..6727730c92 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs 
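Review bot: In the two-argument `AddDataProtection` overload of DataProtectionServiceCollectionExtensions.cs, `setupAction` is now handed to `services.Configure(setupAction)` rather than invoked, so it presumably runs when the options are first resolved, whereas the removed `configure(new DataProtectionConfiguration(services))` call ran during registration. The parameter documentation does not mention this, and a callback that throws would now surface at first use instead of at startup. I would add `/// <remarks>The callback is registered with the options system and is not invoked by this method; key storage and at-rest key protection are configured on the returned builder.</remarks>`.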
@@ -58,13 +58,13 @@ namespace Microsoft.Extensions.DependencyInjection /// public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_Default() { - return IAuthenticatedEncryptorConfiguration_FromOptions(new AuthenticatedEncryptionOptions()); + return IAuthenticatedEncryptorConfiguration_FromSettings(new AuthenticatedEncryptionSettings()); } /// - /// An backed by an . + /// An backed by an . /// - public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_FromOptions(IInternalAuthenticatedEncryptionOptions options) + public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_FromSettings(IInternalAuthenticatedEncryptionSettings options) { return ServiceDescriptor.Singleton(options.ToConfiguration); } diff --git a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs index a7fd46f37d..6b30fd136d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs @@ -40,12 +40,12 @@ namespace Microsoft.AspNetCore.DataProtection if (OSVersionUtil.IsWindows()) { // Fastest implementation: AES-256-GCM [CNG] - keyringProvider = new EphemeralKeyRing(); + keyringProvider = new EphemeralKeyRing(); } else { // Slowest implementation: AES-256-CBC + HMACSHA256 [Managed] - keyringProvider = new EphemeralKeyRing(); + keyringProvider = new EphemeralKeyRing(); } var logger = services.GetLogger(); @@ -66,7 +66,7 @@ namespace Microsoft.AspNetCore.DataProtection } private sealed class EphemeralKeyRing : IKeyRing, IKeyRingProvider - where T : IInternalAuthenticatedEncryptionOptions, new() + where T : IInternalAuthenticatedEncryptionSettings, new() { // Currently hardcoded to a 512-bit KDK. private const int NUM_BYTES_IN_KDK = 512 / 8; 
diff --git a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
new file mode 100644
index 0000000000..55348b7501
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
@@ -0,0 +1,69 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.Extensions.DependencyInjection; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using System.IO; + +namespace Microsoft.AspNetCore.DataProtection +{ +#if !NETSTANDARD1_3 + /// + /// Provides access to configuration for the data protection system, which allows the + /// developer to configure default cryptographic algorithms, key storage locations, + /// and the mechanism by which keys are protected at rest. + /// + /// + /// + /// If the developer changes the at-rest key protection mechanism, it is intended that + /// he also change the key storage location, and vice versa. For instance, a call to + /// should generally be accompanied by + /// a call to , or exceptions may + /// occur at runtime due to the data protection system not knowing where to persist keys. + /// + /// + /// Similarly, when a developer modifies the default protected payload cryptographic + /// algorithms, it is intended that he also select an explitiy key storage location. + /// A call to + /// should therefore generally be paired with a call to , + /// for example. + /// + /// + /// When the default cryptographic algorithms or at-rest key protection mechanisms are + /// changed, they only affect new keys in the repository. The repository may + /// contain existing keys that use older algorithms or protection mechanisms. + /// + /// +#else + /// + /// Provides access to configuration for the data protection system, which allows the + /// developer to configure default cryptographic algorithms, key storage locations, + /// and the mechanism by which keys are protected at rest. + /// + /// + /// + /// If the developer changes the at-rest key protection mechanism, it is intended that + /// he also change the key storage location, and vice versa. 
+ /// + /// + /// Similarly, when a developer modifies the default protected payload cryptographic + /// algorithms, it is intended that he also select an explitiy key storage location. + /// A call to + /// should therefore generally be paired with a call to , + /// for example. + /// + /// + /// When the default cryptographic algorithms or at-rest key protection mechanisms are + /// changed, they only affect new keys in the repository. The repository may + /// contain existing keys that use older algorithms or protection mechanisms. + /// + /// +#endif + public interface IDataProtectionBuilder + { + /// + /// Provides access to the passed to this object's constructor. + /// + IServiceCollection Services { get; } + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs new file mode 100644 index 0000000000..3ab488b8db --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs 
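Review bot: The remarks on `IDataProtectionBuilder` in IDataProtectionBuilder.cs misspell "explicit" as `explitiy`, and the misspelled line appears in both the `#if !NETSTANDARD1_3` and the `#else` copy of the comment; it should read `/// algorithms, it is intended that he also select an explicit key storage location.` in both. The two branches repeat the whole summary and remarks and, as far as the visible text shows, differ only in the "For instance, a call to …" sentence, so the guidance on pairing a key-protection change with a key storage location now has to be maintained twice and can drift. The summary on `Services` also speaks of "this object's constructor", which an interface does not have; wording such as "the service collection this builder configures" would fit the interface.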
@@ -0,0 +1,41 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.ComponentModel;
+using System.IO;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.AspNetCore.DataProtection.XmlEncryption;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Win32;
+
+#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml
+using System.Security.Cryptography.X509Certificates;
+#endif
+
+namespace Microsoft.AspNetCore.DataProtection.Internal
+{
+ ///
+ /// Default implementation of .
+ ///
+ public class DataProtectionBuilder : IDataProtectionBuilder
+ {
+ ///
+ /// Creates a new configuration object linked to a .
+ ///
+ public DataProtectionBuilder(IServiceCollection services)
+ {
+ if (services == null)
+ {
+ throw new ArgumentNullException(nameof(services));
+ }
+
+ Services = services;
+ }
+
+ ///
+ public IServiceCollection Services { get; }
+ }
+}
diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
index 1b9830d44b..287746ea82 100644
--- a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
+++ b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
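Review bot: Most of the `using` directives at the top of the new DataProtectionBuilder.cs are not needed by anything in the file: the class body only touches `ArgumentNullException` and `IServiceCollection`, so `using System;` and `using Microsoft.Extensions.DependencyInjection;` should be enough (the doc-comment crefs are not visible here, so confirm they resolve without the rest). The others (`System.ComponentModel`, `System.IO`, the three `Microsoft.AspNetCore.DataProtection.*` namespaces, `Microsoft.Extensions.DependencyInjection.Extensions`, `Microsoft.Win32`) and the `#if !DOTNET5_4` block around `System.Security.Cryptography.X509Certificates` look carried over from the type this builder replaces. Dropping them also removes a platform conditional and the suggestion that this type deals with the registry or certificates, which it does not.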
@@ -378,6 +378,22 @@ namespace Microsoft.AspNetCore.DataProtection return GetString("KeyRingProvider_NoDefaultKey_AutoGenerateDisabled"); } + /// + /// {0} must not be negative + /// + internal static string LifetimeMustNotBeNegative + { + get { return GetString("LifetimeMustNotBeNegative"); } + } + + /// + /// {0} must not be negative + /// + internal static string FormatLifetimeMustNotBeNegative(object p0) + { + return string.Format(CultureInfo.CurrentCulture, GetString("LifetimeMustNotBeNegative"), p0); + } + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs index 6169bd1fb4..d4d96a101a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs @@ -107,19 +107,19 @@ namespace Microsoft.AspNetCore.DataProtection private IEnumerable ResolvePolicyCore() { // Read the encryption options type: CNG-CBC, CNG-GCM, Managed - IInternalAuthenticatedEncryptionOptions options = null; + IInternalAuthenticatedEncryptionSettings options = null; string encryptionType = (string)_policyRegKey.GetValue("EncryptionType"); if (String.Equals(encryptionType, "CNG-CBC", StringComparison.OrdinalIgnoreCase)) { - options = new CngCbcAuthenticatedEncryptionOptions(); + options = new CngCbcAuthenticatedEncryptionSettings(); } else if (String.Equals(encryptionType, "CNG-GCM", StringComparison.OrdinalIgnoreCase)) { - options = new CngGcmAuthenticatedEncryptionOptions(); + options = new CngGcmAuthenticatedEncryptionSettings(); } else if (String.Equals(encryptionType, "Managed", StringComparison.OrdinalIgnoreCase)) { - options = new ManagedAuthenticatedEncryptionOptions(); + options = new ManagedAuthenticatedEncryptionSettings(); } else if (!String.IsNullOrEmpty(encryptionType)) { 
@@ -128,7 +128,7 @@ namespace Microsoft.AspNetCore.DataProtection if (options != null) { PopulateOptions(options, _policyRegKey); - yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromOptions(options); + yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(options); } // Read ancillary data diff --git a/src/Microsoft.AspNetCore.DataProtection/Resources.resx b/src/Microsoft.AspNetCore.DataProtection/Resources.resx index 80b564e98d..e45b22742d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Resources.resx +++ b/src/Microsoft.AspNetCore.DataProtection/Resources.resx @@ -186,4 +186,7 @@ The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled. + + {0} must not be negative + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 3bac377de8..5e882c70c8 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -22,7 +22,7 @@ namespace Microsoft.AspNetCore.DataProtection Assert.Empty(directory.GetFiles()); // Step 2: instantiate the system and round-trip a payload - var protector = new DataProtectionProvider(directory).CreateProtector("purpose"); + var protector = DataProtectionProvider.Create(directory).CreateProtector("purpose"); Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); // Step 3: validate that there's now a single key in the directory and that it's not protected 
@@ -47,7 +47,7 @@ namespace Microsoft.AspNetCore.DataProtection Assert.Empty(directory.GetFiles()); // Step 2: instantiate the system and round-trip a payload - var protector = new DataProtectionProvider(directory, configure => + var protector = DataProtectionProvider.Create(directory, configure => { configure.ProtectKeysWithDpapi(); }).CreateProtector("purpose"); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs index 59beb7da02..ad79a1e2ec 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -14,7 +14,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var control = new AuthenticatedEncryptorDescriptor( - new AuthenticatedEncryptionOptions() + new AuthenticatedEncryptionSettings() { EncryptionAlgorithm = EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm = ValidationAlgorithm.HMACSHA512 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs index 82acb2f0af..96a16dcc73 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs 
@@ -160,7 +160,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat private static AuthenticatedEncryptorDescriptor CreateDescriptor(EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm, ISecret masterKey) { - return new AuthenticatedEncryptorDescriptor(new AuthenticatedEncryptionOptions() + return new AuthenticatedEncryptorDescriptor(new AuthenticatedEncryptionSettings() { EncryptionAlgorithm = encryptionAlgorithm, ValidationAlgorithm = validationAlgorithm diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs index daf29693f6..d3e125010e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs @@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() { // Arrange - var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions()); + var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings()); // Act var masterKey1 = ((CngCbcAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; 
@@ -28,13 +28,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_PropagatesOptions() { // Arrange - var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions()); + var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings()); // Act var descriptor = (CngCbcAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); // Assert - Assert.Equal(configuration.Options, descriptor.Options); + Assert.Equal(configuration.Settings, descriptor.Settings); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs index 3f7814d65e..cffbb27908 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -18,7 +18,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var control = new CngCbcAuthenticatedEncryptorDescriptor( - new CngCbcAuthenticatedEncryptionOptions() + new CngCbcAuthenticatedEncryptionSettings() { EncryptionAlgorithm = Constants.BCRYPT_AES_ALGORITHM, EncryptionAlgorithmKeySize = 192, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs index 50a20bd522..beb176d589 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs @@ -13,7 +13,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionOptions() + var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionSettings() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, @@ -43,7 +43,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionOptions() + var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionSettings() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs index f38edc6040..a5b84d7d3f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs 
@@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() { // Arrange - var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions()); + var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings()); // Act var masterKey1 = ((CngGcmAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; @@ -28,13 +28,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_PropagatesOptions() { // Arrange - var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions()); + var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings()); // Act var descriptor = (CngGcmAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); // Assert - Assert.Equal(configuration.Options, descriptor.Options); + Assert.Equal(configuration.Settings, descriptor.Settings); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs index 13dc84ba7d..cbb10767ed 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs 
@@ -18,7 +18,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var control = new CngGcmAuthenticatedEncryptorDescriptor( - new CngGcmAuthenticatedEncryptionOptions() + new CngGcmAuthenticatedEncryptionSettings() { EncryptionAlgorithm = Constants.BCRYPT_AES_ALGORITHM, EncryptionAlgorithmKeySize = 192, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs index 678855b7bd..57334b35ac 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs @@ -13,7 +13,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionOptions() + var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionSettings() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, @@ -40,7 +40,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionOptions() + var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionSettings() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs index ca18f1f172..d851234bf6 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs @@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() { // Arrange - var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions()); + var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings()); // Act var masterKey1 = ((ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; @@ -28,13 +28,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_PropagatesOptions() { // Arrange - var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions()); + var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings()); // Act var descriptor = (ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); // Assert - Assert.Equal(configuration.Options, descriptor.Options); + Assert.Equal(configuration.Settings, descriptor.Settings); } } } 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs index e405ca94c5..a79fc1c613 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -19,7 +19,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var control = new ManagedAuthenticatedEncryptorDescriptor( - new ManagedAuthenticatedEncryptionOptions() + new ManagedAuthenticatedEncryptionSettings() { EncryptionAlgorithmType = encryptionAlgorithmType, EncryptionAlgorithmKeySize = 192, @@ -51,7 +51,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var control = new ManagedAuthenticatedEncryptorDescriptor( - new ManagedAuthenticatedEncryptionOptions() + new ManagedAuthenticatedEncryptionSettings() { EncryptionAlgorithmType = typeof(Aes), EncryptionAlgorithmKeySize = 192, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs index 8a207ffa5e..6383b7e70b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs 
@@ -14,7 +14,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionOptions() + var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionSettings() { EncryptionAlgorithmType = typeof(MySymmetricAlgorithm), EncryptionAlgorithmKeySize = 2048, @@ -47,7 +47,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionOptions() + var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionSettings() { EncryptionAlgorithmType = encryptionAlgorithmType, EncryptionAlgorithmKeySize = 2048, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs index c2b54f30de..e85f52759a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs 
@@ -400,7 +400,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange byte[] plaintext = new byte[] { 0x10, 0x20, 0x30, 0x40, 0x50 }; - Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration(new AuthenticatedEncryptionOptions()).CreateNewDescriptor()); + Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration(new AuthenticatedEncryptionSettings()).CreateNewDescriptor()); var keyRing = new KeyRing(key, new[] { key }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs index f2ec6310e0..667f443e14 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs 
@@ -78,14 +78,14 @@ namespace Microsoft.AspNetCore.DataProtection }); var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions()); + var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings()); var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)services.GetService(); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); - Assert.Equal(expectedConfiguration.Options.HashAlgorithm, actualConfiguration.Options.HashAlgorithm); - Assert.Equal(expectedConfiguration.Options.HashAlgorithmProvider, actualConfiguration.Options.HashAlgorithmProvider); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.Settings.HashAlgorithm, actualConfiguration.Settings.HashAlgorithm); + Assert.Equal(expectedConfiguration.Settings.HashAlgorithmProvider, actualConfiguration.Settings.HashAlgorithmProvider); } [ConditionalFact] 
@@ -104,7 +104,7 @@ namespace Microsoft.AspNetCore.DataProtection }); var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionOptions() + var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, @@ -114,11 +114,11 @@ namespace Microsoft.AspNetCore.DataProtection }); var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)services.GetService(); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); - Assert.Equal(expectedConfiguration.Options.HashAlgorithm, actualConfiguration.Options.HashAlgorithm); - Assert.Equal(expectedConfiguration.Options.HashAlgorithmProvider, actualConfiguration.Options.HashAlgorithmProvider); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.Settings.HashAlgorithm, actualConfiguration.Settings.HashAlgorithm); + Assert.Equal(expectedConfiguration.Settings.HashAlgorithmProvider, actualConfiguration.Settings.HashAlgorithmProvider); } [ConditionalFact] 
@@ -132,12 +132,12 @@ namespace Microsoft.AspNetCore.DataProtection }); var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions()); + var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings()); var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)services.GetService(); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); } [ConditionalFact] @@ -154,7 +154,7 @@ namespace Microsoft.AspNetCore.DataProtection }); var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionOptions() + var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, 
@@ -162,9 +162,9 @@ namespace Microsoft.AspNetCore.DataProtection }); var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)services.GetService(); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithm, actualConfiguration.Options.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmProvider, actualConfiguration.Options.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); } [ConditionalFact] 
@@ -178,12 +178,12 @@ namespace Microsoft.AspNetCore.DataProtection }); var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions()); + var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings()); var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService(); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmType, actualConfiguration.Options.EncryptionAlgorithmType); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Options.ValidationAlgorithmType, actualConfiguration.Options.ValidationAlgorithmType); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmType, actualConfiguration.Settings.EncryptionAlgorithmType); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Settings.ValidationAlgorithmType, actualConfiguration.Settings.ValidationAlgorithmType); } [ConditionalFact] @@ -200,7 +200,7 @@ namespace Microsoft.AspNetCore.DataProtection }); var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions() + var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings() { EncryptionAlgorithmType = typeof(TripleDES), EncryptionAlgorithmKeySize = 2048, 
@@ -208,9 +208,9 @@ namespace Microsoft.AspNetCore.DataProtection }); var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService(); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmType, actualConfiguration.Options.EncryptionAlgorithmType); - Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Options.ValidationAlgorithmType, actualConfiguration.Options.ValidationAlgorithmType); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmType, actualConfiguration.Settings.EncryptionAlgorithmType); + Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.Settings.ValidationAlgorithmType, actualConfiguration.Settings.ValidationAlgorithmType); } private static void RunTestWithRegValues(IServiceCollection services, Dictionary regValues) From f46b3a2db654fda71c831caa2423487c6b2587aa Mon Sep 17 00:00:00 2001 From: Cesar Blum Silveira Date: Tue, 15 Mar 2016 04:47:10 -0700 Subject: [PATCH 241/493] Build only if src directory exists. --- makefile.shade | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/makefile.shade b/makefile.shade index 5a3caf4c44..7b7b2396d9 100644 --- a/makefile.shade +++ b/makefile.shade @@ -11,7 +11,7 @@ var Configuration_Local = '${E("Configuration")}' var ROOT_Local = '${Directory.GetCurrentDirectory()}' var BUILD_DIR_Local = '${Path.Combine(ROOT_Local, "build")}' -#build-compile target='compile' if='IsLinux' +#build-compile target='compile' if='IsLinux && Directory.Exists("src")' @{ var projectFiles = Files.Include("src/**/project.json") .Exclude("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json") 
@@ -23,4 +23,4 @@ var BUILD_DIR_Local = '${Path.Combine(ROOT_Local, "build")}' { File.Copy(nupkg, Path.Combine(BUILD_DIR_Local, Path.GetFileName(nupkg)), true); } - } \ No newline at end of file + } From 6ad27bb705a9f4e6533625a6113562e491b522bd Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 15 Mar 2016 11:12:03 -0700 Subject: [PATCH 242/493] * Remove xunit.runner.console reference * Replace ExceptionAssert2.ThrowsArgumentNull with ExceptionAssert.ThrowsArgumentNull --- .../project.json | 3 --- .../project.json | 3 --- .../project.json | 3 +-- .../project.json | 3 +-- .../ExceptionAssert2.cs | 14 -------------- .../KeyRingBasedDataProtectorTests.cs | 4 ++-- .../SecretTests.cs | 4 ++-- .../project.json | 3 +-- 8 files changed, 7 insertions(+), 30 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 275ddd9910..1eac69a003 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -21,9 +21,6 @@ ] }, "net451": { - "dependencies": { - "xunit.runner.console": "2.1.0" - }, "frameworkAssemblies": { "System.Runtime": "", "System.Threading.Tasks": "" diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index dbeaf4e74f..8a78b832fd 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -19,9 +19,6 @@ ] }, "net451": { - "dependencies": { - "xunit.runner.console": "2.1.0" - }, "frameworkAssemblies": { "System.Runtime": "", "System.Threading.Tasks": "" diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 3e077c2823..2452daa441 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -20,8 +20,7 @@ }, "net451": { "dependencies": { - "Moq": "4.2.1312.1622", - "xunit.runner.console": "2.1.0" + "Moq": "4.2.1312.1622" }, "frameworkAssemblies": { "System.Runtime": "", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 8a1c50c1a2..a030268267 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -24,8 +24,7 @@ }, "net451": { "dependencies": { - "Moq": "4.2.1312.1622", - "xunit.runner.console": "2.1.0" + "Moq": "4.2.1312.1622" }, "frameworkAssemblies": { "System.Runtime": "", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs index 36eab6e08d..ccc596b48c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs @@ -9,20 +9,6 @@ namespace Microsoft.AspNetCore.Testing { internal static class ExceptionAssert2 { - /// - /// Verifies that the code throws an . - /// - /// A delegate to the code to be tested - /// The name of the parameter that should throw the exception - /// The that was thrown, when successful - /// Thrown when an exception was not thrown, or when an exception of the incorrect type is thrown - public static ArgumentNullException ThrowsArgumentNull(Action testCode, string paramName) - { - var ex = Assert.Throws(testCode); - Assert.Equal(paramName, ex.ParamName); - return ex; - } - /// /// Verifies that the code throws a . /// 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs index e85f52759a..2e510d5ccf 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs @@ -29,7 +29,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement newPurpose: "purpose"); // Act & assert - ExceptionAssert2.ThrowsArgumentNull(() => protector.Protect(plaintext: null), "plaintext"); + ExceptionAssert.ThrowsArgumentNull(() => protector.Protect(plaintext: null), "plaintext"); } [Fact] @@ -134,7 +134,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement newPurpose: "purpose"); // Act & assert - ExceptionAssert2.ThrowsArgumentNull(() => protector.Unprotect(protectedData: null), "protectedData"); + ExceptionAssert.ThrowsArgumentNull(() => protector.Unprotect(protectedData: null), "protectedData"); } [Fact] diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs index 0d3ab20696..b9342ad765 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs @@ -90,7 +90,7 @@ namespace Microsoft.AspNetCore.DataProtection public void Ctor_Pointer_WithNullPointer_ThrowsArgumentNull() { // Act & assert - ExceptionAssert2.ThrowsArgumentNull( + ExceptionAssert.ThrowsArgumentNull( testCode: () => new Secret(null, 0), paramName: "secret"); } @@ -228,7 +228,7 @@ namespace Microsoft.AspNetCore.DataProtection var secret = Secret.Random(16); // Act & assert - ExceptionAssert2.ThrowsArgumentNull( + ExceptionAssert.ThrowsArgumentNull( testCode: () => secret.WriteSecretIntoBuffer(null, 100), paramName: "buffer"); } 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index c551926e27..d879702159 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -24,8 +24,7 @@ }, "net451": { "dependencies": { - "Moq": "4.2.1312.1622", - "xunit.runner.console": "2.1.0" + "Moq": "4.2.1312.1622" }, "frameworkAssemblies": { "System.Runtime": "", From 8503e161d061fa230b00ba58d6801d7f906356ce Mon Sep 17 00:00:00 2001 From: Pranav K Date: Sat, 19 Mar 2016 11:43:51 -0700 Subject: [PATCH 243/493] Reacting to CoreCLR package changes --- src/Microsoft.AspNetCore.Cryptography.Internal/project.json | 1 + test/Microsoft.AspNetCore.DataProtection.Test/project.json | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index ebd11d61dd..68e7e1fb10 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -11,6 +11,7 @@ "netstandard1.3": { "dependencies": { "System.Diagnostics.Debug": "4.0.11-*", + "System.Resources.ResourceManager": "4.0.1-*", "System.Runtime.Handles": "4.0.1-*", "System.Runtime.InteropServices": "4.1.0-*", "System.Security.Cryptography.Primitives": "4.0.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index d879702159..d57f47f5f7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -27,7 +27,6 @@ "Moq": "4.2.1312.1622" }, "frameworkAssemblies": { - "System.Runtime": "", "System.Threading.Tasks": "" } } From be1b128dbf1212b152a4772c0e90f49ac9146239 Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Wed, 23 Mar 2016 08:36:30 -0700 Subject: [PATCH 244/493] Use build-compile from KoreBuild --- makefile.shade | 58 ++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 47 insertions(+), 11 deletions(-) diff --git a/makefile.shade b/makefile.shade index 7b7b2396d9..e41996d498 100644 --- a/makefile.shade +++ b/makefile.shade 
@@ -8,19 +8,55 @@ use-standard-lifecycle k-standard-goals var Configuration_Local = '${E("Configuration")}' -var ROOT_Local = '${Directory.GetCurrentDirectory()}' -var BUILD_DIR_Local = '${Path.Combine(ROOT_Local, "build")}' +default BASE_DIR_LOCAL='${Directory.GetCurrentDirectory()}' +default TARGET_DIR_LOCAL='${Path.Combine(BASE_DIR_LOCAL, "artifacts")}' +default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' -#build-compile target='compile' if='IsLinux && Directory.Exists("src")' +#build-compile target='compile' if='Directory.Exists("src")' @{ - var projectFiles = Files.Include("src/**/project.json") - .Exclude("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json") - .ToList(); - - projectFiles.ForEach(projectFile => DotnetPack(projectFile, BUILD_DIR_Local, Configuration_Local)); - - foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR_Local, "*/*.nupkg"))) + + Directory.CreateDirectory(TARGET_DIR_LOCAL); + + string commitHash = null; + if (AddAssemblyInfo) { - File.Copy(nupkg, Path.Combine(BUILD_DIR_Local, Path.GetFileName(nupkg)), true); + var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); + GitCommand("rev-parse HEAD >> " + commitHashFile); + commitHash = File.ReadAllLines(commitHashFile)[0]; + } + + var projectFiles = Files.Include("src/*/project.json").ToList(); + if (IsLinux) + { + projectFiles.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); + } + + projectFiles.ForEach(projectFile => + { + if (AddAssemblyInfo) + { + var projectText = File.ReadAllText(projectFile); + var project = (JsonObject)Json.Deserialize(projectText); + var isSharedProject = project.Keys.Contains("shared"); + + // We don't want to embed the commit hash in it because + // the consumers would get that file + if (!isSharedProject) + { + Console.WriteLine("Embedding commit hash in assembly"); + var projectFolder = Path.GetDirectoryName(projectFile); + var commitHashAttribute = String.Format("[assembly: 
System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); + + var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); + File.WriteAllText(buildInfoFile, commitHashAttribute); + } + } + + DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local); + }); + + foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR_LOCAL, "*/" + Configuration_Local + "/*.nupkg"))) + { + File.Copy(nupkg, Path.Combine(BUILD_DIR_LOCAL, Path.GetFileName(nupkg)), true); } } From f2a42d1f712a3ae11ea2b3a57db4d4f0752d6889 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 23 Mar 2016 12:59:11 -0700 Subject: [PATCH 245/493] Reacting to CoreCLR package changes --- .../project.json | 2 +- src/Microsoft.AspNetCore.DataProtection/project.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index 1ba9922aaf..be60e95200 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -13,7 +13,7 @@ "netstandard1.3": { "dependencies": { "System.Runtime.Extensions": "4.1.0-*", - "System.Security.Cryptography.Algorithms": "4.0.0-*", + "System.Security.Cryptography.Algorithms": "4.1.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" }, "imports": [ diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 82d53594db..aeb0427585 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json 
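Review bot: In the makefile.shade hunk the commit hash is captured with an appending redirect, `GitCommand("rev-parse HEAD >> " + commitHashFile)`, and then read back with `File.ReadAllLines(commitHashFile)[0]`. Whenever `artifacts/commit` survives from an earlier build, the first line is the older hash, and that stale value is written into `BuildInfo.generated.cs` as the `CommitHash` metadata. Truncating instead of appending keeps the embedded hash tied to the tree being built: `GitCommand("rev-parse HEAD > " + commitHashFile);`. The path is also concatenated unquoted, so a checkout directory containing spaces would presumably break the redirect; how `GitCommand` hands its argument to a shell is not visible in this hunk.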
@@ -28,7 +28,7 @@ "netstandard1.3": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-*", - "System.Security.Cryptography.X509Certificates": "4.0.0-*", + "System.Security.Cryptography.X509Certificates": "4.1.0-*", "System.Security.Claims": "4.0.1-*", "System.Security.Principal.Windows": "4.0.0-*", "System.Xml.XDocument": "4.0.11-*" From 7cace9a7fe8ded736d39fc6d7a6d0c175d48c4d7 Mon Sep 17 00:00:00 2001 From: Eilon Lipton Date: Thu, 24 Mar 2016 23:50:57 -0700 Subject: [PATCH 246/493] Fix package metadata --- README.md | 3 ++- .../project.json | 10 +++++++--- .../project.json | 8 ++++++-- .../project.json | 8 ++++++-- .../project.json | 8 ++++++-- .../project.json | 10 +++++++--- .../CompatibilityDataProtector.cs | 2 +- .../DataProtectionStartup.cs | 2 +- .../project.json | 7 ++++++- .../web.config.transform | 2 +- src/Microsoft.AspNetCore.DataProtection/project.json | 6 +++++- 11 files changed, 48 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 1560deffee..622d2e229d 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ AppVeyor: [![AppVeyor](https://ci.appveyor.com/api/projects/status/4mki61bux5vby Travis: [![Travis](https://travis-ci.org/aspnet/DataProtection.svg?branch=dev)](https://travis-ci.org/aspnet/DataProtection) -Data Protection APIs +Data Protection APIs for protecting and unprotecting data. + This project is part of ASP.NET Core. You can find documentation for Data Protection in the [ASP.NET Core Documentation](http://docs.asp.net/en/latest/security/data-protection/index.html). You can find samples, documentation and getting started instructions for ASP.NET Core at the [Home](https://github.com/aspnet/home) repo. diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index 68e7e1fb10..1399e0f8c2 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json 
@@ -1,13 +1,17 @@ { "version": "1.0.0-*", - "description": "Infrastructure for ASP.NET 5 cryptographic packages. Developers should not reference this package.", + "description": "Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly.", + "tags": [ + "aspnetcore", + "dataprotection" + ], "repository": { "type": "git", "url": "git://github.com/aspnet/dataprotection" }, - "dependencies": {}, + "dependencies": { }, "frameworks": { - "net451": {}, + "net451": { }, "netstandard1.3": { "dependencies": { "System.Diagnostics.Debug": "4.0.11-*", diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index be60e95200..6c6a70466d 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", - "description": "ASP.NET 5 utilities for key derivation.", + "description": "ASP.NET Core utilities for key derivation.", + "tags": [ + "aspnetcore", + "dataprotection" + ], "repository": { "type": "git", "url": "git://github.com/aspnet/dataprotection" @@ -9,7 +13,7 @@ "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*" }, "frameworks": { - "net451": {}, + "net451": { }, "netstandard1.3": { "dependencies": { "System.Runtime.Extensions": "4.1.0-*", diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index eb8ade7d18..ff8a8bac00 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json 
@@ -1,6 +1,10 @@ { "version": "1.0.0-*", - "description": "Contains the core IDataProtector and IDataProtectionProvider abstractions for ASP.NET 5 Data Protection.", + "description": "ASP.NET Core data protection abstractions.\r\nCommonly used types:\r\nMicrosoft.AspNetCore.DataProtection.IDataProtectionProvider\r\nMicrosoft.AspNetCore.DataProtection.IDataProtector", + "tags": [ + "aspnetcore", + "dataprotection" + ], "repository": { "type": "git", "url": "git://github.com/aspnet/dataprotection" @@ -13,7 +17,7 @@ "Microsoft.Extensions.PlatformAbstractions": "1.0.0-*" }, "frameworks": { - "net451": {}, + "net451": { }, "netstandard1.3": { "dependencies": { "System.ComponentModel": "4.0.1-*", diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index 14d7784c55..4911d3a0d5 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", - "description": "Additional APIs for ASP.NET 5 data protection.", + "description": "Additional APIs for ASP.NET Core data protection.", + "tags": [ + "aspnetcore", + "dataprotection" + ], "repository": { "type": "git", "url": "git://github.com/aspnet/dataprotection" @@ -14,7 +18,7 @@ "Microsoft.Extensions.DependencyInjection": "1.0.0-*" }, "frameworks": { - "net451": {}, + "net451": { }, "netstandard1.3": { "imports": [ "dotnet5.4" diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index b205184280..2f7b3bf22f 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json 
@@ -1,13 +1,17 @@ { "version": "1.0.0-*", - "description": "ASP.NET 5 Data Protection shared code.", + "description": "ASP.NET Core data protection shared code.", + "tags": [ + "aspnetcore", + "dataprotection" + ], "repository": { "type": "git", "url": "git://github.com/aspnet/dataprotection" }, - "dependencies": {}, + "dependencies": { }, "frameworks": { - "net451": {}, + "net451": { }, "netstandard1.3": { "dependencies": { "System.Security.Cryptography.Primitives": "4.0.0-*", diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs index f6d238152e..739afe83bd 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs @@ -9,7 +9,7 @@ using System.Security.Cryptography; namespace Microsoft.AspNetCore.DataProtection.SystemWeb { /// - /// A that can be used by ASP.NET 4.x to interact with ASP.NET 5's + /// A that can be used by ASP.NET 4.x to interact with ASP.NET Core's /// DataProtection stack. This type is for internal use only and shouldn't be directly used by /// developers. /// diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs index 80904b9b75..f3760df207 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs @@ -11,7 +11,7 @@ using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection.SystemWeb { /// - /// Allows controlling the configuration of the ASP.NET 5 Data Protection system. + /// Allows controlling the configuration of the ASP.NET Core Data Protection system. /// /// /// Developers should not call these APIs directly. Instead, developers should subclass 
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json index e2ecac0519..415a9ad9de 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json @@ -1,6 +1,11 @@ { "version": "1.0.0-*", - "description": "A component to allow the ASP.NET 5 DataProtection stack to work with the ASP.NET 4.x element.", + "description": "A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x element.", + "tags": [ + "aspnet", + "aspnetcore", + "dataprotection" + ], "repository": { "type": "git", "url": "git://github.com/aspnet/dataprotection" diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform index 9ac2268152..8d5a699252 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform @@ -2,7 +2,7 @@ diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index aeb0427585..1d9ff4b2e5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -1,6 +1,10 @@ { "version": "1.0.0-*", - "description": "ASP.NET 5 logic to protect and unprotect data, similar to DPAPI.", + "description": "ASP.NET Core logic to protect and unprotect data, similar to DPAPI.", + "tags": [ + "aspnetcore", + "dataprotection" + ], "repository": { "type": "git", "url": "git://github.com/aspnet/dataprotection" From f540174114ecc42c3c0a07acb60a46affc3929a7 Mon Sep 17 00:00:00 2001 From: Victor Hurdugaci Date: Wed, 30 Mar 2016 15:01:44 -0700 Subject: [PATCH 247/493] Webhook notifications --- .travis.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/.travis.yml b/.travis.yml index df22f7a880..6ca11de268 100644 --- a/.travis.yml +++ b/.travis.yml @@ -23,4 +23,10 @@ branches: - dev - /^(.*\/)?ci-.*$/ script: - - ./build.sh verify \ No newline at end of file + - ./build.sh verify +notifications: + webhooks: + secure: "QLltxzNQ+TUgMurX3FuWB37LVsRx6kZBTXk4JG/BELqO5/Xuwzf8ChElW29d4AbwOeYv5ONYyrvdnLtel8MJCMs8rCxZ2kZZtmUtGdUpPeMavmrvDYQeNqHhFYpLu+bEjxuilGoVI2qonI29S3Q9fC+grXsktGPwPmhyulHbwkk=" + on_success: always + on_failure: always + on_start: always \ No newline at end of file From f5944178e25b15a7672eb3959ce3e8059e430757 Mon Sep 17 00:00:00 2001 From: BrennanConroy Date: Fri, 1 Apr 2016 11:58:24 -0700 Subject: [PATCH 248/493] React to logging changes --- .../StringLoggerFactory.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs index f36f0c2af8..7a7596cc7f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs @@ -49,7 +49,7 @@ namespace Microsoft.AspNetCore.DataProtection _factory = factory; } - public IDisposable BeginScopeImpl(object state) + public IDisposable BeginScope(TState state) { return new DummyDisposable(); } From 8a592d1bee89acf9e4cf7c3db416f592604e4c89 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 6 Apr 2016 09:46:14 -0700 Subject: [PATCH 249/493] Updating to release. --- NuGet.config | 2 +- build.ps1 | 2 +- build.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/NuGet.config b/NuGet.config index 1707938c61..9db87a421e 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + \ No newline at end of file diff --git a/build.ps1 b/build.ps1 index 8f2f99691a..cf8bff13bb 100644 --- a/build.ps1 +++ b/build.ps1 
@@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/release.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index f4208100eb..f88fe4052e 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/release.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi From 5654310a68e276992e1e9f3b0e835816bce1f7f3 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Thu, 31 Mar 2016 15:41:24 -0700 Subject: [PATCH 250/493] [Fixes #130] Added few DataProtectionProvider.Create overloads --- .../DataProtectionProvider.cs | 129 +++++++++++++++++- .../DataProtectionProviderTests.cs | 109 +++++++++++++++ .../TestFiles/TestCert.pfx | Bin 0 -> 2486 bytes 3 files changed, 233 insertions(+), 5 deletions(-) create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs index cedcc2bded..58972aa4d9 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs @@ -3,6 +3,7 @@ using System; using System.IO; +using System.Security.Cryptography.X509Certificates; using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection 
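Review bot: In build.ps1, and on the matching line in build.sh, `$koreBuildZip` still points at a moving branch archive (`release.zip` instead of `dev.zip`), and `KOREBUILD_ZIP` from the environment replaces it with no validation visible in either hunk. Assuming the rest of each script, which lies outside these hunks, downloads and runs the archive, the build executes whatever that branch or variable resolves to at build time, with no integrity check. Until the archive is pinned, a comment above the assignment would record the gap, for example `# TODO: pin KoreBuild to a commit archive and verify its hash before extracting`.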
@@ -14,6 +15,25 @@ namespace Microsoft.AspNetCore.DataProtection /// Use these methods when not using dependency injection to provide the service to the application. public static class DataProtectionProvider { + /// + /// Creates a that store keys in a location based on + /// the platform and operating system. + /// + /// An identifier that uniquely discriminates this application from all other + /// applications on the machine. + public static IDataProtectionProvider Create(string applicationName) + { + if (string.IsNullOrEmpty(applicationName)) + { + throw new ArgumentNullException(nameof(applicationName)); + } + + return CreateProvider( + keyDirectory: null, + setupAction: builder => { builder.SetApplicationName(applicationName); }, + certificate: null); + } + /// /// Creates an given a location at which to store keys. /// @@ -21,7 +41,12 @@ namespace Microsoft.AspNetCore.DataProtection /// represent a directory on a local disk or a UNC share. public static IDataProtectionProvider Create(DirectoryInfo keyDirectory) { - return Create(keyDirectory, setupAction: builder => { }); + if (keyDirectory == null) + { + throw new ArgumentNullException(nameof(keyDirectory)); + } + + return CreateProvider(keyDirectory, setupAction: builder => { }, certificate: null); } /// 
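Review bot: The new `Create(string applicationName)` guard uses `string.IsNullOrEmpty` but throws `ArgumentNullException`, so an empty string is reported as null and a whitespace-only name is accepted. The doc comment describes this value as the identifier that discriminates the application from all others on the machine, so a blank name deserves to be rejected explicitly. I would use `if (string.IsNullOrWhiteSpace(applicationName))` and throw `ArgumentException` with `nameof(applicationName)` for the non-null case. The same guard is repeated in `Create(string applicationName, X509Certificate2 certificate)` in the later hunk of this file.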
@@ -40,22 +65,116 @@ namespace Microsoft.AspNetCore.DataProtection { throw new ArgumentNullException(nameof(keyDirectory)); } - if (setupAction == null) { throw new ArgumentNullException(nameof(setupAction)); } + return CreateProvider(keyDirectory, setupAction, certificate: null); + } + +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + /// + /// Creates a that store keys in a location based on + /// the platform and operating system and uses the given to encrypt the keys. + /// + /// An identifier that uniquely discriminates this application from all other + /// applications on the machine. + /// The to be used for encryption. + public static IDataProtectionProvider Create(string applicationName, X509Certificate2 certificate) + { + if (string.IsNullOrEmpty(applicationName)) + { + throw new ArgumentNullException(nameof(applicationName)); + } + if (certificate == null) + { + throw new ArgumentNullException(nameof(certificate)); + } + + return CreateProvider( + keyDirectory: null, + setupAction: builder => { builder.SetApplicationName(applicationName); }, + certificate: certificate); + } + + /// + /// Creates an given a location at which to store keys + /// and a used to encrypt the keys. + /// + /// The in which keys should be stored. This may + /// represent a directory on a local disk or a UNC share. + /// The to be used for encryption. + public static IDataProtectionProvider Create( + DirectoryInfo keyDirectory, + X509Certificate2 certificate) + { + if (keyDirectory == null) + { + throw new ArgumentNullException(nameof(keyDirectory)); + } + if (certificate == null) + { + throw new ArgumentNullException(nameof(certificate)); + } + + return CreateProvider(keyDirectory, setupAction: builder => { }, certificate: certificate); + } + + /// + /// Creates an given a location at which to store keys, an + /// optional configuration callback and a used to encrypt the keys. + /// + /// The in which keys should be stored. 
This may + /// represent a directory on a local disk or a UNC share. + /// An optional callback which provides further configuration of the data protection + /// system. See for more information. + /// The to be used for encryption. + public static IDataProtectionProvider Create( + DirectoryInfo keyDirectory, + Action setupAction, + X509Certificate2 certificate) + { + if (keyDirectory == null) + { + throw new ArgumentNullException(nameof(keyDirectory)); + } + if (setupAction == null) + { + throw new ArgumentNullException(nameof(setupAction)); + } + if (certificate == null) + { + throw new ArgumentNullException(nameof(certificate)); + } + + return CreateProvider(keyDirectory, setupAction, certificate); + } +#endif + + private static IDataProtectionProvider CreateProvider( + DirectoryInfo keyDirectory, + Action setupAction, + X509Certificate2 certificate) + { // build the service collection var serviceCollection = new ServiceCollection(); var builder = serviceCollection.AddDataProtection(); - builder.PersistKeysToFileSystem(keyDirectory); - if (setupAction != null) + if (keyDirectory != null) { - setupAction(builder); + builder.PersistKeysToFileSystem(keyDirectory); } +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + if (certificate != null) + { + builder.ProtectKeysWithCertificate(certificate); + } +#endif + + setupAction(builder); + // extract the provider instance from the service collection return serviceCollection.BuildServiceProvider().GetRequiredService(); } diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 5e882c70c8..baf03a742f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs 
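Review bot: The XML docs on the new three-argument `Create` overload call `setupAction` an optional callback, but the body throws `ArgumentNullException` when it is null and `CreateProvider` now invokes `setupAction(builder)` without a guard. The wording should say the callback is required. `CreateProvider` also runs `setupAction` after `PersistKeysToFileSystem` and `ProtectKeysWithCertificate`, so a callback can presumably replace the key directory or the certificate-based key encryption the caller asked for. If that ordering is intended, a comment above the call would make it explicit: `// setupAction runs last, so it can override the key directory and certificate configured above`.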
@@ -3,6 +3,8 @@ using System; using System.IO; +using System.Reflection; +using System.Security.Cryptography.X509Certificates; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; using Xunit; @@ -35,6 +37,47 @@ namespace Microsoft.AspNetCore.DataProtection }); } + [ConditionalFact] + [ConditionalRunTestOnlyIfLocalAppDataAvailable] + [ConditionalRunTestOnlyOnWindows] + public void System_NoKeysDirectoryProvided_UsesDefaultKeysDirectory() + { + var keysPath = Path.Combine(Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"), "ASP.NET", "DataProtection-Keys"); + var tempPath = Path.Combine(Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"), "ASP.NET", "DataProtection-KeysTemp"); + + try + { + // Step 1: Move the current contents, if any, to a temporary directory. + if (Directory.Exists(keysPath)) + { + Directory.Move(keysPath, tempPath); + } + + // Step 2: Instantiate the system and round-trip a payload + var protector = DataProtectionProvider.Create("TestApplication").CreateProtector("purpose"); + Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); + + // Step 3: Validate that there's now a single key in the directory and that it's protected using Windows DPAPI. + var newFileName = Assert.Single(Directory.GetFiles(keysPath)); + var file = new FileInfo(newFileName); + Assert.StartsWith("key-", file.Name, StringComparison.OrdinalIgnoreCase); + var fileText = File.ReadAllText(file.FullName); + Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + Assert.Contains("This key is encrypted with Windows DPAPI.", fileText, StringComparison.Ordinal); + } + finally + { + if (Directory.Exists(keysPath)) + { + Directory.Delete(keysPath, recursive: true); + } + if (Directory.Exists(tempPath)) + { + Directory.Move(tempPath, keysPath); + } + } + } + [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] 
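Review bot: `System_NoKeysDirectoryProvided_UsesDefaultKeysDirectory` can destroy the developer's real key ring, because the `finally` block deletes `keysPath` recursively whether or not the move in step 1 succeeded. If `DataProtection-KeysTemp` is left over from an aborted run, `Directory.Move` throws, the real keys are deleted, and the stale temp directory is moved into their place. I would use a unique sibling name for the temporary directory and record whether the move happened, so that cleanup only removes what the test created and only restores what it moved.

```csharp
var tempPath = keysPath + "-" + Guid.NewGuid().ToString("N");
var keysExisted = Directory.Exists(keysPath);
var movedAside = false;

try
{
    // Step 1: Move the current contents, if any, to a temporary directory.
    if (keysExisted)
    {
        Directory.Move(keysPath, tempPath);
        movedAside = true;
    }

    // … unchanged: steps 2 and 3 …
}
finally
{
    // Never delete keys that could not be moved aside first.
    if ((movedAside || !keysExisted) && Directory.Exists(keysPath))
    {
        Directory.Delete(keysPath, recursive: true);
    }
    if (movedAside)
    {
        Directory.Move(tempPath, keysPath);
    }
}
```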
@@ -63,6 +106,51 @@ namespace Microsoft.AspNetCore.DataProtection }); } +#if !NETSTANDARDAPP1_5 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + [ConditionalFact] + [ConditionalRunTestOnlyIfLocalAppDataAvailable] + [ConditionalRunTestOnlyOnWindows] + public void System_UsesProvidedDirectoryAndCertificate() + { + var filePath = Path.Combine(GetTestFilesPath(), "TestCert.pfx"); + var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); + store.Open(OpenFlags.ReadWrite); + store.Add(new X509Certificate2(filePath, "password")); + store.Close(); + + WithUniqueTempDirectory(directory => + { + var certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); + certificateStore.Open(OpenFlags.ReadWrite); + var certificate = certificateStore.Certificates.Find(X509FindType.FindBySubjectName, "TestCert", false)[0]; + + try + { + // Step 1: directory should be completely empty + directory.Create(); + Assert.Empty(directory.GetFiles()); + + // Step 2: instantiate the system and round-trip a payload + var protector = DataProtectionProvider.Create(directory, certificate).CreateProtector("purpose"); + Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); + + // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate + var allFiles = directory.GetFiles(); + Assert.Equal(1, allFiles.Length); + Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); + string fileText = File.ReadAllText(allFiles[0].FullName); + Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + Assert.Contains("X509Certificate", fileText, StringComparison.Ordinal); + } + finally + { + certificateStore.Remove(certificate); + certificateStore.Close(); + } + }); + } +#endif + /// /// Runs a test and cleans up the temp directory afterward. /// 
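Review bot: `System_UsesProvidedDirectoryAndCertificate` installs a certificate with its private key into `CurrentUser\My` before any `try`, so a failure between `store.Add(...)` and the `try` inside the lambda (for example `Find(...)[0]` on an empty result) leaves it installed. `FindBySubjectName` is a substring match, so `[0]` may also be an unrelated certificate whose subject contains "TestCert", which the `finally` would then remove. I would keep the imported instance, `var imported = new X509Certificate2(filePath, "password");`, look it up with `Find(X509FindType.FindByThumbprint, imported.Thumbprint, false)`, and move the `Add` inside the `try` so the `finally` always removes exactly that certificate. Neither `X509Store` is closed if an exception is thrown before its `Close()` call.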
@@ -90,5 +178,26 @@ namespace Microsoft.AspNetCore.DataProtection public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; } + + private static string GetTestFilesPath() + { + var projectName = typeof(DataProtectionProviderTests).GetTypeInfo().Assembly.GetName().Name; + var projectPath = RecursiveFind(projectName, Path.GetFullPath(".")); + + return Path.Combine(projectPath, projectName, "TestFiles"); + } + + private static string RecursiveFind(string path, string start) + { + var test = Path.Combine(start, path); + if (Directory.Exists(test)) + { + return start; + } + else + { + return RecursiveFind(path, new DirectoryInfo(start).Parent.FullName); + } + } } } 
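Review bot: `RecursiveFind` dereferences `new DirectoryInfo(start).Parent` without a null check, so when the project directory is not found above the working directory the walk reaches the filesystem root and fails with a `NullReferenceException`. I would stop at the root with a clear message instead: `var parent = new DirectoryInfo(start).Parent;` followed by `if (parent == null) { throw new DirectoryNotFoundException("Could not locate " + path + " above the working directory."); }`. `DirectoryNotFoundException` is available through the file's existing `using System.IO;`.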
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx new file mode 100644 index 0000000000000000000000000000000000000000..266754e8eeb5830fa41d542dc12c9d1b46766212 GIT binary patch literal 2486 zcmaJ@2{=^m8b7l#mWhyEZgq!<&J06n5h~deN|u_8t+MZ1e{(RBLW%rQ_GFFlFXEEK zWXqNYk+D^>jCCx@J$3Kx{_perpZlEip6`8s@B91S?|IMneD4QBxTi=23WRX(Seyb~ zpU&Y&a3L}w+(k5mvw`7rAcO_}$AwuyLzr0*!hC^c63hE<79S4+nF*m+K?uDFN@02a z1H+T!(cGd+V~lq`1~ep+s|yXGyDU}jafb?be$G%__vQK{X;R%_&zfXsrDW`OgbJ_1 zN9eaRv$RCh%EORQYlmy!bVlxT?#^l17+pP9!d!`YcCM=vL=VW4OPdSQcgB#7E(_Fb zNot8yX~)ESEh8EC*6fCBWg8h2egVZN@FYnCyTx{gD_N5-z2xb7rqgPufs&0vLie;T zJ$F5h6ja>&l-pNza>`qiHEVbFr%@H0z>?`>Ngv7v5OB?b2T?cUB;7caH7Z zJi=7VIQ0It27`ahVcA-yGo2O3Wv%0Wy)xQ+?5?-J;8Fs~Atpr47XOHfDP)>hzx7#c zQ$I!xPkCafPn159ctlRbzA!2fJ zz{x%CS_yZ8uktP_>}buD6>ep=t}wUfw61=>Ywz(T^;D4cbweZmv6U~I&7w8F-`(2F zgByd`CrN&OuRnxtP6{V0=~Bjyk2$Yg z=D{H&@05)c@fUI-Bg0!06!t5CXX4yLRO%GB&srunX>{}DI0y7IX7rvFpJ=sl z{@DHZjwp@w12>J`YHgbMB2)5w7h3XOi+qYNsu+~u`uM=@gzSD-4knQ%=I5e!GV5zbHb9xCUs5r}1)nmwKjl^}25m6{o z^jUE?hARH~XlQ88M)QF{o#9@owArNQ3R z)}eUwH&hY%8Tb2FGhgPNNH#kh(M93J+-jc+A9 zHub)D_Az_LpUy??Eg49#s9q?k_B6;F-@o(mtbB*hX_qnmGxsGjI1yvUI-kOdYM7ZlQHxT1Faf!ShLFo3gk*yd z;zK41i9jL+^lQU5LK^lyF}-Ns{N~L~I*7w!6!9peGzI{Lh=Sk_EXop%65_US^zqeo z^!5d1MEQwopejfvseo##Y8OQLRWyhs75F7rO0r`Ke9)Z9BC)awry6WtOo7a!+1gT$&W~0pV|W znF-pi_4bhbLFqW@UMuvu7ge&hMYibeYV9dkZBwf-Z=F1gDB1a!Q3F^W1mPVkDfLh@KsyuqWBs=Zy7v|1G%k+5TERnygF7*F?B3x$#AhA7q zJ*_`1kbL(`Qb5OIZn!9W_WahRi;7S!cPam-X?e9$Vaupaz02t$qY}Y5o~+P(HJz>d zQ-SS+d?p7f&ctq4B!_h#$1K<_TxqgaSUgly&G(4d8@pAuGCeid1C25-(LFhl_~6SM zbqXhYWXUzMEn7_vcp8)ZcB|Rt>dJdB*FE7DtlU`Apy9gHxj?>l8?i^a@As0Yr8dYO zj36BQB|`v54jYL+EuM Date: Thu, 7 Apr 2016 15:28:23 -0700 Subject: [PATCH 251/493] Removing imports from src projects --- .../project.json | 9 +++------ .../project.json | 7 ++----- .../project.json | 7 ++----- .../project.json | 8 ++------ .../project.json | 9 
+++------ src/Microsoft.AspNetCore.DataProtection/project.json | 9 ++++----- 6 files changed, 16 insertions(+), 33 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index 1399e0f8c2..c130048d88 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -9,9 +9,9 @@ "type": "git", "url": "git://github.com/aspnet/dataprotection" }, - "dependencies": { }, + "dependencies": {}, "frameworks": { - "net451": { }, + "net451": {}, "netstandard1.3": { "dependencies": { "System.Diagnostics.Debug": "4.0.11-*", @@ -20,10 +20,7 @@ "System.Runtime.InteropServices": "4.1.0-*", "System.Security.Cryptography.Primitives": "4.0.0-*", "System.Threading": "4.0.11-*" - }, - "imports": [ - "dotnet5.4" - ] + } } }, "compilationOptions": { diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index 6c6a70466d..7a0db920f3 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -13,16 +13,13 @@ "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*" }, "frameworks": { - "net451": { }, + "net451": {}, "netstandard1.3": { "dependencies": { "System.Runtime.Extensions": "4.1.0-*", "System.Security.Cryptography.Algorithms": "4.1.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" - }, - "imports": [ - "dotnet5.4" - ] + } } }, "compilationOptions": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index ff8a8bac00..f043edf9ae 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json 
@@ -17,15 +17,12 @@ "Microsoft.Extensions.PlatformAbstractions": "1.0.0-*" }, "frameworks": { - "net451": { }, + "net451": {}, "netstandard1.3": { "dependencies": { "System.ComponentModel": "4.0.1-*", "System.Diagnostics.Debug": "4.0.11-*" - }, - "imports": [ - "dotnet5.4" - ] + } } }, "compilationOptions": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index 4911d3a0d5..ed0f52f15c 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -18,12 +18,8 @@ "Microsoft.Extensions.DependencyInjection": "1.0.0-*" }, "frameworks": { - "net451": { }, - "netstandard1.3": { - "imports": [ - "dotnet5.4" - ] - } + "net451": {}, + "netstandard1.3": {} }, "compilationOptions": { "warningsAsErrors": true, diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index 2f7b3bf22f..533e0da564 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json @@ -9,17 +9,14 @@ "type": "git", "url": "git://github.com/aspnet/dataprotection" }, - "dependencies": { }, + "dependencies": {}, "frameworks": { - "net451": { }, + "net451": {}, "netstandard1.3": { "dependencies": { "System.Security.Cryptography.Primitives": "4.0.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" - }, - "imports": [ - "dotnet5.4" - ] + } } }, "shared": "**\\*.cs", diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 1d9ff4b2e5..de143d2eb5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json 
@@ -23,7 +23,9 @@ "frameworks": { "net451": { "frameworkAssemblies": { - "System.Runtime": { "type": "build" }, + "System.Runtime": { + "type": "build" + }, "System.Security": "", "System.Xml": "", "System.Xml.Linq": "" @@ -36,10 +38,7 @@ "System.Security.Claims": "4.0.1-*", "System.Security.Principal.Windows": "4.0.0-*", "System.Xml.XDocument": "4.0.11-*" - }, - "imports": [ - "dotnet5.4" - ] + } } }, "compilationOptions": { From 6aca37fe5e99292d10cd7202cff591cbdd9b75d9 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Mon, 18 Apr 2016 08:37:56 -0700 Subject: [PATCH 252/493] Migrate tests, tools and samples to portable --- .../project.json | 7 +++++-- .../project.json | 7 +++++-- .../project.json | 10 +++++++--- .../DataProtectionProviderTests.cs | 2 +- .../project.json | 10 +++++++--- .../Repositories/FileSystemXmlRepositoryTests.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- .../project.json | 10 +++++++--- 9 files changed, 35 insertions(+), 17 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 1eac69a003..3d065ea62a 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -6,12 +6,15 @@ "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { - "netstandardapp1.5": { + "netcoreapp1.0": { "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + }, "dotnet-test-xunit": "1.0.0-dev-*", "System.Diagnostics.Process": "4.1.0-*" }, diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 8a78b832fd..8110093833 100644 
--- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -4,12 +4,15 @@ "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { - "netstandardapp1.5": { + "netcoreapp1.0": { "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + }, "dotnet-test-xunit": "1.0.0-dev-*", "System.Diagnostics.Process": "4.1.0-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 2452daa441..157464c18f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -3,15 +3,19 @@ "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { - "netstandardapp1.5": { + "netcoreapp1.0": { "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + }, "moq.netcore": "4.4.0-beta8", "dotnet-test-xunit": "1.0.0-dev-*", - "System.Diagnostics.Process": "4.1.0-*" + "System.Diagnostics.Process": "4.1.0-*", + "System.Diagnostics.TraceSource": "4.0.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index baf03a742f..3f1080188a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs 
+++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -106,7 +106,7 @@ namespace Microsoft.AspNetCore.DataProtection }); } -#if !NETSTANDARDAPP1_5 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETCOREAPP1_0 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index a030268267..b2c2f7f57e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -7,15 +7,19 @@ "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { - "netstandardapp1.5": { + "netcoreapp1.0": { "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + }, "moq.netcore": "4.4.0-beta8", "dotnet-test-xunit": "1.0.0-dev-*", - "System.Diagnostics.Process": "4.1.0-*" + "System.Diagnostics.Process": "4.1.0-*", + "System.Diagnostics.TraceSource": "4.0.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 2ed3f84d0a..0213d96b59 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs 
@@ -158,7 +158,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static string GetLocalApplicationData() { -#if NETSTANDARDAPP1_5 +#if NETCOREAPP1_0 return Environment.GetEnvironmentVariable("LOCALAPPDATA"); #else return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 4655d87138..ea8c939b5b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETSTANDARDAPP1_5 +#if !NETCOREAPP1_0 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 775c63b3eb..128e563403 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if !NETSTANDARDAPP1_5 +#if !NETCOREAPP1_0 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index d57f47f5f7..1fea59f981 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -7,15 +7,19 @@ }, "Microsoft.AspNetCore.Testing": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "xunit": "2.1.0" }, "frameworks": { - "netstandardapp1.5": { + "netcoreapp1.0": { "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + }, "moq.netcore": "4.4.0-beta8", "dotnet-test-xunit": "1.0.0-dev-*", - "System.Diagnostics.Process": "4.1.0-*" + "System.Diagnostics.Process": "4.1.0-*", + "System.Diagnostics.TraceSource": "4.0.0-*" }, "imports": [ "dnxcore50", From a20299eeeb82135b8c56eed3172b5577eaa3b829 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Mon, 18 Apr 2016 16:47:48 -0700 Subject: [PATCH 253/493] Bring Microsoft.NETCore.Platforms dependency back --- .../Microsoft.AspNetCore.Cryptography.Internal.Test/project.json | 1 + .../project.json | 1 + .../project.json | 1 + .../project.json | 1 + test/Microsoft.AspNetCore.DataProtection.Test/project.json | 1 + 5 files changed, 5 insertions(+) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 3d065ea62a..92f8c3ba86 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 8110093833..c90c564ddb 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json 
+++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 157464c18f..e4839630ee 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.0.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index b2c2f7f57e..a099857e63 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Extensions": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 1fea59f981..950aa77e62 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json 
@@ -1,5 +1,6 @@ { "dependencies": { + "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.DataProtection": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", From 36d84468fa6e9181cfba379f6929202b96b084af Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 19 Apr 2016 14:53:54 -0700 Subject: [PATCH 254/493] Use latest build of dotnet-test-xunit --- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 92f8c3ba86..0d0cbf03b7 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -16,7 +16,7 @@ "version": "1.0.0-*", "type": "platform" }, - "dotnet-test-xunit": "1.0.0-dev-*", + "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index c90c564ddb..7e0b8a8d5d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -14,7 +14,7 @@ "version": "1.0.0-*", "type": "platform" }, - "dotnet-test-xunit": "1.0.0-dev-*", + "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index e4839630ee..29ad6f9ee3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json 
+++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -14,7 +14,7 @@ "type": "platform" }, "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*", + "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index a099857e63..c21da3d77e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -18,7 +18,7 @@ "type": "platform" }, "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*", + "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 950aa77e62..d9b0c56857 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -18,7 +18,7 @@ "type": "platform" }, "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-dev-*", + "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, From 5e81b893785fde37b5c91f0228288f12b3bdfd3b Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Mon, 25 Apr 2016 14:07:53 -0700 Subject: [PATCH 255/493] Replace IApplicationEnvironment with IHostingEnvironment --- .../DataProtectionExtensions.cs | 36 ------------- .../project.json | 7 +-- .../DataProtectionExtensions.cs | 51 +++++++++++++++++++ .../project.json | 3 ++ .../DataProtectionExtensionsTests.cs | 32 ------------ .../DataProtectionExtensionsTests.cs | 44 ++++++++++++++++ 6 files changed, 102 insertions(+), 71 deletions(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/DataProtectionExtensions.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionExtensionsTests.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs index 9096a871d7..78c72193e2 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs @@ -3,11 +3,8 @@ using System; using System.Collections.Generic; -using System.ComponentModel; using System.Diagnostics; -using Microsoft.AspNetCore.DataProtection.Infrastructure; using Microsoft.AspNetCore.DataProtection.Abstractions; -using Microsoft.Extensions.PlatformAbstractions; namespace Microsoft.AspNetCore.DataProtection { 
@@ -98,39 +95,6 @@ namespace Microsoft.AspNetCore.DataProtection return protector ?? CryptoUtil.Fail("CreateProtector returned null."); } - /// - /// Returns a unique identifier for this application. - /// - /// The application-level . - /// A unique application identifier, or null if is null - /// or cannot provide a unique application identifier. - /// - /// - /// The returned identifier should be stable for repeated runs of this same application on - /// this machine. Additionally, the identifier is only unique within the scope of a single - /// machine, e.g., two different applications on two different machines may return the same - /// value. - /// - /// - /// This identifier may contain security-sensitive information such as physical file paths, - /// configuration settings, or other machine-specific information. Callers should take - /// special care not to disclose this information to untrusted entities. - /// - /// - [EditorBrowsable(EditorBrowsableState.Never)] - public static string GetApplicationUniqueIdentifier(this IServiceProvider services) - { - string discriminator = (services?.GetService(typeof(IApplicationDiscriminator)) as IApplicationDiscriminator)?.Discriminator; - if (discriminator == null) - { - discriminator = (services?.GetService(typeof(IApplicationEnvironment)) as IApplicationEnvironment)?.ApplicationBasePath; - } - - // Remove whitespace and homogenize empty -> null - discriminator = discriminator?.Trim(); - return (String.IsNullOrEmpty(discriminator)) ? null : discriminator; - } - /// /// Retrieves an from an . /// diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index f043edf9ae..34fe5048c7 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json 
@@ -13,15 +13,16 @@ "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", "version": "1.0.0-*" - }, - "Microsoft.Extensions.PlatformAbstractions": "1.0.0-*" + } }, "frameworks": { "net451": {}, "netstandard1.3": { "dependencies": { "System.ComponentModel": "4.0.1-*", - "System.Diagnostics.Debug": "4.0.11-*" + "System.Diagnostics.Debug": "4.0.11-*", + "System.Resources.ResourceManager": "4.0.1-*", + "System.Runtime.Extensions": "4.1.0-*" } } }, diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionExtensions.cs new file mode 100644 index 0000000000..2624a5220e --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionExtensions.cs 
@@ -0,0 +1,51 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.ComponentModel; +using Microsoft.AspNetCore.DataProtection.Infrastructure; +using Microsoft.AspNetCore.Hosting; +using Microsoft.Extensions.DependencyInjection; + +namespace Microsoft.AspNetCore.DataProtection +{ + public static class DataProtectionExtensions + { + /// + /// Returns a unique identifier for this application. + /// + /// The application-level . + /// A unique application identifier, or null if is null + /// or cannot provide a unique application identifier. + /// + /// + /// The returned identifier should be stable for repeated runs of this same application on + /// this machine. Additionally, the identifier is only unique within the scope of a single + /// machine, e.g., two different applications on two different machines may return the same + /// value. + /// + /// + /// This identifier may contain security-sensitive information such as physical file paths, + /// configuration settings, or other machine-specific information. Callers should take + /// special care not to disclose this information to untrusted entities. + /// + /// + [EditorBrowsable(EditorBrowsableState.Never)] + public static string GetApplicationUniqueIdentifier(this IServiceProvider services) + { + string discriminator = null; + if (services != null) + { + discriminator = services.GetService()?.Discriminator; + if (discriminator == null) + { + discriminator = services.GetService()?.ContentRootPath; + } + } + + // Remove whitespace and homogenize empty -> null + discriminator = discriminator?.Trim(); + return (string.IsNullOrEmpty(discriminator)) ? null : discriminator; + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index de143d2eb5..72904cc78f 100644 
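Review bot: The remarks on `GetApplicationUniqueIdentifier` do not say that a registered discriminator which is empty or whitespace suppresses the `ContentRootPath` fallback, because the fallback is only taken when `Discriminator` is exactly `null`. The method then returns `null`, and the moved test's `("", "app-path", null)` case suggests this is intended. Since the identifier appears to be what separates applications on one machine, I would state it in the code, for example `// An empty discriminator is honored as-is: it disables the ContentRootPath fallback and yields null`, and add a sentence to the remarks. The remarks could also note that the fallback value changes when the content root moves, which changes the identifier.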
--- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -16,6 +16,7 @@ "type": "build", "version": "1.0.0-*" }, + "Microsoft.AspNetCore.Hosting.Abstractions": "1.0.0-*", "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", "Microsoft.Extensions.Options": "1.0.0-*" @@ -34,6 +35,8 @@ "netstandard1.3": { "dependencies": { "Microsoft.Win32.Registry": "4.0.0-*", + "System.IO.FileSystem": "4.0.1-*", + "System.Reflection.Extensions": "4.0.1-*", "System.Security.Cryptography.X509Certificates": "4.1.0-*", "System.Security.Claims": "4.0.1-*", "System.Security.Principal.Windows": "4.0.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs index ab4294c607..dba42bc903 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs @@ -5,10 +5,8 @@ using System; using System.Collections.Generic; using System.Security.Cryptography; using System.Text; -using Microsoft.AspNetCore.DataProtection.Infrastructure; using Microsoft.AspNetCore.DataProtection.Abstractions; using Microsoft.AspNetCore.Testing; -using Microsoft.Extensions.PlatformAbstractions; using Moq; using Xunit; 
@@ -108,36 +106,6 @@ namespace Microsoft.AspNetCore.DataProtection Assert.Same(finalExpectedProtector, retVal); } - [Theory] - [InlineData(" discriminator", "app-path ", "discriminator")] // normalized trim - [InlineData("", "app-path", null)] // app discriminator not null -> overrides app base path - [InlineData(null, "app-path ", "app-path")] // normalized trim - [InlineData(null, " ", null)] // normalized whitespace -> null - [InlineData(null, null, null)] // nothing provided at all - public void GetApplicationUniqueIdentifier(string appDiscriminator, string appBasePath, string expected) - { - // Arrange - var mockAppDiscriminator = new Mock(); - mockAppDiscriminator.Setup(o => o.Discriminator).Returns(appDiscriminator); - var mockAppEnvironment = new Mock(); - mockAppEnvironment.Setup(o => o.ApplicationBasePath).Returns(appBasePath); - var mockServiceProvider = new Mock(); - mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationDiscriminator))).Returns(mockAppDiscriminator.Object); - mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationEnvironment))).Returns(mockAppEnvironment.Object); - - // Act - string actual = mockServiceProvider.Object.GetApplicationUniqueIdentifier(); - - // Assert - Assert.Equal(expected, actual); - } - - [Fact] - public void GetApplicationUniqueIdentifier_NoServiceProvider_ReturnsNull() - { - Assert.Null(((IServiceProvider)null).GetApplicationUniqueIdentifier()); - } - [Fact] public void GetDataProtectionProvider_NoServiceFound_Throws() { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionExtensionsTests.cs new file mode 100644 index 0000000000..364d37ccac --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionExtensionsTests.cs 
@@ -0,0 +1,44 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.DataProtection.Infrastructure; +using Microsoft.AspNetCore.Hosting; +using Moq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection +{ + public class DataProtectionExtensionsTests + { + [Theory] + [InlineData(" discriminator", "app-path ", "discriminator")] // normalized trim + [InlineData("", "app-path", null)] // app discriminator not null -> overrides app base path + [InlineData(null, "app-path ", "app-path")] // normalized trim + [InlineData(null, " ", null)] // normalized whitespace -> null + [InlineData(null, null, null)] // nothing provided at all + public void GetApplicationUniqueIdentifier(string appDiscriminator, string appBasePath, string expected) + { + // Arrange + var mockAppDiscriminator = new Mock(); + mockAppDiscriminator.Setup(o => o.Discriminator).Returns(appDiscriminator); + var mockEnvironment = new Mock(); + mockEnvironment.Setup(o => o.ContentRootPath).Returns(appBasePath); + var mockServiceProvider = new Mock(); + mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationDiscriminator))).Returns(mockAppDiscriminator.Object); + mockServiceProvider.Setup(o => o.GetService(typeof(IHostingEnvironment))).Returns(mockEnvironment.Object); + + // Act + string actual = mockServiceProvider.Object.GetApplicationUniqueIdentifier(); + + // Assert + Assert.Equal(expected, actual); + } + + [Fact] + public void GetApplicationUniqueIdentifier_NoServiceProvider_ReturnsNull() + { + Assert.Null(((IServiceProvider)null).GetApplicationUniqueIdentifier()); + } + } +} From 5abd3bf0765e5981b7a153734503677981db2c51 Mon Sep 17 00:00:00 2001 
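Review bot: The theory in `DataProtectionExtensionsTests` always registers both services on the mock provider, so the `?.` branches of `GetApplicationUniqueIdentifier` are never exercised for a provider that has neither service registered. That case decides whether the application ends up with no identifier at all, and it now depends on the hosting abstractions rather than the platform abstractions, so it deserves its own fact next to the null-provider one. The sketch below assumes a loose Moq mock returns null from an un-set-up `GetService`, which is Moq's default behaviour.

```csharp
[Fact]
public void GetApplicationUniqueIdentifier_NoServicesRegistered_ReturnsNull()
{
    // No Setup calls: every GetService lookup on the loose mock returns null.
    var mockServiceProvider = new Mock<IServiceProvider>();

    Assert.Null(mockServiceProvider.Object.GetApplicationUniqueIdentifier());
}
```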
From: Pranav K Date: Mon, 2 May 2016 11:27:08 -0700 Subject: [PATCH 256/493] Fix build warnings --- .../project.json | 18 ++++++----- .../project.json | 18 ++++++----- .../project.json | 18 ++++++----- .../project.json | 18 ++++++----- .../project.json | 18 ++++++----- .../project.json | 32 +++++++++++-------- .../project.json | 18 ++++++----- .../project.json | 4 +-- .../project.json | 4 +-- .../project.json | 4 +-- .../project.json | 4 +-- .../project.json | 4 +-- 12 files changed, 89 insertions(+), 71 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index c130048d88..933534b542 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -1,13 +1,15 @@ { "version": "1.0.0-*", "description": "Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly.", - "tags": [ - "aspnetcore", - "dataprotection" - ], - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection" + ] }, "dependencies": {}, "frameworks": { @@ -23,7 +25,7 @@ } } }, - "compilationOptions": { + "buildOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index 7a0db920f3..5379778b82 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json 
@@ -1,13 +1,15 @@ { "version": "1.0.0-*", "description": "ASP.NET Core utilities for key derivation.", - "tags": [ - "aspnetcore", - "dataprotection" - ], - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection" + ] }, "dependencies": { "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*" @@ -22,7 +24,7 @@ } } }, - "compilationOptions": { + "buildOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 34fe5048c7..994d8b9ab8 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -1,13 +1,15 @@ { "version": "1.0.0-*", "description": "ASP.NET Core data protection abstractions.\r\nCommonly used types:\r\nMicrosoft.AspNetCore.DataProtection.IDataProtectionProvider\r\nMicrosoft.AspNetCore.DataProtection.IDataProtector", - "tags": [ - "aspnetcore", - "dataprotection" - ], - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection" + ] }, "dependencies": { "Microsoft.AspNetCore.DataProtection.Sources": { @@ -26,7 +28,7 @@ } } }, - "compilationOptions": { + "buildOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", "nowarn": [ diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index ed0f52f15c..8c5d11472b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json 
+++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -1,13 +1,15 @@ { "version": "1.0.0-*", "description": "Additional APIs for ASP.NET Core data protection.", - "tags": [ - "aspnetcore", - "dataprotection" - ], - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection" + ] }, "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.0.0-*", @@ -21,7 +23,7 @@ "net451": {}, "netstandard1.3": {} }, - "compilationOptions": { + "buildOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", "nowarn": [ diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index 533e0da564..cdb516ffad 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json @@ -1,13 +1,15 @@ { "version": "1.0.0-*", "description": "ASP.NET Core data protection shared code.", - "tags": [ - "aspnetcore", - "dataprotection" - ], - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection" + ] }, "dependencies": {}, "frameworks": { @@ -20,7 +22,7 @@ } }, "shared": "**\\*.cs", - "compilationOptions": { + "buildOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json index 415a9ad9de..7c9efdf9cc 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json 
@@ -1,14 +1,21 @@ { "version": "1.0.0-*", "description": "A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x element.", - "tags": [ - "aspnet", - "aspnetcore", - "dataprotection" - ], - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnet", + "aspnetcore", + "dataprotection" + ], + "files": { + "mappings": { + "content/net451/": "web.config.transform" + } + } }, "frameworks": { "net451": { @@ -23,13 +30,12 @@ } } }, - "compilationOptions": { + "buildOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", - "nowarn": [ "CS1591" ], + "nowarn": [ + "CS1591" + ], "xmlDoc": true - }, - "packInclude": { - "content/net451/": "web.config.transform" } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 72904cc78f..bb7cc6e09e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -1,13 +1,15 @@ { "version": "1.0.0-*", "description": "ASP.NET Core logic to protect and unprotect data, similar to DPAPI.", - "tags": [ - "aspnetcore", - "dataprotection" - ], - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection" + ] }, "dependencies": { "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", @@ -44,7 +46,7 @@ } } }, - "compilationOptions": { + "buildOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk", 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 0d0cbf03b7..5c89cd3072 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "dotnet-test-xunit": "1.0.0-*", "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { @@ -16,7 +17,6 @@ "version": "1.0.0-*", "type": "platform" }, - "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ @@ -32,7 +32,7 @@ } }, "testRunner": "xunit", - "compilationOptions": { + "buildOptions": { "allowUnsafe": true, "keyFile": "../../tools/Key.snk", "warningsAsErrors": true diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 7e0b8a8d5d..8437396cb8 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "dotnet-test-xunit": "1.0.0-*", "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", @@ -14,7 +15,6 @@ "version": "1.0.0-*", "type": "platform" }, - "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*" }, "imports": [ @@ -30,7 +30,7 @@ } }, "testRunner": "xunit", - "compilationOptions": { + "buildOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 29ad6f9ee3..8c0e4f1af1 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "dotnet-test-xunit": "1.0.0-*", "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", @@ -14,7 +15,6 @@ "type": "platform" }, "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, @@ -35,7 +35,7 @@ }, "testRunner": "xunit", "compile": "../common/**/*.cs", - "compilationOptions": { + "buildOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index c21da3d77e..dca0f8c3af 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "dotnet-test-xunit": "1.0.0-*", "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Extensions": "1.0.0-*", @@ -18,7 +19,6 @@ "type": "platform" }, "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, @@ -38,7 +38,7 @@ } }, "testRunner": "xunit", - "compilationOptions": { + "buildOptions": { "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index d9b0c56857..78bc5b2c7d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json 
@@ -1,5 +1,6 @@ { "dependencies": { + "dotnet-test-xunit": "1.0.0-*", "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.DataProtection": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { @@ -18,7 +19,6 @@ "type": "platform" }, "moq.netcore": "4.4.0-beta8", - "dotnet-test-xunit": "1.0.0-*", "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, @@ -37,7 +37,7 @@ } }, "testRunner": "xunit", - "compilationOptions": { + "buildOptions": { "allowUnsafe": true, "warningsAsErrors": true, "keyFile": "../../tools/Key.snk" From f0ddc81e07363e0dc4679344a7528cfea2457a8a Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Wed, 4 May 2016 09:30:27 -0700 Subject: [PATCH 257/493] Fix DataProtection after build globbing changes will go in --- makefile.shade | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/makefile.shade b/makefile.shade index e41996d498..4d60e2fd1f 100644 --- a/makefile.shade +++ b/makefile.shade 
@@ -11,27 +11,27 @@ var Configuration_Local = '${E("Configuration")}' default BASE_DIR_LOCAL='${Directory.GetCurrentDirectory()}' default TARGET_DIR_LOCAL='${Path.Combine(BASE_DIR_LOCAL, "artifacts")}' default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' +default SRC_PROJECT_GLOB_LOCAL="src/*/project.json" +default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" -#build-compile target='compile' if='Directory.Exists("src")' +#build-compile target='compile' @{ - Directory.CreateDirectory(TARGET_DIR_LOCAL); string commitHash = null; if (AddAssemblyInfo) { - var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); - GitCommand("rev-parse HEAD >> " + commitHashFile); - commitHash = File.ReadAllLines(commitHashFile)[0]; + var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); + GitCommand("rev-parse HEAD >> " + commitHashFile); + commitHash = File.ReadAllLines(commitHashFile)[0]; } - var projectFiles = Files.Include("src/*/project.json").ToList(); + var srcProjects = Files.Include(SRC_PROJECT_GLOB_LOCAL).ToList(); if (IsLinux) { - projectFiles.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); + srcProjects.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); } - - projectFiles.ForEach(projectFile => + srcProjects.ForEach(projectFile => { if (AddAssemblyInfo) { 
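Review bot: `GitCommand("rev-parse HEAD >> " + commitHashFile)` appends to the `commit` file under the artifacts directory, while the next line reads `File.ReadAllLines(commitHashFile)[0]`, so when that file survives from an earlier build the first line is the old hash. That stale value is then what gets written into the `CommitHash` assembly metadata in the following hunk, which means the shipped assembly can name a commit it was not built from. The two lines are only re-indented here, but they are on the new side, and the same pair appears again in the revert and in the re-applied version of this change further down the series. Truncating instead of appending avoids it: `GitCommand("rev-parse HEAD > " + commitHashFile);`, assuming the helper passes redirection through the way it already does for `>>`. The `#build-compile` block continues past this hunk.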
@@ -39,24 +39,24 @@ default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' var project = (JsonObject)Json.Deserialize(projectText); var isSharedProject = project.Keys.Contains("shared"); - // We don't want to embed the commit hash in it because + // We don't want to embed the commit hash in it because // the consumers would get that file if (!isSharedProject) { - Console.WriteLine("Embedding commit hash in assembly"); - var projectFolder = Path.GetDirectoryName(projectFile); - var commitHashAttribute = String.Format("[assembly: System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); + Console.WriteLine("Embedding commit hash in assembly"); + var projectFolder = Path.GetDirectoryName(projectFile); + var commitHashAttribute = String.Format("[assembly: System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); - var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); - File.WriteAllText(buildInfoFile, commitHashAttribute); + var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); + File.WriteAllText(buildInfoFile, commitHashAttribute); } } - - DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local); + DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local, " --no-build"); }); + DotnetBuild(TEST_PROJECT_GLOB_LOCAL, Configuration_Local, BuildFramework); foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR_LOCAL, "*/" + Configuration_Local + "/*.nupkg"))) { File.Copy(nupkg, Path.Combine(BUILD_DIR_LOCAL, Path.GetFileName(nupkg)), true); } - } + } \ No newline at end of file From 95d86a3070792f1d9ce90942217e576b7dbfe553 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Wed, 4 May 2016 12:20:59 -0700 Subject: [PATCH 258/493] Fix issue with build script producing empty packages --- makefile.shade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefile.shade b/makefile.shade index 4d60e2fd1f..d188794bba 100644 --- a/makefile.shade +++ b/makefile.shade 
@@ -51,7 +51,7 @@ default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" File.WriteAllText(buildInfoFile, commitHashAttribute); } } - DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local, " --no-build"); + DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local, ""); }); DotnetBuild(TEST_PROJECT_GLOB_LOCAL, Configuration_Local, BuildFramework); From 0216221e50f7235231276e490143e0f080de8233 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 5 May 2016 07:14:25 -0700 Subject: [PATCH 259/493] Revert "Fix DataProtection after build globbing changes will go in" This reverts commit f0ddc81e07363e0dc4679344a7528cfea2457a8a. --- makefile.shade | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/makefile.shade b/makefile.shade index d188794bba..e41996d498 100644 --- a/makefile.shade +++ b/makefile.shade 
@@ -11,27 +11,27 @@ var Configuration_Local = '${E("Configuration")}' default BASE_DIR_LOCAL='${Directory.GetCurrentDirectory()}' default TARGET_DIR_LOCAL='${Path.Combine(BASE_DIR_LOCAL, "artifacts")}' default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' -default SRC_PROJECT_GLOB_LOCAL="src/*/project.json" -default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" -#build-compile target='compile' +#build-compile target='compile' if='Directory.Exists("src")' @{ + Directory.CreateDirectory(TARGET_DIR_LOCAL); string commitHash = null; if (AddAssemblyInfo) { - var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); - GitCommand("rev-parse HEAD >> " + commitHashFile); - commitHash = File.ReadAllLines(commitHashFile)[0]; + var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); + GitCommand("rev-parse HEAD >> " + commitHashFile); + commitHash = File.ReadAllLines(commitHashFile)[0]; } - var srcProjects = Files.Include(SRC_PROJECT_GLOB_LOCAL).ToList(); + var projectFiles = Files.Include("src/*/project.json").ToList(); if (IsLinux) { - srcProjects.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); + projectFiles.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); } - srcProjects.ForEach(projectFile => + + projectFiles.ForEach(projectFile => { if (AddAssemblyInfo) { 
@@ -39,24 +39,24 @@ default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" var project = (JsonObject)Json.Deserialize(projectText); var isSharedProject = project.Keys.Contains("shared"); - // We don't want to embed the commit hash in it because + // We don't want to embed the commit hash in it because // the consumers would get that file if (!isSharedProject) { - Console.WriteLine("Embedding commit hash in assembly"); - var projectFolder = Path.GetDirectoryName(projectFile); - var commitHashAttribute = String.Format("[assembly: System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); + Console.WriteLine("Embedding commit hash in assembly"); + var projectFolder = Path.GetDirectoryName(projectFile); + var commitHashAttribute = String.Format("[assembly: System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); - var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); - File.WriteAllText(buildInfoFile, commitHashAttribute); + var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); + File.WriteAllText(buildInfoFile, commitHashAttribute); } } - DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local, ""); + + DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local); }); - DotnetBuild(TEST_PROJECT_GLOB_LOCAL, Configuration_Local, BuildFramework); foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR_LOCAL, "*/" + Configuration_Local + "/*.nupkg"))) { File.Copy(nupkg, Path.Combine(BUILD_DIR_LOCAL, Path.GetFileName(nupkg)), true); } - } \ No newline at end of file + } From b7be616f83d909c27a42128918bc74f350dd2e1b Mon Sep 17 00:00:00 2001 From: John Luo Date: Tue, 17 May 2016 15:45:07 -0700 Subject: [PATCH 260/493] React to updated CoreCLR packages https://github.com/aspnet/Coherence/issues/97 --- .../project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index 5379778b82..c6c580da0b 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -19,7 +19,7 @@ "netstandard1.3": { "dependencies": { "System.Runtime.Extensions": "4.1.0-*", - "System.Security.Cryptography.Algorithms": "4.1.0-*", + "System.Security.Cryptography.Algorithms": "4.2.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" } } From 297c5d3ac0b269e65d280ac1b73c8e4da1dd7be6 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 18 May 2016 09:44:03 -0700 Subject: [PATCH 261/493] Revert "React to updated CoreCLR packages" This reverts commit b7be616f83d909c27a42128918bc74f350dd2e1b. --- .../project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index c6c580da0b..5379778b82 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -19,7 +19,7 @@ "netstandard1.3": { "dependencies": { "System.Runtime.Extensions": "4.1.0-*", - "System.Security.Cryptography.Algorithms": "4.2.0-*", + "System.Security.Cryptography.Algorithms": "4.1.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" } } From e8faec59f001a93fea0776924dfd69305885527d Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 18 May 2016 19:09:57 -0700 Subject: [PATCH 262/493] Fixing schema change warnings --- .../project.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 8c0e4f1af1..961287ce99 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -34,9 +34,11 @@ } }, "testRunner": "xunit", - "compile": "../common/**/*.cs", "buildOptions": { "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "compile": { + "include": "../common/**/*.cs" + } } } \ No newline at end of file From a4118e75aa89c2d502fafcde9cfdc01b2511c8a6 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Tue, 24 May 2016 15:33:28 -0700 Subject: [PATCH 263/493] Fix DataProtection after build globbing changes will go in --- makefile.shade | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/makefile.shade b/makefile.shade index e41996d498..d188794bba 100644 --- a/makefile.shade +++ b/makefile.shade 
@@ -11,27 +11,27 @@ var Configuration_Local = '${E("Configuration")}' default BASE_DIR_LOCAL='${Directory.GetCurrentDirectory()}' default TARGET_DIR_LOCAL='${Path.Combine(BASE_DIR_LOCAL, "artifacts")}' default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' +default SRC_PROJECT_GLOB_LOCAL="src/*/project.json" +default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" -#build-compile target='compile' if='Directory.Exists("src")' +#build-compile target='compile' @{ - Directory.CreateDirectory(TARGET_DIR_LOCAL); string commitHash = null; if (AddAssemblyInfo) { - var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); - GitCommand("rev-parse HEAD >> " + commitHashFile); - commitHash = File.ReadAllLines(commitHashFile)[0]; + var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); + GitCommand("rev-parse HEAD >> " + commitHashFile); + commitHash = File.ReadAllLines(commitHashFile)[0]; } - var projectFiles = Files.Include("src/*/project.json").ToList(); + var srcProjects = Files.Include(SRC_PROJECT_GLOB_LOCAL).ToList(); if (IsLinux) { - projectFiles.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); + srcProjects.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); } - - projectFiles.ForEach(projectFile => + srcProjects.ForEach(projectFile => { if (AddAssemblyInfo) { 
@@ -39,24 +39,24 @@ default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' var project = (JsonObject)Json.Deserialize(projectText); var isSharedProject = project.Keys.Contains("shared"); - // We don't want to embed the commit hash in it because + // We don't want to embed the commit hash in it because // the consumers would get that file if (!isSharedProject) { - Console.WriteLine("Embedding commit hash in assembly"); - var projectFolder = Path.GetDirectoryName(projectFile); - var commitHashAttribute = String.Format("[assembly: System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); + Console.WriteLine("Embedding commit hash in assembly"); + var projectFolder = Path.GetDirectoryName(projectFile); + var commitHashAttribute = String.Format("[assembly: System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); - var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); - File.WriteAllText(buildInfoFile, commitHashAttribute); + var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); + File.WriteAllText(buildInfoFile, commitHashAttribute); } } - - DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local); + DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local, ""); }); + DotnetBuild(TEST_PROJECT_GLOB_LOCAL, Configuration_Local, BuildFramework); foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR_LOCAL, "*/" + Configuration_Local + "/*.nupkg"))) { File.Copy(nupkg, Path.Combine(BUILD_DIR_LOCAL, Path.GetFileName(nupkg)), true); } - } + } \ No newline at end of file From d45cfd872faadab65f7b1efda700a10c1a6f3aba Mon Sep 17 00:00:00 2001 From: Cesar Blum Silveira Date: Wed, 25 May 2016 21:07:54 -0700 Subject: [PATCH 264/493] Don't break the CI. --- makefile.shade | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/makefile.shade b/makefile.shade index d188794bba..a9def6f11d 100644 --- a/makefile.shade +++ b/makefile.shade 
@@ -14,7 +14,8 @@ default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' default SRC_PROJECT_GLOB_LOCAL="src/*/project.json" default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" -#build-compile target='compile' +// Don't remove the if clause - removing it will break the CI test runs. +#build-compile target='compile' if='Directory.Exists("src")' @{ Directory.CreateDirectory(TARGET_DIR_LOCAL); From d1bacbf41ea35593ff1ee1f49a52286e7a3bce1b Mon Sep 17 00:00:00 2001 From: Cesar Blum Silveira Date: Wed, 25 May 2016 21:27:49 -0700 Subject: [PATCH 265/493] Fix makefile. --- makefile.shade | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/makefile.shade b/makefile.shade index a9def6f11d..2db83b1923 100644 --- a/makefile.shade +++ b/makefile.shade @@ -14,9 +14,10 @@ default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' default SRC_PROJECT_GLOB_LOCAL="src/*/project.json" default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" -// Don't remove the if clause - removing it will break the CI test runs. #build-compile target='compile' if='Directory.Exists("src")' @{ + // Don't remove the if clause in the target above - removing it will break CI test runs. + Directory.CreateDirectory(TARGET_DIR_LOCAL); string commitHash = null; From cc9873ae6c71fc613851e9999b50edeec5dc9e3e Mon Sep 17 00:00:00 2001 
From: "N. Taylor Mullen" Date: Thu, 26 May 2016 10:31:13 -0700 Subject: [PATCH 266/493] Unique-ify extension types to not be ambiguous. - Also updated test class names to reflect new extension naming. #148 --- ...tectionExtensions.cs => DataProtectionCommonExtensions.cs} | 2 +- ...ctionExtensions.cs => DataProtectionAdvancedExtensions.cs} | 2 +- ...ectionExtensions.cs => DataProtectionUtilityExtensions.cs} | 2 +- ...ensionsTests.cs => DataProtectionCommonExtensionsTests.cs} | 4 ++-- ...sionsTests.cs => DataProtectionAdvancedExtensionsTests.cs} | 2 +- ...nsionsTests.cs => DataProtectionUtilityExtensionsTests.cs} | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) rename src/Microsoft.AspNetCore.DataProtection.Abstractions/{DataProtectionExtensions.cs => DataProtectionCommonExtensions.cs} (99%) rename src/Microsoft.AspNetCore.DataProtection.Extensions/{DataProtectionExtensions.cs => DataProtectionAdvancedExtensions.cs} (99%) rename src/Microsoft.AspNetCore.DataProtection/{DataProtectionExtensions.cs => DataProtectionUtilityExtensions.cs} (97%) rename test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/{DataProtectionExtensionsTests.cs => DataProtectionCommonExtensionsTests.cs} (98%) rename test/Microsoft.AspNetCore.DataProtection.Extensions.Test/{DataProtectionExtensionsTests.cs => DataProtectionAdvancedExtensionsTests.cs} (98%) rename test/Microsoft.AspNetCore.DataProtection.Test/{DataProtectionExtensionsTests.cs => DataProtectionUtilityExtensionsTests.cs} (97%) diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs similarity index 99% rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs rename to src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs index 78c72193e2..97b1377abe 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// Helpful extension methods for data protection APIs. /// - public static class DataProtectionExtensions + public static class DataProtectionCommonExtensions { /// /// Creates an given a list of purposes. diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs similarity index 99% rename from src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs rename to src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs index 0529a1c15a..cb452164df 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs @@ -5,7 +5,7 @@ using System; namespace Microsoft.AspNetCore.DataProtection { - public static class DataProtectionExtensions + public static class DataProtectionAdvancedExtensions { /// /// Cryptographically protects a piece of plaintext data, expiring the data after diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs similarity index 97% rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionExtensions.cs rename to src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs index 2624a5220e..0b72c11864 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs 
@@ -9,7 +9,7 @@ using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection { - public static class DataProtectionExtensions + public static class DataProtectionUtilityExtensions { /// /// Returns a unique identifier for this application. diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs similarity index 98% rename from test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs rename to test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs index dba42bc903..c6eee2eddc 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs @@ -12,7 +12,7 @@ using Xunit; namespace Microsoft.AspNetCore.DataProtection { - public class DataProtectionExtensionsTests + public class DataProtectionCommonExtensionsTests { [Theory] [InlineData(new object[] { new string[0] })] @@ -304,7 +304,7 @@ namespace Microsoft.AspNetCore.DataProtection mockProtector.Setup(p => p.Unprotect(new byte[] { 0x01, 0x02, 0x03, 0x04, 0x05 })).Returns(new byte[] { 0x48, 0x65, 0x6c, 0x6c, 0x6f }); // Act - string retVal = DataProtectionExtensions.Unprotect(mockProtector.Object, "AQIDBAU"); + string retVal = DataProtectionCommonExtensions.Unprotect(mockProtector.Object, "AQIDBAU"); // Assert Assert.Equal("Hello", retVal); 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs similarity index 98% rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs rename to test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs index b4eafed6fe..11fa056a4b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs @@ -9,7 +9,7 @@ using Xunit; namespace Microsoft.AspNetCore.DataProtection { - public class DataProtectionExtensionsTests + public class DataProtectionAdvancedExtensionsTests { private const string SampleEncodedString = "AQI"; // = WebEncoders.Base64UrlEncode({ 0x01, 0x02 }) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs similarity index 97% rename from test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionExtensionsTests.cs rename to test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs index 364d37ccac..8e2cbd71d9 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs @@ -9,7 +9,7 @@ using Xunit; namespace Microsoft.AspNetCore.DataProtection { - public class DataProtectionExtensionsTests + public class DataProtectionUtilityExtensionsTests { [Theory] [InlineData(" discriminator", "app-path ", "discriminator")] // normalized trim From 5095594cd3029b3ca9de91c5ee6481547966823b Mon Sep 17 00:00:00 2001 
From: John Luo Date: Thu, 26 May 2016 18:26:02 -0700 Subject: [PATCH 267/493] React to updated CoreCLR packages https://github.com/aspnet/Coherence/issues/97 --- .../project.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index 5379778b82..c6c580da0b 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -19,7 +19,7 @@ "netstandard1.3": { "dependencies": { "System.Runtime.Extensions": "4.1.0-*", - "System.Security.Cryptography.Algorithms": "4.1.0-*", + "System.Security.Cryptography.Algorithms": "4.2.0-*", "System.Text.Encoding.Extensions": "4.0.11-*" } } From 20a365b778393d2b4c8124cfb42e6792ffcae981 Mon Sep 17 00:00:00 2001 From: Cesar Blum Silveira Date: Fri, 27 May 2016 11:37:15 -0700 Subject: [PATCH 268/493] Fix OSX build on Travis. --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index 6ca11de268..1d38d49d13 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,6 +22,8 @@ branches: - release - dev - /^(.*\/)?ci-.*$/ +before_install: + - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; brew link --force openssl; fi script: - ./build.sh verify notifications: From acb8732ffd515df0ab36d422950b93156b291a43 Mon Sep 17 00:00:00 2001 From: BrennanConroy Date: Fri, 27 May 2016 13:43:32 -0700 Subject: [PATCH 269/493] Replace PlatformAbstractions with RuntimeInformation --- .../RegistryPolicyResolverTests.cs | 4 ++-- .../Repositories/RegistryXmlRepositoryTests.cs | 4 ++-- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 1 + 3 files changed, 5 insertions(+), 4 deletions(-) 
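Review bot: In the `before_install` step added to .travis.yml the three brew commands are joined with `;`, so the step's exit status is only that of `brew link --force openssl`. A failed `brew update` or `brew install openssl` can therefore go unnoticed, and the OS X build may then link against whatever OpenSSL was already on the image. Chain them with `&&` instead: `- if test "$TRAVIS_OS_NAME" == "osx"; then brew update && brew install openssl && brew link --force openssl; fi`. A one-line comment saying why OpenSSL has to be force-linked would also help the next maintainer.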
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs index 667f443e14..1bf706dda2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -4,6 +4,7 @@ using System; using System.Collections.Generic; using System.Linq; +using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Xml.Linq; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; @@ -13,7 +14,6 @@ using Microsoft.AspNetCore.Testing.xunit; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Extensions.Options; -using Microsoft.Extensions.PlatformAbstractions; using Microsoft.Win32; using Xunit; @@ -260,7 +260,7 @@ namespace Microsoft.AspNetCore.DataProtection private class ConditionalRunTestOnlyIfHkcuRegistryAvailable : Attribute, ITestCondition { - public bool IsMet => (PlatformServices.Default.Runtime.OperatingSystem == "Windows" && LazyHkcuTempKey.Value != null); + public bool IsMet => (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && LazyHkcuTempKey.Value != null); public string SkipReason { get; } = "HKCU registry couldn't be opened."; } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs index e7d7e62a86..92c16a782c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs 
@@ -3,9 +3,9 @@ using System; using System.Linq; +using System.Runtime.InteropServices; using System.Xml.Linq; using Microsoft.AspNetCore.Testing.xunit; -using Microsoft.Extensions.PlatformAbstractions; using Microsoft.Win32; using Xunit; @@ -159,7 +159,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private class ConditionalRunTestOnlyIfHkcuRegistryAvailable : Attribute, ITestCondition { - public bool IsMet => (PlatformServices.Default.Runtime.OperatingSystem == "Windows" && LazyHkcuTempKey.Value != null); + public bool IsMet => (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && LazyHkcuTempKey.Value != null); public string SkipReason { get; } = "HKCU registry couldn't be opened."; } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 78bc5b2c7d..d7e723dcce 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -1,5 +1,6 @@ { "dependencies": { + "System.Runtime.InteropServices.RuntimeInformation": "4.0.0-*", "dotnet-test-xunit": "1.0.0-*", "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.DataProtection": "1.0.0-*", From 47d3ffdddce7bb87b4e5614bc04427d1148b505e Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Thu, 2 Jun 2016 10:00:09 -0700 Subject: [PATCH 270/493] Add activator fallback to support rc1 keys --- .../ActivatorExtensions.cs | 48 ---------------- ...taProtectionServiceCollectionExtensions.cs | 1 + .../RC1ForwardingActivator.cs | 42 ++++++++++++++ .../SimpleActivator.cs | 56 +++++++++++++++++++ .../RC1ForwardingActivatorTests.cs | 49 ++++++++++++++++ 5 files changed, 148 insertions(+), 48 deletions(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs diff --git a/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs index 3f1000ae2f..a485958fc9 100644 --- a/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Reflection; using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.Extensions.DependencyInjection; 
@@ -40,52 +39,5 @@ namespace Microsoft.AspNetCore.DataProtection ? (serviceProvider.GetService() ?? new SimpleActivator(serviceProvider)) : SimpleActivator.DefaultWithoutServices; } - - /// - /// A simplified default implementation of that understands - /// how to call ctors which take . - /// - private sealed class SimpleActivator : IActivator - { - /// - /// A default whose wrapped is null. - /// - internal static readonly SimpleActivator DefaultWithoutServices = new SimpleActivator(null); - - private readonly IServiceProvider _services; - - public SimpleActivator(IServiceProvider services) - { - _services = services; - } - - public object CreateInstance(Type expectedBaseType, string implementationTypeName) - { - // Would the assignment even work? - var implementationType = Type.GetType(implementationTypeName, throwOnError: true); - expectedBaseType.AssertIsAssignableFrom(implementationType); - - // If no IServiceProvider was specified, prefer .ctor() [if it exists] - if (_services == null) - { - var ctorParameterless = implementationType.GetConstructor(Type.EmptyTypes); - if (ctorParameterless != null) - { - return Activator.CreateInstance(implementationType); - } - } - - // If an IServiceProvider was specified or if .ctor() doesn't exist, prefer .ctor(IServiceProvider) [if it exists] - var ctorWhichTakesServiceProvider = implementationType.GetConstructor(new Type[] { typeof(IServiceProvider) }); - if (ctorWhichTakesServiceProvider != null) - { - return ctorWhichTakesServiceProvider.Invoke(new[] { _services }); - } - - // Finally, prefer .ctor() as an ultimate fallback. - // This will throw if the ctor cannot be called. - return Activator.CreateInstance(implementationType); - } - } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 2f8a3ea225..36b4eabe98 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -24,6 +24,7 @@ namespace Microsoft.Extensions.DependencyInjection throw new ArgumentNullException(nameof(services)); } + services.AddSingleton(); services.AddOptions(); services.TryAdd(DataProtectionServices.GetDefaultServices()); diff --git a/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs b/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs new file mode 100644 index 0000000000..10c936b6ba --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs 
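Review bot: The registration added at the top of this method in DataProtectionServiceCollectionExtensions.cs uses `AddSingleton`, while the defaults on the following lines go through `services.TryAdd(...)`. The generic arguments are not visible in this rendering, but if this line registers the forwarding activator as the activator service, it is appended after any activator the application registered earlier. Assuming the container resolves the last registration, it would silently replace that one, and calling the method twice would add it twice. Registering it through the `TryAdd` family, as the defaults are, would keep an application-supplied activator in control of which types get instantiated. The method body starts and ends outside the hunk.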
@@ -0,0 +1,42 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.DataProtection
+{
+ internal class RC1ForwardingActivator: SimpleActivator
+ {
+ private const string From = "Microsoft.AspNet.DataProtection";
+ private const string To = "Microsoft.AspNetCore.DataProtection";
+ private readonly ILogger _logger;
+
+ public RC1ForwardingActivator(IServiceProvider services) : this(services, null)
+ {
+ }
+
+ public RC1ForwardingActivator(IServiceProvider services, ILoggerFactory loggerFactory) : base(services)
+ {
+ _logger = loggerFactory?.CreateLogger(typeof(RC1ForwardingActivator));
+ }
+
+ public override object CreateInstance(Type expectedBaseType, string implementationTypeName)
+ {
+ if (implementationTypeName.Contains(From))
+ {
+ var forwardedImplementationTypeName = implementationTypeName.Replace(From, To);
+ var type = Type.GetType(forwardedImplementationTypeName, false);
+ if (type != null)
+ {
+ _logger?.LogDebug("Forwarded activator type request from {FromType} to {ToType}",
+ implementationTypeName,
+ forwardedImplementationTypeName);
+
+ implementationTypeName = forwardedImplementationTypeName;
+ }
+ }
+ return base.CreateInstance(expectedBaseType, implementationTypeName);
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs b/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
new file mode 100644
index 0000000000..54eac601bb
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
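Review bot: `CreateInstance` in RC1ForwardingActivator.cs rewrites the type name with an unanchored `Contains(From)` / `Replace(From, To)`, so any name that merely contains the RC1 text (in a different root namespace, in a generic argument, or only in the assembly part) is rewritten too, with every occurrence replaced at once. Since the commit subject says these names come from stored RC1 keys, the rewrite should be as narrow as the compatibility case needs. Assuming RC1 entries always name types in that namespace, gate it on the prefix, `if (implementationTypeName.StartsWith(From + ".", StringComparison.Ordinal))`, and add a test for a name that contains the text but must not be forwarded. A null `implementationTypeName` now fails with a NullReferenceException at the `Contains` call before the base class sees it; an explicit `ArgumentNullException` guard would be clearer. The class also has no doc comment saying why the forwarding exists and when it can be removed.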
@@ -0,0 +1,56 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Reflection;
+using Microsoft.AspNetCore.DataProtection.Internal;
+
+namespace Microsoft.AspNetCore.DataProtection
+{
+ ///
+ /// A simplified default implementation of that understands
+ /// how to call ctors which take .
+ ///
+ internal class SimpleActivator : IActivator
+ {
+ ///
+ /// A default whose wrapped is null.
+ ///
+ internal static readonly SimpleActivator DefaultWithoutServices = new SimpleActivator(null);
+
+ private readonly IServiceProvider _services;
+
+ public SimpleActivator(IServiceProvider services)
+ {
+ _services = services;
+ }
+
+ public virtual object CreateInstance(Type expectedBaseType, string implementationTypeName)
+ {
+ // Would the assignment even work?
+ var implementationType = Type.GetType(implementationTypeName, throwOnError: true);
+ expectedBaseType.AssertIsAssignableFrom(implementationType);
+
+ // If no IServiceProvider was specified, prefer .ctor() [if it exists]
+ if (_services == null)
+ {
+ var ctorParameterless = implementationType.GetConstructor(Type.EmptyTypes);
+ if (ctorParameterless != null)
+ {
+ return Activator.CreateInstance(implementationType);
+ }
+ }
+
+ // If an IServiceProvider was specified or if .ctor() doesn't exist, prefer .ctor(IServiceProvider) [if it exists]
+ var ctorWhichTakesServiceProvider = implementationType.GetConstructor(new Type[] { typeof(IServiceProvider) });
+ if (ctorWhichTakesServiceProvider != null)
+ {
+ return ctorWhichTakesServiceProvider.Invoke(new[] { _services });
+ }
+
+ // Finally, prefer .ctor() as an ultimate fallback.
+ // This will throw if the ctor cannot be called.
+ return Activator.CreateInstance(implementationType);
+ }
+ }
+}
\ No newline at end of file
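Review bot: `CreateInstance` in SimpleActivator.cs resolves whatever assembly-qualified name it is given with `Type.GetType(implementationTypeName, throwOnError: true)` and only then checks the result against `expectedBaseType`. The assignability check therefore limits what gets constructed, but not what gets resolved. The body is moved unchanged, but the method is now `virtual` and a subclass in this commit rewrites the name before calling it, so the contract deserves to be written down. Add a `param` doc entry on `implementationTypeName` stating that the name must come from trusted configuration or key storage and never from request data, and a `remarks` entry listing the constructor preference order that the inline comments describe. An `exception` entry for the failure raised when the type cannot be found or is not assignable would complete it.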
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs new file mode 100644 index 0000000000..d0f01533b7 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs @@ -0,0 +1,49 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Extensions.DependencyInjection; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection +{ + public class RC1ForwardingActivatorTests + { + [Fact] + public void CreateInstance_ForwardsToNewNamespaceIfExists() + { + // Arrange + var serviceCollection = new ServiceCollection(); + serviceCollection.AddDataProtection(); + var services = serviceCollection.BuildServiceProvider(); + var activator = services.GetActivator(); + + // Act + var name = "Microsoft.AspNet.DataProtection.RC1ForwardingActivatorTests+ClassWithParameterlessCtor, Microsoft.AspNet.DataProtection.Test"; + var instance = activator.CreateInstance(name); + + // Assert + Assert.IsType(instance); + } + + [Fact] + public void CreateInstance_DoesNotForwardIfClassDoesNotExist() + { + // Arrange + var serviceCollection = new ServiceCollection(); + serviceCollection.AddDataProtection(); + var services = serviceCollection.BuildServiceProvider(); + var activator = services.GetActivator(); + + // Act & Assert + var name = "Microsoft.AspNet.DataProtection.RC1ForwardingActivatorTests+NonExistentClassWithParameterlessCtor, Microsoft.AspNet.DataProtection.Test"; + var exception = Assert.ThrowsAny(()=> activator.CreateInstance(name)); + + Assert.Contains("Microsoft.AspNet.DataProtection.Test", exception.Message); + } + + private class ClassWithParameterlessCtor + { + } + } +} \ No newline at end of file From b8b0d3894c5536e8c2d62230def43073e5ebfcb8 Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Thu, 9 Jun 2016 14:54:03 -0700 Subject: [PATCH 271/493] Try disabling running tests in parallel to fix DataProtectionProviderTests.System_UsesProvidedDirectoryAndCertificate failures --- .../Properties/AssemblyInfo.cs | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..a613784a32 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs @@ -0,0 +1,8 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Xunit; + +// Workaround for DataProtectionProviderTests.System_UsesProvidedDirectoryAndCertificate +// https://github.com/aspnet/DataProtection/issues/160 +[assembly: CollectionBehavior(CollectionBehavior.CollectionPerAssembly)] \ No newline at end of file From ed4862dc4011167cea98bfe3b114ee73a56cc89f Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Mon, 13 Jun 2016 15:28:27 -0700 Subject: [PATCH 272/493] Remove direct Microsoft.NETCore.Platforms dependency. - Microsoft.NETCore.App now pulls this package in. aspnet/Coherence-Signed#344 --- .../Microsoft.AspNetCore.Cryptography.Internal.Test/project.json | 1 - .../project.json | 1 - .../project.json | 1 - .../project.json | 1 - test/Microsoft.AspNetCore.DataProtection.Test/project.json | 1 - 5 files changed, 5 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 5c89cd3072..5bd7909cd3 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json 
+++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -1,7 +1,6 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 8437396cb8..424d2c1e21 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -1,7 +1,6 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 961287ce99..9f57390253 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -1,7 +1,6 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.0.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index dca0f8c3af..15d6f39371 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json 
@@ -1,7 +1,6 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Extensions": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index d7e723dcce..b6dd0842f7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -2,7 +2,6 @@ "dependencies": { "System.Runtime.InteropServices.RuntimeInformation": "4.0.0-*", "dotnet-test-xunit": "1.0.0-*", - "Microsoft.NETCore.Platforms": "1.0.1-*", "Microsoft.AspNetCore.DataProtection": "1.0.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", From 13620507c9de12d3141f04113ff59af09a46d3b4 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 14 Jun 2016 16:22:21 -0700 Subject: [PATCH 273/493] Updating to release. --- NuGet.config | 2 +- build.ps1 | 2 +- build.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/NuGet.config b/NuGet.config index 1707938c61..9db87a421e 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + \ No newline at end of file diff --git a/build.ps1 b/build.ps1 index 8f2f99691a..cf8bff13bb 100644 --- a/build.ps1 +++ b/build.ps1 @@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/release.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index f4208100eb..f88fe4052e 100755 --- a/build.sh +++ b/build.sh 
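Review bot: The new `$koreBuildZip` value in build.ps1 still points at a branch archive (`.../archive/release.zip`), which is a moving target: whatever is on that branch at build time is what the script fetches, and the `KOREBUILD_ZIP` environment variable can redirect it to any URL. The download and execution steps are outside this hunk, so the following is inferred. If the archive is unpacked and run as the build, pinning it to a tag or commit archive and comparing a recorded SHA-256 before extraction would make release builds reproducible and tamper-evident. The same applies to the `koreBuildZip` line in build.sh in this commit. At minimum, a comment next to the override, such as `# KOREBUILD_ZIP is for local testing only; CI must not set it`, would document the trust assumption.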
@@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/release.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi From 69fa8215220efdead2201718b73587443b3d28cf Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 16 Jun 2016 10:17:40 -0700 Subject: [PATCH 274/493] Updating to dev versions --- .../project.json | 2 +- .../project.json | 4 ++-- .../project.json | 4 ++-- .../project.json | 8 ++++---- .../project.json | 2 +- .../project.json | 6 +++--- .../project.json | 16 ++++++++-------- .../project.json | 4 ++-- .../project.json | 6 +++--- .../project.json | 6 +++--- .../project.json | 6 +++--- .../project.json | 6 +++--- 12 files changed, 35 insertions(+), 35 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index 933534b542..d8c2e9a180 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly.", "packOptions": { "repository": { diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index c6c580da0b..d4ef1fdd5a 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "ASP.NET Core utilities for key derivation.", "packOptions": { "repository": { 
@@ -12,7 +12,7 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*" + "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 994d8b9ab8..b5e4591fd8 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "ASP.NET Core data protection abstractions.\r\nCommonly used types:\r\nMicrosoft.AspNetCore.DataProtection.IDataProtectionProvider\r\nMicrosoft.AspNetCore.DataProtection.IDataProtector", "packOptions": { "repository": { @@ -14,7 +14,7 @@ "dependencies": { "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "1.0.0-*" + "version": "1.1.0-*" } }, "frameworks": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index 8c5d11472b..8df076b1a2 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "Additional APIs for ASP.NET Core data protection.", "packOptions": { "repository": { @@ -12,12 +12,12 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "1.0.0-*" + "version": "1.1.0-*" }, - "Microsoft.Extensions.DependencyInjection": "1.0.0-*" + "Microsoft.Extensions.DependencyInjection": "1.1.0-*" }, "frameworks": { "net451": {}, 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index cdb516ffad..13438d9650 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "ASP.NET Core data protection shared code.", "packOptions": { "repository": { diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json index 7c9efdf9cc..8ebdf3740a 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x element.", "packOptions": { "repository": { @@ -20,8 +20,8 @@ "frameworks": { "net451": { "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.0.0-*", - "Microsoft.Extensions.DependencyInjection": "1.0.0-*" + "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection": "1.1.0-*" }, "frameworkAssemblies": { "System.Configuration": "4.0.0.0", diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index bb7cc6e09e..138e50b5d8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "ASP.NET Core logic to protect and unprotect data, similar to DPAPI.", "packOptions": { "repository": { 
@@ -12,16 +12,16 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "1.0.0-*" + "version": "1.1.0-*" }, - "Microsoft.AspNetCore.Hosting.Abstractions": "1.0.0-*", - "Microsoft.Extensions.DependencyInjection.Abstractions": "1.0.0-*", - "Microsoft.Extensions.Logging.Abstractions": "1.0.0-*", - "Microsoft.Extensions.Options": "1.0.0-*" + "Microsoft.AspNetCore.Hosting.Abstractions": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection.Abstractions": "1.1.0-*", + "Microsoft.Extensions.Logging.Abstractions": "1.1.0-*", + "Microsoft.Extensions.Options": "1.1.0-*" }, "frameworks": { "net451": { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 5bd7909cd3..72f189dd08 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -1,12 +1,12 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.1.0-*", "xunit": "2.1.0" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 424d2c1e21..71bdf8e127 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json 
@@ -1,10 +1,10 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.0.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", + "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", - "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.1.0-*", "xunit": "2.1.0" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 9f57390253..50cb652ae0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -1,9 +1,9 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.0.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.1.0-*", "xunit": "2.1.0" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 15d6f39371..304748b77d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json 
@@ -1,13 +1,13 @@ { "dependencies": { "dotnet-test-xunit": "1.0.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.0.0-*", - "Microsoft.AspNetCore.DataProtection.Extensions": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Extensions": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.AspNetCore.Testing": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.1.0-*", "xunit": "2.1.0" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index b6dd0842f7..8891a88599 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -2,13 +2,13 @@ "dependencies": { "System.Runtime.InteropServices.RuntimeInformation": "4.0.0-*", "dotnet-test-xunit": "1.0.0-*", - "Microsoft.AspNetCore.DataProtection": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.AspNetCore.Testing": "1.0.0-*", - "Microsoft.Extensions.DependencyInjection": "1.0.0-*", + "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "xunit": "2.1.0" }, "frameworks": { From 12c0f10147c0edaaf51f9b886972c5abb778c66c Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 29 Jun 2016 16:04:56 -0700 Subject: [PATCH 275/493] Updating to RTM builds of dotnet-test-xunit and Moq --- .../project.json | 7 +++--- .../project.json | 20 +++++------------ .../project.json | 22 +++++-------------- .../project.json | 22 +++++-------------- .../project.json | 5 +---- .../project.json | 21 +++++------------- 6 files changed, 24 insertions(+), 73 deletions(-) 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 72f189dd08..bebcb11214 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -1,13 +1,13 @@ { "dependencies": { - "dotnet-test-xunit": "1.0.0-*", + "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.1.0-*", - "xunit": "2.1.0" + "xunit": "2.2.0-*" }, "frameworks": { "netcoreapp1.0": { @@ -15,8 +15,7 @@ "Microsoft.NETCore.App": { "version": "1.0.0-*", "type": "platform" - }, - "System.Diagnostics.Process": "4.1.0-*" + } }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 71bdf8e127..189bf61634 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -1,11 +1,11 @@ { "dependencies": { - "dotnet-test-xunit": "1.0.0-*", + "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", - "xunit": "2.1.0" + "xunit": "2.2.0-*" }, "frameworks": { "netcoreapp1.0": { @@ -13,20 +13,10 @@ "Microsoft.NETCore.App": { "version": "1.0.0-*", "type": "platform" - }, - "System.Diagnostics.Process": "4.1.0-*" - }, - "imports": [ - "dnxcore50", - "portable-net451+win8" - ] - }, - "net451": { - "frameworkAssemblies": { - "System.Runtime": "", - "System.Threading.Tasks": "" + } } - } + }, + "net451": {} }, "testRunner": "xunit", "buildOptions": { 
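Review bot: `xunit` goes from the exact pin `"xunit": "2.1.0"` to the floating range `"xunit": "2.2.0-*"` in the first hunk of this file, so a restore is no longer reproducible and takes whichever matching build the configured feeds serve at that moment. The same holds for `"dotnet-test-xunit": "2.2.0-*"` here and for `"Moq": "4.6.25-*"` in the other test project.json hunks of this commit. The subject line says RTM builds, but a `-*` range still floats; if fixed builds are intended, pin them, e.g. `"xunit": "<exact-version>"`, or commit a lock file so the resolved versions are recorded and reviewable. The feed configuration is not visible in these hunks, so whether restore is limited to trusted sources should be confirmed separately.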
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 50cb652ae0..0fba881c20 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -1,10 +1,11 @@ { "dependencies": { - "dotnet-test-xunit": "1.0.0-*", + "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", - "xunit": "2.1.0" + "Moq": "4.6.25-*", + "xunit": "2.2.0-*" }, "frameworks": { "netcoreapp1.0": { @@ -13,24 +14,11 @@ "version": "1.0.0-*", "type": "platform" }, - "moq.netcore": "4.4.0-beta8", - "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, - "imports": [ - "dnxcore50", - "portable-net451+win8" - ] + "imports": "dotnet5.4" }, - "net451": { - "dependencies": { - "Moq": "4.2.1312.1622" - }, - "frameworkAssemblies": { - "System.Runtime": "", - "System.Threading.Tasks": "" - } - } + "net451": {} }, "testRunner": "xunit", "buildOptions": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 304748b77d..e54428104e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -1,6 +1,6 @@ { "dependencies": { - "dotnet-test-xunit": "1.0.0-*", + "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Extensions": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { 
@@ -8,7 +8,8 @@ "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.1.0-*", - "xunit": "2.1.0" + "Moq": "4.6.25-*", + "xunit": "2.2.0-*" }, "frameworks": { "netcoreapp1.0": { @@ -17,24 +18,11 @@ "version": "1.0.0-*", "type": "platform" }, - "moq.netcore": "4.4.0-beta8", - "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, - "imports": [ - "dnxcore50", - "portable-net451+win8" - ] + "imports": "dotnet5.4" }, - "net451": { - "dependencies": { - "Moq": "4.2.1312.1622" - }, - "frameworkAssemblies": { - "System.Runtime": "", - "System.Threading.Tasks": "" - } - } + "net451": {} }, "testRunner": "xunit", "buildOptions": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 86a03356af..73f8bafccc 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -3,10 +3,7 @@ "netstandard1.1": { "dependencies": { "System.Runtime": "4.1.0-*" - }, - "imports": [ - "dotnet5.2" - ] + } } }, "shared": "**/*.cs" diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 8891a88599..81d1700afe 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -1,7 +1,7 @@ { "dependencies": { "System.Runtime.InteropServices.RuntimeInformation": "4.0.0-*", - "dotnet-test-xunit": "1.0.0-*", + "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", @@ -9,7 +9,8 @@ }, "Microsoft.AspNetCore.Testing": "1.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", - "xunit": "2.1.0" + "Moq": "4.6.25-*", + "xunit": "2.2.0-*" }, "frameworks": { "netcoreapp1.0": { 
@@ -18,23 +19,11 @@ "version": "1.0.0-*", "type": "platform" }, - "moq.netcore": "4.4.0-beta8", - "System.Diagnostics.Process": "4.1.0-*", "System.Diagnostics.TraceSource": "4.0.0-*" }, - "imports": [ - "dnxcore50", - "portable-net451+win8" - ] + "imports": "dotnet5.4" }, - "net451": { - "dependencies": { - "Moq": "4.2.1312.1622" - }, - "frameworkAssemblies": { - "System.Threading.Tasks": "" - } - } + "net451": {} }, "testRunner": "xunit", "buildOptions": { From 332e0a0b87f14a2d8d484c854eb8386b28bfa9d7 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Wed, 6 Jul 2016 22:03:23 -0700 Subject: [PATCH 276/493] One build to rule them all - well, at least VS and command-line builds will share output - part of aspnet/Coherence-Signed#277 --- .../Microsoft.AspNetCore.Cryptography.Internal.xproj | 4 ++-- .../Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.Abstractions.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.Extensions.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.Sources.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.SystemWeb.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.xproj | 4 ++-- .../Microsoft.AspNetCore.Cryptography.Internal.Test.xproj | 4 ++-- ...Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj | 4 ++-- ...icrosoft.AspNetCore.DataProtection.Abstractions.Test.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.Test.Shared.xproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.Test.xproj | 4 ++-- 13 files changed, 26 insertions(+), 26 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj index 015fc69c62..87e2204bd2 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj 
+++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj @@ -7,8 +7,8 @@ E2779976-A28C-4365-A4BB-4AD854FAF23E - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj index d9fd79b375..efcdd4aa36 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj @@ -7,8 +7,8 @@ 421F0383-34B1-402D-807B-A94542513ABA - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj index bb6971f855..d9b66793bf 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj @@ -7,8 +7,8 @@ 4b115bde-b253-46a6-97bf-a8b37b344ff2 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj index 329df80e63..3db92cd84b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj 
@@ -7,8 +7,8 @@ bf8681db-c28b-441f-bd92-0dcfe9537a9f - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj b/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj index ffb77951d6..9efcc1390d 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj @@ -7,8 +7,8 @@ 3277bb22-033f-4010-8131-a515b910caad - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj index 172403c6fb..cbfe0341c9 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj @@ -7,8 +7,8 @@ e3552deb-4173-43ae-bf69-3c10dff3bab6 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj index 8addcac57a..462d2323b6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj @@ -7,8 +7,8 @@ 1e570cd4-6f12-44f4-961e-005ee2002bc2 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj index 82a36e7ec3..b2ff65481f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj @@ -7,8 +7,8 @@ 37053d5f-5b61-47ce-8b72-298ce007ffb0 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj index b86a806385..b4f9d422bc 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj @@ -7,8 +7,8 @@ 42c97f52-8d56-46bd-a712-4f22bed157a7 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj index 7f9123069f..9c681869bd 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj @@ -7,8 +7,8 @@ ff650a69-dee4-4b36-9e30-264ee7cfb478 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj index dc11b53c0c..aca61d6a38 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj @@ -7,8 +7,8 @@ 04aa8e60-a053-4d50-89fe-e76c3df45200 - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj index 40e0d14aba..3ba41bf1fd 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj @@ -7,8 +7,8 @@ 4f14ba2a-4f04-4676-8586-ec380977ee2e - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj index 948a9508e5..6fc457862f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj @@ -7,8 +7,8 @@ 7a637185-2ba1-437d-9d4c-7cc4f94cf7bf - ..\..\artifacts\obj\$(MSBuildProjectName) - ..\..\artifacts\bin\ + .\obj + .\bin\ 2.0 From 4f30dddb14595e8f6dec40494483be93b96da377 Mon Sep 17 00:00:00 2001 
From: Doug Bunting Date: Mon, 11 Jul 2016 16:18:07 -0700 Subject: [PATCH 277/493] To de-dupe, we must remove - part of aspnet/Common#93 - use `WebEncoders` from Common repo Also let VS have its way w/ test `.xproj` files --- .../DataProtectionCommonExtensions.cs | 1 + .../WebEncoders.cs | 133 ------------------ .../project.json | 4 + ...spNetCore.Cryptography.Internal.Test.xproj | 3 + ...Core.Cryptography.KeyDerivation.Test.xproj | 3 + ...ore.DataProtection.Abstractions.Test.xproj | 3 + ...tCore.DataProtection.Extensions.Test.xproj | 3 + ...osoft.AspNetCore.DataProtection.Test.xproj | 3 + 8 files changed, 20 insertions(+), 133 deletions(-) delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs index 97b1377abe..f4fd8801ae 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs @@ -5,6 +5,7 @@ using System; using System.Collections.Generic; using System.Diagnostics; using Microsoft.AspNetCore.DataProtection.Abstractions; +using Microsoft.Extensions.Internal; namespace Microsoft.AspNetCore.DataProtection { diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs deleted file mode 100644 index 607fc7e35e..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/WebEncoders.cs +++ /dev/null 
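Review bot: The added `using Microsoft.Extensions.Internal;` makes `WebEncoders` in this file resolve to the shared-source copy. The decoder deleted in the same commit rejected an input whose length is not valid base64url with `throw Error.CryptCommon_PayloadInvalid();`, and nothing in the visible hunks shows that the replacement fails the same way. These helpers presumably decode protected payloads that arrive from untrusted callers, so a different exception type on malformed input can turn a handled rejection into an unhandled error. The calling code is outside the hunk, so I cannot confirm whether decode failures are already wrapped. I would add a test that a payload of invalid length still fails with the same exception type as before, and a call-site comment such as `// WebEncoders comes from Microsoft.Extensions.WebEncoders.Sources; malformed input must still fail like any other invalid payload`.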
@@ -1,133 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Diagnostics; - -namespace Microsoft.AspNetCore.DataProtection -{ - // Internal copy of HttpAbstractions functionality. - internal static class WebEncoders - { - /// - /// Decodes a base64url-encoded string. - /// - /// The base64url-encoded input to decode. - /// The base64url-decoded form of the input. - /// - /// The input must not contain any whitespace or padding characters. - /// Throws FormatException if the input is malformed. - /// - public static byte[] Base64UrlDecode(string input) - { - // Assumption: input is base64url encoded without padding and contains no whitespace. - - // First, we need to add the padding characters back. - int numPaddingCharsToAdd = GetNumBase64PaddingCharsToAddForDecode(input.Length); - char[] completeBase64Array = new char[checked(input.Length + numPaddingCharsToAdd)]; - Debug.Assert(completeBase64Array.Length % 4 == 0, "Invariant: Array length must be a multiple of 4."); - input.CopyTo(0, completeBase64Array, 0, input.Length); - for (int i = 1; i <= numPaddingCharsToAdd; i++) - { - completeBase64Array[completeBase64Array.Length - i] = '='; - } - - // Next, fix up '-' -> '+' and '_' -> '/' - for (int i = 0; i < completeBase64Array.Length; i++) - { - char c = completeBase64Array[i]; - if (c == '-') - { - completeBase64Array[i] = '+'; - } - else if (c == '_') - { - completeBase64Array[i] = '/'; - } - } - - // Finally, decode. - // If the caller provided invalid base64 chars, they'll be caught here. - return Convert.FromBase64CharArray(completeBase64Array, 0, completeBase64Array.Length); - } - - /// - /// Encodes an input using base64url encoding. - /// - /// The binary input to encode. - /// The base64url-encoded form of the input. 
- public static string Base64UrlEncode(byte[] input) - { - // Special-case empty input - if (input.Length == 0) - { - return String.Empty; - } - - // We're going to use base64url encoding with no padding characters. - // See RFC 4648, Sec. 5. - char[] buffer = new char[GetNumBase64CharsRequiredForInput(input.Length)]; - int numBase64Chars = Convert.ToBase64CharArray(input, 0, input.Length, buffer, 0); - - // Fix up '+' -> '-' and '/' -> '_' - for (int i = 0; i < numBase64Chars; i++) - { - char ch = buffer[i]; - if (ch == '+') - { - buffer[i] = '-'; - } - else if (ch == '/') - { - buffer[i] = '_'; - } - else if (ch == '=') - { - // We've reached a padding character: truncate the string from this point - return new String(buffer, 0, i); - } - } - - // If we got this far, the buffer didn't contain any padding chars, so turn - // it directly into a string. - return new String(buffer, 0, numBase64Chars); - } - - private static int GetNumBase64CharsRequiredForInput(int inputLength) - { - int numWholeOrPartialInputBlocks = checked(inputLength + 2) / 3; - return checked(numWholeOrPartialInputBlocks * 4); - } - - private static int GetNumBase64PaddingCharsInString(string str) - { - // Assumption: input contains a well-formed base64 string with no whitespace. - - // base64 guaranteed have 0 - 2 padding characters. - if (str[str.Length - 1] == '=') - { - if (str[str.Length - 2] == '=') - { - return 2; - } - return 1; - } - return 0; - } - - private static int GetNumBase64PaddingCharsToAddForDecode(int inputLength) - { - switch (inputLength % 4) - { - case 0: - return 0; - case 2: - return 2; - case 3: - return 1; - default: - throw Error.CryptCommon_PayloadInvalid(); // not valid base64 - } - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index b5e4591fd8..8a46ae5517 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json 
+++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -15,6 +15,10 @@ "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", "version": "1.1.0-*" + }, + "Microsoft.Extensions.WebEncoders.Sources": { + "type": "build", + "version": "1.1.0-*" } }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj index b2ff65481f..2cef9ca48f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj @@ -13,5 +13,8 @@ 2.0 + + + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj index b4f9d422bc..4dc21f6e52 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj @@ -13,5 +13,8 @@ 2.0 + + + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj index 9c681869bd..d3ab9d6ae6 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj 
@@ -13,5 +13,8 @@ 2.0 + + + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj index aca61d6a38..e3f8006626 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj @@ -13,5 +13,8 @@ 2.0 + + + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj index 6fc457862f..4673904cc3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj @@ -13,5 +13,8 @@ 2.0 + + + \ No newline at end of file From 3733b5370055d9c93d7bedf6117da1976c5fe78c Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Thu, 28 Jul 2016 17:17:27 -0700 Subject: [PATCH 278/493] Removed unnecessary methods in DataProtectionServiceDescriptors --- .../DataProtectionServiceDescriptors.cs | 50 ------------------- .../DataProtectionServices.cs | 25 ++++++++-- 2 files changed, 20 insertions(+), 55 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs index 6727730c92..388454fc01 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs 
@@ -24,20 +24,6 @@ namespace Microsoft.Extensions.DependencyInjection /// internal static class DataProtectionServiceDescriptors { - /// - /// An backed by the host-provided defaults. - /// - public static ServiceDescriptor ConfigureOptions_DataProtectionOptions() - { - return ServiceDescriptor.Transient>(services => - { - return new ConfigureOptions(options => - { - options.ApplicationDiscriminator = services.GetApplicationUniqueIdentifier(); - }); - }); - } - /// /// An where the key lifetime is specified explicitly. /// @@ -53,14 +39,6 @@ namespace Microsoft.Extensions.DependencyInjection }); } - /// - /// An backed by default algorithmic options. - /// - public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_Default() - { - return IAuthenticatedEncryptorConfiguration_FromSettings(new AuthenticatedEncryptionSettings()); - } - /// /// An backed by an . /// @@ -79,18 +57,6 @@ namespace Microsoft.Extensions.DependencyInjection } #endif - /// - /// An backed by the default keyring. - /// - public static ServiceDescriptor IDataProtectionProvider_Default() - { - return ServiceDescriptor.Singleton( - services => DataProtectionProviderFactory.GetProviderFromServices( - options: services.GetRequiredService>().Value, - services: services, - mustCreateImmediately: true /* this is the ultimate fallback */)); - } - /// /// An ephemeral . /// @@ -110,14 +76,6 @@ namespace Microsoft.Extensions.DependencyInjection return ServiceDescriptor.Singleton(services => services.GetActivator().CreateInstance(implementationTypeName)); } - /// - /// An backed by the default XML key manager. - /// - public static ServiceDescriptor IKeyManager_Default() - { - return ServiceDescriptor.Singleton(services => new XmlKeyManager(services)); - } - #if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// 
@@ -167,14 +125,6 @@ namespace Microsoft.Extensions.DependencyInjection return ServiceDescriptor.Singleton(services => new FileSystemXmlRepository(directory, services)); } - /// - /// An backed by volatile in-process memory. - /// - public static ServiceDescriptor IXmlRepository_InMemory() - { - return ServiceDescriptor.Singleton(services => new EphemeralXmlRepository(services)); - } - /// /// An backed by the Windows registry. /// diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs index 14c9bb9df2..1eca20601e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs @@ -5,12 +5,14 @@ using System; using System.Collections.Generic; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; using Microsoft.Win32; namespace Microsoft.Extensions.DependencyInjection @@ -92,7 +94,8 @@ namespace Microsoft.Extensions.DependencyInjection { // Final fallback - use an ephemeral repository since we don't know where else to go. // This can only be used for development scenarios. - keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_InMemory(); + keyRepositoryDescriptor = ServiceDescriptor.Singleton( + s => new EphemeralXmlRepository(s)); log?.UsingEphemeralKeyRepository(); } 
@@ -106,8 +109,13 @@ namespace Microsoft.Extensions.DependencyInjection }); // Provide root key management and data protection services - yield return DataProtectionServiceDescriptors.IKeyManager_Default(); - yield return DataProtectionServiceDescriptors.IDataProtectionProvider_Default(); + yield return ServiceDescriptor.Singleton(services => new XmlKeyManager(services)); + + yield return ServiceDescriptor.Singleton( + services => DataProtectionProviderFactory.GetProviderFromServices( + options: services.GetRequiredService>().Value, + services: services, + mustCreateImmediately: true /* this is the ultimate fallback */)); // Provide services required for XML encryption #if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml @@ -115,7 +123,13 @@ namespace Microsoft.Extensions.DependencyInjection #endif // Hook up the logic which allows populating default options - yield return DataProtectionServiceDescriptors.ConfigureOptions_DataProtectionOptions(); + yield return ServiceDescriptor.Transient>(services => + { + return new ConfigureOptions(options => + { + options.ApplicationDiscriminator = services.GetApplicationUniqueIdentifier(); + }); + }); // Read and apply policy from the registry, overriding any other defaults. bool encryptorConfigurationReadFromRegistry = false; @@ -134,7 +148,8 @@ namespace Microsoft.Extensions.DependencyInjection // Finally, provide a fallback encryptor configuration if one wasn't already specified. if (!encryptorConfigurationReadFromRegistry) { - yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_Default(); + yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings( + new AuthenticatedEncryptionSettings());; } } } From 1ad5d0e3177daa1f7148f9354c0822dd701f34d8 Mon Sep 17 00:00:00 2001 
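Review bot: The fallback registration in the `@@ -134,7 +148,8 @@` hunk of DataProtectionServices.cs ends in `new AuthenticatedEncryptionSettings());;`, which leaves a stray empty statement after the `yield return`. Drop the second semicolon so the line reads `new AuthenticatedEncryptionSettings());`. The inlined lambda in the `@@ -92,7 +94,8 @@` hunk names its parameter `s`, while the lambdas inlined in `@@ -106,8 +109,13 @@` and `@@ -115,7 +123,13 @@` use `services`; one name throughout would keep the registrations uniform. The iterator method these hunks belong to starts and ends outside them.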
From: Ajay Bhargav Baaskaran Date: Thu, 28 Jul 2016 17:29:06 -0700 Subject: [PATCH 279/493] var cleanup --- .../ArraySegmentExtensions.cs | 2 +- .../AuthenticatedEncryptorExtensions.cs | 16 ++++---- .../CngCbcAuthenticatedEncryptionSettings.cs | 2 +- .../ConfigurationModel/SecretExtensions.cs | 2 +- .../Cng/CbcAuthenticatedEncryptor.cs | 26 ++++++------ .../Cng/DpapiSecretSerializerHelper.cs | 40 +++++++++---------- .../Cng/GcmAuthenticatedEncryptor.cs | 14 +++---- .../DataProtectionBuilderExtensions.cs | 2 +- .../DataProtectionServices.cs | 4 +- .../Error.cs | 16 ++++---- .../KeyManagement/DefaultKeyResolver.cs | 2 +- .../Internal/CacheableKeyRing.cs | 2 +- .../KeyManagement/KeyRing.cs | 2 +- .../KeyRingBasedDataProtector.cs | 12 +++--- .../KeyManagement/KeyRingProvider.cs | 4 +- .../KeyManagement/XmlKeyManager.cs | 14 +++---- .../Managed/ManagedAuthenticatedEncryptor.cs | 38 +++++++++--------- .../Managed/ManagedGenRandomImpl.cs | 2 +- .../RegistryPolicyResolver.cs | 6 +-- .../Repositories/EphemeralXmlRepository.cs | 2 +- .../Repositories/FileSystemXmlRepository.cs | 10 ++--- .../Repositories/RegistryXmlRepository.cs | 8 ++-- .../ManagedSP800_108_CTR_HMACSHA512.cs | 16 ++++---- .../SP800_108_CTR_HMACSHA512Extensions.cs | 2 +- .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 2 +- .../Win7SP800_108_CTR_HMACSHA512Provider.cs | 2 +- .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 4 +- .../Secret.cs | 14 +++---- .../XmlEncryption/CertificateXmlEncryptor.cs | 2 +- .../XmlEncryption/DpapiNGXmlDecryptor.cs | 4 +- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 8 ++-- .../XmlEncryption/DpapiXmlDecryptor.cs | 4 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 2 +- .../XmlEncryption/XmlEncryptionExtensions.cs | 6 +-- 34 files changed, 146 insertions(+), 146 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs index 6f3e5bb99c..f468560f77 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs @@ -15,7 +15,7 @@ namespace Microsoft.AspNetCore.DataProtection return arraySegment.Array; } - byte[] retVal = new byte[arraySegment.Count]; + var retVal = new byte[arraySegment.Count]; Buffer.BlockCopy(arraySegment.Array, arraySegment.Offset, retVal, 0, retVal.Length); return retVal; } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs index 02de8effda..31f31a9a28 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption public static byte[] Encrypt(this IAuthenticatedEncryptor encryptor, ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize) { // Can we call the optimized version? - IOptimizedAuthenticatedEncryptor optimizedEncryptor = encryptor as IOptimizedAuthenticatedEncryptor; + var optimizedEncryptor = encryptor as IOptimizedAuthenticatedEncryptor; if (optimizedEncryptor != null) { return optimizedEncryptor.Encrypt(plaintext, additionalAuthenticatedData, preBufferSize, postBufferSize); 
@@ -25,8 +25,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption } else { - byte[] temp = encryptor.Encrypt(plaintext, additionalAuthenticatedData); - byte[] retVal = new byte[checked(preBufferSize + temp.Length + postBufferSize)]; + var temp = encryptor.Encrypt(plaintext, additionalAuthenticatedData); + var retVal = new byte[checked(preBufferSize + temp.Length + postBufferSize)]; Buffer.BlockCopy(temp, 0, retVal, checked((int)preBufferSize), temp.Length); return retVal; } @@ -39,13 +39,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption public static void PerformSelfTest(this IAuthenticatedEncryptor encryptor) { // Arrange - Guid plaintextAsGuid = Guid.NewGuid(); - byte[] plaintextAsBytes = plaintextAsGuid.ToByteArray(); - byte[] aad = Guid.NewGuid().ToByteArray(); + var plaintextAsGuid = Guid.NewGuid(); + var plaintextAsBytes = plaintextAsGuid.ToByteArray(); + var aad = Guid.NewGuid().ToByteArray(); // Act - byte[] protectedData = encryptor.Encrypt(new ArraySegment(plaintextAsBytes), new ArraySegment(aad)); - byte[] roundTrippedData = encryptor.Decrypt(new ArraySegment(protectedData), new ArraySegment(aad)); + var protectedData = encryptor.Encrypt(new ArraySegment(plaintextAsBytes), new ArraySegment(aad)); + var roundTrippedData = encryptor.Decrypt(new ArraySegment(protectedData), new ArraySegment(aad)); // Assert CryptoUtil.Assert(roundTrippedData != null && roundTrippedData.Length == plaintextAsBytes.Length && plaintextAsGuid == new Guid(roundTrippedData), diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs index 1b85f58009..d9d4cd1aad 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs @@ -129,7 +129,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption } // Make sure we're using a hash algorithm. We require a minimum 128-bit digest. - uint digestSize = algorithmHandle.GetHashDigestLength(); + var digestSize = algorithmHandle.GetHashDigestLength(); AlgorithmAssert.IsAllowableValidationAlgorithmDigestSize(checked(digestSize * 8)); // all good! diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs index c8d3364101..75444140c8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs @@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat } } - XElement masterKeyElement = new XElement("masterKey", + var masterKeyElement = new XElement("masterKey", new XComment(" Warning: the key below is in an unencrypted form. "), new XElement("value", unprotectedSecretAsBase64String)); masterKeyElement.MarkAsRequiresEncryption(); diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs index f9648ed28a..c8840beff4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs @@ -58,7 +58,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng private byte[] CreateContextHeader() { - byte[] retVal = new byte[checked( + var retVal = new byte[checked( 1 /* KDF alg */ + 1 /* chaining mode */ + sizeof(uint) /* sym alg key size */ 
@@ -85,7 +85,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng BitHelpers.WriteTo(ref ptr, _hmacAlgorithmDigestLengthInBytes); // See the design document for an explanation of the following code. - byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes]; + var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes]; fixed (byte* pbTempKeys = tempKeys) { byte dummy; @@ -151,7 +151,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // Assumption: pbCipherText := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) } - uint cbEncryptedData = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes)); + var cbEncryptedData = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes)); // Calculate offsets byte* pbKeyModifier = pbCiphertext; @@ -161,7 +161,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // Use the KDF to recreate the symmetric encryption and HMAC subkeys // We'll need a temporary buffer to hold them - uint cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes); + var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes); byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)]; try { @@ -224,7 +224,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // assume PKCS#7). So unfortunately we're stuck with the temporary buffer. // (Querying the output size won't mutate the IV.) uint dwEstimatedDecryptedByteCount; - int ntstatus = UnsafeNativeMethods.BCryptDecrypt( + var ntstatus = UnsafeNativeMethods.BCryptDecrypt( hKey: symmetricKeyHandle, pbInput: pbInput, cbInput: cbInput, 
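Review bot: In the `@@ -151,7 +151,7 @@` hunk of CbcAuthenticatedEncryptor.cs, `var cbEncryptedData = checked(cbCiphertext - (...))` no longer pins the result of the ciphertext length subtraction to `uint`. The explicit type was acting as a compile-time guard: if one of the size fields or constants (declared outside the hunk) ever became a signed type, the expression would presumably widen to `long`, and with `var` a too-short ciphertext would then yield a negative length instead of tripping the `checked` underflow. I would keep the declared type on buffer-size arithmetic, `uint cbEncryptedData = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes));`. The same applies to `cbTempSubkeys`, `cbKeyModifierAndIV` and `cbOutputCiphertext` in the later hunks of this file, and to `cbPlaintext` in the `@@ -125,9 +125,9 @@` hunk of GcmAuthenticatedEncryptor.cs. The enclosing methods start and end outside these hunks.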
@@ -237,7 +237,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING); UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus); - byte[] decryptedPayload = new byte[dwEstimatedDecryptedByteCount]; + var decryptedPayload = new byte[dwEstimatedDecryptedByteCount]; uint dwActualDecryptedByteCount; fixed (byte* pbDecryptedPayload = decryptedPayload) { @@ -268,7 +268,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng else { // payload takes up only a partial buffer - byte[] resizedDecryptedPayload = new byte[dwActualDecryptedByteCount]; + var resizedDecryptedPayload = new byte[dwActualDecryptedByteCount]; Buffer.BlockCopy(decryptedPayload, 0, resizedDecryptedPayload, 0, resizedDecryptedPayload.Length); return resizedDecryptedPayload; } @@ -282,7 +282,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng UnsafeBufferUtil.BlockCopy(from: pbIV, to: pbClonedIV, byteCount: _symmetricAlgorithmBlockSizeInBytes); uint dwEncryptedBytes; - int ntstatus = UnsafeNativeMethods.BCryptEncrypt( + var ntstatus = UnsafeNativeMethods.BCryptEncrypt( hKey: symmetricKeyHandle, pbInput: pbInput, cbInput: cbInput, 
@@ -303,13 +303,13 @@ namespace Microsoft.AspNetCore.DataProtection.Cng { // This buffer will be used to hold the symmetric encryption and HMAC subkeys // used in the generation of this payload. - uint cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes); + var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes); byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)]; try { // Randomly generate the key modifier and IV. - uint cbKeyModifierAndIV = checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes); + var cbKeyModifierAndIV = checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes); byte* pbKeyModifierAndIV = stackalloc byte[checked((int)cbKeyModifierAndIV)]; _genRandom.GenRandom(pbKeyModifierAndIV, cbKeyModifierAndIV); @@ -335,10 +335,10 @@ namespace Microsoft.AspNetCore.DataProtection.Cng { // We can't assume PKCS#7 padding (maybe the underlying provider is really using CTS), // so we need to query the padded output size before we can allocate the return value array. - uint cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, cbPlaintext); + var cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, cbPlaintext); // Allocate return value array and start copying some data - byte[] retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext + _hmacAlgorithmDigestLengthInBytes + cbPostBuffer)]; + var retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext + _hmacAlgorithmDigestLengthInBytes + cbPostBuffer)]; fixed (byte* pbRetVal = retVal) { // Calculate offsets 
@@ -395,7 +395,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // Calling BCryptEncrypt with a null output pointer will cause it to return the total number // of bytes required for the output buffer. uint dwResult; - int ntstatus = UnsafeNativeMethods.BCryptEncrypt( + var ntstatus = UnsafeNativeMethods.BCryptEncrypt( hKey: symmetricKeyHandle, pbInput: pbInput, cbInput: cbInput, diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs index ba0bd83ea4..d007ca4412 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -43,7 +43,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng { Debug.Assert(secret != null); - byte[] plaintextSecret = new byte[secret.Length]; + var plaintextSecret = new byte[secret.Length]; fixed (byte* pbPlaintextSecret = plaintextSecret) { try @@ -66,24 +66,24 @@ namespace Microsoft.AspNetCore.DataProtection.Cng { byte dummy; // provides a valid memory address if the secret or entropy has zero length - DATA_BLOB dataIn = new DATA_BLOB() + var dataIn = new DATA_BLOB() { cbData = cbSecret, pbData = (pbSecret != null) ? pbSecret : &dummy }; - DATA_BLOB entropy = new DATA_BLOB() + var entropy = new DATA_BLOB() { cbData = cbOptionalEntropy, pbData = (pbOptionalEntropy != null) ? pbOptionalEntropy : &dummy }; - DATA_BLOB dataOut = default(DATA_BLOB); + var dataOut = default(DATA_BLOB); #if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif try { - bool success = UnsafeNativeMethods.CryptProtectData( + var success = UnsafeNativeMethods.CryptProtectData( pDataIn: &dataIn, szDataDescr: IntPtr.Zero, pOptionalEntropy: &entropy, 
@@ -93,12 +93,12 @@ namespace Microsoft.AspNetCore.DataProtection.Cng pDataOut: out dataOut); if (!success) { - int errorCode = Marshal.GetLastWin32Error(); + var errorCode = Marshal.GetLastWin32Error(); throw new CryptographicException(errorCode); } - int dataLength = checked((int)dataOut.cbData); - byte[] retVal = new byte[dataLength]; + var dataLength = checked((int)dataOut.cbData); + var retVal = new byte[dataLength]; Marshal.Copy((IntPtr)dataOut.pbData, retVal, 0, dataLength); return retVal; } @@ -118,7 +118,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng Debug.Assert(secret != null); Debug.Assert(protectionDescriptorHandle != null); - byte[] plaintextSecret = new byte[secret.Length]; + var plaintextSecret = new byte[secret.Length]; fixed (byte* pbPlaintextSecret = plaintextSecret) { try @@ -147,7 +147,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // Perform the encryption operation, putting the protected data into LocalAlloc-allocated memory. LocalAllocHandle protectedData; uint cbProtectedData; - int ntstatus = UnsafeNativeMethods.NCryptProtectSecret( + var ntstatus = UnsafeNativeMethods.NCryptProtectSecret( hDescriptor: protectionDescriptorHandle, dwFlags: NCRYPT_SILENT_FLAG, pbData: pbData, @@ -162,12 +162,12 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // Copy the data from LocalAlloc-allocated memory into a managed memory buffer. using (protectedData) { - byte[] retVal = new byte[cbProtectedData]; + var retVal = new byte[cbProtectedData]; if (cbProtectedData > 0) { fixed (byte* pbRetVal = retVal) { - bool handleAcquired = false; + var handleAcquired = false; #if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif 
@@ -206,24 +206,24 @@ namespace Microsoft.AspNetCore.DataProtection.Cng { byte dummy; // provides a valid memory address if the secret or entropy has zero length - DATA_BLOB dataIn = new DATA_BLOB() + var dataIn = new DATA_BLOB() { cbData = cbProtectedData, pbData = (pbProtectedData != null) ? pbProtectedData : &dummy }; - DATA_BLOB entropy = new DATA_BLOB() + var entropy = new DATA_BLOB() { cbData = cbOptionalEntropy, pbData = (pbOptionalEntropy != null) ? pbOptionalEntropy : &dummy }; - DATA_BLOB dataOut = default(DATA_BLOB); + var dataOut = default(DATA_BLOB); #if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif try { - bool success = UnsafeNativeMethods.CryptUnprotectData( + var success = UnsafeNativeMethods.CryptUnprotectData( pDataIn: &dataIn, ppszDataDescr: IntPtr.Zero, pOptionalEntropy: &entropy, @@ -233,7 +233,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng pDataOut: out dataOut); if (!success) { - int errorCode = Marshal.GetLastWin32Error(); + var errorCode = Marshal.GetLastWin32Error(); throw new CryptographicException(errorCode); } @@ -271,7 +271,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // First, decrypt the payload into LocalAlloc-allocated memory. LocalAllocHandle unencryptedPayloadHandle; uint cbUnencryptedPayload; - int ntstatus = UnsafeNativeMethods.NCryptUnprotectSecret( + var ntstatus = UnsafeNativeMethods.NCryptUnprotectSecret( phDescriptor: IntPtr.Zero, dwFlags: NCRYPT_SILENT_FLAG, pbProtectedBlob: pbData, @@ -290,7 +290,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // the window is extremely small and AppDomain unloads should not happen here in practice. using (unencryptedPayloadHandle) { - bool handleAcquired = false; + var handleAcquired = false; #if !NETSTANDARD1_3 RuntimeHelpers.PrepareConstrainedRegions(); #endif 
@@ -331,7 +331,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng NCryptDescriptorHandle descriptorHandle; LocalAllocHandle unprotectedDataHandle; uint cbUnprotectedData; - int ntstatus = UnsafeNativeMethods.NCryptUnprotectSecret( + var ntstatus = UnsafeNativeMethods.NCryptUnprotectSecret( phDescriptor: out descriptorHandle, dwFlags: NCRYPT_UNPROTECT_NO_DECRYPT, pbProtectedBlob: pbData, diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs index b751437f26..2e9b4ad31c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs @@ -53,7 +53,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng private byte[] CreateContextHeader() { - byte[] retVal = new byte[checked( + var retVal = new byte[checked( 1 /* KDF alg */ + 1 /* chaining mode */ + sizeof(uint) /* sym alg key size */ @@ -77,7 +77,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES); // See the design document for an explanation of the following code. - byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; + var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; fixed (byte* pbTempKeys = tempKeys) { byte dummy; @@ -125,9 +125,9 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // Assumption: pbCipherText := { keyModifier || nonce || encryptedData || authenticationTag } - uint cbPlaintext = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)); + var cbPlaintext = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)); - byte[] retVal = new byte[cbPlaintext]; + var retVal = new byte[cbPlaintext]; fixed (byte* pbRetVal = retVal) { // Calculate offsets 
@@ -166,7 +166,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng // The call to BCryptDecrypt will also validate the authentication tag uint cbDecryptedBytesWritten; - int ntstatus = UnsafeNativeMethods.BCryptDecrypt( + var ntstatus = UnsafeNativeMethods.BCryptDecrypt( hKey: decryptionSubkeyHandle, pbInput: pbEncryptedData, cbInput: cbPlaintext, @@ -216,7 +216,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng using (var keyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbKey, cbKey)) { uint cbResult; - int ntstatus = UnsafeNativeMethods.BCryptEncrypt( + var ntstatus = UnsafeNativeMethods.BCryptEncrypt( hKey: keyHandle, pbInput: pbPlaintextData, cbInput: cbPlaintextData, @@ -236,7 +236,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng { // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag. // In GCM, the encrypted output will be the same length as the plaintext input. - byte[] retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + cbPlaintext + TAG_SIZE_IN_BYTES + cbPostBuffer)]; + var retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + cbPlaintext + TAG_SIZE_IN_BYTES + cbPostBuffer)]; fixed (byte* pbRetVal = retVal) { // Calculate offsets diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index c11d463ee1..74084f9d90 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs 
@@ -528,7 +528,7 @@ namespace Microsoft.AspNetCore.DataProtection private static void RemoveAllServicesOfType(IServiceCollection services, Type serviceType) { // We go backward since we're modifying the collection in-place. - for (int i = services.Count - 1; i >= 0; i--) + for (var i = services.Count - 1; i >= 0; i--) { if (services[i]?.ServiceType == serviceType) { diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs index 1eca20601e..424f4bad6e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs @@ -36,7 +36,7 @@ namespace Microsoft.Extensions.DependencyInjection // we'll not use the fallback at all. yield return ServiceDescriptor.Singleton(services => { - ILogger log = services.GetLogger(typeof(DataProtectionServices)); + var log = services.GetLogger(typeof(DataProtectionServices)); ServiceDescriptor keyEncryptorDescriptor = null; ServiceDescriptor keyRepositoryDescriptor = null; @@ -132,7 +132,7 @@ namespace Microsoft.Extensions.DependencyInjection }); // Read and apply policy from the registry, overriding any other defaults. - bool encryptorConfigurationReadFromRegistry = false; + var encryptorConfigurationReadFromRegistry = false; if (OSVersionUtil.IsWindows()) { foreach (var descriptor in RegistryPolicyResolver.ResolveDefaultPolicy()) diff --git a/src/Microsoft.AspNetCore.DataProtection/Error.cs b/src/Microsoft.AspNetCore.DataProtection/Error.cs index 740fb7c5d3..8bd8d21c37 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Error.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Error.cs 
@@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.DataProtection { public static InvalidOperationException CertificateXmlEncryptor_CertificateNotFound(string thumbprint) { - string message = Resources.FormatCertificateXmlEncryptor_CertificateNotFound(thumbprint); + var message = Resources.FormatCertificateXmlEncryptor_CertificateNotFound(thumbprint); return new InvalidOperationException(message); } @@ -22,7 +22,7 @@ namespace Microsoft.AspNetCore.DataProtection public static ArgumentException Common_BufferIncorrectlySized(string parameterName, int actualSize, int expectedSize) { - string message = Resources.FormatCommon_BufferIncorrectlySized(actualSize, expectedSize); + var message = Resources.FormatCommon_BufferIncorrectlySized(actualSize, expectedSize); return new ArgumentException(message, parameterName); } @@ -33,19 +33,19 @@ namespace Microsoft.AspNetCore.DataProtection public static CryptographicException CryptCommon_PayloadInvalid() { - string message = Resources.CryptCommon_PayloadInvalid; + var message = Resources.CryptCommon_PayloadInvalid; return new CryptographicException(message); } public static InvalidOperationException Common_PropertyCannotBeNullOrEmpty(string propertyName) { - string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyCannotBeNullOrEmpty, propertyName); + var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyCannotBeNullOrEmpty, propertyName); return new InvalidOperationException(message); } public static InvalidOperationException Common_PropertyMustBeNonNegative(string propertyName) { - string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyMustBeNonNegative, propertyName); + var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyMustBeNonNegative, propertyName); return new InvalidOperationException(message); } 
@@ -56,13 +56,13 @@ namespace Microsoft.AspNetCore.DataProtection public static CryptographicException Common_KeyNotFound(Guid id) { - string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyNotFound, id); + var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyNotFound, id); return new CryptographicException(message); } public static CryptographicException Common_KeyRevoked(Guid id) { - string message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyRevoked, id); + var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyRevoked, id); return new CryptographicException(message); } @@ -88,7 +88,7 @@ namespace Microsoft.AspNetCore.DataProtection public static InvalidOperationException XmlKeyManager_DuplicateKey(Guid keyId) { - string message = String.Format(CultureInfo.CurrentCulture, Resources.XmlKeyManager_DuplicateKey, keyId); + var message = String.Format(CultureInfo.CurrentCulture, Resources.XmlKeyManager_DuplicateKey, keyId); return new InvalidOperationException(message); } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs index 687b1de048..6f2af2409b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -127,7 +127,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public DefaultKeyResolution ResolveDefaultKeyPolicy(DateTimeOffset now, IEnumerable allKeys) { - DefaultKeyResolution retVal = default(DefaultKeyResolution); + var retVal = default(DefaultKeyResolution); retVal.DefaultKey = FindDefaultKey(now, allKeys, out retVal.FallbackKey, out retVal.ShouldGenerateNewKey); return retVal; } 
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs index 58b31f61a8..cd522e74af 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs @@ -44,7 +44,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal /// internal CacheableKeyRing WithTemporaryExtendedLifetime(DateTimeOffset now) { - TimeSpan extension = TimeSpan.FromMinutes(2); + var extension = TimeSpan.FromMinutes(2); return new CacheableKeyRing(CancellationToken.None, now + extension, KeyRing); } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs index 8ebcdb8c45..2a180afd04 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs @@ -71,7 +71,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // simple double-check lock pattern // we can't use LazyInitializer because we don't have a simple value factory - IAuthenticatedEncryptor encryptor = Volatile.Read(ref _encryptor); + var encryptor = Volatile.Read(ref _encryptor); if (encryptor == null) { lock (this) diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 59c48e75a9..12888f8b3f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
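Review bot: The double-checked initialisation touched by the `@@ -71,7 +71,7 @@` hunk of KeyRing.cs still takes `lock (this)`, so any code holding a reference to the instance can take the same monitor and stall encryptor creation. A private gate object removes that coupling: `private readonly object _encryptorLock = new object();` with `lock (_encryptorLock)` at this site. The enclosing type is declared outside the hunk, so whether its instances are reachable by other code cannot be confirmed from here.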
@@ -43,7 +43,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { if (originalPurposes != null && originalPurposes.Length > 0) { - string[] newPurposes = new string[originalPurposes.Length + 1]; + var newPurposes = new string[originalPurposes.Length + 1]; Array.Copy(originalPurposes, 0, newPurposes, 0, originalPurposes.Length); newPurposes[originalPurposes.Length] = newPurpose; return newPurposes; @@ -83,7 +83,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement } UnprotectStatus status; - byte[] retVal = UnprotectCore(protectedData, ignoreRevocationErrors, status: out status); + var retVal = UnprotectCore(protectedData, ignoreRevocationErrors, status: out status); requiresMigration = (status != UnprotectStatus.Ok); wasRevoked = (status == UnprotectStatus.DecryptionKeyWasRevoked); return retVal; @@ -117,10 +117,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // We'll need to apply the default key id to the template if it hasn't already been applied. // If the default key id has been updated since the last call to Protect, also write back the updated template. - byte[] aad = _aadTemplate.GetAadForKey(defaultKeyId, isProtecting: true); + var aad = _aadTemplate.GetAadForKey(defaultKeyId, isProtecting: true); // We allocate a 20-byte pre-buffer so that we can inject the magic header and key id into the return value. - byte[] retVal = defaultEncryptorInstance.Encrypt( + var retVal = defaultEncryptorInstance.Encrypt( plaintext: new ArraySegment(plaintext), additionalAuthenticatedData: new ArraySegment(aad), preBufferSize: (uint)(sizeof(uint) + sizeof(Guid)), 
@@ -324,7 +324,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { writer.WriteBigEndian(MAGIC_HEADER_V0); Debug.Assert(ms.Position == sizeof(uint)); - long posPurposeCount = writer.Seek(sizeof(Guid), SeekOrigin.Current); // skip over where the key id will be stored; we'll fill it in later + var posPurposeCount = writer.Seek(sizeof(Guid), SeekOrigin.Current); // skip over where the key id will be stored; we'll fill it in later writer.Seek(sizeof(uint), SeekOrigin.Current); // skip over where the purposeCount will be stored; we'll fill it in later uint purposeCount = 0; @@ -347,7 +347,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Multiple threads might be trying to read and write the _aadTemplate field // simultaneously. We need to make sure all accesses to it are thread-safe. - byte[] existingTemplate = Volatile.Read(ref _aadTemplate); + var existingTemplate = Volatile.Read(ref _aadTemplate); Debug.Assert(existingTemplate.Length >= sizeof(uint) /* MAGIC_HEADER */ + sizeof(Guid) /* keyId */); // If the template is already initialized to this key id, return it. diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs index 93a8a4b29b..6dbca4d9b6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs 
@@ -103,7 +103,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement _logger?.UsingKeyAsDefaultKey(defaultKey.KeyId); - DateTimeOffset nextAutoRefreshTime = now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod); + var nextAutoRefreshTime = now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod); // The cached keyring should expire at the earliest of (default key expiration, next auto-refresh time). // Since the refresh period and safety window are not user-settable, we can guarantee that there's at @@ -139,7 +139,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // update the keyring, and all other threads will continue to use the existing cached // keyring while the first thread performs the update. There is an exception: if there // is no usable existing cached keyring, all callers must block until the keyring exists. - bool acquiredLock = false; + var acquiredLock = false; try { Monitor.TryEnter(_cacheableKeyRingLockObj, (existingCacheableKeyRing != null) ? 0 : Timeout.Infinite, ref acquiredLock); diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs index 43d8757b67..64a84a51d8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs @@ -142,7 +142,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // ProcessKeyElement can return null in the case of failure, and if this happens we'll move on. // Still need to throw if we see duplicate keys with the same id. - KeyBase key = ProcessKeyElement(element); + var key = ProcessKeyElement(element); if (key != null) { if (keyIdToKeyMap.ContainsKey(key.KeyId)) 
@@ -154,7 +154,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement } else if (element.Name == RevocationElementName) { - object revocationInfo = ProcessRevocationElement(element); + var revocationInfo = ProcessRevocationElement(element); if (revocationInfo is Guid) { // a single key was revoked @@ -276,7 +276,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement else { // only one key is being revoked - Guid keyId = XmlConvert.ToGuid(keyIdAsString); + var keyId = XmlConvert.ToGuid(keyIdAsString); _logger?.FoundRevocationOfKey(keyId); return keyId; } @@ -397,7 +397,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var possiblyEncryptedKeyElement = KeyEncryptor?.EncryptIfNecessary(keyElement) ?? keyElement; // Persist it to the underlying repository and trigger the cancellation token. - string friendlyName = Invariant($"key-{keyId:D}"); + var friendlyName = Invariant($"key-{keyId:D}"); KeyRepository.StoreElement(possiblyEncryptedKeyElement, friendlyName); TriggerAndResetCacheExpirationToken(); @@ -415,11 +415,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement try { // Figure out who will be deserializing this - XElement descriptorElement = keyElement.Element(DescriptorElementName); + var descriptorElement = keyElement.Element(DescriptorElementName); string descriptorDeserializerTypeName = (string)descriptorElement.Attribute(DeserializerTypeAttributeName); // Decrypt the descriptor element and pass it to the descriptor for consumption - XElement unencryptedInputToDeserializer = descriptorElement.Elements().Single().DecryptElement(_activator); + var unencryptedInputToDeserializer = descriptorElement.Elements().Single().DecryptElement(_activator); var deserializerInstance = _activator.CreateInstance(descriptorDeserializerTypeName); var descriptorInstance = deserializerInstance.ImportFromXml(unencryptedInputToDeserializer); 
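Review bot: In the `@@ -415,11` hunk of XmlKeyManager.cs the deserializer type name is read from an attribute of the key XML and passed straight to `_activator.CreateInstance(descriptorDeserializerTypeName)`, and nothing in the hunk records who is trusted to write that attribute. I would add a comment above that line, such as `// The type name comes from the key repository; whoever can write there selects the type created here, so the repository must be write-protected.` Whether the activator restricts the types it will create is not visible in this hunk, so the wording should be confirmed against its implementation. `keyElement.Element(DescriptorElementName)` can also return null, which the next line dereferences; the enclosing `try` opens inside the hunk but its handler is outside it.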
@@ -450,7 +450,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement new XElement(ReasonElementName, reason)); // Persist it to the underlying repository and trigger the cancellation token - string friendlyName = Invariant($"revocation-{keyId:D}"); + var friendlyName = Invariant($"revocation-{keyId:D}"); KeyRepository.StoreElement(revocationElement, friendlyName); TriggerAndResetCacheExpirationToken(); } diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index b3190b8f58..917d01f190 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -72,7 +72,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed var EMPTY_ARRAY = new byte[0]; var EMPTY_ARRAY_SEGMENT = new ArraySegment(EMPTY_ARRAY); - byte[] retVal = new byte[checked( + var retVal = new byte[checked( 1 /* KDF alg */ + 1 /* chaining mode */ + sizeof(uint) /* sym alg key size */ @@ -82,7 +82,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */ + _validationAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)]; - int idx = 0; + var idx = 0; // First is the two-byte header retVal[idx++] = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF 
@@ -97,7 +97,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmDigestLengthInBytes); // See the design document for an explanation of the following code. - byte[] tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _validationAlgorithmSubkeyLengthInBytes]; + var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _validationAlgorithmSubkeyLengthInBytes]; ManagedSP800_108_CTR_HMACSHA512.DeriveKeys( kdk: EMPTY_ARRAY, label: EMPTY_ARRAY_SEGMENT, @@ -114,7 +114,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed rgbKey: new ArraySegment(tempKeys, 0, _symmetricAlgorithmSubkeyLengthInBytes).AsStandaloneArray(), rgbIV: new byte[_symmetricAlgorithmBlockSizeInBytes])) { - byte[] ciphertext = cryptoTransform.TransformFinalBlock(EMPTY_ARRAY, 0, 0); + var ciphertext = cryptoTransform.TransformFinalBlock(EMPTY_ARRAY, 0, 0); CryptoUtil.Assert(ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes, "ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes"); Buffer.BlockCopy(ciphertext, 0, retVal, idx, ciphertext.Length); } @@ -125,7 +125,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed // MAC a zero-length input string and copy the digest to the return buffer. using (var hashAlg = CreateValidationAlgorithm(new ArraySegment(tempKeys, _symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes).AsStandaloneArray())) { - byte[] digest = hashAlg.ComputeHash(EMPTY_ARRAY); + var digest = hashAlg.ComputeHash(EMPTY_ARRAY); CryptoUtil.Assert(digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes, "digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes"); Buffer.BlockCopy(digest, 0, retVal, idx, digest.Length); } 
@@ -187,16 +187,16 @@ namespace Microsoft.AspNetCore.DataProtection.Managed } ArraySegment keyModifier = new ArraySegment(protectedPayload.Array, keyModifierOffset, ivOffset - keyModifierOffset); - byte[] iv = new byte[_symmetricAlgorithmBlockSizeInBytes]; + var iv = new byte[_symmetricAlgorithmBlockSizeInBytes]; Buffer.BlockCopy(protectedPayload.Array, ivOffset, iv, 0, iv.Length); // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys. // We pin all unencrypted keys to limit their exposure via GC relocation. - byte[] decryptedKdk = new byte[_keyDerivationKey.Length]; - byte[] decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; - byte[] validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes]; - byte[] derivedKeysBuffer = new byte[checked(decryptionSubkey.Length + validationSubkey.Length)]; + var decryptedKdk = new byte[_keyDerivationKey.Length]; + var decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; + var validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes]; + var derivedKeysBuffer = new byte[checked(decryptionSubkey.Length + validationSubkey.Length)]; fixed (byte* __unused__1 = decryptedKdk) fixed (byte* __unused__2 = decryptionSubkey) @@ -289,8 +289,8 @@ namespace Microsoft.AspNetCore.DataProtection.Managed // Step 1: Generate a random key modifier and IV for this operation. // Both will be equal to the block size of the block cipher algorithm. - byte[] keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES); - byte[] iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes); + var keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES); + var iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes); // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header. 
@@ -302,10 +302,10 @@ namespace Microsoft.AspNetCore.DataProtection.Managed // Step 3: Decrypt the KDK, and use it to generate new encryption and HMAC keys. // We pin all unencrypted keys to limit their exposure via GC relocation. - byte[] decryptedKdk = new byte[_keyDerivationKey.Length]; - byte[] encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; - byte[] validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes]; - byte[] derivedKeysBuffer = new byte[checked(encryptionSubkey.Length + validationSubkey.Length)]; + var decryptedKdk = new byte[_keyDerivationKey.Length]; + var encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes]; + var validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes]; + var derivedKeysBuffer = new byte[checked(encryptionSubkey.Length + validationSubkey.Length)]; fixed (byte* __unused__1 = decryptedKdk) fixed (byte* __unused__2 = encryptionSubkey) @@ -345,12 +345,12 @@ namespace Microsoft.AspNetCore.DataProtection.Managed { #if !NETSTANDARD1_3 // As an optimization, avoid duplicating the underlying buffer if we're on desktop CLR. - byte[] underlyingBuffer = outputStream.GetBuffer(); + var underlyingBuffer = outputStream.GetBuffer(); #else - byte[] underlyingBuffer = outputStream.ToArray(); + var underlyingBuffer = outputStream.ToArray(); #endif - byte[] mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES)); + var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES)); outputStream.Write(mac, 0, mac.Length); // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) } diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs index 31100a0ef0..d334f36672 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs @@ -17,7 +17,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed public byte[] GenRandom(int numBytes) { - byte[] bytes = new byte[numBytes]; + var bytes = new byte[numBytes]; _rng.GetBytes(bytes); return bytes; } diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs index d4d96a101a..31c44f66ea 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs @@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection { if (propInfo.IsDefined(typeof(ApplyPolicyAttribute))) { - object valueFromRegistry = key.GetValue(propInfo.Name); + var valueFromRegistry = key.GetValue(propInfo.Name); if (valueFromRegistry != null) { if (propInfo.PropertyType == typeof(string)) @@ -68,7 +68,7 @@ namespace Microsoft.AspNetCore.DataProtection { foreach (string sinkFromRegistry in sinksFromRegistry.Split(';')) { - string candidate = sinkFromRegistry.Trim(); + var candidate = sinkFromRegistry.Trim(); if (!String.IsNullOrEmpty(candidate)) { typeof(IKeyEscrowSink).AssertIsAssignableFrom(Type.GetType(candidate, throwOnError: true)); @@ -85,7 +85,7 @@ namespace Microsoft.AspNetCore.DataProtection /// public static ServiceDescriptor[] ResolveDefaultPolicy() { - RegistryKey subKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection"); + var subKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection"); if (subKey != null) { using (subKey) diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs index 35ebca2067..e5f0f9379b 100644 
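Review bot: In the `@@ -68,7` hunk of RegistryPolicyResolver.cs each `candidate` string read from the registry goes to `Type.GetType(candidate, throwOnError: true)`, so the registry value decides which type is resolved, and no comment states that trust assumption. The `@@ -85,7` hunk shows the key is opened under `Registry.LocalMachine`, so a line such as `// Policy values live under HKLM and are treated as administrator-controlled input.` above the loop would make the boundary explicit. The loop body continues past the end of the hunk.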
--- a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs @@ -48,7 +48,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories throw new ArgumentNullException(nameof(element)); } - XElement cloned = new XElement(element); // makes a deep copy so caller doesn't inadvertently modify it + var cloned = new XElement(element); // makes a deep copy so caller doesn't inadvertently modify it // under lock for thread safety lock (_storedElements) diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index 9969a8b22f..fc47f43778 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -103,7 +103,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { #if !NETSTANDARD1_3 // Environment.GetFolderPath returns null if the user profile isn't loaded. - string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); + var folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); if (!String.IsNullOrEmpty(folderPath)) { return GetKeyStorageDirectoryFromBaseAppDataPath(folderPath); @@ -161,7 +161,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories // the %HOME% variable to build up our base key storage path. if (!String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"))) { - string homeEnvVar = Environment.GetEnvironmentVariable("HOME"); + var homeEnvVar = Environment.GetEnvironmentVariable("HOME"); if (!String.IsNullOrEmpty(homeEnvVar)) { return GetKeyStorageDirectoryFromBaseAppDataPath(homeEnvVar); 
@@ -202,7 +202,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories if (!IsSafeFilename(friendlyName)) { - string newFriendlyName = Guid.NewGuid().ToString(); + var newFriendlyName = Guid.NewGuid().ToString(); _logger?.NameIsNotSafeFileName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } @@ -217,8 +217,8 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories // crashes mid-write, we won't end up with a corrupt .xml file. Directory.Create(); // won't throw if the directory already exists - string tempFilename = Path.Combine(Directory.FullName, Guid.NewGuid().ToString() + ".tmp"); - string finalFilename = Path.Combine(Directory.FullName, filename + ".xml"); + var tempFilename = Path.Combine(Directory.FullName, Guid.NewGuid().ToString() + ".tmp"); + var finalFilename = Path.Combine(Directory.FullName, filename + ".xml"); try { diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs index b0fbc3a347..fa237c6f7e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs @@ -88,7 +88,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories foreach (string valueName in RegistryKey.GetValueNames()) { - XElement element = ReadElementFromRegKey(RegistryKey, valueName); + var element = ReadElementFromRegKey(RegistryKey, valueName); if (element != null) { yield return element; 
@@ -107,7 +107,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories // Even though this is in HKLM, WAS ensures that applications hosted in IIS are properly isolated. // See APP_POOL::EnsureSharedMachineKeyStorage in WAS source for more info. // The version number will need to change if IIS hosts Core CLR directly. - string aspnetAutoGenKeysBaseKeyName = Invariant($@"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{WindowsIdentity.GetCurrent().User.Value}"); + var aspnetAutoGenKeysBaseKeyName = Invariant($@"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{WindowsIdentity.GetCurrent().User.Value}"); var aspnetBaseKey = hklmBaseKey.OpenSubKey(aspnetAutoGenKeysBaseKeyName, writable: true); if (aspnetBaseKey != null) { @@ -143,7 +143,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { _logger?.ReadingDataFromRegistryKeyValue(regKey, valueName); - string data = regKey.GetValue(valueName) as string; + var data = regKey.GetValue(valueName) as string; return (!String.IsNullOrEmpty(data)) ? XElement.Parse(data) : null; } @@ -156,7 +156,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories if (!IsSafeRegistryValueName(friendlyName)) { - string newFriendlyName = Guid.NewGuid().ToString(); + var newFriendlyName = Guid.NewGuid().ToString(); _logger?.NameIsNotSafeRegistryValueName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs index 4991121eb2..57e8f0472c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs 
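Review bot: The changed line in the `@@ -107,7` hunk of RegistryXmlRepository.cs calls `WindowsIdentity.GetCurrent()` inline and never disposes the returned identity, while DpapiNGXmlEncryptor.cs in this same patch wraps the identical call in `using (var currentIdentity = WindowsIdentity.GetCurrent())`. I would follow that pattern here and read the SID inside a `using` block, e.g. `string sid; using (var identity = WindowsIdentity.GetCurrent()) { sid = identity.User.Value; }`, then interpolate `sid` into the key name. `User` is dereferenced without a null check in both places; whether it can be null for the identities this code runs under is not visible here. The enclosing method starts and ends outside the hunk.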
@@ -13,13 +13,13 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 public static void DeriveKeys(byte[] kdk, ArraySegment label, ArraySegment context, Func prfFactory, ArraySegment output) { // make copies so we can mutate these local vars - int outputOffset = output.Offset; - int outputCount = output.Count; + var outputOffset = output.Offset; + var outputCount = output.Count; - using (HashAlgorithm prf = prfFactory(kdk)) + using (var prf = prfFactory(kdk)) { // See SP800-108, Sec. 5.1 for the format of the input to the PRF routine. - byte[] prfInput = new byte[checked(sizeof(uint) /* [i]_2 */ + label.Count + 1 /* 0x00 */ + context.Count + sizeof(uint) /* [K]_2 */)]; + var prfInput = new byte[checked(sizeof(uint) /* [i]_2 */ + label.Count + 1 /* 0x00 */ + context.Count + sizeof(uint) /* [K]_2 */)]; // Copy [L]_2 to prfInput since it's stable over all iterations uint outputSizeInBits = (uint)checked((int)outputCount * 8); @@ -32,7 +32,7 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 Buffer.BlockCopy(label.Array, label.Offset, prfInput, sizeof(uint), label.Count); Buffer.BlockCopy(context.Array, context.Offset, prfInput, sizeof(int) + label.Count + 1, context.Count); - int prfOutputSizeInBytes = prf.GetDigestSizeInBytes(); + var prfOutputSizeInBytes = prf.GetDigestSizeInBytes(); for (uint i = 1; outputCount > 0; i++) { // Copy [i]_2 to prfInput since it mutates with each iteration 
@@ -42,9 +42,9 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 prfInput[3] = (byte)(i); // Run the PRF and copy the results to the output buffer - byte[] prfOutput = prf.ComputeHash(prfInput); + var prfOutput = prf.ComputeHash(prfInput); CryptoUtil.Assert(prfOutputSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length"); - int numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount); + var numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount); Buffer.BlockCopy(prfOutput, 0, output.Array, outputOffset, numBytesToCopyThisIteration); Array.Clear(prfOutput, 0, prfOutput.Length); // contains key material, so delete it @@ -57,7 +57,7 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 public static void DeriveKeysWithContextHeader(byte[] kdk, ArraySegment label, byte[] contextHeader, ArraySegment context, Func prfFactory, ArraySegment output) { - byte[] combinedContext = new byte[checked(contextHeader.Length + context.Count)]; + var combinedContext = new byte[checked(contextHeader.Length + context.Count)]; Buffer.BlockCopy(contextHeader, 0, combinedContext, 0, contextHeader.Length); Buffer.BlockCopy(context.Array, context.Offset, combinedContext, contextHeader.Length, context.Count); DeriveKeys(kdk, label, new ArraySegment(combinedContext), prfFactory, output); diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs index 8900bed9ed..adb084a0c9 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs 
@@ -10,7 +10,7 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 { public static void DeriveKeyWithContextHeader(this ISP800_108_CTR_HMACSHA512Provider provider, byte* pbLabel, uint cbLabel, byte[] contextHeader, byte* pbContext, uint cbContext, byte* pbDerivedKey, uint cbDerivedKey) { - uint cbCombinedContext = checked((uint)contextHeader.Length + cbContext); + var cbCombinedContext = checked((uint)contextHeader.Length + cbContext); // Try allocating the combined context on the stack to avoid temporary managed objects; only fall back to heap if buffers are too large. byte[] heapAllocatedCombinedContext = (cbCombinedContext > Constants.MAX_STACKALLOC_BYTES) ? new byte[cbCombinedContext] : null; diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs index b55d5cf9af..c28af6f0a3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs @@ -39,7 +39,7 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 // Creates a provider from the given secret. public static ISP800_108_CTR_HMACSHA512Provider CreateProvider(Secret kdk) { - uint secretLengthInBytes = checked((uint)kdk.Length); + var secretLengthInBytes = checked((uint)kdk.Length); if (secretLengthInBytes == 0) { return CreateEmptyProvider(); diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs index 063d3c8ad8..a2143ff872 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs 
@@ -25,7 +25,7 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 // NOTE: pbDerivedKey and cbDerivedKey are modified as data is copied to the output buffer. // this will be zero-inited - byte[] tempInputBuffer = new byte[checked( + var tempInputBuffer = new byte[checked( sizeof(int) /* [i] */ + cbLabel /* Label */ + 1 /* 0x00 */ diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs index f57c5a7a27..be7fe7c917 100644 --- a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs @@ -45,14 +45,14 @@ namespace Microsoft.AspNetCore.DataProtection.SP800_108 pBuffers[2].cbBuffer = checked(SHA512_ALG_CHAR_COUNT * sizeof(char)); // Add the header which points to the buffers - BCryptBufferDesc bufferDesc = default(BCryptBufferDesc); + var bufferDesc = default(BCryptBufferDesc); BCryptBufferDesc.Initialize(ref bufferDesc); bufferDesc.cBuffers = 3; bufferDesc.pBuffers = pBuffers; // Finally, invoke the KDF uint numBytesDerived; - int ntstatus = UnsafeNativeMethods.BCryptKeyDerivation( + var ntstatus = UnsafeNativeMethods.BCryptKeyDerivation( hKey: _keyHandle, pParameterList: &bufferDesc, pbDerivedKey: pbDerivedKey, diff --git a/src/Microsoft.AspNetCore.DataProtection/Secret.cs b/src/Microsoft.AspNetCore.DataProtection/Secret.cs index 15daf4fac5..05c1c212bd 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Secret.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Secret.cs @@ -74,7 +74,7 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(secret)); } - Secret other = secret as Secret; + var other = secret as Secret; if (other != null) { // Fast-track: simple deep copy scenario. 
@@ -85,7 +85,7 @@ namespace Microsoft.AspNetCore.DataProtection { // Copy the secret to a temporary managed buffer, then protect the buffer. // We pin the temp buffer and zero it out when we're finished to limit exposure of the secret. - byte[] tempPlaintextBuffer = new byte[secret.Length]; + var tempPlaintextBuffer = new byte[secret.Length]; fixed (byte* pbTempPlaintextBuffer = tempPlaintextBuffer) { try @@ -136,14 +136,14 @@ namespace Microsoft.AspNetCore.DataProtection // mark this memory page as non-pageable, but this is fraught with peril. if (!OSVersionUtil.IsWindows()) { - SecureLocalAllocHandle handle = SecureLocalAllocHandle.Allocate((IntPtr)checked((int)cbPlaintext)); + var handle = SecureLocalAllocHandle.Allocate((IntPtr)checked((int)cbPlaintext)); UnsafeBufferUtil.BlockCopy(from: pbPlaintext, to: handle, byteCount: cbPlaintext); return handle; } // We need to make sure we're a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE. - uint numTotalBytesToAllocate = cbPlaintext; - uint numBytesPaddingRequired = CRYPTPROTECTMEMORY_BLOCK_SIZE - (numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE); + var numTotalBytesToAllocate = cbPlaintext; + var numBytesPaddingRequired = CRYPTPROTECTMEMORY_BLOCK_SIZE - (numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE); if (numBytesPaddingRequired == CRYPTPROTECTMEMORY_BLOCK_SIZE) { numBytesPaddingRequired = 0; // we're already a proper multiple of the block size 
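Review bot: In the `@@ -136,14` hunk of Secret.cs, `var numTotalBytesToAllocate` and `var numBytesPaddingRequired` now take their types from `cbPlaintext` and `CRYPTPROTECTMEMORY_BLOCK_SIZE`, both declared outside the hunk, so the width and signedness of the padding arithmetic are no longer stated where it happens. These values size the buffer passed to `SecureLocalAllocHandle.Allocate` in the following hunk, and a later change to the constant's declared type would silently change the arithmetic. I would keep the explicit type on these two lines, `uint numTotalBytesToAllocate = cbPlaintext;` and `uint numBytesPaddingRequired = ...;`, as the patch itself does for `uint outputSizeInBits` in ManagedSP800_108_CTR_HMACSHA512.cs.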
@@ -152,7 +152,7 @@ namespace Microsoft.AspNetCore.DataProtection CryptoUtil.Assert(numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0, "numTotalBytesToAllocate % CRYPTPROTECTMEMORY_BLOCK_SIZE == 0"); // Allocate and copy plaintext data; padding is uninitialized / undefined. - SecureLocalAllocHandle encryptedMemoryHandle = SecureLocalAllocHandle.Allocate((IntPtr)numTotalBytesToAllocate); + var encryptedMemoryHandle = SecureLocalAllocHandle.Allocate((IntPtr)numTotalBytesToAllocate); UnsafeBufferUtil.BlockCopy(from: pbPlaintext, to: encryptedMemoryHandle, byteCount: cbPlaintext); // Finally, CryptProtectMemory the whole mess. @@ -187,7 +187,7 @@ namespace Microsoft.AspNetCore.DataProtection return new Secret(ManagedGenRandomImpl.Instance.GenRandom(numBytes)); } - byte[] bytes = new byte[numBytes]; + var bytes = new byte[numBytes]; fixed (byte* pbBytes = bytes) { try diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 03c784cb72..4e7a538ea0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -112,7 +112,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption // ... // - XElement encryptedElement = EncryptElement(plaintextElement); + var encryptedElement = EncryptElement(plaintextElement); return new EncryptedXmlInfo(encryptedElement, typeof(EncryptedXmlDecryptor)); } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs index cab86abdbf..653beffad1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs 
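Review bot: In the `@@ -187,7` hunk of Secret.cs the early-return path passes the array from `ManagedGenRandomImpl.Instance.GenRandom(numBytes)` straight into `new Secret(...)`, so that temporary copy of the random bytes is neither pinned nor cleared, unlike `bytes` in the path right below, which is pinned with `fixed` and enters a `try`. Unless the `Secret` constructor clears its input (not visible here), I would hold the array in a local and wipe it: `var managedBytes = ManagedGenRandomImpl.Instance.GenRandom(numBytes);` followed by `try { return new Secret(managedBytes); } finally { Array.Clear(managedBytes, 0, managedBytes.Length); }`. The method starts before the hunk and its `try` body continues past it.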
@@ -58,7 +58,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption // {base64} // - byte[] protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")); + var protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")); if (_logger.IsDebugLevelEnabled()) { string protectionDescriptorRule; @@ -74,7 +74,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption _logger.DecryptingSecretElementUsingWindowsDPAPING(protectionDescriptorRule); } - using (Secret secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(protectedSecret)) + using (var secret = DpapiSecretSerializerHelper.UnprotectWithDpapiNG(protectedSecret)) { return secret.ToXElement(); } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index cc303bec31..3ec4325edd 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -49,7 +49,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption CryptoUtil.AssertPlatformIsWindows8OrLater(); - int ntstatus = UnsafeNativeMethods.NCryptCreateProtectionDescriptor(protectionDescriptorRule, (uint)flags, out _protectionDescriptorHandle); + var ntstatus = UnsafeNativeMethods.NCryptCreateProtectionDescriptor(protectionDescriptorRule, (uint)flags, out _protectionDescriptorHandle); UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); CryptoUtil.AssertSafeHandleIsValid(_protectionDescriptorHandle); 
@@ -72,14 +72,14 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption throw new ArgumentNullException(nameof(plaintextElement)); } - string protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); + var protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); _logger?.EncryptingToWindowsDPAPINGUsingProtectionDescriptorRule(protectionDescriptorRuleString); // Convert the XML element to a binary secret so that it can be run through DPAPI byte[] cngDpapiEncryptedData; try { - using (Secret plaintextElementAsSecret = plaintextElement.ToSecret()) + using (var plaintextElementAsSecret = plaintextElement.ToSecret()) { cngDpapiEncryptedData = DpapiSecretSerializerHelper.ProtectWithDpapiNG(plaintextElementAsSecret, _protectionDescriptorHandle); } @@ -115,7 +115,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption // Creates a SID=... protection descriptor string for the current user. // Reminder: DPAPI:NG provides only encryption, not authentication. - using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent()) + using (var currentIdentity = WindowsIdentity.GetCurrent()) { // use the SID to create an SDDL string return Invariant($"SID={currentIdentity.User.Value}"); diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs index 28fc289dbb..6241263350 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs 
@@ -56,8 +56,8 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption // {base64} // - byte[] protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")); - using (Secret secret = DpapiSecretSerializerHelper.UnprotectWithDpapi(protectedSecret)) + var protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")); + using (var secret = DpapiSecretSerializerHelper.UnprotectWithDpapi(protectedSecret)) { return secret.ToXElement(); } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 54d52c39aa..5b216ec581 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -73,7 +73,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption byte[] dpapiEncryptedData; try { - using (Secret plaintextElementAsSecret = plaintextElement.ToSecret()) + using (var plaintextElementAsSecret = plaintextElement.ToSecret()) { dpapiEncryptedData = DpapiSecretSerializerHelper.ProtectWithDpapi(plaintextElementAsSecret, protectToLocalMachine: _protectToLocalMachine); } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index 2d155ef62a..073b82386d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs @@ -134,7 +134,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption element.Save(memoryStream); #if !NETSTANDARD1_3 - byte[] underlyingBuffer = memoryStream.GetBuffer(); + var underlyingBuffer = memoryStream.GetBuffer(); fixed (byte* __unused__ = underlyingBuffer) // try to limit this moving around in memory while we allocate { try 
@@ -168,13 +168,13 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// public static XElement ToXElement(this Secret secret) { - byte[] plaintextSecret = new byte[secret.Length]; + var plaintextSecret = new byte[secret.Length]; fixed (byte* __unused__ = plaintextSecret) // try to keep the GC from moving it around { try { secret.WriteSecretIntoBuffer(new ArraySegment(plaintextSecret)); - MemoryStream memoryStream = new MemoryStream(plaintextSecret, writable: false); + var memoryStream = new MemoryStream(plaintextSecret, writable: false); return XElement.Load(memoryStream); } finally From c7074a42e7354e7cfb7372611a636fe28ee55612 Mon Sep 17 00:00:00 2001 From: BrennanConroy Date: Tue, 2 Aug 2016 13:11:14 -0700 Subject: [PATCH 280/493] Update .travis.yml --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 1d38d49d13..ada231a672 100644 --- a/.travis.yml +++ b/.travis.yml @@ -23,7 +23,7 @@ branches: - dev - /^(.*\/)?ci-.*$/ before_install: - - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; brew link --force openssl; fi + - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/; fi script: - ./build.sh verify notifications: @@ -31,4 +31,4 @@ notifications: secure: "QLltxzNQ+TUgMurX3FuWB37LVsRx6kZBTXk4JG/BELqO5/Xuwzf8ChElW29d4AbwOeYv5ONYyrvdnLtel8MJCMs8rCxZ2kZZtmUtGdUpPeMavmrvDYQeNqHhFYpLu+bEjxuilGoVI2qonI29S3Q9fC+grXsktGPwPmhyulHbwkk=" on_success: always on_failure: always - on_start: always \ No newline at end of file + on_start: always From 8691686dd87f9270c759f676415e0a9e2f164b35 Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Mon, 8 Aug 2016 12:35:41 -0700 Subject: [PATCH 281/493] Updating to Moq \ Castle.Core that does not require imports --- .../project.json | 5 ++--- .../project.json | 5 ++--- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 5 ++--- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 0fba881c20..2c510e4d62 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -4,7 +4,7 @@ "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", - "Moq": "4.6.25-*", + "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, "frameworks": { @@ -15,8 +15,7 @@ "type": "platform" }, "System.Diagnostics.TraceSource": "4.0.0-*" - }, - "imports": "dotnet5.4" + } }, "net451": {} }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index e54428104e..10e9f2f86f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -8,7 +8,7 @@ "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.1.0-*", - "Moq": "4.6.25-*", + "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, "frameworks": { @@ -19,8 +19,7 @@ "type": "platform" }, "System.Diagnostics.TraceSource": "4.0.0-*" - }, - "imports": "dotnet5.4" + } }, "net451": {} }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 81d1700afe..8f207a4c81 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json 
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -9,7 +9,7 @@ }, "Microsoft.AspNetCore.Testing": "1.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", - "Moq": "4.6.25-*", + "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, "frameworks": { @@ -20,8 +20,7 @@ "type": "platform" }, "System.Diagnostics.TraceSource": "4.0.0-*" - }, - "imports": "dotnet5.4" + } }, "net451": {} }, From cb68dd8cd360bc91a8ac4ea7527f72a1b65831d2 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 9 Aug 2016 14:57:36 -0700 Subject: [PATCH 282/493] Switching to dotnet.myget.org feed --- NuGet.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NuGet.config b/NuGet.config index 1707938c61..826a1f9035 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + - + \ No newline at end of file From b876319379248788100e0dec3ed54ff9076bc752 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Tue, 9 Aug 2016 15:23:40 -0700 Subject: [PATCH 283/493] Detect pool user in script --- Provision-AutoGenKeys.ps1 | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/Provision-AutoGenKeys.ps1 b/Provision-AutoGenKeys.ps1 index 31f060210b..9be7e1601d 100644 --- a/Provision-AutoGenKeys.ps1 +++ b/Provision-AutoGenKeys.ps1 
@@ -69,14 +69,49 @@ function Provision-AutoGenKeys { } $ErrorActionPreference = "Stop" +if (Get-Command Get-IISAppPool -errorAction SilentlyContinue) +{ + $processModel = (Get-IISAppPool $appPoolName).processModel +} +else +{ + Import-Module WebAdministration + $processModel = Get-ItemProperty -Path "IIS:\AppPools\$appPoolName" -Name "processModel" +} + +$identityType = $processModel.identityType +Write-Output "Pool process model: '$identityType'" + +Switch ($identityType) +{ + "LocalService" { + $userName = "LocalService"; + } + "LocalSystem" { + $userName = "System"; + } + "NetworkService" { + $userName = "NetworkService"; + } + "ApplicationPoolIdentity" { + $userName = "IIS APPPOOL\$appPoolName"; + } + "SpecificUser" { + $userName = $processModel.userName; + } +} +Write-Output "Pool user name: '$userName'" + Try { - $poolSid = (New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$appPoolName")).Translate([System.Security.Principal.SecurityIdentifier]).Value + $poolSid = (New-Object System.Security.Principal.NTAccount($userName)).Translate([System.Security.Principal.SecurityIdentifier]).Value } Catch [System.Security.Principal.IdentityNotMappedException] { Write-Error "Application pool '$appPoolName' account cannot be resolved." } -Provision-AutoGenKeys "4.0" "32" $poolSid +Write-Output "Pool SID: '$poolSid'" + +Provision-AutoGenKeys "4.0" "32" $poolSid Provision-AutoGenKeys "4.0" "64" $poolSid From b340b0f0f73db72045b3c6577eaff60b5772906d Mon Sep 17 00:00:00 2001 
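Review bot: The `Switch ($identityType)` block has no default branch, so an identity type outside the five listed values leaves `$userName` unset. The `NTAccount` construction that follows then fails with an exception that the `Catch [System.Security.Principal.IdentityNotMappedException]` handler does not cover. Because the resolved SID is what `Provision-AutoGenKeys` is granted access for, the script should fail early with a clear message: `default { throw "Unsupported application pool identity type '$identityType'." }`. For `SpecificUser` it is also worth checking that `$processModel.userName` is non-empty before translating it. The body of `Provision-AutoGenKeys` itself lies outside this hunk.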
From: Pavel Krymets Date: Fri, 2 Sep 2016 11:56:47 -0700 Subject: [PATCH 284/493] Add Redis IXmlRepository implementation (#173) --- DataProtection.sln | 38 +++++++++- NuGetPackageVerifier.json | 1 + samples/Redis/Program.cs | 33 ++++++++ samples/Redis/Redis.xproj | 19 +++++ samples/Redis/project.json | 16 ++++ ...soft.AspNetCore.DataProtection.Redis.xproj | 19 +++++ .../RedisDataProtectionBuilderExtensions.cs | 76 +++++++++++++++++++ .../RedisXmlRepository.cs | 59 ++++++++++++++ .../project.json | 31 ++++++++ .../DataProtectionRedisTests.cs | 59 ++++++++++++++ ...AspNetCore.DataProtection.Redis.Test.xproj | 19 +++++ .../project.json | 21 +++++ 12 files changed, 389 insertions(+), 2 deletions(-) create mode 100644 samples/Redis/Program.cs create mode 100644 samples/Redis/Redis.xproj create mode 100644 samples/Redis/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj create mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/project.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json diff --git a/DataProtection.sln b/DataProtection.sln index 684647bcdc..462c11dab8 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -1,7 +1,6 @@ - Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.22710.0 +VisualStudioVersion = 14.0.25420.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject 
@@ -33,6 +32,14 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataPr EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Extensions", "src\Microsoft.AspNetCore.DataProtection.Extensions\Microsoft.AspNetCore.DataProtection.Extensions.xproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.xproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Redis", "samples\Redis\Redis.xproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "sample", "sample", "{3A6C77DB-FD3D-4B20-A52B-34F7A7E1AED2}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis.Test", "test\Microsoft.AspNetCore.DataProtection.Redis.Test\Microsoft.AspNetCore.DataProtection.Redis.Test.xproj", "{ABCF00E5-5B2F-469C-90DC-908C5A04C08D}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -141,6 +148,30 @@ Global {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|Any CPU.Build.0 = Release|Any CPU {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|x86.ActiveCfg = Release|Any CPU {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|x86.Build.0 = Release|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|Any CPU.Build.0 = Debug|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|x86.ActiveCfg = Debug|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|x86.Build.0 = Debug|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|Any CPU.ActiveCfg = Release|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|Any CPU.Build.0 = Release|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|x86.ActiveCfg = Release|Any CPU + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|x86.Build.0 = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|Any CPU.Build.0 = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|x86.ActiveCfg = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|x86.Build.0 = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|Any CPU.ActiveCfg = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|Any CPU.Build.0 = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.ActiveCfg = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.Build.0 = Release|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|Any CPU.Build.0 = Debug|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|x86.ActiveCfg = Debug|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|x86.Build.0 = Debug|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|Any CPU.ActiveCfg = Release|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|Any 
CPU.Build.0 = Release|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|x86.ActiveCfg = Release|Any CPU + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -159,5 +190,8 @@ Global {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {04AA8E60-A053-4D50-89FE-E76C3DF45200} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {BF8681DB-C28B-441F-BD92-0DCFE9537A9F} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9} = {3A6C77DB-FD3D-4B20-A52B-34F7A7E1AED2} + {ABCF00E5-5B2F-469C-90DC-908C5A04C08D} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} EndGlobalSection EndGlobal diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index f5a8168e06..af9e7d025d 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json @@ -9,6 +9,7 @@ "Microsoft.AspNetCore.DataProtection": { }, "Microsoft.AspNetCore.DataProtection.Abstractions": { }, "Microsoft.AspNetCore.DataProtection.Extensions": { }, + "Microsoft.AspNetCore.DataProtection.Redis": { }, "Microsoft.AspNetCore.DataProtection.SystemWeb": { } } }, diff --git a/samples/Redis/Program.cs b/samples/Redis/Program.cs new file mode 100644 index 0000000000..6bc61bdb70 --- /dev/null +++ b/samples/Redis/Program.cs 
@@ -0,0 +1,33 @@ +using System; +using Microsoft.AspNetCore.DataProtection; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; +using Microsoft.AspNetCore.DataProtection.Redis; +using StackExchange.Redis; + +namespace Redis +{ + public class Program + { + public static void Main(string[] args) + { + // Connect + var redis = ConnectionMultiplexer.Connect("localhost:6379"); + + // Configure + var serviceCollection = new ServiceCollection(); + serviceCollection.AddLogging(); + serviceCollection.AddDataProtection() + .PersistKeysToRedis(redis, "DataProtection-Keys"); + + var services = serviceCollection.BuildServiceProvider(); + var loggerFactory = services.GetService(); + loggerFactory.AddConsole(LogLevel.Trace); + + // Run a sample payload + var protector = services.GetDataProtector("sample-purpose"); + var protectedData = protector.Protect("Hello world!"); + Console.WriteLine(protectedData); + } + } +} \ No newline at end of file diff --git a/samples/Redis/Redis.xproj b/samples/Redis/Redis.xproj new file mode 100644 index 0000000000..29ab6c0dc5 --- /dev/null +++ b/samples/Redis/Redis.xproj @@ -0,0 +1,19 @@ + + + + 14.0.25420 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 24aaec96-df46-4f61-b2ff-3d5e056685d9 + Redis + .\obj + .\bin\ + + + + 2.0 + + + \ No newline at end of file diff --git a/samples/Redis/project.json b/samples/Redis/project.json new file mode 100644 index 0000000000..a09b7bda3a --- /dev/null +++ b/samples/Redis/project.json @@ -0,0 +1,16 @@ +{ + "version": "1.0.0-*", + "buildOptions": { + "debugType": "portable", + "emitEntryPoint": true + }, + "dependencies": { + "Microsoft.AspNetCore.DataProtection.Redis": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection": "1.1.0-*", + "Microsoft.Extensions.Logging": "1.1.0-*", + "Microsoft.Extensions.Logging.Console": "1.1.0-*" + }, + "frameworks": { + "net451": { } + } +} 
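Review bot: The sample calls `PersistKeysToRedis(redis, "DataProtection-Keys")` without configuring a key encryptor, so anyone copying it will most likely end up with key-ring XML stored in Redis unencrypted. The key manager's defaults are not part of this hunk, so this should be confirmed against them. A comment above the call would make the gap visible: `// Keys stored in Redis are not encrypted at rest unless a key encryptor (for example ProtectKeysWithCertificate) is configured.` The `"localhost:6379"` connection string carries no password or TLS option, which is fine locally but deserves a `// local development only` remark next to `ConnectionMultiplexer.Connect`.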
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj new file mode 100644 index 0000000000..ed52548f61 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj @@ -0,0 +1,19 @@ + + + + 14.0.25420 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 0508adb0-9d2e-4506-9aa3-c15d7beae7c9 + Microsoft.AspNetCore.DataProtection.Redis + .\obj + .\bin\ + + + + 2.0 + + + \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs new file mode 100644 index 0000000000..2974d23ce9 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs 
@@ -0,0 +1,76 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using StackExchange.Redis;
+using Microsoft.AspNetCore.DataProtection.Repositories;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace Microsoft.AspNetCore.DataProtection
+{
+ ///
+ /// Contains Redis-specific extension methods for modifying a .
+ ///
+ public static class RedisDataProtectionBuilderExtensions
+ {
+ private const string DataProtectionKeysName = "DataProtection-Keys";
+
+ ///
+ /// Configures the data protection system to persist keys to specified key in Redis database
+ ///
+ /// The builder instance to modify.
+ /// The delegate used to create instances.
+ /// The used to store key list.
+ /// A reference to the after this operation has completed.
+ public static IDataProtectionBuilder PersistKeysToRedis(this IDataProtectionBuilder builder, Func databaseFactory, RedisKey key)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+ if (databaseFactory == null)
+ {
+ throw new ArgumentNullException(nameof(databaseFactory));
+ }
+ return PersistKeysToRedisInternal(builder, databaseFactory, key);
+ }
+
+ ///
+ /// Configures the data protection system to persist keys to the default key ('DataProtection-Keys') in Redis database
+ ///
+ /// The builder instance to modify.
+ /// The for database access.
+ /// A reference to the after this operation has completed.
+ public static IDataProtectionBuilder PersistKeysToRedis(this IDataProtectionBuilder builder, IConnectionMultiplexer connectionMultiplexer)
+ {
+ return PersistKeysToRedis(builder, connectionMultiplexer, DataProtectionKeysName);
+ }
+
+ ///
+ /// Configures the data protection system to persist keys to the specified key in Redis database
+ ///
+ /// The builder instance to modify.
+ /// The for database access.
+ /// The used to store key list.
+ /// A reference to the after this operation has completed.
+ public static IDataProtectionBuilder PersistKeysToRedis(this IDataProtectionBuilder builder, IConnectionMultiplexer connectionMultiplexer, RedisKey key)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+ if (connectionMultiplexer == null)
+ {
+ throw new ArgumentNullException(nameof(connectionMultiplexer));
+ }
+ return PersistKeysToRedisInternal(builder, () => connectionMultiplexer.GetDatabase(), key);
+ }
+
+ private static IDataProtectionBuilder PersistKeysToRedisInternal(IDataProtectionBuilder config, Func databaseFactory, RedisKey key)
+ {
+ config.Services.TryAddSingleton(services => new RedisXmlRepository(databaseFactory, key));
+ return config;
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs
new file mode 100644
index 0000000000..87a9338f64
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs
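Review bot: `PersistKeysToRedisInternal` registers the repository with `TryAddSingleton`, so if a repository of the same service type is already registered the call silently does nothing. The service type is presumably the XML repository interface; its generic argument is not legible on this page. The caller then believes the key ring is shared through Redis while keys keep going to the earlier store. Either replace the existing registration or state the ordering requirement in the summary comments of the three `PersistKeysToRedis` overloads, for example `/// Has no effect if a key repository has already been registered.`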
@@ -0,0 +1,59 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Xml.Linq;
+using StackExchange.Redis;
+using Microsoft.AspNetCore.DataProtection.Repositories;
+
+namespace Microsoft.AspNetCore.DataProtection
+{
+ ///
+ /// An XML repository backed by a Redis list entry.
+ ///
+ public class RedisXmlRepository: IXmlRepository
+ {
+ private readonly Func _databaseFactory;
+ private readonly RedisKey _key;
+
+ ///
+ /// Creates a with keys stored at the given directory.
+ ///
+ /// The delegate used to create instances.
+ /// The used to store key list.
+ public RedisXmlRepository(Func databaseFactory, RedisKey key)
+ {
+ _databaseFactory = databaseFactory;
+ _key = key;
+ }
+
+ ///
+ public IReadOnlyCollection GetAllElements()
+ {
+ return GetAllElementsCore().ToList().AsReadOnly();
+ }
+
+ private IEnumerable GetAllElementsCore()
+ {
+ // Note: Inability to read any value is considered a fatal error (since the file may contain
+ // revocation information), and we'll fail the entire operation rather than return a partial
+ // set of elements. If a value contains well-formed XML but its contents are meaningless, we
+ // won't fail that operation here. The caller is responsible for failing as appropriate given
+ // that scenario.
+ var database = _databaseFactory();
+ foreach (var value in database.ListRange(_key))
+ {
+ yield return XElement.Parse(value);
+ }
+ }
+
+ ///
+ public void StoreElement(XElement element, string friendlyName)
+ {
+ var database = _databaseFactory();
+ database.ListRightPush(_key, element.ToString(SaveOptions.DisableFormatting));
+ }
+ }
+}
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json
new file mode 100644
index 0000000000..b4aa251e99
--- /dev/null
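Review bot: The public `RedisXmlRepository` constructor stores `databaseFactory` without validating it, so a null delegate only shows up later as a NullReferenceException inside `GetAllElements` or `StoreElement`. Add `if (databaseFactory == null) { throw new ArgumentNullException(nameof(databaseFactory)); }`, matching the guards in the builder extensions. The constructor summary still says keys are "stored at the given directory" and the comment in `GetAllElementsCore` speaks of "the file"; both should refer to the Redis list. The class summary should also state that any client able to write to that list can add elements which `XElement.Parse` then returns as part of the key ring, so write access to the Redis key has to be restricted.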
+++ b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json @@ -0,0 +1,31 @@ +{ + "version": "0.1.0-*", + "description": "Redis storrage support as key store.", + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection", + "redis" + ] + }, + "dependencies": { + "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "StackExchange.Redis.StrongName": "1.1.603" + }, + "frameworks": { + "net451": {} + }, + "buildOptions": { + "allowUnsafe": true, + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk", + "nowarn": [ + "CS1591" + ], + "xmlDoc": true + } +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs new file mode 100644 index 0000000000..9e010090f8 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs 
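Review bot: `"allowUnsafe": true` under `buildOptions` looks unnecessary here, since the two C# files this commit adds to the package contain no `unsafe` or `fixed` code. It was probably copied from the core package's manifest. Dropping the line keeps the compiler from accepting unsafe blocks in a library that only talks to Redis. The `description` string also has a typo ("storrage").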
@@ -0,0 +1,59 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Linq; +using System.Xml; +using System.Xml.Linq; +using Moq; +using StackExchange.Redis; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection +{ + public class DataProtectionRedisTests + { + [Fact] + public void GetAllElements_ReturnsAllXmlValuesForGivenKey() + { + var database = new Mock(); + database.Setup(d => d.ListRange("Key", 0, -1, CommandFlags.None)).Returns(new RedisValue[] + { + "", + "", + }).Verifiable(); + var repo = new RedisXmlRepository(() => database.Object, "Key"); + + var elements = repo.GetAllElements().ToArray(); + + database.Verify(); + Assert.Equal(new XElement("Element1").ToString(), elements[0].ToString()); + Assert.Equal(new XElement("Element2").ToString(), elements[1].ToString()); + } + + [Fact] + public void GetAllElements_ThrowsParsingException() + { + var database = new Mock(); + database.Setup(d => d.ListRange("Key", 0, -1, CommandFlags.None)).Returns(new RedisValue[] + { + "", + " database.Object, "Key"); + + Assert.Throws(() => repo.GetAllElements()); + } + + [Fact] + public void StoreElement_PushesValueToList() + { + var database = new Mock(); + database.Setup(d => d.ListRightPush("Key", "", When.Always, CommandFlags.None)).Verifiable(); + var repo = new RedisXmlRepository(() => database.Object, "Key"); + + repo.StoreElement(new XElement("Element2"), null); + + database.Verify(); + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj new file mode 100644 index 0000000000..123ca898a3 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj 
@@ -0,0 +1,19 @@ + + + + 14.0.25420 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + abcf00e5-5b2f-469c-90dc-908c5a04c08d + Microsoft.AspNetCore.DataProtection.Redis.Test + .\obj + .\bin\ + + + + 2.0 + + + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json new file mode 100644 index 0000000000..32f76c1230 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json @@ -0,0 +1,21 @@ +{ + "dependencies": { + "dotnet-test-xunit": "2.2.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Redis": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Moq": "4.6.36-*", + "xunit": "2.2.0-*" + }, + "frameworks": { + "net451": {} + }, + "testRunner": "xunit", + "buildOptions": { + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk", + "compile": { + "include": "../common/**/*.cs" + } + } +} \ No newline at end of file From 8f8152f910f726aa5e6964d4001f2142bf750137 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Fri, 2 Sep 2016 16:16:41 -0700 Subject: [PATCH 285/493] Fix build error --- .../Properties/AssemblyInfo.cs | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..e3ae91c58b --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs 
@@ -0,0 +1,11 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Reflection; +using System.Resources; + +[assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] From 0e210dadea7f7089dc01a0aa736290cc5dc164df Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Tue, 6 Sep 2016 08:09:13 -0700 Subject: [PATCH 286/493] Port DataProtection blob XmlRepository (#163) --- DataProtection.sln | 61 +++- NuGetPackageVerifier.json | 1 + samples/AzureBlob/AzureBlob.xproj | 21 ++ samples/AzureBlob/Program.cs | 42 +++ samples/AzureBlob/project.json | 26 ++ .../AzureBlobXmlRepository.cs | 295 ++++++++++++++++++ .../AzureDataProtectionBuilderExtensions.cs | 171 ++++++++++ ...AspNetCore.DataProtection.Azure.Blob.xproj | 19 ++ .../Properties/AssemblyInfo.cs | 12 + .../project.json | 35 +++ .../AzureBlobXmlRepositoryTests.cs | 112 +++++++ ...tCore.DataProtection.Azure.Blob.Test.xproj | 21 ++ .../project.json | 38 +++ ...AspNetCore.DataProtection.Redis.Test.xproj | 4 +- 14 files changed, 846 insertions(+), 12 deletions(-) create mode 100644 samples/AzureBlob/AzureBlob.xproj create mode 100644 samples/AzureBlob/Program.cs create mode 100644 samples/AzureBlob/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureBlobXmlRepository.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureDataProtectionBuilderExtensions.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj create mode 100644 src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Properties/AssemblyInfo.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/AzureBlobXmlRepositoryTests.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj create mode 100644 test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json diff --git a/DataProtection.sln b/DataProtection.sln index 462c11dab8..20808113c9 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -34,12 +34,24 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataPr EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.xproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Redis", "samples\Redis\Redis.xproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Blob", "src\Microsoft.AspNetCore.DataProtection.Azure.Blob\Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" EndProject -Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "sample", "sample", "{3A6C77DB-FD3D-4B20-A52B-34F7A7E1AED2}" +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A5DE3-49AD-431C-971D-B01B62D94AE2}" +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "AzureBlob", "samples\AzureBlob\AzureBlob.xproj", "{B07435B3-CD81-4E3B-88A5-6384821E1C01}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis.Test", "test\Microsoft.AspNetCore.DataProtection.Redis.Test\Microsoft.AspNetCore.DataProtection.Redis.Test.xproj", "{ABCF00E5-5B2F-469C-90DC-908C5A04C08D}" EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{E1D86B1B-41D8-43C9-97FD-C2BF65C414E2}" + ProjectSection(SolutionItems) = preProject + global.json = global.json + NuGet.config = NuGet.config + EndProjectSection +EndProject +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Blob.Test", "test\Microsoft.AspNetCore.DataProtection.Azure.Blob.Test\Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" +EndProject 
+Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Redis", "samples\Redis\Redis.xproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -156,14 +168,22 @@ Global {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|Any CPU.Build.0 = Release|Any CPU {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|x86.ActiveCfg = Release|Any CPU {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|x86.Build.0 = Release|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|Any CPU.Build.0 = Debug|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|x86.ActiveCfg = Debug|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|x86.Build.0 = Debug|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|Any CPU.ActiveCfg = Release|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|Any CPU.Build.0 = Release|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.ActiveCfg = Release|Any CPU - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.Build.0 = Release|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Debug|Any CPU.Build.0 = Debug|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Debug|x86.ActiveCfg = Debug|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Debug|x86.Build.0 = Debug|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Release|Any CPU.ActiveCfg = Release|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Release|Any CPU.Build.0 = Release|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Release|x86.ActiveCfg = Release|Any CPU + {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Release|x86.Build.0 = Release|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Debug|x86.ActiveCfg = Debug|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Debug|x86.Build.0 = Debug|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Release|Any CPU.ActiveCfg = Release|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Release|Any 
CPU.Build.0 = Release|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Release|x86.ActiveCfg = Release|Any CPU + {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Release|x86.Build.0 = Release|Any CPU {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|Any CPU.Build.0 = Debug|Any CPU {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|x86.ActiveCfg = Debug|Any CPU 
@@ -172,6 +192,22 @@ Global {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|Any CPU.Build.0 = Release|Any CPU {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|x86.ActiveCfg = Release|Any CPU {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|x86.Build.0 = Release|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Debug|x86.ActiveCfg = Debug|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Debug|x86.Build.0 = Debug|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Release|Any CPU.ActiveCfg = Release|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Release|Any CPU.Build.0 = Release|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Release|x86.ActiveCfg = Release|Any CPU + {8C41240E-48F8-402F-9388-74CFE27F4D76}.Release|x86.Build.0 = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|Any CPU.Build.0 = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|x86.ActiveCfg = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Debug|x86.Build.0 = Debug|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|Any CPU.ActiveCfg = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|Any CPU.Build.0 = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.ActiveCfg = Release|Any CPU + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE 
@@ -191,7 +227,10 @@ Global {04AA8E60-A053-4D50-89FE-E76C3DF45200} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {BF8681DB-C28B-441F-BD92-0DCFE9537A9F} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} - {24AAEC96-DF46-4F61-B2FF-3D5E056685D9} = {3A6C77DB-FD3D-4B20-A52B-34F7A7E1AED2} + {CC799B57-81E2-4F45-8A32-0D5F49753C3F} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {B07435B3-CD81-4E3B-88A5-6384821E1C01} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} {ABCF00E5-5B2F-469C-90DC-908C5A04C08D} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {8C41240E-48F8-402F-9388-74CFE27F4D76} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {24AAEC96-DF46-4F61-B2FF-3D5E056685D9} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} EndGlobalSection EndGlobal diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index af9e7d025d..96174b2f82 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json @@ -8,6 +8,7 @@ "Microsoft.AspNetCore.Cryptography.KeyDerivation": { }, "Microsoft.AspNetCore.DataProtection": { }, "Microsoft.AspNetCore.DataProtection.Abstractions": { }, + "Microsoft.AspNetCore.DataProtection.Azure.Blob": { }, "Microsoft.AspNetCore.DataProtection.Extensions": { }, "Microsoft.AspNetCore.DataProtection.Redis": { }, "Microsoft.AspNetCore.DataProtection.SystemWeb": { } diff --git a/samples/AzureBlob/AzureBlob.xproj b/samples/AzureBlob/AzureBlob.xproj new file mode 100644 index 0000000000..52a7e78b7e --- /dev/null +++ b/samples/AzureBlob/AzureBlob.xproj @@ -0,0 +1,21 @@ + + + + 14.0 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + + b07435b3-cd81-4e3b-88a5-6384821e1c01 + AzureBlob + .\obj + .\bin\ + v4.5.2 + + + + 2.0 + + + diff --git a/samples/AzureBlob/Program.cs b/samples/AzureBlob/Program.cs new file mode 100644 index 0000000000..45a69fb10c --- /dev/null +++ b/samples/AzureBlob/Program.cs 
@@ -0,0 +1,42 @@ +using System; +using Microsoft.AspNetCore.DataProtection; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; +using Microsoft.WindowsAzure.Storage; +using Microsoft.AspNetCore.DataProtection.Azure.Blob; + +namespace AzureBlob +{ + public class Program + { + public static void Main(string[] args) + { + var storageAccount = CloudStorageAccount.DevelopmentStorageAccount; + var client = storageAccount.CreateCloudBlobClient(); + var container = client.GetContainerReference("key-container"); + + // The container must exist before calling the DataProtection APIs. + // The specific file within the container does not have to exist, + // as it will be created on-demand. + + container.CreateIfNotExistsAsync().GetAwaiter().GetResult(); + + // Configure + + var serviceCollection = new ServiceCollection(); + serviceCollection.AddLogging(); + serviceCollection.AddDataProtection() + .PersistKeysToAzureBlobStorage(container, "keys.xml"); + + var services = serviceCollection.BuildServiceProvider(); + var loggerFactory = services.GetService(); + loggerFactory.AddConsole(Microsoft.Extensions.Logging.LogLevel.Trace); + + // Run a sample payload + + var protector = services.GetDataProtector("sample-purpose"); + var protectedData = protector.Protect("Hello world!"); + Console.WriteLine(protectedData); + } + } +} diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json new file mode 100644 index 0000000000..2294f4df5f --- /dev/null +++ b/samples/AzureBlob/project.json 
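Review bot: The sample in samples/AzureBlob/Program.cs calls `PersistKeysToAzureBlobStorage(container, "keys.xml")` with no key-encryption call, and no comment tells the reader what that means for the stored key ring. As far as this diff shows, the new repository writes the key XML exactly as it receives it, so anyone who can read the blob can presumably read the keys unless a `ProtectKeysWith*` option is configured; this should be confirmed against the Data Protection defaults for custom repositories. I would add a comment above the `AddDataProtection()` call, for example `// NOTE: keys in the blob are not encrypted at rest unless ProtectKeysWith* is configured; keep the container private.` The same caveat belongs in the remarks of the `PersistKeysToAzureBlobStorage` overloads in AzureDataProtectionBuilderExtensions.cs.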
@@ -0,0 +1,26 @@ +{ + "version": "1.0.0-*", + "buildOptions": { + "emitEntryPoint": true + }, + + "dependencies": { + "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Azure.Blob": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection": "1.1.0-*", + "Microsoft.Extensions.Logging": "1.1.0-*", + "Microsoft.Extensions.Logging.Console": "1.1.0-*", + "Microsoft.NETCore.App": { + "type": "platform", + "version": "1.0.0" + } + }, + + "frameworks": { + "netcoreapp1.0": { + "imports": [ + "portable-net45+win8+wp8+wpa81" + ] + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureBlobXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureBlobXmlRepository.cs new file mode 100644 index 0000000000..0020fdc693 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureBlobXmlRepository.cs 
@@ -0,0 +1,295 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Collections.ObjectModel; +using System.IO; +using System.Linq; +using System.Runtime.ExceptionServices; +using System.Threading; +using System.Threading.Tasks; +using System.Xml; +using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.WindowsAzure.Storage; +using Microsoft.WindowsAzure.Storage.Blob; + +namespace Microsoft.AspNetCore.DataProtection.Azure.Blob +{ + /// + /// An which is backed by Azure Blob Storage. + /// + /// + /// Instances of this type are thread-safe. + /// + public sealed class AzureBlobXmlRepository : IXmlRepository + { + private const int ConflictMaxRetries = 5; + private static readonly TimeSpan ConflictBackoffPeriod = TimeSpan.FromMilliseconds(200); + + private static readonly XName RepositoryElementName = "repository"; + + private readonly Func _blobRefFactory; + private readonly Random _random; + private BlobData _cachedBlobData; + + /// + /// Creates a new instance of the . + /// + /// A factory which can create + /// instances. The factory must be thread-safe for invocation by multiple + /// concurrent threads, and each invocation must return a new object. + public AzureBlobXmlRepository(Func blobRefFactory) + { + if (blobRefFactory == null) + { + throw new ArgumentNullException(nameof(blobRefFactory)); + } + + _blobRefFactory = blobRefFactory; + _random = new Random(); + } + + public IReadOnlyCollection GetAllElements() + { + var blobRef = CreateFreshBlobRef(); + + // Shunt the work onto a ThreadPool thread so that it's independent of any + // existing sync context or other potentially deadlock-causing items. 
+ + var elements = Task.Run(() => GetAllElementsAsync(blobRef)).GetAwaiter().GetResult(); + return new ReadOnlyCollection(elements); + } + + public void StoreElement(XElement element, string friendlyName) + { + if (element == null) + { + throw new ArgumentNullException(nameof(element)); + } + + var blobRef = CreateFreshBlobRef(); + + // Shunt the work onto a ThreadPool thread so that it's independent of any + // existing sync context or other potentially deadlock-causing items. + + Task.Run(() => StoreElementAsync(blobRef, element)).GetAwaiter().GetResult(); + } + + private XDocument CreateDocumentFromBlob(byte[] blob) + { + using (var memoryStream = new MemoryStream(blob)) + { + var xmlReaderSettings = new XmlReaderSettings() + { + DtdProcessing = DtdProcessing.Prohibit, IgnoreProcessingInstructions = true + }; + + using (var xmlReader = XmlReader.Create(memoryStream, xmlReaderSettings)) + { + return XDocument.Load(xmlReader); + } + } + } + + private ICloudBlob CreateFreshBlobRef() + { + // ICloudBlob instances aren't thread-safe, so we need to make sure we're working + // with a fresh instance that won't be mutated by another thread. + + var blobRef = _blobRefFactory(); + if (blobRef == null) + { + throw new InvalidOperationException("The ICloudBlob factory method returned null."); + } + + return blobRef; + } + + private async Task> GetAllElementsAsync(ICloudBlob blobRef) + { + var data = await GetLatestDataAsync(blobRef); + + if (data == null) + { + // no data in blob storage + return new XElement[0]; + } + + // The document will look like this: + // + // + // + // + // ... + // + // + // We want to return the first-level child elements to our caller. + + var doc = CreateDocumentFromBlob(data.BlobContents); + return doc.Root.Elements().ToList(); + } + + private async Task GetLatestDataAsync(ICloudBlob blobRef) + { + // Set the appropriate AccessCondition based on what we believe the latest + // file contents to be, then make the request. 
+ + var latestCachedData = Volatile.Read(ref _cachedBlobData); // local ref so field isn't mutated under our feet + var accessCondition = (latestCachedData != null) + ? AccessCondition.GenerateIfNoneMatchCondition(latestCachedData.ETag) + : null; + + try + { + using (var memoryStream = new MemoryStream()) + { + await blobRef.DownloadToStreamAsync( + target: memoryStream, + accessCondition: accessCondition, + options: null, + operationContext: null); + + // At this point, our original cache either didn't exist or was outdated. + // We'll update it now and return the updated value; + + latestCachedData = new BlobData() + { + BlobContents = memoryStream.ToArray(), + ETag = blobRef.Properties.ETag + }; + + } + Volatile.Write(ref _cachedBlobData, latestCachedData); + } + catch (StorageException ex) when (ex.RequestInformation.HttpStatusCode == 304) + { + // 304 Not Modified + // Thrown when we already have the latest cached data. + // This isn't an error; we'll return our cached copy of the data. + } + catch (StorageException ex) when (ex.RequestInformation.HttpStatusCode == 404) + { + // 404 Not Found + // Thrown when no file exists in storage. + // This isn't an error; we'll delete our cached copy of data. 
+ + latestCachedData = null; + Volatile.Write(ref _cachedBlobData, latestCachedData); + } + + return latestCachedData; + } + + private int GetRandomizedBackoffPeriod() + { + // returns a TimeSpan in the range [0.8, 1.0) * ConflictBackoffPeriod + // not used for crypto purposes + var multiplier = 0.8 + (_random.NextDouble() * 0.2); + return (int) (multiplier * ConflictBackoffPeriod.Ticks); + } + + private async Task StoreElementAsync(ICloudBlob blobRef, XElement element) + { + // holds the last error in case we need to rethrow it + ExceptionDispatchInfo lastError = null; + + for (var i = 0; i < ConflictMaxRetries; i++) + { + if (i > 1) + { + // If multiple conflicts occurred, wait a small period of time before retrying + // the operation so that other writers can make forward progress. + await Task.Delay(GetRandomizedBackoffPeriod()); + } + + if (i > 0) + { + // If at least one conflict occurred, make sure we have an up-to-date + // view of the blob contents. + await GetLatestDataAsync(blobRef); + } + + // Merge the new element into the document. If no document exists, + // create a new default document and inject this element into it. + + var latestData = Volatile.Read(ref _cachedBlobData); + var doc = (latestData != null) + ? CreateDocumentFromBlob(latestData.BlobContents) + : new XDocument(new XElement(RepositoryElementName)); + doc.Root.Add(element); + + // Turn this document back into a byte[]. + + var serializedDoc = new MemoryStream(); + doc.Save(serializedDoc, SaveOptions.DisableFormatting); + + // Generate the appropriate precondition header based on whether or not + // we believe data already exists in storage. 
+ + AccessCondition accessCondition; + if (latestData != null) + { + accessCondition = AccessCondition.GenerateIfMatchCondition(blobRef.Properties.ETag); + } + else + { + accessCondition = AccessCondition.GenerateIfNotExistsCondition(); + blobRef.Properties.ContentType = "application/xml; charset=utf-8"; // set content type on first write + } + + try + { + // Send the request up to the server. + + var serializedDocAsByteArray = serializedDoc.ToArray(); + + await blobRef.UploadFromByteArrayAsync( + buffer: serializedDocAsByteArray, + index: 0, + count: serializedDocAsByteArray.Length, + accessCondition: accessCondition, + options: null, + operationContext: null); + + // If we got this far, success! + // We can update the cached view of the remote contents. + + Volatile.Write(ref _cachedBlobData, new BlobData() + { + BlobContents = serializedDocAsByteArray, + ETag = blobRef.Properties.ETag // was updated by Upload routine + }); + + return; + } + catch (StorageException ex) + when (ex.RequestInformation.HttpStatusCode == 409 || ex.RequestInformation.HttpStatusCode == 412) + { + // 409 Conflict + // This error is rare but can be thrown in very special circumstances, + // such as if the blob in the process of being created. We treat it + // as equivalent to 412 for the purposes of retry logic. + + // 412 Precondition Failed + // We'll get this error if another writer updated the repository and we + // have an outdated view of its contents. If this occurs, we'll just + // refresh our view of the remote contents and try again up to the max + // retry limit. + + lastError = ExceptionDispatchInfo.Capture(ex); + } + } + + // if we got this far, something went awry + lastError.Throw(); + } + + private sealed class BlobData + { + internal byte[] BlobContents; + internal string ETag; + } + } +} 
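Review bot: `GetRandomizedBackoffPeriod()` multiplies by `ConflictBackoffPeriod.Ticks` and returns an `int` that `StoreElementAsync` passes straight to `Task.Delay(int)`, which takes milliseconds; 200 ms is 2,000,000 ticks, so the intended 160–200 ms backoff becomes roughly 27–33 minutes. Returning `(int)(multiplier * ConflictBackoffPeriod.TotalMilliseconds)`, or a `TimeSpan` as the method's own comment says, fixes it. Separately, `StoreElementAsync` builds the If-Match condition from `blobRef.Properties.ETag` while the merged document comes from `_cachedBlobData`; on the first attempt the blob reference is fresh from the factory and has not been downloaded, so its ETag is probably unset and the upload may go out without a precondition, overwriting keys another writer added. Using `AccessCondition.GenerateIfMatchCondition(latestData.ETag)` ties the precondition to the contents actually merged. `_random` is also shared across threads although `System.Random` is not thread-safe, which conflicts with the class's thread-safety remark.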
diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureDataProtectionBuilderExtensions.cs new file mode 100644 index 0000000000..0c5ac7299c --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureDataProtectionBuilderExtensions.cs 
@@ -0,0 +1,171 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.WindowsAzure.Storage; +using Microsoft.WindowsAzure.Storage.Auth; +using Microsoft.WindowsAzure.Storage.Blob; + +namespace Microsoft.AspNetCore.DataProtection.Azure.Blob +{ + /// + /// Contains Azure-specific extension methods for modifying a + /// . + /// + public static class AzureDataProtectionBuilderExtensions + { + /// + /// Configures the data protection system to persist keys to the specified path + /// in Azure Blob Storage. + /// + /// The builder instance to modify. + /// The which + /// should be utilized. + /// A relative path where the key file should be + /// stored, generally specified as "/containerName/[subDir/]keys.xml". + /// The value . + /// + /// The container referenced by must already exist. + /// + public static IDataProtectionBuilder PersistKeysToAzureBlobStorage(this IDataProtectionBuilder builder, CloudStorageAccount storageAccount, string relativePath) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + if (storageAccount == null) + { + throw new ArgumentNullException(nameof(storageAccount)); + } + if (relativePath == null) + { + throw new ArgumentNullException(nameof(relativePath)); + } + + // Simply concatenate the root storage endpoint with the relative path, + // which includes the container name and blob name. + + var uriBuilder = new UriBuilder(storageAccount.BlobEndpoint); + uriBuilder.Path = uriBuilder.Path.TrimEnd('/') + "/" + relativePath.TrimStart('/'); + + // We can create a CloudBlockBlob from the storage URI and the creds. 
+ + var blobAbsoluteUri = uriBuilder.Uri; + var credentials = storageAccount.Credentials; + + return PersistKeystoAzureBlobStorageInternal(builder, () => new CloudBlockBlob(blobAbsoluteUri, credentials)); + } + + /// + /// Configures the data protection system to persist keys to the specified path + /// in Azure Blob Storage. + /// + /// The builder instance to modify. + /// The full URI where the key file should be stored. + /// The URI must contain the SAS token as a query string parameter. + /// The value . + /// + /// The container referenced by must already exist. + /// + public static IDataProtectionBuilder PersistKeysToAzureBlobStorage(this IDataProtectionBuilder builder, Uri blobUri) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + if (blobUri == null) + { + throw new ArgumentNullException(nameof(blobUri)); + } + + var uriBuilder = new UriBuilder(blobUri); + + // The SAS token is present in the query string. + + if (string.IsNullOrEmpty(uriBuilder.Query)) + { + throw new ArgumentException( + message: "URI does not have a SAS token in the query string.", + paramName: nameof(blobUri)); + } + + var credentials = new StorageCredentials(uriBuilder.Query); + uriBuilder.Query = null; // no longer needed + var blobAbsoluteUri = uriBuilder.Uri; + + return PersistKeystoAzureBlobStorageInternal(builder, () => new CloudBlockBlob(blobAbsoluteUri, credentials)); + } + + /// + /// Configures the data protection system to persist keys to the specified path + /// in Azure Blob Storage. + /// + /// The builder instance to modify. + /// The where the + /// key file should be stored. + /// The value . + /// + /// The container referenced by must already exist. 
+ /// + public static IDataProtectionBuilder PersistKeysToAzureBlobStorage(this IDataProtectionBuilder builder, CloudBlockBlob blobReference) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + if (blobReference == null) + { + throw new ArgumentNullException(nameof(blobReference)); + } + + // We're basically just going to make a copy of this blob. + // Use (container, blobName) instead of (storageuri, creds) since the container + // is tied to an existing service client, which contains user-settable defaults + // like retry policy and secondary connection URIs. + + var container = blobReference.Container; + var blobName = blobReference.Name; + + return PersistKeystoAzureBlobStorageInternal(builder, () => container.GetBlockBlobReference(blobName)); + } + + /// + /// Configures the data protection system to persist keys to the specified path + /// in Azure Blob Storage. + /// + /// The builder instance to modify. + /// The in which the + /// key file should be stored. + /// The name of the key file, generally specified + /// as "[subdir/]keys.xml" + /// The value . + /// + /// The container referenced by must already exist. 
+ /// + public static IDataProtectionBuilder PersistKeysToAzureBlobStorage(this IDataProtectionBuilder builder, CloudBlobContainer container, string blobName) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + if (container == null) + { + throw new ArgumentNullException(nameof(container)); + } + if (blobName == null) + { + throw new ArgumentNullException(nameof(blobName)); + } + return PersistKeystoAzureBlobStorageInternal(builder, () => container.GetBlockBlobReference(blobName)); + } + + // important: the Func passed into this method must return a new instance with each call + private static IDataProtectionBuilder PersistKeystoAzureBlobStorageInternal(IDataProtectionBuilder config, Func blobRefFactory) + { + config.Services.AddSingleton(services => new AzureBlobXmlRepository(blobRefFactory)); + return config; + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj new file mode 100644 index 0000000000..10f72048c6 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj @@ -0,0 +1,19 @@ + + + + 14.0.25420 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + cc799b57-81e2-4f45-8a32-0d5f49753c3f + Microsoft.AspNetCore.DataProtection.Azure + .\obj + .\bin\ + + + + 2.0 + + + \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..8c1d02d738 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Properties/AssemblyInfo.cs 
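Review bot: The `Uri blobUri` overload of `PersistKeysToAzureBlobStorage` checks only that a query string is present, so an `http://` URI is accepted and the SAS token and key XML would travel unencrypted unless the storage SDK rejects that itself, which is not visible here. I would add a scheme check right after the null checks, allowing loopback for the storage emulator: `if (blobUri.Scheme != "https" && !blobUri.IsLoopback) throw new ArgumentException("URI must use HTTPS.", nameof(blobUri));`. The private helper is also spelled `PersistKeystoAzureBlobStorageInternal`; `PersistKeysToAzureBlobStorageInternal` would match the public method name.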
@@ -0,0 +1,12 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Reflection; +using System.Resources; +using System.Runtime.CompilerServices; + +[assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: NeutralResourcesLanguage("en-US")] +[assembly: AssemblyCompany("Microsoft Corporation.")] +[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] +[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json new file mode 100644 index 0000000000..27d11056c3 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json @@ -0,0 +1,35 @@ +{ + "version": "0.1.0-*", + "description": "Microsoft Azure Blob storrage support as key store.", + "packOptions": { + "repository": { + "type": "git", + "url": "git://github.com/aspnet/dataprotection" + }, + "tags": [ + "aspnetcore", + "dataprotection", + "azure", + "blob" + ] + }, + "dependencies": { + "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "WindowsAzure.Storage": "7.0.2-preview" + }, + "frameworks": { + "net451": {}, + "netstandard1.5": { + "imports": "portable-net45+win8+wp8+wpa81" + } + }, + "buildOptions": { + "allowUnsafe": true, + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk", + "nowarn": [ + "CS1591" + ], + "xmlDoc": true + } +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/AzureBlobXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/AzureBlobXmlRepositoryTests.cs new file mode 100644 index 0000000000..fefee2dad1 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/AzureBlobXmlRepositoryTests.cs 
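Review bot: The new src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json sets `"allowUnsafe": true`, but neither C# source file added for this package in the diff contains `unsafe` code, so the option can be dropped. The package also depends on `"WindowsAzure.Storage": "7.0.2-preview"`, a pre-release version for a library that stores key material; it is worth tracking when this moves to a stable release. The description string has a typo, `storrage`.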
@@ -0,0 +1,112 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.IO; +using System.Linq; +using System.Text; +using System.Threading.Tasks; +using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.Azure.Blob; +using Microsoft.WindowsAzure.Storage; +using Microsoft.WindowsAzure.Storage.Blob; +using Moq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.Azure.Test +{ + public class AzureBlobXmlRepositoryTests + { + [Fact] + public void StoreCreatesBlobWhenNotExist() + { + AccessCondition downloadCondition = null; + AccessCondition uploadCondition = null; + byte[] bytes = null; + BlobProperties properties = new BlobProperties(); + + var mock = new Mock(); + mock.SetupGet(c => c.Properties).Returns(properties); + mock.Setup(c => c.UploadFromByteArrayAsync( + It.IsAny(), + It.IsAny(), + It.IsAny(), + It.IsAny(), + It.IsAny(), + It.IsAny())) + .Returns(async (byte[] buffer, int index, int count, AccessCondition accessCondition, BlobRequestOptions options, OperationContext operationContext) => + { + bytes = buffer.Skip(index).Take(count).ToArray(); + uploadCondition = accessCondition; + await Task.Yield(); + }); + + var repository = new AzureBlobXmlRepository(() => mock.Object); + repository.StoreElement(new XElement("Element"), null); + + Assert.Null(downloadCondition); + Assert.Equal("*", uploadCondition.IfNoneMatchETag); + Assert.Equal("application/xml; charset=utf-8", properties.ContentType); + var element = ""; + + Assert.Equal(bytes, GetEnvelopedContent(element)); + } + + [Fact] + public void StoreUpdatesWhenExistsAndNewerExists() + { + AccessCondition downloadCondition = null; + byte[] bytes = null; + BlobProperties properties = new BlobProperties(); + + var mock = new Mock(); + mock.SetupGet(c => c.Properties).Returns(properties); + mock.Setup(c => c.DownloadToStreamAsync( + It.IsAny(), + It.IsAny(), + 
null, + null)) + .Returns(async (Stream target, AccessCondition condition, BlobRequestOptions options, OperationContext context) => + { + var data = GetEnvelopedContent(""); + await target.WriteAsync(data, 0, data.Length); + }) + .Verifiable(); + + mock.Setup(c => c.UploadFromByteArrayAsync( + It.IsAny(), + It.IsAny(), + It.IsAny(), + It.Is((AccessCondition cond) => cond.IfNoneMatchETag == "*"), + It.IsAny(), + It.IsAny())) + .Throws(new StorageException(new RequestResult { HttpStatusCode = 412 }, null, null)) + .Verifiable(); + + mock.Setup(c => c.UploadFromByteArrayAsync( + It.IsAny(), + It.IsAny(), + It.IsAny(), + It.Is((AccessCondition cond) => cond.IfNoneMatchETag != "*"), + It.IsAny(), + It.IsAny())) + .Returns(async (byte[] buffer, int index, int count, AccessCondition accessCondition, BlobRequestOptions options, OperationContext operationContext) => + { + bytes = buffer.Skip(index).Take(count).ToArray(); + await Task.Yield(); + }) + .Verifiable(); + + var repository = new AzureBlobXmlRepository(() => mock.Object); + repository.StoreElement(new XElement("Element2"), null); + + mock.Verify(); + Assert.Null(downloadCondition); + Assert.Equal(bytes, GetEnvelopedContent("")); + } + + private static byte[] GetEnvelopedContent(string element) + { + return Encoding.UTF8.GetBytes($"{element}"); + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj new file mode 100644 index 0000000000..5f0d8f3acc --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj 
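Review bot: In both tests `downloadCondition` is declared and checked with `Assert.Null(downloadCondition)` but never assigned, so the assertion cannot fail and says nothing about the condition sent on download. In `StoreUpdatesWhenExistsAndNewerExists` the `DownloadToStreamAsync` callback should capture it with `downloadCondition = condition;`, or the variable and assertion should be removed. The retry upload is matched only by `cond.IfNoneMatchETag != "*"`, which also accepts a condition with no ETag at all; asserting the expected `IfMatchETag` on that upload would pin the optimistic-concurrency behaviour the repository relies on.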
@@ -0,0 +1,21 @@ + + + + 14.0.25420 + $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) + + + + 8c41240e-48f8-402f-9388-74cfe27f4d76 + Microsoft.AspNetCore.DataProtection.Azure.Test + .\obj + .\bin\ + + + 2.0 + + + + + + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json new file mode 100644 index 0000000000..4f8f44d11b --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json @@ -0,0 +1,38 @@ +{ + "dependencies": { + "dotnet-test-xunit": "2.2.0-*", + "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Azure.Blob": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection": "1.1.0-*", + "xunit": "2.2.0-*", + "Moq": "4.6.36-*" + }, + "frameworks": { + "netcoreapp1.0": { + "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + }, + "System.Diagnostics.Process": "4.1.0-*", + "System.Diagnostics.TraceSource": "4.0.0-*" + }, + "imports": [ + "dnxcore50", + "portable-net451+win8" + ] + }, + "net451": { + "frameworkAssemblies": { + "System.Threading.Tasks": "" + } + } + }, + "testRunner": "xunit", + "buildOptions": { + "allowUnsafe": true, + "warningsAsErrors": true, + "keyFile": "../../tools/Key.snk" + } +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj index 123ca898a3..723cb30927 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj 
@@ -11,9 +11,11 @@ .\obj .\bin\ - 2.0 + + + \ No newline at end of file From 4cfdc2ecda8f465f573c82ab9148b25b702280c6 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Sat, 3 Sep 2016 22:24:04 -0700 Subject: [PATCH 287/493] Increase .travis.yml consistency between repos - aspnet/Universe#349 - minimize `dotnet` setup time; no need for caching - build with `--quiet` --- .travis.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ada231a672..a446a333d2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,6 +10,10 @@ addons: - libssl-dev - libunwind8 - zlib1g +env: + global: + - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true + - DOTNET_CLI_TELEMETRY_OPTOUT: 1 mono: - 4.0.5 os: @@ -25,7 +29,7 @@ branches: before_install: - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/; fi script: - - ./build.sh verify + - ./build.sh --quiet verify notifications: webhooks: secure: "QLltxzNQ+TUgMurX3FuWB37LVsRx6kZBTXk4JG/BELqO5/Xuwzf8ChElW29d4AbwOeYv5ONYyrvdnLtel8MJCMs8rCxZ2kZZtmUtGdUpPeMavmrvDYQeNqHhFYpLu+bEjxuilGoVI2qonI29S3Q9fC+grXsktGPwPmhyulHbwkk=" From 7dcbb27b6f78b9a17c556ae0a76c2f7c355ddd45 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Tue, 6 Sep 2016 14:10:13 -0700 Subject: [PATCH 288/493] Updated Redis repository project to support .NET Core (#175) --- samples/Redis/project.json | 2 +- .../project.json | 5 +++-- .../project.json | 10 +++++++++- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/samples/Redis/project.json b/samples/Redis/project.json index a09b7bda3a..54f5b9aee3 100644 --- a/samples/Redis/project.json +++ b/samples/Redis/project.json 
@@ -5,7 +5,7 @@ "emitEntryPoint": true }, "dependencies": { - "Microsoft.AspNetCore.DataProtection.Redis": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Redis": "0.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "Microsoft.Extensions.Logging": "1.1.0-*", "Microsoft.Extensions.Logging.Console": "1.1.0-*" diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json index b4aa251e99..399c52adc5 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json @@ -14,10 +14,11 @@ }, "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "StackExchange.Redis.StrongName": "1.1.603" + "StackExchange.Redis.StrongName": "1.1.604-alpha" }, "frameworks": { - "net451": {} + "net451": {}, + "netstandard1.5": {} }, "buildOptions": { "allowUnsafe": true, diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json index 32f76c1230..65e1c2bdca 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json @@ -2,12 +2,20 @@ "dependencies": { "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Redis": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Redis": "0.1.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, "frameworks": { + "netcoreapp1.0": { + "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + } + } + }, "net451": {} }, "testRunner": "xunit", From f7c28fe47f15752a74348acbbc1fce3acd683fe4 Mon Sep 17 00:00:00 2001 
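Review bot: In the `src/Microsoft.AspNetCore.DataProtection.Redis/project.json` hunk, the shipping library moves from the stable `"StackExchange.Redis.StrongName": "1.1.603"` to the pre-release `"1.1.604-alpha"` in the same change that adds the `netstandard1.5` target. Going by its name and the commit title, this package is the Redis-backed key repository, so it would ship with a hard dependency on an alpha client build for every target, including `net451`, which presumably did not need the newer build. Consider stating in the commit description which stable release is expected to replace the alpha, or holding the `netstandard1.5` target until one is available.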
From: Pavel Krymets Date: Wed, 7 Sep 2016 08:29:37 -0700 Subject: [PATCH 289/493] Fix Microsoft.AspNetCore.DataProtection.Azure.Blob dependency version in sample and test --- samples/AzureBlob/project.json | 2 +- .../project.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index 2294f4df5f..d4b49083a1 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json @@ -6,7 +6,7 @@ "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Azure.Blob": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Azure.Blob": "0.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "Microsoft.Extensions.Logging": "1.1.0-*", "Microsoft.Extensions.Logging.Console": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json index 4f8f44d11b..8ca8ffc9fa 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json @@ -2,7 +2,7 @@ "dependencies": { "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Azure.Blob": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Azure.Blob": "0.1.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "xunit": "2.2.0-*", From 00d593f1f29884f88c5e630a18dff96b7134e1c9 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Wed, 7 Sep 2016 10:33:16 -0700 Subject: [PATCH 290/493] Fix build error in samples --- samples/Redis/Program.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/samples/Redis/Program.cs b/samples/Redis/Program.cs index 6bc61bdb70..a3401c86a2 100644 --- a/samples/Redis/Program.cs +++ b/samples/Redis/Program.cs 
@@ -2,7 +2,6 @@ using Microsoft.AspNetCore.DataProtection; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; -using Microsoft.AspNetCore.DataProtection.Redis; using StackExchange.Redis; namespace Redis From 7a3fd8af335d1160f08cd79a5075301cb38f2b62 Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Thu, 29 Sep 2016 15:23:42 -0700 Subject: [PATCH 291/493] Rename DataProtection.Azure.Blob to DataProtection.Azure.Storage (#180) --- DataProtection.sln | 4 ++-- NuGetPackageVerifier.json | 2 +- samples/AzureBlob/Program.cs | 1 - samples/AzureBlob/project.json | 2 +- .../AzureBlobXmlRepository.cs | 2 +- .../AzureDataProtectionBuilderExtensions.cs | 3 ++- .../Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj} | 3 +-- .../Properties/AssemblyInfo.cs | 0 .../project.json | 4 ++-- .../RedisDataProtectionBuilderExtensions.cs | 1 - .../AzureBlobXmlRepositoryTests.cs | 4 ++-- ...rosoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj} | 2 +- .../project.json | 2 +- 13 files changed, 14 insertions(+), 16 deletions(-) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Blob => Microsoft.AspNetCore.DataProtection.Azure.Storage}/AzureBlobXmlRepository.cs (99%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Blob => Microsoft.AspNetCore.DataProtection.Azure.Storage}/AzureDataProtectionBuilderExtensions.cs (98%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj => Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj} (91%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Blob => Microsoft.AspNetCore.DataProtection.Azure.Storage}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Blob => Microsoft.AspNetCore.DataProtection.Azure.Storage}/project.json (90%) rename test/{Microsoft.AspNetCore.DataProtection.Azure.Blob.Test => Microsoft.AspNetCore.DataProtection.Azure.Storage.Test}/AzureBlobXmlRepositoryTests.cs (97%) rename test/{Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj => Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj} (91%) rename 
test/{Microsoft.AspNetCore.DataProtection.Azure.Blob.Test => Microsoft.AspNetCore.DataProtection.Azure.Storage.Test}/project.json (92%) diff --git a/DataProtection.sln b/DataProtection.sln index 20808113c9..6d0da99c3c 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -34,7 +34,7 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataPr EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.xproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Blob", "src\Microsoft.AspNetCore.DataProtection.Azure.Blob\Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Storage", "src\Microsoft.AspNetCore.DataProtection.Azure.Storage\Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A5DE3-49AD-431C-971D-B01B62D94AE2}" EndProject 
@@ -48,7 +48,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution NuGet.config = NuGet.config EndProjectSection EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Blob.Test", "test\Microsoft.AspNetCore.DataProtection.Azure.Blob.Test\Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Storage.Test", "test\Microsoft.AspNetCore.DataProtection.Azure.Storage.Test\Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Redis", "samples\Redis\Redis.xproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" EndProject diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index 96174b2f82..6d2fed16b0 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json @@ -8,7 +8,7 @@ "Microsoft.AspNetCore.Cryptography.KeyDerivation": { }, "Microsoft.AspNetCore.DataProtection": { }, "Microsoft.AspNetCore.DataProtection.Abstractions": { }, - "Microsoft.AspNetCore.DataProtection.Azure.Blob": { }, + "Microsoft.AspNetCore.DataProtection.Azure.Storage": { }, "Microsoft.AspNetCore.DataProtection.Extensions": { }, "Microsoft.AspNetCore.DataProtection.Redis": { }, "Microsoft.AspNetCore.DataProtection.SystemWeb": { } diff --git a/samples/AzureBlob/Program.cs b/samples/AzureBlob/Program.cs index 45a69fb10c..d67432adac 100644 --- a/samples/AzureBlob/Program.cs +++ b/samples/AzureBlob/Program.cs @@ -3,7 +3,6 @@ using Microsoft.AspNetCore.DataProtection; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using Microsoft.WindowsAzure.Storage; -using Microsoft.AspNetCore.DataProtection.Azure.Blob; namespace AzureBlob { 
diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index d4b49083a1..011a94e67a 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json @@ -6,7 +6,7 @@ "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Azure.Blob": "0.1.0-*", + "Microsoft.AspNetCore.DataProtection.Azure.Storage": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "Microsoft.Extensions.Logging": "1.1.0-*", "Microsoft.Extensions.Logging.Console": "1.1.0-*", diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureBlobXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureBlobXmlRepository.cs similarity index 99% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureBlobXmlRepository.cs rename to src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureBlobXmlRepository.cs index 0020fdc693..f24f5c7669 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureBlobXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureBlobXmlRepository.cs @@ -15,7 +15,7 @@ using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.WindowsAzure.Storage; using Microsoft.WindowsAzure.Storage.Blob; -namespace Microsoft.AspNetCore.DataProtection.Azure.Blob +namespace Microsoft.AspNetCore.DataProtection.Azure.Storage { /// /// An which is backed by Azure Blob Storage. diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureDataProtectionBuilderExtensions.cs similarity index 98% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureDataProtectionBuilderExtensions.cs rename to src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureDataProtectionBuilderExtensions.cs index 0c5ac7299c..ebf54579f1 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/AzureDataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureDataProtectionBuilderExtensions.cs @@ -2,13 +2,14 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNetCore.DataProtection.Azure.Storage; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.Extensions.DependencyInjection; using Microsoft.WindowsAzure.Storage; using Microsoft.WindowsAzure.Storage.Auth; using Microsoft.WindowsAzure.Storage.Blob; -namespace Microsoft.AspNetCore.DataProtection.Azure.Blob +namespace Microsoft.AspNetCore.DataProtection { /// /// Contains Azure-specific extension methods for modifying a diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj similarity index 91% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj rename to src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj index 10f72048c6..0645a6ffb2 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Microsoft.AspNetCore.DataProtection.Azure.Blob.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj @@ -7,11 +7,10 @@ cc799b57-81e2-4f45-8a32-0d5f49753c3f - Microsoft.AspNetCore.DataProtection.Azure + Microsoft.AspNetCore.DataProtection.Azure.Storage .\obj .\bin\ - 2.0 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Properties/AssemblyInfo.cs similarity index 100% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Blob/Properties/AssemblyInfo.cs rename to src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Properties/AssemblyInfo.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json similarity index 90% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json rename to src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json index 27d11056c3..7dcdcd9179 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Azure.Blob/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json @@ -1,5 +1,5 @@ { - "version": "0.1.0-*", + "version": "1.0.0-*", "description": "Microsoft Azure Blob storrage support as key store.", "packOptions": { "repository": { @@ -15,7 +15,7 @@ }, "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "WindowsAzure.Storage": "7.0.2-preview" + "WindowsAzure.Storage": "7.2.1" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs index 2974d23ce9..f18e0536b7 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs @@ -4,7 +4,6 @@ using System; using StackExchange.Redis; using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; namespace Microsoft.AspNetCore.DataProtection 
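Review bot: The context line `"description": "Microsoft Azure Blob storrage support as key store."` in the renamed `src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json` has a typo that ends up in the published package metadata, and this hunk is where the package version moves to `1.0.0-*`. It is worth correcting in the same change: `"description": "Microsoft Azure Blob storage support as key store."`.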
diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/AzureBlobXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/AzureBlobXmlRepositoryTests.cs similarity index 97% rename from test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/AzureBlobXmlRepositoryTests.cs rename to test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/AzureBlobXmlRepositoryTests.cs index fefee2dad1..520b273d29 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/AzureBlobXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/AzureBlobXmlRepositoryTests.cs @@ -6,13 +6,13 @@ using System.Linq; using System.Text; using System.Threading.Tasks; using System.Xml.Linq; -using Microsoft.AspNetCore.DataProtection.Azure.Blob; +using Microsoft.AspNetCore.DataProtection.Azure.Storage; using Microsoft.WindowsAzure.Storage; using Microsoft.WindowsAzure.Storage.Blob; using Moq; using Xunit; -namespace Microsoft.AspNetCore.DataProtection.Azure.Test +namespace Microsoft.AspNetCore.DataProtection.Azure.Storage.Test { public class AzureBlobXmlRepositoryTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj similarity index 91% rename from test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj rename to test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj index 5f0d8f3acc..efc577930b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj 
@@ -7,7 +7,7 @@ 8c41240e-48f8-402f-9388-74cfe27f4d76 - Microsoft.AspNetCore.DataProtection.Azure.Test + Microsoft.AspNetCore.DataProtection.Azure.Storage.Test .\obj .\bin\ diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json similarity index 92% rename from test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json rename to test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json index 8ca8ffc9fa..2215160a64 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Azure.Blob.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json @@ -2,7 +2,7 @@ "dependencies": { "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Azure.Blob": "0.1.0-*", + "Microsoft.AspNetCore.DataProtection.Azure.Storage": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "xunit": "2.2.0-*", From 89c39a6c28e9bdd87cdc29b6297431fe3514d71e Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Mon, 3 Oct 2016 10:59:04 -0700 Subject: [PATCH 292/493] Update StackExchange.Redis.StrongName (#182) --- samples/Redis/project.json | 10 +++++++++- .../project.json | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/samples/Redis/project.json b/samples/Redis/project.json index 54f5b9aee3..d3aefe1d2b 100644 --- a/samples/Redis/project.json +++ b/samples/Redis/project.json @@ -11,6 +11,14 @@ "Microsoft.Extensions.Logging.Console": "1.1.0-*" }, "frameworks": { - "net451": { } + "netcoreapp1.0": { + "dependencies": { + "Microsoft.NETCore.App": { + "version": "1.0.0-*", + "type": "platform" + } + } + }, + "net451": {} } } diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json index 399c52adc5..63adb10afc 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json @@ -14,7 +14,7 @@ }, "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "StackExchange.Redis.StrongName": "1.1.604-alpha" + "StackExchange.Redis.StrongName": "1.1.605" }, "frameworks": { "net451": {}, From 3d3d6a3fbabe6a059fec2d270d1a1e2e7ea2da95 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 28 Sep 2016 11:49:55 -0700 Subject: [PATCH 293/493] Updating partner package versions --- samples/AzureBlob/project.json | 6 ++---- samples/Redis/project.json | 4 ++-- .../project.json | 15 ++++----------- .../project.json | 11 +++-------- .../project.json | 8 +++----- .../project.json | 1 + .../project.json | 3 ++- .../project.json | 1 + .../project.json | 11 ++++------- .../project.json | 13 +++++-------- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 4 ++-- .../project.json | 9 ++++----- .../project.json | 6 +++--- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 5 ++--- 18 files changed, 42 insertions(+), 63 deletions(-) diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index 011a94e67a..430d34beaa 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json @@ -3,7 +3,6 @@ "buildOptions": { "emitEntryPoint": true }, - "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Azure.Storage": "1.0.0-*", @@ -12,10 +11,9 @@ "Microsoft.Extensions.Logging.Console": "1.1.0-*", "Microsoft.NETCore.App": { "type": "platform", - "version": "1.0.0" + "version": "1.1.0-*" } }, - "frameworks": { "netcoreapp1.0": { "imports": [ @@ -23,4 +21,4 @@ ] } } -} +} \ No newline at end of file diff --git a/samples/Redis/project.json b/samples/Redis/project.json index d3aefe1d2b..fdd37f2566 100644 --- a/samples/Redis/project.json +++ b/samples/Redis/project.json 
@@ -14,11 +14,11 @@ "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" } } }, "net451": {} } -} +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index d8c2e9a180..7152528d99 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -11,19 +11,12 @@ "dataprotection" ] }, - "dependencies": {}, + "dependencies": { + "NETStandard.Library": "1.6.1-*" + }, "frameworks": { "net451": {}, - "netstandard1.3": { - "dependencies": { - "System.Diagnostics.Debug": "4.0.11-*", - "System.Resources.ResourceManager": "4.0.1-*", - "System.Runtime.Handles": "4.0.1-*", - "System.Runtime.InteropServices": "4.1.0-*", - "System.Security.Cryptography.Primitives": "4.0.0-*", - "System.Threading": "4.0.11-*" - } - } + "netstandard1.3": {} }, "buildOptions": { "allowUnsafe": true, diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index d4ef1fdd5a..ae6a0cb476 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -12,17 +12,12 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*" + "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", + "NETStandard.Library": "1.6.1-*" }, "frameworks": { "net451": {}, - "netstandard1.3": { - "dependencies": { - "System.Runtime.Extensions": "4.1.0-*", - "System.Security.Cryptography.Algorithms": "4.2.0-*", - "System.Text.Encoding.Extensions": "4.0.11-*" - } - } + "netstandard1.3": {} }, "buildOptions": { "allowUnsafe": true, 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 8a46ae5517..3089b494ba 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -19,16 +19,14 @@ "Microsoft.Extensions.WebEncoders.Sources": { "type": "build", "version": "1.1.0-*" - } + }, + "NETStandard.Library": "1.6.1-*" }, "frameworks": { "net451": {}, "netstandard1.3": { "dependencies": { - "System.ComponentModel": "4.0.1-*", - "System.Diagnostics.Debug": "4.0.11-*", - "System.Resources.ResourceManager": "4.0.1-*", - "System.Runtime.Extensions": "4.1.0-*" + "System.ComponentModel": "4.3.0-*" } } }, diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json index 7dcdcd9179..bda2487d40 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json @@ -15,6 +15,7 @@ }, "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "NETStandard.Library": "1.6.1-*", "WindowsAzure.Storage": "7.2.1" }, "frameworks": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index 8df076b1a2..ab1b850392 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -17,7 +17,8 @@ "type": "build", "version": "1.1.0-*" }, - "Microsoft.Extensions.DependencyInjection": "1.1.0-*" + "Microsoft.Extensions.DependencyInjection": "1.1.0-*", + "NETStandard.Library": "1.6.1-*" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json index 63adb10afc..d31c33104b 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json @@ -14,6 +14,7 @@ }, "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "NETStandard.Library": "1.6.1-*", "StackExchange.Redis.StrongName": "1.1.605" }, "frameworks": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index 13438d9650..002264fbe1 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json @@ -11,15 +11,12 @@ "dataprotection" ] }, - "dependencies": {}, + "dependencies": { + "NETStandard.Library": "1.6.1-*" + }, "frameworks": { "net451": {}, - "netstandard1.3": { - "dependencies": { - "System.Security.Cryptography.Primitives": "4.0.0-*", - "System.Text.Encoding.Extensions": "4.0.11-*" - } - } + "netstandard1.3": {} }, "shared": "**\\*.cs", "buildOptions": { diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 138e50b5d8..312fb1c7a9 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -21,7 +21,8 @@ "Microsoft.AspNetCore.Hosting.Abstractions": "1.1.0-*", "Microsoft.Extensions.DependencyInjection.Abstractions": "1.1.0-*", "Microsoft.Extensions.Logging.Abstractions": "1.1.0-*", - "Microsoft.Extensions.Options": "1.1.0-*" + "Microsoft.Extensions.Options": "1.1.0-*", + "NETStandard.Library": "1.6.1-*" }, "frameworks": { "net451": { 
@@ -36,13 +37,9 @@ }, "netstandard1.3": { "dependencies": { - "Microsoft.Win32.Registry": "4.0.0-*", - "System.IO.FileSystem": "4.0.1-*", - "System.Reflection.Extensions": "4.0.1-*", - "System.Security.Cryptography.X509Certificates": "4.1.0-*", - "System.Security.Claims": "4.0.1-*", - "System.Security.Principal.Windows": "4.0.0-*", - "System.Xml.XDocument": "4.0.11-*" + "Microsoft.Win32.Registry": "4.3.0-*", + "System.Security.Claims": "4.3.0-*", + "System.Security.Principal.Windows": "4.3.0-*" } } }, diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index bebcb11214..28f893ea1f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -13,7 +13,7 @@ "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" } }, diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 189bf61634..203632773d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -11,7 +11,7 @@ "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 2c510e4d62..33f636f5de 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json 
@@ -11,10 +11,10 @@ "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" }, - "System.Diagnostics.TraceSource": "4.0.0-*" + "System.Diagnostics.TraceSource": "4.3.0-*" } }, "net451": {} diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json index 2215160a64..485b81038b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json @@ -5,18 +5,17 @@ "Microsoft.AspNetCore.DataProtection.Azure.Storage": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", - "xunit": "2.2.0-*", - "Moq": "4.6.36-*" + "Moq": "4.6.36-*", + "xunit": "2.2.0-*" }, "frameworks": { "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" }, - "System.Diagnostics.Process": "4.1.0-*", - "System.Diagnostics.TraceSource": "4.0.0-*" + "System.Diagnostics.TraceSource": "4.3.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 10e9f2f86f..a40f8c5caf 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -8,17 +8,17 @@ "version": "1.0.0-*" }, "Microsoft.AspNetCore.Testing": "1.1.0-*", - "Moq": "4.6.36-*", + "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, "frameworks": { "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" }, - "System.Diagnostics.TraceSource": "4.0.0-*" + "System.Diagnostics.TraceSource": "4.3.0-*" } }, "net451": {} 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json index 65e1c2bdca..6942deeaad 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json @@ -11,7 +11,7 @@ "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 73f8bafccc..17e8645ba1 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -2,7 +2,7 @@ "frameworks": { "netstandard1.1": { "dependencies": { - "System.Runtime": "4.1.0-*" + "NETStandard.Library": "1.6.1-*" } } }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 8f207a4c81..b1cefcb795 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -1,6 +1,5 @@ { "dependencies": { - "System.Runtime.InteropServices.RuntimeInformation": "4.0.0-*", "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection": "1.1.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { @@ -16,10 +15,10 @@ "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.0.0-*", + "version": "1.1.0-*", "type": "platform" }, - "System.Diagnostics.TraceSource": "4.0.0-*" + "System.Diagnostics.TraceSource": "4.3.0-*" } }, "net451": {} From 6eacfd2679685085e0d7e106634e2dd17bd2381b Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Tue, 4 Oct 2016 11:51:50 -0700 Subject: [PATCH 294/493] Rename Azure.Storage to AzureStorage (#183) --- DataProtection.sln | 4 ++-- NuGetPackageVerifier.json | 2 +- samples/AzureBlob/project.json | 2 +- .../AzureBlobXmlRepository.cs | 2 +- .../AzureDataProtectionBuilderExtensions.cs | 2 +- .../Microsoft.AspNetCore.DataProtection.AzureStorage.xproj} | 2 +- .../Properties/AssemblyInfo.cs | 0 .../project.json | 0 .../AzureBlobXmlRepositoryTests.cs | 3 +-- ...crosoft.AspNetCore.DataProtection.AzureStorage.Test.xproj} | 2 +- .../project.json | 2 +- 11 files changed, 10 insertions(+), 11 deletions(-) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Storage => Microsoft.AspNetCore.DataProtection.AzureStorage}/AzureBlobXmlRepository.cs (99%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Storage => Microsoft.AspNetCore.DataProtection.AzureStorage}/AzureDataProtectionBuilderExtensions.cs (99%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj => Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj} (91%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Storage => Microsoft.AspNetCore.DataProtection.AzureStorage}/Properties/AssemblyInfo.cs (100%) rename src/{Microsoft.AspNetCore.DataProtection.Azure.Storage => Microsoft.AspNetCore.DataProtection.AzureStorage}/project.json (100%) rename test/{Microsoft.AspNetCore.DataProtection.Azure.Storage.Test => Microsoft.AspNetCore.DataProtection.AzureStorage.Test}/AzureBlobXmlRepositoryTests.cs (97%) rename test/{Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj => Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj} (91%) rename test/{Microsoft.AspNetCore.DataProtection.Azure.Storage.Test => 
Microsoft.AspNetCore.DataProtection.AzureStorage.Test}/project.json (92%) diff --git a/DataProtection.sln b/DataProtection.sln index 6d0da99c3c..b98012a3b3 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -34,7 +34,7 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataPr EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.xproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Storage", "src\Microsoft.AspNetCore.DataProtection.Azure.Storage\Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.AzureStorage", "src\Microsoft.AspNetCore.DataProtection.AzureStorage\Microsoft.AspNetCore.DataProtection.AzureStorage.xproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A5DE3-49AD-431C-971D-B01B62D94AE2}" EndProject 
@@ -48,7 +48,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution NuGet.config = NuGet.config EndProjectSection EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Azure.Storage.Test", "test\Microsoft.AspNetCore.DataProtection.Azure.Storage.Test\Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" +Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.AzureStorage.Test", "test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Redis", "samples\Redis\Redis.xproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" EndProject diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index 6d2fed16b0..0ab081c48f 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json @@ -8,7 +8,7 @@ "Microsoft.AspNetCore.Cryptography.KeyDerivation": { }, "Microsoft.AspNetCore.DataProtection": { }, "Microsoft.AspNetCore.DataProtection.Abstractions": { }, - "Microsoft.AspNetCore.DataProtection.Azure.Storage": { }, + "Microsoft.AspNetCore.DataProtection.AzureStorage": { }, "Microsoft.AspNetCore.DataProtection.Extensions": { }, "Microsoft.AspNetCore.DataProtection.Redis": { }, "Microsoft.AspNetCore.DataProtection.SystemWeb": { } diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index 430d34beaa..da1839acc1 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json 
@@ -5,7 +5,7 @@ }, "dependencies": { "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Azure.Storage": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.AzureStorage": "1.0.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "Microsoft.Extensions.Logging": "1.1.0-*", "Microsoft.Extensions.Logging.Console": "1.1.0-*", diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureBlobXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs similarity index 99% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureBlobXmlRepository.cs rename to src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs index f24f5c7669..2b7594e679 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureBlobXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs @@ -15,7 +15,7 @@ using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.WindowsAzure.Storage; using Microsoft.WindowsAzure.Storage.Blob; -namespace Microsoft.AspNetCore.DataProtection.Azure.Storage +namespace Microsoft.AspNetCore.DataProtection.AzureStorage { /// /// An which is backed by Azure Blob Storage. diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs similarity index 99% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureDataProtectionBuilderExtensions.cs rename to src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs index ebf54579f1..90f403bfe3 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/AzureDataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs 
@@ -2,7 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNetCore.DataProtection.Azure.Storage; +using Microsoft.AspNetCore.DataProtection.AzureStorage; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.Extensions.DependencyInjection; using Microsoft.WindowsAzure.Storage; diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj similarity index 91% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj rename to src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj index 0645a6ffb2..1c10acb1a4 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Microsoft.AspNetCore.DataProtection.Azure.Storage.xproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj @@ -7,7 +7,7 @@ cc799b57-81e2-4f45-8a32-0d5f49753c3f - Microsoft.AspNetCore.DataProtection.Azure.Storage + Microsoft.AspNetCore.DataProtection.AzureStorage .\obj .\bin\ diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Properties/AssemblyInfo.cs similarity index 100% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Storage/Properties/AssemblyInfo.cs rename to src/Microsoft.AspNetCore.DataProtection.AzureStorage/Properties/AssemblyInfo.cs 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json similarity index 100% rename from src/Microsoft.AspNetCore.DataProtection.Azure.Storage/project.json rename to src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/AzureBlobXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs similarity index 97% rename from test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/AzureBlobXmlRepositoryTests.cs rename to test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs index 520b273d29..61d5d0ae78 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/AzureBlobXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs @@ -6,13 +6,12 @@ using System.Linq; using System.Text; using System.Threading.Tasks; using System.Xml.Linq; -using Microsoft.AspNetCore.DataProtection.Azure.Storage; using Microsoft.WindowsAzure.Storage; using Microsoft.WindowsAzure.Storage.Blob; using Moq; using Xunit; -namespace Microsoft.AspNetCore.DataProtection.Azure.Storage.Test +namespace Microsoft.AspNetCore.DataProtection.AzureStorage.Test { public class AzureBlobXmlRepositoryTests { diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj similarity index 91% rename from test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj rename to test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj index efc577930b..0de3804484 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test.xproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj @@ -7,7 +7,7 @@ 8c41240e-48f8-402f-9388-74cfe27f4d76 - Microsoft.AspNetCore.DataProtection.Azure.Storage.Test + Microsoft.AspNetCore.DataProtection.AzureStorage.Test .\obj .\bin\ diff --git a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json similarity index 92% rename from test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json rename to test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json index 485b81038b..ec77150f8f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Azure.Storage.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json @@ -2,7 +2,7 @@ "dependencies": { "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Azure.Storage": "1.0.0-*", + "Microsoft.AspNetCore.DataProtection.AzureStorage": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.1.0-*", "Microsoft.Extensions.DependencyInjection": "1.1.0-*", "Moq": "4.6.36-*", From a2a214f698c1c500671e105924b5f67d1140d7c1 Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Wed, 12 Oct 2016 13:44:59 -0700 Subject: [PATCH 295/493] Updating to netcoreapp1.1 --- samples/AzureBlob/project.json | 2 +- samples/Redis/project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../DataProtectionProviderTests.cs | 2 +- .../project.json | 2 +- .../Microsoft.AspNetCore.DataProtection.Redis.Test/project.json | 2 +- .../Repositories/FileSystemXmlRepositoryTests.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index da1839acc1..c9da49430c 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json @@ -15,7 +15,7 @@ } }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "imports": [ "portable-net45+win8+wp8+wpa81" ] diff --git a/samples/Redis/project.json b/samples/Redis/project.json index fdd37f2566..40e2fd9589 100644 --- a/samples/Redis/project.json +++ b/samples/Redis/project.json @@ -11,7 +11,7 @@ "Microsoft.Extensions.Logging.Console": "1.1.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 28f893ea1f..98a0cd070f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -10,7 +10,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", 
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 203632773d..b400805289 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 33f636f5de..e74f829527 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json index ec77150f8f..8b20d73137 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json @@ -9,7 +9,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 3f1080188a..c2e81fa7f2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs 
@@ -106,7 +106,7 @@ namespace Microsoft.AspNetCore.DataProtection }); } -#if !NETCOREAPP1_0 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETCOREAPP1_1 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index a40f8c5caf..cfd8f00fe0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -12,7 +12,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json index 6942deeaad..248ddf2351 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 0213d96b59..37b603f174 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs 
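Review bot: The guard `#if !NETCOREAPP1_1` in DataProtectionProviderTests.cs names one exact target framework, so it has to be edited by hand at every retarget; this commit makes the same edit in FileSystemXmlRepositoryTests.cs, CertificateXmlEncryptionTests.cs and DpapiXmlEncryptionTests.cs. Judging by the `[[ISSUE60]]` comment and the test names, the guards mean "EncryptedXml and impersonation are unavailable on Core CLR", and they switch off tests for certificate-based XML encryption and DPAPI decryption under impersonation. I would gate on a capability symbol defined once per framework in each project.json, for example `#if FEATURE_ENCRYPTED_XML // [[ISSUE60]] remove when Core CLR supports EncryptedXml` (symbol name constructed here), so a framework bump touches only the project files. The `#if` block opens in this hunk and closes outside it.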
@@ -158,7 +158,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static string GetLocalApplicationData() { -#if NETCOREAPP1_0 +#if NETCOREAPP1_1 return Environment.GetEnvironmentVariable("LOCALAPPDATA"); #else return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index ea8c939b5b..e73a4912a4 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETCOREAPP1_0 +#if !NETCOREAPP1_1 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 128e563403..1d6d820810 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if !NETCOREAPP1_0 +#if !NETCOREAPP1_1 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index b1cefcb795..2641bbedf7 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -12,7 +12,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", From 01e9377eff1891cb8e69f5add58d3fc235a40a6c Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 12 Oct 2016 16:08:10 -0700 Subject: [PATCH 296/493] Revert "Updating to netcoreapp1.1" This reverts commit a2a214f698c1c500671e105924b5f67d1140d7c1. --- samples/AzureBlob/project.json | 2 +- samples/Redis/project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../DataProtectionProviderTests.cs | 2 +- .../project.json | 2 +- .../Microsoft.AspNetCore.DataProtection.Redis.Test/project.json | 2 +- .../Repositories/FileSystemXmlRepositoryTests.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index c9da49430c..da1839acc1 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json @@ -15,7 +15,7 @@ } }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "imports": [ "portable-net45+win8+wp8+wpa81" ] diff --git a/samples/Redis/project.json b/samples/Redis/project.json index 40e2fd9589..fdd37f2566 100644 --- a/samples/Redis/project.json +++ b/samples/Redis/project.json @@ -11,7 +11,7 @@ "Microsoft.Extensions.Logging.Console": "1.1.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 98a0cd070f..28f893ea1f 100644 
--- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -10,7 +10,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index b400805289..203632773d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index e74f829527..33f636f5de 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json index 8b20d73137..ec77150f8f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json @@ -9,7 +9,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index c2e81fa7f2..3f1080188a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -106,7 +106,7 @@ namespace Microsoft.AspNetCore.DataProtection }); } -#if !NETCOREAPP1_1 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETCOREAPP1_0 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index cfd8f00fe0..a40f8c5caf 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -12,7 +12,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json index 248ddf2351..6942deeaad 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 37b603f174..0213d96b59 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -158,7 +158,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static string GetLocalApplicationData() { -#if NETCOREAPP1_1 +#if NETCOREAPP1_0 return Environment.GetEnvironmentVariable("LOCALAPPDATA"); #else return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index e73a4912a4..ea8c939b5b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETCOREAPP1_1 +#if !NETCOREAPP1_0 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 1d6d820810..128e563403 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs 
@@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if !NETCOREAPP1_1 +#if !NETCOREAPP1_0 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 2641bbedf7..b1cefcb795 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -12,7 +12,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.1": { + "netcoreapp1.0": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", From f3a6083c9c43058bc00650fcefbf40b61efb8ec6 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 13 Oct 2016 11:13:21 -0700 Subject: [PATCH 297/493] Updating to netcoreapp1.1 --- samples/AzureBlob/project.json | 2 +- samples/Redis/project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../DataProtectionProviderTests.cs | 2 +- .../project.json | 2 +- .../Microsoft.AspNetCore.DataProtection.Redis.Test/project.json | 2 +- .../Repositories/FileSystemXmlRepositoryTests.cs | 2 +- .../XmlEncryption/CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- test/Microsoft.AspNetCore.DataProtection.Test/project.json | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index da1839acc1..c9da49430c 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json @@ -15,7 +15,7 @@ } }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "imports": [ "portable-net45+win8+wp8+wpa81" ] diff --git a/samples/Redis/project.json b/samples/Redis/project.json index fdd37f2566..40e2fd9589 100644 --- a/samples/Redis/project.json 
+++ b/samples/Redis/project.json @@ -11,7 +11,7 @@ "Microsoft.Extensions.Logging.Console": "1.1.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 28f893ea1f..98a0cd070f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -10,7 +10,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 203632773d..b400805289 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 33f636f5de..e74f829527 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json index ec77150f8f..8b20d73137 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json @@ -9,7 +9,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 3f1080188a..c2e81fa7f2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -106,7 +106,7 @@ namespace Microsoft.AspNetCore.DataProtection }); } -#if !NETCOREAPP1_0 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if !NETCOREAPP1_1 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index a40f8c5caf..cfd8f00fe0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -12,7 +12,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json index 6942deeaad..248ddf2351 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json 
@@ -8,7 +8,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 0213d96b59..37b603f174 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -158,7 +158,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static string GetLocalApplicationData() { -#if NETCOREAPP1_0 +#if NETCOREAPP1_1 return Environment.GetEnvironmentVariable("LOCALAPPDATA"); #else return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index ea8c939b5b..e73a4912a4 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETCOREAPP1_0 +#if !NETCOREAPP1_1 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 128e563403..1d6d820810 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs 
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -33,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if !NETCOREAPP1_0 +#if !NETCOREAPP1_1 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index b1cefcb795..2641bbedf7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -12,7 +12,7 @@ "xunit": "2.2.0-*" }, "frameworks": { - "netcoreapp1.0": { + "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { "version": "1.1.0-*", From 8607844ac548d00619f9781cb0cc978f9a747c59 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 17 Oct 2016 09:48:49 -0700 Subject: [PATCH 298/493] Branching for 1.1.0-preview1 --- NuGet.config | 4 ++-- build.ps1 | 2 +- build.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NuGet.config b/NuGet.config index 826a1f9035..6197c93176 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + - + \ No newline at end of file diff --git a/build.ps1 b/build.ps1 index 8f2f99691a..787f63ac02 100644 --- a/build.ps1 +++ b/build.ps1 @@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/1.1.0-preview1.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index f4208100eb..355c682856 100755 --- a/build.sh +++ b/build.sh 
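Review bot: `$koreBuildZip` in build.ps1 (and `koreBuildZip` in build.sh) now points at the archive of a branch, `rel/1.1.0-preview1`, which is a mutable ref: the same URL can serve different build tooling later, and nothing in the visible lines checks what was fetched. The code that downloads and runs the archive is outside both hunks, so this is inferred from the variable name and the `KOREBUILD_ZIP` override. For a release branch I would pin to an immutable commit archive, `$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/<commit-sha>.zip"` (placeholder), and compare a SHA-256 of the downloaded file with an expected value before it is unpacked. The `KOREBUILD_ZIP` override replaces the source entirely, so build agents should set it only from trusted configuration.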
@@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/1.1.0-preview1.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi From 7c6583986cb696755b556348f4b23547e0aacd81 Mon Sep 17 00:00:00 2001 From: jacalvar Date: Fri, 4 Nov 2016 13:06:00 -0700 Subject: [PATCH 299/493] Created public API baselines --- .../baseline.net45.json | 4 + .../baseline.netcore.json | 4 + .../baseline.net45.json | 78 + .../baseline.netcore.json | 78 + .../baseline.net45.json | 231 + .../baseline.netcore.json | 231 + .../baseline.net45.json | 298 ++ .../baseline.netcore.json | 240 ++ .../baseline.net45.json | 157 + .../baseline.net45.json | 3749 +++++++++++++++++ .../baseline.netcore.json | 3515 ++++++++++++++++ 11 files changed, 8585 insertions(+) create mode 100644 src/Microsoft.AspNetCore.Cryptography.Internal/baseline.net45.json create mode 100644 src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json create mode 100644 src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json create mode 100644 src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.net45.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.net45.json create mode 100644 src/Microsoft.AspNetCore.DataProtection/baseline.net45.json create mode 100644 src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json 
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.net45.json b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.net45.json new file mode 100644 index 0000000000..4e3124a689 --- /dev/null +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.net45.json @@ -0,0 +1,4 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json new file mode 100644 index 0000000000..4e3124a689 --- /dev/null +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json @@ -0,0 +1,4 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json new file mode 100644 index 0000000000..93e2b1bed7 --- /dev/null +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json 
@@ -0,0 +1,78 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivation", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Pbkdf2", + "Parameters": [ + { + "Name": "password", + "Type": "System.String" + }, + { + "Name": "salt", + "Type": "System.Byte[]" + }, + { + "Name": "prf", + "Type": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivationPrf" + }, + { + "Name": "iterationCount", + "Type": "System.Int32" + }, + { + "Name": "numBytesRequested", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Byte[]", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivationPrf", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "HMACSHA1", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "HMACSHA256", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + }, + { + "Kind": "Field", + "Name": "HMACSHA512", + "Parameters": [], + "GenericParameter": [], + "Literal": "2" + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json new file mode 100644 index 0000000000..93e2b1bed7 --- /dev/null +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json 
@@ -0,0 +1,78 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivation", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Pbkdf2", + "Parameters": [ + { + "Name": "password", + "Type": "System.String" + }, + { + "Name": "salt", + "Type": "System.Byte[]" + }, + { + "Name": "prf", + "Type": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivationPrf" + }, + { + "Name": "iterationCount", + "Type": "System.Int32" + }, + { + "Name": "numBytesRequested", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Byte[]", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivationPrf", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "HMACSHA1", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "HMACSHA256", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + }, + { + "Kind": "Field", + "Name": "HMACSHA512", + "Parameters": [], + "GenericParameter": [], + "Literal": "2" + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json new file mode 100644 index 0000000000..6d0d722ddc --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json 
@@ -0,0 +1,231 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "provider", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + }, + { + "Name": "purposes", + "Type": "System.Collections.Generic.IEnumerable" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "provider", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + }, + { + "Name": "purpose", + "Type": "System.String" + }, + { + "Name": "subPurposes", + "Type": "System.String[]", + "IsParams": true + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetDataProtectionProvider", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetDataProtector", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + }, + { + "Name": "purposes", + "Type": "System.Collections.Generic.IEnumerable" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + 
"GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetDataProtector", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + }, + { + "Name": "purpose", + "Type": "System.String" + }, + { + "Name": "subPurposes", + "Type": "System.String[]", + "IsParams": true + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.String" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" + }, + { + "Name": "protectedData", + "Type": "System.String" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "purpose", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": 
"plaintext", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protectedData", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Infrastructure.IApplicationDiscriminator", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_Discriminator", + "Parameters": [], + "ReturnType": "System.String", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json new file mode 100644 index 0000000000..6d0d722ddc --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json 
@@ -0,0 +1,231 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "provider", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + }, + { + "Name": "purposes", + "Type": "System.Collections.Generic.IEnumerable" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "provider", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + }, + { + "Name": "purpose", + "Type": "System.String" + }, + { + "Name": "subPurposes", + "Type": "System.String[]", + "IsParams": true + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetDataProtectionProvider", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetDataProtector", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + }, + { + "Name": "purposes", + "Type": "System.Collections.Generic.IEnumerable" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + 
"GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetDataProtector", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + }, + { + "Name": "purpose", + "Type": "System.String" + }, + { + "Name": "subPurposes", + "Type": "System.String[]", + "IsParams": true + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.String" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" + }, + { + "Name": "protectedData", + "Type": "System.String" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "purpose", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": 
"plaintext", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protectedData", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Infrastructure.IApplicationDiscriminator", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_Discriminator", + "Parameters": [], + "ReturnType": "System.String", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.net45.json new file mode 100644 index 0000000000..93502e6e6e --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.net45.json 
@@ -0,0 +1,298 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionAdvancedExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.Byte[]" + }, + { + "Name": "lifetime", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "System.Byte[]", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.String" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.String" + }, + { + "Name": "lifetime", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ToTimeLimitedDataProtector", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + 
"GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "protectedData", + "Type": "System.String" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset", + "Direction": "Out" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionProvider", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "applicationName", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "setupAction", + "Type": "System.Action" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "applicationName", + "Type": "System.String" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, 
+ "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "setupAction", + "Type": "System.Action" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtector" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "purpose", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.Byte[]" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protectedData", + "Type": "System.Byte[]" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset", + "Direction": "Out" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + 
"GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json new file mode 100644 index 0000000000..50b7e9764a --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json 
@@ -0,0 +1,240 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionAdvancedExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.Byte[]" + }, + { + "Name": "lifetime", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "System.Byte[]", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.String" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "plaintext", + "Type": "System.String" + }, + { + "Name": "lifetime", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ToTimeLimitedDataProtector", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", + "Static": true, + "Extension": true, + "Visibility": "Public", + 
"GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protector", + "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" + }, + { + "Name": "protectedData", + "Type": "System.String" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset", + "Direction": "Out" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionProvider", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "applicationName", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "setupAction", + "Type": "System.Action" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtector" + ], + "Members": [ + { + "Kind": "Method", + "Name": 
"CreateProtector", + "Parameters": [ + { + "Name": "purpose", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Protect", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.Byte[]" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Unprotect", + "Parameters": [ + { + "Name": "protectedData", + "Type": "System.Byte[]" + }, + { + "Name": "expiration", + "Type": "System.DateTimeOffset", + "Direction": "Out" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.net45.json new file mode 100644 index 0000000000..14bac24d73 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.net45.json 
@@ -0,0 +1,157 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.SystemWeb, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.SystemWeb.CompatibilityDataProtector", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "BaseType": "System.Security.Cryptography.DataProtector", + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_PrependHashedPurposeToPlaintext", + "Parameters": [], + "ReturnType": "System.Boolean", + "Virtual": true, + "Override": true, + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "IsReprotectRequired", + "Parameters": [ + { + "Name": "encryptedData", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Boolean", + "Virtual": true, + "Override": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProviderProtect", + "Parameters": [ + { + "Name": "userData", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Byte[]", + "Virtual": true, + "Override": true, + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProviderUnprotect", + "Parameters": [ + { + "Name": "encryptedData", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Byte[]", + "Virtual": true, + "Override": true, + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RunWithSuppressedPrimaryPurpose", + "Parameters": [ + { + "Name": "callback", + "Type": "System.Func" + }, + { + "Name": "state", + "Type": "System.Object" + }, + { + "Name": "input", + "Type": "System.Byte[]" + } + ], + "ReturnType": "System.Byte[]", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "applicationName", + "Type": "System.String" + }, + { + "Name": "primaryPurpose", + "Type": 
"System.String" + }, + { + "Name": "specificPurposes", + "Type": "System.String[]" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.SystemWeb.DataProtectionStartup", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ConfigureServices", + "Parameters": [ + { + "Name": "services", + "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + } + ], + "ReturnType": "System.Void", + "Virtual": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateDataProtectionProvider", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Virtual": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection/baseline.net45.json new file mode 100644 index 0000000000..17dd37fc63 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/baseline.net45.json 
@@ -0,0 +1,3749 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServiceCollectionExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "AddDataProtection", + "Parameters": [ + { + "Name": "services", + "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddDataProtection", + "Parameters": [ + { + "Name": "services", + "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + }, + { + "Name": "setupAction", + "Type": "System.Action" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServices", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetDefaultServices", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IEnumerable", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "SetApplicationName", + "Parameters": [ + { + 
"Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "applicationName", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddKeyEscrowSink", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "sink", + "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddKeyEscrowSink", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [ + { + "ParameterName": "TImplementation", + "ParameterPosition": 0, + "Class": true, + "BaseTypeOrInterfaces": [ + "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink" + ] + } + ] + }, + { + "Kind": "Method", + "Name": "AddKeyEscrowSink", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "factory", + "Type": "System.Func" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddKeyManagementOptions", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "setupAction", + "Type": "System.Action" + } + ], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "DisableAutomaticKeyGeneration", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToFileSystem", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "directory", + "Type": "System.IO.DirectoryInfo" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToRegistry", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "registryKey", + "Type": "Microsoft.Win32.RegistryKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithCertificate", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithCertificate", + "Parameters": [ + { + "Name": "builder", + "Type": 
"Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "thumbprint", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapi", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapi", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "protectToLocalMachine", + "Type": "System.Boolean" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapiNG", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapiNG", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "protectionDescriptorRule", + "Type": "System.String" + }, + { + "Name": "flags", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + 
"Kind": "Method", + "Name": "SetDefaultKeyLifetime", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "lifetime", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseCryptographicAlgorithms", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseCustomCryptographicAlgorithms", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseCustomCryptographicAlgorithms", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseCustomCryptographicAlgorithms", + 
"Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseEphemeralDataProtectionProvider", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionOptions", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_ApplicationDiscriminator", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_ApplicationDiscriminator", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionUtilityExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetApplicationUniqueIdentifier", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "ReturnType": "System.String", + 
"Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "purpose", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": "Microsoft.Extensions.DependencyInjection.IServiceCollection", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IPersistedDataProtector", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtector" + ], + "Members": [ + { + "Kind": "Method", + "Name": "DangerousUnprotect", + "Parameters": [ + { + "Name": "protectedData", + "Type": "System.Byte[]" + }, + { + "Name": "ignoreRevocationErrors", + "Type": "System.Boolean" + }, + { + 
"Name": "requiresMigration", + "Type": "System.Boolean", + "Direction": "Out" + }, + { + "Name": "wasRevoked", + "Type": "System.Boolean", + "Direction": "Out" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "System.IDisposable" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Length", + "Parameters": [], + "ReturnType": "System.Int32", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "WriteSecretIntoBuffer", + "Parameters": [ + { + "Name": "buffer", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Secret", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.ISecret" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Length", + "Parameters": [], + "ReturnType": "System.Int32", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Dispose", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "System.IDisposable", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Random", + "Parameters": [ + { + "Name": "numBytes", + "Type": "System.Int32" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.Secret", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "WriteSecretIntoBuffer", + "Parameters": [ + { + "Name": "buffer", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Void", + 
"Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "WriteSecretIntoBuffer", + "Parameters": [ + { + "Name": "buffer", + "Type": "System.Byte*" + }, + { + "Name": "bufferLength", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "value", + "Type": "System.ArraySegment" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "value", + "Type": "System.Byte[]" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "secret", + "Type": "System.Byte*" + }, + { + "Name": "secretLength", + "Type": "System.Int32" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "secret", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateResolver", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ResolveCertificate", + "Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + } + ], + "ReturnType": "System.Security.Cryptography.X509Certificates.X509Certificate2", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + 
"Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor", + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + }, + { + "Name": "certificateResolver", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + }, + { + "Name": "certificateResolver", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + }, + { + "Name": 
"services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "None", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "NamedDescriptor", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + }, + { + "Kind": "Field", + "Name": "MachineKey", + "Parameters": [], + "GenericParameter": [], + "Literal": "32" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": 
[ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectionDescriptorRule", + "Type": "System.String" + }, + { + "Name": "flags", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectionDescriptorRule", + "Type": "System.String" + }, + { + "Name": "flags", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + 
"Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectToLocalMachine", + "Type": "System.Boolean" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectToLocalMachine", + "Type": "System.Boolean" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalEncryptedXmlDecryptor", + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_DecryptorType", + "Parameters": [], + "ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptedElement", + "Parameters": [], + "ReturnType": "System.Xml.Linq.XElement", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "decryptorType", + "Type": "System.Type" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ResolveCertificate", + "Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + } + ], + "ReturnType": "System.Security.Cryptography.X509Certificates.X509Certificate2", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + 
"Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.NullXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.NullXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_DefaultKeyStorageDirectory", + "Parameters": [], + "ReturnType": "System.IO.DirectoryInfo", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_Directory", + "Parameters": [], + "ReturnType": "System.IO.DirectoryInfo", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": "System.IServiceProvider", + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Virtual": true, + "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "directory", + "Type": "System.IO.DirectoryInfo" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "directory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_DefaultRegistryKey", + "Parameters": [], + "ReturnType": "Microsoft.Win32.RegistryKey", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_RegistryKey", + "Parameters": [], + "ReturnType": "Microsoft.Win32.RegistryKey", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": 
"System.IServiceProvider", + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "registryKey", + "Type": "Microsoft.Win32.RegistryKey" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "registryKey", + "Type": "Microsoft.Win32.RegistryKey" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_ActivationDate", + "Parameters": [], + "ReturnType": "System.DateTimeOffset", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_CreationDate", + "Parameters": [], + "ReturnType": "System.DateTimeOffset", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_ExpirationDate", + "Parameters": [], + "ReturnType": "System.DateTimeOffset", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_IsRevoked", + "Parameters": [], + 
"ReturnType": "System.Boolean", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_KeyId", + "Parameters": [], + "ReturnType": "System.Guid", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Store", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewKey", + "Parameters": [ + { + "Name": "activationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "expirationDate", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAllKeys", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetCacheExpirationToken", + "Parameters": [], + "ReturnType": "System.Threading.CancellationToken", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeKey", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + 
"GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeAllKeys", + "Parameters": [ + { + "Name": "revocationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyManagementOptions", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_AutoGenerateKeys", + "Parameters": [], + "ReturnType": "System.Boolean", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_AutoGenerateKeys", + "Parameters": [ + { + "Name": "value", + "Type": "System.Boolean" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_NewKeyLifetime", + "Parameters": [], + "ReturnType": "System.TimeSpan", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_NewKeyLifetime", + "Parameters": [ + { + "Name": "value", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewKey", + "Parameters": [ + { + "Name": "activationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "expirationDate", + "Type": 
"System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAllKeys", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetCacheExpirationToken", + "Parameters": [], + "ReturnType": "System.Threading.CancellationToken", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeAllKeys", + "Parameters": [ + { + "Name": "revocationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeKey", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "repository", + "Type": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + }, + { + "Name": "configuration", + 
"Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", + "Visibility": "Public", + "Kind": "Struct", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "DefaultKey", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Field", + "Name": "FallbackKey", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Field", + "Name": "ShouldGenerateNewKey", + "Parameters": [], + "ReturnType": "System.Boolean", + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetCacheableKeyRing", + "Parameters": [ + { + "Name": "now", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyResolver", + "Visibility": "Public", + "Kind": "Interface", + 
"Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ResolveDefaultKeyPolicy", + "Parameters": [ + { + "Name": "now", + "Type": "System.DateTimeOffset" + }, + { + "Name": "allKeys", + "Type": "System.Collections.Generic.IEnumerable" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyServices", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetKeyEncryptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetKeyRepository", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewKey", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "creationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "activationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "expirationDate", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "DeserializeDescriptorFromKeyElement", + "Parameters": [ + { + "Name": "keyElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeSingleKey", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "revocationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "reason", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_DefaultAuthenticatedEncryptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_DefaultKeyId", + "Parameters": [], + "ReturnType": "System.Guid", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAuthenticatedEncryptorByKeyId", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "isRevoked", + "Type": "System.Boolean", + "Direction": "Out" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRingProvider", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetCurrentKeyRing", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Internal.DataProtectionBuilder", + "Visibility": "Public", + 
"Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": "Microsoft.Extensions.DependencyInjection.IServiceCollection", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Internal.IActivator", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateInstance", + "Parameters": [ + { + "Name": "expectedBaseType", + "Type": "System.Type" + }, + { + "Name": "implementationTypeName", + "Type": "System.String" + } + ], + "ReturnType": "System.Object", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", + "System.IDisposable" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "ciphertext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Visibility": "Public", + "GenericParameter": [] + 
}, + { + "Kind": "Method", + "Name": "DecryptImpl", + "Parameters": [ + { + "Name": "pbCiphertext", + "Type": "System.Byte*" + }, + { + "Name": "cbCiphertext", + "Type": "System.UInt32" + }, + { + "Name": "pbAdditionalAuthenticatedData", + "Type": "System.Byte*" + }, + { + "Name": "cbAdditionalAuthenticatedData", + "Type": "System.UInt32" + } + ], + "ReturnType": "System.Byte[]", + "Virtual": true, + "Abstract": true, + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Dispose", + "Parameters": [], + "ReturnType": "System.Void", + "Virtual": true, + "Abstract": true, + "ImplementedInterface": "System.IDisposable", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + }, + { + "Name": "preBufferSize", + "Type": "System.UInt32" + }, + { + "Name": "postBufferSize", + "Type": "System.UInt32" + } + ], + "ReturnType": "System.Byte[]", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "EncryptImpl", + "Parameters": [ + { + "Name": "pbPlaintext", + "Type": "System.Byte*" + }, + { + "Name": "cbPlaintext", + "Type": "System.UInt32" + }, + { + "Name": "pbAdditionalAuthenticatedData", + 
"Type": "System.Byte*" + }, + { + "Name": "cbAdditionalAuthenticatedData", + "Type": "System.UInt32" + }, + { + "Name": "cbPreBuffer", + "Type": "System.UInt32" + }, + { + "Name": "cbPostBuffer", + "Type": "System.UInt32" + } + ], + "ReturnType": "System.Byte[]", + "Virtual": true, + "Abstract": true, + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Protected", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithm", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_ValidationAlgorithm", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_ValidationAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", 
+ "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithm", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmProvider", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmProvider", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmKeySize", + "Parameters": [], + "ReturnType": "System.Int32", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmKeySize", + "Parameters": [ + { + "Name": "value", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_HashAlgorithm", + "Parameters": [], 
+ "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_HashAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_HashAlgorithmProvider", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_HashAlgorithmProvider", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithm", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmProvider", + "Parameters": [], 
+ "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmProvider", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmKeySize", + "Parameters": [], + "ReturnType": "System.Int32", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmKeySize", + "Parameters": [ + { + "Name": "value", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "AES_128_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "AES_192_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + }, + { + "Kind": "Field", + "Name": "AES_256_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "2" + }, + { + "Kind": "Field", + "Name": "AES_128_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "3" + }, + { + "Kind": "Field", + "Name": "AES_192_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "4" + }, + 
{ + "Kind": "Field", + "Name": "AES_256_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "5" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "ciphertext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmType", + "Parameters": [], + "ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmType", + "Parameters": [ + { + "Name": "value", + "Type": "System.Type" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmKeySize", + "Parameters": [], + "ReturnType": "System.Int32", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmKeySize", + "Parameters": [ + { + "Name": "value", + "Type": "System.Int32" + } + 
], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_ValidationAlgorithmType", + "Parameters": [], + "ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_ValidationAlgorithmType", + "Parameters": [ + { + "Name": "value", + "Type": "System.Type" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "HMACSHA256", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "HMACSHA512", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", + 
"Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + 
"Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": 
"System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + 
"Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", + "Visibility": 
"Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + 
"ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + 
"Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + "Name": "services", + "Type": 
"System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "MarkAsRequiresEncryption", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Void", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_DeserializerType", + "Parameters": [], + "ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_SerializedDescriptorElement", + "Parameters": [], + "ReturnType": "System.Xml.Linq.XElement", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "serializedDescriptorElement", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "deserializerType", + "Type": "System.Type" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json new file mode 100644 index 0000000000..122e26797f --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json 
@@ -0,0 +1,3515 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServiceCollectionExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "AddDataProtection", + "Parameters": [ + { + "Name": "services", + "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddDataProtection", + "Parameters": [ + { + "Name": "services", + "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + }, + { + "Name": "setupAction", + "Type": "System.Action" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServices", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetDefaultServices", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IEnumerable", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "SetApplicationName", + "Parameters": [ + { + 
"Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "applicationName", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddKeyEscrowSink", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "sink", + "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddKeyEscrowSink", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [ + { + "ParameterName": "TImplementation", + "ParameterPosition": 0, + "Class": true, + "BaseTypeOrInterfaces": [ + "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink" + ] + } + ] + }, + { + "Kind": "Method", + "Name": "AddKeyEscrowSink", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "factory", + "Type": "System.Func" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "AddKeyManagementOptions", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "setupAction", + "Type": "System.Action" + } + ], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "DisableAutomaticKeyGeneration", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToFileSystem", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "directory", + "Type": "System.IO.DirectoryInfo" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToRegistry", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "registryKey", + "Type": "Microsoft.Win32.RegistryKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapi", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapi", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "protectToLocalMachine", + "Type": "System.Boolean" + } + ], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapiNG", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithDpapiNG", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "protectionDescriptorRule", + "Type": "System.String" + }, + { + "Name": "flags", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "SetDefaultKeyLifetime", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "lifetime", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseCryptographicAlgorithms", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + 
"Name": "UseCustomCryptographicAlgorithms", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseCustomCryptographicAlgorithms", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseCustomCryptographicAlgorithms", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "UseEphemeralDataProtectionProvider", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionOptions", + "Visibility": "Public", 
+ "Kind": "Class", + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_ApplicationDiscriminator", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_ApplicationDiscriminator", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionUtilityExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetApplicationUniqueIdentifier", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "ReturnType": "System.String", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateProtector", + "Parameters": [ + { + "Name": "purpose", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + 
"Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": "Microsoft.Extensions.DependencyInjection.IServiceCollection", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.IPersistedDataProtector", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtector" + ], + "Members": [ + { + "Kind": "Method", + "Name": "DangerousUnprotect", + "Parameters": [ + { + "Name": "protectedData", + "Type": "System.Byte[]" + }, + { + "Name": "ignoreRevocationErrors", + "Type": "System.Boolean" + }, + { + "Name": "requiresMigration", + "Type": "System.Boolean", + "Direction": "Out" + }, + { + "Name": "wasRevoked", + "Type": "System.Boolean", + "Direction": "Out" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [ + "System.IDisposable" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Length", + "Parameters": [], + "ReturnType": "System.Int32", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "WriteSecretIntoBuffer", + "Parameters": [ + { + "Name": "buffer", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Secret", + "Visibility": "Public", + "Kind": "Class", + 
"Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.ISecret" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Length", + "Parameters": [], + "ReturnType": "System.Int32", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Dispose", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "System.IDisposable", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Random", + "Parameters": [ + { + "Name": "numBytes", + "Type": "System.Int32" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.Secret", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "WriteSecretIntoBuffer", + "Parameters": [ + { + "Name": "buffer", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "WriteSecretIntoBuffer", + "Parameters": [ + { + "Name": "buffer", + "Type": "System.Byte*" + }, + { + "Name": "bufferLength", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "value", + "Type": "System.ArraySegment" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "value", + "Type": "System.Byte[]" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "secret", + "Type": "System.Byte*" + }, + { + "Name": 
"secretLength", + "Type": "System.Int32" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "secret", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "None", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "NamedDescriptor", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + }, + { + "Kind": "Field", + "Name": "MachineKey", + "Parameters": [], + "GenericParameter": [], + "Literal": "32" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": 
"Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectionDescriptorRule", + "Type": "System.String" + }, + { + "Name": "flags", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectionDescriptorRule", + "Type": "System.String" + }, + { + "Name": "flags", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + 
"Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectToLocalMachine", + "Type": "System.Boolean" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "protectToLocalMachine", + "Type": "System.Boolean" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_DecryptorType", + "Parameters": [], + "ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptedElement", + 
"Parameters": [], + "ReturnType": "System.Xml.Linq.XElement", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "decryptorType", + "Type": "System.Type" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.NullXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + 
"Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.NullXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_DefaultKeyStorageDirectory", + "Parameters": [], + "ReturnType": "System.IO.DirectoryInfo", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_Directory", + "Parameters": [], + "ReturnType": "System.IO.DirectoryInfo", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": "System.IServiceProvider", + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": 
"Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "directory", + "Type": "System.IO.DirectoryInfo" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "directory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository", + "Visibility": "Public", + "Kind": "Class", + 
"ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_DefaultRegistryKey", + "Parameters": [], + "ReturnType": "Microsoft.Win32.RegistryKey", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_RegistryKey", + "Parameters": [], + "ReturnType": "Microsoft.Win32.RegistryKey", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": "System.IServiceProvider", + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "registryKey", + "Type": "Microsoft.Win32.RegistryKey" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "registryKey", + "Type": "Microsoft.Win32.RegistryKey" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Visibility": "Public", + "Kind": "Interface", + 
"Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_ActivationDate", + "Parameters": [], + "ReturnType": "System.DateTimeOffset", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_CreationDate", + "Parameters": [], + "ReturnType": "System.DateTimeOffset", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_ExpirationDate", + "Parameters": [], + "ReturnType": "System.DateTimeOffset", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_IsRevoked", + "Parameters": [], + "ReturnType": "System.Boolean", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_KeyId", + "Parameters": [], + "ReturnType": "System.Guid", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Store", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewKey", + "Parameters": [ + { + "Name": "activationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "expirationDate", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "GenericParameter": [] 
+ }, + { + "Kind": "Method", + "Name": "GetAllKeys", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetCacheExpirationToken", + "Parameters": [], + "ReturnType": "System.Threading.CancellationToken", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeKey", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeAllKeys", + "Parameters": [ + { + "Name": "revocationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyManagementOptions", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_AutoGenerateKeys", + "Parameters": [], + "ReturnType": "System.Boolean", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_AutoGenerateKeys", + "Parameters": [ + { + "Name": "value", + "Type": "System.Boolean" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_NewKeyLifetime", + "Parameters": [], + "ReturnType": "System.TimeSpan", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_NewKeyLifetime", + "Parameters": [ + { + "Name": "value", + "Type": "System.TimeSpan" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + 
], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewKey", + "Parameters": [ + { + "Name": "activationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "expirationDate", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAllKeys", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetCacheExpirationToken", + "Parameters": [], + "ReturnType": "System.Threading.CancellationToken", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeAllKeys", + "Parameters": [ + { + "Name": "revocationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeKey", + "Parameters": [ + { + 
"Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "reason", + "Type": "System.String", + "DefaultValue": "null" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "repository", + "Type": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + }, + { + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", + "Visibility": "Public", + "Kind": "Struct", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "DefaultKey", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Field", + "Name": "FallbackKey", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Field", + "Name": "ShouldGenerateNewKey", + "Parameters": [], + "ReturnType": "System.Boolean", + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider", + 
"Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetCacheableKeyRing", + "Parameters": [ + { + "Name": "now", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyResolver", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ResolveDefaultKeyPolicy", + "Parameters": [ + { + "Name": "now", + "Type": "System.DateTimeOffset" + }, + { + "Name": "allKeys", + "Type": "System.Collections.Generic.IEnumerable" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyServices", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetKeyEncryptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetKeyRepository", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewKey", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "creationDate", + 
"Type": "System.DateTimeOffset" + }, + { + "Name": "activationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "expirationDate", + "Type": "System.DateTimeOffset" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "DeserializeDescriptorFromKeyElement", + "Parameters": [ + { + "Name": "keyElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "RevokeSingleKey", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "revocationDate", + "Type": "System.DateTimeOffset" + }, + { + "Name": "reason", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_DefaultAuthenticatedEncryptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_DefaultKeyId", + "Parameters": [], + "ReturnType": "System.Guid", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "GetAuthenticatedEncryptorByKeyId", + "Parameters": [ + { + "Name": "keyId", + "Type": "System.Guid" + }, + { + "Name": "isRevoked", + "Type": "System.Boolean", + "Direction": "Out" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": 
"Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRingProvider", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "GetCurrentKeyRing", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Internal.DataProtectionBuilder", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Services", + "Parameters": [], + "ReturnType": "Microsoft.Extensions.DependencyInjection.IServiceCollection", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Internal.IActivator", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateInstance", + "Parameters": [ + { + "Name": "expectedBaseType", + "Type": "System.Type" + }, + { + "Name": "implementationTypeName", + "Type": "System.String" + } + ], + "ReturnType": "System.Object", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "ImplementedInterfaces": [ + 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", + "System.IDisposable" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "ciphertext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "DecryptImpl", + "Parameters": [ + { + "Name": "pbCiphertext", + "Type": "System.Byte*" + }, + { + "Name": "cbCiphertext", + "Type": "System.UInt32" + }, + { + "Name": "pbAdditionalAuthenticatedData", + "Type": "System.Byte*" + }, + { + "Name": "cbAdditionalAuthenticatedData", + "Type": "System.UInt32" + } + ], + "ReturnType": "System.Byte[]", + "Virtual": true, + "Abstract": true, + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Dispose", + "Parameters": [], + "ReturnType": "System.Void", + "Virtual": true, + "Abstract": true, + "ImplementedInterface": "System.IDisposable", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + }, + { + "Name": 
"preBufferSize", + "Type": "System.UInt32" + }, + { + "Name": "postBufferSize", + "Type": "System.UInt32" + } + ], + "ReturnType": "System.Byte[]", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "EncryptImpl", + "Parameters": [ + { + "Name": "pbPlaintext", + "Type": "System.Byte*" + }, + { + "Name": "cbPlaintext", + "Type": "System.UInt32" + }, + { + "Name": "pbAdditionalAuthenticatedData", + "Type": "System.Byte*" + }, + { + "Name": "cbAdditionalAuthenticatedData", + "Type": "System.UInt32" + }, + { + "Name": "cbPreBuffer", + "Type": "System.UInt32" + }, + { + "Name": "cbPostBuffer", + "Type": "System.UInt32" + } + ], + "ReturnType": "System.Byte[]", + "Virtual": true, + "Abstract": true, + "Visibility": "Protected", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Protected", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithm", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + 
"Name": "get_ValidationAlgorithm", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_ValidationAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithm", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmProvider", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmProvider", + "Parameters": [ + { + "Name": "value", + 
"Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmKeySize", + "Parameters": [], + "ReturnType": "System.Int32", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmKeySize", + "Parameters": [ + { + "Name": "value", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_HashAlgorithm", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_HashAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_HashAlgorithmProvider", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_HashAlgorithmProvider", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithm", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithm", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmProvider", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmProvider", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmKeySize", + "Parameters": [], + "ReturnType": "System.Int32", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmKeySize", + "Parameters": [ + { + "Name": "value", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + 
"ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "AES_128_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "AES_192_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + }, + { + "Kind": "Field", + "Name": "AES_256_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "2" + }, + { + "Kind": "Field", + "Name": "AES_128_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "3" + }, + { + "Kind": "Field", + "Name": "AES_192_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "4" + }, + { + "Kind": "Field", + "Name": "AES_256_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "5" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "ciphertext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmType", + "Parameters": [], + 
"ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmType", + "Parameters": [ + { + "Name": "value", + "Type": "System.Type" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_EncryptionAlgorithmKeySize", + "Parameters": [], + "ReturnType": "System.Int32", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_EncryptionAlgorithmKeySize", + "Parameters": [ + { + "Name": "value", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_ValidationAlgorithmType", + "Parameters": [], + "ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_ValidationAlgorithmType", + "Parameters": [ + { + "Name": "value", + "Type": "System.Type" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Validate", + "Parameters": [], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Field", + "Name": "HMACSHA256", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "HMACSHA512", + "Parameters": [], + 
"GenericParameter": [], + "Literal": "1" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + 
"ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + 
"GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" 
+ } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": 
true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": 
"Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" + ], + "Members": [ + { + "Kind": "Method", + "Name": "get_Settings", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + 
"Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + 
"Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "settings", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "MarkAsRequiresEncryption", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Void", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_DeserializerType", + "Parameters": [], + "ReturnType": "System.Type", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_SerializedDescriptorElement", + "Parameters": [], + "ReturnType": "System.Xml.Linq.XElement", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "serializedDescriptorElement", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "deserializerType", + "Type": "System.Type" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file From 5c56815fc8fb58a7586a8fab353789c62e950a8b Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 9 Nov 2016 11:29:47 -0800 Subject: [PATCH 300/493] Branching for 1.1.0 --- NuGet.config | 4 ++-- build.ps1 | 2 +- build.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NuGet.config b/NuGet.config index 826a1f9035..6197c93176 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + - + \ No newline at end of file 
diff --git a/build.ps1 b/build.ps1 index 8f2f99691a..24ca167cf6 100644 --- a/build.ps1 +++ b/build.ps1 @@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/1.1.0.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index f4208100eb..fea9ac64ad 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/1.1.0.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi From 8e4ab2c6ff1c29e9c9f951fb6db61a4675542092 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 9 Nov 2016 14:17:00 -0800 Subject: [PATCH 301/493] Updating versions to 1.2.0-* --- samples/AzureBlob/project.json | 8 ++++---- samples/Redis/project.json | 6 +++--- .../project.json | 2 +- .../project.json | 6 ++++-- .../project.json | 6 +++--- .../project.json | 6 ++++-- .../project.json | 10 ++++++---- .../project.json | 4 +++- .../project.json | 2 +- .../project.json | 6 +++--- .../project.json | 20 +++++++++++-------- .../project.json | 4 ++-- .../project.json | 6 +++--- .../project.json | 6 +++--- .../project.json | 6 +++--- .../project.json | 6 +++--- .../project.json | 4 ++-- .../project.json | 6 +++--- 18 files changed, 63 insertions(+), 51 deletions(-) diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index c9da49430c..ff2d137452 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json 
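Review bot: The new `$koreBuildZip` value in build.ps1, and the matching `koreBuildZip` in the build.sh hunk, names a ref archive (`archive/rel/1.1.0.zip`). Going by the commit title this is a branch, so the build tooling it resolves to can change after this commit without any change in this repository. Neither hunk shows a pin or an integrity check, and the download and extraction code lies outside both hunks. If that code does not already verify a digest, point the URL at a commit archive, e.g. `$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/<commit-sha>.zip"` (`<commit-sha>` is a placeholder), and compare a SHA-256 of the zip before expanding it. The `KOREBUILD_ZIP` override visible in the context lines also deserves a comment such as `# KOREBUILD_ZIP replaces the download URL; set it only in trusted build environments`, because whoever controls that variable chooses the tooling the build runs.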
@@ -4,11 +4,11 @@ "emitEntryPoint": true }, "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.AzureStorage": "1.0.0-*", - "Microsoft.Extensions.DependencyInjection": "1.1.0-*", - "Microsoft.Extensions.Logging": "1.1.0-*", - "Microsoft.Extensions.Logging.Console": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection": "1.2.0-*", + "Microsoft.Extensions.Logging": "1.2.0-*", + "Microsoft.Extensions.Logging.Console": "1.2.0-*", "Microsoft.NETCore.App": { "type": "platform", "version": "1.1.0-*" diff --git a/samples/Redis/project.json b/samples/Redis/project.json index 40e2fd9589..91c4b1d451 100644 --- a/samples/Redis/project.json +++ b/samples/Redis/project.json @@ -6,9 +6,9 @@ }, "dependencies": { "Microsoft.AspNetCore.DataProtection.Redis": "0.1.0-*", - "Microsoft.Extensions.DependencyInjection": "1.1.0-*", - "Microsoft.Extensions.Logging": "1.1.0-*", - "Microsoft.Extensions.Logging.Console": "1.1.0-*" + "Microsoft.Extensions.DependencyInjection": "1.2.0-*", + "Microsoft.Extensions.Logging": "1.2.0-*", + "Microsoft.Extensions.Logging.Console": "1.2.0-*" }, "frameworks": { "netcoreapp1.1": { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index 7152528d99..fd52a56a56 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -1,5 +1,5 @@ { - "version": "1.1.0-*", + "version": "1.2.0-*", "description": "Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly.", "packOptions": { "repository": { diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index ae6a0cb476..ed9d0aeffe 100644 
--- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -1,5 +1,5 @@ { - "version": "1.1.0-*", + "version": "1.2.0-*", "description": "ASP.NET Core utilities for key derivation.", "packOptions": { "repository": { @@ -12,7 +12,9 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": { + "target": "project" + }, "NETStandard.Library": "1.6.1-*" }, "frameworks": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 3089b494ba..170a4f6cb1 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -1,5 +1,5 @@ { - "version": "1.1.0-*", + "version": "1.2.0-*", "description": "ASP.NET Core data protection abstractions.\r\nCommonly used types:\r\nMicrosoft.AspNetCore.DataProtection.IDataProtectionProvider\r\nMicrosoft.AspNetCore.DataProtection.IDataProtector", "packOptions": { "repository": { @@ -14,11 +14,11 @@ "dependencies": { "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "1.1.0-*" + "target": "project" }, "Microsoft.Extensions.WebEncoders.Sources": { "type": "build", - "version": "1.1.0-*" + "version": "1.2.0-*" }, "NETStandard.Library": "1.6.1-*" }, diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json index bda2487d40..1b07e3a068 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json @@ -1,5 +1,5 @@ { - "version": "1.0.0-*", + "version": "1.1.0-*", "description": "Microsoft Azure Blob storrage support as key store.", "packOptions": { "repository": { 
@@ -14,7 +14,9 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection": { + "target": "project" + }, "NETStandard.Library": "1.6.1-*", "WindowsAzure.Storage": "7.2.1" }, diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index ab1b850392..1c6ab2f429 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -1,5 +1,5 @@ { - "version": "1.1.0-*", + "version": "1.2.0-*", "description": "Additional APIs for ASP.NET Core data protection.", "packOptions": { "repository": { @@ -12,12 +12,14 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection": { + "target": "project" + }, "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "1.1.0-*" + "target": "project" }, - "Microsoft.Extensions.DependencyInjection": "1.1.0-*", + "Microsoft.Extensions.DependencyInjection": "1.2.0-*", "NETStandard.Library": "1.6.1-*" }, "frameworks": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json index d31c33104b..b05004ab43 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json @@ -13,7 +13,9 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection": { + "target": "project" + }, "NETStandard.Library": "1.6.1-*", "StackExchange.Redis.StrongName": "1.1.605" }, diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index 002264fbe1..8739ff2745 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json 
+++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json @@ -1,5 +1,5 @@ { - "version": "1.1.0-*", + "version": "1.2.0-*", "description": "ASP.NET Core data protection shared code.", "packOptions": { "repository": { diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json index 8ebdf3740a..070199a49c 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json @@ -1,5 +1,5 @@ { - "version": "1.1.0-*", + "version": "1.2.0-*", "description": "A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x element.", "packOptions": { "repository": { @@ -20,8 +20,8 @@ "frameworks": { "net451": { "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.1.0-*", - "Microsoft.Extensions.DependencyInjection": "1.1.0-*" + "Microsoft.AspNetCore.DataProtection": "1.2.0-*", + "Microsoft.Extensions.DependencyInjection": "1.2.0-*" }, "frameworkAssemblies": { "System.Configuration": "4.0.0.0", diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 312fb1c7a9..52a3ea7e0e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -1,5 +1,5 @@ { - "version": "1.1.0-*", + "version": "1.2.0-*", "description": "ASP.NET Core logic to protect and unprotect data, similar to DPAPI.", "packOptions": { "repository": { 
@@ -12,16 +12,20 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": { + "target": "project" + }, + "Microsoft.AspNetCore.DataProtection.Abstractions": { + "target": "project" + }, "Microsoft.AspNetCore.DataProtection.Sources": { "type": "build", - "version": "1.1.0-*" + "target": "project" }, - "Microsoft.AspNetCore.Hosting.Abstractions": "1.1.0-*", - "Microsoft.Extensions.DependencyInjection.Abstractions": "1.1.0-*", - "Microsoft.Extensions.Logging.Abstractions": "1.1.0-*", - "Microsoft.Extensions.Options": "1.1.0-*", + "Microsoft.AspNetCore.Hosting.Abstractions": "1.2.0-*", + "Microsoft.Extensions.DependencyInjection.Abstractions": "1.2.0-*", + "Microsoft.Extensions.Logging.Abstractions": "1.2.0-*", + "Microsoft.Extensions.Options": "1.2.0-*", "NETStandard.Library": "1.6.1-*" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 98a0cd070f..4abcf4d687 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -1,12 +1,12 @@ { "dependencies": { "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.2.0-*", "xunit": "2.2.0-*" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index b400805289..5142109c87 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json 
+++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -1,10 +1,10 @@ { "dependencies": { "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", - "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.1.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", + "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", - "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.2.0-*", "xunit": "2.2.0-*" }, "frameworks": { diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index e74f829527..7a925c0123 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -1,9 +1,9 @@ { "dependencies": { "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", - "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.2.0-*", + "Microsoft.AspNetCore.Testing": "1.2.0-*", "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json index 8b20d73137..7d181c0bde 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json 
@@ -1,10 +1,10 @@ { "dependencies": { "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.AzureStorage": "1.0.0-*", - "Microsoft.AspNetCore.Testing": "1.1.0-*", - "Microsoft.Extensions.DependencyInjection": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.2.0-*", + "Microsoft.Extensions.DependencyInjection": "1.2.0-*", "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index cfd8f00fe0..b539b49777 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -1,13 +1,13 @@ { "dependencies": { "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", - "Microsoft.AspNetCore.DataProtection.Extensions": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.2.0-*", + "Microsoft.AspNetCore.DataProtection.Extensions": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.2.0-*", "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json index 248ddf2351..2646e5df2c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json 
@@ -1,9 +1,9 @@ { "dependencies": { "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection.Abstractions": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.Redis": "0.1.0-*", - "Microsoft.AspNetCore.Testing": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.2.0-*", "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 2641bbedf7..0ac4b8056c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -1,13 +1,13 @@ { "dependencies": { "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection": "1.1.0-*", + "Microsoft.AspNetCore.DataProtection": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.Test.Shared": { "type": "build", "version": "1.0.0-*" }, - "Microsoft.AspNetCore.Testing": "1.1.0-*", - "Microsoft.Extensions.DependencyInjection": "1.1.0-*", + "Microsoft.AspNetCore.Testing": "1.2.0-*", + "Microsoft.Extensions.DependencyInjection": "1.2.0-*", "Moq": "4.6.36-*", "xunit": "2.2.0-*" }, From 184fb812c90080116705dca46146e83f035cf13f Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Fri, 18 Nov 2016 10:56:12 -0800 Subject: [PATCH 302/493] Clean tmp folder after unzipping KoreBuild --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index f4208100eb..4fd7ede788 100755 --- a/build.sh +++ b/build.sh @@ -38,7 +38,7 @@ if test ! -d $buildFolder; then chmod +x $buildFile # Cleanup - if test ! -d $tempFolder; then + if test -d $tempFolder; then rm -rf $tempFolder fi fi From 8fd272e7ac526632b54a919dd6f9a6d481f74bde Mon Sep 17 00:00:00 2001 
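Review bot: In the build.sh cleanup hunk, `$tempFolder` is unquoted in both the corrected test and the `rm -rf` that follows, so a value containing spaces or glob characters would be word-split and the recursive delete could act on paths other than the temp folder. Quote both uses: `if test -d "$tempFolder"; then` and `rm -rf "$tempFolder"`. How `tempFolder` is assigned is not visible here, so whether it can hold such characters could not be confirmed. The enclosing `if test ! -d $buildFolder` block starts outside the hunk.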
From: "N. Taylor Mullen" Date: Wed, 23 Nov 2016 15:58:01 -0800 Subject: [PATCH 303/493] Pin global.json SDK to 1.0.0-preview2-1-003177. --- global.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/global.json b/global.json index d9b4ed63ae..f45e8cc925 100644 --- a/global.json +++ b/global.json @@ -1,3 +1,8 @@ { - "projects": [ "src" ] -} + "projects": [ + "src" + ], + "sdk": { + "version": "1.0.0-preview2-1-003177" + } +} \ No newline at end of file From 09b1f9e51175cc999eb229dfa1a759861b56b82d Mon Sep 17 00:00:00 2001 From: "N. Taylor Mullen" Date: Thu, 8 Dec 2016 10:02:34 -0800 Subject: [PATCH 304/493] Update .travis.yml osx image to xcode7.3. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a446a333d2..fba25ae65a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,7 +19,7 @@ mono: os: - linux - osx -osx_image: xcode7.1 +osx_image: xcode7.3 branches: only: - master From 981dc794b37e395d00d2308c623e06fd923a7770 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Mon, 12 Dec 2016 00:49:46 -0800 Subject: [PATCH 305/493] Removed packages list in NuGetPackageVerifier.json --- NuGetPackageVerifier.json | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index 0ab081c48f..c660b69e10 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json 
@@ -1,19 +1,4 @@ { - "adx": { // Packages written by the ADX team and that ship on NuGet.org - "rules": [ - "AdxVerificationCompositeRule" - ], - "packages": { - "Microsoft.AspNetCore.Cryptography.Internal": { }, - "Microsoft.AspNetCore.Cryptography.KeyDerivation": { }, - "Microsoft.AspNetCore.DataProtection": { }, - "Microsoft.AspNetCore.DataProtection.Abstractions": { }, - "Microsoft.AspNetCore.DataProtection.AzureStorage": { }, - "Microsoft.AspNetCore.DataProtection.Extensions": { }, - "Microsoft.AspNetCore.DataProtection.Redis": { }, - "Microsoft.AspNetCore.DataProtection.SystemWeb": { } - } - }, "adx-nonshipping": { "rules": [], "packages": { From b3afbc79d2d32e00b47fba6ac84236596c89098a Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 5 Dec 2016 09:01:59 -0800 Subject: [PATCH 306/493] Updating to 4.4 CoreFx packages --- global.json | 2 +- samples/AzureBlob/project.json | 2 +- samples/Redis/project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 4 ++-- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 2 +- src/Microsoft.AspNetCore.DataProtection/project.json | 8 ++++---- .../project.json | 2 +- .../project.json | 2 +- .../project.json | 4 ++-- .../project.json | 4 ++-- .../project.json | 4 ++-- .../project.json | 2 +- .../project.json | 2 +- .../Microsoft.AspNetCore.DataProtection.Test/project.json | 4 ++-- 19 files changed, 27 insertions(+), 27 deletions(-) diff --git a/global.json b/global.json index f45e8cc925..0ad1995dd2 100644 --- a/global.json +++ b/global.json @@ -3,6 +3,6 @@ "src" ], "sdk": { - "version": "1.0.0-preview2-1-003177" + "version": "1.0.0-preview2-1-003180" } } \ No newline at end of file diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json index ff2d137452..5eda4f5695 100644 --- a/samples/AzureBlob/project.json +++ b/samples/AzureBlob/project.json 
@@ -11,7 +11,7 @@ "Microsoft.Extensions.Logging.Console": "1.2.0-*", "Microsoft.NETCore.App": { "type": "platform", - "version": "1.1.0-*" + "version": "1.2.0-*" } }, "frameworks": { diff --git a/samples/Redis/project.json b/samples/Redis/project.json index 91c4b1d451..9ed09ac452 100644 --- a/samples/Redis/project.json +++ b/samples/Redis/project.json @@ -14,7 +14,7 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" } } diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json index fd52a56a56..94b194ddcf 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json @@ -12,7 +12,7 @@ ] }, "dependencies": { - "NETStandard.Library": "1.6.1-*" + "NETStandard.Library": "1.6.2-*" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json index ed9d0aeffe..6d4cc2c410 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json @@ -15,7 +15,7 @@ "Microsoft.AspNetCore.Cryptography.Internal": { "target": "project" }, - "NETStandard.Library": "1.6.1-*" + "NETStandard.Library": "1.6.2-*" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index 170a4f6cb1..ce821ce104 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json 
@@ -20,13 +20,13 @@ "type": "build", "version": "1.2.0-*" }, - "NETStandard.Library": "1.6.1-*" + "NETStandard.Library": "1.6.2-*" }, "frameworks": { "net451": {}, "netstandard1.3": { "dependencies": { - "System.ComponentModel": "4.3.0-*" + "System.ComponentModel": "4.4.0-*" } } }, diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json index 1b07e3a068..7c9ebeefa8 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json @@ -17,7 +17,7 @@ "Microsoft.AspNetCore.DataProtection": { "target": "project" }, - "NETStandard.Library": "1.6.1-*", + "NETStandard.Library": "1.6.2-*", "WindowsAzure.Storage": "7.2.1" }, "frameworks": { diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index 1c6ab2f429..905bcb1002 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -20,7 +20,7 @@ "target": "project" }, "Microsoft.Extensions.DependencyInjection": "1.2.0-*", - "NETStandard.Library": "1.6.1-*" + "NETStandard.Library": "1.6.2-*" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json index b05004ab43..1d7e83b6b4 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json @@ -16,7 +16,7 @@ "Microsoft.AspNetCore.DataProtection": { "target": "project" }, - "NETStandard.Library": "1.6.1-*", + "NETStandard.Library": "1.6.2-*", "StackExchange.Redis.StrongName": "1.1.605" }, "frameworks": { 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json index 8739ff2745..3190dfd233 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json @@ -12,7 +12,7 @@ ] }, "dependencies": { - "NETStandard.Library": "1.6.1-*" + "NETStandard.Library": "1.6.2-*" }, "frameworks": { "net451": {}, diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index 52a3ea7e0e..a9877b4304 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -26,7 +26,7 @@ "Microsoft.Extensions.DependencyInjection.Abstractions": "1.2.0-*", "Microsoft.Extensions.Logging.Abstractions": "1.2.0-*", "Microsoft.Extensions.Options": "1.2.0-*", - "NETStandard.Library": "1.6.1-*" + "NETStandard.Library": "1.6.2-*" }, "frameworks": { "net451": { @@ -41,9 +41,9 @@ }, "netstandard1.3": { "dependencies": { - "Microsoft.Win32.Registry": "4.3.0-*", - "System.Security.Claims": "4.3.0-*", - "System.Security.Principal.Windows": "4.3.0-*" + "Microsoft.Win32.Registry": "4.4.0-*", + "System.Security.Claims": "4.4.0-*", + "System.Security.Principal.Windows": "4.4.0-*" } } }, diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index 4abcf4d687..c8a739dd55 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -13,7 +13,7 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" } }, 
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 5142109c87..1050bd3a3d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json @@ -11,7 +11,7 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json index 7a925c0123..f247b4454f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json @@ -11,10 +11,10 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" }, - "System.Diagnostics.TraceSource": "4.3.0-*" + "System.Diagnostics.TraceSource": "4.4.0-*" } }, "net451": {} diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json index 7d181c0bde..df9054164d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json @@ -12,10 +12,10 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" }, - "System.Diagnostics.TraceSource": "4.3.0-*" + "System.Diagnostics.TraceSource": "4.4.0-*" }, "imports": [ "dnxcore50", diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index b539b49777..5832651b11 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -15,10 +15,10 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" }, - "System.Diagnostics.TraceSource": "4.3.0-*" + "System.Diagnostics.TraceSource": "4.4.0-*" } }, "net451": {} diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json index 2646e5df2c..301bcb1146 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json @@ -11,7 +11,7 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json index 17e8645ba1..638fb6f242 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json @@ -2,7 +2,7 @@ "frameworks": { "netstandard1.1": { "dependencies": { - "NETStandard.Library": "1.6.1-*" + "NETStandard.Library": "1.6.2-*" } } }, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 0ac4b8056c..5d1947f2f4 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -15,10 +15,10 @@ "netcoreapp1.1": { "dependencies": { "Microsoft.NETCore.App": { - "version": "1.1.0-*", + "version": "1.2.0-*", "type": "platform" }, - "System.Diagnostics.TraceSource": "4.3.0-*" + "System.Diagnostics.TraceSource": "4.4.0-*" } }, "net451": {} From 0f276780de37f4700afa4a6ce0d6c63725e32c51 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Wed, 4 Jan 2017 15:22:08 -0800 Subject: [PATCH 307/493] Remove Microsoft.AspNetCore.DataProtection.Sources package --- NuGetPackageVerifier.json | 8 +----- .../EncodingUtil.cs | 0 .../ExceptionExtensions.cs | 0 .../project.json | 7 ++--- .../project.json | 7 ++--- ...ft.AspNetCore.DataProtection.Sources.xproj | 17 ------------ .../project.json | 26 ------------------- .../project.json | 7 ++--- 8 files changed, 7 insertions(+), 65 deletions(-) rename {src/Microsoft.AspNetCore.DataProtection.Sources => shared}/EncodingUtil.cs (100%) rename {src/Microsoft.AspNetCore.DataProtection.Sources => shared}/ExceptionExtensions.cs (100%) delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Sources/project.json diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json index c660b69e10..b153ab1515 100644 --- a/NuGetPackageVerifier.json +++ b/NuGetPackageVerifier.json @@ -1,11 +1,5 @@ { - "adx-nonshipping": { - "rules": [], - "packages": { - "Microsoft.AspNetCore.DataProtection.Sources": { } - } - }, - "Default": { // Rules to run for packages not listed in any other set. + "Default": { "rules": [ "DefaultCompositeRule" ] diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs b/shared/EncodingUtil.cs similarity index 100% rename from src/Microsoft.AspNetCore.DataProtection.Sources/EncodingUtil.cs rename to shared/EncodingUtil.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs b/shared/ExceptionExtensions.cs similarity index 100% rename from src/Microsoft.AspNetCore.DataProtection.Sources/ExceptionExtensions.cs rename to shared/ExceptionExtensions.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json index ce821ce104..0544786388 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json @@ -12,10 +12,6 @@ ] }, "dependencies": { - "Microsoft.AspNetCore.DataProtection.Sources": { - "type": "build", - "target": "project" - }, "Microsoft.Extensions.WebEncoders.Sources": { "type": "build", "version": "1.2.0-*" @@ -36,6 +32,7 @@ "nowarn": [ "CS1591" ], - "xmlDoc": true + "xmlDoc": true, + "compile": "../../shared/*.cs" } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json index 905bcb1002..a8117e8488 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json @@ -15,10 +15,6 @@ "Microsoft.AspNetCore.DataProtection": { "target": "project" }, - "Microsoft.AspNetCore.DataProtection.Sources": { - "type": "build", - "target": "project" - }, "Microsoft.Extensions.DependencyInjection": "1.2.0-*", "NETStandard.Library": "1.6.2-*" }, @@ -32,6 +28,7 @@ "nowarn": [ "CS1591" ], - "xmlDoc": true + "xmlDoc": true, + "compile": "../../shared/*.cs" } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj b/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj deleted file mode 100644 index 9efcc1390d..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/Microsoft.AspNetCore.DataProtection.Sources.xproj +++ /dev/null @@ -1,17 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 3277bb22-033f-4010-8131-a515b910caad - .\obj - .\bin\ - - - 2.0 - - - \ No newline at end of file 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json b/src/Microsoft.AspNetCore.DataProtection.Sources/project.json deleted file mode 100644 index 3190dfd233..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Sources/project.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "version": "1.2.0-*", - "description": "ASP.NET Core data protection shared code.", - "packOptions": { - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "tags": [ - "aspnetcore", - "dataprotection" - ] - }, - "dependencies": { - "NETStandard.Library": "1.6.2-*" - }, - "frameworks": { - "net451": {}, - "netstandard1.3": {} - }, - "shared": "**\\*.cs", - "buildOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json index a9877b4304..ce3c0da220 100644 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ b/src/Microsoft.AspNetCore.DataProtection/project.json @@ -18,10 +18,6 @@ "Microsoft.AspNetCore.DataProtection.Abstractions": { "target": "project" }, - "Microsoft.AspNetCore.DataProtection.Sources": { - "type": "build", - "target": "project" - }, "Microsoft.AspNetCore.Hosting.Abstractions": "1.2.0-*", "Microsoft.Extensions.DependencyInjection.Abstractions": "1.2.0-*", "Microsoft.Extensions.Logging.Abstractions": "1.2.0-*", @@ -54,6 +50,7 @@ "nowarn": [ "CS1591" ], - "xmlDoc": true + "xmlDoc": true, + "compile": "../../shared/*.cs" } } \ No newline at end of file From 0e45531eb7b76549c13bd3af9f18c1f7cb1885f9 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Wed, 4 Jan 2017 17:17:33 -0800 Subject: [PATCH 308/493] Remove the .Sources package from the solution file and remove the 'shared' project within the test folder --- DataProtection.sln | 22 ------------------- .../project.json | 7 ++---- .../project.json | 4 ++-- .../project.json | 7 ++---- .../project.json | 10 --------- .../project.json | 7 ++---- ...onalRunTestOnlyWindows8OrLaterAttribute.cs | 0 .../ConditionalRunTestOnlyWindowsAttribute.cs | 0 .../ExceptionAssert2.cs | 0 ...spNetCore.DataProtection.Test.Shared.xproj | 0 10 files changed, 8 insertions(+), 49 deletions(-) delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json rename test/{Microsoft.AspNetCore.DataProtection.Test.Shared => shared}/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs (100%) rename test/{Microsoft.AspNetCore.DataProtection.Test.Shared => shared}/ConditionalRunTestOnlyWindowsAttribute.cs (100%) rename test/{Microsoft.AspNetCore.DataProtection.Test.Shared => shared}/ExceptionAssert2.cs (100%) rename test/{Microsoft.AspNetCore.DataProtection.Test.Shared => shared}/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj (100%) diff --git a/DataProtection.sln b/DataProtection.sln index b98012a3b3..f9c75589a5 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -22,10 +22,6 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataPr EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Abstractions.Test", "test\Microsoft.AspNetCore.DataProtection.Abstractions.Test\Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Test.Shared", "test\Microsoft.AspNetCore.DataProtection.Test.Shared\Microsoft.AspNetCore.DataProtection.Test.Shared.xproj", "{4F14BA2A-4F04-4676-8586-EC380977EE2E}" -EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Sources", "src\Microsoft.AspNetCore.DataProtection.Sources\Microsoft.AspNetCore.DataProtection.Sources.xproj", "{3277BB22-033F-4010-8131-A515B910CAAD}" -EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.SystemWeb", "src\Microsoft.AspNetCore.DataProtection.SystemWeb\Microsoft.AspNetCore.DataProtection.SystemWeb.xproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Extensions.Test", "test\Microsoft.AspNetCore.DataProtection.Extensions.Test\Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" 
@@ -120,22 +116,6 @@ Global {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Release|Any CPU.Build.0 = Release|Any CPU {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Release|x86.ActiveCfg = Release|Any CPU {FF650A69-DEE4-4B36-9E30-264EE7CFB478}.Release|x86.Build.0 = Release|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|Any CPU.Build.0 = Debug|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|x86.ActiveCfg = Debug|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Debug|x86.Build.0 = Debug|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|Any CPU.ActiveCfg = Release|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|Any CPU.Build.0 = Release|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|x86.ActiveCfg = Release|Any CPU - {4F14BA2A-4F04-4676-8586-EC380977EE2E}.Release|x86.Build.0 = Release|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|Any CPU.Build.0 = Debug|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|x86.ActiveCfg = Debug|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Debug|x86.Build.0 = Debug|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Release|Any CPU.ActiveCfg = Release|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Release|Any CPU.Build.0 = Release|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Release|x86.ActiveCfg = Release|Any CPU - {3277BB22-033F-4010-8131-A515B910CAAD}.Release|x86.Build.0 = Release|Any CPU {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Debug|Any CPU.Build.0 = Debug|Any CPU {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}.Debug|x86.ActiveCfg = Debug|Any CPU 
@@ -221,8 +201,6 @@ Global {37053D5F-5B61-47CE-8B72-298CE007FFB0} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {4B115BDE-B253-46A6-97BF-A8B37B344FF2} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {FF650A69-DEE4-4B36-9E30-264EE7CFB478} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} - {4F14BA2A-4F04-4676-8586-EC380977EE2E} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} - {3277BB22-033F-4010-8131-A515B910CAAD} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {04AA8E60-A053-4D50-89FE-E76C3DF45200} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {BF8681DB-C28B-441F-BD92-0DCFE9537A9F} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json index c8a739dd55..7aebe7cd35 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json @@ -2,10 +2,6 @@ "dependencies": { "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.Test.Shared": { - "type": "build", - "version": "1.0.0-*" - }, "Microsoft.AspNetCore.Testing": "1.2.0-*", "xunit": "2.2.0-*" }, @@ -33,6 +29,7 @@ "buildOptions": { "allowUnsafe": true, "keyFile": "../../tools/Key.snk", - "warningsAsErrors": true + "warningsAsErrors": true, + "compile": "../shared/*.cs" } } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json index 1050bd3a3d..f9fe27a02d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json 
@@ -3,7 +3,6 @@ "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.Test.Shared": "1.0.0-*", "Microsoft.AspNetCore.Testing": "1.2.0-*", "xunit": "2.2.0-*" }, @@ -22,6 +21,7 @@ "buildOptions": { "allowUnsafe": true, "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "compile": "../shared/*.cs" } } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json index 5832651b11..77054cc9b0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json @@ -3,10 +3,6 @@ "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection.Abstractions": "1.2.0-*", "Microsoft.AspNetCore.DataProtection.Extensions": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.Test.Shared": { - "type": "build", - "version": "1.0.0-*" - }, "Microsoft.AspNetCore.Testing": "1.2.0-*", "Moq": "4.6.36-*", "xunit": "2.2.0-*" @@ -26,6 +22,7 @@ "testRunner": "xunit", "buildOptions": { "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "compile": "../shared/*.cs" } } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json b/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json deleted file mode 100644 index 638fb6f242..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/project.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "frameworks": { - "netstandard1.1": { - "dependencies": { - "NETStandard.Library": "1.6.2-*" - } - } - }, - "shared": "**/*.cs" -} \ No newline at end of file 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json index 5d1947f2f4..d912776c79 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ b/test/Microsoft.AspNetCore.DataProtection.Test/project.json @@ -2,10 +2,6 @@ "dependencies": { "dotnet-test-xunit": "2.2.0-*", "Microsoft.AspNetCore.DataProtection": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.Test.Shared": { - "type": "build", - "version": "1.0.0-*" - }, "Microsoft.AspNetCore.Testing": "1.2.0-*", "Microsoft.Extensions.DependencyInjection": "1.2.0-*", "Moq": "4.6.36-*", @@ -27,6 +23,7 @@ "buildOptions": { "allowUnsafe": true, "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" + "keyFile": "../../tools/Key.snk", + "compile": "../shared/*.cs" } } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs b/test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs rename to test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs b/test/shared/ConditionalRunTestOnlyWindowsAttribute.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Test.Shared/ConditionalRunTestOnlyWindowsAttribute.cs rename to test/shared/ConditionalRunTestOnlyWindowsAttribute.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs b/test/shared/ExceptionAssert2.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Test.Shared/ExceptionAssert2.cs rename to test/shared/ExceptionAssert2.cs 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj b/test/shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Test.Shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj rename to test/shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj From 0668a2a52e30ae93423a12437e7b90494a8645d0 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Tue, 31 Jan 2017 16:46:29 -0800 Subject: [PATCH 309/493] Upgrade to VS 2017 --- DataProtection.sln | 39 ++++++----- NuGet.config | 5 +- appveyor.yml | 3 +- build.ps1 | 2 +- build.sh | 2 +- {tools => build}/Key.snk | Bin build/common.props | 24 +++++++ global.json | 8 --- makefile.shade | 64 ------------------ samples/AzureBlob/AzureBlob.csproj | 17 +++++ samples/AzureBlob/AzureBlob.xproj | 21 ------ .../AzureBlob/Properties/launchSettings.json | 22 ++++++ samples/AzureBlob/project.json | 24 ------- samples/Redis/Properties/launchSettings.json | 22 ++++++ samples/Redis/Redis.csproj | 18 +++++ samples/Redis/Redis.xproj | 19 ------ samples/Redis/project.json | 24 ------- ...ft.AspNetCore.Cryptography.Internal.csproj | 14 ++++ ...oft.AspNetCore.Cryptography.Internal.xproj | 17 ----- .../Properties/AssemblyInfo.cs | 7 -- .../project.json | 30 -------- ...pNetCore.Cryptography.KeyDerivation.csproj | 18 +++++ ...spNetCore.Cryptography.KeyDerivation.xproj | 17 ----- .../Properties/AssemblyInfo.cs | 7 -- .../project.json | 33 --------- ...NetCore.DataProtection.Abstractions.csproj | 28 ++++++++ ...pNetCore.DataProtection.Abstractions.xproj | 17 ----- .../Properties/AssemblyInfo.cs | 7 -- .../project.json | 38 ----------- ...NetCore.DataProtection.AzureStorage.csproj | 21 ++++++ ...pNetCore.DataProtection.AzureStorage.xproj | 18 ----- .../Properties/AssemblyInfo.cs | 12 ---- .../project.json | 38 ----------- ...spNetCore.DataProtection.Extensions.csproj | 22 ++++++ ...AspNetCore.DataProtection.Extensions.xproj | 17 ----- .../Properties/AssemblyInfo.cs | 7 -- .../project.json | 34 ---------- ...oft.AspNetCore.DataProtection.Redis.csproj | 20 ++++++ ...soft.AspNetCore.DataProtection.Redis.xproj | 19 ------ .../Properties/AssemblyInfo.cs | 11 --- .../project.json | 35 ---------- ...AspNetCore.DataProtection.SystemWeb.csproj | 25 +++++++ ....AspNetCore.DataProtection.SystemWeb.xproj | 17 ----- .../Properties/AssemblyInfo.cs | 11 --- .../project.json | 
41 ----------- ...Microsoft.AspNetCore.DataProtection.csproj | 39 +++++++++++ .../Microsoft.AspNetCore.DataProtection.xproj | 17 ----- .../Properties/AssemblyInfo.cs | 7 -- .../project.json | 56 --------------- ...pNetCore.Cryptography.Internal.Test.csproj | 24 +++++++ ...spNetCore.Cryptography.Internal.Test.xproj | 20 ------ .../Properties/AssemblyInfo.cs | 1 - .../project.json | 35 ---------- ...ore.Cryptography.KeyDerivation.Test.csproj | 24 +++++++ ...Core.Cryptography.KeyDerivation.Test.xproj | 20 ------ .../Properties/AssemblyInfo.cs | 1 - .../project.json | 27 -------- ...re.DataProtection.Abstractions.Test.csproj | 24 +++++++ ...ore.DataProtection.Abstractions.Test.xproj | 20 ------ .../project.json | 30 -------- ...re.DataProtection.AzureStorage.Test.csproj | 23 +++++++ ...ore.DataProtection.AzureStorage.Test.xproj | 21 ------ .../project.json | 37 ---------- ...Core.DataProtection.Extensions.Test.csproj | 24 +++++++ ...tCore.DataProtection.Extensions.Test.xproj | 20 ------ .../project.json | 28 -------- ...spNetCore.DataProtection.Redis.Test.csproj | 24 +++++++ ...AspNetCore.DataProtection.Redis.Test.xproj | 21 ------ .../project.json | 29 -------- ...soft.AspNetCore.DataProtection.Test.csproj | 29 ++++++++ ...osoft.AspNetCore.DataProtection.Test.xproj | 20 ------ .../Properties/AssemblyInfo.cs | 1 - .../project.json | 29 -------- ...spNetCore.DataProtection.Test.Shared.xproj | 17 ----- version.props | 7 ++ 75 files changed, 495 insertions(+), 1075 deletions(-) rename {tools => build}/Key.snk (100%) create mode 100644 build/common.props delete mode 100644 global.json delete mode 100644 makefile.shade create mode 100644 samples/AzureBlob/AzureBlob.csproj delete mode 100644 samples/AzureBlob/AzureBlob.xproj create mode 100644 samples/AzureBlob/Properties/launchSettings.json delete mode 100644 samples/AzureBlob/project.json create mode 100644 samples/Redis/Properties/launchSettings.json create mode 100644 samples/Redis/Redis.csproj delete mode 100644 
samples/Redis/Redis.xproj delete mode 100644 samples/Redis/project.json create mode 100644 src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj delete mode 100644 src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj delete mode 100644 src/Microsoft.AspNetCore.Cryptography.Internal/project.json create mode 100644 src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj delete mode 100644 src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj delete mode 100644 src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureStorage/Properties/AssemblyInfo.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Extensions/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj delete mode 100644 
src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json create mode 100644 src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj delete mode 100644 src/Microsoft.AspNetCore.DataProtection/project.json create mode 100644 test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj delete mode 100644 test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj delete mode 100644 test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json create mode 100644 test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj delete mode 100644 test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj delete mode 100644 test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj delete mode 100644 
test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/project.json delete mode 100644 test/shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj create mode 100644 version.props diff --git a/DataProtection.sln b/DataProtection.sln index f9c75589a5..bcc119cb7a 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -1,52 +1,51 @@ Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio 14 -VisualStudioVersion = 14.0.25420.1 +# Visual Studio 15 +VisualStudioVersion = 15.0.26127.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection", "src\Microsoft.AspNetCore.DataProtection\Microsoft.AspNetCore.DataProtection.xproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection", "src\Microsoft.AspNetCore.DataProtection\Microsoft.AspNetCore.DataProtection.csproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Test", "test\Microsoft.AspNetCore.DataProtection.Test\Microsoft.AspNetCore.DataProtection.Test.xproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Test", "test\Microsoft.AspNetCore.DataProtection.Test\Microsoft.AspNetCore.DataProtection.Test.csproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.Internal", "src\Microsoft.AspNetCore.Cryptography.Internal\Microsoft.AspNetCore.Cryptography.Internal.xproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.Internal", "src\Microsoft.AspNetCore.Cryptography.Internal\Microsoft.AspNetCore.Cryptography.Internal.csproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation", 
"src\Microsoft.AspNetCore.Cryptography.KeyDerivation\Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj", "{421F0383-34B1-402D-807B-A94542513ABA}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation", "src\Microsoft.AspNetCore.Cryptography.KeyDerivation\Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj", "{421F0383-34B1-402D-807B-A94542513ABA}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.Cryptography.Internal.Test", "test\Microsoft.AspNetCore.Cryptography.Internal.Test\Microsoft.AspNetCore.Cryptography.Internal.Test.xproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.Internal.Test", "test\Microsoft.AspNetCore.Cryptography.Internal.Test\Microsoft.AspNetCore.Cryptography.Internal.Test.csproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Abstractions", "src\Microsoft.AspNetCore.DataProtection.Abstractions\Microsoft.AspNetCore.DataProtection.Abstractions.xproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Abstractions", "src\Microsoft.AspNetCore.DataProtection.Abstractions\Microsoft.AspNetCore.DataProtection.Abstractions.csproj", 
"{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Abstractions.Test", "test\Microsoft.AspNetCore.DataProtection.Abstractions.Test\Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Abstractions.Test", "test\Microsoft.AspNetCore.DataProtection.Abstractions.Test\Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.SystemWeb", "src\Microsoft.AspNetCore.DataProtection.SystemWeb\Microsoft.AspNetCore.DataProtection.SystemWeb.xproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.SystemWeb", "src\Microsoft.AspNetCore.DataProtection.SystemWeb\Microsoft.AspNetCore.DataProtection.SystemWeb.csproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Extensions.Test", "test\Microsoft.AspNetCore.DataProtection.Extensions.Test\Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Extensions.Test", "test\Microsoft.AspNetCore.DataProtection.Extensions.Test\Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Extensions", "src\Microsoft.AspNetCore.DataProtection.Extensions\Microsoft.AspNetCore.DataProtection.Extensions.xproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = 
"Microsoft.AspNetCore.DataProtection.Extensions", "src\Microsoft.AspNetCore.DataProtection.Extensions\Microsoft.AspNetCore.DataProtection.Extensions.csproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.xproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.csproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.AzureStorage", "src\Microsoft.AspNetCore.DataProtection.AzureStorage\Microsoft.AspNetCore.DataProtection.AzureStorage.xproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.AzureStorage", "src\Microsoft.AspNetCore.DataProtection.AzureStorage\Microsoft.AspNetCore.DataProtection.AzureStorage.csproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A5DE3-49AD-431C-971D-B01B62D94AE2}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "AzureBlob", "samples\AzureBlob\AzureBlob.xproj", "{B07435B3-CD81-4E3B-88A5-6384821E1C01}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AzureBlob", "samples\AzureBlob\AzureBlob.csproj", "{B07435B3-CD81-4E3B-88A5-6384821E1C01}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.Redis.Test", "test\Microsoft.AspNetCore.DataProtection.Redis.Test\Microsoft.AspNetCore.DataProtection.Redis.Test.xproj", "{ABCF00E5-5B2F-469C-90DC-908C5A04C08D}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = 
"Microsoft.AspNetCore.DataProtection.Redis.Test", "test\Microsoft.AspNetCore.DataProtection.Redis.Test\Microsoft.AspNetCore.DataProtection.Redis.Test.csproj", "{ABCF00E5-5B2F-469C-90DC-908C5A04C08D}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{E1D86B1B-41D8-43C9-97FD-C2BF65C414E2}" ProjectSection(SolutionItems) = preProject - global.json = global.json NuGet.config = NuGet.config EndProjectSection EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Microsoft.AspNetCore.DataProtection.AzureStorage.Test", "test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.AzureStorage.Test", "test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "Redis", "samples\Redis\Redis.xproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Redis", "samples\Redis\Redis.csproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution diff --git a/NuGet.config b/NuGet.config index 826a1f9035..8e65695611 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,8 @@ - + + - \ No newline at end of file + diff --git a/appveyor.yml b/appveyor.yml index b9a9bcd1e6..df67923781 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -10,4 +10,5 @@ build_script: - build.cmd verify clone_depth: 1 test: off -deploy: off \ No newline at end of file +deploy: off +os: Visual Studio 2017 RC diff --git a/build.ps1 b/build.ps1 index 8f2f99691a..0605b59c01 100644 --- a/build.ps1 +++ b/build.ps1 
@@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/feature/msbuild.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index 4fd7ede788..07997d6c83 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/feature/msbuild.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi diff --git a/tools/Key.snk b/build/Key.snk similarity index 100% rename from tools/Key.snk rename to build/Key.snk diff --git a/build/common.props b/build/common.props new file mode 100644 index 0000000000..a9484f642b --- /dev/null +++ b/build/common.props @@ -0,0 +1,24 @@ + + + + + Microsoft ASP.NET Core + https://github.com/aspnet/DataProtection + git + $(MSBuildThisFileDirectory)Key.snk + true + true + 1.2.0-* + 1.6.2-* + $(VersionSuffix)-$(BuildNumber) + + + + + + + + + + + diff --git a/global.json b/global.json deleted file mode 100644 index 0ad1995dd2..0000000000 --- a/global.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "projects": [ - "src" - ], - "sdk": { - "version": "1.0.0-preview2-1-003180" - } -} \ No newline at end of file diff --git a/makefile.shade b/makefile.shade deleted file mode 100644 index 2db83b1923..0000000000 --- a/makefile.shade +++ /dev/null 
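Review bot: The new `$koreBuildZip` default in build.ps1, and the matching `koreBuildZip` line in the build.sh hunk that follows, points at the tip of a feature branch, so the build tooling that gets downloaded can change without any change in this repository, and nothing visible in either hunk verifies what was fetched. Pinning the URL to a commit archive, for example `$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/<commit-sha>.zip"`, or checking the download against a recorded SHA-256 before it is unpacked, would make the bootstrap reproducible and tamper-evident. The `KOREBUILD_ZIP` environment variable replaces the URL wholesale, which deserves a comment such as `# KOREBUILD_ZIP overrides the download source; set it only in trusted build environments`. The download and unpack steps lie outside both hunks, so how the archive is consumed is inferred from the variable name.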
@@ -1,64 +0,0 @@ -use import="Environment" - -var VERSION='0.1' -var FULL_VERSION='0.1' -var AUTHORS='Microsoft Open Technologies, Inc.' - -use-standard-lifecycle -k-standard-goals - -var Configuration_Local = '${E("Configuration")}' -default BASE_DIR_LOCAL='${Directory.GetCurrentDirectory()}' -default TARGET_DIR_LOCAL='${Path.Combine(BASE_DIR_LOCAL, "artifacts")}' -default BUILD_DIR_LOCAL='${Path.Combine(TARGET_DIR_LOCAL, "build")}' -default SRC_PROJECT_GLOB_LOCAL="src/*/project.json" -default TEST_PROJECT_GLOB_LOCAL="test/*/project.json" - -#build-compile target='compile' if='Directory.Exists("src")' - @{ - // Don't remove the if clause in the target above - removing it will break CI test runs. - - Directory.CreateDirectory(TARGET_DIR_LOCAL); - - string commitHash = null; - if (AddAssemblyInfo) - { - var commitHashFile = Path.Combine(TARGET_DIR_LOCAL, "commit"); - GitCommand("rev-parse HEAD >> " + commitHashFile); - commitHash = File.ReadAllLines(commitHashFile)[0]; - } - - var srcProjects = Files.Include(SRC_PROJECT_GLOB_LOCAL).ToList(); - if (IsLinux) - { - srcProjects.Remove("src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json"); - } - srcProjects.ForEach(projectFile => - { - if (AddAssemblyInfo) - { - var projectText = File.ReadAllText(projectFile); - var project = (JsonObject)Json.Deserialize(projectText); - var isSharedProject = project.Keys.Contains("shared"); - - // We don't want to embed the commit hash in it because - // the consumers would get that file - if (!isSharedProject) - { - Console.WriteLine("Embedding commit hash in assembly"); - var projectFolder = Path.GetDirectoryName(projectFile); - var commitHashAttribute = String.Format("[assembly: System.Reflection.AssemblyMetadata(\"CommitHash\", \"{0}\")]", commitHash); - - var buildInfoFile = Path.Combine(projectFolder, "BuildInfo.generated.cs"); - File.WriteAllText(buildInfoFile, commitHashAttribute); - } - } - DotnetPack(projectFile, BUILD_DIR_LOCAL, Configuration_Local, ""); - }); - 
DotnetBuild(TEST_PROJECT_GLOB_LOCAL, Configuration_Local, BuildFramework); - - foreach (var nupkg in Files.Include(Path.Combine(BUILD_DIR_LOCAL, "*/" + Configuration_Local + "/*.nupkg"))) - { - File.Copy(nupkg, Path.Combine(BUILD_DIR_LOCAL, Path.GetFileName(nupkg)), true); - } - } \ No newline at end of file diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj new file mode 100644 index 0000000000..f0bd9ec8e0 --- /dev/null +++ b/samples/AzureBlob/AzureBlob.csproj @@ -0,0 +1,17 @@ + + + + netcoreapp1.1 + Exe + $(PackageTargetFallback);portable-net45+win8+wp8+wpa81 + + + + + + + + + + + diff --git a/samples/AzureBlob/AzureBlob.xproj b/samples/AzureBlob/AzureBlob.xproj deleted file mode 100644 index 52a7e78b7e..0000000000 --- a/samples/AzureBlob/AzureBlob.xproj +++ /dev/null @@ -1,21 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - - b07435b3-cd81-4e3b-88a5-6384821e1c01 - AzureBlob - .\obj - .\bin\ - v4.5.2 - - - - 2.0 - - - diff --git a/samples/AzureBlob/Properties/launchSettings.json b/samples/AzureBlob/Properties/launchSettings.json new file mode 100644 index 0000000000..ae9a5dab5a --- /dev/null +++ b/samples/AzureBlob/Properties/launchSettings.json @@ -0,0 +1,22 @@ +{ + "iisSettings": { + "windowsAuthentication": false, + "anonymousAuthentication": true, + "iisExpress": { + "applicationUrl": "http://localhost:2041/", + "sslPort": 0 + } + }, + "profiles": { + "IIS Express": { + "commandName": "IISExpress", + "launchBrowser": true, + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + } + }, + "AzureBlob": { + "commandName": "Project" + } + } +} \ No newline at end of file diff --git a/samples/AzureBlob/project.json b/samples/AzureBlob/project.json deleted file mode 100644 index 5eda4f5695..0000000000 --- a/samples/AzureBlob/project.json +++ /dev/null 
@@ -1,24 +0,0 @@
-{
- "version": "1.0.0-*",
- "buildOptions": {
- "emitEntryPoint": true
- },
- "dependencies": {
- "Microsoft.AspNetCore.DataProtection": "1.2.0-*",
- "Microsoft.AspNetCore.DataProtection.AzureStorage": "1.0.0-*",
- "Microsoft.Extensions.DependencyInjection": "1.2.0-*",
- "Microsoft.Extensions.Logging": "1.2.0-*",
- "Microsoft.Extensions.Logging.Console": "1.2.0-*",
- "Microsoft.NETCore.App": {
- "type": "platform",
- "version": "1.2.0-*"
- }
- },
- "frameworks": {
- "netcoreapp1.1": {
- "imports": [
- "portable-net45+win8+wp8+wpa81"
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/samples/Redis/Properties/launchSettings.json b/samples/Redis/Properties/launchSettings.json
new file mode 100644
index 0000000000..4f4c767916
--- /dev/null
+++ b/samples/Redis/Properties/launchSettings.json
@@ -0,0 +1,22 @@
+{
+ "iisSettings": {
+ "windowsAuthentication": false,
+ "anonymousAuthentication": true,
+ "iisExpress": {
+ "applicationUrl": "http://localhost:2042/",
+ "sslPort": 0
+ }
+ },
+ "profiles": {
+ "IIS Express": {
+ "commandName": "IISExpress",
+ "launchBrowser": true,
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "Redis": {
+ "commandName": "Project"
+ }
+ }
+}
\ No newline at end of file
diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj
new file mode 100644
index 0000000000..d428b50020
--- /dev/null
+++ b/samples/Redis/Redis.csproj
@@ -0,0 +1,18 @@
+
+
+
+ netcoreapp1.1;net451
+
+ win7-x64
+ portable
+ Exe
+
+
+
+
+
+
+
+
+
+
diff --git a/samples/Redis/Redis.xproj b/samples/Redis/Redis.xproj
deleted file mode 100644
index 29ab6c0dc5..0000000000
--- a/samples/Redis/Redis.xproj
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
- 14.0.25420
- $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)
-
-
-
- 24aaec96-df46-4f61-b2ff-3d5e056685d9
- Redis
- .\obj
- .\bin\
-
-
-
- 2.0
-
-
-
\ No newline at end of file
diff --git a/samples/Redis/project.json b/samples/Redis/project.json deleted file mode 100644 index 9ed09ac452..0000000000 --- a/samples/Redis/project.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "version": "1.0.0-*", - "buildOptions": { - "debugType": "portable", - "emitEntryPoint": true - }, - "dependencies": { - "Microsoft.AspNetCore.DataProtection.Redis": "0.1.0-*", - "Microsoft.Extensions.DependencyInjection": "1.2.0-*", - "Microsoft.Extensions.Logging": "1.2.0-*", - "Microsoft.Extensions.Logging.Console": "1.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - } - } - }, - "net451": {} - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj new file mode 100644 index 0000000000..75e58c0965 --- /dev/null +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj @@ -0,0 +1,14 @@ + + + + + + Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly. + net451;netstandard1.3 + $(NoWarn);CS1591 + true + true + aspnetcore;dataprotection + + + diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj deleted file mode 100644 index 87e2204bd2..0000000000 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.xproj +++ /dev/null @@ -1,17 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - E2779976-A28C-4365-A4BB-4AD854FAF23E - .\obj - .\bin\ - - - 2.0 - - - \ No newline at end of file 
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs index ede18c9302..62865ae945 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs @@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System.Reflection; -using System.Resources; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; 
@@ -16,8 +14,3 @@ using System.Runtime.InteropServices; [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json b/src/Microsoft.AspNetCore.Cryptography.Internal/project.json deleted file mode 100644 index 94b194ddcf..0000000000 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/project.json +++ /dev/null 
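Review bot: The deleted `[assembly: AssemblyMetadata("Serviceable", "True")]` at the end of this hunk needs an equivalent in the MSBuild-based build, and nothing in the AssemblyInfo.cs hunks confirms there is one. The same five attributes are removed from the KeyDerivation, Abstractions, Extensions and DataProtection AssemblyInfo.cs files, and the AzureStorage, Redis and SystemWeb AssemblyInfo.cs files are deleted outright. As far as I know this attribute is the marker that opts an assembly into servicing, which matters for packages that carry cryptographic code. I would inspect the built assemblies for it before merging, or keep `[assembly: AssemblyMetadata("Serviceable", "True")]` together with `using System.Reflection;` until the generated assembly info is confirmed to carry it.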
@@ -1,30 +0,0 @@
-{
- "version": "1.2.0-*",
- "description": "Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly.",
- "packOptions": {
- "repository": {
- "type": "git",
- "url": "git://github.com/aspnet/dataprotection"
- },
- "tags": [
- "aspnetcore",
- "dataprotection"
- ]
- },
- "dependencies": {
- "NETStandard.Library": "1.6.2-*"
- },
- "frameworks": {
- "net451": {},
- "netstandard1.3": {}
- },
- "buildOptions": {
- "allowUnsafe": true,
- "warningsAsErrors": true,
- "keyFile": "../../tools/Key.snk",
- "nowarn": [
- "CS1591"
- ],
- "xmlDoc": true
- }
-}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
new file mode 100644
index 0000000000..a93ee65f94
--- /dev/null
+++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
@@ -0,0 +1,18 @@
+
+
+
+
+
+ ASP.NET Core utilities for key derivation.
+ net451;netstandard1.3
+ $(NoWarn);CS1591
+ true
+ true
+ aspnetcore;dataprotection
+
+
+
+
+
+
+
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj
deleted file mode 100644
index efcdd4aa36..0000000000
--- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.xproj
+++ /dev/null
@@ -1,17 +0,0 @@
-
-
-
- 14.0
- $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)
-
-
-
- 421F0383-34B1-402D-807B-A94542513ABA
- .\obj
- .\bin\
-
-
- 2.0
-
-
-
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs index a4ad1bb0a0..2ca6553c5d 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs @@ -1,13 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System.Reflection; -using System.Resources; using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNetCore.Cryptography.KeyDerivation.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json deleted file mode 100644 index 6d4cc2c410..0000000000 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/project.json +++ /dev/null 
@@ -1,33 +0,0 @@
-{
- "version": "1.2.0-*",
- "description": "ASP.NET Core utilities for key derivation.",
- "packOptions": {
- "repository": {
- "type": "git",
- "url": "git://github.com/aspnet/dataprotection"
- },
- "tags": [
- "aspnetcore",
- "dataprotection"
- ]
- },
- "dependencies": {
- "Microsoft.AspNetCore.Cryptography.Internal": {
- "target": "project"
- },
- "NETStandard.Library": "1.6.2-*"
- },
- "frameworks": {
- "net451": {},
- "netstandard1.3": {}
- },
- "buildOptions": {
- "allowUnsafe": true,
- "warningsAsErrors": true,
- "keyFile": "../../tools/Key.snk",
- "nowarn": [
- "CS1591"
- ],
- "xmlDoc": true
- }
-}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
new file mode 100644
index 0000000000..d6ffd13cda
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
@@ -0,0 +1,28 @@
+
+
+
+
+
+ ASP.NET Core data protection abstractions.
+Commonly used types:
+Microsoft.AspNetCore.DataProtection.IDataProtectionProvider
+Microsoft.AspNetCore.DataProtection.IDataProtector
+ net451;netstandard1.3
+ $(NoWarn);CS1591
+ true
+ aspnetcore;dataprotection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj
deleted file mode 100644
index d9b66793bf..0000000000
--- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.xproj
+++ /dev/null
@@ -1,17 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 4b115bde-b253-46a6-97bf-a8b37b344ff2 - .\obj - .\bin\ - - - 2.0 - - - \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs index 78e1538ee5..838462a81d 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs @@ -1,14 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System.Reflection; -using System.Resources; using System.Runtime.CompilerServices; // for unit testing [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Abstractions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json deleted file mode 100644 index 0544786388..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/project.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "version": "1.2.0-*", - "description": "ASP.NET Core data protection abstractions.\r\nCommonly used types:\r\nMicrosoft.AspNetCore.DataProtection.IDataProtectionProvider\r\nMicrosoft.AspNetCore.DataProtection.IDataProtector", - "packOptions": { - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "tags": [ - "aspnetcore", - "dataprotection" - ] - }, - "dependencies": { - "Microsoft.Extensions.WebEncoders.Sources": { - "type": "build", - "version": "1.2.0-*" - }, - "NETStandard.Library": "1.6.2-*" - }, - "frameworks": { - "net451": {}, - "netstandard1.3": { - "dependencies": { - "System.ComponentModel": "4.4.0-*" - } - } - }, - "buildOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "nowarn": [ - "CS1591" - ], - "xmlDoc": true, - "compile": "../../shared/*.cs" - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj new file mode 100644 index 0000000000..036e0eb921 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -0,0 +1,21 @@ + + + + + + Microsoft Azure Blob storrage support as key store. + 1.1.0 + net451;netstandard1.5 + $(NoWarn);CS1591 + true + true + aspnetcore;dataprotection;azure;blob + $(PackageTargetFallback);portable-net45+win8+wp8+wpa81 + + + + + + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj deleted file mode 100644 index 1c10acb1a4..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.xproj +++ /dev/null 
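Review bot: The description text in the new AzureStorage csproj reads "Microsoft Azure Blob storrage support as key store."; "storrage" is a typo carried over from the deleted project.json, and the Redis csproj added later in this commit has the same one ("Redis storrage support as key store."). This string presumably becomes the published package description, so both should be corrected: `Microsoft Azure Blob storage support as key store.` and `Redis storage support as key store.`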
@@ -1,18 +0,0 @@ - - - - 14.0.25420 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - cc799b57-81e2-4f45-8a32-0d5f49753c3f - Microsoft.AspNetCore.DataProtection.AzureStorage - .\obj - .\bin\ - - - 2.0 - - - \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Properties/AssemblyInfo.cs deleted file mode 100644 index 8c1d02d738..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Properties/AssemblyInfo.cs +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System.Reflection; -using System.Resources; -using System.Runtime.CompilerServices; - -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json deleted file mode 100644 index 7c9ebeefa8..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/project.json +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- "version": "1.1.0-*",
- "description": "Microsoft Azure Blob storrage support as key store.",
- "packOptions": {
- "repository": {
- "type": "git",
- "url": "git://github.com/aspnet/dataprotection"
- },
- "tags": [
- "aspnetcore",
- "dataprotection",
- "azure",
- "blob"
- ]
- },
- "dependencies": {
- "Microsoft.AspNetCore.DataProtection": {
- "target": "project"
- },
- "NETStandard.Library": "1.6.2-*",
- "WindowsAzure.Storage": "7.2.1"
- },
- "frameworks": {
- "net451": {},
- "netstandard1.5": {
- "imports": "portable-net45+win8+wp8+wpa81"
- }
- },
- "buildOptions": {
- "allowUnsafe": true,
- "warningsAsErrors": true,
- "keyFile": "../../tools/Key.snk",
- "nowarn": [
- "CS1591"
- ],
- "xmlDoc": true
- }
-}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
new file mode 100644
index 0000000000..3f2518f667
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
@@ -0,0 +1,22 @@
+
+
+
+
+
+ Additional APIs for ASP.NET Core data protection.
+ net451;netstandard1.3
+ $(NoWarn);CS1591
+ true
+ aspnetcore;dataprotection
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj
deleted file mode 100644
index 3db92cd84b..0000000000
--- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.xproj
+++ /dev/null
@@ -1,17 +0,0 @@
-
-
-
- 14.0
- $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)
-
-
-
- bf8681db-c28b-441f-bd92-0dcfe9537a9f
- .\obj
- .\bin\
-
-
- 2.0
-
-
-
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs index 88c1dd9455..022a5a3e6c 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs @@ -1,13 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System.Reflection; -using System.Resources; using System.Runtime.CompilerServices; [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json deleted file mode 100644 index a8117e8488..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/project.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "version": "1.2.0-*", - "description": "Additional APIs for ASP.NET Core data protection.", - "packOptions": { - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "tags": [ - "aspnetcore", - "dataprotection" - ] - }, - "dependencies": { - "Microsoft.AspNetCore.DataProtection": { - "target": "project" - }, - "Microsoft.Extensions.DependencyInjection": "1.2.0-*", - "NETStandard.Library": "1.6.2-*" - }, - "frameworks": { - "net451": {}, - "netstandard1.3": {} - }, - "buildOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "nowarn": [ - "CS1591" - ], - "xmlDoc": true, - "compile": "../../shared/*.cs" - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj new file mode 100644 index 0000000000..014574aaac --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -0,0 +1,20 @@ + + + + + + Redis storrage support as key store. + 0.1.0 + net451;netstandard1.5 + $(NoWarn);CS1591 + true + true + aspnetcore;dataprotection;redis + + + + + + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj deleted file mode 100644 index ed52548f61..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.xproj +++ /dev/null @@ -1,19 +0,0 @@ - - - - 14.0.25420 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 0508adb0-9d2e-4506-9aa3-c15d7beae7c9 - Microsoft.AspNetCore.DataProtection.Redis - .\obj - .\bin\ - - - - 2.0 - - - \ No newline at end of file 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs deleted file mode 100644 index e3ae91c58b..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Properties/AssemblyInfo.cs +++ /dev/null @@ -1,11 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System.Reflection; -using System.Resources; - -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json b/src/Microsoft.AspNetCore.DataProtection.Redis/project.json deleted file mode 100644 index 1d7e83b6b4..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/project.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "version": "0.1.0-*", - "description": "Redis storrage support as key store.", - "packOptions": { - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "tags": [ - "aspnetcore", - "dataprotection", - "redis" - ] - }, - "dependencies": { - "Microsoft.AspNetCore.DataProtection": { - "target": "project" - }, - "NETStandard.Library": "1.6.2-*", - "StackExchange.Redis.StrongName": "1.1.605" - }, - "frameworks": { - "net451": {}, - "netstandard1.5": {} - }, - "buildOptions": { - "allowUnsafe": true, - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "nowarn": [ - "CS1591" - ], - "xmlDoc": true - } -} \ No newline at end of file 
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj new file mode 100644 index 0000000000..b4878113a6 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj @@ -0,0 +1,25 @@ + + + + + + A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x <machineKey> element. + net451 + $(NoWarn);CS1591 + true + aspnet;aspnetcore;dataprotection + + + + + + + + + + + + + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj deleted file mode 100644 index cbfe0341c9..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.xproj +++ /dev/null @@ -1,17 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - e3552deb-4173-43ae-bf69-3c10dff3bab6 - .\obj - .\bin\ - - - 2.0 - - - \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs deleted file mode 100644 index e3ae91c58b..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/AssemblyInfo.cs +++ /dev/null 
@@ -1,11 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System.Reflection; -using System.Resources; - -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json deleted file mode 100644 index 070199a49c..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/project.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "version": "1.2.0-*", - "description": "A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x element.", - "packOptions": { - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "tags": [ - "aspnet", - "aspnetcore", - "dataprotection" - ], - "files": { - "mappings": { - "content/net451/": "web.config.transform" - } - } - }, - "frameworks": { - "net451": { - "dependencies": { - "Microsoft.AspNetCore.DataProtection": "1.2.0-*", - "Microsoft.Extensions.DependencyInjection": "1.2.0-*" - }, - "frameworkAssemblies": { - "System.Configuration": "4.0.0.0", - "System.Security": "4.0.0.0", - "System.Web": "4.0.0.0" - } - } - }, - "buildOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "nowarn": [ - "CS1591" - ], - "xmlDoc": true - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj new file mode 100644 index 0000000000..c21bff2ba1 --- /dev/null 
+++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -0,0 +1,39 @@ + + + + + + ASP.NET Core logic to protect and unprotect data, similar to DPAPI. + net451;netstandard1.3 + $(NoWarn);CS1591 + true + true + aspnetcore;dataprotection + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj deleted file mode 100644 index 462d2323b6..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.xproj +++ /dev/null @@ -1,17 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 1e570cd4-6f12-44f4-961e-005ee2002bc2 - .\obj - .\bin\ - - - 2.0 - - - \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs index 6bb7a99e85..7816360b8b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs 
@@ -1,15 +1,8 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System.Reflection; -using System.Resources; using System.Runtime.CompilerServices; // for unit testing [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] -[assembly: AssemblyMetadata("Serviceable", "True")] -[assembly: NeutralResourcesLanguage("en-US")] -[assembly: AssemblyCompany("Microsoft Corporation.")] -[assembly: AssemblyCopyright("© Microsoft Corporation. All rights reserved.")] -[assembly: AssemblyProduct("Microsoft ASP.NET Core")] diff --git a/src/Microsoft.AspNetCore.DataProtection/project.json b/src/Microsoft.AspNetCore.DataProtection/project.json deleted file mode 100644 index ce3c0da220..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/project.json +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - "version": "1.2.0-*", - "description": "ASP.NET Core logic to protect and unprotect data, similar to DPAPI.", - "packOptions": { - "repository": { - "type": "git", - "url": "git://github.com/aspnet/dataprotection" - }, - "tags": [ - "aspnetcore", - "dataprotection" - ] - }, - "dependencies": { - "Microsoft.AspNetCore.Cryptography.Internal": { - "target": "project" - }, - "Microsoft.AspNetCore.DataProtection.Abstractions": { - "target": "project" - }, - "Microsoft.AspNetCore.Hosting.Abstractions": "1.2.0-*", - "Microsoft.Extensions.DependencyInjection.Abstractions": "1.2.0-*", - "Microsoft.Extensions.Logging.Abstractions": "1.2.0-*", - "Microsoft.Extensions.Options": "1.2.0-*", - "NETStandard.Library": "1.6.2-*" - }, - "frameworks": { - "net451": { - "frameworkAssemblies": { - "System.Runtime": { - "type": "build" - }, - "System.Security": "", - "System.Xml": "", - "System.Xml.Linq": "" - } - }, - "netstandard1.3": { - "dependencies": { - "Microsoft.Win32.Registry": "4.4.0-*", - "System.Security.Claims": "4.4.0-*", - "System.Security.Principal.Windows": "4.4.0-*" - } - } - }, - "buildOptions": { - "allowUnsafe": true, - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "nowarn": [ - "CS1591" - ], - "xmlDoc": true, - "compile": "../../shared/*.cs" - } -} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj new file mode 100644 index 0000000000..01da4eff40 --- /dev/null +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -0,0 +1,24 @@ + + + + + + netcoreapp1.1 + $(TargetFrameworks);net451 + true + $(PackageTargetFallback);dnxcore50;portable-net451+win8 + + + + + + + + + + + + + + + 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj deleted file mode 100644 index 2cef9ca48f..0000000000 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.xproj +++ /dev/null @@ -1,20 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 37053d5f-5b61-47ce-8b72-298ce007ffb0 - .\obj - .\bin\ - - - 2.0 - - - - - - \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs index 36cdb8d8aa..3adbc7af4e 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs @@ -1,7 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Runtime.CompilerServices; // for unit testing diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json deleted file mode 100644 index 7aebe7cd35..0000000000 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/project.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "dependencies": { - "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", - "Microsoft.AspNetCore.Testing": "1.2.0-*", - "xunit": "2.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - } - }, - "imports": [ - "dnxcore50", - "portable-net451+win8" - ] - }, - "net451": { - "frameworkAssemblies": { - "System.Runtime": "", - "System.Threading.Tasks": "" - } - } - }, - "testRunner": "xunit", - "buildOptions": { - "allowUnsafe": true, - "keyFile": "../../tools/Key.snk", - "warningsAsErrors": true, - "compile": "../shared/*.cs" - } -} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj new file mode 100644 index 0000000000..4a169c7d2e --- /dev/null +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -0,0 +1,24 @@ + + + + + + netcoreapp1.1 + $(TargetFrameworks);net451 + true + + + + + + + + + + + + + + + + diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj deleted file mode 100644 index 4dc21f6e52..0000000000 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.xproj +++ /dev/null @@ -1,20 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 42c97f52-8d56-46bd-a712-4f22bed157a7 - .\obj - .\bin\ - - - 2.0 - - - - - - \ No newline at end of file 
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs index 36cdb8d8aa..3adbc7af4e 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs @@ -1,7 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Runtime.CompilerServices; // for unit testing diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json deleted file mode 100644 index f9fe27a02d..0000000000 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/project.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "dependencies": { - "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", - "Microsoft.AspNetCore.Cryptography.KeyDerivation": "1.2.0-*", - "Microsoft.AspNetCore.Testing": "1.2.0-*", - "xunit": "2.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - } - } - }, - "net451": {} - }, - "testRunner": "xunit", - "buildOptions": { - "allowUnsafe": true, - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "compile": "../shared/*.cs" - } -} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj new file mode 100644 index 0000000000..3cff630330 --- /dev/null 
+++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -0,0 +1,24 @@ + + + + + + netcoreapp1.1 + $(TargetFrameworks);net451 + + + + + + + + + + + + + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj deleted file mode 100644 index d3ab9d6ae6..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.xproj +++ /dev/null @@ -1,20 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - ff650a69-dee4-4b36-9e30-264ee7cfb478 - .\obj - .\bin\ - - - 2.0 - - - - - - \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json deleted file mode 100644 index f247b4454f..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/project.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "dependencies": { - "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.Cryptography.Internal": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.2.0-*", - "Microsoft.AspNetCore.Testing": "1.2.0-*", - "Moq": "4.6.36-*", - "xunit": "2.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - }, - "System.Diagnostics.TraceSource": "4.4.0-*" - } - }, - "net451": {} - }, - "testRunner": "xunit", - "buildOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "compile": { - "include": "../common/**/*.cs" - } - } -} \ No newline at end of file 
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj new file mode 100644 index 0000000000..4b2a09e3b5 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -0,0 +1,23 @@ + + + + + + netcoreapp1.1 + $(TargetFrameworks);net451 + true + $(PackageTargetFallback);dnxcore50;portable-net451+win8 + + + + + + + + + + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj deleted file mode 100644 index 0de3804484..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.xproj +++ /dev/null @@ -1,21 +0,0 @@ - - - - 14.0.25420 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 8c41240e-48f8-402f-9388-74cfe27f4d76 - Microsoft.AspNetCore.DataProtection.AzureStorage.Test - .\obj - .\bin\ - - - 2.0 - - - - - - \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json deleted file mode 100644 index df9054164d..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/project.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "dependencies": { - "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.AzureStorage": "1.0.0-*", - "Microsoft.AspNetCore.Testing": "1.2.0-*", - "Microsoft.Extensions.DependencyInjection": "1.2.0-*", - "Moq": "4.6.36-*", - "xunit": "2.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - }, - "System.Diagnostics.TraceSource": "4.4.0-*" - }, - "imports": [ - "dnxcore50", - "portable-net451+win8" - ] - }, - "net451": { - "frameworkAssemblies": { - "System.Threading.Tasks": "" - } - } - }, - "testRunner": "xunit", - "buildOptions": { - "allowUnsafe": true, - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk" - } -} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj new file mode 100644 index 0000000000..5ddeeb8c10 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -0,0 +1,24 @@ + + + + + + netcoreapp1.1 + $(TargetFrameworks);net451 + + + + + + + + + + + + + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj deleted file mode 100644 index e3f8006626..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.xproj +++ /dev/null 
@@ -1,20 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 04aa8e60-a053-4d50-89fe-e76c3df45200 - .\obj - .\bin\ - - - 2.0 - - - - - - \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json deleted file mode 100644 index 77054cc9b0..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/project.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "dependencies": { - "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.Extensions": "1.2.0-*", - "Microsoft.AspNetCore.Testing": "1.2.0-*", - "Moq": "4.6.36-*", - "xunit": "2.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - }, - "System.Diagnostics.TraceSource": "4.4.0-*" - } - }, - "net451": {} - }, - "testRunner": "xunit", - "buildOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "compile": "../shared/*.cs" - } -} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj new file mode 100644 index 0000000000..a7c9b2e1ba --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -0,0 +1,24 @@ + + + + + + netcoreapp1.1 + $(TargetFrameworks);net451 + + + + + + + + + + + + + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj deleted file mode 100644 index 723cb30927..0000000000 
--- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.xproj +++ /dev/null @@ -1,21 +0,0 @@ - - - - 14.0.25420 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - abcf00e5-5b2f-469c-90dc-908c5a04c08d - Microsoft.AspNetCore.DataProtection.Redis.Test - .\obj - .\bin\ - - - 2.0 - - - - - - \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json deleted file mode 100644 index 301bcb1146..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/project.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "dependencies": { - "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection.Abstractions": "1.2.0-*", - "Microsoft.AspNetCore.DataProtection.Redis": "0.1.0-*", - "Microsoft.AspNetCore.Testing": "1.2.0-*", - "Moq": "4.6.36-*", - "xunit": "2.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - } - } - }, - "net451": {} - }, - "testRunner": "xunit", - "buildOptions": { - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "compile": { - "include": "../common/**/*.cs" - } - } -} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj new file mode 100644 index 0000000000..9661b30562 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -0,0 +1,29 @@ + + + + + + netcoreapp1.1 + $(TargetFrameworks);net451 + true + + + + + + + + + + + + + + + + + + + + + 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj deleted file mode 100644 index 4673904cc3..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.xproj +++ /dev/null @@ -1,20 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 7a637185-2ba1-437d-9d4c-7cc4f94cf7bf - .\obj - .\bin\ - - - 2.0 - - - - - - \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs index 36cdb8d8aa..3adbc7af4e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs @@ -1,7 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Runtime.CompilerServices; // for unit testing diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/project.json b/test/Microsoft.AspNetCore.DataProtection.Test/project.json deleted file mode 100644 index d912776c79..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Test/project.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "dependencies": { - "dotnet-test-xunit": "2.2.0-*", - "Microsoft.AspNetCore.DataProtection": "1.2.0-*", - "Microsoft.AspNetCore.Testing": "1.2.0-*", - "Microsoft.Extensions.DependencyInjection": "1.2.0-*", - "Moq": "4.6.36-*", - "xunit": "2.2.0-*" - }, - "frameworks": { - "netcoreapp1.1": { - "dependencies": { - "Microsoft.NETCore.App": { - "version": "1.2.0-*", - "type": "platform" - }, - "System.Diagnostics.TraceSource": "4.4.0-*" - } - }, - "net451": {} - }, - "testRunner": "xunit", - "buildOptions": { - "allowUnsafe": true, - "warningsAsErrors": true, - "keyFile": "../../tools/Key.snk", - "compile": "../shared/*.cs" - } -} \ No newline at end of file diff --git a/test/shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj b/test/shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj deleted file mode 100644 index 3ba41bf1fd..0000000000 --- a/test/shared/Microsoft.AspNetCore.DataProtection.Test.Shared.xproj +++ /dev/null @@ -1,17 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 4f14ba2a-4f04-4676-8586-ec380977ee2e - .\obj - .\bin\ - - - 2.0 - - - \ No newline at end of file diff --git a/version.props b/version.props new file mode 100644 index 0000000000..17fd5ac36d --- /dev/null +++ b/version.props @@ -0,0 +1,7 @@ + + + + 1.2.0 + preview1 + + From ab33b6afe88a5a6304fd408ea7d4d60f811d003a Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Wed, 1 Feb 2017 12:35:44 -0800 Subject: [PATCH 310/493] Remove usage of conditional multi-targeting --- .../Microsoft.AspNetCore.Cryptography.Internal.Test.csproj | 3 +-- ...Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj | 3 +-- ...icrosoft.AspNetCore.DataProtection.Abstractions.Test.csproj | 3 +-- ...icrosoft.AspNetCore.DataProtection.AzureStorage.Test.csproj | 3 +-- .../Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj | 3 +-- .../Microsoft.AspNetCore.DataProtection.Redis.Test.csproj | 3 +-- .../Microsoft.AspNetCore.DataProtection.Test.csproj | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 01da4eff40..05e13e991d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -3,8 +3,7 @@ - netcoreapp1.1 - $(TargetFrameworks);net451 + netcoreapp1.1;net451 true $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index 4a169c7d2e..d43901eb99 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -3,8 +3,7 @@ - netcoreapp1.1 - $(TargetFrameworks);net451 + netcoreapp1.1;net451 true 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 3cff630330..ccb6326b1d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -3,8 +3,7 @@ - netcoreapp1.1 - $(TargetFrameworks);net451 + netcoreapp1.1;net451 diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 4b2a09e3b5..cafc221a82 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -3,8 +3,7 @@ - netcoreapp1.1 - $(TargetFrameworks);net451 + netcoreapp1.1;net451 true $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 5ddeeb8c10..efd2111af2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -3,8 +3,7 @@ - netcoreapp1.1 - $(TargetFrameworks);net451 + netcoreapp1.1;net451 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index a7c9b2e1ba..e3e2a90f65 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -3,8 +3,7 @@ - netcoreapp1.1 - $(TargetFrameworks);net451 + netcoreapp1.1;net451 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 9661b30562..3f92395e48 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -3,8 +3,7 @@ - netcoreapp1.1 - $(TargetFrameworks);net451 + netcoreapp1.1;net451 true From a2a3d3585249fc88f871c4baa5427093549fae99 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Tue, 14 Feb 2017 09:05:16 -0800 Subject: [PATCH 311/493] Bump test projects up to .NET 4.5.2 - aspnet/Testing#248 - xUnit no longer supports .NET 4.5.1 - build tests for desktop .NET only on Windows --- .../Microsoft.AspNetCore.Cryptography.Internal.Test.csproj | 3 ++- ...crosoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj | 3 ++- ...rosoft.AspNetCore.DataProtection.Abstractions.Test.csproj | 3 ++- ...rosoft.AspNetCore.DataProtection.AzureStorage.Test.csproj | 3 ++- ...icrosoft.AspNetCore.DataProtection.Extensions.Test.csproj | 3 ++- .../Microsoft.AspNetCore.DataProtection.Redis.Test.csproj | 3 ++- .../AnonymousImpersonation.cs | 2 +- .../Microsoft.AspNetCore.DataProtection.Test.csproj | 5 +++-- 8 files changed, 16 insertions(+), 9 deletions(-) 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 05e13e991d..832db33230 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -3,7 +3,8 @@ - netcoreapp1.1;net451 + netcoreapp1.1;net452 + netcoreapp1.1 true $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index d43901eb99..041fc58a66 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -3,7 +3,8 @@ - netcoreapp1.1;net451 + netcoreapp1.1;net452 + netcoreapp1.1 true diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index ccb6326b1d..6ecaf250d8 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -3,7 +3,8 @@ - netcoreapp1.1;net451 + netcoreapp1.1;net452 + netcoreapp1.1 
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index cafc221a82..ddb87f8ec0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -3,7 +3,8 @@ - netcoreapp1.1;net451 + netcoreapp1.1;net452 + netcoreapp1.1 true $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index efd2111af2..5c62910ca1 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -3,7 +3,8 @@ - netcoreapp1.1;net451 + netcoreapp1.1;net452 + netcoreapp1.1 diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index e3e2a90f65..e1c3d0cb86 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -3,7 +3,8 @@ - netcoreapp1.1;net451 + netcoreapp1.1;net452 + netcoreapp1.1 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index f9b4ddde0e..8d1accf55b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET451 +#if NET452 using System; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 3f92395e48..a8bcd60fbc 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -3,7 +3,8 @@ - netcoreapp1.1;net451 + netcoreapp1.1;net452 + netcoreapp1.1 true @@ -21,7 +22,7 @@ - + From 89a63f58858bed4283dc2cc85301e9d18ebc3684 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 14 Feb 2017 16:03:54 -0800 Subject: [PATCH 312/493] Downgrade to stable packages --- build/common.props | 3 +-- build/dependencies.props | 6 ++++++ .../Microsoft.AspNetCore.DataProtection.Abstractions.csproj | 2 +- .../Microsoft.AspNetCore.DataProtection.csproj | 6 +++--- 4 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 build/dependencies.props diff --git a/build/common.props b/build/common.props index a9484f642b..4a81c8df7c 100644 --- a/build/common.props +++ b/build/common.props @@ -1,4 +1,5 @@ + @@ -8,8 +9,6 @@ $(MSBuildThisFileDirectory)Key.snk true true - 1.2.0-* - 1.6.2-* $(VersionSuffix)-$(BuildNumber) 
diff --git a/build/dependencies.props b/build/dependencies.props new file mode 100644 index 0000000000..e704edaec0 --- /dev/null +++ b/build/dependencies.props @@ -0,0 +1,6 @@ + + + 1.6.1 + 4.3.0 + + diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj index d6ffd13cda..b3ce474d7b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj @@ -22,7 +22,7 @@ Microsoft.AspNetCore.DataProtection.IDataProtector - + diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index c21bff2ba1..20b56f57aa 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -31,9 +31,9 @@ - - - + + + From 55a7f9d8c9dce0ef1c42f7e691fde75d4b21568f Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 1 Mar 2017 18:14:13 -0800 Subject: [PATCH 313/493] Change korebuild branch and fix argument forwarding in bootstrapper --- build.ps1 | 16 ++++++++-------- build.sh | 22 +++++++++++----------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build.ps1 b/build.ps1 index 0605b59c01..5bf0e2c113 100644 --- a/build.ps1 +++ b/build.ps1 @@ -1,6 +1,6 @@ $ErrorActionPreference = "Stop" -function DownloadWithRetry([string] $url, [string] $downloadLocation, [int] $retries) +function DownloadWithRetry([string] $url, [string] $downloadLocation, [int] $retries) { while($true) { 
@@ -19,7 +19,7 @@ function DownloadWithRetry([string] $url, [string] $downloadLocation, [int] $ret Start-Sleep -Seconds 10 } - else + else { $exception = $_.Exception throw $exception @@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/feature/msbuild.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP @@ -43,18 +43,18 @@ $buildFolder = ".build" $buildFile="$buildFolder\KoreBuild.ps1" if (!(Test-Path $buildFolder)) { - Write-Host "Downloading KoreBuild from $koreBuildZip" - + Write-Host "Downloading KoreBuild from $koreBuildZip" + $tempFolder=$env:TEMP + "\KoreBuild-" + [guid]::NewGuid() New-Item -Path "$tempFolder" -Type directory | Out-Null $localZipFile="$tempFolder\korebuild.zip" - + DownloadWithRetry -url $koreBuildZip -downloadLocation $localZipFile -retries 6 Add-Type -AssemblyName System.IO.Compression.FileSystem [System.IO.Compression.ZipFile]::ExtractToDirectory($localZipFile, $tempFolder) - + New-Item -Path "$buildFolder" -Type directory | Out-Null copy-item "$tempFolder\**\build\*" $buildFolder -Recurse @@ -64,4 +64,4 @@ if (!(Test-Path $buildFolder)) { } } -&"$buildFile" $args \ No newline at end of file +&"$buildFile" @args diff --git a/build.sh b/build.sh index 07997d6c83..b0bcadb579 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/feature/msbuild.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi 
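Review bot: The new `$koreBuildZip` default in the `@@ -33,7 +33,7 @@` hunk points at the `dev` branch archive, which is a mutable ref, and the script then extracts it and invokes `KoreBuild.ps1` from it with no integrity check; the `koreBuildZip` line in the build.sh `@@ -2,7 +2,7 @@` hunk has the same problem. Anyone who can move that branch, or set `KOREBUILD_ZIP` in the build environment, controls what code the build runs. Consider pinning the URL to a tag or commit archive and comparing the download against a recorded SHA-256 before extraction, for example with `Get-FileHash -Algorithm SHA256 $localZipFile` here and `sha256sum "$localZipFile"` in build.sh. If the `KOREBUILD_ZIP` override has to stay, a comment next to it should say it is a trusted-input-only switch.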
@@ -12,12 +12,12 @@ buildFile="$buildFolder/KoreBuild.sh" if test ! -d $buildFolder; then echo "Downloading KoreBuild from $koreBuildZip" - - tempFolder="/tmp/KoreBuild-$(uuidgen)" + + tempFolder="/tmp/KoreBuild-$(uuidgen)" mkdir $tempFolder - + localZipFile="$tempFolder/korebuild.zip" - + retries=6 until (wget -O $localZipFile $koreBuildZip 2>/dev/null || curl -o $localZipFile --location $koreBuildZip 2>/dev/null) do @@ -29,18 +29,18 @@ if test ! -d $buildFolder; then echo "Waiting 10 seconds before retrying. Retries left: $retries" sleep 10s done - + unzip -q -d $tempFolder $localZipFile - + mkdir $buildFolder cp -r $tempFolder/**/build/** $buildFolder - + chmod +x $buildFile - + # Cleanup if test -d $tempFolder; then - rm -rf $tempFolder + rm -rf $tempFolder fi fi -$buildFile -r $repoFolder "$@" \ No newline at end of file +$buildFile -r $repoFolder "$@" From 7f82c7030adf65d062650b7e84110c6cd434658b Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 1 Mar 2017 18:25:39 -0800 Subject: [PATCH 314/493] Update AppVeyor and Travis settings --- .travis.yml | 2 +- appveyor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index fba25ae65a..eb60f8b9e5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -29,7 +29,7 @@ branches: before_install: - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/; fi script: - - ./build.sh --quiet verify + - ./build.sh notifications: webhooks: secure: "QLltxzNQ+TUgMurX3FuWB37LVsRx6kZBTXk4JG/BELqO5/Xuwzf8ChElW29d4AbwOeYv5ONYyrvdnLtel8MJCMs8rCxZ2kZZtmUtGdUpPeMavmrvDYQeNqHhFYpLu+bEjxuilGoVI2qonI29S3Q9fC+grXsktGPwPmhyulHbwkk=" diff --git a/appveyor.yml b/appveyor.yml index df67923781..3f828ce38e 100644 --- a/appveyor.yml +++ b/appveyor.yml 
@@ -7,7 +7,7 @@ branches: - dev - /^(.*\/)?ci-.*$/ build_script: - - build.cmd verify + - ps: .\build.ps1 clone_depth: 1 test: off deploy: off From def3524f467d1cc8531434ca28f540e38127677a Mon Sep 17 00:00:00 2001 From: David Fowler Date: Wed, 8 Mar 2017 20:49:59 -0800 Subject: [PATCH 315/493] Update .travis.yml --- .travis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index eb60f8b9e5..f05bb297d0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,8 +14,7 @@ env: global: - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true - DOTNET_CLI_TELEMETRY_OPTOUT: 1 -mono: - - 4.0.5 +mono: none os: - linux - osx From bf7a238b85bd51d8cae7ecfa3ea4c05087678858 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 14 Mar 2017 13:39:54 -0700 Subject: [PATCH 316/493] Update appveyor and travis settings --- .travis.yml | 1 - appveyor.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index f05bb297d0..e397d6edf4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,7 +18,6 @@ mono: none os: - linux - osx -osx_image: xcode7.3 branches: only: - master diff --git a/appveyor.yml b/appveyor.yml index 3f828ce38e..1041615c68 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -11,4 +11,4 @@ build_script: clone_depth: 1 test: off deploy: off -os: Visual Studio 2017 RC +os: Visual Studio 2017 From cde3b96aa7d1e51414ab02dc2c8f22649b595da3 Mon Sep 17 00:00:00 2001 
From: Ajay Bhargav Baaskaran Date: Tue, 9 Aug 2016 11:10:42 -0700 Subject: [PATCH 317/493] [Fixes #134] Refactored DI support - Refactored builder extensions and service collection extensions - Refactored Settings/Configuration/Descriptor - Removed ConfigurationCommon/AuthenticatedEncryptorConfigurationExtensions - Added IAuthenticatedEncryptorFactory and implementations - Refactored IKey to have Descriptor instead of CreateEncryptorInstance() - Handled Repository/Encryptor special logic - Added samples - Updated tests --- .gitignore | 3 +- DataProtection.sln | 99 +++++--- samples/AzureBlob/Program.cs | 5 +- .../CustomBuilderExtensions.cs | 31 +++ .../CustomEncryptorSample.csproj | 18 ++ .../CustomXmlDecryptor.cs | 32 +++ .../CustomXmlEncryptor.cs | 38 +++ samples/CustomEncryptorSample/Program.cs | 38 +++ .../Properties/launchSettings.json | 22 ++ .../KeyManagementSample.csproj | 16 ++ samples/KeyManagementSample/Program.cs | 64 +++++ .../Properties/launchSettings.json | 22 ++ samples/NonDISample/NonDISample.csproj | 16 ++ samples/NonDISample/Program.cs | 41 +++ .../Properties/launchSettings.json | 22 ++ samples/Redis/Program.cs | 5 +- ...gs.cs => AuthenticatedEncryptorFactory.cs} | 133 ++++------ .../CngCbcAuthenticatedEncryptionSettings.cs | 184 -------------- .../CngCbcAuthenticatedEncryptorFactory.cs | 124 ++++++++++ .../CngGcmAuthenticatedEncryptionSettings.cs | 125 ---------- .../CngGcmAuthenticatedEncryptorFactory.cs | 89 +++++++ ...iguration.cs => AlgorithmConfiguration.cs} | 11 +- .../AuthenticatedEncryptorConfiguration.cs | 59 +++-- .../AuthenticatedEncryptorDescriptor.cs | 31 +-- ...nticatedEncryptorDescriptorDeserializer.cs | 22 +- ...gCbcAuthenticatedEncryptorConfiguration.cs | 101 ++++++-- .../CngCbcAuthenticatedEncryptorDescriptor.cs | 40 +-- ...nticatedEncryptorDescriptorDeserializer.cs | 26 +- ...gGcmAuthenticatedEncryptorConfiguration.cs | 77 ++++-- .../CngGcmAuthenticatedEncryptorDescriptor.cs | 33 +-- 
...nticatedEncryptorDescriptorDeserializer.cs | 21 +- .../ConfigurationModel/ConfigurationCommon.cs | 20 -- .../IAuthenticatedEncryptorDescriptor.cs | 11 - ....cs => IInternalAlgorithmConfiguration.cs} | 23 +- ...agedAuthenticatedEncryptorConfiguration.cs | 100 ++++++-- ...ManagedAuthenticatedEncryptorDescriptor.cs | 32 +-- ...nticatedEncryptorDescriptorDeserializer.cs | 22 +- .../EncryptionAlgorithm.cs | 2 - .../IAuthenticatedEncryptorFactory.cs | 22 ++ ...InternalAuthenticatedEncryptionSettings.cs | 25 -- .../ManagedAuthenticatedEncryptionSettings.cs | 166 ------------- .../ManagedAuthenticatedEncryptorFactory.cs | 130 ++++++++++ .../DataProtectionBuilderExtensions.cs | 175 ++++++++----- .../DataProtectionProviderFactory.cs | 71 +----- ...taProtectionServiceCollectionExtensions.cs | 51 +++- .../DataProtectionServiceDescriptors.cs | 136 ---------- .../DataProtectionServices.cs | 156 ------------ .../EphemeralDataProtectionProvider.cs | 53 ++-- .../Error.cs | 10 +- .../IDataProtectionBuilder.cs | 8 +- .../Internal/DataProtectionBuilder.cs | 11 - .../Internal/DataProtectionOptionsSetup.cs | 23 ++ .../Internal/KeyManagementOptionsSetup.cs | 66 +++++ .../KeyManagement/DefaultKeyResolver.cs | 38 ++- .../KeyManagement/DeferredKey.cs | 7 +- .../KeyManagement/IKey.cs | 7 +- .../Internal/CacheableKeyRing.cs | 5 +- .../Internal/DefaultKeyResolution.cs | 6 +- .../KeyManagement/Key.cs | 2 +- .../KeyManagement/KeyBase.cs | 14 +- .../KeyManagement/KeyManagementOptions.cs | 49 +++- .../KeyManagement/KeyRing.cs | 21 +- .../KeyRingBasedDataProtectionProvider.cs | 4 +- .../KeyRingBasedDataProtector.cs | 6 +- .../KeyManagement/KeyRingProvider.cs | 66 +++-- .../KeyManagement/XmlKeyManager.cs | 225 +++++++++++------ .../Properties/Resources.Designer.cs | 16 ++ .../RC1ForwardingActivator.cs | 6 +- .../RegistryPolicy.cs | 28 +++ .../RegistryPolicyResolver.cs | 87 +++---- .../Repositories/EphemeralXmlRepository.cs | 6 +- .../Repositories/FileSystemXmlRepository.cs | 31 +-- 
.../Repositories/RegistryXmlRepository.cs | 38 +-- .../Resources.resx | 3 + .../StringInterpolation.cs | 43 ---- .../XmlEncryption/CertificateXmlEncryptor.cs | 48 +--- .../XmlEncryption/DpapiNGXmlEncryptor.cs | 25 +- .../XmlEncryption/DpapiXmlEncryptor.cs | 22 +- ...pNetCore.Cryptography.Internal.Test.csproj | 4 + ...ore.Cryptography.KeyDerivation.Test.csproj | 4 + ...re.DataProtection.Abstractions.Test.csproj | 4 + ...re.DataProtection.AzureStorage.Test.csproj | 4 + ...Core.DataProtection.Extensions.Test.csproj | 4 + .../TimeLimitedDataProtectorTests.cs | 3 +- ...spNetCore.DataProtection.Redis.Test.csproj | 4 + ...CngCbcAuthenticatedEncryptorFactoryTest.cs | 52 ++++ ...CngGcmAuthenticatedEncryptorFactoryTest.cs | 52 ++++ ...tedEncryptorDescriptorDeserializerTests.cs | 26 +- .../AuthenticatedEncryptorDescriptorTests.cs | 25 +- ...uthenticatedEncryptorConfigurationTests.cs | 6 +- ...tedEncryptorDescriptorDeserializerTests.cs | 26 +- ...bcAuthenticatedEncryptorDescriptorTests.cs | 4 +- ...uthenticatedEncryptorConfigurationTests.cs | 6 +- ...tedEncryptorDescriptorDeserializerTests.cs | 26 +- ...cmAuthenticatedEncryptorDescriptorTests.cs | 4 +- ...uthenticatedEncryptorConfigurationTests.cs | 6 +- ...tedEncryptorDescriptorDeserializerTests.cs | 40 ++- ...edAuthenticatedEncryptorDescriptorTests.cs | 8 +- ...anagedAuthenticatedEncryptorFactoryTest.cs | 50 ++++ .../EphemeralDataProtectionProviderTests.cs | 9 +- .../Internal/KeyManagementOptionsSetupTest.cs | 155 ++++++++++++ .../KeyManagement/DefaultKeyResolverTests.cs | 79 +++--- .../KeyManagement/DeferredKeyTests.cs | 46 ++-- ...KeyEscrowServiceProviderExtensionsTests.cs | 6 +- .../KeyRingBasedDataProtectorTests.cs | 69 ++++-- .../KeyManagement/KeyRingProviderTests.cs | 149 ++++++----- .../KeyManagement/KeyRingTests.cs | 75 ++++-- .../KeyManagement/KeyTests.cs | 23 +- .../KeyManagement/XmlKeyManagerTests.cs | 234 ++++++++++-------- ...soft.AspNetCore.DataProtection.Test.csproj | 4 + .../MockExtensions.cs | 6 +- 
.../RegistryPolicyResolverTests.cs | 209 +++++++++------- .../EphemeralXmlRepositoryTests.cs | 5 +- .../FileSystemXmlRepositoryTests.cs | 11 +- .../RegistryXmlRepositoryTests.cs | 11 +- .../StringLoggerFactory.cs | 2 +- .../XmlAssert.cs | 2 +- .../CertificateXmlEncryptionTests.cs | 8 +- .../DpapiNGXmlEncryptionTests.cs | 3 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 5 +- .../XmlEncryptionExtensionsTests.cs | 4 +- 121 files changed, 2952 insertions(+), 2185 deletions(-) create mode 100644 samples/CustomEncryptorSample/CustomBuilderExtensions.cs create mode 100644 samples/CustomEncryptorSample/CustomEncryptorSample.csproj create mode 100644 samples/CustomEncryptorSample/CustomXmlDecryptor.cs create mode 100644 samples/CustomEncryptorSample/CustomXmlEncryptor.cs create mode 100644 samples/CustomEncryptorSample/Program.cs create mode 100644 samples/CustomEncryptorSample/Properties/launchSettings.json create mode 100644 samples/KeyManagementSample/KeyManagementSample.csproj create mode 100644 samples/KeyManagementSample/Program.cs create mode 100644 samples/KeyManagementSample/Properties/launchSettings.json create mode 100644 samples/NonDISample/NonDISample.csproj create mode 100644 samples/NonDISample/Program.cs create mode 100644 samples/NonDISample/Properties/launchSettings.json rename src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/{AuthenticatedEncryptionSettings.cs => AuthenticatedEncryptorFactory.cs} (57%) delete mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionSettings.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs rename 
src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/{IAuthenticatedEncryptorConfiguration.cs => AlgorithmConfiguration.cs} (67%) delete mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs rename src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/{IInternalAuthenticatedEncryptorConfiguration.cs => IInternalAlgorithmConfiguration.cs} (50%) create mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionSettings.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionSettings.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs 
diff --git a/.gitignore b/.gitignore index 0fb89cd896..fd02261e5f 100644 --- a/.gitignore +++ b/.gitignore @@ -27,4 +27,5 @@ nuget.exe project.lock.json .vs .build/ -.testPublish/ \ No newline at end of file +.testPublish/ +samples/**/temp-keys/ \ No newline at end of file diff --git a/DataProtection.sln b/DataProtection.sln index bcc119cb7a..664c368960 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -1,51 +1,57 @@ Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 15 -VisualStudioVersion = 15.0.26127.0 +VisualStudioVersion = 15.0.26206.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection", "src\Microsoft.AspNetCore.DataProtection\Microsoft.AspNetCore.DataProtection.csproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" -EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Test", "test\Microsoft.AspNetCore.DataProtection.Test\Microsoft.AspNetCore.DataProtection.Test.csproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.Internal", "src\Microsoft.AspNetCore.Cryptography.Internal\Microsoft.AspNetCore.Cryptography.Internal.csproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation", "src\Microsoft.AspNetCore.Cryptography.KeyDerivation\Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj", "{421F0383-34B1-402D-807B-A94542513ABA}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Cryptography.Internal.Test", "test\Microsoft.AspNetCore.Cryptography.Internal.Test\Microsoft.AspNetCore.Cryptography.Internal.Test.csproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" -EndProject 
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Abstractions", "src\Microsoft.AspNetCore.DataProtection.Abstractions\Microsoft.AspNetCore.DataProtection.Abstractions.csproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Abstractions.Test", "test\Microsoft.AspNetCore.DataProtection.Abstractions.Test\Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.SystemWeb", "src\Microsoft.AspNetCore.DataProtection.SystemWeb\Microsoft.AspNetCore.DataProtection.SystemWeb.csproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Extensions.Test", "test\Microsoft.AspNetCore.DataProtection.Extensions.Test\Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Extensions", "src\Microsoft.AspNetCore.DataProtection.Extensions\Microsoft.AspNetCore.DataProtection.Extensions.csproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.csproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.AzureStorage", "src\Microsoft.AspNetCore.DataProtection.AzureStorage\Microsoft.AspNetCore.DataProtection.AzureStorage.csproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" -EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A5DE3-49AD-431C-971D-B01B62D94AE2}" 
EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AzureBlob", "samples\AzureBlob\AzureBlob.csproj", "{B07435B3-CD81-4E3B-88A5-6384821E1C01}" -EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.Redis.Test", "test\Microsoft.AspNetCore.DataProtection.Redis.Test\Microsoft.AspNetCore.DataProtection.Redis.Test.csproj", "{ABCF00E5-5B2F-469C-90DC-908C5A04C08D}" -EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{E1D86B1B-41D8-43C9-97FD-C2BF65C414E2}" ProjectSection(SolutionItems) = preProject NuGet.config = NuGet.config EndProjectSection EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.DataProtection.AzureStorage.Test", "test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection", "src\Microsoft.AspNetCore.DataProtection\Microsoft.AspNetCore.DataProtection.csproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Redis", "samples\Redis\Redis.csproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Test", "test\Microsoft.AspNetCore.DataProtection.Test\Microsoft.AspNetCore.DataProtection.Test.csproj", "{7A637185-2BA1-437D-9D4C-7CC4F94CF7BF}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Cryptography.Internal", "src\Microsoft.AspNetCore.Cryptography.Internal\Microsoft.AspNetCore.Cryptography.Internal.csproj", "{E2779976-A28C-4365-A4BB-4AD854FAF23E}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation", 
"src\Microsoft.AspNetCore.Cryptography.KeyDerivation\Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj", "{421F0383-34B1-402D-807B-A94542513ABA}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Cryptography.KeyDerivation.Test", "test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test\Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj", "{42C97F52-8D56-46BD-A712-4F22BED157A7}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Cryptography.Internal.Test", "test\Microsoft.AspNetCore.Cryptography.Internal.Test\Microsoft.AspNetCore.Cryptography.Internal.Test.csproj", "{37053D5F-5B61-47CE-8B72-298CE007FFB0}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Abstractions", "src\Microsoft.AspNetCore.DataProtection.Abstractions\Microsoft.AspNetCore.DataProtection.Abstractions.csproj", "{4B115BDE-B253-46A6-97BF-A8B37B344FF2}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Abstractions.Test", "test\Microsoft.AspNetCore.DataProtection.Abstractions.Test\Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj", "{FF650A69-DEE4-4B36-9E30-264EE7CFB478}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.SystemWeb", "src\Microsoft.AspNetCore.DataProtection.SystemWeb\Microsoft.AspNetCore.DataProtection.SystemWeb.csproj", "{E3552DEB-4173-43AE-BF69-3C10DFF3BAB6}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Extensions.Test", "test\Microsoft.AspNetCore.DataProtection.Extensions.Test\Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj", "{04AA8E60-A053-4D50-89FE-E76C3DF45200}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Extensions", 
"src\Microsoft.AspNetCore.DataProtection.Extensions\Microsoft.AspNetCore.DataProtection.Extensions.csproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.csproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.AzureStorage", "src\Microsoft.AspNetCore.DataProtection.AzureStorage\Microsoft.AspNetCore.DataProtection.AzureStorage.csproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AzureBlob", "samples\AzureBlob\AzureBlob.csproj", "{B07435B3-CD81-4E3B-88A5-6384821E1C01}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Redis.Test", "test\Microsoft.AspNetCore.DataProtection.Redis.Test\Microsoft.AspNetCore.DataProtection.Redis.Test.csproj", "{ABCF00E5-5B2F-469C-90DC-908C5A04C08D}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.AzureStorage.Test", "test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Redis", "samples\Redis\Redis.csproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "NonDISample", "samples\NonDISample\NonDISample.csproj", "{32CF970B-E2F1-4CD9-8DB3-F5715475373A}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "KeyManagementSample", "samples\KeyManagementSample\KeyManagementSample.csproj", "{6E066F8D-2910-404F-8949-F58125E28495}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CustomEncryptorSample", 
"samples\CustomEncryptorSample\CustomEncryptorSample.csproj", "{F4D59BBD-6145-4EE0-BA6E-AD03605BF151}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution 
@@ -187,6 +193,30 @@ Global {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|Any CPU.Build.0 = Release|Any CPU {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.ActiveCfg = Release|Any CPU {24AAEC96-DF46-4F61-B2FF-3D5E056685D9}.Release|x86.Build.0 = Release|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Debug|x86.ActiveCfg = Debug|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Debug|x86.Build.0 = Debug|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Release|Any CPU.ActiveCfg = Release|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Release|Any CPU.Build.0 = Release|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Release|x86.ActiveCfg = Release|Any CPU + {32CF970B-E2F1-4CD9-8DB3-F5715475373A}.Release|x86.Build.0 = Release|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Debug|Any CPU.Build.0 = Debug|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Debug|x86.ActiveCfg = Debug|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Debug|x86.Build.0 = Debug|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Release|Any CPU.ActiveCfg = Release|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Release|Any CPU.Build.0 = Release|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Release|x86.ActiveCfg = Release|Any CPU + {6E066F8D-2910-404F-8949-F58125E28495}.Release|x86.Build.0 = Release|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Debug|Any CPU.Build.0 = Debug|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Debug|x86.ActiveCfg = Debug|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Debug|x86.Build.0 = Debug|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Release|Any CPU.ActiveCfg = Release|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Release|Any 
CPU.Build.0 = Release|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Release|x86.ActiveCfg = Release|Any CPU + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -209,5 +239,8 @@ Global {ABCF00E5-5B2F-469C-90DC-908C5A04C08D} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {8C41240E-48F8-402F-9388-74CFE27F4D76} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {24AAEC96-DF46-4F61-B2FF-3D5E056685D9} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} + {32CF970B-E2F1-4CD9-8DB3-F5715475373A} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} + {6E066F8D-2910-404F-8949-F58125E28495} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} + {F4D59BBD-6145-4EE0-BA6E-AD03605BF151} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} EndGlobalSection EndGlobal diff --git a/samples/AzureBlob/Program.cs b/samples/AzureBlob/Program.cs index d67432adac..dd1e45b5d9 100644 --- a/samples/AzureBlob/Program.cs +++ b/samples/AzureBlob/Program.cs @@ -1,4 +1,7 @@ -using System; +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; using Microsoft.AspNetCore.DataProtection; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; diff --git a/samples/CustomEncryptorSample/CustomBuilderExtensions.cs b/samples/CustomEncryptorSample/CustomBuilderExtensions.cs new file mode 100644 index 0000000000..faa99a4a5d --- /dev/null +++ b/samples/CustomEncryptorSample/CustomBuilderExtensions.cs 
@@ -0,0 +1,31 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; + +namespace CustomEncryptorSample +{ + public static class CustomBuilderExtensions + { + public static IDataProtectionBuilder UseXmlEncryptor( + this IDataProtectionBuilder builder, + Func factory) + { + builder.Services.AddSingleton>(serviceProvider => + { + var instance = factory(serviceProvider); + return new ConfigureOptions(options => + { + options.XmlEncryptor = instance; + }); + }); + + return builder; + } + } +} diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj new file mode 100644 index 0000000000..b8d212454c --- /dev/null +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -0,0 +1,18 @@ + + + + net451;netcoreapp1.1 + + win7-x64 + portable + Exe + + + + + + + + + + diff --git a/samples/CustomEncryptorSample/CustomXmlDecryptor.cs b/samples/CustomEncryptorSample/CustomXmlDecryptor.cs new file mode 100644 index 0000000000..a8925f12f6 --- /dev/null +++ b/samples/CustomEncryptorSample/CustomXmlDecryptor.cs 
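Review bot: `UseXmlEncryptor` validates neither `builder` nor `factory`, so a null `factory` only fails when the options are first resolved, as a `NullReferenceException` inside the singleton lambda and far from the call site. Add guards at the top of the method: `if (builder == null) throw new ArgumentNullException(nameof(builder));` and `if (factory == null) throw new ArgumentNullException(nameof(factory));`. A `///` summary would also help, stating that the factory result is assigned to `options.XmlEncryptor` and that the caller is responsible for what that encryptor does with key material.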
@@ -0,0 +1,32 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Linq;
+using System.Xml.Linq;
+using Microsoft.AspNetCore.DataProtection.XmlEncryption;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace CustomEncryptorSample
+{
+ public class CustomXmlDecryptor : IXmlDecryptor
+ {
+ private readonly ILogger _logger;
+
+ public CustomXmlDecryptor(IServiceProvider services)
+ {
+ _logger = services.GetRequiredService().CreateLogger();
+ }
+
+ public XElement Decrypt(XElement encryptedElement)
+ {
+ if (encryptedElement == null)
+ {
+ throw new ArgumentNullException(nameof(encryptedElement));
+ }
+
+ return new XElement(encryptedElement.Elements().Single());
+ }
+ }
+}
diff --git a/samples/CustomEncryptorSample/CustomXmlEncryptor.cs b/samples/CustomEncryptorSample/CustomXmlEncryptor.cs
new file mode 100644
index 0000000000..f6653f776a
--- /dev/null
+++ b/samples/CustomEncryptorSample/CustomXmlEncryptor.cs
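Review bot: `Decrypt` returns whatever single child element it finds without checking that `encryptedElement` is the `unencryptedKey` wrapper this sample's encryptor writes, and `Single()` reports a malformed element only as a generic `InvalidOperationException`. Checking `encryptedElement.Name` and the child count, then throwing with a message that names the expected wrapper, would make a corrupted or hand-edited key file much easier to diagnose. `_logger` is assigned in the constructor but never used in this class; either log the pass-through or drop the field. The class also needs a `///` summary saying that it performs no decryption and exists only to pair with the sample encryptor.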
@@ -0,0 +1,38 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Xml.Linq;
+using Microsoft.AspNetCore.DataProtection.XmlEncryption;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace CustomEncryptorSample
+{
+ public class CustomXmlEncryptor : IXmlEncryptor
+ {
+ private readonly ILogger _logger;
+
+ public CustomXmlEncryptor(IServiceProvider services)
+ {
+ _logger = services.GetRequiredService().CreateLogger();
+ }
+
+ public EncryptedXmlInfo Encrypt(XElement plaintextElement)
+ {
+ if (plaintextElement == null)
+ {
+ throw new ArgumentNullException(nameof(plaintextElement));
+ }
+
+ _logger.LogInformation("Not encrypting key");
+
+ var newElement = new XElement("unencryptedKey",
+ new XComment(" This key is not encrypted. "),
+ new XElement(plaintextElement));
+ var encryptedTextElement = new EncryptedXmlInfo(newElement, typeof(CustomXmlDecryptor));
+
+ return encryptedTextElement;
+ }
+ }
+}
diff --git a/samples/CustomEncryptorSample/Program.cs b/samples/CustomEncryptorSample/Program.cs
new file mode 100644
index 0000000000..c79d12c601
--- /dev/null
+++ b/samples/CustomEncryptorSample/Program.cs
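Review bot: `Encrypt` wraps the key element in `unencryptedKey` and hands it back as plaintext, yet the class is named and registered as an encryptor and carries no documentation saying so. The only signals are an information-level log line and an XML comment in the output, so someone copying this sample gets key material stored in the clear at rest. Add a `///` summary on the class stating that it demonstrates the `IXmlEncryptor` extension point, performs no encryption and must not be used for real keys. Raising the log call to `_logger.LogWarning("Not encrypting key");` would make the condition stand out in the sample's console output.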
@@ -0,0 +1,38 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace CustomEncryptorSample
+{
+ public class Program
+ {
+ public static void Main(string[] args)
+ {
+ var keysFolder = Path.Combine(Directory.GetCurrentDirectory(), "temp-keys");
+ var serviceCollection = new ServiceCollection();
+ serviceCollection.AddLogging();
+ serviceCollection.AddDataProtection()
+ .PersistKeysToFileSystem(new DirectoryInfo(keysFolder))
+ .UseXmlEncryptor(s => new CustomXmlEncryptor(s));
+
+ var services = serviceCollection.BuildServiceProvider();
+ var loggerFactory = services.GetRequiredService();
+ loggerFactory.AddConsole();
+
+ var protector = services.GetDataProtector("SamplePurpose");
+
+ // protect the payload
+ var protectedPayload = protector.Protect("Hello World!");
+ Console.WriteLine($"Protect returned: {protectedPayload}");
+
+ // unprotect the payload
+ var unprotectedPayload = protector.Unprotect(protectedPayload);
+ Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
+ }
+ }
+}
diff --git a/samples/CustomEncryptorSample/Properties/launchSettings.json b/samples/CustomEncryptorSample/Properties/launchSettings.json
new file mode 100644
index 0000000000..c24bc96703
--- /dev/null
+++ b/samples/CustomEncryptorSample/Properties/launchSettings.json
@@ -0,0 +1,22 @@
+{
+ "iisSettings": {
+ "windowsAuthentication": false,
+ "anonymousAuthentication": true,
+ "iisExpress": {
+ "applicationUrl": "http://localhost:1398/",
+ "sslPort": 0
+ }
+ },
+ "profiles": {
+ "IIS Express": {
+ "commandName": "IISExpress",
+ "launchBrowser": true,
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "CustomEncryptorSample": {
+ "commandName": "Project"
+ }
+ }
+}
\ No newline at end of file
diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj
new file mode 100644
index 0000000000..0769407b34
--- /dev/null
+++ b/samples/KeyManagementSample/KeyManagementSample.csproj
@@ -0,0 +1,16 @@
+
+
+
+ net451;netcoreapp1.1
+
+ win7-x64
+ portable
+ Exe
+
+
+
+
+
+
+
+
diff --git a/samples/KeyManagementSample/Program.cs b/samples/KeyManagementSample/Program.cs
new file mode 100644
index 0000000000..3feefebc14
--- /dev/null
+++ b/samples/KeyManagementSample/Program.cs
@@ -0,0 +1,64 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.IO; +using System.Runtime.InteropServices; +using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.DependencyInjection; + +namespace KeyManagementSample +{ + public class Program + { + public static void Main(string[] args) + { + var keysFolder = Path.Combine(Directory.GetCurrentDirectory(), "temp-keys"); + var serviceCollection = new ServiceCollection(); + var builder = serviceCollection.AddDataProtection() + // point at a specific folder and use DPAPI to encrypt keys + .PersistKeysToFileSystem(new DirectoryInfo(keysFolder)); + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) + { + builder.ProtectKeysWithDpapi(); + } + + var services = serviceCollection.BuildServiceProvider(); + + // perform a protect operation to force the system to put at least + // one key in the key ring + services.GetDataProtector("Sample.KeyManager.v1").Protect("payload"); + Console.WriteLine("Performed a protect operation."); + + // get a reference to the key manager + var keyManager = services.GetService(); + + // list all keys in the key ring + var allKeys = keyManager.GetAllKeys(); + Console.WriteLine($"The key ring contains {allKeys.Count} key(s)."); + foreach (var key in allKeys) + { + Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}"); + } + + // revoke all keys in the key ring + keyManager.RevokeAllKeys(DateTimeOffset.Now, reason: "Revocation reason here."); + Console.WriteLine("Revoked all existing keys."); + + // add a new key to the key ring with immediate activation and a 1-month expiration + keyManager.CreateNewKey( + activationDate: DateTimeOffset.Now, + expirationDate: DateTimeOffset.Now.AddMonths(1)); + Console.WriteLine("Added a new 
key."); + + // list all keys in the key ring + allKeys = keyManager.GetAllKeys(); + Console.WriteLine($"The key ring contains {allKeys.Count} key(s)."); + foreach (var key in allKeys) + { + Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}"); + } + } + } +} diff --git a/samples/KeyManagementSample/Properties/launchSettings.json b/samples/KeyManagementSample/Properties/launchSettings.json new file mode 100644 index 0000000000..9f2e8074fe --- /dev/null +++ b/samples/KeyManagementSample/Properties/launchSettings.json @@ -0,0 +1,22 @@ +{ + "iisSettings": { + "windowsAuthentication": false, + "anonymousAuthentication": true, + "iisExpress": { + "applicationUrl": "http://localhost:1396/", + "sslPort": 0 + } + }, + "profiles": { + "IIS Express": { + "commandName": "IISExpress", + "launchBrowser": true, + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + } + }, + "KeyManagementSample": { + "commandName": "Project" + } + } +} \ No newline at end of file diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj new file mode 100644 index 0000000000..0769407b34 --- /dev/null +++ b/samples/NonDISample/NonDISample.csproj @@ -0,0 +1,16 @@ + + + + net451;netcoreapp1.1 + + win7-x64 + portable + Exe + + + + + + + + diff --git a/samples/NonDISample/Program.cs b/samples/NonDISample/Program.cs new file mode 100644 index 0000000000..f9ccd92603 --- /dev/null +++ b/samples/NonDISample/Program.cs 
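Review bot: The comment `// point at a specific folder and use DPAPI to encrypt keys` overstates what `Main` does off Windows. `builder.ProtectKeysWithDpapi()` runs only under the `RuntimeInformation.IsOSPlatform(OSPlatform.Windows)` check, so on other platforms no key encryption is configured in this hunk and the key ring written to `temp-keys` is presumably unencrypted at rest. I would reword it to `// persist keys to a specific folder; DPAPI encryption at rest is applied on Windows only, other platforms store the keys unencrypted`. samples/NonDISample/Program.cs has the same Windows-only conditional with no comment at all and deserves the same sentence. Separately, the key manager is obtained with `GetService`, whose result is dereferenced by `keyManager.GetAllKeys()` without a null check; `GetRequiredService` would fail with a clearer error.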
@@ -0,0 +1,41 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Runtime.InteropServices;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+
+namespace NonDISample
+{
+ public class Program
+ {
+ public static void Main(string[] args)
+ {
+ var keysFolder = Path.Combine(Directory.GetCurrentDirectory(), "temp-keys");
+
+ // instantiate the data protection system at this folder
+ var dataProtectionProvider = DataProtectionProvider.Create(
+ new DirectoryInfo(keysFolder),
+ configuration =>
+ {
+ configuration.SetApplicationName("my app name");
+ if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+ {
+ configuration.ProtectKeysWithDpapi();
+ }
+ });
+
+ var protector = dataProtectionProvider.CreateProtector("Program.No-DI");
+
+ // protect the payload
+ var protectedPayload = protector.Protect("Hello World!");
+ Console.WriteLine($"Protect returned: {protectedPayload}");
+
+ // unprotect the payload
+ var unprotectedPayload = protector.Unprotect(protectedPayload);
+ Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
+ }
+ }
+}
diff --git a/samples/NonDISample/Properties/launchSettings.json b/samples/NonDISample/Properties/launchSettings.json
new file mode 100644
index 0000000000..7d36272608
--- /dev/null
+++ b/samples/NonDISample/Properties/launchSettings.json
@@ -0,0 +1,22 @@
+{
+ "iisSettings": {
+ "windowsAuthentication": false,
+ "anonymousAuthentication": true,
+ "iisExpress": {
+ "applicationUrl": "http://localhost:1394/",
+ "sslPort": 0
+ }
+ },
+ "profiles": {
+ "IIS Express": {
+ "commandName": "IISExpress",
+ "launchBrowser": true,
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "NonDISample": {
+ "commandName": "Project"
+ }
+ }
+}
\ No newline at end of file
diff --git a/samples/Redis/Program.cs b/samples/Redis/Program.cs index a3401c86a2..94a32c116f 100644 --- a/samples/Redis/Program.cs +++ b/samples/Redis/Program.cs @@ -1,4 +1,7 @@ -using System; +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; using Microsoft.AspNetCore.DataProtection; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionSettings.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs similarity index 57% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionSettings.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs index 093dc3e1e5..9cff56e78e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptionSettings.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; 
@@ -6,103 +6,90 @@ using System.Security.Cryptography; using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { - /// - /// Settings for configuring authenticated encryption algorithms. - /// - public sealed class AuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings + public sealed class AuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory { - /// - /// The algorithm to use for symmetric encryption (confidentiality). - /// - /// - /// The default value is . - /// - public EncryptionAlgorithm EncryptionAlgorithm { get; set; } = EncryptionAlgorithm.AES_256_CBC; + private readonly ILoggerFactory _loggerFactory; - /// - /// The algorithm to use for message authentication (tamper-proofing). - /// - /// - /// The default value is . - /// This property is ignored if specifies a 'GCM' algorithm. - /// - public ValidationAlgorithm ValidationAlgorithm { get; set; } = ValidationAlgorithm.HMACSHA256; - - /// - /// Validates that this is well-formed, i.e., - /// that the specified algorithms actually exist and that they can be instantiated properly. - /// An exception will be thrown if validation fails. - /// - public void Validate() + public AuthenticatedEncryptorFactory(ILoggerFactory loggerFactory) { - // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. 
- var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8)); - try - { - encryptor.PerformSelfTest(); - } - finally - { - (encryptor as IDisposable)?.Dispose(); - } + _loggerFactory = loggerFactory; } - /* - * HELPER ROUTINES - */ - - internal IAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, IServiceProvider services = null) + public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) { - return CreateImplementationOptions() - .ToConfiguration(services) - .CreateDescriptorFromSecret(secret) - .CreateEncryptorInstance(); + var descriptor = key.Descriptor as AuthenticatedEncryptorDescriptor; + if (descriptor == null) + { + return null; + } + + return CreateAuthenticatedEncryptorInstance(descriptor.MasterKey, descriptor.Configuration); } - private IInternalAuthenticatedEncryptionSettings CreateImplementationOptions() + internal IAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance( + ISecret secret, + AuthenticatedEncryptorConfiguration authenticatedConfiguration) { - if (IsGcmAlgorithm(EncryptionAlgorithm)) + if (authenticatedConfiguration == null) + { + return null; + } + + if (IsGcmAlgorithm(authenticatedConfiguration.EncryptionAlgorithm)) { // GCM requires CNG, and CNG is only supported on Windows. 
if (!OSVersionUtil.IsWindows()) { throw new PlatformNotSupportedException(Resources.Platform_WindowsRequiredForGcm); } - return new CngGcmAuthenticatedEncryptionSettings() + + var configuration = new CngGcmAuthenticatedEncryptorConfiguration() { - EncryptionAlgorithm = GetBCryptAlgorithmName(EncryptionAlgorithm), - EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm) + EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), + EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm) }; + + return new CngGcmAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration); } else { if (OSVersionUtil.IsWindows()) { // CNG preferred over managed implementations if running on Windows - return new CngCbcAuthenticatedEncryptionSettings() + var configuration = new CngCbcAuthenticatedEncryptorConfiguration() { - EncryptionAlgorithm = GetBCryptAlgorithmName(EncryptionAlgorithm), - EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm), - HashAlgorithm = GetBCryptAlgorithmName(ValidationAlgorithm) + EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), + EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm), + HashAlgorithm = GetBCryptAlgorithmNameFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm) }; + + return new CngCbcAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration); } else { // Use managed implementations as a fallback - return new ManagedAuthenticatedEncryptionSettings() + var configuration = new ManagedAuthenticatedEncryptorConfiguration() { - EncryptionAlgorithmType = GetManagedTypeForAlgorithm(EncryptionAlgorithm), - EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(EncryptionAlgorithm), - 
ValidationAlgorithmType = GetManagedTypeForAlgorithm(ValidationAlgorithm) + EncryptionAlgorithmType = GetManagedTypeFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), + EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm), + ValidationAlgorithmType = GetManagedTypeFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm) }; + + return new ManagedAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration); } } } + internal static bool IsGcmAlgorithm(EncryptionAlgorithm algorithm) + { + return (EncryptionAlgorithm.AES_128_GCM <= algorithm && algorithm <= EncryptionAlgorithm.AES_256_GCM); + } + private static int GetAlgorithmKeySizeInBits(EncryptionAlgorithm algorithm) { switch (algorithm) @@ -120,11 +107,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return 256; default: - throw new ArgumentOutOfRangeException(nameof(algorithm)); + throw new ArgumentOutOfRangeException(nameof(EncryptionAlgorithm)); } } - private static string GetBCryptAlgorithmName(EncryptionAlgorithm algorithm) + private static string GetBCryptAlgorithmNameFromEncryptionAlgorithm(EncryptionAlgorithm algorithm) { switch (algorithm) { @@ -137,11 +124,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return Constants.BCRYPT_AES_ALGORITHM; default: - throw new ArgumentOutOfRangeException(nameof(algorithm)); + throw new ArgumentOutOfRangeException(nameof(EncryptionAlgorithm)); } } - private static string GetBCryptAlgorithmName(ValidationAlgorithm algorithm) + private static string GetBCryptAlgorithmNameFromValidationAlgorithm(ValidationAlgorithm algorithm) { switch (algorithm) { 
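Review bot: `CreateEncryptorInstance(IKey key)` reads `key.Descriptor` with no guard, so a null `key` surfaces as a NullReferenceException from inside the factory rather than an argument error at the boundary. Add `if (key == null) { throw new ArgumentNullException(nameof(key)); }` before the cast. The constructor also stores `loggerFactory` unchecked, and the value is first dereferenced only when it is handed to the Cng/Managed factories created in `CreateAuthenticatedEncryptorInstance`, which moves the failure away from its cause. CngCbcAuthenticatedEncryptorFactory, added in this same commit, has the same unguarded `key.Descriptor` access. Returning null for a descriptor type the factory does not handle looks intentional, but it is undocumented, and a one-line `<returns>` remark would tell callers to expect it.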
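Review bot: `throw new ArgumentOutOfRangeException(nameof(EncryptionAlgorithm))` passes the name of the enum type as `paramName`, whereas the removed line correctly named the parameter, `algorithm`. I would keep `throw new ArgumentOutOfRangeException(nameof(algorithm));` here, so the exception points at the offending argument. The same substitution appears in the default branches of GetBCryptAlgorithmNameFromEncryptionAlgorithm, GetBCryptAlgorithmNameFromValidationAlgorithm, GetManagedTypeFromEncryptionAlgorithm and GetManagedTypeFromValidationAlgorithm in the following hunks. The switch bodies begin outside these hunks, so the case lists are not reviewed here.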
@@ -152,11 +139,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return Constants.BCRYPT_SHA512_ALGORITHM; default: - throw new ArgumentOutOfRangeException(nameof(algorithm)); + throw new ArgumentOutOfRangeException(nameof(ValidationAlgorithm)); } } - private static Type GetManagedTypeForAlgorithm(EncryptionAlgorithm algorithm) + private static Type GetManagedTypeFromEncryptionAlgorithm(EncryptionAlgorithm algorithm) { switch (algorithm) { @@ -169,11 +156,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return typeof(Aes); default: - throw new ArgumentOutOfRangeException(nameof(algorithm)); + throw new ArgumentOutOfRangeException(nameof(EncryptionAlgorithm)); } } - private static Type GetManagedTypeForAlgorithm(ValidationAlgorithm algorithm) + private static Type GetManagedTypeFromValidationAlgorithm(ValidationAlgorithm algorithm) { switch (algorithm) { @@ -184,18 +171,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption return typeof(HMACSHA512); default: - throw new ArgumentOutOfRangeException(nameof(algorithm)); + throw new ArgumentOutOfRangeException(nameof(ValidationAlgorithm)); } } - - internal static bool IsGcmAlgorithm(EncryptionAlgorithm algorithm) - { - return (EncryptionAlgorithm.AES_128_GCM <= algorithm && algorithm <= EncryptionAlgorithm.AES_256_GCM); - } - - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) - { - return new AuthenticatedEncryptorConfiguration(this, services); - } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs deleted file mode 100644 index d9d4cd1aad..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptionSettings.cs +++ /dev/null 
@@ -1,184 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNetCore.Cryptography; -using Microsoft.AspNetCore.Cryptography.Cng; -using Microsoft.AspNetCore.Cryptography.SafeHandles; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNetCore.DataProtection.Cng; -using Microsoft.Extensions.Logging; - -namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption -{ - /// - /// Settings for configuring an authenticated encryption mechanism which uses - /// Windows CNG algorithms in CBC encryption + HMAC authentication modes. - /// - public sealed class CngCbcAuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings - { - /// - /// The name of the algorithm to use for symmetric encryption. - /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. - /// This property is required to have a value. - /// - /// - /// The algorithm must support CBC-style encryption and must have a block size of 64 bits - /// or greater. - /// The default value is 'AES'. - /// - [ApplyPolicy] - public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; - - /// - /// The name of the provider which contains the implementation of the symmetric encryption algorithm. - /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. - /// This property is optional. - /// - /// - /// The default value is null. - /// - [ApplyPolicy] - public string EncryptionAlgorithmProvider { get; set; } = null; - - /// - /// The length (in bits) of the key that will be used for symmetric encryption. - /// This property is required to have a value. - /// - /// - /// The key length must be 128 bits or greater. - /// The default value is 256. 
- /// - [ApplyPolicy] - public int EncryptionAlgorithmKeySize { get; set; } = 256; - - /// - /// The name of the algorithm to use for hashing data. - /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. - /// This property is required to have a value. - /// - /// - /// The algorithm must support being opened in HMAC mode and must have a digest length - /// of 128 bits or greater. - /// The default value is 'SHA256'. - /// - [ApplyPolicy] - public string HashAlgorithm { get; set; } = Constants.BCRYPT_SHA256_ALGORITHM; - - /// - /// The name of the provider which contains the implementation of the hash algorithm. - /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. - /// This property is optional. - /// - /// - /// The default value is null. - /// - [ApplyPolicy] - public string HashAlgorithmProvider { get; set; } = null; - - /// - /// Validates that this is well-formed, i.e., - /// that the specified algorithms actually exist and that they can be instantiated properly. - /// An exception will be thrown if validation fails. - /// - public void Validate() - { - // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. 
- using (var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8))) - { - encryptor.PerformSelfTest(); - } - } - - /* - * HELPER ROUTINES - */ - - internal CbcAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, ILogger logger = null) - { - return new CbcAuthenticatedEncryptor( - keyDerivationKey: new Secret(secret), - symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(logger), - symmetricAlgorithmKeySizeInBytes: (uint)(EncryptionAlgorithmKeySize / 8), - hmacAlgorithmHandle: GetHmacAlgorithmHandle(logger)); - } - - private BCryptAlgorithmHandle GetHmacAlgorithmHandle(ILogger logger) - { - // basic argument checking - if (String.IsNullOrEmpty(HashAlgorithm)) - { - throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(HashAlgorithm)); - } - - logger?.OpeningCNGAlgorithmFromProviderWithHMAC(HashAlgorithm, HashAlgorithmProvider); - BCryptAlgorithmHandle algorithmHandle = null; - - // Special-case cached providers - if (HashAlgorithmProvider == null) - { - if (HashAlgorithm == Constants.BCRYPT_SHA1_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA1; } - else if (HashAlgorithm == Constants.BCRYPT_SHA256_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA256; } - else if (HashAlgorithm == Constants.BCRYPT_SHA512_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA512; } - } - - // Look up the provider dynamically if we couldn't fetch a cached instance - if (algorithmHandle == null) - { - algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(HashAlgorithm, HashAlgorithmProvider, hmac: true); - } - - // Make sure we're using a hash algorithm. We require a minimum 128-bit digest. - var digestSize = algorithmHandle.GetHashDigestLength(); - AlgorithmAssert.IsAllowableValidationAlgorithmDigestSize(checked(digestSize * 8)); - - // all good! 
- return algorithmHandle; - } - - private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle(ILogger logger) - { - // basic argument checking - if (String.IsNullOrEmpty(EncryptionAlgorithm)) - { - throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithm)); - } - if (EncryptionAlgorithmKeySize < 0) - { - throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); - } - - logger?.OpeningCNGAlgorithmFromProviderWithChainingModeCBC(EncryptionAlgorithm, EncryptionAlgorithmProvider); - - BCryptAlgorithmHandle algorithmHandle = null; - - // Special-case cached providers - if (EncryptionAlgorithmProvider == null) - { - if (EncryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_CBC; } - } - - // Look up the provider dynamically if we couldn't fetch a cached instance - if (algorithmHandle == null) - { - algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(EncryptionAlgorithm, EncryptionAlgorithmProvider); - algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_CBC); - } - - // make sure we're using a block cipher with an appropriate key size & block size - AlgorithmAssert.IsAllowableSymmetricAlgorithmBlockSize(checked(algorithmHandle.GetCipherBlockLength() * 8)); - AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked((uint)EncryptionAlgorithmKeySize)); - - // make sure the provided key length is valid - algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength((uint)EncryptionAlgorithmKeySize); - - // all good! - return algorithmHandle; - } - - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) - { - return new CngCbcAuthenticatedEncryptorConfiguration(this, services); - } - } -} 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs new file mode 100644 index 0000000000..86fc817ef1 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs 
@@ -0,0 +1,124 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.Logging; + +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption +{ + public sealed class CngCbcAuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory + { + private readonly ILogger _logger; + + public CngCbcAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory) + { + _logger = loggerFactory.CreateLogger(); + } + + public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) + { + var descriptor = key.Descriptor as CngCbcAuthenticatedEncryptorDescriptor; + if (descriptor == null) + { + return null; + } + + return CreateAuthenticatedEncryptorInstance(descriptor.MasterKey, descriptor.Configuration); + } + + internal CbcAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance( + ISecret secret, + CngCbcAuthenticatedEncryptorConfiguration configuration) + { + if (configuration == null) + { + return null; + } + + return new CbcAuthenticatedEncryptor( + keyDerivationKey: new Secret(secret), + symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(configuration), + symmetricAlgorithmKeySizeInBytes: (uint)(configuration.EncryptionAlgorithmKeySize / 8), + hmacAlgorithmHandle: GetHmacAlgorithmHandle(configuration)); + } + + private BCryptAlgorithmHandle GetHmacAlgorithmHandle(CngCbcAuthenticatedEncryptorConfiguration configuration) + { + // basic argument checking + if (String.IsNullOrEmpty(configuration.HashAlgorithm)) + { + throw 
Error.Common_PropertyCannotBeNullOrEmpty(nameof(configuration.HashAlgorithm)); + } + + _logger.OpeningCNGAlgorithmFromProviderWithHMAC(configuration.HashAlgorithm, configuration.HashAlgorithmProvider); + BCryptAlgorithmHandle algorithmHandle = null; + + // Special-case cached providers + if (configuration.HashAlgorithmProvider == null) + { + if (configuration.HashAlgorithm == Constants.BCRYPT_SHA1_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA1; } + else if (configuration.HashAlgorithm == Constants.BCRYPT_SHA256_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA256; } + else if (configuration.HashAlgorithm == Constants.BCRYPT_SHA512_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.HMAC_SHA512; } + } + + // Look up the provider dynamically if we couldn't fetch a cached instance + if (algorithmHandle == null) + { + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(configuration.HashAlgorithm, configuration.HashAlgorithmProvider, hmac: true); + } + + // Make sure we're using a hash algorithm. We require a minimum 128-bit digest. + uint digestSize = algorithmHandle.GetHashDigestLength(); + AlgorithmAssert.IsAllowableValidationAlgorithmDigestSize(checked(digestSize * 8)); + + // all good! 
+ return algorithmHandle; + } + + private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle(CngCbcAuthenticatedEncryptorConfiguration configuration) + { + // basic argument checking + if (String.IsNullOrEmpty(configuration.EncryptionAlgorithm)) + { + throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithm)); + } + if (configuration.EncryptionAlgorithmKeySize < 0) + { + throw Error.Common_PropertyMustBeNonNegative(nameof(configuration.EncryptionAlgorithmKeySize)); + } + + _logger.OpeningCNGAlgorithmFromProviderWithChainingModeCBC(configuration.EncryptionAlgorithm, configuration.EncryptionAlgorithmProvider); + + BCryptAlgorithmHandle algorithmHandle = null; + + // Special-case cached providers + if (configuration.EncryptionAlgorithmProvider == null) + { + if (configuration.EncryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_CBC; } + } + + // Look up the provider dynamically if we couldn't fetch a cached instance + if (algorithmHandle == null) + { + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(configuration.EncryptionAlgorithm, configuration.EncryptionAlgorithmProvider); + algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_CBC); + } + + // make sure we're using a block cipher with an appropriate key size & block size + AlgorithmAssert.IsAllowableSymmetricAlgorithmBlockSize(checked(algorithmHandle.GetCipherBlockLength() * 8)); + AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked((uint)configuration.EncryptionAlgorithmKeySize)); + + // make sure the provided key length is valid + algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength((uint)configuration.EncryptionAlgorithmKeySize); + + // all good! + return algorithmHandle; + } + } +} 
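Review bot: In `CreateAuthenticatedEncryptorInstance`, `new Secret(secret)` is the first named argument and is therefore evaluated before `GetSymmetricBlockCipherAlgorithmHandle(configuration)` and `GetHmacAlgorithmHandle(configuration)`, both of which can throw on a bad configuration. If either throws, the freshly created `Secret` (presumably a copy of the master key) is never handed to an owner and is left for finalization instead of being disposed. Resolving the handles into locals first, e.g. `var cipherHandle = GetSymmetricBlockCipherAlgorithmHandle(configuration);` and `var hmacHandle = GetHmacAlgorithmHandle(configuration);`, and only then constructing the encryptor avoids creating key material before validation has passed. As a style point, `nameof(EncryptionAlgorithm)` in GetSymmetricBlockCipherAlgorithmHandle binds to the enum type rather than the property; `nameof(configuration.EncryptionAlgorithm)` would match the `nameof(configuration.HashAlgorithm)` form used in GetHmacAlgorithmHandle.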
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionSettings.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionSettings.cs deleted file mode 100644 index 4c3f33d903..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptionSettings.cs +++ /dev/null 
@@ -1,125 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNetCore.Cryptography; -using Microsoft.AspNetCore.Cryptography.Cng; -using Microsoft.AspNetCore.Cryptography.SafeHandles; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNetCore.DataProtection.Cng; -using Microsoft.Extensions.Logging; - -namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption -{ - /// - /// Settings for configuring an authenticated encryption mechanism which uses - /// Windows CNG algorithms in GCM encryption + authentication modes. - /// - public sealed class CngGcmAuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings - { - /// - /// The name of the algorithm to use for symmetric encryption. - /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. - /// This property is required to have a value. - /// - /// - /// The algorithm must support CBC-style encryption and must have a block size exactly - /// 128 bits. - /// The default value is 'AES'. - /// - [ApplyPolicy] - public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; - - /// - /// The name of the provider which contains the implementation of the symmetric encryption algorithm. - /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. - /// This property is optional. - /// - /// - /// The default value is null. - /// - [ApplyPolicy] - public string EncryptionAlgorithmProvider { get; set; } = null; - - /// - /// The length (in bits) of the key that will be used for symmetric encryption. - /// This property is required to have a value. - /// - /// - /// The key length must be 128 bits or greater. - /// The default value is 256. 
- /// - [ApplyPolicy] - public int EncryptionAlgorithmKeySize { get; set; } = 256; - - /// - /// Validates that this is well-formed, i.e., - /// that the specified algorithm actually exists and can be instantiated properly. - /// An exception will be thrown if validation fails. - /// - public void Validate() - { - // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. - using (var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8))) - { - encryptor.PerformSelfTest(); - } - } - - /* - * HELPER ROUTINES - */ - - internal GcmAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, ILogger logger = null) - { - return new GcmAuthenticatedEncryptor( - keyDerivationKey: new Secret(secret), - symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(logger), - symmetricAlgorithmKeySizeInBytes: (uint)(EncryptionAlgorithmKeySize / 8)); - } - - private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle(ILogger logger) - { - // basic argument checking - if (String.IsNullOrEmpty(EncryptionAlgorithm)) - { - throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithm)); - } - if (EncryptionAlgorithmKeySize < 0) - { - throw Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); - } - - BCryptAlgorithmHandle algorithmHandle = null; - - logger?.OpeningCNGAlgorithmFromProviderWithChainingModeGCM(EncryptionAlgorithm, EncryptionAlgorithmProvider); - // Special-case cached providers - if (EncryptionAlgorithmProvider == null) - { - if (EncryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_GCM; } - } - - // Look up the provider dynamically if we couldn't fetch a cached instance - if (algorithmHandle == null) - { - algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(EncryptionAlgorithm, EncryptionAlgorithmProvider); - algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_GCM); - } - - // 
make sure we're using a block cipher with an appropriate key size & block size - CryptoUtil.Assert(algorithmHandle.GetCipherBlockLength() == 128 / 8, "GCM requires a block cipher algorithm with a 128-bit block size."); - AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked((uint)EncryptionAlgorithmKeySize)); - - // make sure the provided key length is valid - algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength((uint)EncryptionAlgorithmKeySize); - - // all good! - return algorithmHandle; - } - - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) - { - return new CngGcmAuthenticatedEncryptorConfiguration(this, services); - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs new file mode 100644 index 0000000000..fefd273059 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs 
@@ -0,0 +1,89 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.Cryptography.SafeHandles; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.Logging; + +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption +{ + public sealed class CngGcmAuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory + { + private readonly ILogger _logger; + + public CngGcmAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory) + { + _logger = loggerFactory.CreateLogger(); + } + + public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) + { + var descriptor = key.Descriptor as CngGcmAuthenticatedEncryptorDescriptor; + if (descriptor == null) + { + return null; + } + + return CreateAuthenticatedEncryptorInstance(descriptor.MasterKey, descriptor.Configuration); + } + + internal GcmAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance( + ISecret secret, + CngGcmAuthenticatedEncryptorConfiguration configuration) + { + if (configuration == null) + { + return null; + } + + return new GcmAuthenticatedEncryptor( + keyDerivationKey: new Secret(secret), + symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(configuration), + symmetricAlgorithmKeySizeInBytes: (uint)(configuration.EncryptionAlgorithmKeySize / 8)); + } + + private BCryptAlgorithmHandle GetSymmetricBlockCipherAlgorithmHandle(CngGcmAuthenticatedEncryptorConfiguration configuration) + { + // basic argument checking + if (String.IsNullOrEmpty(configuration.EncryptionAlgorithm)) + { + throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithm)); + } + if 
(configuration.EncryptionAlgorithmKeySize < 0) + { + throw Error.Common_PropertyMustBeNonNegative(nameof(configuration.EncryptionAlgorithmKeySize)); + } + + BCryptAlgorithmHandle algorithmHandle = null; + + _logger?.OpeningCNGAlgorithmFromProviderWithChainingModeGCM(configuration.EncryptionAlgorithm, configuration.EncryptionAlgorithmProvider); + // Special-case cached providers + if (configuration.EncryptionAlgorithmProvider == null) + { + if (configuration.EncryptionAlgorithm == Constants.BCRYPT_AES_ALGORITHM) { algorithmHandle = CachedAlgorithmHandles.AES_GCM; } + } + + // Look up the provider dynamically if we couldn't fetch a cached instance + if (algorithmHandle == null) + { + algorithmHandle = BCryptAlgorithmHandle.OpenAlgorithmHandle(configuration.EncryptionAlgorithm, configuration.EncryptionAlgorithmProvider); + algorithmHandle.SetChainingMode(Constants.BCRYPT_CHAIN_MODE_GCM); + } + + // make sure we're using a block cipher with an appropriate key size & block size + CryptoUtil.Assert(algorithmHandle.GetCipherBlockLength() == 128 / 8, "GCM requires a block cipher algorithm with a 128-bit block size."); + AlgorithmAssert.IsAllowableSymmetricAlgorithmKeySize(checked((uint)configuration.EncryptionAlgorithmKeySize)); + + // make sure the provided key length is valid + algorithmHandle.GetSupportedKeyLengths().EnsureValidKeyLength((uint)configuration.EncryptionAlgorithmKeySize); + + // all good! + return algorithmHandle; + } + } +} 
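Review bot: In `CreateAuthenticatedEncryptorInstance`, the argument `keyDerivationKey: new Secret(secret)` is evaluated before `GetSymmetricBlockCipherAlgorithmHandle(configuration)`, so when that lookup throws (empty algorithm name, negative or unsupported key size, wrong block size) a fresh copy of the master key has already been made and is never disposed. Resolving the handle into a local first, `var algorithmHandle = GetSymmetricBlockCipherAlgorithmHandle(configuration);`, and only then constructing the encryptor avoids copying key material for a configuration that is about to be rejected. Separately, `nameof(EncryptionAlgorithm)` in the first guard no longer names a member of this class and presumably binds to a type of the same name. `nameof(configuration.EncryptionAlgorithm)` would match the key-size guard below it, and the CBC factory's copy of this method earlier in the patch has the same line.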
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs similarity index 67% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs index 0d863bf7ab..4fddb0a706 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs @@ -1,21 +1,20 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { - /// - /// The basic configuration that serves as a factory for types related to authenticated encryption. - /// - public interface IAuthenticatedEncryptorConfiguration + public abstract class AlgorithmConfiguration { + internal const int KDK_SIZE_IN_BYTES = 512 / 8; + /// /// Creates a new instance based on this /// configuration. The newly-created instance contains unique key material and is distinct /// from all other descriptors created by the method. /// /// A unique . - IAuthenticatedEncryptorDescriptor CreateNewDescriptor(); + public abstract IAuthenticatedEncryptorDescriptor CreateNewDescriptor(); } } 
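Review bot: `AlgorithmConfiguration` loses the type-level summary that the interface carried, and the new `KDK_SIZE_IN_BYTES` constant has no comment. As this is now the public base class for every configuration type in the patch, I would keep a summary such as `/// <summary>Base class for configurations that act as factories for authenticated encryption descriptors.</summary>`. Above the constant I would add `// Size of the random master key (key derivation key) generated for each new descriptor: 512 bits.`, which is how the `CreateNewDescriptor` overrides in this patch use it.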
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs index 61aaa082e3..c3972e4e61 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs 
@@ -2,42 +2,57 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Security.Cryptography; +using Microsoft.AspNetCore.Cryptography; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// Represents a generalized authenticated encryption mechanism. /// - public sealed class AuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + public sealed class AuthenticatedEncryptorConfiguration : AlgorithmConfiguration, IInternalAlgorithmConfiguration { - private readonly IServiceProvider _services; + /// + /// The algorithm to use for symmetric encryption (confidentiality). + /// + /// + /// The default value is . + /// + public EncryptionAlgorithm EncryptionAlgorithm { get; set; } = EncryptionAlgorithm.AES_256_CBC; - public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionSettings settings) - : this(settings, services: null) + /// + /// The algorithm to use for message authentication (tamper-proofing). + /// + /// + /// The default value is . + /// This property is ignored if specifies a 'GCM' algorithm. 
+ /// + public ValidationAlgorithm ValidationAlgorithm { get; set; } = ValidationAlgorithm.HMACSHA256; + + public override IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { + var internalConfiguration = (IInternalAlgorithmConfiguration)this; + return internalConfiguration.CreateDescriptorFromSecret(Secret.Random(KDK_SIZE_IN_BYTES)); } - public AuthenticatedEncryptorConfiguration(AuthenticatedEncryptionSettings settings, IServiceProvider services) + IAuthenticatedEncryptorDescriptor IInternalAlgorithmConfiguration.CreateDescriptorFromSecret(ISecret secret) { - if (settings == null) + return new AuthenticatedEncryptorDescriptor(this, secret); + } + + void IInternalAlgorithmConfiguration.Validate() + { + var factory = new AuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. + var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this); + try { - throw new ArgumentNullException(nameof(settings)); + encryptor.PerformSelfTest(); + } + finally + { + (encryptor as IDisposable)?.Dispose(); } - - Settings = settings; - _services = services; - } - - public AuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() - { - return this.CreateNewDescriptorCore(); - } - - IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) - { - return new AuthenticatedEncryptorDescriptor(Settings, secret, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs index bed3a894da..9539c9eb76 100644 
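Review bot: `Validate()` creates its sample key with `Secret.Random(512 / 8)` and never disposes it, and it repeats the literal instead of using the `KDK_SIZE_IN_BYTES` constant that `CreateNewDescriptor` uses a few lines above. The GCM factory in this patch passes `new Secret(secret)` to its encryptor, which suggests the encryptor works on its own copy and does not take ownership of the caller's secret; the managed factory is not visible here, so that should be confirmed. I would write `using (var secret = Secret.Random(KDK_SIZE_IN_BYTES))` and pass `secret` to `CreateAuthenticatedEncryptorInstance`. The `Validate()` methods added to `CngCbcAuthenticatedEncryptorConfiguration` and `CngGcmAuthenticatedEncryptorConfiguration` later in the patch have the same two issues.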
--- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs @@ -8,22 +8,15 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class AuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { - private readonly IServiceProvider _services; - - public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionSettings settings, ISecret masterKey) - : this(settings, masterKey, services: null) + public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptorConfiguration configuration, ISecret masterKey) { - } - - public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) - { - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } if (masterKey == null) @@ -31,19 +24,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Settings = settings; + Configuration = configuration; MasterKey = masterKey; - _services = services; } internal ISecret MasterKey { get; } - internal AuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _services); - } + internal AuthenticatedEncryptorConfiguration Configuration { get; } public XmlSerializedDescriptorInfo ExportToXml() { 
@@ -54,12 +41,12 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", Settings.EncryptionAlgorithm)); + new XAttribute("algorithm", Configuration.EncryptionAlgorithm)); - var validationElement = (AuthenticatedEncryptionSettings.IsGcmAlgorithm(Settings.EncryptionAlgorithm)) + var validationElement = (AuthenticatedEncryptorFactory.IsGcmAlgorithm(Configuration.EncryptionAlgorithm)) ? (object)new XComment(" AES-GCM includes a 128-bit authentication tag, no extra validation algorithm required. ") : (object)new XElement("validation", - new XAttribute("algorithm", Settings.ValidationAlgorithm)); + new XAttribute("algorithm", Configuration.ValidationAlgorithm)); var outerElement = new XElement("descriptor", encryptionElement, diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs index 1628cd28e0..96737b75c3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs @@ -13,18 +13,6 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// public sealed class AuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { - private readonly IServiceProvider _services; - - public AuthenticatedEncryptorDescriptorDeserializer() - : this(services: null) - { - } - - public AuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) - { - _services = services; - } - /// /// Imports the from serialized XML. /// 
@@ -41,20 +29,20 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var settings = new AuthenticatedEncryptionSettings(); + var configuration = new AuthenticatedEncryptorConfiguration(); var encryptionElement = element.Element("encryption"); - settings.EncryptionAlgorithm = (EncryptionAlgorithm)Enum.Parse(typeof(EncryptionAlgorithm), (string)encryptionElement.Attribute("algorithm")); + configuration.EncryptionAlgorithm = (EncryptionAlgorithm)Enum.Parse(typeof(EncryptionAlgorithm), (string)encryptionElement.Attribute("algorithm")); // only read if not GCM - if (!AuthenticatedEncryptionSettings.IsGcmAlgorithm(settings.EncryptionAlgorithm)) + if (!AuthenticatedEncryptorFactory.IsGcmAlgorithm(configuration.EncryptionAlgorithm)) { var validationElement = element.Element("validation"); - settings.ValidationAlgorithm = (ValidationAlgorithm)Enum.Parse(typeof(ValidationAlgorithm), (string)validationElement.Attribute("algorithm")); + configuration.ValidationAlgorithm = (ValidationAlgorithm)Enum.Parse(typeof(ValidationAlgorithm), (string)validationElement.Attribute("algorithm")); } Secret masterKey = ((string)element.Elements("masterKey").Single()).ToSecret(); - return new AuthenticatedEncryptorDescriptor(settings, masterKey, _services); + return new AuthenticatedEncryptorDescriptor(configuration, masterKey); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs index 712404513b..4b74177540 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs 
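Review bot: `Enum.Parse` on the two `algorithm` attributes accepts numeric strings as well as member names, so a serialized descriptor can deserialize into an `EncryptionAlgorithm` or `ValidationAlgorithm` value that is not a defined member. Whether the factory rejects such a value later is not visible in this hunk, so I would check at import time, with a condition like `!Enum.IsDefined(typeof(EncryptionAlgorithm), configuration.EncryptionAlgorithm)` after each parse, and throw a descriptive exception. `ImportFromXml` begins above the hunk, so any validation that already exists there is not shown.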
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; +using Microsoft.AspNetCore.Cryptography; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -9,36 +9,91 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// Represents a configured authenticated encryption mechanism which uses /// Windows CNG algorithms in CBC encryption + HMAC authentication modes. /// - public sealed class CngCbcAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + public sealed class CngCbcAuthenticatedEncryptorConfiguration : AlgorithmConfiguration, IInternalAlgorithmConfiguration { - private readonly IServiceProvider _services; + /// + /// The name of the algorithm to use for symmetric encryption. + /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. + /// This property is required to have a value. + /// + /// + /// The algorithm must support CBC-style encryption and must have a block size of 64 bits + /// or greater. + /// The default value is 'AES'. + /// + [ApplyPolicy] + public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; - public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionSettings settings) - : this(settings, services: null) + /// + /// The name of the provider which contains the implementation of the symmetric encryption algorithm. + /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. + /// This property is optional. + /// + /// + /// The default value is null. + /// + [ApplyPolicy] + public string EncryptionAlgorithmProvider { get; set; } = null; + + /// + /// The length (in bits) of the key that will be used for symmetric encryption. + /// This property is required to have a value. + /// + /// + /// The key length must be 128 bits or greater. + /// The default value is 256. + /// + [ApplyPolicy] + public int EncryptionAlgorithmKeySize { get; set; } = 256; + + /// + /// The name of the algorithm to use for hashing data. 
+ /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. + /// This property is required to have a value. + /// + /// + /// The algorithm must support being opened in HMAC mode and must have a digest length + /// of 128 bits or greater. + /// The default value is 'SHA256'. + /// + [ApplyPolicy] + public string HashAlgorithm { get; set; } = Constants.BCRYPT_SHA256_ALGORITHM; + + /// + /// The name of the provider which contains the implementation of the hash algorithm. + /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. + /// This property is optional. + /// + /// + /// The default value is null. + /// + [ApplyPolicy] + public string HashAlgorithmProvider { get; set; } = null; + + public override IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { + var internalConfiguration = (IInternalAlgorithmConfiguration)this; + return internalConfiguration.CreateDescriptorFromSecret(Secret.Random(KDK_SIZE_IN_BYTES)); } - public CngCbcAuthenticatedEncryptorConfiguration(CngCbcAuthenticatedEncryptionSettings settings, IServiceProvider services) + IAuthenticatedEncryptorDescriptor IInternalAlgorithmConfiguration.CreateDescriptorFromSecret(ISecret secret) { - if (settings == null) + return new CngCbcAuthenticatedEncryptorDescriptor(this, secret); + } + + /// + /// Validates that this is well-formed, i.e., + /// that the specified algorithms actually exist and that they can be instantiated properly. + /// An exception will be thrown if validation fails. + /// + void IInternalAlgorithmConfiguration.Validate() + { + var factory = new CngCbcAuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. 
+ using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this)) { - throw new ArgumentNullException(nameof(settings)); + encryptor.PerformSelfTest(); } - - Settings = settings; - _services = services; - } - - public CngCbcAuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() - { - return this.CreateNewDescriptorCore(); - } - - IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) - { - return new CngCbcAuthenticatedEncryptorDescriptor(Settings, secret, _services); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs index acc6525e35..0003f948ae 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs 
@@ -3,28 +3,20 @@ using System; using System.Xml.Linq; -using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class CngCbcAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { - private readonly ILogger _log; - - public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionSettings settings, ISecret masterKey) - : this(settings, masterKey, services: null) + public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptorConfiguration configuration, ISecret masterKey) { - } - - public CngCbcAuthenticatedEncryptorDescriptor(CngCbcAuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) - { - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } if (masterKey == null) @@ -32,19 +24,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Settings = settings; + Configuration = configuration; MasterKey = masterKey; - _log = services.GetLogger(); } internal ISecret MasterKey { get; } - internal CngCbcAuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _log); - } + internal CngCbcAuthenticatedEncryptorConfiguration Configuration { get; } public XmlSerializedDescriptorInfo ExportToXml() { 
@@ -56,18 +42,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", Settings.EncryptionAlgorithm), - new XAttribute("keyLength", Settings.EncryptionAlgorithmKeySize)); - if (Settings.EncryptionAlgorithmProvider != null) + new XAttribute("algorithm", Configuration.EncryptionAlgorithm), + new XAttribute("keyLength", Configuration.EncryptionAlgorithmKeySize)); + if (Configuration.EncryptionAlgorithmProvider != null) { - encryptionElement.SetAttributeValue("provider", Settings.EncryptionAlgorithmProvider); + encryptionElement.SetAttributeValue("provider", Configuration.EncryptionAlgorithmProvider); } var hashElement = new XElement("hash", - new XAttribute("algorithm", Settings.HashAlgorithm)); - if (Settings.HashAlgorithmProvider != null) + new XAttribute("algorithm", Configuration.HashAlgorithm)); + if (Configuration.HashAlgorithmProvider != null) { - hashElement.SetAttributeValue("provider", Settings.HashAlgorithmProvider); + hashElement.SetAttributeValue("provider", Configuration.HashAlgorithmProvider); } var rootElement = new XElement("descriptor", diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs index b06659c969..534604839a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs 
@@ -12,18 +12,6 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// public sealed class CngCbcAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { - private readonly IServiceProvider _services; - - public CngCbcAuthenticatedEncryptorDescriptorDeserializer() - : this(services: null) - { - } - - public CngCbcAuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) - { - _services = services; - } - /// /// Imports the from serialized XML. /// 
@@ -41,20 +29,20 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var settings = new CngCbcAuthenticatedEncryptionSettings(); + var configuration = new CngCbcAuthenticatedEncryptorConfiguration(); var encryptionElement = element.Element("encryption"); - settings.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); - settings.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); - settings.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null + configuration.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); + configuration.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + configuration.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null var hashElement = element.Element("hash"); - settings.HashAlgorithm = (string)hashElement.Attribute("algorithm"); - settings.HashAlgorithmProvider = (string)hashElement.Attribute("provider"); // could be null + configuration.HashAlgorithm = (string)hashElement.Attribute("algorithm"); + configuration.HashAlgorithmProvider = (string)hashElement.Attribute("provider"); // could be null Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new CngCbcAuthenticatedEncryptorDescriptor(settings, masterKey, _services); + return new CngCbcAuthenticatedEncryptorDescriptor(configuration, masterKey); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs index 980feff34c..9cf6e95136 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs 
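Review bot: The encryption algorithm and provider names read here go straight into the configuration, and the CBC factory in this patch hands them to `BCryptAlgorithmHandle.OpenAlgorithmHandle`, so the serialized descriptor decides which CNG implementation is opened. A comment on `ImportFromXml` saying that the element must come from the trusted key repository would make that assumption explicit. A missing `encryption` or `hash` element currently surfaces as a `NullReferenceException` on the following `.Attribute(...)` call; a guard such as `if (encryptionElement == null || hashElement == null)` with a descriptive exception would make a damaged key entry easier to diagnose. The method starts above the hunk.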
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; +using Microsoft.AspNetCore.Cryptography; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -9,36 +9,67 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// Represents a configured authenticated encryption mechanism which uses /// Windows CNG algorithms in GCM encryption + authentication modes. /// - public sealed class CngGcmAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + public sealed class CngGcmAuthenticatedEncryptorConfiguration : AlgorithmConfiguration, IInternalAlgorithmConfiguration { - private readonly IServiceProvider _services; + /// + /// The name of the algorithm to use for symmetric encryption. + /// This property corresponds to the 'pszAlgId' parameter of BCryptOpenAlgorithmProvider. + /// This property is required to have a value. + /// + /// + /// The algorithm must support GCM-style encryption and must have a block size exactly + /// 128 bits. + /// The default value is 'AES'. + /// + [ApplyPolicy] + public string EncryptionAlgorithm { get; set; } = Constants.BCRYPT_AES_ALGORITHM; - public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionSettings settings) - : this(settings, services: null) + /// + /// The name of the provider which contains the implementation of the symmetric encryption algorithm. + /// This property corresponds to the 'pszImplementation' parameter of BCryptOpenAlgorithmProvider. + /// This property is optional. + /// + /// + /// The default value is null. + /// + [ApplyPolicy] + public string EncryptionAlgorithmProvider { get; set; } = null; + + /// + /// The length (in bits) of the key that will be used for symmetric encryption. + /// This property is required to have a value. + /// + /// + /// The key length must be 128 bits or greater. + /// The default value is 256. 
+ /// + [ApplyPolicy] + public int EncryptionAlgorithmKeySize { get; set; } = 256; + + public override IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { + var internalConfiguration = (IInternalAlgorithmConfiguration)this; + return internalConfiguration.CreateDescriptorFromSecret(Secret.Random(KDK_SIZE_IN_BYTES)); } - public CngGcmAuthenticatedEncryptorConfiguration(CngGcmAuthenticatedEncryptionSettings settings, IServiceProvider services) + IAuthenticatedEncryptorDescriptor IInternalAlgorithmConfiguration.CreateDescriptorFromSecret(ISecret secret) { - if (settings == null) + return new CngGcmAuthenticatedEncryptorDescriptor(this, secret); + } + + /// + /// Validates that this is well-formed, i.e., + /// that the specified algorithm actually exists and can be instantiated properly. + /// An exception will be thrown if validation fails. + /// + void IInternalAlgorithmConfiguration.Validate() + { + var factory = new CngGcmAuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. + using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this)) { - throw new ArgumentNullException(nameof(settings)); + encryptor.PerformSelfTest(); } - - Settings = settings; - _services = services; - } - - public CngGcmAuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() - { - return this.CreateNewDescriptorCore(); - } - - IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) - { - return new CngGcmAuthenticatedEncryptorDescriptor(Settings, secret, _services); } } } 
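Review bot: `Validate()` passes `Secret.Random(512 / 8)` straight into `CreateAuthenticatedEncryptorInstance`, so the temporary key is never disposed, and the size is a second spelling of the `KDK_SIZE_IN_BYTES` that `CreateNewDescriptor()` uses a few lines above. Holding it in its own `using` releases the test key deterministically and keeps both paths on one constant: `using (var secret = Secret.Random(KDK_SIZE_IN_BYTES))` followed by `using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this))`. The nested order disposes the encryptor first, so this holds whether or not the Cng factory copies the secret; that factory is not visible here. `ManagedAuthenticatedEncryptorConfiguration.Validate()` in this patch has the same two lines.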
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs index fe631d9480..28c0103a95 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs @@ -9,22 +9,15 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class CngGcmAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { - private readonly ILogger _log; - - public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionSettings settings, ISecret masterKey) - : this(settings, masterKey, services: null) + public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptorConfiguration configuration, ISecret masterKey) { - } - - public CngGcmAuthenticatedEncryptorDescriptor(CngGcmAuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) - { - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } if (masterKey == null) 
@@ -32,19 +25,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Settings = settings; + Configuration = configuration; MasterKey = masterKey; - _log = services.GetLogger(); } internal ISecret MasterKey { get; } - internal CngGcmAuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _log); - } + internal CngGcmAuthenticatedEncryptorConfiguration Configuration { get; } public XmlSerializedDescriptorInfo ExportToXml() { @@ -55,11 +42,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", Settings.EncryptionAlgorithm), - new XAttribute("keyLength", Settings.EncryptionAlgorithmKeySize)); - if (Settings.EncryptionAlgorithmProvider != null) + new XAttribute("algorithm", Configuration.EncryptionAlgorithm), + new XAttribute("keyLength", Configuration.EncryptionAlgorithmKeySize)); + if (Configuration.EncryptionAlgorithmProvider != null) { - encryptionElement.SetAttributeValue("provider", Settings.EncryptionAlgorithmProvider); + encryptionElement.SetAttributeValue("provider", Configuration.EncryptionAlgorithmProvider); } var rootElement = new XElement("descriptor", diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs index 1a980dfebf..0981fb55af 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs @@ -12,17 +12,6 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// public sealed class CngGcmAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { - private readonly IServiceProvider _services; - - public CngGcmAuthenticatedEncryptorDescriptorDeserializer() - : this(services: null) - { - } - - public CngGcmAuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) - { - _services = services; - } /// /// Imports the from serialized XML. @@ -40,16 +29,16 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var settings = new CngGcmAuthenticatedEncryptionSettings(); + var configuration = new CngGcmAuthenticatedEncryptorConfiguration(); var encryptionElement = element.Element("encryption"); - settings.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); - settings.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); - settings.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null + configuration.EncryptionAlgorithm = (string)encryptionElement.Attribute("algorithm"); + configuration.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + configuration.EncryptionAlgorithmProvider = (string)encryptionElement.Attribute("provider"); // could be null Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new CngGcmAuthenticatedEncryptorDescriptor(settings, masterKey, _services); + return new CngGcmAuthenticatedEncryptorDescriptor(configuration, masterKey); } } } 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs deleted file mode 100644 index 359e0a19e4..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ConfigurationCommon.cs +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; - -namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel -{ - internal static class ConfigurationCommon - { - /// - /// Creates an from this - /// using a random 512-bit master key generated from a secure PRNG. - /// - public static IAuthenticatedEncryptorDescriptor CreateNewDescriptorCore(this IInternalAuthenticatedEncryptorConfiguration configuration) - { - const int KDK_SIZE_IN_BYTES = 512 / 8; - return configuration.CreateDescriptorFromSecret(Secret.Random(KDK_SIZE_IN_BYTES)); - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs index f4c5128483..6176929583 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs 
@@ -12,17 +12,6 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// public interface IAuthenticatedEncryptorDescriptor { - /// - /// Creates an instance based on the current descriptor. - /// - /// An instance. - /// - /// For a given descriptor, any two instances returned by this method should - /// be considered equivalent, e.g., the payload returned by one's - /// method should be consumable by the other's method. - /// - IAuthenticatedEncryptor CreateEncryptorInstance(); - /// /// Exports the current descriptor to XML. /// diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs similarity index 50% rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs rename to src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs index bd5ba204dd..ede736e99d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs 
@@ -1,24 +1,27 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; -using Microsoft.Extensions.Logging; - namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { - // This type is not public because we don't want to lock ourselves into a contract stating - // that a descriptor is simply a configuration plus a single serializable, reproducible secret. - /// /// A type that knows how to create instances of an /// given specific secret key material. /// - internal interface IInternalAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration + /// + /// This type is not public because we don't want to lock ourselves into a contract stating + /// that a descriptor is simply a configuration plus a single serializable, reproducible secret. + /// + internal interface IInternalAlgorithmConfiguration { /// - /// Creates a new instance from this - /// configuration given specific secret key material. + /// Creates a new instance from this configuration + /// given specific secret key material. /// IAuthenticatedEncryptorDescriptor CreateDescriptorFromSecret(ISecret secret); + + /// + /// Performs a self-test of the algorithm specified by the configuration object. + /// + void Validate(); } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs index 077b4f6ef9..b437d59bf2 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Security.Cryptography; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -10,36 +11,97 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// managed and /// types. /// - public sealed class ManagedAuthenticatedEncryptorConfiguration : IAuthenticatedEncryptorConfiguration, IInternalAuthenticatedEncryptorConfiguration + public sealed class ManagedAuthenticatedEncryptorConfiguration : AlgorithmConfiguration, IInternalAlgorithmConfiguration { - private readonly IServiceProvider _services; + /// + /// The type of the algorithm to use for symmetric encryption. + /// The type must subclass . + /// This property is required to have a value. + /// + /// + /// The algorithm must support CBC-style encryption and PKCS#7 padding and must have a block size of 64 bits or greater. + /// The default algorithm is AES. + /// + [ApplyPolicy] + public Type EncryptionAlgorithmType { get; set; } = typeof(Aes); - public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionSettings settings) - : this(settings, services: null) + /// + /// The length (in bits) of the key that will be used for symmetric encryption. + /// This property is required to have a value. + /// + /// + /// The key length must be 128 bits or greater. + /// The default value is 256. + /// + [ApplyPolicy] + public int EncryptionAlgorithmKeySize { get; set; } = 256; + + /// + /// The type of the algorithm to use for validation. + /// Type type must subclass . + /// This property is required to have a value. + /// + /// + /// The algorithm must have a digest length of 128 bits or greater. + /// The default algorithm is HMACSHA256. 
+ /// + [ApplyPolicy] + public Type ValidationAlgorithmType { get; set; } = typeof(HMACSHA256); + + public override IAuthenticatedEncryptorDescriptor CreateNewDescriptor() { + var internalConfiguration = (IInternalAlgorithmConfiguration)this; + return internalConfiguration.CreateDescriptorFromSecret(Secret.Random(KDK_SIZE_IN_BYTES)); } - public ManagedAuthenticatedEncryptorConfiguration(ManagedAuthenticatedEncryptionSettings settings, IServiceProvider services) + IAuthenticatedEncryptorDescriptor IInternalAlgorithmConfiguration.CreateDescriptorFromSecret(ISecret secret) { - if (settings == null) + return new ManagedAuthenticatedEncryptorDescriptor(this, secret); + } + + /// + /// Validates that this is well-formed, i.e., + /// that the specified algorithms actually exist and can be instantiated properly. + /// An exception will be thrown if validation fails. + /// + void IInternalAlgorithmConfiguration.Validate() + { + var factory = new ManagedAuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. + using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this)) { - throw new ArgumentNullException(nameof(settings)); + encryptor.PerformSelfTest(); } - - Settings = settings; - _services = services; } - public ManagedAuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptorDescriptor CreateNewDescriptor() + // Any changes to this method should also be be reflected + // in ManagedAuthenticatedEncryptorDescriptorDeserializer.FriendlyNameToType. 
+ private static string TypeToFriendlyName(Type type) { - return this.CreateNewDescriptorCore(); - } - - IAuthenticatedEncryptorDescriptor IInternalAuthenticatedEncryptorConfiguration.CreateDescriptorFromSecret(ISecret secret) - { - return new ManagedAuthenticatedEncryptorDescriptor(Settings, secret, _services); + if (type == typeof(Aes)) + { + return nameof(Aes); + } + else if (type == typeof(HMACSHA1)) + { + return nameof(HMACSHA1); + } + else if (type == typeof(HMACSHA256)) + { + return nameof(HMACSHA256); + } + else if (type == typeof(HMACSHA384)) + { + return nameof(HMACSHA384); + } + else if (type == typeof(HMACSHA512)) + { + return nameof(HMACSHA512); + } + else + { + return type.AssemblyQualifiedName; + } } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs index 62d2bae71a..2061115b42 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs 
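Review bot: `TypeToFriendlyName` is added to ManagedAuthenticatedEncryptorConfiguration as a `private static` helper, but nothing on the new side of this class calls it. The ExportToXml hunk of ManagedAuthenticatedEncryptorDescriptor calls an unqualified `TypeToFriendlyName`, which a private member of another class cannot satisfy, so the descriptor presumably keeps its own copy. That leaves a second copy of a mapping that has to stay in step with `FriendlyNameToType`; if the copies drift, a serialized key-ring entry could name an algorithm the deserializer resolves differently or not at all. I would drop this copy or move the mapping into one `internal static` helper shared by the descriptor and the deserializer. The added comments also carry two typos, "should also be be reflected" and "Type type must subclass".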
@@ -4,28 +4,20 @@ using System; using System.Security.Cryptography; using System.Xml.Linq; -using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { /// /// A descriptor which can create an authenticated encryption system based upon the - /// configuration provided by an object. + /// configuration provided by an object. /// public sealed class ManagedAuthenticatedEncryptorDescriptor : IAuthenticatedEncryptorDescriptor { - private readonly ILogger _log; - - public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionSettings settings, ISecret masterKey) - : this(settings, masterKey, services: null) + public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptorConfiguration configuration, ISecret masterKey) { - } - - public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptionSettings settings, ISecret masterKey, IServiceProvider services) - { - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } if (masterKey == null) @@ -33,19 +25,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat throw new ArgumentNullException(nameof(masterKey)); } - Settings = settings; + Configuration = configuration; MasterKey = masterKey; - _log = services.GetLogger(); } internal ISecret MasterKey { get; } - internal ManagedAuthenticatedEncryptionSettings Settings { get; } - - public IAuthenticatedEncryptor CreateEncryptorInstance() - { - return Settings.CreateAuthenticatedEncryptorInstance(MasterKey, _log); - } + internal ManagedAuthenticatedEncryptorConfiguration Configuration { get; } public XmlSerializedDescriptorInfo ExportToXml() { 
@@ -57,11 +43,11 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // var encryptionElement = new XElement("encryption", - new XAttribute("algorithm", TypeToFriendlyName(Settings.EncryptionAlgorithmType)), - new XAttribute("keyLength", Settings.EncryptionAlgorithmKeySize)); + new XAttribute("algorithm", TypeToFriendlyName(Configuration.EncryptionAlgorithmType)), + new XAttribute("keyLength", Configuration.EncryptionAlgorithmKeySize)); var validationElement = new XElement("validation", - new XAttribute("algorithm", TypeToFriendlyName(Settings.ValidationAlgorithmType))); + new XAttribute("algorithm", TypeToFriendlyName(Configuration.ValidationAlgorithmType))); var rootElement = new XElement("descriptor", new XComment(" Algorithms provided by specified SymmetricAlgorithm and KeyedHashAlgorithm "), diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs index 5766051b1e..0f09c3a52e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs @@ -13,18 +13,6 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// public sealed class ManagedAuthenticatedEncryptorDescriptorDeserializer : IAuthenticatedEncryptorDescriptorDeserializer { - private readonly IServiceProvider _services; - - public ManagedAuthenticatedEncryptorDescriptorDeserializer() - : this(services: null) - { - } - - public ManagedAuthenticatedEncryptorDescriptorDeserializer(IServiceProvider services) - { - _services = services; - } - /// /// Imports the from serialized XML. /// 
@@ -42,18 +30,18 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // ... // - var settings = new ManagedAuthenticatedEncryptionSettings(); + var configuration = new ManagedAuthenticatedEncryptorConfiguration(); var encryptionElement = element.Element("encryption"); - settings.EncryptionAlgorithmType = FriendlyNameToType((string)encryptionElement.Attribute("algorithm")); - settings.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); + configuration.EncryptionAlgorithmType = FriendlyNameToType((string)encryptionElement.Attribute("algorithm")); + configuration.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength"); var validationElement = element.Element("validation"); - settings.ValidationAlgorithmType = FriendlyNameToType((string)validationElement.Attribute("algorithm")); + configuration.ValidationAlgorithmType = FriendlyNameToType((string)validationElement.Attribute("algorithm")); Secret masterKey = ((string)element.Element("masterKey")).ToSecret(); - return new ManagedAuthenticatedEncryptorDescriptor(settings, masterKey, _services); + return new ManagedAuthenticatedEncryptorDescriptor(configuration, masterKey); } // Any changes to this method should also be be reflected diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs index 20eec3eccd..d6fbf28020 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs @@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; - namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { /// 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs new file mode 100644 index 0000000000..b66f14422c --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs @@ -0,0 +1,22 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.DataProtection.KeyManagement; + +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption +{ + public interface IAuthenticatedEncryptorFactory + { + /// + /// Creates an instance based on the given . + /// + /// An instance. + /// + /// For a given , any two instances returned by this method should + /// be considered equivalent, e.g., the payload returned by one's + /// method should be consumable by the other's method. + /// + IAuthenticatedEncryptor CreateEncryptorInstance(IKey key); + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionSettings.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionSettings.cs deleted file mode 100644 index 30c2113cb0..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IInternalAuthenticatedEncryptionSettings.cs +++ /dev/null 
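Review bot: The doc comment on `CreateEncryptorInstance(IKey key)` does not say what a factory returns for a key it cannot handle, and the interface itself has no summary. ManagedAuthenticatedEncryptorFactory, added later in this patch, returns `null` when `key.Descriptor` is not a ManagedAuthenticatedEncryptorDescriptor, so `null` is part of the contract and every caller has to check for it. I would state that in the returns text, e.g. `/// <returns>An encryptor for the key, or null if this factory does not handle the key's descriptor type.</returns>`, and add a one-line summary to the interface. A caller that receives null from every registered factory should fail rather than continue without an encryptor; that handling is outside this hunk.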
@@ -1,25 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; - -namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption -{ - /// - /// Implemented by our settings classes to generalize creating configuration objects. - /// - internal interface IInternalAuthenticatedEncryptionSettings - { - /// - /// Creates a object - /// from the given settings. - /// - IInternalAuthenticatedEncryptorConfiguration ToConfiguration(IServiceProvider services); - - /// - /// Performs a self-test of the algorithm specified by the settings object. - /// - void Validate(); - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionSettings.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionSettings.cs deleted file mode 100644 index 70bc7aa9f6..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptionSettings.cs +++ /dev/null 
@@ -1,166 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography; -using Microsoft.AspNetCore.Cryptography.Cng; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNetCore.DataProtection.Managed; -using Microsoft.Extensions.Logging; - -namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption -{ - /// - /// Settings for configuring an authenticated encryption mechanism which uses - /// managed SymmetricAlgorithm and KeyedHashAlgorithm implementations. - /// - public sealed class ManagedAuthenticatedEncryptionSettings : IInternalAuthenticatedEncryptionSettings - { - /// - /// The type of the algorithm to use for symmetric encryption. - /// The type must subclass . - /// This property is required to have a value. - /// - /// - /// The algorithm must support CBC-style encryption and PKCS#7 padding and must have a block size of 64 bits or greater. - /// The default algorithm is AES. - /// - [ApplyPolicy] - public Type EncryptionAlgorithmType { get; set; } = typeof(Aes); - - /// - /// The length (in bits) of the key that will be used for symmetric encryption. - /// This property is required to have a value. - /// - /// - /// The key length must be 128 bits or greater. - /// The default value is 256. - /// - [ApplyPolicy] - public int EncryptionAlgorithmKeySize { get; set; } = 256; - - /// - /// The type of the algorithm to use for validation. - /// Type type must subclass . - /// This property is required to have a value. - /// - /// - /// The algorithm must have a digest length of 128 bits or greater. - /// The default algorithm is HMACSHA256. 
- /// - [ApplyPolicy] - public Type ValidationAlgorithmType { get; set; } = typeof(HMACSHA256); - - /// - /// Validates that this is well-formed, i.e., - /// that the specified algorithms actually exist and can be instantiated properly. - /// An exception will be thrown if validation fails. - /// - public void Validate() - { - // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. - using (var encryptor = CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8))) - { - encryptor.PerformSelfTest(); - } - } - - /* - * HELPER ROUTINES - */ - - internal ManagedAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(ISecret secret, ILogger logger = null) - { - return new ManagedAuthenticatedEncryptor( - keyDerivationKey: new Secret(secret), - symmetricAlgorithmFactory: GetSymmetricBlockCipherAlgorithmFactory(logger), - symmetricAlgorithmKeySizeInBytes: EncryptionAlgorithmKeySize / 8, - validationAlgorithmFactory: GetKeyedHashAlgorithmFactory(logger)); - } - - private Func GetKeyedHashAlgorithmFactory(ILogger logger) - { - // basic argument checking - if (ValidationAlgorithmType == null) - { - throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(ValidationAlgorithmType)); - } - - logger?.UsingManagedKeyedHashAlgorithm(ValidationAlgorithmType.FullName); - if (ValidationAlgorithmType == typeof(HMACSHA256)) - { - return () => new HMACSHA256(); - } - else if (ValidationAlgorithmType == typeof(HMACSHA512)) - { - return () => new HMACSHA512(); - } - else - { - return AlgorithmActivator.CreateFactory(ValidationAlgorithmType); - } - } - - private Func GetSymmetricBlockCipherAlgorithmFactory(ILogger logger) - { - // basic argument checking - if (EncryptionAlgorithmType == null) - { - throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(EncryptionAlgorithmType)); - } - typeof(SymmetricAlgorithm).AssertIsAssignableFrom(EncryptionAlgorithmType); - if (EncryptionAlgorithmKeySize < 0) - { - throw 
Error.Common_PropertyMustBeNonNegative(nameof(EncryptionAlgorithmKeySize)); - } - - logger?.UsingManagedSymmetricAlgorithm(EncryptionAlgorithmType.FullName); - - if (EncryptionAlgorithmType == typeof(Aes)) - { - Func factory = null; -#if !NETSTANDARD1_3 - if (OSVersionUtil.IsWindows()) - { - // If we're on desktop CLR and running on Windows, use the FIPS-compliant implementation. - factory = () => new AesCryptoServiceProvider(); - } -#endif - return factory ?? Aes.Create; - } - else - { - return AlgorithmActivator.CreateFactory(EncryptionAlgorithmType); - } - } - - IInternalAuthenticatedEncryptorConfiguration IInternalAuthenticatedEncryptionSettings.ToConfiguration(IServiceProvider services) - { - return new ManagedAuthenticatedEncryptorConfiguration(this, services); - } - - /// - /// Contains helper methods for generating cryptographic algorithm factories. - /// - private static class AlgorithmActivator - { - /// - /// Creates a factory that wraps a call to . - /// - public static Func CreateFactory(Type implementation) - { - return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivatorCore<>).MakeGenericType(implementation))).Creator; - } - - private interface IActivator - { - Func Creator { get; } - } - - private class AlgorithmActivatorCore : IActivator where T : new() - { - public Func Creator { get; } = Activator.CreateInstance; - } - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs new file mode 100644 index 0000000000..a0d7bc2226 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs 
@@ -0,0 +1,130 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.AspNetCore.DataProtection.Managed;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption
+{
+ public sealed class ManagedAuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory
+ {
+ private readonly ILogger _logger;
+
+ public ManagedAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory)
+ {
+ _logger = loggerFactory.CreateLogger();
+ }
+
+ public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key)
+ {
+ var descriptor = key.Descriptor as ManagedAuthenticatedEncryptorDescriptor;
+ if (descriptor == null)
+ {
+ return null;
+ }
+
+ return CreateAuthenticatedEncryptorInstance(descriptor.MasterKey, descriptor.Configuration);
+ }
+
+ internal ManagedAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(
+ ISecret secret,
+ ManagedAuthenticatedEncryptorConfiguration configuration)
+ {
+ if (configuration == null)
+ {
+ return null;
+ }
+
+ return new ManagedAuthenticatedEncryptor(
+ keyDerivationKey: new Secret(secret),
+ symmetricAlgorithmFactory: GetSymmetricBlockCipherAlgorithmFactory(configuration),
+ symmetricAlgorithmKeySizeInBytes: configuration.EncryptionAlgorithmKeySize / 8,
+ validationAlgorithmFactory: GetKeyedHashAlgorithmFactory(configuration));
+ }
+
+ private Func GetKeyedHashAlgorithmFactory(ManagedAuthenticatedEncryptorConfiguration configuration)
+ {
+ // basic argument checking
+ if (configuration.ValidationAlgorithmType == null)
+ {
+ throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(configuration.ValidationAlgorithmType));
+ }
+
+ _logger.UsingManagedKeyedHashAlgorithm(configuration.ValidationAlgorithmType.FullName);
+ if (configuration.ValidationAlgorithmType == typeof(HMACSHA256))
+ {
+ return () => new HMACSHA256();
+ }
+ else if (configuration.ValidationAlgorithmType == typeof(HMACSHA512))
+ {
+ return () => new HMACSHA512();
+ }
+ else
+ {
+ return AlgorithmActivator.CreateFactory(configuration.ValidationAlgorithmType);
+ }
+ }
+
+ private Func GetSymmetricBlockCipherAlgorithmFactory(ManagedAuthenticatedEncryptorConfiguration configuration)
+ {
+ // basic argument checking
+ if (configuration.EncryptionAlgorithmType == null)
+ {
+ throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(configuration.EncryptionAlgorithmType));
+ }
+ typeof(SymmetricAlgorithm).AssertIsAssignableFrom(configuration.EncryptionAlgorithmType);
+ if (configuration.EncryptionAlgorithmKeySize < 0)
+ {
+ throw Error.Common_PropertyMustBeNonNegative(nameof(configuration.EncryptionAlgorithmKeySize));
+ }
+
+ _logger.UsingManagedSymmetricAlgorithm(configuration.EncryptionAlgorithmType.FullName);
+
+ if (configuration.EncryptionAlgorithmType == typeof(Aes))
+ {
+ Func factory = null;
+#if !NETSTANDARD1_3
+ if (OSVersionUtil.IsWindows())
+ {
+ // If we're on desktop CLR and running on Windows, use the FIPS-compliant implementation.
+ factory = () => new AesCryptoServiceProvider();
+ }
+#endif
+ return factory ?? Aes.Create;
+ }
+ else
+ {
+ return AlgorithmActivator.CreateFactory(configuration.EncryptionAlgorithmType);
+ }
+ }
+
+ /// 
+ /// Contains helper methods for generating cryptographic algorithm factories.
+ /// 
+ private static class AlgorithmActivator
+ {
+ /// 
+ /// Creates a factory that wraps a call to .
+ /// + public static Func CreateFactory(Type implementation) + { + return ((IActivator)Activator.CreateInstance(typeof(AlgorithmActivatorCore<>).MakeGenericType(implementation))).Creator; + } + + private interface IActivator + { + Func Creator { get; } + } + + private class AlgorithmActivatorCore : IActivator where T : new() + { + public Func Creator { get; } = Activator.CreateInstance; + } + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index 74084f9d90..e7ca436f6f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs @@ -4,11 +4,16 @@ using System; using System.ComponentModel; using System.IO; +using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; using Microsoft.Win32; #if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml @@ -68,7 +73,11 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(sink)); } - builder.Services.AddSingleton(sink); + builder.Services.Configure(options => + { + options.KeyEscrowSinks.Add(sink); + }); + return builder; } 
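Review bot: `GetKeyedHashAlgorithmFactory` in the new ManagedAuthenticatedEncryptorFactory.cs null-checks `configuration.ValidationAlgorithmType` but never verifies that it is a keyed-hash type, whereas `GetSymmetricBlockCipherAlgorithmFactory` guards its type with `typeof(SymmetricAlgorithm).AssertIsAssignableFrom(...)`. A wrong type in the configuration therefore reaches `AlgorithmActivator.CreateFactory` and would presumably fail only when the factory is first used, not as a clear configuration error. Add the matching guard before the logging call: `typeof(KeyedHashAlgorithm).AssertIsAssignableFrom(configuration.ValidationAlgorithmType);`. The key-size check rejects only negative values, so `EncryptionAlgorithmKeySize / 8` truncates a size that is not a multiple of 8 unless the encryptor validates it later; a comment saying where that is enforced would help.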
@@ -89,7 +98,15 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(builder)); } - builder.Services.AddSingleton(); + builder.Services.AddSingleton>(services => + { + var implementationInstance = services.GetRequiredService(); + return new ConfigureOptions(options => + { + options.KeyEscrowSinks.Add(implementationInstance); + }); + }); + return builder; } @@ -114,7 +131,15 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(factory)); } - builder.Services.AddSingleton(factory); + builder.Services.AddSingleton>(services => + { + var instance = factory(services); + return new ConfigureOptions(options => + { + options.KeyEscrowSinks.Add(instance); + }); + }); + return builder; } @@ -182,7 +207,15 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(directory)); } - Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory)); + builder.Services.AddSingleton>(services => + { + var loggerFactory = services.GetRequiredService(); + return new ConfigureOptions(options => + { + options.XmlRepository = new FileSystemXmlRepository(directory, loggerFactory); + }); + }); + return builder; } @@ -204,7 +237,15 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(registryKey)); } - Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey)); + builder.Services.AddSingleton>(services => + { + var loggerFactory = services.GetRequiredService(); + return new ConfigureOptions(options => + { + options.XmlRepository = new RegistryXmlRepository(registryKey, loggerFactory); + }); + }); + return builder; } 
@@ -228,7 +269,15 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(certificate)); } - Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate)); + builder.Services.AddSingleton>(services => + { + var loggerFactory = services.GetRequiredService(); + return new ConfigureOptions(options => + { + options.XmlEncryptor = new CertificateXmlEncryptor(certificate, loggerFactory); + }); + }); + return builder; } @@ -256,12 +305,20 @@ namespace Microsoft.AspNetCore.DataProtection throw Error.CertificateXmlEncryptor_CertificateNotFound(thumbprint); } - var services = builder.Services; - // ICertificateResolver is necessary for this type to work correctly, so register it // if it doesn't already exist. - services.TryAdd(DataProtectionServiceDescriptors.ICertificateResolver_Default()); - Use(services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(thumbprint)); + builder.Services.TryAddSingleton(); + + builder.Services.AddSingleton>(services => + { + var loggerFactory = services.GetRequiredService(); + var certificateResolver = services.GetRequiredService(); + return new ConfigureOptions(options => + { + options.XmlEncryptor = new CertificateXmlEncryptor(thumbprint, certificateResolver, loggerFactory); + }); + }); + return builder; } @@ -305,7 +362,16 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(builder)); } - Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine)); + builder.Services.AddSingleton>(services => + { + var loggerFactory = services.GetRequiredService(); + return new ConfigureOptions(options => + { + CryptoUtil.AssertPlatformIsWindows(); + options.XmlEncryptor = new DpapiXmlEncryptor(protectToLocalMachine, loggerFactory); + }); + }); + return builder; } 
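Review bot: `CryptoUtil.AssertPlatformIsWindows()` in the `@@ -305,7 +362,16 @@` hunk now sits inside the `ConfigureOptions` callback, so the platform check no longer runs when the builder method is called but only when the key-management options are first built. The removed `IXmlEncryptor_Dpapi` descriptor ran the assert eagerly, so an unsupported platform was reported at registration rather than on the first key operation. Move the call above `builder.Services.AddSingleton(...)` to keep the fail-fast behaviour; the same applies to `CryptoUtil.AssertPlatformIsWindows8OrLater()` in the `@@ -358,7 +424,16 @@` hunk. The enclosing method starts outside this hunk.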
@@ -358,7 +424,16 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(protectionDescriptorRule)); } - Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags)); + builder.Services.AddSingleton>(services => + { + var loggerFactory = services.GetRequiredService(); + return new ConfigureOptions(options => + { + CryptoUtil.AssertPlatformIsWindows8OrLater(); + options.XmlEncryptor = new DpapiNGXmlEncryptor(protectionDescriptorRule, flags, loggerFactory); + }); + }); + return builder; } @@ -395,21 +470,21 @@ namespace Microsoft.AspNetCore.DataProtection /// by default when generating protected payloads. /// /// The . - /// Information about what cryptographic algorithms should be used. + /// Information about what cryptographic algorithms should be used. /// A reference to the after this operation has completed. - public static IDataProtectionBuilder UseCryptographicAlgorithms(this IDataProtectionBuilder builder, AuthenticatedEncryptionSettings settings) + public static IDataProtectionBuilder UseCryptographicAlgorithms(this IDataProtectionBuilder builder, AuthenticatedEncryptorConfiguration configuration) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } - return UseCryptographicAlgorithmsCore(builder, settings); + return UseCryptographicAlgorithmsCore(builder, configuration); } /// 
@@ -419,25 +494,25 @@ namespace Microsoft.AspNetCore.DataProtection /// enumerations. /// /// The . - /// Information about what cryptographic algorithms should be used. + /// Information about what cryptographic algorithms should be used. /// A reference to the after this operation has completed. /// /// This API is only available on Windows. /// [EditorBrowsable(EditorBrowsableState.Advanced)] - public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, CngCbcAuthenticatedEncryptionSettings settings) + public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, CngCbcAuthenticatedEncryptorConfiguration configuration) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } - return UseCryptographicAlgorithmsCore(builder, settings); + return UseCryptographicAlgorithmsCore(builder, configuration); } /// 
@@ -447,25 +522,25 @@ namespace Microsoft.AspNetCore.DataProtection /// enumerations. /// /// The . - /// Information about what cryptographic algorithms should be used. + /// Information about what cryptographic algorithms should be used. /// A reference to the after this operation has completed. /// /// This API is only available on Windows. /// [EditorBrowsable(EditorBrowsableState.Advanced)] - public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, CngGcmAuthenticatedEncryptionSettings settings) + public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, CngGcmAuthenticatedEncryptorConfiguration configuration) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } - return UseCryptographicAlgorithmsCore(builder, settings); + return UseCryptographicAlgorithmsCore(builder, configuration); } /// 
@@ -475,28 +550,33 @@ namespace Microsoft.AspNetCore.DataProtection /// enumerations. /// /// The . - /// Information about what cryptographic algorithms should be used. + /// Information about what cryptographic algorithms should be used. /// A reference to the after this operation has completed. [EditorBrowsable(EditorBrowsableState.Advanced)] - public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, ManagedAuthenticatedEncryptionSettings settings) + public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, ManagedAuthenticatedEncryptorConfiguration configuration) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } - if (settings == null) + if (configuration == null) { - throw new ArgumentNullException(nameof(settings)); + throw new ArgumentNullException(nameof(configuration)); } - return UseCryptographicAlgorithmsCore(builder, settings); + return UseCryptographicAlgorithmsCore(builder, configuration); } - private static IDataProtectionBuilder UseCryptographicAlgorithmsCore(IDataProtectionBuilder builder, IInternalAuthenticatedEncryptionSettings settings) + private static IDataProtectionBuilder UseCryptographicAlgorithmsCore(IDataProtectionBuilder builder, AlgorithmConfiguration configuration) { - settings.Validate(); // perform self-test - Use(builder.Services, DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(settings)); + ((IInternalAlgorithmConfiguration)configuration).Validate(); // perform self-test + + builder.Services.Configure(options => + { + options.AuthenticatedEncryptorConfiguration = configuration; + }); + return builder; } 
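Review bot: `UseCryptographicAlgorithmsCore` self-tests `configuration` at registration time, but the `Configure` callback later stores that same mutable instance in `options.AuthenticatedEncryptorConfiguration`. If the caller changes a property on the object after this call, the algorithms actually used were never validated. Document that with a comment such as `// configuration is captured by reference; it must not be mutated after Validate()`, or run the validation again inside the callback. The hard cast to `IInternalAlgorithmConfiguration` also deserves a one-line comment stating that every caller passes one of the built-in configuration types.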
@@ -517,30 +597,9 @@ namespace Microsoft.AspNetCore.DataProtection throw new ArgumentNullException(nameof(builder)); } - Use(builder.Services, DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral()); + builder.Services.Replace(ServiceDescriptor.Singleton()); + return builder; } - - /* - * UTILITY ISERVICECOLLECTION METHODS - */ - - private static void RemoveAllServicesOfType(IServiceCollection services, Type serviceType) - { - // We go backward since we're modifying the collection in-place. - for (var i = services.Count - 1; i >= 0; i--) - { - if (services[i]?.ServiceType == serviceType) - { - services.RemoveAt(i); - } - } - } - - private static void Use(IServiceCollection services, ServiceDescriptor descriptor) - { - RemoveAllServicesOfType(services, descriptor.ServiceType); - services.Add(descriptor); - } } } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs index d9ec04dded..4f05478c8d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs 
@@ -1,79 +1,16 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; -using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Options; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection { - /// - /// Contains static factory methods for creating instances. - /// internal static class DataProtectionProviderFactory { - /// - /// Creates an given an . - /// - /// The global options to use when creating the provider. - /// Provides mandatory services for use by the provider. - /// An . - public static IDataProtectionProvider GetProviderFromServices(DataProtectionOptions options, IServiceProvider services) + public static ILoggerFactory GetDefaultLoggerFactory() { - if (options == null) - { - throw new ArgumentNullException(nameof(options)); - } - - if (services == null) - { - throw new ArgumentNullException(nameof(services)); - } - - return GetProviderFromServices(options, services, mustCreateImmediately: false); - } - - internal static IDataProtectionProvider GetProviderFromServices(DataProtectionOptions options, IServiceProvider services, bool mustCreateImmediately) - { - if (options == null) - { - throw new ArgumentNullException(nameof(options)); - } - - if (services == null) - { - throw new ArgumentNullException(nameof(services)); - } - - IDataProtectionProvider dataProtectionProvider = null; - - // If we're being asked to create the provider immediately, then it means that - // we're already in a call to GetService, and we're responsible for supplying - // the default implementation ourselves. We can't call GetService again or - // else we risk stack diving. 
- if (!mustCreateImmediately) - { - dataProtectionProvider = services.GetService(); - } - - // If all else fails, create a keyring manually based on the other registered services. - if (dataProtectionProvider == null) - { - var keyRingProvider = new KeyRingProvider( - keyManager: services.GetRequiredService(), - keyManagementOptions: services.GetService>()?.Value, // might be null - services: services); - dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, services); - } - - // Finally, link the provider to the supplied discriminator - if (!String.IsNullOrEmpty(options.ApplicationDiscriminator)) - { - dataProtectionProvider = dataProtectionProvider.CreateProtector(options.ApplicationDiscriminator); - } - - return dataProtectionProvider; + return NullLoggerFactory.Instance; } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 36b4eabe98..95e8b2cc7e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -2,9 +2,15 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.DataProtection; using Microsoft.AspNetCore.DataProtection.Internal; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection.Extensions; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; namespace Microsoft.Extensions.DependencyInjection { 
@@ -26,7 +32,7 @@ namespace Microsoft.Extensions.DependencyInjection services.AddSingleton(); services.AddOptions(); - services.TryAdd(DataProtectionServices.GetDefaultServices()); + AddDataProtectionServices(services); return new DataProtectionBuilder(services); } @@ -53,5 +59,48 @@ namespace Microsoft.Extensions.DependencyInjection services.Configure(setupAction); return builder; } + + private static void AddDataProtectionServices(IServiceCollection services) + { + services.TryAddSingleton(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + + if (OSVersionUtil.IsWindows()) + { + services.AddSingleton(); + } + + services.TryAddEnumerable( + ServiceDescriptor.Singleton, KeyManagementOptionsSetup>()); + services.TryAddEnumerable( + ServiceDescriptor.Transient, DataProtectionOptionsSetup>()); + + services.AddSingleton(); + + // Internal services + services.AddSingleton(); + services.AddSingleton(); + + services.AddSingleton(s => + { + var dpOptions = s.GetRequiredService>(); + var keyRingProvider = s.GetRequiredService(); + var loggerFactory = s.GetRequiredService(); + + IDataProtectionProvider dataProtectionProvider = null; + dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, loggerFactory); + + // Link the provider to the supplied discriminator + if (!string.IsNullOrEmpty(dpOptions.Value.ApplicationDiscriminator)) + { + dataProtectionProvider = dataProtectionProvider.CreateProtector(dpOptions.Value.ApplicationDiscriminator); + } + + return dataProtectionProvider; + }); + +#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml + services.AddSingleton(); +#endif + } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs deleted file mode 100644 index 388454fc01..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceDescriptors.cs +++ /dev/null 
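Review bot: `AddDataProtectionServices` registers the `IDataProtectionProvider` factory lambda and the neighbouring services with `AddSingleton`, where the line it replaces used `services.TryAdd(DataProtectionServices.GetDefaultServices())`. Each further call to `AddDataProtection` now appends another set of descriptors, and since the last registration wins, an implementation the application registered earlier is silently overridden by the defaults. Use the `TryAdd` forms here, e.g. `services.TryAddSingleton<IDataProtectionProvider>(s => ...)`, as the first line of the method already does for the logger factory. That first line also means key-management log events go to the null logger factory whenever no other `ILoggerFactory` was registered beforehand, which is worth a comment.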
@@ -1,136 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.IO; -using Microsoft.AspNetCore.Cryptography; -using Microsoft.AspNetCore.DataProtection; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.AspNetCore.DataProtection.XmlEncryption; -using Microsoft.Extensions.Options; -using Microsoft.Win32; - -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml -using System.Security.Cryptography.X509Certificates; -#endif - -namespace Microsoft.Extensions.DependencyInjection -{ - /// - /// Default instances for the Data Protection system. - /// - internal static class DataProtectionServiceDescriptors - { - /// - /// An where the key lifetime is specified explicitly. - /// - - public static ServiceDescriptor ConfigureOptions_DefaultKeyLifetime(int numDays) - { - return ServiceDescriptor.Transient>(services => - { - return new ConfigureOptions(options => - { - options.NewKeyLifetime = TimeSpan.FromDays(numDays); - }); - }); - } - - /// - /// An backed by an . - /// - public static ServiceDescriptor IAuthenticatedEncryptorConfiguration_FromSettings(IInternalAuthenticatedEncryptionSettings options) - { - return ServiceDescriptor.Singleton(options.ToConfiguration); - } - -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - /// - /// An backed by the default implementation. - /// - public static ServiceDescriptor ICertificateResolver_Default() - { - return ServiceDescriptor.Singleton(); - } -#endif - - /// - /// An ephemeral . 
- /// - public static ServiceDescriptor IDataProtectionProvider_Ephemeral() - { - return ServiceDescriptor.Singleton(services => new EphemeralDataProtectionProvider(services)); - } - - /// - /// An backed by a given implementation type. - /// - /// - /// The implementation type name is provided as a string so that we can provide activation services. - /// - public static ServiceDescriptor IKeyEscrowSink_FromTypeName(string implementationTypeName) - { - return ServiceDescriptor.Singleton(services => services.GetActivator().CreateInstance(implementationTypeName)); - } - -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - - /// - /// An backed by an X.509 certificate. - /// - public static ServiceDescriptor IXmlEncryptor_Certificate(X509Certificate2 certificate) - { - return ServiceDescriptor.Singleton(services => new CertificateXmlEncryptor(certificate, services)); - } - - /// - /// An backed by an X.509 certificate. - /// - public static ServiceDescriptor IXmlEncryptor_Certificate(string thumbprint) - { - return ServiceDescriptor.Singleton(services => new CertificateXmlEncryptor( - thumbprint: thumbprint, - certificateResolver: services.GetRequiredService(), - services: services)); - } - -#endif - - /// - /// An backed by DPAPI. - /// - public static ServiceDescriptor IXmlEncryptor_Dpapi(bool protectToMachine) - { - CryptoUtil.AssertPlatformIsWindows(); - return ServiceDescriptor.Singleton(services => new DpapiXmlEncryptor(protectToMachine, services)); - } - - /// - /// An backed by DPAPI-NG. - /// - public static ServiceDescriptor IXmlEncryptor_DpapiNG(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) - { - CryptoUtil.AssertPlatformIsWindows8OrLater(); - return ServiceDescriptor.Singleton(services => new DpapiNGXmlEncryptor(protectionDescriptorRule, flags, services)); - } - - /// - /// An backed by a file system. 
- /// - public static ServiceDescriptor IXmlRepository_FileSystem(DirectoryInfo directory) - { - return ServiceDescriptor.Singleton(services => new FileSystemXmlRepository(directory, services)); - } - - /// - /// An backed by the Windows registry. - /// - public static ServiceDescriptor IXmlRepository_Registry(RegistryKey registryKey) - { - return ServiceDescriptor.Singleton(services => new RegistryXmlRepository(registryKey, services)); - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs deleted file mode 100644 index 424f4bad6e..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServices.cs +++ /dev/null 
@@ -1,156 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using Microsoft.AspNetCore.Cryptography.Cng; -using Microsoft.AspNetCore.DataProtection; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; -using Microsoft.AspNetCore.DataProtection.Cng; -using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; -using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.Extensions.Logging; -using Microsoft.Extensions.Options; -using Microsoft.Win32; - -namespace Microsoft.Extensions.DependencyInjection -{ - /// - /// Provides access to default Data Protection instances. - /// - public static class DataProtectionServices - { - /// - /// Returns a collection of default instances that can be - /// used to bootstrap the Data Protection system. - /// - public static IEnumerable GetDefaultServices() - { - // The default key services are a strange beast. We don't want to return - // IXmlEncryptor and IXmlRepository as-is because they almost always have to be - // set as a matched pair. Instead, our built-in key manager will use a meta-service - // which represents the default pairing (logic based on hosting environment as - // demonstrated below), and if the developer explicitly specifies one or the other - // we'll not use the fallback at all. - yield return ServiceDescriptor.Singleton(services => - { - var log = services.GetLogger(typeof(DataProtectionServices)); - - ServiceDescriptor keyEncryptorDescriptor = null; - ServiceDescriptor keyRepositoryDescriptor = null; - - // If we're running in Azure Web Sites, the key repository goes in the %HOME% directory. 
- var azureWebSitesKeysFolder = FileSystemXmlRepository.GetKeyStorageDirectoryForAzureWebSites(); - if (azureWebSitesKeysFolder != null) - { - log?.UsingAzureAsKeyRepository(azureWebSitesKeysFolder.FullName); - - // Cloud DPAPI isn't yet available, so we don't encrypt keys at rest. - // This isn't all that different than what Azure Web Sites does today, and we can always add this later. - keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_FileSystem(azureWebSitesKeysFolder); - } - else - { - // If the user profile is available, store keys in the user profile directory. - var localAppDataKeysFolder = FileSystemXmlRepository.DefaultKeyStorageDirectory; - if (localAppDataKeysFolder != null) - { - if (OSVersionUtil.IsWindows()) - { - // If the user profile is available, we can protect using DPAPI. - // Probe to see if protecting to local user is available, and use it as the default if so. - keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: !DpapiSecretSerializerHelper.CanProtectToCurrentUserAccount()); - } - keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_FileSystem(localAppDataKeysFolder); - - if (keyEncryptorDescriptor != null) - { - log?.UsingProfileAsKeyRepositoryWithDPAPI(localAppDataKeysFolder.FullName); - } - else - { - log?.UsingProfileAsKeyRepository(localAppDataKeysFolder.FullName); - } - } - else - { - // Use profile isn't available - can we use the HKLM registry? - RegistryKey regKeyStorageKey = null; - if (OSVersionUtil.IsWindows()) - { - regKeyStorageKey = RegistryXmlRepository.DefaultRegistryKey; - } - if (regKeyStorageKey != null) - { - // If the user profile isn't available, we can protect using DPAPI (to machine). 
- keyEncryptorDescriptor = DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToMachine: true); - keyRepositoryDescriptor = DataProtectionServiceDescriptors.IXmlRepository_Registry(regKeyStorageKey); - - log?.UsingRegistryAsKeyRepositoryWithDPAPI(regKeyStorageKey.Name); - } - else - { - // Final fallback - use an ephemeral repository since we don't know where else to go. - // This can only be used for development scenarios. - keyRepositoryDescriptor = ServiceDescriptor.Singleton( - s => new EphemeralXmlRepository(s)); - - log?.UsingEphemeralKeyRepository(); - } - } - } - - return new DefaultKeyServices( - services: services, - keyEncryptorDescriptor: keyEncryptorDescriptor, - keyRepositoryDescriptor: keyRepositoryDescriptor); - }); - - // Provide root key management and data protection services - yield return ServiceDescriptor.Singleton(services => new XmlKeyManager(services)); - - yield return ServiceDescriptor.Singleton( - services => DataProtectionProviderFactory.GetProviderFromServices( - options: services.GetRequiredService>().Value, - services: services, - mustCreateImmediately: true /* this is the ultimate fallback */)); - - // Provide services required for XML encryption -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - yield return DataProtectionServiceDescriptors.ICertificateResolver_Default(); -#endif - - // Hook up the logic which allows populating default options - yield return ServiceDescriptor.Transient>(services => - { - return new ConfigureOptions(options => - { - options.ApplicationDiscriminator = services.GetApplicationUniqueIdentifier(); - }); - }); - - // Read and apply policy from the registry, overriding any other defaults. 
- var encryptorConfigurationReadFromRegistry = false; - if (OSVersionUtil.IsWindows()) - { - foreach (var descriptor in RegistryPolicyResolver.ResolveDefaultPolicy()) - { - yield return descriptor; - if (descriptor.ServiceType == typeof(IAuthenticatedEncryptorConfiguration)) - { - encryptorConfigurationReadFromRegistry = true; - } - } - } - - // Finally, provide a fallback encryptor configuration if one wasn't already specified. - if (!encryptorConfigurationReadFromRegistry) - { - yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings( - new AuthenticatedEncryptionSettings());; - } - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs index 6b30fd136d..93cb021537 100644 --- a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs @@ -4,6 +4,7 @@ using System; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; 
@@ -22,36 +23,28 @@ namespace Microsoft.AspNetCore.DataProtection { private readonly KeyRingBasedDataProtectionProvider _dataProtectionProvider; - /// - /// Creates an ephemeral . - /// - public EphemeralDataProtectionProvider() - : this(services: null) - { - } - /// /// Creates an ephemeral , optionally providing /// services (such as logging) for consumption by the provider. /// - public EphemeralDataProtectionProvider(IServiceProvider services) + public EphemeralDataProtectionProvider(ILoggerFactory loggerFactory) { IKeyRingProvider keyringProvider; if (OSVersionUtil.IsWindows()) { // Fastest implementation: AES-256-GCM [CNG] - keyringProvider = new EphemeralKeyRing(); + keyringProvider = new EphemeralKeyRing(loggerFactory); } else { // Slowest implementation: AES-256-CBC + HMACSHA256 [Managed] - keyringProvider = new EphemeralKeyRing(); + keyringProvider = new EphemeralKeyRing(loggerFactory); } - var logger = services.GetLogger(); - logger?.UsingEphemeralDataProtectionProvider(); + var logger = loggerFactory.CreateLogger(); + logger.UsingEphemeralDataProtectionProvider(); - _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, services); + _dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, loggerFactory); } public IDataProtector CreateProtector(string purpose) 
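Review bot: The new `EphemeralDataProtectionProvider(ILoggerFactory loggerFactory)` constructor dereferences `loggerFactory` at `loggerFactory.CreateLogger(...)` with no null check, although the summary kept above it still says services are supplied "optionally" and the removed overload passed `services: null`. A caller that follows the old pattern now gets a NullReferenceException from inside the constructor. Either reject null with `if (loggerFactory == null) throw new ArgumentNullException(nameof(loggerFactory));` or fall back with `loggerFactory = loggerFactory ?? NullLoggerFactory.Instance;`, and update the summary to match. The constructors changed in DefaultKeyResolver.cs, KeyRingBasedDataProtectionProvider.cs and KeyRingProvider.cs take `ILoggerFactory` the same way and drop the `?.` on their log calls, so the same guard applies there.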
@@ -66,12 +59,17 @@ namespace Microsoft.AspNetCore.DataProtection } private sealed class EphemeralKeyRing : IKeyRing, IKeyRingProvider - where T : IInternalAuthenticatedEncryptionSettings, new() + where T : AlgorithmConfiguration, new() { + public EphemeralKeyRing(ILoggerFactory loggerFactory) + { + DefaultAuthenticatedEncryptor = GetDefaultEncryptor(loggerFactory); + } + // Currently hardcoded to a 512-bit KDK. private const int NUM_BYTES_IN_KDK = 512 / 8; - public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } = new T().ToConfiguration(services: null).CreateNewDescriptor().CreateEncryptorInstance(); + public IAuthenticatedEncryptor DefaultAuthenticatedEncryptor { get; } public Guid DefaultKeyId { get; } = default(Guid); @@ -85,6 +83,29 @@ namespace Microsoft.AspNetCore.DataProtection { return this; } + + private static IAuthenticatedEncryptor GetDefaultEncryptor(ILoggerFactory loggerFactory) + { + var configuration = new T(); + if (configuration is CngGcmAuthenticatedEncryptorConfiguration) + { + var descriptor = (CngGcmAuthenticatedEncryptorDescriptor)new T().CreateNewDescriptor(); + return new CngGcmAuthenticatedEncryptorFactory(loggerFactory) + .CreateAuthenticatedEncryptorInstance( + descriptor.MasterKey, + configuration as CngGcmAuthenticatedEncryptorConfiguration); + } + else if (configuration is ManagedAuthenticatedEncryptorConfiguration) + { + var descriptor = (ManagedAuthenticatedEncryptorDescriptor)new T().CreateNewDescriptor(); + return new ManagedAuthenticatedEncryptorFactory(loggerFactory) + .CreateAuthenticatedEncryptorInstance( + descriptor.MasterKey, + configuration as ManagedAuthenticatedEncryptorConfiguration); + } + + return null; + } } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/Error.cs b/src/Microsoft.AspNetCore.DataProtection/Error.cs index 8bd8d21c37..304f08e5c5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Error.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Error.cs 
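Review bot: `GetDefaultEncryptor`, added in the `@@ -85,6 +83,29 @@` hunk, ends in `return null;`, so an `EphemeralKeyRing` closed over any configuration type other than the two tested ones is built with a null `DefaultAuthenticatedEncryptor`. The failure then presumably shows up only at the first protect or unprotect call, far from the cause. Throwing instead, e.g. `throw new NotSupportedException($"No encryptor factory for {typeof(T)}.");`, keeps the failure at construction. As a style point, each branch creates `new T()` a second time and mixes a hard cast with `as`; reusing `configuration` for `CreateNewDescriptor()` and one typed local per branch would read more cleanly.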
@@ -39,13 +39,13 @@ namespace Microsoft.AspNetCore.DataProtection public static InvalidOperationException Common_PropertyCannotBeNullOrEmpty(string propertyName) { - var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyCannotBeNullOrEmpty, propertyName); + var message = string.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyCannotBeNullOrEmpty, propertyName); return new InvalidOperationException(message); } public static InvalidOperationException Common_PropertyMustBeNonNegative(string propertyName) { - var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyMustBeNonNegative, propertyName); + var message = string.Format(CultureInfo.CurrentCulture, Resources.Common_PropertyMustBeNonNegative, propertyName); return new InvalidOperationException(message); } @@ -56,13 +56,13 @@ namespace Microsoft.AspNetCore.DataProtection public static CryptographicException Common_KeyNotFound(Guid id) { - var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyNotFound, id); + var message = string.Format(CultureInfo.CurrentCulture, Resources.Common_KeyNotFound, id); return new CryptographicException(message); } public static CryptographicException Common_KeyRevoked(Guid id) { - var message = String.Format(CultureInfo.CurrentCulture, Resources.Common_KeyRevoked, id); + var message = string.Format(CultureInfo.CurrentCulture, Resources.Common_KeyRevoked, id); return new CryptographicException(message); } @@ -88,7 +88,7 @@ namespace Microsoft.AspNetCore.DataProtection public static InvalidOperationException XmlKeyManager_DuplicateKey(Guid keyId) { - var message = String.Format(CultureInfo.CurrentCulture, Resources.XmlKeyManager_DuplicateKey, keyId); + var message = string.Format(CultureInfo.CurrentCulture, Resources.XmlKeyManager_DuplicateKey, keyId); return new InvalidOperationException(message); } } 
diff --git a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs index 55348b7501..54539f7b8e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs +++ b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs @@ -1,9 +1,9 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using Microsoft.Extensions.DependencyInjection; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using System.IO; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection { @@ -24,7 +24,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// Similarly, when a developer modifies the default protected payload cryptographic /// algorithms, it is intended that he also select an explitiy key storage location. - /// A call to + /// A call to /// should therefore generally be paired with a call to , /// for example. /// @@ -48,7 +48,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// Similarly, when a developer modifies the default protected payload cryptographic /// algorithms, it is intended that he also select an explitiy key storage location. - /// A call to + /// A call to /// should therefore generally be paired with a call to , /// for example. /// diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs index 3ab488b8db..bc8908c9c4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs 
@@ -2,18 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.ComponentModel; -using System.IO; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; -using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.DependencyInjection.Extensions; -using Microsoft.Win32; - -#if !DOTNET5_4 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml -using System.Security.Cryptography.X509Certificates; -#endif namespace Microsoft.AspNetCore.DataProtection.Internal { diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs new file mode 100644 index 0000000000..d5e25b7586 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs @@ -0,0 +1,23 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.Extensions.Options; + +namespace Microsoft.AspNetCore.DataProtection.Internal +{ + internal class DataProtectionOptionsSetup : IConfigureOptions + { + private readonly IServiceProvider _services; + + public DataProtectionOptionsSetup(IServiceProvider provider) + { + _services = provider; + } + + public void Configure(DataProtectionOptions options) + { + options.ApplicationDiscriminator = _services.GetApplicationUniqueIdentifier(); + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs new file mode 100644 index 0000000000..1f72510e09 --- /dev/null 
+++ b/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs 
@@ -0,0 +1,66 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; + +namespace Microsoft.AspNetCore.DataProtection.Internal +{ + internal class KeyManagementOptionsSetup : IConfigureOptions + { + private readonly RegistryPolicyResolver _registryPolicyResolver; + private readonly ILoggerFactory _loggerFactory; + + public KeyManagementOptionsSetup(ILoggerFactory loggerFactory) : this(loggerFactory, registryPolicyResolver: null) + { + } + + public KeyManagementOptionsSetup(ILoggerFactory loggerFactory, RegistryPolicyResolver registryPolicyResolver) + { + _loggerFactory = loggerFactory; + _registryPolicyResolver = registryPolicyResolver; + } + + public void Configure(KeyManagementOptions options) + { + RegistryPolicy context = null; + if (_registryPolicyResolver != null) + { + context = _registryPolicyResolver.ResolvePolicy(); + } + + if (context != null) + { + if (context.DefaultKeyLifetime.HasValue) + { + options.NewKeyLifetime = TimeSpan.FromDays(context.DefaultKeyLifetime.Value); + } + + options.AuthenticatedEncryptorConfiguration = context.EncryptorConfiguration; + + var escrowSinks = context.KeyEscrowSinks; + if (escrowSinks != null) + { + foreach (var escrowSink in escrowSinks) + { + options.KeyEscrowSinks.Add(escrowSink); + } + } + } + + if (options.AuthenticatedEncryptorConfiguration == null) + { + options.AuthenticatedEncryptorConfiguration = new AuthenticatedEncryptorConfiguration(); + } + + options.AuthenticatedEncryptorFactories.Add(new CngGcmAuthenticatedEncryptorFactory(_loggerFactory)); + options.AuthenticatedEncryptorFactories.Add(new 
CngCbcAuthenticatedEncryptorFactory(_loggerFactory)); + options.AuthenticatedEncryptorFactories.Add(new ManagedAuthenticatedEncryptorFactory(_loggerFactory)); + options.AuthenticatedEncryptorFactories.Add(new AuthenticatedEncryptorFactory(_loggerFactory)); + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs index 6f2af2409b..c2efbf14bb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -8,6 +8,7 @@ using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { @@ -28,6 +29,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly ILogger _logger; + private readonly IEnumerable _encryptorFactories; + /// /// The maximum skew that is allowed between servers. /// This is used to allow newly-created keys to be used across servers even though 
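Review bot: In `KeyManagementOptionsSetup.Configure`, `options.AuthenticatedEncryptorConfiguration = context.EncryptorConfiguration;` runs whenever a registry policy was resolved, even when that policy carries no encryptor configuration. A null there would erase a configuration already present on `options`, and the null check that follows would then substitute the default `AuthenticatedEncryptorConfiguration` without any trace. Whether `EncryptorConfiguration` can be null is not visible in this hunk; if it can, guard the assignment with `if (context.EncryptorConfiguration != null)`. Since `_loggerFactory` is already available, a log entry when registry policy replaces the algorithm or the key lifetime would let operators see which source decided the cryptographic settings.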
@@ -39,23 +42,38 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// private readonly TimeSpan _maxServerToServerClockSkew; - public DefaultKeyResolver(TimeSpan keyPropagationWindow, TimeSpan maxServerToServerClockSkew, IServiceProvider services) + public DefaultKeyResolver(IOptions keyManagementOptions, ILoggerFactory loggerFactory) { - _keyPropagationWindow = keyPropagationWindow; - _maxServerToServerClockSkew = maxServerToServerClockSkew; - _logger = services.GetLogger(); + _keyPropagationWindow = keyManagementOptions.Value.KeyPropagationWindow; + _maxServerToServerClockSkew = keyManagementOptions.Value.MaxServerClockSkew; + _encryptorFactories = keyManagementOptions.Value.AuthenticatedEncryptorFactories; + _logger = loggerFactory.CreateLogger(); } private bool CanCreateAuthenticatedEncryptor(IKey key) { try { - var encryptorInstance = key.CreateEncryptorInstance() ?? CryptoUtil.Fail("CreateEncryptorInstance returned null."); + IAuthenticatedEncryptor encryptorInstance = null; + foreach (var factory in _encryptorFactories) + { + encryptorInstance = factory.CreateEncryptorInstance(key); + if (encryptorInstance != null) + { + break; + } + } + + if (encryptorInstance == null) + { + CryptoUtil.Fail("CreateEncryptorInstance returned null."); + } + return true; } catch (Exception ex) { - _logger?.KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(key.KeyId, nameof(IKey.CreateEncryptorInstance), ex); + _logger.KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(key.KeyId, nameof(IAuthenticatedEncryptorFactory.CreateEncryptorInstance), ex); return false; } } 
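Review bot: `CanCreateAuthenticatedEncryptor` now builds a real encryptor through the factories only to test it for null, and then drops it. Before this commit the call was `key.CreateEncryptorInstance()`, which KeyBase served from a `Lazy` (see the KeyBase.cs section), so the probe reused the cached instance; now every probe constructs a fresh instance from the key's descriptor, once per candidate key per resolution. If the concrete encryptors hold native handles or key buffers (not visible here), release the probe before returning: `(encryptorInstance as IDisposable)?.Dispose();`. The `Debug.Assert(CreateEncryptorForKey(defaultKey) != null)` in KeyRingProvider.cs has the same shape in debug builds.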
@@ -70,12 +88,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement if (preferredDefaultKey != null) { - _logger?.ConsideringKeyWithExpirationDateAsDefaultKey(preferredDefaultKey.KeyId, preferredDefaultKey.ExpirationDate); + _logger.ConsideringKeyWithExpirationDateAsDefaultKey(preferredDefaultKey.KeyId, preferredDefaultKey.ExpirationDate); // if the key has been revoked or is expired, it is no longer a candidate if (preferredDefaultKey.IsRevoked || preferredDefaultKey.IsExpired(now) || !CanCreateAuthenticatedEncryptor(preferredDefaultKey)) { - _logger?.KeyIsNoLongerUnderConsiderationAsDefault(preferredDefaultKey.KeyId); + _logger.KeyIsNoLongerUnderConsiderationAsDefault(preferredDefaultKey.KeyId); preferredDefaultKey = null; } } @@ -98,7 +116,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement if (callerShouldGenerateNewKey) { - _logger?.DefaultKeyExpirationImminentAndRepository(); + _logger.DefaultKeyExpirationImminentAndRepository(); } fallbackKey = null; @@ -119,7 +137,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement where !key.IsRevoked && CanCreateAuthenticatedEncryptor(key) select key).FirstOrDefault(); - _logger?.RepositoryContainsNoViableDefaultKey(); + _logger.RepositoryContainsNoViableDefaultKey(); callerShouldGenerateNewKey = true; return null; diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs index 36b7bb0d7d..9afea8a92d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs @@ -3,7 +3,6 @@ using System; using System.Xml.Linq; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.DataProtection.XmlEncryption; 
@@ -23,11 +22,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement DateTimeOffset expirationDate, IInternalXmlKeyManager keyManager, XElement keyElement) - : base(keyId, creationDate, activationDate, expirationDate, new Lazy(GetLazyEncryptorDelegate(keyManager, keyElement))) + : base(keyId, creationDate, activationDate, expirationDate, new Lazy(GetLazyDescriptorDelegate(keyManager, keyElement))) { } - private static Func GetLazyEncryptorDelegate(IInternalXmlKeyManager keyManager, XElement keyElement) + private static Func GetLazyDescriptorDelegate(IInternalXmlKeyManager keyManager, XElement keyElement) { // The element will be held around in memory for a potentially lengthy period // of time. Since it might contain sensitive information, we should protect it. @@ -35,7 +34,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement try { - return () => keyManager.DeserializeDescriptorFromKeyElement(encryptedKeyElement.ToXElement()).CreateEncryptorInstance(); + return () => keyManager.DeserializeDescriptorFromKeyElement(encryptedKeyElement.ToXElement()); } finally { diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs index f9ef009f7a..0ac314449f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs @@ -3,6 +3,7 @@ using System; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { 
@@ -45,10 +46,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Guid KeyId { get; } /// - /// Creates an IAuthenticatedEncryptor instance that can be used to encrypt data - /// to and decrypt data from this key. + /// Gets the instance associated with this key. /// - /// An IAuthenticatedEncryptor. - IAuthenticatedEncryptor CreateEncryptorInstance(); + IAuthenticatedEncryptorDescriptor Descriptor { get; } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs index cd522e74af..36c9b00ac8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs @@ -4,6 +4,7 @@ using System; using System.Collections.Generic; using System.Threading; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { @@ -14,8 +15,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { private readonly CancellationToken _expirationToken; - internal CacheableKeyRing(CancellationToken expirationToken, DateTimeOffset expirationTime, IKey defaultKey, IEnumerable allKeys) - : this(expirationToken, expirationTime, keyRing: new KeyRing(defaultKey, allKeys)) + internal CacheableKeyRing(CancellationToken expirationToken, DateTimeOffset expirationTime, IKey defaultKey, IEnumerable allKeys, IEnumerable encryptorFactories) + : this(expirationToken, expirationTime, keyRing: new KeyRing(defaultKey, allKeys, encryptorFactories)) { } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs index f458092b5f..2d5b06d841 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { @@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal /// The default key, may be null if no key is a good default candidate. /// /// - /// If this property is non-null, its method will succeed + /// If this property is non-null, its method will succeed /// so is appropriate for use with deferred keys. /// public IKey DefaultKey; @@ -22,7 +22,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal /// be null if there is no viable fallback key. /// /// - /// If this property is non-null, its method will succeed + /// If this property is non-null, its method will succeed /// so is appropriate for use with deferred keys. /// public IKey FallbackKey; diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs index 5e5b9766b0..fd049a6695 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs @@ -14,7 +14,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement internal sealed class Key : KeyBase { public Key(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IAuthenticatedEncryptorDescriptor descriptor) - : base(keyId, creationDate, activationDate, expirationDate, new Lazy(descriptor.CreateEncryptorInstance)) + : base(keyId, creationDate, activationDate, expirationDate, new Lazy(() => descriptor)) { } } 
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs index 1afc6237b3..cd14b5e209 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs @@ -3,6 +3,7 @@ using System; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { @@ -11,15 +12,15 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// internal abstract class KeyBase : IKey { - private readonly Lazy _lazyEncryptor; + private readonly Lazy _lazyDescriptor; - public KeyBase(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, Lazy lazyEncryptor) + public KeyBase(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, Lazy lazyDescriptor) { KeyId = keyId; CreationDate = creationDate; ActivationDate = activationDate; ExpirationDate = expirationDate; - _lazyEncryptor = lazyEncryptor; + _lazyDescriptor = lazyDescriptor; } public DateTimeOffset ActivationDate { get; } @@ -32,9 +33,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public Guid KeyId { get; } - public IAuthenticatedEncryptor CreateEncryptorInstance() + public IAuthenticatedEncryptorDescriptor Descriptor { - return _lazyEncryptor.Value; + get + { + return _lazyDescriptor.Value; + } } internal void SetRevoked() diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs index 65652ea0cb..0680239f6b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs 
@@ -2,6 +2,11 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Collections.Generic; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { @@ -24,8 +29,21 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { if (other != null) { - this.AutoGenerateKeys = other.AutoGenerateKeys; - this._newKeyLifetime = other._newKeyLifetime; + AutoGenerateKeys = other.AutoGenerateKeys; + _newKeyLifetime = other._newKeyLifetime; + XmlEncryptor = other.XmlEncryptor; + XmlRepository = other.XmlRepository; + AuthenticatedEncryptorConfiguration = other.AuthenticatedEncryptorConfiguration; + + foreach (var keyEscrowSink in other.KeyEscrowSinks) + { + KeyEscrowSinks.Add(keyEscrowSink); + } + + foreach (var encryptorFactory in other.AuthenticatedEncryptorFactories) + { + AuthenticatedEncryptorFactories.Add(encryptorFactory); + } } } @@ -119,5 +137,32 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement _newKeyLifetime = value; } } + + /// + /// The instance that can be used to create + /// the instance. + /// + public AlgorithmConfiguration AuthenticatedEncryptorConfiguration { get; set; } + + /// + /// The list of to store the key material in. + /// + public IList KeyEscrowSinks { get; } = new List(); + + /// + /// The to use for storing and retrieving XML elements. + /// + public IXmlRepository XmlRepository { get; set; } + + /// + /// The to use for encrypting XML elements. + /// + public IXmlEncryptor XmlEncryptor { get; set; } + + /// + /// The list of that will be used for creating + /// s. + /// + public IList AuthenticatedEncryptorFactories { get; } = new List(); } } 
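Review bot: The copy constructor extended in the `@@ -24,8 +29,21 @@` hunk copies `XmlEncryptor`, `XmlRepository` and `AuthenticatedEncryptorConfiguration` by reference and only the two lists element by element, and that is worth a comment because KeyRingProvider calls it with the remark "clone so new instance is immutable". I would add above the new assignments: `// Shallow copy: the encryptor, repository and algorithm configuration objects are shared with 'other'; only the list containers are new.` If the configuration object has settable properties, a change made through the original options after the clone would still reach the provider, which a reader of that remark would not expect. The constructor starts outside the hunk, so any existing summary on it is not visible.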
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs index 2a180afd04..b8392d548e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs @@ -17,12 +17,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly KeyHolder _defaultKeyHolder; private readonly Dictionary _keyIdToKeyHolderMap; - public KeyRing(IKey defaultKey, IEnumerable allKeys) + public KeyRing(IKey defaultKey, IEnumerable allKeys, IEnumerable encryptorFactories) { _keyIdToKeyHolderMap = new Dictionary(); foreach (IKey key in allKeys) { - _keyIdToKeyHolderMap.Add(key.KeyId, new KeyHolder(key)); + _keyIdToKeyHolderMap.Add(key.KeyId, new KeyHolder(key, encryptorFactories)); } // It's possible under some circumstances that the default key won't be part of 'allKeys', @@ -30,7 +30,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // wasn't in the underlying repository. In this case, we just add it now. if (!_keyIdToKeyHolderMap.ContainsKey(defaultKey.KeyId)) { - _keyIdToKeyHolderMap.Add(defaultKey.KeyId, new KeyHolder(defaultKey)); + _keyIdToKeyHolderMap.Add(defaultKey.KeyId, new KeyHolder(defaultKey, encryptorFactories)); } DefaultKeyId = defaultKey.KeyId; 
@@ -61,17 +61,19 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { private readonly IKey _key; private IAuthenticatedEncryptor _encryptor; + private readonly IEnumerable _encryptorFactories; - internal KeyHolder(IKey key) + internal KeyHolder(IKey key, IEnumerable encryptorFactories) { _key = key; + _encryptorFactories = encryptorFactories; } internal IAuthenticatedEncryptor GetEncryptorInstance(out bool isRevoked) { // simple double-check lock pattern // we can't use LazyInitializer because we don't have a simple value factory - var encryptor = Volatile.Read(ref _encryptor); + IAuthenticatedEncryptor encryptor = Volatile.Read(ref _encryptor); if (encryptor == null) { lock (this) @@ -79,7 +81,14 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement encryptor = Volatile.Read(ref _encryptor); if (encryptor == null) { - encryptor = _key.CreateEncryptorInstance(); + foreach (var factory in _encryptorFactories) + { + encryptor = factory.CreateEncryptorInstance(_key); + if (encryptor != null) + { + break; + } + } Volatile.Write(ref _encryptor, encryptor); } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs index 7ed4124f9f..f7f785cc3b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs 
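Review bot: In the `@@ -79,7 +81,14 @@` hunk, when no factory in `_encryptorFactories` returns an instance the loop leaves `encryptor` null, `Volatile.Write` stores that null, and every later call re-enters the lock and runs all factories again. The null presumably travels up to KeyRingBasedDataProtector, whose hunk shows a null encryptor reported as `Common_KeyNotFound`, which would misdescribe a key that exists but whose descriptor no registered factory accepts. Failing explicitly after the loop, the way `CanCreateAuthenticatedEncryptor` in DefaultKeyResolver.cs does with `CryptoUtil.Fail("CreateEncryptorInstance returned null.")`, keeps the two cases apart in logs. `GetEncryptorInstance` continues past the end of the hunk.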
@@ -12,10 +12,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly IKeyRingProvider _keyRingProvider; private readonly ILogger _logger; - public KeyRingBasedDataProtectionProvider(IKeyRingProvider keyRingProvider, IServiceProvider services) + public KeyRingBasedDataProtectionProvider(IKeyRingProvider keyRingProvider, ILoggerFactory loggerFactory) { _keyRingProvider = keyRingProvider; - _logger = services.GetLogger(); // note: for protector (not provider!) type, could be null + _logger = loggerFactory.CreateLogger(); // note: for protector (not provider!) type } public IDataProtector CreateProtector(string purpose) diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index 12888f8b3f..d866ed6e3a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs @@ -246,7 +246,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out keyWasRevoked); if (requestedEncryptor == null) { - _logger?.KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(keyIdFromPayload); + _logger.KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(keyIdFromPayload); throw Error.Common_KeyNotFound(keyIdFromPayload); } 
@@ -262,12 +262,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { if (allowOperationsOnRevokedKeys) { - _logger?.KeyWasRevokedCallerRequestedUnprotectOperationProceedRegardless(keyIdFromPayload); + _logger.KeyWasRevokedCallerRequestedUnprotectOperationProceedRegardless(keyIdFromPayload); status = UnprotectStatus.DecryptionKeyWasRevoked; } else { - _logger?.KeyWasRevokedUnprotectOperationCannotProceed(keyIdFromPayload); + _logger.KeyWasRevokedUnprotectOperationCannotProceed(keyIdFromPayload); throw Error.Common_KeyRevoked(keyIdFromPayload); } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs index 6dbca4d9b6..7e953cbd5f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs @@ -6,9 +6,10 @@ using System.Collections.Generic; using System.Diagnostics; using System.Threading; using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; -using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { 
@@ -22,14 +23,32 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly IKeyManager _keyManager; private readonly ILogger _logger; - public KeyRingProvider(IKeyManager keyManager, KeyManagementOptions keyManagementOptions, IServiceProvider services) + public KeyRingProvider( + IKeyManager keyManager, + IOptions keyManagementOptions, + IDefaultKeyResolver defaultKeyResolver, + ILoggerFactory loggerFactory) + : this( + keyManager, + keyManagementOptions, + cacheableKeyRingProvider: null, + defaultKeyResolver: defaultKeyResolver, + loggerFactory: loggerFactory) { - _keyManagementOptions = new KeyManagementOptions(keyManagementOptions); // clone so new instance is immutable + } + + public KeyRingProvider( + IKeyManager keyManager, + IOptions keyManagementOptions, + ICacheableKeyRingProvider cacheableKeyRingProvider, + IDefaultKeyResolver defaultKeyResolver, + ILoggerFactory loggerFactory) + { + _keyManagementOptions = new KeyManagementOptions(keyManagementOptions.Value); // clone so new instance is immutable _keyManager = keyManager; - _cacheableKeyRingProvider = services?.GetService() ?? this; - _logger = services?.GetLogger(); - _defaultKeyResolver = services?.GetService() - ?? new DefaultKeyResolver(_keyManagementOptions.KeyPropagationWindow, _keyManagementOptions.MaxServerClockSkew, services); + _cacheableKeyRingProvider = cacheableKeyRingProvider ?? this; + _defaultKeyResolver = defaultKeyResolver; + _logger = loggerFactory.CreateLogger(); } private CacheableKeyRing CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded) 
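Review bot: `_defaultKeyResolver = defaultKeyResolver;` stores the argument as given, whereas the removed code fell back to `new DefaultKeyResolver(...)` when no resolver was registered, so a null resolver is now accepted at construction and presumably fails only when the key ring is first built. `keyManagementOptions.Value` is dereferenced unchecked in the same constructor. Both constructors are public, so I would validate up front with `if (defaultKeyResolver == null) throw new ArgumentNullException(nameof(defaultKeyResolver));` and the same check for `keyManagementOptions`.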
@@ -46,7 +65,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, defaultKeyPolicy.DefaultKey, allKeys); } - _logger?.PolicyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing(); + _logger.PolicyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing(); // We shouldn't call CreateKey more than once, else we risk stack diving. This code path shouldn't // get hit unless there was an ineligible key with an activation date slightly later than the one we @@ -67,12 +86,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var keyToUse = defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey; if (keyToUse == null) { - _logger?.KeyRingDoesNotContainValidDefaultKey(); + _logger.KeyRingDoesNotContainValidDefaultKey(); throw new InvalidOperationException(Resources.KeyRingProvider_NoDefaultKey_AutoGenerateDisabled); } else { - _logger?.UsingFallbackKeyWithExpirationAsDefaultKey(keyToUse.KeyId, keyToUse.ExpirationDate); + _logger.UsingFallbackKeyWithExpirationAsDefaultKey(keyToUse.KeyId, keyToUse.ExpirationDate); return CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys); } } @@ -99,9 +118,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Debug.Assert(defaultKey != null); // Invariant: our caller ensures that CreateEncryptorInstance succeeded at least once - Debug.Assert(defaultKey.CreateEncryptorInstance() != null); + Debug.Assert(CreateEncryptorForKey(defaultKey) != null); - _logger?.UsingKeyAsDefaultKey(defaultKey.KeyId); + _logger.UsingKeyAsDefaultKey(defaultKey.KeyId); var nextAutoRefreshTime = now + GetRefreshPeriodWithJitter(_keyManagementOptions.KeyRingRefreshPeriod); 
@@ -116,7 +135,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement expirationToken: cacheExpirationToken, expirationTime: (defaultKey.ExpirationDate <= now) ? nextAutoRefreshTime : Min(defaultKey.ExpirationDate, nextAutoRefreshTime), defaultKey: defaultKey, - allKeys: allKeys); + allKeys: allKeys, + encryptorFactories: _keyManagementOptions.AuthenticatedEncryptorFactories); } public IKeyRing GetCurrentKeyRing() @@ -156,7 +176,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement if (existingCacheableKeyRing != null) { - _logger?.ExistingCachedKeyRingIsExpired(); + _logger.ExistingCachedKeyRingIsExpired(); } // It's up to us to refresh the cached keyring. @@ -171,11 +191,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { if (existingCacheableKeyRing != null) { - _logger?.ErrorOccurredWhileRefreshingKeyRing(ex); + _logger.ErrorOccurredWhileRefreshingKeyRing(ex); } else { - _logger?.ErrorOccurredWhileReadingKeyRing(ex); + _logger.ErrorOccurredWhileReadingKeyRing(ex); } // Failures that occur while refreshing the keyring are most likely transient, perhaps due to a @@ -216,6 +236,20 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement } } + private IAuthenticatedEncryptor CreateEncryptorForKey(IKey key) + { + foreach (var factory in _keyManagementOptions.AuthenticatedEncryptorFactories) + { + var encryptor = factory.CreateEncryptorInstance(key); + if (encryptor != null) + { + return encryptor; + } + } + + return null; + } + private static TimeSpan GetRefreshPeriodWithJitter(TimeSpan refreshPeriod) { // We'll fudge the refresh period up to -20% so that multiple applications don't try to diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs index 64a84a51d8..b7b2911439 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs @@ -4,21 +4,23 @@ using System; using System.Collections.Generic; using System.Diagnostics; +using System.Globalization; using System.Linq; using System.Runtime.CompilerServices; using System.Threading; using System.Xml; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.XmlEncryption; -using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; - -using static System.FormattableString; +using Microsoft.Extensions.Options; +using Microsoft.Win32; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { @@ -43,9 +45,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private const string RevokeAllKeysValue = "*"; private readonly IActivator _activator; - private readonly IAuthenticatedEncryptorConfiguration _authenticatedEncryptorConfiguration; - private readonly IInternalXmlKeyManager _internalKeyManager; + private readonly AlgorithmConfiguration _authenticatedEncryptorConfiguration; private readonly IKeyEscrowSink _keyEscrowSink; + private readonly IInternalXmlKeyManager _internalKeyManager; + private readonly ILoggerFactory _loggerFactory; private readonly ILogger _logger; private CancellationTokenSource _cacheExpirationTokenSource; 
@@ -53,59 +56,49 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// /// Creates an . /// - /// The repository where keys are stored. - /// Configuration for newly-created keys. - /// A provider of optional services. - public XmlKeyManager( - IXmlRepository repository, - IAuthenticatedEncryptorConfiguration configuration, - IServiceProvider services) + /// The instance that provides the configuration. + /// The . + /// The . + public XmlKeyManager(IOptions keyManagementOptions, IActivator activator, ILoggerFactory loggerFactory) { - if (repository == null) - { - throw new ArgumentNullException(nameof(repository)); - } + _loggerFactory = loggerFactory; + _logger = _loggerFactory.CreateLogger(); - if (configuration == null) - { - throw new ArgumentNullException(nameof(configuration)); - } - - KeyEncryptor = services.GetService(); // optional - KeyRepository = repository; - - _activator = services.GetActivator(); // returns non-null - _authenticatedEncryptorConfiguration = configuration; - _internalKeyManager = services.GetService() ?? this; - _keyEscrowSink = services.GetKeyEscrowSink(); // not required - _logger = services.GetLogger(); // not required - TriggerAndResetCacheExpirationToken(suppressLogging: true); - } - - internal XmlKeyManager(IServiceProvider services) - { - // First, see if an explicit encryptor or repository was specified. - // If either was specified, then we won't use the fallback. - KeyEncryptor = services.GetService(); // optional - KeyRepository = (KeyEncryptor != null) - ? services.GetRequiredService() // required if encryptor is specified - : services.GetService(); // optional if encryptor not specified - - // If the repository is missing, then we get both the encryptor and the repository from the fallback. - // If the fallback is missing, the final call to GetRequiredService below will throw. 
+ KeyRepository = keyManagementOptions.Value.XmlRepository; + KeyEncryptor = keyManagementOptions.Value.XmlEncryptor; if (KeyRepository == null) { - var defaultKeyServices = services.GetService(); - KeyEncryptor = defaultKeyServices?.GetKeyEncryptor(); // optional - KeyRepository = defaultKeyServices?.GetKeyRepository() ?? services.GetRequiredService(); + if (KeyEncryptor != null) + { + throw new InvalidOperationException( + Resources.FormatXmlKeyManager_IXmlRepositoryNotFound(nameof(IXmlRepository), nameof(IXmlEncryptor))); + } + else + { + var keyRepositoryEncryptorPair = GetFallbackKeyRepositoryEncryptorPair(); + KeyRepository = keyRepositoryEncryptorPair.Key; + KeyEncryptor = keyRepositoryEncryptorPair.Value; + } } - _activator = services.GetActivator(); // returns non-null - _authenticatedEncryptorConfiguration = services.GetRequiredService(); - _internalKeyManager = services.GetService() ?? this; - _keyEscrowSink = services.GetKeyEscrowSink(); // not required - _logger = services.GetLogger(); // not required + _authenticatedEncryptorConfiguration = keyManagementOptions.Value.AuthenticatedEncryptorConfiguration; + + var escrowSinks = keyManagementOptions.Value.KeyEscrowSinks; + _keyEscrowSink = escrowSinks.Count > 0 ? new AggregateKeyEscrowSink(escrowSinks) : null; + _activator = activator; TriggerAndResetCacheExpirationToken(suppressLogging: true); + _internalKeyManager = _internalKeyManager ?? this; + } + + // Internal for testing. + internal XmlKeyManager( + IOptions keyManagementOptions, + IActivator activator, + ILoggerFactory loggerFactory, + IInternalXmlKeyManager internalXmlKeyManager) + : this(keyManagementOptions, activator, loggerFactory) + { + _internalKeyManager = internalXmlKeyManager; } internal IXmlEncryptor KeyEncryptor { get; } 
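Review bot: `_internalKeyManager = _internalKeyManager ?? this;` at the end of the public `XmlKeyManager` constructor always assigns `this`, because nothing has set the field at that point. The internal test constructor then overwrites it after the chained call, so a null `internalXmlKeyManager` leaves the field null. Writing `_internalKeyManager = this;` in the public constructor and `_internalKeyManager = internalXmlKeyManager ?? this;` in the internal one states the intent and keeps the field non-null. The constructor also reads `keyManagementOptions.Value` and `escrowSinks.Count` unguarded, so if either can be null the failure is a NullReferenceException rather than an argument error.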
@@ -177,7 +170,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement else { // Skip unknown elements. - _logger?.UnknownElementWithNameFoundInKeyringSkipping(element.Name); + _logger.UnknownElementWithNameFoundInKeyringSkipping(element.Name); } } @@ -191,11 +184,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement if (key != null) { key.SetRevoked(); - _logger?.MarkedKeyAsRevokedInTheKeyring(revokedKeyId); + _logger.MarkedKeyAsRevokedInTheKeyring(revokedKeyId); } else { - _logger?.TriedToProcessRevocationOfKeyButNoSuchKeyWasFound(revokedKeyId); + _logger.TriedToProcessRevocationOfKeyButNoSuchKeyWasFound(revokedKeyId); } } } @@ -213,7 +206,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement if (key.CreationDate < mostRecentMassRevocationDate) { key.SetRevoked(); - _logger?.MarkedKeyAsRevokedInTheKeyring(key.KeyId); + _logger.MarkedKeyAsRevokedInTheKeyring(key.KeyId); } } } @@ -239,14 +232,14 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement DateTimeOffset activationDate = (DateTimeOffset)keyElement.Element(ActivationDateElementName); DateTimeOffset expirationDate = (DateTimeOffset)keyElement.Element(ExpirationDateElementName); - _logger?.FoundKey(keyId); + _logger.FoundKey(keyId); return new DeferredKey( keyId: keyId, creationDate: creationDate, activationDate: activationDate, expirationDate: expirationDate, - keyManager: _internalKeyManager, + keyManager: this, keyElement: keyElement); } catch (Exception ex) 
@@ -270,14 +263,14 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // this is a mass revocation of all keys as of the specified revocation date DateTimeOffset massRevocationDate = (DateTimeOffset)revocationElement.Element(RevocationDateElementName); - _logger?.FoundRevocationOfAllKeysCreatedPriorTo(massRevocationDate); + _logger.FoundRevocationOfAllKeysCreatedPriorTo(massRevocationDate); return massRevocationDate; } else { // only one key is being revoked var keyId = XmlConvert.ToGuid(keyIdAsString); - _logger?.FoundRevocationOfKey(keyId); + _logger.FoundRevocationOfKey(keyId); return keyId; } } @@ -285,7 +278,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Any exceptions that occur are fatal - we don't want to continue if we cannot process // revocation information. - _logger?.ExceptionWhileProcessingRevocationElement(revocationElement, ex); + _logger.ExceptionWhileProcessingRevocationElement(revocationElement, ex); throw; } } @@ -299,7 +292,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // ... // - _logger?.RevokingAllKeysAsOfForReason(revocationDate, reason); + _logger.RevokingAllKeysAsOfForReason(revocationDate, reason); var revocationElement = new XElement(RevocationElementName, new XAttribute(VersionAttributeName, 1), @@ -327,7 +320,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { if (!suppressLogging) { - _logger?.KeyCacheExpirationTokenTriggeredByOperation(opName); + _logger.KeyCacheExpirationTokenTriggeredByOperation(opName); } Interlocked.Exchange(ref _cacheExpirationTokenSource, new CancellationTokenSource())?.Cancel(); 
@@ -341,10 +334,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // include sensitive information in the exception message. // write sanitized element - _logger?.ExceptionWhileProcessingKeyElement(keyElement.WithoutChildNodes(), error); + _logger.ExceptionWhileProcessingKeyElement(keyElement.WithoutChildNodes(), error); // write full element - _logger?.AnExceptionOccurredWhileProcessingElementDebug(keyElement, error); + _logger.AnExceptionOccurredWhileProcessingElementDebug(keyElement, error); } @@ -359,13 +352,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // // - _logger?.CreatingKey(keyId, creationDate, activationDate, expirationDate); + _logger.CreatingKey(keyId, creationDate, activationDate, expirationDate); var newDescriptor = _authenticatedEncryptorConfiguration.CreateNewDescriptor() ?? CryptoUtil.Fail("CreateNewDescriptor returned null."); var descriptorXmlInfo = newDescriptor.ExportToXml(); - _logger?.DescriptorDeserializerTypeForKeyIs(keyId, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName); + _logger.DescriptorDeserializerTypeForKeyIs(keyId, descriptorXmlInfo.DeserializerType.AssemblyQualifiedName); // build the element var keyElement = new XElement(KeyElementName, 
@@ -381,23 +374,23 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // If key escrow policy is in effect, write the *unencrypted* key now. if (_keyEscrowSink != null) { - _logger?.KeyEscrowSinkFoundWritingKeyToEscrow(keyId); + _logger.KeyEscrowSinkFoundWritingKeyToEscrow(keyId); } else { - _logger?.NoKeyEscrowSinkFoundNotWritingKeyToEscrow(keyId); + _logger.NoKeyEscrowSinkFoundNotWritingKeyToEscrow(keyId); } _keyEscrowSink?.Store(keyId, keyElement); // If an XML encryptor has been configured, protect secret key material now. if (KeyEncryptor == null) { - _logger?.NoXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm(keyId); + _logger.NoXMLEncryptorConfiguredKeyMayBePersistedToStorageInUnencryptedForm(keyId); } var possiblyEncryptedKeyElement = KeyEncryptor?.EncryptIfNecessary(keyElement) ?? keyElement; // Persist it to the underlying repository and trigger the cancellation token. - var friendlyName = Invariant($"key-{keyId:D}"); + var friendlyName = string.Format(CultureInfo.InvariantCulture, "key-{0:D}", keyId); KeyRepository.StoreElement(possiblyEncryptedKeyElement, friendlyName); TriggerAndResetCacheExpirationToken(); @@ -440,7 +433,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // ... // - _logger?.RevokingKeyForReason(keyId, revocationDate, reason); + _logger.RevokingKeyForReason(keyId, revocationDate, reason); var revocationElement = new XElement(RevocationElementName, new XAttribute(VersionAttributeName, 1), 
@@ -450,9 +443,97 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement new XElement(ReasonElementName, reason)); // Persist it to the underlying repository and trigger the cancellation token - var friendlyName = Invariant($"revocation-{keyId:D}"); + var friendlyName = string.Format(CultureInfo.InvariantCulture, "revocation-{0:D}", keyId); KeyRepository.StoreElement(revocationElement, friendlyName); TriggerAndResetCacheExpirationToken(); } + + internal KeyValuePair GetFallbackKeyRepositoryEncryptorPair() + { + IXmlRepository repository = null; + IXmlEncryptor encryptor = null; + + // If we're running in Azure Web Sites, the key repository goes in the %HOME% directory. + var azureWebSitesKeysFolder = FileSystemXmlRepository.GetKeyStorageDirectoryForAzureWebSites(); + if (azureWebSitesKeysFolder != null) + { + _logger.UsingAzureAsKeyRepository(azureWebSitesKeysFolder.FullName); + + // Cloud DPAPI isn't yet available, so we don't encrypt keys at rest. + // This isn't all that different than what Azure Web Sites does today, and we can always add this later. + repository = new FileSystemXmlRepository(azureWebSitesKeysFolder, _loggerFactory); + } + else + { + // If the user profile is available, store keys in the user profile directory. + var localAppDataKeysFolder = FileSystemXmlRepository.DefaultKeyStorageDirectory; + if (localAppDataKeysFolder != null) + { + if (OSVersionUtil.IsWindows()) + { + // If the user profile is available, we can protect using DPAPI. + // Probe to see if protecting to local user is available, and use it as the default if so. 
+ encryptor = new DpapiXmlEncryptor( + protectToLocalMachine: !DpapiSecretSerializerHelper.CanProtectToCurrentUserAccount(), + loggerFactory: _loggerFactory); + } + repository = new FileSystemXmlRepository(localAppDataKeysFolder, _loggerFactory); + + if (encryptor != null) + { + _logger.UsingProfileAsKeyRepositoryWithDPAPI(localAppDataKeysFolder.FullName); + } + else + { + _logger.UsingProfileAsKeyRepository(localAppDataKeysFolder.FullName); + } + } + else + { + // Use profile isn't available - can we use the HKLM registry? + RegistryKey regKeyStorageKey = null; + if (OSVersionUtil.IsWindows()) + { + regKeyStorageKey = RegistryXmlRepository.DefaultRegistryKey; + } + if (regKeyStorageKey != null) + { + // If the user profile isn't available, we can protect using DPAPI (to machine). + encryptor = new DpapiXmlEncryptor(protectToLocalMachine: true, loggerFactory: _loggerFactory); + repository = new RegistryXmlRepository(regKeyStorageKey, _loggerFactory); + + _logger.UsingRegistryAsKeyRepositoryWithDPAPI(regKeyStorageKey.Name); + } + else + { + // Final fallback - use an ephemeral repository since we don't know where else to go. + // This can only be used for development scenarios. + repository = new EphemeralXmlRepository(_loggerFactory); + + _logger.UsingEphemeralKeyRepository(); + } + } + } + + return new KeyValuePair(repository, encryptor); + } + + private sealed class AggregateKeyEscrowSink : IKeyEscrowSink + { + private readonly IList _sinks; + + public AggregateKeyEscrowSink(IList sinks) + { + _sinks = sinks; + } + + public void Store(Guid keyId, XElement element) + { + foreach (var sink in _sinks) + { + sink.Store(keyId, element); + } + } + } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs index 287746ea82..c2db503dab 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs 
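Review bot: `GetFallbackKeyRepositoryEncryptorPair` has no doc comment, and two of its branches return a null encryptor, so key material is written to disk unencrypted: the Azure Web Sites branch (as its inline comment says) and the user-profile branch on non-Windows hosts, where `encryptor` is only assigned inside `if (OSVersionUtil.IsWindows())`. I would add a summary listing the four outcomes in order (Azure folder without encryption, profile folder with DPAPI on Windows only, HKLM registry with machine DPAPI, ephemeral in-memory) and stating that encryption at rest in the unencrypted cases requires an explicitly configured `XmlEncryptor`. A comment on the non-Windows path such as `// No DPAPI off Windows: keys in the profile directory are stored in plaintext.` would make that visible at the branch. The severity of the `UsingProfileAsKeyRepository` and `UsingEphemeralKeyRepository` log calls is not visible in this hunk; both are worth confirming as warnings.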
+++ b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs @@ -394,6 +394,22 @@ namespace Microsoft.AspNetCore.DataProtection return string.Format(CultureInfo.CurrentCulture, GetString("LifetimeMustNotBeNegative"), p0); } + /// + /// The '{0}' instance could not be found. When an '{1}' instance is set, a corresponding '{0}' instance must also be set. + /// + internal static string XmlKeyManager_IXmlRepositoryNotFound + { + get { return GetString("XmlKeyManager_IXmlRepositoryNotFound"); } + } + + /// + /// The '{0}' instance could not be found. When an '{1}' instance is set, a corresponding '{0}' instance must also be set. + /// + internal static string FormatXmlKeyManager_IXmlRepositoryNotFound(object p0, object p1) + { + return string.Format(CultureInfo.CurrentCulture, GetString("XmlKeyManager_IXmlRepositoryNotFound"), p0, p1); + } + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); diff --git a/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs b/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs index 10c936b6ba..9d76aaac49 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs 
@@ -12,13 +12,13 @@ namespace Microsoft.AspNetCore.DataProtection private const string To = "Microsoft.AspNetCore.DataProtection"; private readonly ILogger _logger; - public RC1ForwardingActivator(IServiceProvider services) : this(services, null) + public RC1ForwardingActivator(IServiceProvider services) : this(services, DataProtectionProviderFactory.GetDefaultLoggerFactory()) { } public RC1ForwardingActivator(IServiceProvider services, ILoggerFactory loggerFactory) : base(services) { - _logger = loggerFactory?.CreateLogger(typeof(RC1ForwardingActivator)); + _logger = loggerFactory.CreateLogger(typeof(RC1ForwardingActivator)); } public override object CreateInstance(Type expectedBaseType, string implementationTypeName) @@ -29,7 +29,7 @@ namespace Microsoft.AspNetCore.DataProtection var type = Type.GetType(forwardedImplementationTypeName, false); if (type != null) { - _logger?.LogDebug("Forwarded activator type request from {FromType} to {ToType}", + _logger.LogDebug("Forwarded activator type request from {FromType} to {ToType}", implementationTypeName, forwardedImplementationTypeName); diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs new file mode 100644 index 0000000000..5617ce78f6 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs 
@@ -0,0 +1,28 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Collections.Generic; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.KeyManagement; + +namespace Microsoft.AspNetCore.DataProtection +{ + internal class RegistryPolicy + { + public RegistryPolicy( + AlgorithmConfiguration configuration, + IEnumerable keyEscrowSinks, + int? defaultKeyLifetime) + { + EncryptorConfiguration = configuration; + KeyEscrowSinks = keyEscrowSinks; + DefaultKeyLifetime = defaultKeyLifetime; + } + + public AlgorithmConfiguration EncryptorConfiguration { get; } + + public IEnumerable KeyEscrowSinks { get; } + + public int? DefaultKeyLifetime { get; } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs index 31c44f66ea..da5b3357e6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs @@ -7,9 +7,10 @@ using System.Globalization; using System.Linq; using System.Reflection; using Microsoft.AspNetCore.Cryptography; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; using Microsoft.Win32; namespace Microsoft.AspNetCore.DataProtection 
@@ -19,11 +20,22 @@ namespace Microsoft.AspNetCore.DataProtection /// internal sealed class RegistryPolicyResolver { - private readonly RegistryKey _policyRegKey; + private readonly Func _getPolicyRegKey; + private readonly IActivator _activator; + private readonly ILoggerFactory _loggerFactory; - internal RegistryPolicyResolver(RegistryKey policyRegKey) + public RegistryPolicyResolver(IActivator activator, ILoggerFactory loggerFactory) { - _policyRegKey = policyRegKey; + _getPolicyRegKey = () => Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection"); + _activator = activator; + _loggerFactory = loggerFactory; + } + + internal RegistryPolicyResolver(RegistryKey policyRegKey, IActivator activator, ILoggerFactory loggerFactory) + { + _getPolicyRegKey = () => policyRegKey; + _activator = activator; + _loggerFactory = loggerFactory; } // populates an options object from values stored in the registry @@ -59,11 +71,11 @@ namespace Microsoft.AspNetCore.DataProtection private static List ReadKeyEscrowSinks(RegistryKey key) { - List sinks = new List(); + var sinks = new List(); // The format of this key is "type1; type2; ...". // We call Type.GetType to perform an eager check that the type exists. - string sinksFromRegistry = (string)key.GetValue("KeyEscrowSinks"); + var sinksFromRegistry = (string)key.GetValue("KeyEscrowSinks"); if (sinksFromRegistry != null) { foreach (string sinkFromRegistry in sinksFromRegistry.Split(';')) 
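Review bot: The internal `RegistryPolicyResolver` constructor captures the caller's key as `() => policyRegKey`, but `ResolvePolicy` in a later hunk wraps the delegate's result in `using`, so the resolver now disposes a `RegistryKey` it did not open. A second `ResolvePolicy` call on the same resolver, or any later use of the key by the caller, would hit a disposed handle. Either document the transfer on the internal constructor, e.g. `// Takes ownership: ResolvePolicy disposes policyRegKey.`, or dispose only the key opened by the public constructor's delegate.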
@@ -81,69 +93,60 @@ namespace Microsoft.AspNetCore.DataProtection } /// - /// Returns an array of s from the default registry location. + /// Returns a from the default registry location. /// - public static ServiceDescriptor[] ResolveDefaultPolicy() + public static RegistryPolicy ResolveDefaultPolicy(IActivator activator, ILoggerFactory loggerFactory) { - var subKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection"); - if (subKey != null) + return new RegistryPolicyResolver(activator, loggerFactory).ResolvePolicy(); + } + + internal RegistryPolicy ResolvePolicy() + { + using (var registryKey = _getPolicyRegKey()) { - using (subKey) - { - return new RegistryPolicyResolver(subKey).ResolvePolicy(); - } - } - else - { - return new ServiceDescriptor[0]; + return ResolvePolicyCore(registryKey); // fully evaluate enumeration while the reg key is open } } - internal ServiceDescriptor[] ResolvePolicy() + private RegistryPolicy ResolvePolicyCore(RegistryKey policyRegKey) { - return ResolvePolicyCore().ToArray(); // fully evaluate enumeration while the reg key is open - } + if (policyRegKey == null) + { + return null; + } - private IEnumerable ResolvePolicyCore() - { // Read the encryption options type: CNG-CBC, CNG-GCM, Managed - IInternalAuthenticatedEncryptionSettings options = null; - string encryptionType = (string)_policyRegKey.GetValue("EncryptionType"); + AlgorithmConfiguration configuration = null; + + var encryptionType = (string)policyRegKey.GetValue("EncryptionType"); if (String.Equals(encryptionType, "CNG-CBC", StringComparison.OrdinalIgnoreCase)) { - options = new CngCbcAuthenticatedEncryptionSettings(); + configuration = new CngCbcAuthenticatedEncryptorConfiguration(); } else if (String.Equals(encryptionType, "CNG-GCM", StringComparison.OrdinalIgnoreCase)) { - options = new CngGcmAuthenticatedEncryptionSettings(); + configuration = new CngGcmAuthenticatedEncryptorConfiguration(); } else if 
(String.Equals(encryptionType, "Managed", StringComparison.OrdinalIgnoreCase)) { - options = new ManagedAuthenticatedEncryptionSettings(); + configuration = new ManagedAuthenticatedEncryptorConfiguration(); } else if (!String.IsNullOrEmpty(encryptionType)) { throw CryptoUtil.Fail("Unrecognized EncryptionType: " + encryptionType); } - if (options != null) + if (configuration != null) { - PopulateOptions(options, _policyRegKey); - yield return DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(options); + PopulateOptions(configuration, policyRegKey); } // Read ancillary data - int? defaultKeyLifetime = (int?)_policyRegKey.GetValue("DefaultKeyLifetime"); - if (defaultKeyLifetime.HasValue) - { - yield return DataProtectionServiceDescriptors.ConfigureOptions_DefaultKeyLifetime(defaultKeyLifetime.Value); - } + var defaultKeyLifetime = (int?)policyRegKey.GetValue("DefaultKeyLifetime"); - var keyEscrowSinks = ReadKeyEscrowSinks(_policyRegKey); - foreach (var keyEscrowSink in keyEscrowSinks) - { - yield return DataProtectionServiceDescriptors.IKeyEscrowSink_FromTypeName(keyEscrowSink); - } + var keyEscrowSinks = ReadKeyEscrowSinks(policyRegKey).Select(item => _activator.CreateInstance(item)); + + return new RegistryPolicy(configuration, keyEscrowSinks, defaultKeyLifetime); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs index e5f0f9379b..17c7156b8d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs 
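Review bot: The `Select` that builds `keyEscrowSinks` in `ResolvePolicyCore` is deferred, so no sink is activated inside the `using` in `ResolvePolicy`, despite the comment there about fully evaluating the enumeration. Each enumeration of `RegistryPolicy.KeyEscrowSinks` would create a fresh set of sink instances, and an activation failure for a type name read from the registry surfaces wherever the sequence is first enumerated rather than at policy resolution. Materialising it keeps the failure here: `var keyEscrowSinks = ReadKeyEscrowSinks(policyRegKey).Select(item => _activator.CreateInstance(item)).ToList();`. `ResolvePolicyCore` also returns null when the key is absent, where the old `ResolveDefaultPolicy` returned an empty array, so callers outside this hunk need a null check.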
@@ -17,10 +17,10 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { private readonly List _storedElements = new List(); - public EphemeralXmlRepository(IServiceProvider services) + public EphemeralXmlRepository(ILoggerFactory loggerFactory) { - var logger = services?.GetLogger(); - logger?.UsingInmemoryRepository(); + var logger = loggerFactory.CreateLogger(); + logger.UsingInmemoryRepository(); } public virtual IReadOnlyCollection GetAllElements() diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index fc47f43778..696e54bcae 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -24,21 +24,8 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// Creates a with keys stored at the given directory. /// /// The directory in which to persist key material. - public FileSystemXmlRepository(DirectoryInfo directory) - : this(directory, services: null) - { - if (directory == null) - { - throw new ArgumentNullException(nameof(directory)); - } - } - - /// - /// Creates a with keys stored at the given directory. - /// - /// The directory in which to persist key material. - /// An optional to provide ancillary services. - public FileSystemXmlRepository(DirectoryInfo directory, IServiceProvider services) + /// The . + public FileSystemXmlRepository(DirectoryInfo directory, ILoggerFactory loggerFactory) { if (directory == null) { @@ -46,8 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories } Directory = directory; - Services = services; - _logger = services?.GetLogger(); + _logger = loggerFactory.CreateLogger(); } /// 
@@ -65,11 +51,6 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// public DirectoryInfo Directory { get; } - /// - /// The provided to the constructor. - /// - protected IServiceProvider Services { get; } - private const string DataProtectionKeysFolderName = "DataProtection-Keys"; private static DirectoryInfo GetKeyStorageDirectoryFromBaseAppDataPath(string basePath) @@ -185,7 +166,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private XElement ReadElementFromFile(string fullPath) { - _logger?.ReadingDataFromFile(fullPath); + _logger.ReadingDataFromFile(fullPath); using (var fileStream = File.OpenRead(fullPath)) { @@ -203,7 +184,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories if (!IsSafeFilename(friendlyName)) { var newFriendlyName = Guid.NewGuid().ToString(); - _logger?.NameIsNotSafeFileName(friendlyName, newFriendlyName); + _logger.NameIsNotSafeFileName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } @@ -229,7 +210,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories // Once the file has been fully written, perform the rename. // Renames are atomic operations on the file systems we support. - _logger?.WritingDataToFile(finalFilename); + _logger.WritingDataToFile(finalFilename); File.Move(tempFilename, finalFilename); } finally diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs index fa237c6f7e..7692d1ccb5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs 
@@ -3,14 +3,13 @@ using System; using System.Collections.Generic; +using System.Globalization; using System.Linq; using System.Security.Principal; using System.Xml.Linq; using Microsoft.Extensions.Logging; using Microsoft.Win32; -using static System.FormattableString; - namespace Microsoft.AspNetCore.DataProtection.Repositories { /// @@ -26,21 +25,8 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// Creates a with keys stored in the given registry key. /// /// The registry key in which to persist key material. - public RegistryXmlRepository(RegistryKey registryKey) - : this(registryKey, services: null) - { - if (registryKey == null) - { - throw new ArgumentNullException(nameof(registryKey)); - } - } - - /// - /// Creates a with keys stored in the given registry key. - /// - /// The registry key in which to persist key material. - /// The used to resolve services. - public RegistryXmlRepository(RegistryKey registryKey, IServiceProvider services) + /// The . + public RegistryXmlRepository(RegistryKey registryKey, ILoggerFactory loggerFactory) { if (registryKey == null) { @@ -48,8 +34,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories } RegistryKey = registryKey; - Services = services; - _logger = services?.GetLogger(); + _logger = loggerFactory.CreateLogger(); } /// @@ -67,11 +52,6 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// public RegistryKey RegistryKey { get; } - /// - /// The provided to the constructor. - /// - protected IServiceProvider Services { get; } - public virtual IReadOnlyCollection GetAllElements() { // forces complete enumeration 
@@ -107,7 +87,11 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories // Even though this is in HKLM, WAS ensures that applications hosted in IIS are properly isolated. // See APP_POOL::EnsureSharedMachineKeyStorage in WAS source for more info. // The version number will need to change if IIS hosts Core CLR directly. - var aspnetAutoGenKeysBaseKeyName = Invariant($@"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{WindowsIdentity.GetCurrent().User.Value}"); + var aspnetAutoGenKeysBaseKeyName = string.Format( + CultureInfo.InvariantCulture, + @"SOFTWARE\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeys\{0}", + WindowsIdentity.GetCurrent().User.Value); + var aspnetBaseKey = hklmBaseKey.OpenSubKey(aspnetAutoGenKeysBaseKeyName, writable: true); if (aspnetBaseKey != null) { @@ -141,7 +125,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private XElement ReadElementFromRegKey(RegistryKey regKey, string valueName) { - _logger?.ReadingDataFromRegistryKeyValue(regKey, valueName); + _logger.ReadingDataFromRegistryKeyValue(regKey, valueName); var data = regKey.GetValue(valueName) as string; return (!String.IsNullOrEmpty(data)) ? XElement.Parse(data) : null; @@ -157,7 +141,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories if (!IsSafeRegistryValueName(friendlyName)) { var newFriendlyName = Guid.NewGuid().ToString(); - _logger?.NameIsNotSafeRegistryValueName(friendlyName, newFriendlyName); + _logger.NameIsNotSafeRegistryValueName(friendlyName, newFriendlyName); friendlyName = newFriendlyName; } diff --git a/src/Microsoft.AspNetCore.DataProtection/Resources.resx b/src/Microsoft.AspNetCore.DataProtection/Resources.resx index e45b22742d..292ec05625 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Resources.resx +++ b/src/Microsoft.AspNetCore.DataProtection/Resources.resx 
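Review bot: `WindowsIdentity.GetCurrent()` in the rewritten `string.Format` call returns a disposable identity that is never disposed. `.User` is also dereferenced without a null check, and it can presumably be null for an anonymous identity. The `DpapiNGXmlEncryptor` hunk later in this commit already wraps the same lookup in `using (var currentIdentity = WindowsIdentity.GetCurrent())`; doing the same here releases the token handle deterministically instead of leaving it to finalization. `DpapiXmlEncryptor` has the same undisposed call in `_logger.EncryptingToWindowsDPAPIForCurrentUserAccount(WindowsIdentity.GetCurrent().Name)`. The enclosing method starts and ends outside this hunk.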
@@ -189,4 +189,7 @@ {0} must not be negative + + The '{0}' instance could not be found. When an '{1}' instance is set, a corresponding '{0}' instance must also be set. + \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs b/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs deleted file mode 100644 index cb6120c647..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/StringInterpolation.cs +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -#if !NETSTANDARD1_3 -// These classes allow using the C# string interpolation feature from .NET 4.5.1. -// They're slimmed-down versions of the classes that exist in .NET 4.6. - -using System.Globalization; - -namespace System -{ - internal struct FormattableString - { - private readonly object[] _arguments; - public readonly string Format; - - internal FormattableString(string format, params object[] arguments) - { - Format = format; - _arguments = arguments; - } - - public object[] GetArguments() => _arguments; - - public static string Invariant(FormattableString formattable) - { - return String.Format(CultureInfo.InvariantCulture, formattable.Format, formattable.GetArguments()); - } - } -} - -namespace System.Runtime.CompilerServices -{ - internal static class FormattableStringFactory - { - public static FormattableString Create(string format, params object[] arguments) - { - return new FormattableString(format, arguments); - } - } -} - -#endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 4e7a538ea0..3bf68dcc66 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -9,7 +9,6 @@ using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; -using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.XmlEncryption @@ -23,29 +22,13 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption private readonly IInternalCertificateXmlEncryptor _encryptor; private readonly ILogger _logger; - /// - /// Creates a given a certificate's thumbprint and an - /// that can be used to resolve the certificate. - /// - /// The thumbprint (as a hex string) of the certificate with which to - /// encrypt the key material. The certificate must be locatable by . - /// A resolver which can locate objects. - public CertificateXmlEncryptor(string thumbprint, ICertificateResolver certificateResolver) - : this(thumbprint, certificateResolver, services: null) - { - } - /// /// Creates a given a certificate's thumbprint, an /// that can be used to resolve the certificate, and /// an . /// - /// The thumbprint (as a hex string) of the certificate with which to - /// encrypt the key material. The certificate must be locatable by . - /// A resolver which can locate objects. - /// An optional to provide ancillary services. - public CertificateXmlEncryptor(string thumbprint, ICertificateResolver certificateResolver, IServiceProvider services) - : this(services) + public CertificateXmlEncryptor(string thumbprint, ICertificateResolver certificateResolver, ILoggerFactory loggerFactory) + : this(loggerFactory, encryptor: null) { if (thumbprint == null) { 
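Review bot: The parameter documentation was deleted together with the old overload and nothing replaces it, so the remaining public constructor documents none of `thumbprint`, `certificateResolver` or `loggerFactory`. The `RegistryXmlRepository` hunk in this commit does add a line for `loggerFactory`, so this looks like an omission. Restore the two removed descriptions (the thumbprint is a hex string, and the certificate must be locatable by the resolver) and add one for `loggerFactory`. The unchanged summary still ends with "and an …", which presumably names the old service-provider parameter and should be updated; the tag itself is not visible in this rendering. The `X509Certificate2` overload in the next hunk lost its parameter docs the same way.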
@@ -60,23 +43,12 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption _certFactory = CreateCertFactory(thumbprint, certificateResolver); } - /// - /// Creates a given an instance. - /// - /// The with which to encrypt the key material. - public CertificateXmlEncryptor(X509Certificate2 certificate) - : this(certificate, services: null) - { - } - /// /// Creates a given an instance /// and an . /// - /// The with which to encrypt the key material. - /// An optional to provide ancillary services. - public CertificateXmlEncryptor(X509Certificate2 certificate, IServiceProvider services) - : this(services) + public CertificateXmlEncryptor(X509Certificate2 certificate, ILoggerFactory loggerFactory) + : this(loggerFactory, encryptor: null) { if (certificate == null) { @@ -86,10 +58,10 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption _certFactory = () => certificate; } - internal CertificateXmlEncryptor(IServiceProvider services) + internal CertificateXmlEncryptor(ILoggerFactory loggerFactory, IInternalCertificateXmlEncryptor encryptor) { - _encryptor = services?.GetService() ?? this; - _logger = services.GetLogger(); + _encryptor = encryptor ?? this; + _logger = loggerFactory.CreateLogger(); } /// @@ -149,7 +121,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } catch (Exception ex) { - _logger?.ExceptionWhileTryingToResolveCertificateWithThumbprint(thumbprint, ex); + _logger.ExceptionWhileTryingToResolveCertificateWithThumbprint(thumbprint, ex); throw; } @@ -161,7 +133,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var cert = _certFactory() ?? CryptoUtil.Fail("Cert factory returned null."); - _logger?.EncryptingToX509CertificateWithThumbprint(cert.Thumbprint); + _logger.EncryptingToX509CertificateWithThumbprint(cert.Thumbprint); try { 
@@ -169,7 +141,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } catch (Exception ex) { - _logger?.AnErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(cert.Thumbprint, ex); + _logger.AnErrorOccurredWhileEncryptingToX509CertificateWithThumbprint(cert.Thumbprint, ex); throw; } } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs index 3ec4325edd..f5162496bb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Globalization; using System.Security.Principal; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; @@ -9,8 +10,6 @@ using Microsoft.AspNetCore.Cryptography.SafeHandles; using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.Extensions.Logging; -using static System.FormattableString; - namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { /// 
@@ -29,18 +28,8 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// /// The rule string from which to create the protection descriptor. /// Flags controlling the creation of the protection descriptor. - public DpapiNGXmlEncryptor(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags) - : this(protectionDescriptorRule, flags, services: null) - { - } - - /// - /// Creates a new instance of a . - /// - /// The rule string from which to create the protection descriptor. - /// Flags controlling the creation of the protection descriptor. - /// An optional to provide ancillary services. - public DpapiNGXmlEncryptor(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags, IServiceProvider services) + /// The . + public DpapiNGXmlEncryptor(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags, ILoggerFactory loggerFactory) { if (protectionDescriptorRule == null) { @@ -53,7 +42,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption UnsafeNativeMethods.ThrowExceptionForNCryptStatus(ntstatus); CryptoUtil.AssertSafeHandleIsValid(_protectionDescriptorHandle); - _logger = services.GetLogger(); + _logger = loggerFactory.CreateLogger(); } /// @@ -73,7 +62,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } var protectionDescriptorRuleString = _protectionDescriptorHandle.GetProtectionDescriptorRuleString(); - _logger?.EncryptingToWindowsDPAPINGUsingProtectionDescriptorRule(protectionDescriptorRuleString); + _logger.EncryptingToWindowsDPAPINGUsingProtectionDescriptorRule(protectionDescriptorRuleString); // Convert the XML element to a binary secret so that it can be run through DPAPI byte[] cngDpapiEncryptedData; @@ -86,7 +75,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } catch (Exception ex) { - _logger?.ErrorOccurredWhileEncryptingToWindowsDPAPING(ex); + _logger.ErrorOccurredWhileEncryptingToWindowsDPAPING(ex); throw; } 
@@ -118,7 +107,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption using (var currentIdentity = WindowsIdentity.GetCurrent()) { // use the SID to create an SDDL string - return Invariant($"SID={currentIdentity.User.Value}"); + return string.Format(CultureInfo.InvariantCulture, "SID={0}", currentIdentity.User.Value); } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs index 5b216ec581..d7fa2d7b1b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs @@ -21,28 +21,18 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption private readonly ILogger _logger; private readonly bool _protectToLocalMachine; - /// - /// Creates a given a protection scope. - /// - /// 'true' if the data should be decipherable by anybody on the local machine, - /// 'false' if the data should only be decipherable by the current Windows user account. - public DpapiXmlEncryptor(bool protectToLocalMachine) - : this(protectToLocalMachine, services: null) - { - } - /// /// Creates a given a protection scope and an . /// /// 'true' if the data should be decipherable by anybody on the local machine, /// 'false' if the data should only be decipherable by the current Windows user account. - /// An optional to provide ancillary services. - public DpapiXmlEncryptor(bool protectToLocalMachine, IServiceProvider services) + /// The . + public DpapiXmlEncryptor(bool protectToLocalMachine, ILoggerFactory loggerFactory) { CryptoUtil.AssertPlatformIsWindows(); _protectToLocalMachine = protectToLocalMachine; - _logger = services.GetLogger(); + _logger = loggerFactory.CreateLogger(); } /// 
@@ -62,11 +52,11 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } if (_protectToLocalMachine) { - _logger?.EncryptingToWindowsDPAPIForLocalMachineAccount(); + _logger.EncryptingToWindowsDPAPIForLocalMachineAccount(); } else { - _logger?.EncryptingToWindowsDPAPIForCurrentUserAccount(WindowsIdentity.GetCurrent().Name); + _logger.EncryptingToWindowsDPAPIForCurrentUserAccount(WindowsIdentity.GetCurrent().Name); } // Convert the XML element to a binary secret so that it can be run through DPAPI @@ -80,7 +70,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } catch (Exception ex) { - _logger?.ErrorOccurredWhileEncryptingToWindowsDPAPI(ex); + _logger.ErrorOccurredWhileEncryptingToWindowsDPAPI(ex); throw; } diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 832db33230..ec9c8b6437 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -21,4 +21,8 @@ + + + + diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index 041fc58a66..d2be0cffdb 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -21,4 +21,8 @@ + + + + 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 6ecaf250d8..263dddece7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -21,4 +21,8 @@ + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index ddb87f8ec0..1aeefb1e4b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -20,4 +20,8 @@ + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 5c62910ca1..36750335a7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -21,4 +21,8 @@ + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs index be9b19c27a..45f8175615 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs @@ -5,6 +5,7 @@ using System; using System.Globalization; using System.Security.Cryptography; using Microsoft.AspNetCore.DataProtection.Extensions; +using Microsoft.Extensions.Logging.Abstractions; using Moq; using Xunit; @@ -152,7 +153,7 @@ namespace Microsoft.AspNetCore.DataProtection public void RoundTrip_ProtectedData() { // Arrange - var ephemeralProtector = new EphemeralDataProtectionProvider().CreateProtector("my purpose"); + var ephemeralProtector = new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("my purpose"); var timeLimitedProtector = new TimeLimitedDataProtector(ephemeralProtector); var expectedExpiration = StringToDateTime("2020-01-01 00:00:00Z"); diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index e1c3d0cb86..39ba6b87ea 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -21,4 +21,8 @@ + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs new file mode 100644 index 0000000000..2b13d7990c --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs 
@@ -0,0 +1,52 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; +using Moq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption +{ + public class CngCbcAuthenticatedEncryptorFactoryTest + { + [Fact] + public void CreateEncrptorInstance_UnknownDescriptorType_ReturnsNull() + { + // Arrange + var key = new Mock(); + key.Setup(k => k.Descriptor).Returns(new Mock().Object); + + var factory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + // Act + var encryptor = factory.CreateEncryptorInstance(key.Object); + + // Assert + Assert.Null(encryptor); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void CreateEncrptorInstance_ExpectedDescriptorType_ReturnsEncryptor() + { + // Arrange + var descriptor = new CngCbcAuthenticatedEncryptorConfiguration().CreateNewDescriptor(); + var key = new Mock(); + key.Setup(k => k.Descriptor).Returns(descriptor); + + var factory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + // Act + var encryptor = factory.CreateEncryptorInstance(key.Object); + + // Assert + Assert.NotNull(encryptor); + Assert.IsType(encryptor); + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs new file mode 100644 index 0000000000..e641705f3a --- /dev/null 
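Review bot: Both test names are misspelled as `CreateEncrptorInstance_…`. They should read `CreateEncryptorInstance_UnknownDescriptorType_ReturnsNull` and `CreateEncryptorInstance_ExpectedDescriptorType_ReturnsEncryptor`, matching the `CreateEncryptorInstance` method under test. The new `CngGcmAuthenticatedEncryptorFactoryTest` file that follows repeats the same spelling.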
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs @@ -0,0 +1,52 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.Test.Shared; +using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; +using Moq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption +{ + public class CngGcmAuthenticatedEncryptorFactoryTest + { + [Fact] + public void CreateEncrptorInstance_UnknownDescriptorType_ReturnsNull() + { + // Arrange + var key = new Mock(); + key.Setup(k => k.Descriptor).Returns(new Mock().Object); + + var factory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + // Act + var encryptor = factory.CreateEncryptorInstance(key.Object); + + // Assert + Assert.Null(encryptor); + } + + [ConditionalFact] + [ConditionalRunTestOnlyOnWindows] + public void CreateEncrptorInstance_ExpectedDescriptorType_ReturnsEncryptor() + { + // Arrange + var descriptor = new CngGcmAuthenticatedEncryptorConfiguration().CreateNewDescriptor(); + var key = new Mock(); + key.Setup(k => k.Descriptor).Returns(descriptor); + + var factory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + // Act + var encryptor = factory.CreateEncryptorInstance(key.Object); + + // Assert + Assert.NotNull(encryptor); + Assert.IsType(encryptor); + } + } +} 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs index ad79a1e2ec..9264566756 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -3,6 +3,8 @@ using System; using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel @@ -13,13 +15,14 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void ImportFromXml_Cbc_CreatesAppropriateDescriptor() { // Arrange - var control = new AuthenticatedEncryptorDescriptor( - new AuthenticatedEncryptionSettings() + var descriptor = new AuthenticatedEncryptorDescriptor( + new AuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm = ValidationAlgorithm.HMACSHA512 }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + var control = CreateEncryptorInstanceFromDescriptor(descriptor); const string xml = @" 
@@ -27,7 +30,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== "; - var test = new AuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + var deserializedDescriptor = new AuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); + var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as AuthenticatedEncryptorDescriptor); // Act & assert byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; @@ -36,5 +40,19 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); Assert.Equal(plaintext, roundTripPlaintext); } + + private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(AuthenticatedEncryptorDescriptor descriptor) + { + var key = new Key( + Guid.NewGuid(), + DateTimeOffset.Now, + DateTimeOffset.Now + TimeSpan.FromHours(1), + DateTimeOffset.Now + TimeSpan.FromDays(30), + descriptor); + + var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + return encryptorFactory.CreateEncryptorInstance(key); + } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs index 96a16dcc73..54b977c845 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs 
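Review bot: `deserializedDescriptor as AuthenticatedEncryptorDescriptor` turns an unexpected return type into null, so a regression in `ImportFromXml` would surface as a null failure inside the helper rather than as a clear assertion. Asserting the type states the expectation directly: `var test = CreateEncryptorInstanceFromDescriptor(Assert.IsType<AuthenticatedEncryptorDescriptor>(deserializedDescriptor));`. The CngCbc deserializer test later in this commit uses the same `as` cast.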
@@ -8,9 +8,11 @@ using System.Text.RegularExpressions; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.Cryptography.SafeHandles; using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.Managed; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel @@ -38,7 +40,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC, symmetricAlgorithmKeySizeInBytes: (uint)(keyLengthInBits / 8), hmacAlgorithmHandle: BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hmac: true)); - var test = CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey).CreateEncryptorInstance(); + var test = CreateEncryptorInstanceFromDescriptor(CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey)); // Act & assert - data round trips properly from control to test byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; @@ -64,7 +66,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat keyDerivationKey: masterKey, symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_GCM, symmetricAlgorithmKeySizeInBytes: (uint)(keyLengthInBits / 8)); - var test = CreateDescriptor(encryptionAlgorithm, ValidationAlgorithm.HMACSHA256 /* unused */, masterKey).CreateEncryptorInstance(); + var test = CreateEncryptorInstanceFromDescriptor(CreateDescriptor(encryptionAlgorithm, ValidationAlgorithm.HMACSHA256 /* unused */, masterKey)); // Act & assert - data round trips properly from control to test byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; 
@@ -102,7 +104,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat symmetricAlgorithmFactory: () => Aes.Create(), symmetricAlgorithmKeySizeInBytes: keyLengthInBits / 8, validationAlgorithmFactory: validationAlgorithmFactory); - var test = CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey).CreateEncryptorInstance(); + var test = CreateEncryptorInstanceFromDescriptor(CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey)); // Act & assert - data round trips properly from control to test byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; @@ -160,11 +162,26 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat private static AuthenticatedEncryptorDescriptor CreateDescriptor(EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm, ISecret masterKey) { - return new AuthenticatedEncryptorDescriptor(new AuthenticatedEncryptionSettings() + return new AuthenticatedEncryptorDescriptor(new AuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = encryptionAlgorithm, ValidationAlgorithm = validationAlgorithm }, masterKey); } + + private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(AuthenticatedEncryptorDescriptor descriptor) + { + // Dummy key with the specified descriptor. + var key = new Key( + Guid.NewGuid(), + DateTimeOffset.Now, + DateTimeOffset.Now + TimeSpan.FromHours(1), + DateTimeOffset.Now + TimeSpan.FromDays(30), + descriptor); + + var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + return encryptorFactory.CreateEncryptorInstance(key); + } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs index d3e125010e..9be301495e 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs @@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() { // Arrange - var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings()); + var configuration = new CngCbcAuthenticatedEncryptorConfiguration(); // Act var masterKey1 = ((CngCbcAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; @@ -28,13 +28,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_PropagatesOptions() { // Arrange - var configuration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings()); + var configuration = new CngCbcAuthenticatedEncryptorConfiguration(); // Act var descriptor = (CngCbcAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); // Assert - Assert.Equal(configuration.Settings, descriptor.Settings); + Assert.Equal(configuration, descriptor.Configuration); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs index cffbb27908..51897e64e9 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs 
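Review bot: `Assert.Equal(configuration, descriptor.Configuration)` in `CreateNewDescriptor_PropagatesOptions` does not say whether the descriptor is expected to hold the same instance or an equal copy. Unless the configuration type overrides equality (not visible here), this is a reference comparison, and `Assert.Same(configuration, descriptor.Configuration);` would state that intent. The configuration is default-constructed, so setting a non-default option before calling `CreateNewDescriptor` would make the test exercise propagation rather than defaults.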
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -4,8 +4,10 @@ using System; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel @@ -17,8 +19,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void ImportFromXml_CreatesAppropriateDescriptor() { // Arrange - var control = new CngCbcAuthenticatedEncryptorDescriptor( - new CngCbcAuthenticatedEncryptionSettings() + var descriptor = new CngCbcAuthenticatedEncryptorDescriptor( + new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = Constants.BCRYPT_AES_ALGORITHM, EncryptionAlgorithmKeySize = 192, @@ -26,7 +28,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat HashAlgorithm = Constants.BCRYPT_SHA512_ALGORITHM, HashAlgorithmProvider = null }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + var control = CreateEncryptorInstanceFromDescriptor(descriptor); const string xml = @" 
@@ -34,7 +37,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== "; - var test = new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + var deserializedDescriptor = new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); + var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngCbcAuthenticatedEncryptorDescriptor); // Act & assert byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; @@ -43,5 +47,19 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); Assert.Equal(plaintext, roundTripPlaintext); } + + private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(CngCbcAuthenticatedEncryptorDescriptor descriptor) + { + var key = new Key( + Guid.NewGuid(), + DateTimeOffset.Now, + DateTimeOffset.Now + TimeSpan.FromHours(1), + DateTimeOffset.Now + TimeSpan.FromDays(30), + descriptor); + + var encryptorFactory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + return encryptorFactory.CreateEncryptorInstance(key); + } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs index beb176d589..090465fb13 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs 
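Review bot: The `as CngCbcAuthenticatedEncryptorDescriptor` cast on the deserialized descriptor is unchecked. If `ImportFromXml` ever returns a different descriptor type, the helper receives null and the test presumably fails somewhere inside key or encryptor construction instead of at the type expectation the test name promises. Asserting the type gives a direct failure: `var deserializedDescriptor = Assert.IsType<CngCbcAuthenticatedEncryptorDescriptor>(new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)));`. The same unchecked `as` cast appears in the CngGcm deserializer test and in both Managed deserializer tests in this commit. The test method starts before this hunk and continues after it.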
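Review bot: The new `CreateEncryptorInstanceFromDescriptor` helper passes three adjacent `DateTimeOffset` values to `Key` positionally and reads `DateTimeOffset.Now` three times, so the creation/activation/expiration order is easy to transpose without the compiler noticing. The CngGcm copy of this helper in the same commit already uses named arguments (`creationDate:`, `activationDate:`, `expirationDate:`). Using that form here and in the Managed copy, with a single `var now = DateTimeOffset.Now;`, would keep the three copies consistent. The activation date is an hour in the future, so the encryptor is built from a key that is not yet active; if that is deliberate, a one-line comment saying so would help.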
@@ -13,7 +13,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionSettings() + var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, @@ -43,7 +43,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptionSettings() + var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs index a5b84d7d3f..e70460cf40 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs 
@@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() { // Arrange - var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings()); + var configuration = new CngGcmAuthenticatedEncryptorConfiguration(); // Act var masterKey1 = ((CngGcmAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; @@ -28,13 +28,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_PropagatesOptions() { // Arrange - var configuration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings()); + var configuration = new CngGcmAuthenticatedEncryptorConfiguration(); // Act var descriptor = (CngGcmAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); // Assert - Assert.Equal(configuration.Settings, descriptor.Settings); + Assert.Equal(configuration, descriptor.Configuration); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs index cbb10767ed..6adbdcc1d3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs 
@@ -4,8 +4,10 @@ using System; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel @@ -17,21 +19,23 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void ImportFromXml_CreatesAppropriateDescriptor() { // Arrange - var control = new CngGcmAuthenticatedEncryptorDescriptor( - new CngGcmAuthenticatedEncryptionSettings() + var descriptor = new CngGcmAuthenticatedEncryptorDescriptor( + new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = Constants.BCRYPT_AES_ALGORITHM, EncryptionAlgorithmKeySize = 192, EncryptionAlgorithmProvider = null }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + var control = CreateEncryptorInstanceFromDescriptor(descriptor); const string xml = @" k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== "; - var test = new CngGcmAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + var deserializedDescriptor = new CngGcmAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); + var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngGcmAuthenticatedEncryptorDescriptor); // Act & assert byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; 
@@ -40,5 +44,19 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); Assert.Equal(plaintext, roundTripPlaintext); } + + private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(CngGcmAuthenticatedEncryptorDescriptor descriptor) + { + var key = new Key( + keyId: Guid.NewGuid(), + creationDate: DateTimeOffset.Now, + activationDate: DateTimeOffset.Now + TimeSpan.FromHours(1), + expirationDate: DateTimeOffset.Now + TimeSpan.FromDays(30), + descriptor: descriptor); + + var encryptorFactory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + return encryptorFactory.CreateEncryptorInstance(key); + } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs index 57334b35ac..933f7e7d85 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs @@ -13,7 +13,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionSettings() + var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, 
@@ -40,7 +40,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptionSettings() + var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs index d851234bf6..6dbc4b7fea 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs @@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() { // Arrange - var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings()); + var configuration = new ManagedAuthenticatedEncryptorConfiguration(); // Act var masterKey1 = ((ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; 
@@ -28,13 +28,13 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void CreateNewDescriptor_PropagatesOptions() { // Arrange - var configuration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings()); + var configuration = new ManagedAuthenticatedEncryptorConfiguration(); // Act var descriptor = (ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); // Assert - Assert.Equal(configuration.Settings, descriptor.Settings); + Assert.Equal(configuration, descriptor.Configuration); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs index a79fc1c613..9a5162cce1 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -4,6 +4,8 @@ using System; using System.Security.Cryptography; using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel 
@@ -18,16 +20,17 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void ImportFromXml_BuiltInTypes_CreatesAppropriateDescriptor(Type encryptionAlgorithmType, Type validationAlgorithmType) { // Arrange - var control = new ManagedAuthenticatedEncryptorDescriptor( - new ManagedAuthenticatedEncryptionSettings() + var descriptor = new ManagedAuthenticatedEncryptorDescriptor( + new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = encryptionAlgorithmType, EncryptionAlgorithmKeySize = 192, ValidationAlgorithmType = validationAlgorithmType }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + var control = CreateEncryptorInstanceFromDescriptor(descriptor); - string xml = String.Format(@" + string xml = string.Format(@" @@ -36,7 +39,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat ", encryptionAlgorithmType.Name, validationAlgorithmType.Name); - var test = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + var deserializedDescriptor = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); + var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as ManagedAuthenticatedEncryptorDescriptor); // Act & assert byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; 
@@ -50,16 +54,17 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat public void ImportFromXml_CustomType_CreatesAppropriateDescriptor() { // Arrange - var control = new ManagedAuthenticatedEncryptorDescriptor( - new ManagedAuthenticatedEncryptionSettings() + var descriptor = new ManagedAuthenticatedEncryptorDescriptor( + new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = typeof(Aes), EncryptionAlgorithmKeySize = 192, ValidationAlgorithmType = typeof(HMACSHA384) }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()).CreateEncryptorInstance(); + "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + var control = CreateEncryptorInstanceFromDescriptor(descriptor); - string xml = String.Format(@" + string xml = string.Format(@" @@ -68,7 +73,8 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat ", typeof(Aes).AssemblyQualifiedName, typeof(HMACSHA384).AssemblyQualifiedName); - var test = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)).CreateEncryptorInstance(); + var deserializedDescriptor = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); + var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as ManagedAuthenticatedEncryptorDescriptor); // Act & assert byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 }; 
@@ -77,5 +83,19 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad)); Assert.Equal(plaintext, roundTripPlaintext); } + + private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(ManagedAuthenticatedEncryptorDescriptor descriptor) + { + var key = new Key( + Guid.NewGuid(), + DateTimeOffset.Now, + DateTimeOffset.Now + TimeSpan.FromHours(1), + DateTimeOffset.Now + TimeSpan.FromDays(30), + descriptor); + + var encryptorFactory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + return encryptorFactory.CreateEncryptorInstance(key); + } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs index 6383b7e70b..4e4f453448 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs @@ -14,7 +14,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionSettings() + var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = typeof(MySymmetricAlgorithm), EncryptionAlgorithmKeySize = 2048, 
@@ -26,7 +26,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // Assert Assert.Equal(typeof(ManagedAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - string expectedXml = String.Format(@" + string expectedXml = string.Format(@" @@ -47,7 +47,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat { // Arrange var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptionSettings() + var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = encryptionAlgorithmType, EncryptionAlgorithmKeySize = 2048, @@ -59,7 +59,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat // Assert Assert.Equal(typeof(ManagedAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - string expectedXml = String.Format(@" + string expectedXml = string.Format(@" diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs new file mode 100644 index 0000000000..ef5eae5d19 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs 
@@ -0,0 +1,50 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Cng; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.DataProtection.Managed; +using Microsoft.Extensions.Logging.Abstractions; +using Moq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption +{ + public class ManagedAuthenticatedEncryptorFactoryTest + { + [Fact] + public void CreateEncrptorInstance_UnknownDescriptorType_ReturnsNull() + { + // Arrange + var key = new Mock(); + key.Setup(k => k.Descriptor).Returns(new Mock().Object); + + var factory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + // Act + var encryptor = factory.CreateEncryptorInstance(key.Object); + + // Assert + Assert.Null(encryptor); + } + + [Fact] + public void CreateEncrptorInstance_ExpectedDescriptorType_ReturnsEncryptor() + { + // Arrange + var descriptor = new ManagedAuthenticatedEncryptorConfiguration().CreateNewDescriptor(); + var key = new Mock(); + key.Setup(k => k.Descriptor).Returns(descriptor); + + var factory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + + // Act + var encryptor = factory.CreateEncryptorInstance(key.Object); + + // Assert + Assert.NotNull(encryptor); + Assert.IsType(encryptor); + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs index 45a51e2224..dc7dc642f4 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs 
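Review bot: Both test names in this new file misspell the method under test. `CreateEncrptorInstance_UnknownDescriptorType_ReturnsNull` and `CreateEncrptorInstance_ExpectedDescriptorType_ReturnsEncryptor` should start with `CreateEncryptorInstance_`, otherwise a search for the factory method name misses its tests. The first test pins that the factory returns null for a descriptor type it does not recognise. A short comment such as `// a factory returns null for descriptors it does not own, so callers can try the next factory` would document that contract, assuming that is the intended design.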
@@ -4,6 +4,7 @@ using System; using System.Security.Cryptography; using System.Text; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection @@ -14,8 +15,8 @@ namespace Microsoft.AspNetCore.DataProtection public void DifferentProvider_SamePurpose_DoesNotRoundTripData() { // Arrange - var dataProtector1 = new EphemeralDataProtectionProvider().CreateProtector("purpose"); - var dataProtector2 = new EphemeralDataProtectionProvider().CreateProtector("purpose"); + var dataProtector1 = new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("purpose"); + var dataProtector2 = new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("purpose"); byte[] bytes = Encoding.UTF8.GetBytes("Hello there!"); // Act & assert @@ -31,7 +32,7 @@ namespace Microsoft.AspNetCore.DataProtection public void SingleProvider_DifferentPurpose_DoesNotRoundTripData() { // Arrange - var dataProtectionProvider = new EphemeralDataProtectionProvider(); + var dataProtectionProvider = new EphemeralDataProtectionProvider(NullLoggerFactory.Instance); var dataProtector1 = dataProtectionProvider.CreateProtector("purpose"); var dataProtector2 = dataProtectionProvider.CreateProtector("different purpose"); byte[] bytes = Encoding.UTF8.GetBytes("Hello there!"); @@ -48,7 +49,7 @@ namespace Microsoft.AspNetCore.DataProtection public void SingleProvider_SamePurpose_RoundTripsData() { // Arrange - var dataProtectionProvider = new EphemeralDataProtectionProvider(); + var dataProtectionProvider = new EphemeralDataProtectionProvider(NullLoggerFactory.Instance); var dataProtector1 = dataProtectionProvider.CreateProtector("purpose"); var dataProtector2 = dataProtectionProvider.CreateProtector("purpose"); // should be equivalent to the previous instance byte[] bytes = Encoding.UTF8.GetBytes("Hello there!"); 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs new file mode 100644 index 0000000000..6de0c19551 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs 
@@ -0,0 +1,155 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Runtime.InteropServices; +using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; +using Microsoft.Win32; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.Internal +{ + public class KeyManagementOptionsSetupTest + { + [Fact] + public void Configure_SetsExpectedValues() + { + // Arrange + var setup = new KeyManagementOptionsSetup(NullLoggerFactory.Instance); + var options = new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = null + }; + + // Act + setup.Configure(options); + + // Assert + Assert.Empty(options.KeyEscrowSinks); + Assert.NotNull(options.AuthenticatedEncryptorConfiguration); + Assert.IsType(options.AuthenticatedEncryptorConfiguration); + Assert.Collection( + options.AuthenticatedEncryptorFactories, + f => Assert.IsType(f), + f => Assert.IsType(f), + f => Assert.IsType(f), + f => Assert.IsType(f)); + } + + [ConditionalFact] + [ConditionalRunTestOnlyIfHkcuRegistryAvailable] + public void Configure_WithRegistryPolicyResolver_SetsValuesFromResolver() + { + // Arrange + var registryEntries = new Dictionary() + { + ["KeyEscrowSinks"] = String.Join(" ;; ; ", new Type[] { typeof(MyKeyEscrowSink1), typeof(MyKeyEscrowSink2) }.Select(t => t.AssemblyQualifiedName)), + ["EncryptionType"] = "managed", + ["DefaultKeyLifetime"] = 1024 // days + }; + var options = new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = null + }; + + // Act + RunTest(registryEntries, options); + + // 
Assert + Assert.Collection( + options.KeyEscrowSinks, + k => Assert.IsType(k), + k => Assert.IsType(k)); + Assert.Equal(TimeSpan.FromDays(1024), options.NewKeyLifetime); + Assert.NotNull(options.AuthenticatedEncryptorConfiguration); + Assert.IsType(options.AuthenticatedEncryptorConfiguration); + Assert.Collection( + options.AuthenticatedEncryptorFactories, + f => Assert.IsType(f), + f => Assert.IsType(f), + f => Assert.IsType(f), + f => Assert.IsType(f)); + } + + private static void RunTest(Dictionary regValues, KeyManagementOptions options) + { + WithUniqueTempRegKey(registryKey => + { + foreach (var entry in regValues) + { + registryKey.SetValue(entry.Key, entry.Value); + } + + var policyResolver = new RegistryPolicyResolver( + registryKey, + activator: SimpleActivator.DefaultWithoutServices, + loggerFactory: NullLoggerFactory.Instance); + + var setup = new KeyManagementOptionsSetup(NullLoggerFactory.Instance, policyResolver); + + setup.Configure(options); + }); + } + + /// + /// Runs a test and cleans up the registry key afterward. 
+ /// + private static void WithUniqueTempRegKey(Action testCode) + { + string uniqueName = Guid.NewGuid().ToString(); + var uniqueSubkey = LazyHkcuTempKey.Value.CreateSubKey(uniqueName); + try + { + testCode(uniqueSubkey); + } + finally + { + // clean up when test is done + LazyHkcuTempKey.Value.DeleteSubKeyTree(uniqueName, throwOnMissingSubKey: false); + } + } + + private static readonly Lazy LazyHkcuTempKey = new Lazy(() => + { + try + { + return Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\ASP.NET\temp"); + } + catch + { + // swallow all failures + return null; + } + }); + + private class ConditionalRunTestOnlyIfHkcuRegistryAvailable : Attribute, ITestCondition + { + public bool IsMet => (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && LazyHkcuTempKey.Value != null); + + public string SkipReason { get; } = "HKCU registry couldn't be opened."; + } + + private class MyKeyEscrowSink1 : IKeyEscrowSink + { + public void Store(Guid keyId, XElement element) + { + throw new NotImplementedException(); + } + } + + private class MyKeyEscrowSink2 : IKeyEscrowSink + { + public void Store(Guid keyId, XElement element) + { + throw new NotImplementedException(); + } + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs index dec696bfcc..9aeb5ea236 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs @@ -4,8 +4,11 @@ using System; using System.Collections.Generic; using System.Globalization; +using System.Linq; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.Extensions.Logging.Abstractions; +using Microsoft.Extensions.Options; using Moq; using Xunit; 
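Review bot: In `WithUniqueTempRegKey`, the `RegistryKey` returned by `CreateSubKey(uniqueName)` is never disposed, so its handle is still open when `DeleteSubKeyTree` runs in the `finally` block and is only released by finalization. Wrapping it keeps the cleanup deterministic: `using (var uniqueSubkey = LazyHkcuTempKey.Value.CreateSubKey(uniqueName)) { testCode(uniqueSubkey); }` inside the existing `try`. The bare `catch` in `LazyHkcuTempKey` is what lets the conditional attribute skip the test, but it also hides why HKCU was unavailable; a comment naming the failures it is expected to absorb would help. Because the registry values under test select key escrow sink types by assembly-qualified name, a negative case for a type name that cannot be resolved would be a useful addition, unless it is covered elsewhere.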
@@ -17,7 +20,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_EmptyKeyRing_ReturnsNullDefaultKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); // Act var resolution = resolver.ResolveDefaultKeyPolicy(DateTimeOffset.Now, new IKey[0]); @@ -31,7 +34,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_ReturnsExistingKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); @@ -47,7 +50,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_KeysStraddleSkewLine_ReturnsExistingKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); @@ -63,7 +66,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_AllKeysInFuture_ReturnsExistingKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); // Act 
@@ -78,7 +81,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_NoSuccessor_ReturnsExistingKey_SignalsGenerateNewKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); // Act @@ -93,7 +96,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_NoLegitimateSuccessor_ReturnsExistingKey_SignalsGenerateNewKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z", isRevoked: true); var key3 = CreateKey("2016-03-01 00:00:00Z", "2016-03-02 00:00:00Z"); // key expires too soon @@ -110,7 +113,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_BecauseOfRevocation_ReturnsNull() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", isRevoked: true); 
@@ -126,9 +129,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_BecauseOfFailureToDecipher_ReturnsNull() { // Arrange - var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); - var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", createEncryptorInstanceThrows: true); + var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z"); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory(throwForKeys: key2)); // Act var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1, key2); @@ -142,11 +145,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FutureKeyIsValidAndWithinClockSkew_ReturnsFutureKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); // Act - var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:53:00Z", key1); + var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:55:00Z", key1); // Assert Assert.Same(key1, resolution.DefaultKey); @@ -157,7 +160,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FutureKeyIsValidButNotWithinClockSkew_ReturnsNull() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); // Act 
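Review bot: The Act timestamp in `ResolveDefaultKeyPolicy_FutureKeyIsValidAndWithinClockSkew_ReturnsFutureKey` moves from `23:53:00Z` to `23:55:00Z`, that is from seven to five minutes before `key1` activates, with no statement of the skew value the test now relies on. If five minutes is exactly the allowed skew, the test sits on the boundary and depends on whether the comparison is inclusive. A comment such as `// key1 activates at 00:00:00Z; 23:55:00Z is 5 minutes earlier, within the allowed clock skew` would make that dependency visible. Setting the skew explicitly on the options given to `CreateDefaultKeyResolver`, whose definition is outside this hunk, would stop the test changing meaning if the default changes.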
@@ -172,7 +175,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_IgnoresExpiredOrRevokedFutureKeys() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2015-03-01 00:00:00Z", "2014-03-01 00:00:00Z"); // expiration before activation should never occur var key2 = CreateKey("2015-03-01 00:01:00Z", "2015-04-01 00:00:00Z", isRevoked: true); var key3 = CreateKey("2015-03-01 00:02:00Z", "2015-04-01 00:00:00Z"); @@ -189,7 +192,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow_IgnoresRevokedKeys() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z"); var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z"); var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true); 
@@ -207,11 +210,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow_IgnoresFailures() { // Arrange - var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z"); var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z"); - var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", createEncryptorInstanceThrows: true); + var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z"); var key4 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z"); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory(throwForKeys: key3)); // Act var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3, key4); @@ -225,7 +228,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FallbackKey_NoNonRevokedKeysBeforePriorPropagationWindow_SelectsEarliestNonRevokedKey() { // Arrange - var resolver = CreateDefaultKeyResolver(); + var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true); var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z"); var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-05 00:00:00Z"); 
@@ -238,15 +241,14 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.True(resolution.ShouldGenerateNewKey); } - private static IDefaultKeyResolver CreateDefaultKeyResolver() + private static IDefaultKeyResolver CreateDefaultKeyResolver(IAuthenticatedEncryptorFactory encryptorFactory) { - return new DefaultKeyResolver( - keyPropagationWindow: TimeSpan.FromDays(2), - maxServerToServerClockSkew: TimeSpan.FromMinutes(7), - services: null); + var options = Options.Create(new KeyManagementOptions()); + options.Value.AuthenticatedEncryptorFactories.Add(encryptorFactory); + return new DefaultKeyResolver(options, NullLoggerFactory.Instance); } - private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false, bool createEncryptorInstanceThrows = false) + private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false) { var mockKey = new Mock(); mockKey.Setup(o => o.KeyId).Returns(Guid.NewGuid()); 
@@ -254,16 +256,31 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); - if (createEncryptorInstanceThrows) - { - mockKey.Setup(o => o.CreateEncryptorInstance()).Throws(new Exception("This method fails.")); - } - else - { - mockKey.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); - } + return mockKey.Object; } + + private class MyEncryptorFactory : IAuthenticatedEncryptorFactory + { + private IReadOnlyList _throwForKeys; + + public MyEncryptorFactory(params IKey[] throwForKeys) + { + _throwForKeys = throwForKeys; + } + + public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) + { + if (_throwForKeys.Contains(key)) + { + throw new Exception("This method fails."); + } + else + { + return new Mock().Object; + } + } + } } internal static class DefaultKeyResolverExtensions diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs index 53ec59402c..90cf63c073 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs @@ -3,10 +3,10 @@ using System; using System.Xml.Linq; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.Testing; +using Microsoft.Extensions.Options; using Moq; using Xunit; 
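Review bot: `_throwForKeys` in MyEncryptorFactory (DefaultKeyResolverTests.cs) is assigned only in the constructor, so it should be declared `private readonly`, and the `else` after the `throw` is redundant. The class also deserves a one-line summary: it throws for the listed keys and returns a fresh mock encryptor for every other key, replacing the `createEncryptorInstanceThrows` parameter removed from CreateKey. Membership is tested with `Contains` on mock key objects, which presumably means reference equality; a short comment such as `// keys are matched by instance, not by KeyId` would make that explicit.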
@@ -22,15 +22,25 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var creationDate = DateTimeOffset.Now; var activationDate = creationDate.AddDays(2); var expirationDate = creationDate.AddDays(90); + var mockDescriptor = Mock.Of(); + var mockInternalKeyManager = new Mock(); + mockInternalKeyManager.Setup(o => o.DeserializeDescriptorFromKeyElement(It.IsAny())) + .Returns(element => + { + XmlAssert.Equal(@"", element); + return mockDescriptor; + }); + var options = Options.Create(new KeyManagementOptions()); // Act - var key = new DeferredKey(keyId, creationDate, activationDate, expirationDate, new Mock().Object, XElement.Parse(@"")); + var key = new DeferredKey(keyId, creationDate, activationDate, expirationDate, mockInternalKeyManager.Object, XElement.Parse(@"")); // Assert Assert.Equal(keyId, key.KeyId); Assert.Equal(creationDate, key.CreationDate); Assert.Equal(activationDate, key.ActivationDate); Assert.Equal(expirationDate, key.ExpirationDate); + Assert.Same(mockDescriptor, key.Descriptor); } [Fact] @@ -38,6 +48,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange var now = DateTimeOffset.UtcNow; + var options = Options.Create(new KeyManagementOptions()); var key = new DeferredKey(Guid.Empty, now, now, now, new Mock().Object, XElement.Parse(@"")); // Act & assert 
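Review bot: `var options = Options.Create(new KeyManagementOptions());` is added in both DeferredKeyTests hunks on this line but is not used in the lines shown. The `DeferredKey` constructor calls still take only the key manager and the XML element. Unless the value is consumed outside the hunks, both declarations can be dropped. If nothing else in the file then needs it, the newly added `using Microsoft.Extensions.Options;` can go too.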
@@ -47,32 +58,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement } [Fact] - public void CreateEncryptorInstance_Success() - { - // Arrange - var expectedEncryptor = new Mock().Object; - var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expectedEncryptor); - var mockKeyManager = new Mock(); - mockKeyManager.Setup(o => o.DeserializeDescriptorFromKeyElement(It.IsAny())) - .Returns(element => - { - XmlAssert.Equal(@"", element); - return mockDescriptor.Object; - }); - - var now = DateTimeOffset.UtcNow; - var key = new DeferredKey(Guid.Empty, now, now, now, mockKeyManager.Object, XElement.Parse(@"")); - - // Act - var actual = key.CreateEncryptorInstance(); - - // Assert - Assert.Same(expectedEncryptor, actual); - } - - [Fact] - public void CreateEncryptorInstance_CachesFailures() + public void Get_Descriptor_CachesFailures() { // Arrange int numTimesCalled = 0; @@ -88,8 +74,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var key = new DeferredKey(Guid.Empty, now, now, now, mockKeyManager.Object, XElement.Parse(@"")); // Act & assert - ExceptionAssert.Throws(() => key.CreateEncryptorInstance(), "How exceptional."); - ExceptionAssert.Throws(() => key.CreateEncryptorInstance(), "How exceptional."); + ExceptionAssert.Throws(() => key.Descriptor, "How exceptional."); + ExceptionAssert.Throws(() => key.Descriptor, "How exceptional."); Assert.Equal(1, numTimesCalled); } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs index bd90f3740f..8db64657db 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs 
@@ -39,7 +39,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockKeyEscrowSink.Setup(o => o.Store(It.IsAny(), It.IsAny())) .Callback((keyId, element) => { - output.Add(String.Format(CultureInfo.InvariantCulture, "{0:D}: {1}", keyId, element.Name.LocalName)); + output.Add(string.Format(CultureInfo.InvariantCulture, "{0:D}: {1}", keyId, element.Name.LocalName)); }); var serviceCollection = new ServiceCollection(); @@ -64,14 +64,14 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockKeyEscrowSink1.Setup(o => o.Store(It.IsAny(), It.IsAny())) .Callback((keyId, element) => { - output.Add(String.Format(CultureInfo.InvariantCulture, "[sink1] {0:D}: {1}", keyId, element.Name.LocalName)); + output.Add(string.Format(CultureInfo.InvariantCulture, "[sink1] {0:D}: {1}", keyId, element.Name.LocalName)); }); var mockKeyEscrowSink2 = new Mock(); mockKeyEscrowSink2.Setup(o => o.Store(It.IsAny(), It.IsAny())) .Callback((keyId, element) => { - output.Add(String.Format(CultureInfo.InvariantCulture, "[sink2] {0:D}: {1}", keyId, element.Name.LocalName)); + output.Add(string.Format(CultureInfo.InvariantCulture, "[sink2] {0:D}: {1}", keyId, element.Name.LocalName)); }); var serviceCollection = new ServiceCollection(); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs index 2e510d5ccf..42b5153c5f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs 
@@ -11,6 +11,8 @@ using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.Testing; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Moq; using Xunit; @@ -24,7 +26,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: new Mock().Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); @@ -59,7 +61,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: new[] { "purpose1", "purpose2" }, newPurpose: "yet another purpose"); @@ -97,7 +99,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: new string[0], newPurpose: "single purpose"); @@ -114,7 +116,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: new Mock(MockBehavior.Strict).Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); @@ -129,7 +131,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: new Mock().Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); 
@@ -143,7 +145,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: new Mock().Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); @@ -161,7 +163,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: new Mock().Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); @@ -179,7 +181,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: new Mock().Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); @@ -201,17 +203,19 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement ciphertext: new byte[0]); var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); + var mockEncryptorFactory = new Mock(); + mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(new Mock().Object); + var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); // the keyring has only one key Key key = new Key(Guid.Empty, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(key, new[] { key }); + var keyRing = new KeyRing(key, new[] { key }, new[] { mockEncryptorFactory.Object }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); 
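Review bot: In the `@@ -201,17 +203,19 @@` hunk, `var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);` is constructed but never used. The key ring is built with `new[] { mockEncryptorFactory.Object }`, so the real factory is not exercised in the lines shown. Remove the local, or pass it to `KeyRing` if the intent was to run the test against the real factory. The mock descriptor in this test presumably would not work with the real factory, so removal looks like the right fix. The test method starts outside the hunk.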
@@ -230,18 +234,19 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement ciphertext: new byte[0]); var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); + var mockEncryptorFactory = new Mock(); + mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(new Mock().Object); // the keyring has only one key Key key = new Key(keyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); key.SetRevoked(); - var keyRing = new KeyRing(key, new[] { key }); + var keyRing = new KeyRing(key, new[] { key }, new[] { mockEncryptorFactory.Object }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); @@ -270,17 +275,18 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement return expectedPlaintext; }); var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object); + var mockEncryptorFactory = new Mock(); + mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(mockEncryptor.Object); Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); defaultKey.SetRevoked(); - var keyRing = new KeyRing(defaultKey, new[] { defaultKey }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey }, new[] { mockEncryptorFactory.Object }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); 
@@ -317,16 +323,17 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement return expectedPlaintext; }); var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object); + var mockEncryptorFactory = new Mock(); + mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(mockEncryptor.Object); Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(defaultKey, new[] { defaultKey }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey }, new[] { mockEncryptorFactory.Object }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); 
@@ -366,17 +373,18 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement return expectedPlaintext; }); var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object); + var mockEncryptorFactory = new Mock(); + mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(mockEncryptor.Object); Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new Mock().Object); Key embeddedKey = new Key(embeddedKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(defaultKey, new[] { defaultKey, embeddedKey }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey, embeddedKey }, new[] { mockEncryptorFactory.Object }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); 
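Review bot: The factory mock in this hunk is set up with the `It.IsAny` matcher, so it returns `mockEncryptor.Object` for `defaultKey` as well as for `embeddedKey`. Before the change only `embeddedKey`'s descriptor produced that encryptor and `defaultKey` got a bare mock descriptor, so the test could only pass if the protector picked the key named in the payload. As far as the hunk shows, that check on key selection is now lost. Restricting the setup to the intended key restores it: move the setup below the two `Key` declarations and write `mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(embeddedKey)).Returns(mockEncryptor.Object);`. The test method begins and ends outside the hunk.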
@@ -400,14 +408,15 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange byte[] plaintext = new byte[] { 0x10, 0x20, 0x30, 0x40, 0x50 }; - Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration(new AuthenticatedEncryptionSettings()).CreateNewDescriptor()); - var keyRing = new KeyRing(key, new[] { key }); + Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor()); + var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + var keyRing = new KeyRing(key, new[] { key }, new[] { encryptorFactory }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); var protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose"); @@ -448,7 +457,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement IDataProtector protector = new KeyRingBasedDataProtector( keyRingProvider: mockKeyRingProvider.Object, - logger: null, + logger: GetLogger(), originalPurposes: null, newPurpose: "purpose1").CreateProtector("purpose2"); @@ -484,5 +493,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement .Concat(ciphertext).ToArray(); } + + private static ILogger GetLogger() + { + var loggerFactory = NullLoggerFactory.Instance; + return loggerFactory.CreateLogger(typeof(KeyRingBasedDataProtector)); + } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index 2f7517c86b..7337c779f1 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs 
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -7,14 +7,15 @@ using System.Globalization; using System.Threading; using System.Threading.Tasks; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.Testing; using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging.Abstractions; +using Microsoft.Extensions.Options; using Moq; using Xunit; -using static System.FormattableString; - namespace Microsoft.AspNetCore.DataProtection.KeyManagement { public class KeyRingProviderTests 
@@ -353,62 +354,6 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.Equal(new[] { "GetCacheExpirationToken", "GetAllKeys", "ResolveDefaultKeyPolicy" }, callSequence); } - private static ICacheableKeyRingProvider SetupCreateCacheableKeyRingTestAndCreateKeyManager( - IList callSequence, - IEnumerable getCacheExpirationTokenReturnValues, - IEnumerable> getAllKeysReturnValues, - IEnumerable> createNewKeyCallbacks, - IEnumerable, DefaultKeyResolution>> resolveDefaultKeyPolicyReturnValues, - KeyManagementOptions keyManagementOptions = null) - { - var getCacheExpirationTokenReturnValuesEnumerator = getCacheExpirationTokenReturnValues.GetEnumerator(); - var mockKeyManager = new Mock(MockBehavior.Strict); - mockKeyManager.Setup(o => o.GetCacheExpirationToken()) - .Returns(() => - { - callSequence.Add("GetCacheExpirationToken"); - getCacheExpirationTokenReturnValuesEnumerator.MoveNext(); - return getCacheExpirationTokenReturnValuesEnumerator.Current; - }); - - var getAllKeysReturnValuesEnumerator = getAllKeysReturnValues.GetEnumerator(); - mockKeyManager.Setup(o => o.GetAllKeys()) - .Returns(() => - { - callSequence.Add("GetAllKeys"); - getAllKeysReturnValuesEnumerator.MoveNext(); - return getAllKeysReturnValuesEnumerator.Current; - }); - - if (createNewKeyCallbacks != null) - { - var createNewKeyCallbacksEnumerator = createNewKeyCallbacks.GetEnumerator(); - mockKeyManager.Setup(o => o.CreateNewKey(It.IsAny(), It.IsAny())) - .Returns((activationDate, expirationDate) => - { - callSequence.Add("CreateNewKey"); - createNewKeyCallbacksEnumerator.MoveNext(); - Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item1, activationDate); - Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item2, expirationDate); - return createNewKeyCallbacksEnumerator.Current.Item3; - }); - } - - var resolveDefaultKeyPolicyReturnValuesEnumerator = resolveDefaultKeyPolicyReturnValues.GetEnumerator(); - var mockDefaultKeyResolver = new Mock(MockBehavior.Strict); - 
mockDefaultKeyResolver.Setup(o => o.ResolveDefaultKeyPolicy(It.IsAny(), It.IsAny>())) - .Returns>((now, allKeys) => - { - callSequence.Add("ResolveDefaultKeyPolicy"); - resolveDefaultKeyPolicyReturnValuesEnumerator.MoveNext(); - Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item1, now); - Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item2, allKeys); - return resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item3; - }); - - return CreateKeyRingProvider(mockKeyManager.Object, mockDefaultKeyResolver.Object, keyManagementOptions); - } - [Fact] public void GetCurrentKeyRing_NoKeyRingCached_CachesAndReturns() { 
@@ -586,24 +531,90 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockCacheableKeyRingProvider.Verify(o => o.GetCacheableKeyRing(updatedKeyRingTime), Times.Once); } + private static ICacheableKeyRingProvider SetupCreateCacheableKeyRingTestAndCreateKeyManager( + IList callSequence, + IEnumerable getCacheExpirationTokenReturnValues, + IEnumerable> getAllKeysReturnValues, + IEnumerable> createNewKeyCallbacks, + IEnumerable, DefaultKeyResolution>> resolveDefaultKeyPolicyReturnValues, + KeyManagementOptions keyManagementOptions = null) + { + var getCacheExpirationTokenReturnValuesEnumerator = getCacheExpirationTokenReturnValues.GetEnumerator(); + var mockKeyManager = new Mock(MockBehavior.Strict); + mockKeyManager.Setup(o => o.GetCacheExpirationToken()) + .Returns(() => + { + callSequence.Add("GetCacheExpirationToken"); + getCacheExpirationTokenReturnValuesEnumerator.MoveNext(); + return getCacheExpirationTokenReturnValuesEnumerator.Current; + }); + + var getAllKeysReturnValuesEnumerator = getAllKeysReturnValues.GetEnumerator(); + mockKeyManager.Setup(o => o.GetAllKeys()) + .Returns(() => + { + callSequence.Add("GetAllKeys"); + getAllKeysReturnValuesEnumerator.MoveNext(); + return getAllKeysReturnValuesEnumerator.Current; + }); + + if (createNewKeyCallbacks != null) + { + var createNewKeyCallbacksEnumerator = createNewKeyCallbacks.GetEnumerator(); + mockKeyManager.Setup(o => o.CreateNewKey(It.IsAny(), It.IsAny())) + .Returns((activationDate, expirationDate) => + { + callSequence.Add("CreateNewKey"); + createNewKeyCallbacksEnumerator.MoveNext(); + Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item1, activationDate); + Assert.Equal(createNewKeyCallbacksEnumerator.Current.Item2, expirationDate); + return createNewKeyCallbacksEnumerator.Current.Item3; + }); + } + + var resolveDefaultKeyPolicyReturnValuesEnumerator = resolveDefaultKeyPolicyReturnValues.GetEnumerator(); + var mockDefaultKeyResolver = new Mock(MockBehavior.Strict); + 
mockDefaultKeyResolver.Setup(o => o.ResolveDefaultKeyPolicy(It.IsAny(), It.IsAny>())) + .Returns>((now, allKeys) => + { + callSequence.Add("ResolveDefaultKeyPolicy"); + resolveDefaultKeyPolicyReturnValuesEnumerator.MoveNext(); + Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item1, now); + Assert.Equal(resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item2, allKeys); + return resolveDefaultKeyPolicyReturnValuesEnumerator.Current.Item3; + }); + + return CreateKeyRingProvider(mockKeyManager.Object, mockDefaultKeyResolver.Object, keyManagementOptions); + } + private static KeyRingProvider CreateKeyRingProvider(ICacheableKeyRingProvider cacheableKeyRingProvider) { - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(cacheableKeyRingProvider); + var mockEncryptorFactory = new Mock(); + mockEncryptorFactory.Setup(m => m.CreateEncryptorInstance(It.IsAny())).Returns(new Mock().Object); + var options = new KeyManagementOptions(); + options.AuthenticatedEncryptorFactories.Add(mockEncryptorFactory.Object); + return new KeyRingProvider( keyManager: null, - keyManagementOptions: null, - services: serviceCollection.BuildServiceProvider()); + keyManagementOptions: Options.Create(options), + cacheableKeyRingProvider: cacheableKeyRingProvider, + defaultKeyResolver: null, + loggerFactory: NullLoggerFactory.Instance); } private static ICacheableKeyRingProvider CreateKeyRingProvider(IKeyManager keyManager, IDefaultKeyResolver defaultKeyResolver, KeyManagementOptions keyManagementOptions= null) { - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(defaultKeyResolver); + var mockEncryptorFactory = new Mock(); + mockEncryptorFactory.Setup(m => m.CreateEncryptorInstance(It.IsAny())).Returns(new Mock().Object); + keyManagementOptions = keyManagementOptions ?? 
new KeyManagementOptions(); + keyManagementOptions.AuthenticatedEncryptorFactories.Add(mockEncryptorFactory.Object); + return new KeyRingProvider( keyManager: keyManager, - keyManagementOptions: keyManagementOptions, - services: serviceCollection.BuildServiceProvider()); + keyManagementOptions: Options.Create(keyManagementOptions), + cacheableKeyRingProvider: null, + defaultKeyResolver: defaultKeyResolver, + loggerFactory: NullLoggerFactory.Instance); } private static void AssertWithinJitterRange(DateTimeOffset actual, DateTimeOffset now) @@ -620,7 +631,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private static IKey CreateKey() { var now = DateTimeOffset.Now; - return CreateKey(Invariant($"{now:u}"), Invariant($"{now.AddDays(90):u}")); + return CreateKey( + string.Format(CultureInfo.InvariantCulture, "{0:u}", now), + string.Format(CultureInfo.InvariantCulture, "{0:u}", now.AddDays(90))); } private static IKey CreateKey(string activationDate, string expirationDate, bool isRevoked = false) @@ -630,7 +643,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); - mockKey.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock().Object); + mockKey.Setup(o => o.Descriptor).Returns(new Mock().Object); return mockKey.Object; } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs index f973af9c42..915b4704cc 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs 
@@ -3,6 +3,7 @@ using System; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Moq; using Xunit; @@ -15,19 +16,20 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange var expectedEncryptorInstance = new Mock().Object; + var encryptorFactory = new MyEncryptorFactory(expectedEncryptorInstance); - var key1 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance); + var key1 = new MyKey(); var key2 = new MyKey(); // Act - var keyRing = new KeyRing(key1, new[] { key1, key2 }); + var keyRing = new KeyRing(key1, new[] { key1, key2 }, new[] { encryptorFactory }); // Assert - Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(0, encryptorFactory.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance, keyRing.DefaultAuthenticatedEncryptor); - Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, encryptorFactory.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance, keyRing.DefaultAuthenticatedEncryptor); - Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); // should've been cached + Assert.Equal(1, encryptorFactory.NumTimesCreateEncryptorInstanceCalled); // should've been cached } [Fact] @@ -36,9 +38,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange var key1 = new MyKey(); var key2 = new MyKey(); + var encryptorFactory = new MyEncryptorFactory(); // Act - var keyRing = new KeyRing(key2, new[] { key1, key2 }); + var keyRing = new KeyRing(key2, new[] { key1, key2 }, new[] { encryptorFactory }); // Assert Assert.Equal(key2.KeyId, keyRing.DefaultKeyId); 
@@ -50,15 +53,16 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange var key1 = new MyKey(); var key2 = new MyKey(); - var key3 = new MyKey(expectedEncryptorInstance: new Mock().Object); + var key3 = new MyKey(); + var encryptorFactory = new MyEncryptorFactory(expectedEncryptorInstance: new Mock().Object); // Act - var keyRing = new KeyRing(key3, new[] { key1, key2 }); + var keyRing = new KeyRing(key3, new[] { key1, key2 }, new[] { encryptorFactory }); // Assert bool unused; Assert.Equal(key3.KeyId, keyRing.DefaultKeyId); - Assert.Equal(key3.CreateEncryptorInstance(), keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out unused)); + Assert.Equal(encryptorFactory.CreateEncryptorInstance(key3), keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out unused)); } [Fact] 
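Review bot: The last assertion computes its expected value by calling `encryptorFactory.CreateEncryptorInstance(key3)` inside the assert. That only holds if the factory returns the same object on every call, and it presumably also increments `NumTimesCreateEncryptorInstanceCalled`. Keeping the expected encryptor in a local, as the first test in this file does with `expectedEncryptorInstance`, makes the identity check explicit: `Assert.Same(expectedEncryptorInstance, keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out unused));`. MyEncryptorFactory for this file is defined outside the visible lines, so its exact behaviour is assumed here.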
@@ -68,45 +72,44 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var expectedEncryptorInstance1 = new Mock().Object; var expectedEncryptorInstance2 = new Mock().Object; - var key1 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance1, isRevoked: true); - var key2 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance2); + var key1 = new MyKey(isRevoked: true); + var key2 = new MyKey(); + + var encryptorFactory1 = new MyEncryptorFactory(expectedEncryptorInstance: expectedEncryptorInstance1, associatedKey: key1); + var encryptorFactory2 = new MyEncryptorFactory(expectedEncryptorInstance: expectedEncryptorInstance2, associatedKey: key2); // Act - var keyRing = new KeyRing(key2, new[] { key1, key2 }); + var keyRing = new KeyRing(key2, new[] { key1, key2 }, new[] { encryptorFactory1, encryptorFactory2 }); // Assert bool isRevoked; - Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(0, encryptorFactory1.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); Assert.True(isRevoked); - Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, encryptorFactory1.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); Assert.True(isRevoked); - Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); - Assert.Equal(0, key2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, encryptorFactory1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(0, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance2, keyRing.GetAuthenticatedEncryptorByKeyId(key2.KeyId, out isRevoked)); Assert.False(isRevoked); - Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); 
Assert.Same(expectedEncryptorInstance2, keyRing.GetAuthenticatedEncryptorByKeyId(key2.KeyId, out isRevoked)); Assert.False(isRevoked); - Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance2, keyRing.DefaultAuthenticatedEncryptor); - Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); } private sealed class MyKey : IKey { - public int NumTimesCreateEncryptorInstanceCalled; - private readonly Func _encryptorFactory; - - public MyKey(bool isRevoked = false, IAuthenticatedEncryptor expectedEncryptorInstance = null) + public MyKey(bool isRevoked = false) { CreationDate = DateTimeOffset.Now; ActivationDate = CreationDate + TimeSpan.FromHours(1); ExpirationDate = CreationDate + TimeSpan.FromDays(30); IsRevoked = isRevoked; KeyId = Guid.NewGuid(); - _encryptorFactory = () => expectedEncryptorInstance ?? new Mock().Object; } public DateTimeOffset ActivationDate { get; } 
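Review bot: Both factories in this test are bound to a key, and no test in the visible hunks covers a key for which every registered factory returns null, which is what `MyEncryptorFactory` does whenever `key != _associatedKey`. For a key ring that hands out authenticated encryptors, it matters whether that case throws or lets a null encryptor reach the caller. KeyRing's handling is not shown here, so this may already be guarded. A test that builds `new KeyRing(key1, new[] { key1 }, new[] { new MyEncryptorFactory(associatedKey: key2) })` and pins the expected outcome would document the contract.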
@@ -114,11 +117,31 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public DateTimeOffset ExpirationDate { get; } public bool IsRevoked { get; } public Guid KeyId { get; } + public IAuthenticatedEncryptorDescriptor Descriptor => throw new NotImplementedException(); + } - public IAuthenticatedEncryptor CreateEncryptorInstance() + private sealed class MyEncryptorFactory : IAuthenticatedEncryptorFactory + { + public int NumTimesCreateEncryptorInstanceCalled; + private IAuthenticatedEncryptor _expectedEncryptorInstance; + private IKey _associatedKey; + + public MyEncryptorFactory(IAuthenticatedEncryptor expectedEncryptorInstance = null, IKey associatedKey = null) { + _expectedEncryptorInstance = expectedEncryptorInstance; + _associatedKey = associatedKey; + } + + public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) + { + if (_associatedKey != null && key != _associatedKey) + { + return null; + } + NumTimesCreateEncryptorInstanceCalled++; - return _encryptorFactory(); + + return _expectedEncryptorInstance ?? new Mock().Object; } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs index e42632dd1d..5a2053737e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Moq; using Xunit; 
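Review bot: `_expectedEncryptorInstance` and `_associatedKey` in `MyEncryptorFactory` are assigned only in the constructor and can be `readonly`, e.g. `private readonly IKey _associatedKey;`. The null return for a non-matching key is what the two-factory test relies on, so it deserves a one-line comment such as `// null means this factory does not handle the key`. The same applies to the fields of `TestEncryptorFactory` added in the later `@@ -738,5 +742,27 @@` hunk, which is also declared `private class` rather than `private sealed class` like this one.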
@@ -19,15 +18,17 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var creationDate = DateTimeOffset.Now; var activationDate = creationDate.AddDays(2); var expirationDate = creationDate.AddDays(90); + var descriptor = Mock.Of(); // Act - var key = new Key(keyId, creationDate, activationDate, expirationDate, new Mock().Object); + var key = new Key(keyId, creationDate, activationDate, expirationDate, descriptor); // Assert Assert.Equal(keyId, key.KeyId); Assert.Equal(creationDate, key.CreationDate); Assert.Equal(activationDate, key.ActivationDate); Assert.Equal(expirationDate, key.ExpirationDate); + Assert.Same(descriptor, key.Descriptor); } [Fact] @@ -42,23 +43,5 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement key.SetRevoked(); Assert.True(key.IsRevoked); } - - [Fact] - public void CreateEncryptorInstance() - { - // Arrange - var expected = new Mock().Object; - var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expected); - - var now = DateTimeOffset.UtcNow; - var key = new Key(Guid.Empty, now, now, now, mockDescriptor.Object); - - // Act - var actual = key.CreateEncryptorInstance(); - - // Assert - Assert.Same(expected, actual); - } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index ff991bf34e..231e0c7b15 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs 
@@ -6,14 +6,16 @@ using System.Collections.Generic; using System.Linq; using System.Xml; using System.Xml.Linq; +using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.XmlEncryption; -using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; +using Microsoft.Extensions.Options; using Moq; using Xunit; 
@@ -32,41 +34,39 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void Ctor_WithoutEncryptorOrRepository_UsesFallback() { // Arrange - var expectedEncryptor = new Mock().Object; - var expectedRepository = new Mock().Object; - var mockFallback = new Mock(); - mockFallback.Setup(o => o.GetKeyEncryptor()).Returns(expectedEncryptor); - mockFallback.Setup(o => o.GetKeyRepository()).Returns(expectedRepository); - - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(mockFallback.Object); - serviceCollection.AddSingleton(new Mock().Object); - var services = serviceCollection.BuildServiceProvider(); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = new Mock().Object, + XmlRepository = null, + XmlEncryptor = null + }); // Act - var keyManager = new XmlKeyManager(services); + var keyManager = new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance); // Assert - Assert.Same(expectedEncryptor, keyManager.KeyEncryptor); - Assert.Same(expectedRepository, keyManager.KeyRepository); + Assert.NotNull(keyManager.KeyRepository); + + if (OSVersionUtil.IsWindows()) + { + Assert.NotNull(keyManager.KeyEncryptor); + } } [Fact] public void Ctor_WithEncryptorButNoRepository_IgnoresFallback_FailsWithServiceNotFound() { // Arrange - var mockFallback = new Mock(); - mockFallback.Setup(o => o.GetKeyEncryptor()).Returns(new Mock().Object); - mockFallback.Setup(o => o.GetKeyRepository()).Returns(new Mock().Object); - - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(mockFallback.Object); - serviceCollection.AddSingleton(new Mock().Object); - serviceCollection.AddSingleton(new Mock().Object); - var services = serviceCollection.BuildServiceProvider(); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = new Mock().Object, + XmlRepository = null, + XmlEncryptor = new 
Mock().Object + }); // Act & assert - we don't care about exception type, only exception message - Exception ex = Assert.ThrowsAny(() => new XmlKeyManager(services)); + Exception ex = Assert.ThrowsAny( + () => new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance)); Assert.Contains("IXmlRepository", ex.Message); } @@ -79,15 +79,16 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var expirationDate = new DateTimeOffset(2014, 03, 01, 0, 0, 0, TimeSpan.Zero); var keyId = new Guid("3d6d01fd-c0e7-44ae-82dd-013b996b4093"); - // Arrange - mocks + // Arrange XElement elementStoredInRepository = null; string friendlyNameStoredInRepository = null; var expectedAuthenticatedEncryptor = new Mock().Object; var mockDescriptor = new Mock(); mockDescriptor.Setup(o => o.ExportToXml()).Returns(new XmlSerializedDescriptorInfo(serializedDescriptor, typeof(MyDeserializer))); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expectedAuthenticatedEncryptor); - var mockConfiguration = new Mock(); - mockConfiguration.Setup(o => o.CreateNewDescriptor()).Returns(mockDescriptor.Object); + var expectedDescriptor = mockDescriptor.Object; + var testEncryptorFactory = new TestEncryptorFactory(expectedDescriptor, expectedAuthenticatedEncryptor); + var mockConfiguration = new Mock(); + mockConfiguration.Setup(o => o.CreateNewDescriptor()).Returns(expectedDescriptor); var mockXmlRepository = new Mock(); mockXmlRepository .Setup(o => o.StoreElement(It.IsAny(), It.IsAny())) 
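Review bot: `Ctor_WithoutEncryptorOrRepository_UsesFallback` now asserts only that `KeyRepository` is non-null and, on Windows, that `KeyEncryptor` is non-null, so it no longer pins which fallback is chosen and says nothing about the encryptor on other platforms. Whether keys are encrypted at rest by default is the security-relevant part of this fallback, so the non-Windows expectation should be stated too. If the intended result there is no encryptor, add `else { Assert.Null(keyManager.KeyEncryptor); }`. With the mocked fallback removed, the constructor presumably resolves the real platform defaults, which makes the test depend on the machine it runs on. Asserting the concrete repository type would at least make that dependency visible.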
@@ -96,13 +97,15 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement elementStoredInRepository = el; friendlyNameStoredInRepository = friendlyName; }); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = mockConfiguration.Object, + XmlRepository = mockXmlRepository.Object, + XmlEncryptor = null + }); + options.Value.AuthenticatedEncryptorFactories.Add(testEncryptorFactory); - // Arrange - services - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(mockXmlRepository.Object); - serviceCollection.AddSingleton(mockConfiguration.Object); - var services = serviceCollection.BuildServiceProvider(); - var keyManager = new XmlKeyManager(services); + var keyManager = new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance); // Act & assert @@ -126,11 +129,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.Equal(creationDate, newKey.CreationDate); Assert.Equal(activationDate, newKey.ActivationDate); Assert.Equal(expirationDate, newKey.ExpirationDate); + Assert.Same(expectedDescriptor, newKey.Descriptor); Assert.False(newKey.IsRevoked); - Assert.Same(expectedAuthenticatedEncryptor, newKey.CreateEncryptorInstance()); + Assert.Same(expectedAuthenticatedEncryptor, testEncryptorFactory.CreateEncryptorInstance(newKey)); // Finally, was the correct element stored in the repository? - string expectedXml = String.Format(@" + string expectedXml = string.Format(@" {1} {2} @@ -160,7 +164,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var expirationDate = new DateTimeOffset(2014, 03, 01, 0, 0, 0, TimeSpan.Zero); var keyId = new Guid("3d6d01fd-c0e7-44ae-82dd-013b996b4093"); - // Arrange - mocks + // Arrange XElement elementStoredInEscrow = null; Guid? keyIdStoredInEscrow = null; XElement elementStoredInRepository = null; 
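Review bot: `Assert.Same(expectedAuthenticatedEncryptor, testEncryptorFactory.CreateEncryptorInstance(newKey))` exercises only the test's own `TestEncryptorFactory`, which returns the expected encryptor whenever `newKey.Descriptor` matches, so it adds nothing beyond the `Assert.Same(expectedDescriptor, newKey.Descriptor)` line above it. The factory is also added to `options.Value.AuthenticatedEncryptorFactories`, but nothing visible in the test shows XmlKeyManager consulting it. Either drop the assertion or replace it with one that goes through production code. The same pattern repeats in the `@@ -219,12 +225,13 @@` hunk, and the test method starts outside these hunks.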
@@ -168,9 +172,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var expectedAuthenticatedEncryptor = new Mock().Object; var mockDescriptor = new Mock(); mockDescriptor.Setup(o => o.ExportToXml()).Returns(new XmlSerializedDescriptorInfo(serializedDescriptor, typeof(MyDeserializer))); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expectedAuthenticatedEncryptor); - var mockConfiguration = new Mock(); - mockConfiguration.Setup(o => o.CreateNewDescriptor()).Returns(mockDescriptor.Object); + var expectedDescriptor = mockDescriptor.Object; + var testEncryptorFactory = new TestEncryptorFactory(expectedDescriptor, expectedAuthenticatedEncryptor); + var mockConfiguration = new Mock(); + mockConfiguration.Setup(o => o.CreateNewDescriptor()).Returns(expectedDescriptor); var mockXmlRepository = new Mock(); mockXmlRepository .Setup(o => o.StoreElement(It.IsAny(), It.IsAny())) @@ -188,14 +193,15 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement elementStoredInEscrow = el; }); - // Arrange - services - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(mockXmlRepository.Object); - serviceCollection.AddSingleton(mockConfiguration.Object); - serviceCollection.AddSingleton(mockKeyEscrow.Object); - serviceCollection.AddSingleton(); - var services = serviceCollection.BuildServiceProvider(); - var keyManager = new XmlKeyManager(services); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = mockConfiguration.Object, + XmlRepository = mockXmlRepository.Object, + XmlEncryptor = new NullXmlEncryptor() + }); + options.Value.AuthenticatedEncryptorFactories.Add(testEncryptorFactory); + options.Value.KeyEscrowSinks.Add(mockKeyEscrow.Object); + var keyManager = new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance); // Act & assert 
@@ -219,12 +225,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.Equal(creationDate, newKey.CreationDate); Assert.Equal(activationDate, newKey.ActivationDate); Assert.Equal(expirationDate, newKey.ExpirationDate); + Assert.Same(expectedDescriptor, newKey.Descriptor); Assert.False(newKey.IsRevoked); - Assert.Same(expectedAuthenticatedEncryptor, newKey.CreateEncryptorInstance()); + Assert.Same(expectedAuthenticatedEncryptor, testEncryptorFactory.CreateEncryptorInstance(newKey)); // Was the correct element stored in escrow? // This should not have gone through the encryptor. - string expectedEscrowXml = String.Format(@" + string expectedEscrowXml = string.Format(@" {1} {2} @@ -275,7 +282,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement [Fact] public void CreateNewKey_CallsInternalManager() { - // Arrange - mocks + // Arrange DateTimeOffset minCreationDate = DateTimeOffset.UtcNow; DateTimeOffset? actualCreationDate = null; DateTimeOffset activationDate = minCreationDate + TimeSpan.FromDays(7); @@ -288,13 +295,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement actualCreationDate = innerCreationDate; }); - // Arrange - services - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(new Mock().Object); - serviceCollection.AddSingleton(new Mock().Object); - serviceCollection.AddSingleton(mockInternalKeyManager.Object); - var services = serviceCollection.BuildServiceProvider(); - var keyManager = new XmlKeyManager(services); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = new Mock().Object, + XmlRepository = new Mock().Object, + XmlEncryptor = null + }); + var keyManager = new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance, mockInternalKeyManager.Object); // Act keyManager.CreateNewKey(activationDate, expirationDate); 
@@ -344,11 +351,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement "; - var encryptorA = new Mock().Object; - var encryptorB = new Mock().Object; + var descriptorA = new Mock().Object; + var descriptorB = new Mock().Object; var mockActivator = new Mock(); - mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("deserializer-A", "", encryptorA); - mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("deserializer-B", "", encryptorB); + mockActivator.ReturnDescriptorGivenDeserializerTypeNameAndInput("deserializer-A", "", descriptorA); + mockActivator.ReturnDescriptorGivenDeserializerTypeNameAndInput("deserializer-B", "", descriptorB); // Act var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); @@ -360,13 +367,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.Equal(XmlConvert.ToDateTimeOffset("2015-02-01T00:00:00Z"), keys[0].ActivationDate); Assert.Equal(XmlConvert.ToDateTimeOffset("2015-03-01T00:00:00Z"), keys[0].ExpirationDate); Assert.False(keys[0].IsRevoked); - Assert.Same(encryptorA, keys[0].CreateEncryptorInstance()); + Assert.Same(descriptorA, keys[0].Descriptor); Assert.Equal(new Guid("041be4c0-52d7-48b4-8d32-f8c0ff315459"), keys[1].KeyId); Assert.Equal(XmlConvert.ToDateTimeOffset("2015-04-01T00:00:00Z"), keys[1].CreationDate); Assert.Equal(XmlConvert.ToDateTimeOffset("2015-05-01T00:00:00Z"), keys[1].ActivationDate); Assert.Equal(XmlConvert.ToDateTimeOffset("2015-06-01T00:00:00Z"), keys[1].ExpirationDate); Assert.False(keys[1].IsRevoked); - Assert.Same(encryptorB, keys[1].CreateEncryptorInstance()); + Assert.Same(descriptorB, keys[1].Descriptor); } [Fact] 
@@ -425,7 +432,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement "; var mockActivator = new Mock(); - mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("theDeserializer", "", new Mock().Object); + mockActivator.ReturnDescriptorGivenDeserializerTypeNameAndInput("theDeserializer", "", new Mock().Object); // Act var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); @@ -460,10 +467,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement "; - var expectedEncryptor = new Mock().Object; + var expectedDescriptor = new Mock().Object; var mockActivator = new Mock(); mockActivator.ReturnDecryptedElementGivenDecryptorTypeNameAndInput("theDecryptor", "", ""); - mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("theDeserializer", "", expectedEncryptor); + mockActivator.ReturnDescriptorGivenDeserializerTypeNameAndInput("theDeserializer", "", expectedDescriptor); // Act var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); @@ -471,7 +478,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Assert Assert.Equal(1, keys.Length); Assert.Equal(new Guid("09712588-ba68-438a-a5ee-fe842b3453b2"), keys[0].KeyId); - Assert.Same(expectedEncryptor, keys[0].CreateEncryptorInstance()); + Assert.Same(expectedDescriptor, keys[0].Descriptor); } [Fact] @@ -500,9 +507,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement "; - var expectedEncryptor = new Mock().Object; + var expectedDescriptor = new Mock().Object; var mockActivator = new Mock(); - mockActivator.ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput("goodDeserializer", "", expectedEncryptor); + mockActivator.ReturnDescriptorGivenDeserializerTypeNameAndInput("goodDeserializer", "", expectedDescriptor); // Act var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); 
@@ -510,7 +517,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Assert Assert.Equal(1, keys.Length); Assert.Equal(new Guid("49c0cda9-0232-4d8c-a541-de20cc5a73d6"), keys[0].KeyId); - Assert.Same(expectedEncryptor, keys[0].CreateEncryptorInstance()); + Assert.Same(expectedDescriptor, keys[0].Descriptor); } [Fact] @@ -580,21 +587,16 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private static IReadOnlyCollection RunGetAllKeysCore(string xml, IActivator activator, ILoggerFactory loggerFactory = null) { - // Arrange - mocks + // Arrange var mockXmlRepository = new Mock(); mockXmlRepository.Setup(o => o.GetAllElements()).Returns(XElement.Parse(xml).Elements().ToArray()); - - // Arrange - services - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(mockXmlRepository.Object); - serviceCollection.AddSingleton(activator); - serviceCollection.AddSingleton(new Mock().Object); - if (loggerFactory != null) + var options = Options.Create(new KeyManagementOptions() { - serviceCollection.AddSingleton(loggerFactory); - } - var services = serviceCollection.BuildServiceProvider(); - var keyManager = new XmlKeyManager(services); + AuthenticatedEncryptorConfiguration = new Mock().Object, + XmlRepository = mockXmlRepository.Object, + XmlEncryptor = null + }); + var keyManager = new XmlKeyManager(options, activator, loggerFactory ?? NullLoggerFactory.Instance); // Act return keyManager.GetAllKeys(); @@ -603,7 +605,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement [Fact] public void RevokeAllKeys() { - // Arrange - mocks + // Arrange XElement elementStoredInRepository = null; string friendlyNameStoredInRepository = null; var mockXmlRepository = new Mock(); 
@@ -615,12 +617,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement friendlyNameStoredInRepository = friendlyName; }); - // Arrange - services - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(mockXmlRepository.Object); - serviceCollection.AddSingleton(new Mock().Object); - var services = serviceCollection.BuildServiceProvider(); - var keyManager = new XmlKeyManager(services); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = new Mock().Object, + XmlRepository = mockXmlRepository.Object, + XmlEncryptor = null + }); + var keyManager = new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance); var revocationDate = XmlConvert.ToDateTimeOffset("2015-03-01T19:13:19.7573854-08:00"); @@ -664,12 +667,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement friendlyNameStoredInRepository = friendlyName; }); - // Arrange - services - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(mockXmlRepository.Object); - serviceCollection.AddSingleton(new Mock().Object); - var services = serviceCollection.BuildServiceProvider(); - var keyManager = new XmlKeyManager(services); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = new Mock().Object, + XmlRepository = mockXmlRepository.Object, + XmlEncryptor = null + }); + var keyManager = new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance); var revocationDate = new DateTimeOffset(2014, 01, 01, 0, 0, 0, TimeSpan.Zero); @@ -704,7 +708,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement [Fact] public void RevokeKey_CallsInternalManager() { - // Arrange - mocks + // Arrange var keyToRevoke = new Guid("a11f35fc-1fed-4bd4-b727-056a63b70932"); DateTimeOffset minRevocationDate = DateTimeOffset.UtcNow; DateTimeOffset? actualRevocationDate = null; 
@@ -716,13 +720,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement actualRevocationDate = innerRevocationDate; }); - // Arrange - services - var serviceCollection = new ServiceCollection(); - serviceCollection.AddSingleton(new Mock().Object); - serviceCollection.AddSingleton(new Mock().Object); - serviceCollection.AddSingleton(mockInternalKeyManager.Object); - var services = serviceCollection.BuildServiceProvider(); - var keyManager = new XmlKeyManager(services); + var options = Options.Create(new KeyManagementOptions() + { + AuthenticatedEncryptorConfiguration = new Mock().Object, + XmlRepository = new Mock().Object, + XmlEncryptor = null + }); + var keyManager = new XmlKeyManager(options, SimpleActivator.DefaultWithoutServices, NullLoggerFactory.Instance, mockInternalKeyManager.Object); // Act keyManager.RevokeKey(keyToRevoke, "Here's some reason text."); @@ -738,5 +742,27 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement throw new NotImplementedException(); } } + + private class TestEncryptorFactory : IAuthenticatedEncryptorFactory + { + private IAuthenticatedEncryptorDescriptor _associatedDescriptor; + private IAuthenticatedEncryptor _expectedEncryptor; + + public TestEncryptorFactory(IAuthenticatedEncryptorDescriptor associatedDescriptor = null, IAuthenticatedEncryptor expectedEncryptor = null) + { + _associatedDescriptor = associatedDescriptor; + _expectedEncryptor = expectedEncryptor; + } + + public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) + { + if (_associatedDescriptor != null && _associatedDescriptor != key.Descriptor) + { + return null; + } + + return _expectedEncryptor ?? new Mock().Object; + } + } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index a8bcd60fbc..fbf6744846 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -26,4 +26,8 @@ + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs b/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs index 40a34afca6..76f5dc94e6 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs @@ -17,7 +17,7 @@ namespace Microsoft.AspNetCore.DataProtection /// Sets up a mock such that given the name of a deserializer class and the XML node that class's /// Import method should expect returns a descriptor which produces the given authenticator. /// - public static void ReturnAuthenticatedEncryptorGivenDeserializerTypeNameAndInput(this Mock mockActivator, string typeName, string xml, IAuthenticatedEncryptor encryptor) + public static void ReturnDescriptorGivenDeserializerTypeNameAndInput(this Mock mockActivator, string typeName, string xml, IAuthenticatedEncryptorDescriptor descriptor) { mockActivator .Setup(o => o.CreateInstance(typeof(IAuthenticatedEncryptorDescriptorDeserializer), typeName)) @@ -30,9 +30,7 @@ namespace Microsoft.AspNetCore.DataProtection { // Only return the descriptor if the XML matches XmlAssert.Equal(xml, el); - var mockDescriptor = new Mock(); - mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(encryptor); - return mockDescriptor.Object; + return descriptor; }); return mockDeserializer.Object; }); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs index 1bf706dda2..3ce7ee9f67 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs 
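Review bot: The XML summary kept as context above the renamed `ReturnDescriptorGivenDeserializerTypeNameAndInput` still says the deserializer "returns a descriptor which produces the given authenticator", but the method now takes the descriptor itself and returns it unchanged. Update the closing sentence to something like `/// Import method should expect returns the given descriptor.` so the comment matches the new `IAuthenticatedEncryptorDescriptor descriptor` parameter.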
@@ -7,12 +7,14 @@ using System.Linq; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Xml.Linq; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; +using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.Testing.xunit; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; using Microsoft.Win32; using Xunit; 
@@ -25,27 +27,33 @@ namespace Microsoft.AspNetCore.DataProtection [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_NoEntries_ResultsInNoPolicies() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() - { - ["unused"] = 42 - }); + // Arrange + var registryEntries = new Dictionary(); - Assert.Empty(serviceCollection); + // Act + var context = RunTestWithRegValues(registryEntries); + + // Assert + Assert.Null(context.EncryptorConfiguration); + Assert.Null(context.DefaultKeyLifetime); + Assert.Empty(context.KeyEscrowSinks); } [ConditionalFact] [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_KeyEscrowSinks() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var registryEntries = new Dictionary() { ["KeyEscrowSinks"] = String.Join(" ;; ; ", new Type[] { typeof(MyKeyEscrowSink1), typeof(MyKeyEscrowSink2) }.Select(t => t.AssemblyQualifiedName)) - }); + }; - var services = serviceCollection.BuildServiceProvider(); - var actualKeyEscrowSinks = services.GetService>().ToArray(); + // Act + var context = RunTestWithRegValues(registryEntries); + + // Assert + var actualKeyEscrowSinks = context.KeyEscrowSinks.ToArray(); Assert.Equal(2, actualKeyEscrowSinks.Length); Assert.IsType(typeof(MyKeyEscrowSink1), actualKeyEscrowSinks[0]); Assert.IsType(typeof(MyKeyEscrowSink2), actualKeyEscrowSinks[1]); 
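Review bot: `ResolvePolicy_NoEntries_ResultsInNoPolicies` used to seed the key with `["unused"] = 42` and now passes an empty dictionary, so nothing in this hunk checks that an unrecognised registry value is ignored. These values are machine-wide policy that selects the encryption configuration, key lifetime and escrow sinks, so that tolerance is worth keeping under test. Either restore the entry in `registryEntries` or add a separate case for it. `RunTestWithRegValues` is defined outside this hunk, so this assumes it still writes the dictionary as given.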
@@ -55,45 +63,49 @@ namespace Microsoft.AspNetCore.DataProtection [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_DefaultKeyLifetime() { - IServiceCollection serviceCollection = new ServiceCollection(); - serviceCollection.AddOptions(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var registryEntries = new Dictionary() { ["DefaultKeyLifetime"] = 1024 // days - }); + }; - var services = serviceCollection.BuildServiceProvider(); - var keyManagementOptions = services.GetService>(); - Assert.Equal(TimeSpan.FromDays(1024), keyManagementOptions.Value.NewKeyLifetime); + // Act + var context = RunTestWithRegValues(registryEntries); + + // Assert + Assert.Equal(1024, context.DefaultKeyLifetime); } [ConditionalFact] [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_CngCbcEncryption_WithoutExplicitSettings() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var registryEntries = new Dictionary() { ["EncryptionType"] = "cng-cbc" - }); + }; + var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(); - var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings()); - var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)services.GetService(); + // Act + var context = RunTestWithRegValues(registryEntries); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); - Assert.Equal(expectedConfiguration.Settings.HashAlgorithm, 
actualConfiguration.Settings.HashAlgorithm); - Assert.Equal(expectedConfiguration.Settings.HashAlgorithmProvider, actualConfiguration.Settings.HashAlgorithmProvider); + // Assert + var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; + + Assert.Equal(expectedConfiguration.EncryptionAlgorithm, actualConfiguration.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmProvider, actualConfiguration.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.HashAlgorithm, actualConfiguration.HashAlgorithm); + Assert.Equal(expectedConfiguration.HashAlgorithmProvider, actualConfiguration.HashAlgorithmProvider); } [ConditionalFact] [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_CngCbcEncryption_WithExplicitSettings() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var registryEntries = new Dictionary() { ["EncryptionType"] = "cng-cbc", ["EncryptionAlgorithm"] = "enc-alg", 
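Review bot: `ResolvePolicy_DefaultKeyLifetime` now asserts `Assert.Equal(1024, context.DefaultKeyLifetime)`, the raw day count, where the removed assertion checked `TimeSpan.FromDays(1024)` on `KeyManagementOptions.NewKeyLifetime`. The conversion from the registry value to the effective key lifetime is therefore not covered by anything visible here. If it is not tested elsewhere, add a test at the point where the resolved context is applied to the options, since a wrong unit there would silently change how long keys stay valid.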
@@ -101,142 +113,161 @@ namespace Microsoft.AspNetCore.DataProtection ["EncryptionAlgorithmProvider"] = "my-enc-alg-provider", ["HashAlgorithm"] = "hash-alg", ["HashAlgorithmProvider"] = "my-hash-alg-provider" - }); - - var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration(new CngCbcAuthenticatedEncryptionSettings() + }; + var expectedConfiguration = new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, EncryptionAlgorithmProvider = "my-enc-alg-provider", HashAlgorithm = "hash-alg", HashAlgorithmProvider = "my-hash-alg-provider" - }); - var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)services.GetService(); + }; - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); - Assert.Equal(expectedConfiguration.Settings.HashAlgorithm, actualConfiguration.Settings.HashAlgorithm); - Assert.Equal(expectedConfiguration.Settings.HashAlgorithmProvider, actualConfiguration.Settings.HashAlgorithmProvider); + // Act + var context = RunTestWithRegValues(registryEntries); + + // Assert + var actualConfiguration = (CngCbcAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; + + Assert.Equal(expectedConfiguration.EncryptionAlgorithm, actualConfiguration.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmProvider, actualConfiguration.EncryptionAlgorithmProvider); + Assert.Equal(expectedConfiguration.HashAlgorithm, actualConfiguration.HashAlgorithm); + 
Assert.Equal(expectedConfiguration.HashAlgorithmProvider, actualConfiguration.HashAlgorithmProvider); } [ConditionalFact] [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_CngGcmEncryption_WithoutExplicitSettings() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var registryEntries = new Dictionary() { ["EncryptionType"] = "cng-gcm" - }); + }; + var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(); - var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings()); - var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)services.GetService(); + // Act + var context = RunTestWithRegValues(registryEntries); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); + // Assert + var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; + + Assert.Equal(expectedConfiguration.EncryptionAlgorithm, actualConfiguration.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmProvider, actualConfiguration.EncryptionAlgorithmProvider); } [ConditionalFact] [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_CngGcmEncryption_WithExplicitSettings() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var 
registryEntries = new Dictionary() { ["EncryptionType"] = "cng-gcm", ["EncryptionAlgorithm"] = "enc-alg", ["EncryptionAlgorithmKeySize"] = 2048, ["EncryptionAlgorithmProvider"] = "my-enc-alg-provider" - }); - - var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration(new CngGcmAuthenticatedEncryptionSettings() + }; + var expectedConfiguration = new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, EncryptionAlgorithmProvider = "my-enc-alg-provider" - }); - var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)services.GetService(); + }; - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithm, actualConfiguration.Settings.EncryptionAlgorithm); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmProvider, actualConfiguration.Settings.EncryptionAlgorithmProvider); + // Act + var context = RunTestWithRegValues(registryEntries); + + // Assert + var actualConfiguration = (CngGcmAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; + + Assert.Equal(expectedConfiguration.EncryptionAlgorithm, actualConfiguration.EncryptionAlgorithm); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmProvider, actualConfiguration.EncryptionAlgorithmProvider); } [ConditionalFact] [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_ManagedEncryption_WithoutExplicitSettings() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var registryEntries = new Dictionary() { ["EncryptionType"] = "managed" - }); + }; + var expectedConfiguration = new 
ManagedAuthenticatedEncryptorConfiguration(); - var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings()); - var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService(); + // Act + var context = RunTestWithRegValues(registryEntries); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmType, actualConfiguration.Settings.EncryptionAlgorithmType); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Settings.ValidationAlgorithmType, actualConfiguration.Settings.ValidationAlgorithmType); + // Assert + var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; + + Assert.Equal(expectedConfiguration.EncryptionAlgorithmType, actualConfiguration.EncryptionAlgorithmType); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.ValidationAlgorithmType, actualConfiguration.ValidationAlgorithmType); } [ConditionalFact] [ConditionalRunTestOnlyIfHkcuRegistryAvailable] public void ResolvePolicy_ManagedEncryption_WithExplicitSettings() { - IServiceCollection serviceCollection = new ServiceCollection(); - RunTestWithRegValues(serviceCollection, new Dictionary() + // Arrange + var registryEntries = new Dictionary() { ["EncryptionType"] = "managed", ["EncryptionAlgorithmType"] = typeof(TripleDES).AssemblyQualifiedName, ["EncryptionAlgorithmKeySize"] = 2048, ["ValidationAlgorithmType"] = typeof(HMACSHA1).AssemblyQualifiedName - }); - - var services = serviceCollection.BuildServiceProvider(); - var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionSettings() + }; + var expectedConfiguration = new 
ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = typeof(TripleDES), EncryptionAlgorithmKeySize = 2048, ValidationAlgorithmType = typeof(HMACSHA1) - }); - var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService(); + }; - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmType, actualConfiguration.Settings.EncryptionAlgorithmType); - Assert.Equal(expectedConfiguration.Settings.EncryptionAlgorithmKeySize, actualConfiguration.Settings.EncryptionAlgorithmKeySize); - Assert.Equal(expectedConfiguration.Settings.ValidationAlgorithmType, actualConfiguration.Settings.ValidationAlgorithmType); + // Act + var context = RunTestWithRegValues(registryEntries); + + // Assert + var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; + + Assert.Equal(expectedConfiguration.EncryptionAlgorithmType, actualConfiguration.EncryptionAlgorithmType); + Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); + Assert.Equal(expectedConfiguration.ValidationAlgorithmType, actualConfiguration.ValidationAlgorithmType); } - private static void RunTestWithRegValues(IServiceCollection services, Dictionary regValues) + private static RegistryPolicy RunTestWithRegValues(Dictionary regValues) { - WithUniqueTempRegKey(registryKey => + return WithUniqueTempRegKey(registryKey => { foreach (var entry in regValues) { registryKey.SetValue(entry.Key, entry.Value); } - var policyResolver = new RegistryPolicyResolver(registryKey); - services.Add(policyResolver.ResolvePolicy()); + var policyResolver = new RegistryPolicyResolver( + registryKey, + activator: SimpleActivator.DefaultWithoutServices, + loggerFactory: NullLoggerFactory.Instance); + + return policyResolver.ResolvePolicy(); }); } /// /// Runs a test and cleans up the registry key afterward. 
/// - private static void WithUniqueTempRegKey(Action testCode) + private static RegistryPolicy WithUniqueTempRegKey(Func testCode) { string uniqueName = Guid.NewGuid().ToString(); var uniqueSubkey = LazyHkcuTempKey.Value.CreateSubKey(uniqueName); try { - testCode(uniqueSubkey); + return testCode(uniqueSubkey); } finally { diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs index 2690da8254..b903267415 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs @@ -3,6 +3,7 @@ using System; using System.Xml.Linq; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.Repositories @@ -13,7 +14,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories public void GetAllElements_Empty() { // Arrange - var repository = new EphemeralXmlRepository(null); + var repository = new EphemeralXmlRepository(NullLoggerFactory.Instance); // Act & assert Assert.Empty(repository.GetAllElements()); @@ -26,7 +27,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories var element1 = XElement.Parse(@""); var element2 = XElement.Parse(@""); var element3 = XElement.Parse(@""); - var repository = new EphemeralXmlRepository(null); + var repository = new EphemeralXmlRepository(NullLoggerFactory.Instance); // Act & assert repository.StoreElement(element1, "Invalid friendly name."); // nobody should care about the friendly name diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 37b603f174..28cb78c8ba 100644 
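Review bot: ResolvePolicy_ManagedEncryption_WithExplicitSettings only covers well-formed type names: the registry holds `typeof(TripleDES).AssemblyQualifiedName` and the test expects the matching `Type` back. Because these values are read from a registry key and turned into types, a companion test should pin what happens for a name that does not load or is not an algorithm type. Whether the resolver rejects such a value is not visible in this diff. The same gap applies to an unrecognised `EncryptionType` string, assuming no test outside these hunks covers it.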
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -6,6 +6,7 @@ using System.IO; using System.Linq; using System.Xml.Linq; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.Repositories @@ -30,7 +31,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories WithUniqueTempDirectory(dirInfo => { // Arrange - var repository = new FileSystemXmlRepository(dirInfo); + var repository = new FileSystemXmlRepository(dirInfo, NullLoggerFactory.Instance); // Act var retVal = repository.Directory; @@ -46,7 +47,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories WithUniqueTempDirectory(dirInfo => { // Arrange - var repository = new FileSystemXmlRepository(dirInfo); + var repository = new FileSystemXmlRepository(dirInfo, NullLoggerFactory.Instance); // Act var allElements = repository.GetAllElements(); @@ -63,7 +64,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { // Arrange var element = XElement.Parse(""); - var repository = new FileSystemXmlRepository(dirInfo); + var repository = new FileSystemXmlRepository(dirInfo, NullLoggerFactory.Instance); // Act repository.StoreElement(element, "valid-friendly-name"); @@ -93,7 +94,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { // Arrange var element = XElement.Parse(""); - var repository = new FileSystemXmlRepository(dirInfo); + var repository = new FileSystemXmlRepository(dirInfo, NullLoggerFactory.Instance); // Act repository.StoreElement(element, friendlyName); 
@@ -121,7 +122,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories WithUniqueTempDirectory(dirInfo => { // Arrange - var repository = new FileSystemXmlRepository(dirInfo); + var repository = new FileSystemXmlRepository(dirInfo, NullLoggerFactory.Instance); // Act repository.StoreElement(new XElement("element1"), friendlyName: null); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs index 92c16a782c..11f0060ca3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs @@ -6,6 +6,7 @@ using System.Linq; using System.Runtime.InteropServices; using System.Xml.Linq; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Win32; using Xunit; @@ -20,7 +21,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories WithUniqueTempRegKey(regKey => { // Arrange - var repository = new RegistryXmlRepository(regKey); + var repository = new RegistryXmlRepository(regKey, NullLoggerFactory.Instance); // Act var retVal = repository.RegistryKey; @@ -37,7 +38,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories WithUniqueTempRegKey(regKey => { // Arrange - var repository = new RegistryXmlRepository(regKey); + var repository = new RegistryXmlRepository(regKey, NullLoggerFactory.Instance); // Act var allElements = repository.GetAllElements(); @@ -55,7 +56,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { // Arrange var element = XElement.Parse(""); - var repository = new RegistryXmlRepository(regKey); + var repository = new RegistryXmlRepository(regKey, NullLoggerFactory.Instance); // Act repository.StoreElement(element, "valid-friendly-name"); 
@@ -86,7 +87,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { // Arrange var element = XElement.Parse(""); - var repository = new RegistryXmlRepository(regKey); + var repository = new RegistryXmlRepository(regKey, NullLoggerFactory.Instance); // Act repository.StoreElement(element, friendlyName); @@ -112,7 +113,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories WithUniqueTempRegKey(regKey => { // Arrange - var repository = new RegistryXmlRepository(regKey); + var repository = new RegistryXmlRepository(regKey, NullLoggerFactory.Instance); // Act repository.StoreElement(new XElement("element1"), friendlyName: null); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs index 7a7596cc7f..8d2b146b27 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs @@ -61,7 +61,7 @@ namespace Microsoft.AspNetCore.DataProtection public void Log(LogLevel logLevel, EventId eventId, TState state, Exception exception, Func formatter) { - string message = String.Format(CultureInfo.InvariantCulture, + string message = string.Format(CultureInfo.InvariantCulture, "Provider: {0}" + Environment.NewLine + "Log level: {1}" + Environment.NewLine + "Event id: {2}" + Environment.NewLine + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs index e33bc0d84c..3bd5ccdc16 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs 
@@ -124,7 +124,7 @@ namespace Microsoft.AspNetCore.DataProtection return true; // relevant } - throw new NotSupportedException(String.Format("Node of type '{0}' is not supported.", node.GetType().Name)); + throw new NotSupportedException(string.Format("Node of type '{0}' is not supported.", node.GetType().Name)); } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index e73a4912a4..23fd3bd06a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -8,6 +8,8 @@ using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Moq; using Xunit; @@ -22,7 +24,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var symmetricAlgorithm = new TripleDESCryptoServiceProvider(); symmetricAlgorithm.GenerateKey(); - var serviceCollection = new ServiceCollection(); var mockInternalEncryptor = new Mock(); mockInternalEncryptor.Setup(o => o.PerformEncryption(It.IsAny(), It.IsAny())) .Returns((encryptedXml, element) => @@ -30,7 +31,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption encryptedXml.AddKeyNameMapping("theKey", symmetricAlgorithm); // use symmetric encryption return encryptedXml.Encrypt(element, "theKey"); }); - serviceCollection.AddSingleton(mockInternalEncryptor.Object); var mockInternalDecryptor = new Mock(); mockInternalDecryptor.Setup(o => o.PerformPreDecryptionSetup(It.IsAny())) 
@@ -38,10 +38,12 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { encryptedXml.AddKeyNameMapping("theKey", symmetricAlgorithm); // use symmetric encryption }); + + var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(mockInternalDecryptor.Object); var services = serviceCollection.BuildServiceProvider(); - var encryptor = new CertificateXmlEncryptor(services); + var encryptor = new CertificateXmlEncryptor(NullLoggerFactory.Instance, mockInternalEncryptor.Object); var decryptor = new EncryptedXmlDecryptor(services); var originalXml = XElement.Parse(@""); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs index 2a4f19dfab..6b16c638a8 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs @@ -5,6 +5,7 @@ using System; using System.Xml.Linq; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.XmlEncryption @@ -17,7 +18,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { // Arrange var originalXml = XElement.Parse(@""); - var encryptor = new DpapiNGXmlEncryptor("LOCAL=user", DpapiNGProtectionDescriptorFlags.None); + var encryptor = new DpapiNGXmlEncryptor("LOCAL=user", DpapiNGProtectionDescriptorFlags.None, NullLoggerFactory.Instance); var decryptor = new DpapiNGXmlDecryptor(); // Act & assert - run through encryptor and make sure we get back an obfuscated element diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 1d6d820810..a397337f8d 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -6,6 +6,7 @@ using System.Xml.Linq; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection.XmlEncryption @@ -20,7 +21,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { // Arrange var originalXml = XElement.Parse(@""); - var encryptor = new DpapiXmlEncryptor(protectToLocalMachine); + var encryptor = new DpapiXmlEncryptor(protectToLocalMachine, NullLoggerFactory.Instance); var decryptor = new DpapiXmlDecryptor(); // Act & assert - run through encryptor and make sure we get back an obfuscated element @@ -40,7 +41,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { // Arrange var originalXml = XElement.Parse(@""); - var encryptor = new DpapiXmlEncryptor(protectToLocalMachine: false); + var encryptor = new DpapiXmlEncryptor(protectToLocalMachine: false, loggerFactory: NullLoggerFactory.Instance); var decryptor = new DpapiXmlDecryptor(); // Act & assert - run through encryptor and make sure we get back an obfuscated element diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs index d03fee0c09..bf3c455b5a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs @@ -151,7 +151,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption "); - var expected = String.Format(@" + var expected = string.Format(@" 
@@ -194,7 +194,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption "); - var expected = String.Format(@" + var expected = string.Format(@" From 6a61e10a4b9289c507a517a0033191bf7bca129b Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 15 Mar 2017 10:47:41 -0700 Subject: [PATCH 318/493] Unify dependency versions and remove workarounds --- DataProtection.sln | 3 ++- build/dependencies.props | 8 +++++++- samples/AzureBlob/AzureBlob.csproj | 11 ++++++++--- .../CustomEncryptorSample.csproj | 13 +++++++------ .../KeyManagementSample.csproj | 4 ---- samples/NonDISample/NonDISample.csproj | 4 ---- samples/Redis/Redis.csproj | 15 ++++++++------- ....AspNetCore.DataProtection.Abstractions.csproj | 2 +- ....AspNetCore.DataProtection.AzureStorage.csproj | 2 +- ...ft.AspNetCore.DataProtection.Extensions.csproj | 2 +- ...crosoft.AspNetCore.DataProtection.Redis.csproj | 2 +- ...oft.AspNetCore.DataProtection.SystemWeb.csproj | 2 +- .../Microsoft.AspNetCore.DataProtection.csproj | 8 ++++---- ...t.AspNetCore.Cryptography.Internal.Test.csproj | 8 ++++---- ...NetCore.Cryptography.KeyDerivation.Test.csproj | 8 ++++---- ...etCore.DataProtection.Abstractions.Test.csproj | 10 +++++----- ...etCore.DataProtection.AzureStorage.Test.csproj | 12 ++++++------ ...pNetCore.DataProtection.Extensions.Test.csproj | 10 +++++----- ...ft.AspNetCore.DataProtection.Redis.Test.csproj | 10 +++++----- ...icrosoft.AspNetCore.DataProtection.Test.csproj | 12 ++++++------ 20 files changed, 76 insertions(+), 70 deletions(-) diff --git a/DataProtection.sln b/DataProtection.sln index 664c368960..f56c09d294 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -1,6 +1,7 @@ + Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 15 -VisualStudioVersion = 15.0.26206.0 +VisualStudioVersion = 15.0.26228.4 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject 
diff --git a/build/dependencies.props b/build/dependencies.props index e704edaec0..18af43d19a 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,6 +1,12 @@ - 1.6.1 + 1.2.0-* 4.3.0 + 4.7.1 + 1.6.1 + 1.1.605 + 15.0.0 + 2.2.0 + 7.2.1 diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index f0bd9ec8e0..b7314e9091 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -1,5 +1,7 @@ + + netcoreapp1.1 Exe @@ -9,9 +11,12 @@ - - - + + + + + + diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index b8d212454c..60db203544 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -1,18 +1,19 @@  + + net451;netcoreapp1.1 - - win7-x64 - portable - Exe - - + + + + + diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index 0769407b34..355b4edab0 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -2,10 +2,6 @@ net451;netcoreapp1.1 - - win7-x64 - portable - Exe diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index 0769407b34..355b4edab0 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -2,10 +2,6 @@ net451;netcoreapp1.1 - - win7-x64 - portable - Exe diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index d428b50020..21530ce9e2 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -1,18 +1,19 @@ + + netcoreapp1.1;net451 - - win7-x64 - portable - Exe - - - + + + + + + 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj index b3ce474d7b..4a2cef6f08 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj @@ -18,7 +18,7 @@ Microsoft.AspNetCore.DataProtection.IDataProtector - + diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index 036e0eb921..b830b0f744 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -15,7 +15,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj index 3f2518f667..41950e5567 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj @@ -16,7 +16,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 014574aaac..de1593b27f 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -14,7 +14,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj index b4878113a6..bc2dc0d8e9 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj @@ -16,7 +16,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index 20b56f57aa..ea7409c31e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -18,10 +18,10 @@ - - - - + + + + diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index ec9c8b6437..129d71ce1f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -15,10 +15,10 @@ - - - - + + + + diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index d2be0cffdb..42e4d7a6d8 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj 
+++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -15,10 +15,10 @@ - - - - + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 263dddece7..f8b5ce9a84 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -14,11 +14,11 @@ - - - - - + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 1aeefb1e4b..5620bd450e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -12,12 +12,12 @@ - - - - - - + + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 36750335a7..59ed96d0de 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -14,11 +14,11 @@ - - - - - + + + + + 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 39ba6b87ea..8d0866a5e2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -14,11 +14,11 @@ - - - - - + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index fbf6744846..0c070e19c2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -14,12 +14,12 @@ - - - - - - + + + + + + From 1ce7fc72451442e6b8fa794583432de4563f3879 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Wed, 15 Mar 2017 17:54:34 -0700 Subject: [PATCH 319/493] Use TryAdd to add services --- .../DataProtectionServiceCollectionExtensions.cs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 95e8b2cc7e..3fcaee8f69 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -66,7 +66,7 @@ namespace Microsoft.Extensions.DependencyInjection if (OSVersionUtil.IsWindows()) { - services.AddSingleton(); + services.TryAddSingleton(); } services.TryAddEnumerable( 
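Review bot: Switching these registrations to `TryAddSingleton` makes registration order decide the outcome: anything the application or another library registered for the same service type before this method runs is kept, and the data-protection default is skipped without any signal. That applies here to the Windows-only registration and, in the two following hunks, to the internal services, the factory lambda that reads the options and the key ring provider, and the registration under `#if !NETSTANDARD1_3`. Since these services decide how payloads are protected, I would state the contract next to the first call, for example `// TryAdd: a registration already present wins; these are defaults only, so registration order matters.` The service type arguments are not visible on this page, and the enclosing method starts and ends outside the hunk.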
@@ -74,13 +74,13 @@ namespace Microsoft.Extensions.DependencyInjection services.TryAddEnumerable( ServiceDescriptor.Transient, DataProtectionOptionsSetup>()); - services.AddSingleton(); + services.TryAddSingleton(); // Internal services - services.AddSingleton(); - services.AddSingleton(); + services.TryAddSingleton(); + services.TryAddSingleton(); - services.AddSingleton(s => + services.TryAddSingleton(s => { var dpOptions = s.GetRequiredService>(); var keyRingProvider = s.GetRequiredService(); @@ -99,7 +99,7 @@ namespace Microsoft.Extensions.DependencyInjection }); #if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - services.AddSingleton(); + services.TryAddSingleton(); #endif } } From 7628d2f634603b737b6df022f66264fdb5fb844b Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 21 Mar 2017 12:05:57 -0700 Subject: [PATCH 320/493] Update Travis to macOS Sierra [skip appveyor] --- .travis.yml | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/.travis.yml b/.travis.yml index e397d6edf4..2a46104677 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,15 +1,6 @@ language: csharp -sudo: required +sudo: false dist: trusty -addons: - apt: - packages: - - gettext - - libcurl4-openssl-dev - - libicu-dev - - libssl-dev - - libunwind8 - - zlib1g env: global: - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true @@ -18,6 +9,7 @@ mono: none os: - linux - osx +osx_image: xcode8.2 branches: only: - master 
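Review bot: Moving these registrations from `AddSingleton` to `TryAddSingleton` makes them first-registration-wins, and nothing in the method says so: whatever is already registered for the same service type when this code runs now silently replaces the default, including the factory-built provider registered with `services.TryAddSingleton(s =>` in this hunk. In a data-protection stack that decides which key-management and provider implementations end up in the container, so the precedence should be written down above the block, e.g. `// TryAdd: an implementation registered earlier by the app or another library takes precedence over these defaults.` The same applies to the hunks at -66 and -99 of this file. The diffstat lists only this file, so no test appears to pin the override behaviour; the enclosing method starts outside the hunk.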
@@ -28,9 +20,3 @@ before_install: - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/; fi script: - ./build.sh -notifications: - webhooks: - secure: "QLltxzNQ+TUgMurX3FuWB37LVsRx6kZBTXk4JG/BELqO5/Xuwzf8ChElW29d4AbwOeYv5ONYyrvdnLtel8MJCMs8rCxZ2kZZtmUtGdUpPeMavmrvDYQeNqHhFYpLu+bEjxuilGoVI2qonI29S3Q9fC+grXsktGPwPmhyulHbwkk=" - on_success: always - on_failure: always - on_start: always From 55507de7dda14fecf13f9ce870ba57595ccf6568 Mon Sep 17 00:00:00 2001 From: Doug Bunting Date: Tue, 21 Mar 2017 11:01:21 -0700 Subject: [PATCH 321/493] Disable API Check in a project with untracked breaking changes --- .../Microsoft.AspNetCore.DataProtection.csproj | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index ea7409c31e..62c08637af 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -9,6 +9,7 @@ true true aspnetcore;dataprotection + false From bb7b58321ca355f150b119d74d3c81315f6a4180 Mon Sep 17 00:00:00 2001 
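Review bot: The added `false` line switches a check off for the shipping DataProtection project without recording why or when it is meant to come back; the element name is not legible on this page, and the commit title indicates it is the API check. Breaking changes that the title itself calls untracked can then reach consumers of the package with no gate flagging them. A comment directly above the property would keep the exception visible, e.g. `<!-- API check disabled: breaking changes not yet recorded in the baseline; re-enable once they are (tracking: ISSUE-PLACEHOLDER). -->`.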
From: Kiran Challa Date: Thu, 23 Mar 2017 00:04:04 -0700 Subject: [PATCH 322/493] Converted samples and test projects to run on netcoreapp2.0 --- build/dependencies.props | 1 + samples/AzureBlob/AzureBlob.csproj | 2 +- samples/CustomEncryptorSample/CustomEncryptorSample.csproj | 2 +- samples/KeyManagementSample/KeyManagementSample.csproj | 4 +++- samples/NonDISample/NonDISample.csproj | 4 +++- samples/Redis/Redis.csproj | 2 +- .../Microsoft.AspNetCore.Cryptography.Internal.Test.csproj | 6 +++--- ...rosoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj | 4 ++-- ...osoft.AspNetCore.DataProtection.Abstractions.Test.csproj | 4 ++-- ...osoft.AspNetCore.DataProtection.AzureStorage.Test.csproj | 6 +++--- .../DataProtectionProviderTests.cs | 5 ++++- ...crosoft.AspNetCore.DataProtection.Extensions.Test.csproj | 4 ++-- .../Microsoft.AspNetCore.DataProtection.Redis.Test.csproj | 4 ++-- .../AnonymousImpersonation.cs | 3 +++ .../Microsoft.AspNetCore.DataProtection.Test.csproj | 4 ++-- .../Repositories/FileSystemXmlRepositoryTests.cs | 6 ++++-- .../XmlEncryption/CertificateXmlEncryptionTests.cs | 5 ++++- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 5 ++++- 18 files changed, 45 insertions(+), 26 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 18af43d19a..d3527e5a2b 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -5,6 +5,7 @@ 4.7.1 1.6.1 1.1.605 + 2.0.0-* 15.0.0 2.2.0 7.2.1 diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index b7314e9091..8ce0a3e6d9 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -3,7 +3,7 @@ - netcoreapp1.1 + netcoreapp2.0 Exe $(PackageTargetFallback);portable-net45+win8+wp8+wpa81 diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index 60db203544..7422388415 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj 
+++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -3,7 +3,7 @@ - net451;netcoreapp1.1 + net451;netcoreapp2.0 diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index 355b4edab0..1b23de0ddf 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -1,7 +1,9 @@  + + - net451;netcoreapp1.1 + net451;netcoreapp2.0 diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index 355b4edab0..1b23de0ddf 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -1,7 +1,9 @@  + + - net451;netcoreapp1.1 + net451;netcoreapp2.0 diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 21530ce9e2..73863155a2 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -3,7 +3,7 @@ - netcoreapp1.1;net451 + netcoreapp2.0;net451 diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 129d71ce1f..71a60ea4d8 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -3,10 +3,10 @@ - netcoreapp1.1;net452 - netcoreapp1.1 + netcoreapp2.0;net452 + netcoreapp2.0 true - $(PackageTargetFallback);dnxcore50;portable-net451+win8 + $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index 42e4d7a6d8..56b23f29fd 100644 
--- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -3,8 +3,8 @@ - netcoreapp1.1;net452 - netcoreapp1.1 + netcoreapp2.0;net452 + netcoreapp2.0 true diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index f8b5ce9a84..076480457b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -3,8 +3,8 @@ - netcoreapp1.1;net452 - netcoreapp1.1 + netcoreapp2.0;net452 + netcoreapp2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 5620bd450e..fb2b75b60a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -3,10 +3,10 @@ - netcoreapp1.1;net452 - netcoreapp1.1 + netcoreapp2.0;net452 + netcoreapp2.0 true - $(PackageTargetFallback);dnxcore50;portable-net451+win8 + $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index c2e81fa7f2..694b612ce1 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -106,7 +106,7 @@ namespace Microsoft.AspNetCore.DataProtection }); } -#if !NETCOREAPP1_1 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET452 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] @@ -149,6 +149,9 @@ namespace Microsoft.AspNetCore.DataProtection } }); } +#elif NETCOREAPP2_0 +#else +#error Target framework needs to be updated #endif /// diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 59ed96d0de..4dc5e85324 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -3,8 +3,8 @@ - netcoreapp1.1;net452 - netcoreapp1.1 + netcoreapp2.0;net452 + netcoreapp2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 8d0866a5e2..f873d70e1d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -3,8 +3,8 @@ - netcoreapp1.1;net452 - netcoreapp1.1 + netcoreapp2.0;net452 + netcoreapp2.0 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index 8d1accf55b..89f115beba 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs @@ -86,4 +86,7 @@ namespace Microsoft.AspNetCore.DataProtection } } } +#elif NETCOREAPP2_0 +#else +#error Target framework needs to be updated #endif \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 0c070e19c2..e5f8052014 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -3,8 +3,8 @@ - netcoreapp1.1;net452 - netcoreapp1.1 + netcoreapp2.0;net452 + netcoreapp2.0 true diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 28cb78c8ba..bb371dd889 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -159,10 +159,12 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static string GetLocalApplicationData() { -#if NETCOREAPP1_1 +#if NETCOREAPP2_0 return Environment.GetEnvironmentVariable("LOCALAPPDATA"); -#else +#elif NET452 return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); +#else +#error Target framework needs to be updated #endif } 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 23fd3bd06a..0dd9e072c2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETCOREAPP1_1 +#if NET452 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; @@ -61,5 +61,8 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } +#elif NETCOREAPP2_0 +#else +#error Target framework needs to be updated #endif diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index a397337f8d..bcb41921d5 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -34,7 +34,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if !NETCOREAPP1_1 +#if NET452 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() @@ -53,6 +53,9 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption ExceptionAssert2.ThrowsCryptographicException(() => AnonymousImpersonation.Run(() => decryptor.Decrypt(encryptedXmlInfo.EncryptedElement))); } +#elif NETCOREAPP2_0 +#else +#error Target framework needs to be updated #endif } } From 91406009d3322f1b0c58f442883cecf52efcfcf8 Mon Sep 17 00:00:00 2001 
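Review bot: The `#elif NETCOREAPP2_0` branch added at -53 of DpapiXmlEncryptionTests.cs is empty and unexplained, so a reader cannot tell whether leaving `Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails` out of the netcoreapp2.0 run is deliberate. That is the one negative test visible here (decryption under a different identity must fail), so the gap is worth stating on the branch, e.g. `// No impersonation test on netcoreapp2.0: the AnonymousImpersonation helper is only compiled for the desktop target.` (presumably the reason; to be confirmed). The same empty branch is added to CertificateXmlEncryptionTests.cs in this commit, where it excludes the whole file. The test class continues outside the hunk.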
From: Pranav K Date: Sun, 12 Mar 2017 17:28:11 -0700 Subject: [PATCH 323/493] Remove net451 as a cross-compile target --- .gitignore | 3 +- .../CustomEncryptorSample.csproj | 2 +- .../KeyManagementSample.csproj | 2 +- samples/NonDISample/NonDISample.csproj | 2 +- samples/Redis/Redis.csproj | 2 +- .../CryptoUtil.cs | 5 +++- ...ft.AspNetCore.Cryptography.Internal.csproj | 2 +- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 3 ++ .../SafeHandles/SafeLibraryHandle.cs | 29 ++++++++++++++----- .../SafeHandles/SecureLocalAllocHandle.cs | 5 +++- .../UnsafeNativeMethods.cs | 22 ++++++++++---- ...pNetCore.Cryptography.KeyDerivation.csproj | 2 +- ...NetCore.DataProtection.Abstractions.csproj | 2 +- ...NetCore.DataProtection.AzureStorage.csproj | 2 +- .../DataProtectionProvider.cs | 10 +++++-- ...spNetCore.DataProtection.Extensions.csproj | 2 +- ...oft.AspNetCore.DataProtection.Redis.csproj | 2 +- ...AspNetCore.DataProtection.SystemWeb.csproj | 4 +-- .../Cng/DpapiSecretSerializerHelper.cs | 20 ++++++++++--- .../DataProtectionBuilderExtensions.cs | 8 +++-- ...taProtectionServiceCollectionExtensions.cs | 5 +++- .../IDataProtectionBuilder.cs | 6 ++-- .../Managed/ManagedAuthenticatedEncryptor.cs | 6 ++-- ...Microsoft.AspNetCore.DataProtection.csproj | 4 +-- .../Repositories/FileSystemXmlRepository.cs | 6 ++-- .../XmlEncryption/CertificateResolver.cs | 6 ++-- .../XmlEncryption/CertificateXmlEncryptor.cs | 6 ++-- .../EncryptedXmlDecryptor.core50.cs | 4 ++- .../XmlEncryption/EncryptedXmlDecryptor.cs | 6 ++-- .../XmlEncryption/ICertificateResolver.cs | 6 ++-- .../IInternalCertificateXmlEncryptor.cs | 6 ++-- .../IInternalEncryptedXmlDecryptor.cs | 6 ++-- .../XmlEncryption/XmlEncryptionExtensions.cs | 6 ++-- ...pNetCore.Cryptography.Internal.Test.csproj | 3 +- ...ore.Cryptography.KeyDerivation.Test.csproj | 2 +- ...re.DataProtection.Abstractions.Test.csproj | 2 +- ...re.DataProtection.AzureStorage.Test.csproj | 2 +- .../DataProtectionProviderTests.cs | 2 +- 
...Core.DataProtection.Extensions.Test.csproj | 2 +- ...spNetCore.DataProtection.Redis.Test.csproj | 2 +- .../AnonymousImpersonation.cs | 2 +- ...soft.AspNetCore.DataProtection.Test.csproj | 4 +-- .../FileSystemXmlRepositoryTests.cs | 2 +- .../CertificateXmlEncryptionTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- 45 files changed, 155 insertions(+), 74 deletions(-) diff --git a/.gitignore b/.gitignore index fd02261e5f..5af949b050 100644 --- a/.gitignore +++ b/.gitignore @@ -28,4 +28,5 @@ project.lock.json .vs .build/ .testPublish/ -samples/**/temp-keys/ \ No newline at end of file +samples/**/temp-keys/ +global.json diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index 7422388415..96ea1517fa 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -3,7 +3,7 @@ - net451;netcoreapp2.0 + net46;netcoreapp2.0 diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index 1b23de0ddf..dd0a98bd0c 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -3,7 +3,7 @@ - net451;netcoreapp2.0 + net46;netcoreapp2.0 diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index 1b23de0ddf..dd0a98bd0c 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -3,7 +3,7 @@ - net451;netcoreapp2.0 + net46;netcoreapp2.0 diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 73863155a2..6952eb460c 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net451 + netcoreapp2.0;net46 
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs index 8a268af986..45f405248d 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs @@ -73,8 +73,11 @@ namespace Microsoft.AspNetCore.Cryptography } [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] -#if !NETSTANDARD1_3 +#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint count) { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj index 75e58c0965..ee4be7ad30 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj @@ -4,7 +4,7 @@ Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly. - net451;netstandard1.3 + net46;netstandard1.3 $(NoWarn);CS1591 true true diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs index 2c7ca7eb33..b61a4c3c44 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs @@ -24,4 +24,7 @@ namespace Microsoft.Win32.SafeHandles } } } +#elif NET46 +#else +#error target frameworks need to be updated. #endif 
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index c6ed16428b..c1ee52202e 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs @@ -127,23 +127,30 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles return UnsafeNativeMethods.FreeLibrary(handle); } -#if !NETSTANDARD1_3 +#if NET46 [SuppressUnmanagedCodeSecurity] +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif private static class UnsafeNativeMethods { #if NETSTANDARD1_3 private const string CORE_LIBRARY_LOADER_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; private const string CORE_LOCALIZATION_LIB = "api-ms-win-core-localization-l1-2-0.dll"; -#else +#elif NET46 private const string KERNEL32_LIB = "kernel32.dll"; +#else +#error target frameworks need to be updated. #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx #if NETSTANDARD1_3 [DllImport(CORE_LOCALIZATION_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] -#else +#elif NET46 [DllImport(KERNEL32_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] +#else +#error target frameworks need to be updated. #endif public static extern int FormatMessage( [In] uint dwFlags, 
@@ -159,9 +166,11 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles [return: MarshalAs(UnmanagedType.Bool)] #if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] -#else +#elif NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] +#else +#error target frameworks need to be updated. #endif internal static extern bool FreeLibrary(IntPtr hModule); @@ -169,8 +178,10 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles [return: MarshalAs(UnmanagedType.Bool)] #if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#else +#elif NET46 [DllImport(KERNEL32_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#else +#error target frameworks need to be updated. #endif internal static extern bool GetModuleHandleEx( [In] uint dwFlags, @@ -180,8 +191,10 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx #if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#else +#elif NET46 [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#else +#error target frameworks need to be updated. #endif internal static extern IntPtr GetProcAddress( [In] SafeLibraryHandle hModule, 
@@ -190,8 +203,10 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx #if NETSTANDARD1_3 [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#else +#elif NET46 [DllImport(KERNEL32_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] +#else +#error target frameworks need to be updated. #endif internal static extern SafeLibraryHandle LoadLibraryEx( [In, MarshalAs(UnmanagedType.LPWStr)] string lpFileName, diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index 9c7faeed90..52399e0f7b 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs @@ -41,8 +41,11 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles return newHandle; } -#if !NETSTANDARD1_3 +#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif private void AllocateImpl(IntPtr cb) { diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs index 73cf4e91bd..c36f78997b 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs 
@@ -12,14 +12,17 @@ using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; -#if !NETSTANDARD1_3 +#if NET46 using System.Runtime.ConstrainedExecution; #endif namespace Microsoft.AspNetCore.Cryptography { -#if !NETSTANDARD1_3 +#if NET46 [SuppressUnmanagedCodeSecurity] +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif internal unsafe static class UnsafeNativeMethods { @@ -87,16 +90,22 @@ namespace Microsoft.AspNetCore.Cryptography [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !NETSTANDARD1_3 +#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx internal static extern int BCryptDestroyHash( [In] IntPtr hHash); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !NETSTANDARD1_3 +#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375404(v=vs.85).aspx internal static extern int BCryptDestroyKey( @@ -249,8 +258,11 @@ namespace Microsoft.AspNetCore.Cryptography */ [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if !NETSTANDARD1_3 +#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706799(v=vs.85).aspx internal static extern int NCryptCloseProtectionDescriptor( 
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj index a93ee65f94..4ff88fbf5e 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj @@ -4,7 +4,7 @@ ASP.NET Core utilities for key derivation. - net451;netstandard1.3 + netstandard1.3 $(NoWarn);CS1591 true true diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj index 4a2cef6f08..788a8fc77c 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj @@ -7,7 +7,7 @@ Commonly used types: Microsoft.AspNetCore.DataProtection.IDataProtectionProvider Microsoft.AspNetCore.DataProtection.IDataProtector - net451;netstandard1.3 + netstandard1.3 $(NoWarn);CS1591 true aspnetcore;dataprotection diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index b830b0f744..c2c890d657 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj 
@@ -5,7 +5,7 @@ Microsoft Azure Blob storrage support as key store. 1.1.0 - net451;netstandard1.5 + net46;netstandard1.5 $(NoWarn);CS1591 true true diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs index 58972aa4d9..1b9e30a94e 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs @@ -73,7 +73,7 @@ namespace Microsoft.AspNetCore.DataProtection return CreateProvider(keyDirectory, setupAction, certificate: null); } -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// Creates a that store keys in a location based on /// the platform and operating system and uses the given to encrypt the keys. @@ -150,6 +150,9 @@ namespace Microsoft.AspNetCore.DataProtection return CreateProvider(keyDirectory, setupAction, certificate); } +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif private static IDataProtectionProvider CreateProvider( @@ -166,11 +169,14 @@ namespace Microsoft.AspNetCore.DataProtection builder.PersistKeysToFileSystem(keyDirectory); } -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml if (certificate != null) { builder.ProtectKeysWithCertificate(certificate); } +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif setupAction(builder); diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj index 41950e5567..fe2f163044 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj @@ -4,7 +4,7 @@ Additional APIs for ASP.NET Core data protection. - net451;netstandard1.3 + net46;netstandard1.3 $(NoWarn);CS1591 true aspnetcore;dataprotection diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index de1593b27f..e305facf8d 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -5,7 +5,7 @@ Redis storrage support as key store. 0.1.0 - net451;netstandard1.5 + net46;netstandard1.5 $(NoWarn);CS1591 true true diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj index bc2dc0d8e9..d1ae6aeda7 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj @@ -4,14 +4,14 @@ A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x <machineKey> element. - net451 + net46 $(NoWarn);CS1591 true aspnet;aspnetcore;dataprotection - + diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs index d007ca4412..ea37a1b989 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs @@ -78,8 +78,11 @@ namespace Microsoft.AspNetCore.DataProtection.Cng }; var dataOut = default(DATA_BLOB); -#if !NETSTANDARD1_3 +#if NET46 RuntimeHelpers.PrepareConstrainedRegions(); +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif try { @@ -168,8 +171,11 @@ namespace Microsoft.AspNetCore.DataProtection.Cng fixed (byte* pbRetVal = retVal) { var handleAcquired = false; -#if !NETSTANDARD1_3 +#if NET46 RuntimeHelpers.PrepareConstrainedRegions(); +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif try { @@ -218,8 +224,11 @@ namespace Microsoft.AspNetCore.DataProtection.Cng }; var dataOut = default(DATA_BLOB); -#if !NETSTANDARD1_3 +#if NET46 RuntimeHelpers.PrepareConstrainedRegions(); +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif try { @@ -291,8 +300,11 @@ namespace Microsoft.AspNetCore.DataProtection.Cng using (unencryptedPayloadHandle) { var handleAcquired = false; -#if !NETSTANDARD1_3 +#if NET46 RuntimeHelpers.PrepareConstrainedRegions(); +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif try { diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index e7ca436f6f..6a3a9d459c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs @@ -16,7 +16,7 @@ using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; using Microsoft.Win32; -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; #endif 
@@ -249,7 +249,7 @@ namespace Microsoft.AspNetCore.DataProtection return builder; } -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// Configures keys to be encrypted to a given certificate before being persisted to storage. @@ -321,7 +321,9 @@ namespace Microsoft.AspNetCore.DataProtection return builder; } - +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif /// diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 3fcaee8f69..4cde160961 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -98,8 +98,11 @@ namespace Microsoft.Extensions.DependencyInjection return dataProtectionProvider; }); -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml services.TryAddSingleton(); +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif } } diff --git a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs index 54539f7b8e..619bdfcad4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs +++ b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs @@ -7,7 +7,7 @@ using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection { -#if !NETSTANDARD1_3 +#if NET46 /// /// Provides access to configuration for the data protection system, which allows the /// developer to configure default cryptographic algorithms, key storage locations, 
@@ -34,7 +34,7 @@ namespace Microsoft.AspNetCore.DataProtection /// contain existing keys that use older algorithms or protection mechanisms. /// /// -#else +#elif NETSTANDARD1_3 /// /// Provides access to configuration for the data protection system, which allows the /// developer to configure default cryptographic algorithms, key storage locations, @@ -58,6 +58,8 @@ namespace Microsoft.AspNetCore.DataProtection /// contain existing keys that use older algorithms or protection mechanisms. /// /// +#else +#error target frameworks need to be updated. #endif public interface IDataProtectionBuilder { diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 917d01f190..89cc875d10 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs @@ -343,11 +343,13 @@ namespace Microsoft.AspNetCore.DataProtection.Managed using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey)) { -#if !NETSTANDARD1_3 +#if NET46 // As an optimization, avoid duplicating the underlying buffer if we're on desktop CLR. var underlyingBuffer = outputStream.GetBuffer(); -#else +#elif NETSTANDARD1_3 var underlyingBuffer = outputStream.ToArray(); +#else +#error target frameworks need to be updated. #endif var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES)); diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index 62c08637af..ccf9d95f42 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -4,7 +4,7 @@ ASP.NET Core logic to protect and unprotect data, similar to DPAPI. - net451;netstandard1.3 + net46;netstandard1.3 $(NoWarn);CS1591 true true @@ -25,7 +25,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index 696e54bcae..b88f575a03 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -82,7 +82,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static DirectoryInfo GetDefaultKeyStorageDirectory() { -#if !NETSTANDARD1_3 +#if NET46 // Environment.GetFolderPath returns null if the user profile isn't loaded. var folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); if (!String.IsNullOrEmpty(folderPath)) @@ -93,7 +93,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { return null; } -#else +#elif NETSTANDARD1_3 // On core CLR, we need to fall back to environment variables. DirectoryInfo retVal; @@ -131,6 +131,8 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { return null; } +#else +#error target frameworks need to be updated. #endif } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs index 1116fd4c10..3bf578e14a 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.X509Certificates; @@ -51,5 +51,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } - +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 3bf68dcc66..0cbcf30bae 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.X509Certificates; @@ -147,5 +147,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } - +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs index 565c30e297..36bba2fb81 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs @@ -38,5 +38,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } - +#elif NET46 +#else +#error target frameworks need to be updated. #endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index eb8d163d45..bfb70d3283 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.Xml; @@ -73,5 +73,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } - +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs index 9834687d8d..78b629fd2f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System.Security.Cryptography.X509Certificates; @@ -20,5 +20,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption X509Certificate2 ResolveCertificate(string thumbprint); } } - +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs index 1e3cfeaee0..33761a29ed 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Xml; @@ -17,5 +17,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption EncryptedData PerformEncryption(EncryptedXml encryptedXml, XmlElement elementToEncrypt); } } - +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs index 0bdf6680d6..74987d8f60 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if !NETSTANDARD1_3 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml using System; using System.Security.Cryptography.Xml; @@ -16,5 +16,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption void PerformPreDecryptionSetup(EncryptedXml encryptedXml); } } - +#elif NETSTANDARD1_3 +#else +#error target frameworks need to be updated. #endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index 073b82386d..59dcfc96e5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs @@ -133,7 +133,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var memoryStream = new MemoryStream(DEFAULT_BUFFER_SIZE); element.Save(memoryStream); -#if !NETSTANDARD1_3 +#if NET46 var underlyingBuffer = memoryStream.GetBuffer(); fixed (byte* __unused__ = underlyingBuffer) // try to limit this moving around in memory while we allocate { 
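Review bot: Only the array returned by `memoryStream.GetBuffer()` after `element.Save(memoryStream)` is pinned in the hunk at +133 and, in the following hunk, cleared. If the serialized element exceeds `DEFAULT_BUFFER_SIZE`, the stream will have reallocated, and the earlier backing arrays stay on the heap with partial content. Assuming the element holds secret material (the `Array.Clear` in the next hunk suggests so), that limit deserves a comment next to the constructor call: `// Buffers dropped when the stream grows past DEFAULT_BUFFER_SIZE are not cleared; keep the initial capacity above the largest expected element.` The `NETSTANDARD1_3` arm in the following hunk has the same property. The enclosing method starts and ends outside this hunk.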
@@ -146,7 +146,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length); } } -#else +#elif NETSTANDARD1_3 ArraySegment underlyingBuffer; CryptoUtil.Assert(memoryStream.TryGetBuffer(out underlyingBuffer), "Underlying buffer isn't exposable."); fixed (byte* __unused__ = underlyingBuffer.Array) // try to limit this moving around in memory while we allocate @@ -160,6 +160,8 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption Array.Clear(underlyingBuffer.Array, underlyingBuffer.Offset, underlyingBuffer.Count); } } +#else +#error target frameworks need to be updated. #endif } diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 71a60ea4d8..6e44f5d7c3 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -3,10 +3,9 @@ - netcoreapp2.0;net452 + netcoreapp2.0;net46 netcoreapp2.0 true - $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index 56b23f29fd..4fec4fa063 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net452 + netcoreapp2.0;net46 netcoreapp2.0 true 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 076480457b..8a478b5dd2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net452 + netcoreapp2.0;net46 netcoreapp2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index fb2b75b60a..c0432a5da6 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net452 + netcoreapp2.0;net46 netcoreapp2.0 true $(PackageTargetFallback);dnxcore50;portable-net451+win8 diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 694b612ce1..d23d088d87 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs 
@@ -106,7 +106,7 @@ namespace Microsoft.AspNetCore.DataProtection }); } -#if NET452 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml +#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml [ConditionalFact] [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 4dc5e85324..70bbf78e0c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net452 + netcoreapp2.0;net46 netcoreapp2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index f873d70e1d..8f86aafb2a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net452 + netcoreapp2.0;net46 netcoreapp2.0 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index 89f115beba..ec61427bb2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs 
@@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET452 +#if NET46 using System; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index e5f8052014..724912b1f5 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net452 + netcoreapp2.0;net46 netcoreapp2.0 true @@ -22,7 +22,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index bb371dd889..a6a1f7896b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -161,7 +161,7 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { #if NETCOREAPP2_0 return Environment.GetEnvironmentVariable("LOCALAPPDATA"); -#elif NET452 +#elif NET46 return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); #else #error Target framework needs to be updated diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index 0dd9e072c2..a70e908b9d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs 
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET452 +#if NET46 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index bcb41921d5..828761b430 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -34,7 +34,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if NET452 +#if NET46 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() From 679a0e60f78121d69e9a0556662ef0e9dcbb1049 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 29 Mar 2017 11:30:32 -0700 Subject: [PATCH 324/493] Updating to 2.0.0 Internal.AspNetCore.Sdk --- build/common.props | 2 +- build/dependencies.props | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/build/common.props b/build/common.props index 4a81c8df7c..87205db500 100644 --- a/build/common.props +++ b/build/common.props @@ -13,7 +13,7 @@ - + diff --git a/build/dependencies.props b/build/dependencies.props index d3527e5a2b..bc95228e54 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -2,6 +2,7 @@ 1.2.0-* 4.3.0 + 2.0.0-* 4.7.1 1.6.1 1.1.605 @@ -10,4 +11,4 @@ 2.2.0 7.2.1 - + \ No newline at end of file From 9b5a26f774938c9038cf8bb7d964bf3297850f0d Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Mon, 3 Apr 2017 21:41:09 -0700 Subject: [PATCH 325/493] Updating versions to 2.0.0-preview1 --- build/dependencies.props | 2 +- .../Microsoft.AspNetCore.DataProtection.AzureStorage.csproj | 2 +- version.props | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index bc95228e54..f94b00d78b 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,6 +1,6 @@ - 1.2.0-* + 2.0.0-* 4.3.0 2.0.0-* 4.7.1 diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index c2c890d657..e017d060cc 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -4,7 +4,7 @@ Microsoft Azure Blob storrage support as key store. - 1.1.0 + 2.0.0 net46;netstandard1.5 $(NoWarn);CS1591 true diff --git a/version.props b/version.props index 17fd5ac36d..c7150e64f4 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ - 1.2.0 + 2.0.0 preview1 From 697745c4909886736ce340782b606d2c43f90cc6 Mon Sep 17 00:00:00 2001 
From: Ajay Bhargav Baaskaran Date: Wed, 5 Apr 2017 12:38:40 -0700 Subject: [PATCH 326/493] [Fixes #218] Set IXmlRepository using ConfigureOptions --- .../AzureDataProtectionBuilderExtensions.cs | 11 ++++--- .../RedisDataProtectionBuilderExtensions.cs | 13 +++++--- ...zureDataProtectionBuilderExtensionsTest.cs | 32 +++++++++++++++++++ ...spNetCore.DataProtection.Redis.Test.csproj | 1 + ...edisDataProtectionBuilderExtensionsTest.cs | 32 +++++++++++++++++++ 5 files changed, 80 insertions(+), 9 deletions(-) create mode 100644 test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs index 90f403bfe3..8ff62929e2 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs @@ -3,7 +3,7 @@ using System; using Microsoft.AspNetCore.DataProtection.AzureStorage; -using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.DependencyInjection; using Microsoft.WindowsAzure.Storage; using Microsoft.WindowsAzure.Storage.Auth; 
@@ -163,10 +163,13 @@ namespace Microsoft.AspNetCore.DataProtection } // important: the Func passed into this method must return a new instance with each call - private static IDataProtectionBuilder PersistKeystoAzureBlobStorageInternal(IDataProtectionBuilder config, Func blobRefFactory) + private static IDataProtectionBuilder PersistKeystoAzureBlobStorageInternal(IDataProtectionBuilder builder, Func blobRefFactory) { - config.Services.AddSingleton(services => new AzureBlobXmlRepository(blobRefFactory)); - return config; + builder.Services.Configure(options => + { + options.XmlRepository = new AzureBlobXmlRepository(blobRefFactory); + }); + return builder; } } } diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs index f18e0536b7..97593cbb03 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs @@ -3,8 +3,8 @@ using System; using StackExchange.Redis; -using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.Extensions.DependencyInjection.Extensions; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection { 
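Review bot: The callback in `PersistKeystoAzureBlobStorageInternal` assigns only `options.XmlRepository`, and nothing in this hunk says whether the key XML is encrypted before it is written to the blob. That presumably depends on configuration made elsewhere, which is not visible here. A comment on the assignment would help operators who otherwise rely on storage access control alone: `// Repository only: key material is protected at rest only if an XML encryptor is configured separately.` The Redis helper changed later in this commit has the same shape and would take the same comment.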
@@ -66,10 +66,13 @@ namespace Microsoft.AspNetCore.DataProtection return PersistKeysToRedisInternal(builder, () => connectionMultiplexer.GetDatabase(), key); } - private static IDataProtectionBuilder PersistKeysToRedisInternal(IDataProtectionBuilder config, Func databaseFactory, RedisKey key) + private static IDataProtectionBuilder PersistKeysToRedisInternal(IDataProtectionBuilder builder, Func databaseFactory, RedisKey key) { - config.Services.TryAddSingleton(services => new RedisXmlRepository(databaseFactory, key)); - return config; + builder.Services.Configure(options => + { + options.XmlRepository = new RedisXmlRepository(databaseFactory, key); + }); + return builder; } } } \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs new file mode 100644 index 0000000000..d386352b73 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs 
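Review bot: Replacing `TryAddSingleton` with `builder.Services.Configure(...)` in `PersistKeysToRedisInternal` changes which registration wins. The removed call kept an earlier registration of the same service, while an options callback that assigns `options.XmlRepository` overwrites whatever an earlier callback set. If that is intended, it should be stated where maintainers will see it. The public `PersistKeysToRedis` overloads are outside this hunk, so a comment above the `Configure` call is the nearest place: `// Last PersistKeysTo* call wins: this assignment replaces any repository configured earlier.`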
@@ -0,0 +1,32 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; +using Microsoft.WindowsAzure.Storage.Blob; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.AzureStorage +{ + public class AzureDataProtectionBuilderExtensionsTest + { + [Fact] + public void PersistKeysToAzureBlobStorage_UsesAzureBlobXmlRepository() + { + // Arrange + var container = new CloudBlobContainer(new Uri("http://www.example.com")); + var serviceCollection = new ServiceCollection(); + var builder = serviceCollection.AddDataProtection(); + + // Act + builder.PersistKeysToAzureBlobStorage(container, "keys.xml"); + var services = serviceCollection.BuildServiceProvider(); + + // Assert + var options = services.GetRequiredService>(); + Assert.IsType(options.Value.XmlRepository); + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 8f86aafb2a..0c82d3e86b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -15,6 +15,7 @@ + diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs new file mode 100644 index 0000000000..a3d8f82e33 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs 
@@ -0,0 +1,32 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; +using Moq; +using StackExchange.Redis; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.Redis +{ + public class RedisDataProtectionBuilderExtensionsTest + { + [Fact] + public void PersistKeysToRedis_UsesRedisXmlRepository() + { + // Arrange + var connection = Mock.Of(); + var serviceCollection = new ServiceCollection(); + var builder = serviceCollection.AddDataProtection(); + + // Act + builder.PersistKeysToRedis(connection); + var services = serviceCollection.BuildServiceProvider(); + + // Assert + var options = services.GetRequiredService>(); + Assert.IsType(options.Value.XmlRepository); + } + } +} From ff3ff939c3429fbf4fa100f0f8fe88433454b5d8 Mon Sep 17 00:00:00 2001 From: John Luo Date: Wed, 5 Apr 2017 16:28:43 -0700 Subject: [PATCH 327/493] Update WindowsAzure.Storage version (#217) * Update WindowsAzure.Storage version * Remove target fallback --- build/dependencies.props | 2 +- .../Microsoft.AspNetCore.DataProtection.AzureStorage.csproj | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index f94b00d78b..da37719ca8 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -9,6 +9,6 @@ 2.0.0-* 15.0.0 2.2.0 - 7.2.1 + 8.1.1 \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index e017d060cc..1aa0031625 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -10,7 +10,6 @@ true true aspnetcore;dataprotection;azure;blob - $(PackageTargetFallback);portable-net45+win8+wp8+wpa81 From c959795a6461a9150fbabfd5c08486d05e363057 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Wed, 5 Apr 2017 21:00:39 -0700 Subject: [PATCH 328/493] Creating one IAuthenticatedEncryptor per IKey --- .../KeyManagement/DefaultKeyResolver.cs | 16 +---- .../KeyManagement/DeferredKey.cs | 12 +++- .../KeyManagement/IKey.cs | 7 ++ .../Internal/CacheableKeyRing.cs | 4 +- .../Internal/DefaultKeyResolution.cs | 4 +- .../KeyManagement/Key.cs | 16 ++++- .../KeyManagement/KeyBase.cs | 31 +++++++- .../KeyManagement/KeyRing.cs | 19 ++--- .../KeyManagement/KeyRingProvider.cs | 20 +----- .../KeyManagement/XmlKeyManager.cs | 9 ++- ...tedEncryptorDescriptorDeserializerTests.cs | 7 +- .../AuthenticatedEncryptorDescriptorTests.cs | 8 ++- ...tedEncryptorDescriptorDeserializerTests.cs | 7 +- ...tedEncryptorDescriptorDeserializerTests.cs | 7 +- ...tedEncryptorDescriptorDeserializerTests.cs | 8 +-- .../KeyManagement/DefaultKeyResolverTests.cs | 68 +++++++----------- .../KeyManagement/DeferredKeyTests.cs | 12 ++-- .../KeyRingBasedDataProtectorTests.cs | 26 +++---- .../KeyManagement/KeyRingProviderTests.cs | 1 + .../KeyManagement/KeyRingTests.cs | 72 +++++++------------ .../KeyManagement/KeyTests.cs | 7 +- 21 files changed, 180 insertions(+), 181 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs index c2efbf14bb..9c545c793f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs 
@@ -29,8 +29,6 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly ILogger _logger; - private readonly IEnumerable _encryptorFactories; - /// /// The maximum skew that is allowed between servers. /// This is used to allow newly-created keys to be used across servers even though @@ -46,7 +44,6 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { _keyPropagationWindow = keyManagementOptions.Value.KeyPropagationWindow; _maxServerToServerClockSkew = keyManagementOptions.Value.MaxServerClockSkew; - _encryptorFactories = keyManagementOptions.Value.AuthenticatedEncryptorFactories; _logger = loggerFactory.CreateLogger(); } @@ -54,16 +51,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { try { - IAuthenticatedEncryptor encryptorInstance = null; - foreach (var factory in _encryptorFactories) - { - encryptorInstance = factory.CreateEncryptorInstance(key); - if (encryptorInstance != null) - { - break; - } - } - + var encryptorInstance = key.CreateEncryptor(); if (encryptorInstance == null) { CryptoUtil.Fail("CreateEncryptorInstance returned null."); @@ -73,7 +61,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement } catch (Exception ex) { - _logger.KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(key.KeyId, nameof(IAuthenticatedEncryptorFactory.CreateEncryptorInstance), ex); + _logger.KeyIsIneligibleToBeTheDefaultKeyBecauseItsMethodFailed(key.KeyId, nameof(IKey.CreateEncryptor), ex); return false; } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs index 9afea8a92d..a21210aceb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs 
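Review bot: The failure message on the context line in the `@@ -54,16 +51,7 @@` hunk still reads `CryptoUtil.Fail("CreateEncryptorInstance returned null.");`, although the call is now `key.CreateEncryptor()` and the log call in the next hunk was updated to `nameof(IKey.CreateEncryptor)`. Anyone triaging a key that was rejected as default would see two different method names for the same failure. I would change it to `CryptoUtil.Fail("CreateEncryptor returned null.");`. The invariant comment above `Debug.Assert(defaultKey.CreateEncryptor() != null);` in KeyRingProvider.cs carries the same stale name. The enclosing method begins outside this hunk.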
@@ -2,7 +2,9 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Collections.Generic; using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.DataProtection.XmlEncryption; @@ -21,8 +23,14 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement DateTimeOffset activationDate, DateTimeOffset expirationDate, IInternalXmlKeyManager keyManager, - XElement keyElement) - : base(keyId, creationDate, activationDate, expirationDate, new Lazy(GetLazyDescriptorDelegate(keyManager, keyElement))) + XElement keyElement, + IEnumerable encryptorFactories) + : base(keyId, + creationDate, + activationDate, + expirationDate, + new Lazy(GetLazyDescriptorDelegate(keyManager, keyElement)), + encryptorFactories) { } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs index 0ac314449f..f590c01c1b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs @@ -49,5 +49,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// Gets the instance associated with this key. /// IAuthenticatedEncryptorDescriptor Descriptor { get; } + + /// + /// Creates an instance that can be used to encrypt data + /// to and decrypt data from this key. + /// + /// An . + IAuthenticatedEncryptor CreateEncryptor(); } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs index 36c9b00ac8..ff6fa87fce 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs 
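Review bot: The new doc comment on `IKey.CreateEncryptor()` in the `@@ -49,5 +49,12 @@` hunk says the method "Creates an instance", but the only implementation in this commit (`KeyBase.CreateEncryptor`) stores the first result and returns that same object on later calls. It also returns null when no registered factory accepts the key, which `DefaultKeyResolver` treats as a failure. The contract should say so, because callers that assume a fresh, non-null encryptor per call would be wrong on both counts. I would add a `<remarks>` stating that implementations may return a cached instance shared between callers, and extend `<returns>` to say the result is null when no configured factory can create an encryptor for the key. Adding a member to this public interface also breaks any external `IKey` implementation, which is worth a line in the commit description.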
+++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs @@ -15,8 +15,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal { private readonly CancellationToken _expirationToken; - internal CacheableKeyRing(CancellationToken expirationToken, DateTimeOffset expirationTime, IKey defaultKey, IEnumerable allKeys, IEnumerable encryptorFactories) - : this(expirationToken, expirationTime, keyRing: new KeyRing(defaultKey, allKeys, encryptorFactories)) + internal CacheableKeyRing(CancellationToken expirationToken, DateTimeOffset expirationTime, IKey defaultKey, IEnumerable allKeys) + : this(expirationToken, expirationTime, keyRing: new KeyRing(defaultKey, allKeys)) { } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs index 2d5b06d841..1c4170607b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs @@ -11,7 +11,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal /// The default key, may be null if no key is a good default candidate. /// /// - /// If this property is non-null, its method will succeed + /// If this property is non-null, its method will succeed /// so is appropriate for use with deferred keys. /// public IKey DefaultKey; @@ -22,7 +22,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal /// be null if there is no viable fallback key. /// /// - /// If this property is non-null, its method will succeed + /// If this property is non-null, its method will succeed /// so is appropriate for use with deferred keys. /// public IKey FallbackKey; 
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs index fd049a6695..84569a8e1b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Collections.Generic; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; @@ -13,8 +14,19 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// internal sealed class Key : KeyBase { - public Key(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, IAuthenticatedEncryptorDescriptor descriptor) - : base(keyId, creationDate, activationDate, expirationDate, new Lazy(() => descriptor)) + public Key( + Guid keyId, + DateTimeOffset creationDate, + DateTimeOffset activationDate, + DateTimeOffset expirationDate, + IAuthenticatedEncryptorDescriptor descriptor, + IEnumerable encryptorFactories) + : base(keyId, + creationDate, + activationDate, + expirationDate, + new Lazy(() => descriptor), + encryptorFactories) { } } diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs index cd14b5e209..005a6ea9d5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Collections.Generic; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; 
@@ -13,14 +14,24 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement internal abstract class KeyBase : IKey { private readonly Lazy _lazyDescriptor; + private readonly IEnumerable _encryptorFactories; - public KeyBase(Guid keyId, DateTimeOffset creationDate, DateTimeOffset activationDate, DateTimeOffset expirationDate, Lazy lazyDescriptor) + private IAuthenticatedEncryptor _encryptor; + + public KeyBase( + Guid keyId, + DateTimeOffset creationDate, + DateTimeOffset activationDate, + DateTimeOffset expirationDate, + Lazy lazyDescriptor, + IEnumerable encryptorFactories) { KeyId = keyId; CreationDate = creationDate; ActivationDate = activationDate; ExpirationDate = expirationDate; _lazyDescriptor = lazyDescriptor; + _encryptorFactories = encryptorFactories; } public DateTimeOffset ActivationDate { get; } @@ -41,6 +52,24 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement } } + public IAuthenticatedEncryptor CreateEncryptor() + { + if (_encryptor == null) + { + foreach (var factory in _encryptorFactories) + { + var encryptor = factory.CreateEncryptorInstance(this); + if (encryptor != null) + { + _encryptor = encryptor; + break; + } + } + } + + return _encryptor; + } + internal void SetRevoked() { IsRevoked = true; diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs index b8392d548e..2bbba031a6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs 
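Review bot: `KeyBase.CreateEncryptor()` in the `@@ -41,6 +52,24 @@` hunk fills `_encryptor` with an unsynchronised check-then-assign, so two threads that reach it together can each run the factories and build their own encryptor. That defeats the "one encryptor per key" goal of the commit and leaves an extra object holding derived key material until it is collected. `KeyHolder` takes its own lock, but `DefaultKeyResolver` and the `Debug.Assert` in `KeyRingProvider` call the method directly, so the key itself should publish the instance safely. Replacing `_encryptor = encryptor;` with `Interlocked.CompareExchange(ref _encryptor, encryptor, null);` (plus `using System.Threading;`) is enough, or the field could be a `Lazy<IAuthenticatedEncryptor>` in the same way as `_lazyDescriptor`. The constructor also stores `encryptorFactories` without a null check, so a null argument only surfaces later as a `NullReferenceException` in the `foreach`.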
@@ -17,12 +17,12 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly KeyHolder _defaultKeyHolder; private readonly Dictionary _keyIdToKeyHolderMap; - public KeyRing(IKey defaultKey, IEnumerable allKeys, IEnumerable encryptorFactories) + public KeyRing(IKey defaultKey, IEnumerable allKeys) { _keyIdToKeyHolderMap = new Dictionary(); foreach (IKey key in allKeys) { - _keyIdToKeyHolderMap.Add(key.KeyId, new KeyHolder(key, encryptorFactories)); + _keyIdToKeyHolderMap.Add(key.KeyId, new KeyHolder(key)); } // It's possible under some circumstances that the default key won't be part of 'allKeys', @@ -30,7 +30,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // wasn't in the underlying repository. In this case, we just add it now. if (!_keyIdToKeyHolderMap.ContainsKey(defaultKey.KeyId)) { - _keyIdToKeyHolderMap.Add(defaultKey.KeyId, new KeyHolder(defaultKey, encryptorFactories)); + _keyIdToKeyHolderMap.Add(defaultKey.KeyId, new KeyHolder(defaultKey)); } DefaultKeyId = defaultKey.KeyId; @@ -61,12 +61,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { private readonly IKey _key; private IAuthenticatedEncryptor _encryptor; - private readonly IEnumerable _encryptorFactories; - internal KeyHolder(IKey key, IEnumerable encryptorFactories) + internal KeyHolder(IKey key) { _key = key; - _encryptorFactories = encryptorFactories; } internal IAuthenticatedEncryptor GetEncryptorInstance(out bool isRevoked) @@ -81,14 +79,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement encryptor = Volatile.Read(ref _encryptor); if (encryptor == null) { - foreach (var factory in _encryptorFactories) - { - encryptor = factory.CreateEncryptorInstance(_key); - if (encryptor != null) - { - break; - } - } + encryptor = _key.CreateEncryptor(); Volatile.Write(ref _encryptor, encryptor); } } 
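Review bot: `KeyHolder` keeps its own `_encryptor` field, its lock and the `Volatile.Read`/`Volatile.Write` pair in the `@@ -81,14 +79,7 @@` hunk, even though `_key.CreateEncryptor()` now caches inside `KeyBase`. A reader cannot tell whether the second cache is deliberate. If it is kept because `IKey` is a public interface and other implementations need not cache, a comment above the call should say so, for example `// IKey implementations are not required to cache; keep a per-holder copy so the factories are not re-run on every call.`. Otherwise the field and the double-checked block can be dropped and `GetEncryptorInstance` can return `_key.CreateEncryptor()` directly. `GetEncryptorInstance` begins outside this hunk.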
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs index 7e953cbd5f..8b0b25e7a7 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs @@ -6,7 +6,6 @@ using System.Collections.Generic; using System.Diagnostics; using System.Threading; using Microsoft.AspNetCore.Cryptography; -using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; @@ -118,7 +117,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Debug.Assert(defaultKey != null); // Invariant: our caller ensures that CreateEncryptorInstance succeeded at least once - Debug.Assert(CreateEncryptorForKey(defaultKey) != null); + Debug.Assert(defaultKey.CreateEncryptor() != null); _logger.UsingKeyAsDefaultKey(defaultKey.KeyId); @@ -135,8 +134,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement expirationToken: cacheExpirationToken, expirationTime: (defaultKey.ExpirationDate <= now) ? nextAutoRefreshTime : Min(defaultKey.ExpirationDate, nextAutoRefreshTime), defaultKey: defaultKey, - allKeys: allKeys, - encryptorFactories: _keyManagementOptions.AuthenticatedEncryptorFactories); + allKeys: allKeys); } public IKeyRing GetCurrentKeyRing() 
@@ -236,20 +234,6 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement } } - private IAuthenticatedEncryptor CreateEncryptorForKey(IKey key) - { - foreach (var factory in _keyManagementOptions.AuthenticatedEncryptorFactories) - { - var encryptor = factory.CreateEncryptorInstance(key); - if (encryptor != null) - { - return encryptor; - } - } - - return null; - } - private static TimeSpan GetRefreshPeriodWithJitter(TimeSpan refreshPeriod) { // We'll fudge the refresh period up to -20% so that multiple applications don't try to diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs index b7b2911439..b68a997c63 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs @@ -12,6 +12,7 @@ using System.Xml; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.Cryptography.Cng; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.Cng; using Microsoft.AspNetCore.DataProtection.Internal; @@ -50,6 +51,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly IInternalXmlKeyManager _internalKeyManager; private readonly ILoggerFactory _loggerFactory; private readonly ILogger _logger; + private readonly IEnumerable _encryptorFactories; private CancellationTokenSource _cacheExpirationTokenSource; @@ -88,6 +90,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement _activator = activator; TriggerAndResetCacheExpirationToken(suppressLogging: true); _internalKeyManager = _internalKeyManager ?? this; + _encryptorFactories = keyManagementOptions.Value.AuthenticatedEncryptorFactories; } // Internal for testing. 
@@ -240,7 +243,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement activationDate: activationDate, expirationDate: expirationDate, keyManager: this, - keyElement: keyElement); + keyElement: keyElement, + encryptorFactories: _encryptorFactories); } catch (Exception ex) { @@ -400,7 +404,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement creationDate: creationDate, activationDate: activationDate, expirationDate: expirationDate, - descriptor: newDescriptor); + descriptor: newDescriptor, + encryptorFactories: _encryptorFactories); } IAuthenticatedEncryptorDescriptor IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs index 9264566756..e7ef5d69c7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs 
@@ -43,16 +43,17 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(AuthenticatedEncryptorDescriptor descriptor) { + var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); var key = new Key( Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now + TimeSpan.FromHours(1), DateTimeOffset.Now + TimeSpan.FromDays(30), - descriptor); + descriptor, + new[] { encryptorFactory }); - var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); - return encryptorFactory.CreateEncryptorInstance(key); + return key.CreateEncryptor(); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs index 54b977c845..0bed1de2e4 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs 
@@ -171,17 +171,19 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(AuthenticatedEncryptorDescriptor descriptor) { + var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); + // Dummy key with the specified descriptor. var key = new Key( Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now + TimeSpan.FromHours(1), DateTimeOffset.Now + TimeSpan.FromDays(30), - descriptor); + descriptor, + new[] { encryptorFactory }); - var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); - return encryptorFactory.CreateEncryptorInstance(key); + return key.CreateEncryptor(); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs index 51897e64e9..eb61aaa676 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs 
@@ -50,16 +50,17 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(CngCbcAuthenticatedEncryptorDescriptor descriptor) { + var encryptorFactory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); var key = new Key( Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now + TimeSpan.FromHours(1), DateTimeOffset.Now + TimeSpan.FromDays(30), - descriptor); + descriptor, + new[] { encryptorFactory }); - var encryptorFactory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); - return encryptorFactory.CreateEncryptorInstance(key); + return key.CreateEncryptor(); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs index 6adbdcc1d3..05845dfde0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs 
@@ -47,16 +47,17 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(CngGcmAuthenticatedEncryptorDescriptor descriptor) { + var encryptorFactory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); var key = new Key( keyId: Guid.NewGuid(), creationDate: DateTimeOffset.Now, activationDate: DateTimeOffset.Now + TimeSpan.FromHours(1), expirationDate: DateTimeOffset.Now + TimeSpan.FromDays(30), - descriptor: descriptor); + descriptor: descriptor, + encryptorFactories: new[] { encryptorFactory }); - var encryptorFactory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); - return encryptorFactory.CreateEncryptorInstance(key); + return key.CreateEncryptor(); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs index 9a5162cce1..69cc556e6b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs 
@@ -86,16 +86,16 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat private static IAuthenticatedEncryptor CreateEncryptorInstanceFromDescriptor(ManagedAuthenticatedEncryptorDescriptor descriptor) { + var encryptorFactory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); var key = new Key( Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now + TimeSpan.FromHours(1), DateTimeOffset.Now + TimeSpan.FromDays(30), - descriptor); + descriptor, + new[] { encryptorFactory }); - var encryptorFactory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); - - return encryptorFactory.CreateEncryptorInstance(key); + return key.CreateEncryptor(); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs index 9aeb5ea236..46e9b5f993 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs @@ -4,7 +4,6 @@ using System; using System.Collections.Generic; using System.Globalization; -using System.Linq; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging.Abstractions; @@ -20,7 +19,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_EmptyKeyRing_ReturnsNullDefaultKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); // Act var resolution = resolver.ResolveDefaultKeyPolicy(DateTimeOffset.Now, new IKey[0]); 
@@ -34,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_ReturnsExistingKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); @@ -50,7 +49,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_KeysStraddleSkewLine_ReturnsExistingKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); @@ -66,7 +65,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_AllKeysInFuture_ReturnsExistingKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z"); // Act @@ -81,7 +80,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_NoSuccessor_ReturnsExistingKey_SignalsGenerateNewKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); // Act 
@@ -96,7 +95,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_ValidExistingKey_NoLegitimateSuccessor_ReturnsExistingKey_SignalsGenerateNewKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z", isRevoked: true); var key3 = CreateKey("2016-03-01 00:00:00Z", "2016-03-02 00:00:00Z"); // key expires too soon @@ -113,7 +112,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_BecauseOfRevocation_ReturnsNull() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", isRevoked: true); @@ -130,8 +129,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); - var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z"); - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory(throwForKeys: key2)); + var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", createEncryptorThrows: true); + var resolver = CreateDefaultKeyResolver(); // Act var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1, key2); @@ -145,7 +144,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FutureKeyIsValidAndWithinClockSkew_ReturnsFutureKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); // Act 
@@ -160,7 +159,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FutureKeyIsValidButNotWithinClockSkew_ReturnsNull() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z"); // Act @@ -175,7 +174,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_IgnoresExpiredOrRevokedFutureKeys() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2015-03-01 00:00:00Z", "2014-03-01 00:00:00Z"); // expiration before activation should never occur var key2 = CreateKey("2015-03-01 00:01:00Z", "2015-04-01 00:00:00Z", isRevoked: true); var key3 = CreateKey("2015-03-01 00:02:00Z", "2015-04-01 00:00:00Z"); @@ -192,7 +191,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow_IgnoresRevokedKeys() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z"); var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z"); var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true); 
@@ -212,9 +211,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z"); var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z"); - var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z"); + var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", createEncryptorThrows: true); var key4 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z"); - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory(throwForKeys: key3)); + var resolver = CreateDefaultKeyResolver(); // Act var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3, key4); @@ -228,7 +227,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public void ResolveDefaultKeyPolicy_FallbackKey_NoNonRevokedKeysBeforePriorPropagationWindow_SelectsEarliestNonRevokedKey() { // Arrange - var resolver = CreateDefaultKeyResolver(new MyEncryptorFactory()); + var resolver = CreateDefaultKeyResolver(); var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true); var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z"); var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-05 00:00:00Z"); 
@@ -241,14 +240,13 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.True(resolution.ShouldGenerateNewKey); } - private static IDefaultKeyResolver CreateDefaultKeyResolver(IAuthenticatedEncryptorFactory encryptorFactory) + private static IDefaultKeyResolver CreateDefaultKeyResolver() { var options = Options.Create(new KeyManagementOptions()); - options.Value.AuthenticatedEncryptorFactories.Add(encryptorFactory); return new DefaultKeyResolver(options, NullLoggerFactory.Instance); } - private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false) + private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false, bool createEncryptorThrows = false) { var mockKey = new Mock(); mockKey.Setup(o => o.KeyId).Returns(Guid.NewGuid()); @@ -256,31 +254,17 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); + if (createEncryptorThrows) + { + mockKey.Setup(o => o.CreateEncryptor()).Throws(new Exception("This method fails.")); + } + else + { + mockKey.Setup(o => o.CreateEncryptor()).Returns(Mock.Of()); + } return mockKey.Object; } - - private class MyEncryptorFactory : IAuthenticatedEncryptorFactory - { - private IReadOnlyList _throwForKeys; - - public MyEncryptorFactory(params IKey[] throwForKeys) - { - _throwForKeys = throwForKeys; - } - - public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) - { - if (_throwForKeys.Contains(key)) - { - throw new Exception("This method fails."); - } - else - { - return new Mock().Object; - } - } - } } internal static class DefaultKeyResolverExtensions 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs index 90cf63c073..2a166564d0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs @@ -9,6 +9,7 @@ using Microsoft.AspNetCore.Testing; using Microsoft.Extensions.Options; using Moq; using Xunit; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { @@ -30,10 +31,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement XmlAssert.Equal(@"", element); return mockDescriptor; }); - var options = Options.Create(new KeyManagementOptions()); + var encryptorFactory = Mock.Of(); // Act - var key = new DeferredKey(keyId, creationDate, activationDate, expirationDate, mockInternalKeyManager.Object, XElement.Parse(@"")); + var key = new DeferredKey(keyId, creationDate, activationDate, expirationDate, mockInternalKeyManager.Object, XElement.Parse(@""), new[] { encryptorFactory }); // Assert Assert.Equal(keyId, key.KeyId); @@ -48,8 +49,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange var now = DateTimeOffset.UtcNow; - var options = Options.Create(new KeyManagementOptions()); - var key = new DeferredKey(Guid.Empty, now, now, now, new Mock().Object, XElement.Parse(@"")); + var encryptorFactory = Mock.Of(); + var key = new DeferredKey(Guid.Empty, now, now, now, new Mock().Object, XElement.Parse(@""), new[] { encryptorFactory }); // Act & assert Assert.False(key.IsRevoked); 
@@ -71,7 +72,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement }); var now = DateTimeOffset.UtcNow; - var key = new DeferredKey(Guid.Empty, now, now, now, mockKeyManager.Object, XElement.Parse(@"")); + var encryptorFactory = Mock.Of(); + var key = new DeferredKey(Guid.Empty, now, now, now, mockKeyManager.Object, XElement.Parse(@""), new[] { encryptorFactory }); // Act & assert ExceptionAssert.Throws(() => key.Descriptor, "How exceptional."); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs index 42b5153c5f..eb8d35fef0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs @@ -208,8 +208,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); // the keyring has only one key - Key key = new Key(Guid.Empty, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(key, new[] { key }, new[] { mockEncryptorFactory.Object }); + Key key = new Key(Guid.Empty, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object, new[] { mockEncryptorFactory.Object }); + var keyRing = new KeyRing(key, new[] { key }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); 
@@ -238,9 +238,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(new Mock().Object); // the keyring has only one key - Key key = new Key(keyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); + Key key = new Key(keyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object, new[] { mockEncryptorFactory.Object }); key.SetRevoked(); - var keyRing = new KeyRing(key, new[] { key }, new[] { mockEncryptorFactory.Object }); + var keyRing = new KeyRing(key, new[] { key }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); @@ -278,9 +278,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var mockEncryptorFactory = new Mock(); mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(mockEncryptor.Object); - Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); + Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object, new[] { mockEncryptorFactory.Object }); defaultKey.SetRevoked(); - var keyRing = new KeyRing(defaultKey, new[] { defaultKey }, new[] { mockEncryptorFactory.Object }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); 
@@ -326,8 +326,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var mockEncryptorFactory = new Mock(); mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(mockEncryptor.Object); - Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(defaultKey, new[] { defaultKey }, new[] { mockEncryptorFactory.Object }); + Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object, new[] { mockEncryptorFactory.Object }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); @@ -376,9 +376,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var mockEncryptorFactory = new Mock(); mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny())).Returns(mockEncryptor.Object); - Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new Mock().Object); - Key embeddedKey = new Key(embeddedKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object); - var keyRing = new KeyRing(defaultKey, new[] { defaultKey, embeddedKey }, new[] { mockEncryptorFactory.Object }); + Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new Mock().Object, new[] { mockEncryptorFactory.Object }); + Key embeddedKey = new Key(embeddedKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object, new[] { mockEncryptorFactory.Object }); + var keyRing = new KeyRing(defaultKey, new[] { defaultKey, embeddedKey }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); 
@@ -408,9 +408,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange byte[] plaintext = new byte[] { 0x10, 0x20, 0x30, 0x40, 0x50 }; - Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor()); var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); - var keyRing = new KeyRing(key, new[] { key }, new[] { encryptorFactory }); + Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor(), new[] { encryptorFactory }); + var keyRing = new KeyRing(key, new[] { key }); var mockKeyRingProvider = new Mock(); mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index 7337c779f1..5654943820 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -644,6 +644,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture)); mockKey.Setup(o => o.IsRevoked).Returns(isRevoked); mockKey.Setup(o => o.Descriptor).Returns(new Mock().Object); + mockKey.Setup(o => o.CreateEncryptor()).Returns(new Mock().Object); return mockKey.Object; } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs index 915b4704cc..4d137986fa 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs 
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs @@ -16,20 +16,19 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange var expectedEncryptorInstance = new Mock().Object; - var encryptorFactory = new MyEncryptorFactory(expectedEncryptorInstance); - var key1 = new MyKey(); + var key1 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance); var key2 = new MyKey(); // Act - var keyRing = new KeyRing(key1, new[] { key1, key2 }, new[] { encryptorFactory }); + var keyRing = new KeyRing(key1, new[] { key1, key2 }); // Assert - Assert.Equal(0, encryptorFactory.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance, keyRing.DefaultAuthenticatedEncryptor); - Assert.Equal(1, encryptorFactory.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance, keyRing.DefaultAuthenticatedEncryptor); - Assert.Equal(1, encryptorFactory.NumTimesCreateEncryptorInstanceCalled); // should've been cached + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); // should've been cached } [Fact] @@ -38,10 +37,9 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange var key1 = new MyKey(); var key2 = new MyKey(); - var encryptorFactory = new MyEncryptorFactory(); // Act - var keyRing = new KeyRing(key2, new[] { key1, key2 }, new[] { encryptorFactory }); + var keyRing = new KeyRing(key2, new[] { key1, key2 }); // Assert Assert.Equal(key2.KeyId, keyRing.DefaultKeyId); 
@@ -53,16 +51,15 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Arrange var key1 = new MyKey(); var key2 = new MyKey(); - var key3 = new MyKey(); - var encryptorFactory = new MyEncryptorFactory(expectedEncryptorInstance: new Mock().Object); + var key3 = new MyKey(expectedEncryptorInstance: new Mock().Object); // Act - var keyRing = new KeyRing(key3, new[] { key1, key2 }, new[] { encryptorFactory }); + var keyRing = new KeyRing(key3, new[] { key1, key2 }); // Assert bool unused; Assert.Equal(key3.KeyId, keyRing.DefaultKeyId); - Assert.Equal(encryptorFactory.CreateEncryptorInstance(key3), keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out unused)); + Assert.Equal(key3.CreateEncryptor(), keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out unused)); } [Fact] 
@@ -72,44 +69,46 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var expectedEncryptorInstance1 = new Mock().Object; var expectedEncryptorInstance2 = new Mock().Object; - var key1 = new MyKey(isRevoked: true); - var key2 = new MyKey(); + var key1 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance1, isRevoked: true); + var key2 = new MyKey(expectedEncryptorInstance: expectedEncryptorInstance2); - var encryptorFactory1 = new MyEncryptorFactory(expectedEncryptorInstance: expectedEncryptorInstance1, associatedKey: key1); - var encryptorFactory2 = new MyEncryptorFactory(expectedEncryptorInstance: expectedEncryptorInstance2, associatedKey: key2); // Act - var keyRing = new KeyRing(key2, new[] { key1, key2 }, new[] { encryptorFactory1, encryptorFactory2 }); + var keyRing = new KeyRing(key2, new[] { key1, key2 }); // Assert bool isRevoked; - Assert.Equal(0, encryptorFactory1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); Assert.True(isRevoked); - Assert.Equal(1, encryptorFactory1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); Assert.True(isRevoked); - Assert.Equal(1, encryptorFactory1.NumTimesCreateEncryptorInstanceCalled); - Assert.Equal(0, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(0, key2.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance2, keyRing.GetAuthenticatedEncryptorByKeyId(key2.KeyId, out isRevoked)); Assert.False(isRevoked); - Assert.Equal(1, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); 
Assert.Same(expectedEncryptorInstance2, keyRing.GetAuthenticatedEncryptorByKeyId(key2.KeyId, out isRevoked)); Assert.False(isRevoked); - Assert.Equal(1, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance2, keyRing.DefaultAuthenticatedEncryptor); - Assert.Equal(1, encryptorFactory2.NumTimesCreateEncryptorInstanceCalled); + Assert.Equal(1, key2.NumTimesCreateEncryptorInstanceCalled); } private sealed class MyKey : IKey { - public MyKey(bool isRevoked = false) + public int NumTimesCreateEncryptorInstanceCalled; + private readonly Func _encryptorFactory; + + public MyKey(bool isRevoked = false, IAuthenticatedEncryptor expectedEncryptorInstance = null) { CreationDate = DateTimeOffset.Now; ActivationDate = CreationDate + TimeSpan.FromHours(1); ExpirationDate = CreationDate + TimeSpan.FromDays(30); IsRevoked = isRevoked; KeyId = Guid.NewGuid(); + _encryptorFactory = () => expectedEncryptorInstance ?? new Mock().Object; } public DateTimeOffset ActivationDate { get; } 
@@ -118,30 +117,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public bool IsRevoked { get; } public Guid KeyId { get; } public IAuthenticatedEncryptorDescriptor Descriptor => throw new NotImplementedException(); - } - private sealed class MyEncryptorFactory : IAuthenticatedEncryptorFactory - { - public int NumTimesCreateEncryptorInstanceCalled; - private IAuthenticatedEncryptor _expectedEncryptorInstance; - private IKey _associatedKey; - - public MyEncryptorFactory(IAuthenticatedEncryptor expectedEncryptorInstance = null, IKey associatedKey = null) + public IAuthenticatedEncryptor CreateEncryptor() { - _expectedEncryptorInstance = expectedEncryptorInstance; - _associatedKey = associatedKey; - } - - public IAuthenticatedEncryptor CreateEncryptorInstance(IKey key) - { - if (_associatedKey != null && key != _associatedKey) - { - return null; - } - NumTimesCreateEncryptorInstanceCalled++; - - return _expectedEncryptorInstance ?? new Mock().Object; + return _encryptorFactory(); } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs index 5a2053737e..6aa691723d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs @@ -5,6 +5,7 @@ using System; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Moq; using Xunit; +using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; namespace Microsoft.AspNetCore.DataProtection.KeyManagement { 
@@ -19,9 +20,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var activationDate = creationDate.AddDays(2); var expirationDate = creationDate.AddDays(90); var descriptor = Mock.Of(); + var encryptorFactory = Mock.Of(); // Act - var key = new Key(keyId, creationDate, activationDate, expirationDate, descriptor); + var key = new Key(keyId, creationDate, activationDate, expirationDate, descriptor, new[] { encryptorFactory }); // Assert Assert.Equal(keyId, key.KeyId); @@ -36,7 +38,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { // Arrange var now = DateTimeOffset.UtcNow; - var key = new Key(Guid.Empty, now, now, now, new Mock().Object); + var encryptorFactory = Mock.Of(); + var key = new Key(Guid.Empty, now, now, now, new Mock().Object, new[] { encryptorFactory }); // Act & assert Assert.False(key.IsRevoked); From edd7386aa8f658a7aa4c11ec6a851f72fe93bd9e Mon Sep 17 00:00:00 2001 From: Smit Patel Date: Mon, 24 Apr 2017 16:44:16 -0700 Subject: [PATCH 329/493] Update API Check related files React to aspnet/BuildTools#238 --- .../{baseline.net45.json => baseline.netframework.json} | 0 .../{baseline.net45.json => baseline.netframework.json} | 0 .../{baseline.net45.json => baseline.netframework.json} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename src/Microsoft.AspNetCore.Cryptography.Internal/{baseline.net45.json => baseline.netframework.json} (100%) rename src/Microsoft.AspNetCore.DataProtection.Extensions/{baseline.net45.json => baseline.netframework.json} (100%) rename src/Microsoft.AspNetCore.DataProtection.SystemWeb/{baseline.net45.json => baseline.netframework.json} (100%) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.net45.json b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netframework.json similarity index 100% rename from src/Microsoft.AspNetCore.Cryptography.Internal/baseline.net45.json rename to src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netframework.json 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netframework.json similarity index 100% rename from src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.net45.json rename to src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netframework.json diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json similarity index 100% rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.net45.json rename to src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json From 5fe4807c1e169420881b7fcc5184e66fe47e2014 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 25 Apr 2017 11:04:07 -0700 Subject: [PATCH 330/493] Use Bundled NETStandard.Library \ NETCoreApp versions instead of explicitly specifying one --- build/common.props | 2 +- build/dependencies.props | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/build/common.props b/build/common.props index 87205db500..7449c51fe1 100644 --- a/build/common.props +++ b/build/common.props @@ -17,7 +17,7 @@ - + diff --git a/build/dependencies.props b/build/dependencies.props index da37719ca8..ecd4333d46 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -4,11 +4,9 @@ 4.3.0 2.0.0-* 4.7.1 - 1.6.1 1.1.605 - 2.0.0-* 15.0.0 2.2.0 8.1.1 - \ No newline at end of file + From 4dad47eeab6be84c70d431a21fdc4d152ca332ea Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Tue, 25 Apr 2017 14:29:26 -0700 Subject: [PATCH 331/493] Ignore assembly version when activating DataProtection types from string name (#223) --- ...oft.AspNetCore.DataProtection.Redis.csproj | 4 +- ...taProtectionServiceCollectionExtensions.cs | 2 +- .../RC1ForwardingActivator.cs | 42 ----- .../TypeForwardingActivator.cs | 73 ++++++++ .../RC1ForwardingActivatorTests.cs | 49 ----- .../TypeForwardingActivatorTests.cs | 177 ++++++++++++++++++ 6 files changed, 253 insertions(+), 94 deletions(-) delete mode 100644 src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs delete mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index e305facf8d..65b0d5c216 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -3,8 +3,8 @@ - Redis storrage support as key store. - 0.1.0 + Redis storage support as key store. + 0.3.0 net46;netstandard1.5 $(NoWarn);CS1591 true diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 4cde160961..5a64d5e44f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs 
@@ -30,7 +30,7 @@ namespace Microsoft.Extensions.DependencyInjection throw new ArgumentNullException(nameof(services)); } - services.AddSingleton(); + services.TryAddSingleton(); services.AddOptions(); AddDataProtectionServices(services); diff --git a/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs b/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs deleted file mode 100644 index 9d76aaac49..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/RC1ForwardingActivator.cs +++ /dev/null 
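Review bot: Switching to `TryAddSingleton` makes this registration order-dependent: whatever was registered for the same service type before `AddDataProtection()` ran now silently stays in place. The type arguments are not visible on this page, but the rest of the commit suggests this is the activator that creates instances from type names, so a replacement decides which types get loaded. The method body starts and ends outside the hunk. I would add a comment at the call such as `// TryAdd: an activator registered earlier by the app wins; it is then responsible for validating type names` so the override point is deliberate and documented.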
@@ -1,42 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.Extensions.Logging; - -namespace Microsoft.AspNetCore.DataProtection -{ - internal class RC1ForwardingActivator: SimpleActivator - { - private const string From = "Microsoft.AspNet.DataProtection"; - private const string To = "Microsoft.AspNetCore.DataProtection"; - private readonly ILogger _logger; - - public RC1ForwardingActivator(IServiceProvider services) : this(services, DataProtectionProviderFactory.GetDefaultLoggerFactory()) - { - } - - public RC1ForwardingActivator(IServiceProvider services, ILoggerFactory loggerFactory) : base(services) - { - _logger = loggerFactory.CreateLogger(typeof(RC1ForwardingActivator)); - } - - public override object CreateInstance(Type expectedBaseType, string implementationTypeName) - { - if (implementationTypeName.Contains(From)) - { - var forwardedImplementationTypeName = implementationTypeName.Replace(From, To); - var type = Type.GetType(forwardedImplementationTypeName, false); - if (type != null) - { - _logger.LogDebug("Forwarded activator type request from {FromType} to {ToType}", - implementationTypeName, - forwardedImplementationTypeName); - - implementationTypeName = forwardedImplementationTypeName; - } - } - return base.CreateInstance(expectedBaseType, implementationTypeName); - } - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs b/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs new file mode 100644 index 0000000000..3865adbf37 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs 
@@ -0,0 +1,73 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Text.RegularExpressions; +using Microsoft.Extensions.Logging; + +namespace Microsoft.AspNetCore.DataProtection +{ + internal class TypeForwardingActivator : SimpleActivator + { + private const string OldNamespace = "Microsoft.AspNet.DataProtection"; + private const string CurrentNamespace = "Microsoft.AspNetCore.DataProtection"; + private readonly ILogger _logger; + private static readonly Regex _versionPattern = new Regex(@",\s?Version=(\d+\.?)(\d+\.?)?(\d+\.?)?(\d+\.?)?", RegexOptions.Compiled, TimeSpan.FromSeconds(2)); + + public TypeForwardingActivator(IServiceProvider services) + : this(services, DataProtectionProviderFactory.GetDefaultLoggerFactory()) + { + } + + public TypeForwardingActivator(IServiceProvider services, ILoggerFactory loggerFactory) + : base(services) + { + _logger = loggerFactory.CreateLogger(typeof(TypeForwardingActivator)); + } + + public override object CreateInstance(Type expectedBaseType, string originalTypeName) + => CreateInstance(expectedBaseType, originalTypeName, out var _); + + // for testing + internal object CreateInstance(Type expectedBaseType, string originalTypeName, out bool forwarded) + { + var forwardedTypeName = originalTypeName; + var candidate = false; + if (originalTypeName.Contains(OldNamespace)) + { + candidate = true; + forwardedTypeName = originalTypeName.Replace(OldNamespace, CurrentNamespace); + } + +#if NET46 + if (candidate || forwardedTypeName.Contains(CurrentNamespace)) + { + candidate = true; + forwardedTypeName = RemoveVersionFromAssemblyName(forwardedTypeName); + } +#elif NETSTANDARD1_3 +#else +#error Target framework needs to be updated +#endif + + if (candidate) + { + var type = Type.GetType(forwardedTypeName, false); + if (type != null) + { + _logger.LogDebug("Forwarded activator type 
request from {FromType} to {ToType}", + originalTypeName, + forwardedTypeName); + forwarded = true; + return base.CreateInstance(expectedBaseType, forwardedTypeName); + } + } + + forwarded = false; + return base.CreateInstance(expectedBaseType, originalTypeName); + } + + protected string RemoveVersionFromAssemblyName(string forwardedTypeName) + => _versionPattern.Replace(forwardedTypeName, ""); + } +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs deleted file mode 100644 index d0f01533b7..0000000000 --- a/test/Microsoft.AspNetCore.DataProtection.Test/RC1ForwardingActivatorTests.cs +++ /dev/null 
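Review bot: The candidate test in `CreateInstance` is a substring match (`originalTypeName.Contains(OldNamespace)`, and `forwardedTypeName.Contains(CurrentNamespace)` under NET46). Any assembly-qualified name that merely mentions the namespace, whether in a generic argument, in the assembly part or as the tail of a longer namespace, is therefore rewritten and has every `, Version=…` removed before `Type.GetType`. Dropping the version means the lookup is no longer tied to the assembly build recorded with the name, and the only remaining constraint appears to be the `expectedBaseType` check in `SimpleActivator`, which is outside this hunk. If these names come from persisted key XML, as the commit title suggests, I would state the trust assumption on the class, e.g. `// Type names passed here must come from a trusted key repository; the lookup below is version-insensitive by design.` It is also worth considering a match on the type-name prefix only, if the generic-argument cases in the tests still pass. Separately, the 2-second regex timeout can surface as a `RegexMatchTimeoutException` from `CreateInstance`, which nothing here catches or documents.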
@@ -1,49 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.Extensions.DependencyInjection; -using Xunit; - -namespace Microsoft.AspNetCore.DataProtection -{ - public class RC1ForwardingActivatorTests - { - [Fact] - public void CreateInstance_ForwardsToNewNamespaceIfExists() - { - // Arrange - var serviceCollection = new ServiceCollection(); - serviceCollection.AddDataProtection(); - var services = serviceCollection.BuildServiceProvider(); - var activator = services.GetActivator(); - - // Act - var name = "Microsoft.AspNet.DataProtection.RC1ForwardingActivatorTests+ClassWithParameterlessCtor, Microsoft.AspNet.DataProtection.Test"; - var instance = activator.CreateInstance(name); - - // Assert - Assert.IsType(instance); - } - - [Fact] - public void CreateInstance_DoesNotForwardIfClassDoesNotExist() - { - // Arrange - var serviceCollection = new ServiceCollection(); - serviceCollection.AddDataProtection(); - var services = serviceCollection.BuildServiceProvider(); - var activator = services.GetActivator(); - - // Act & Assert - var name = "Microsoft.AspNet.DataProtection.RC1ForwardingActivatorTests+NonExistentClassWithParameterlessCtor, Microsoft.AspNet.DataProtection.Test"; - var exception = Assert.ThrowsAny(()=> activator.CreateInstance(name)); - - Assert.Contains("Microsoft.AspNet.DataProtection.Test", exception.Message); - } - - private class ClassWithParameterlessCtor - { - } - } -} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs new file mode 100644 index 0000000000..1d8e02d80a --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs 
@@ -0,0 +1,177 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.Reflection; +using Microsoft.Extensions.DependencyInjection; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection +{ + public class TypeForwardingActivatorTests : MarshalByRefObject + { + [Fact] + public void CreateInstance_ForwardsToNewNamespaceIfExists() + { + // Arrange + var serviceCollection = new ServiceCollection(); + serviceCollection.AddDataProtection(); + var services = serviceCollection.BuildServiceProvider(); + var activator = services.GetActivator(); + + // Act + var name = "Microsoft.AspNet.DataProtection.TypeForwardingActivatorTests+ClassWithParameterlessCtor, Microsoft.AspNet.DataProtection.Test, Version=1.0.0.0"; + var instance = activator.CreateInstance(name); + + // Assert + Assert.IsType(instance); + } + + [Fact] + public void CreateInstance_DoesNotForwardIfClassDoesNotExist() + { + // Arrange + var serviceCollection = new ServiceCollection(); + serviceCollection.AddDataProtection(); + var services = serviceCollection.BuildServiceProvider(); + var activator = services.GetActivator(); + + // Act & Assert + var name = "Microsoft.AspNet.DataProtection.TypeForwardingActivatorTests+NonExistentClassWithParameterlessCtor, Microsoft.AspNet.DataProtection.Test"; + var exception = Assert.ThrowsAny(() => activator.CreateInstance(name)); + + Assert.Contains("Microsoft.AspNet.DataProtection.Test", exception.Message); + } + + [Theory] + [InlineData(typeof(GenericType>))] + [InlineData(typeof(GenericType))] + [InlineData(typeof(GenericType>))] + [InlineData(typeof(GenericType>))] + [InlineData(typeof(GenericType))] + [InlineData(typeof(GenericType))] + [InlineData(typeof(List))] + public void CreateInstance_Generics(Type type) + { + // Arrange + var activator = new TypeForwardingActivator(null); + var 
name = type.AssemblyQualifiedName; + + // Act & Assert + Assert.IsType(type, activator.CreateInstance(name)); + } + + [Theory] + [InlineData(typeof(GenericType<>))] + [InlineData(typeof(GenericType<,>))] + public void CreateInstance_ThrowsForOpenGenerics(Type type) + { + // Arrange + var activator = new TypeForwardingActivator(null); + var name = type.AssemblyQualifiedName; + + // Act & Assert + Assert.Throws(() => activator.CreateInstance(name)); + } + + [Theory] + [InlineData( + "System.Tuple`1[[Some.Type, Microsoft.AspNetCore.DataProtection, Version=1.0.0.0, Culture=neutral]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", + "System.Tuple`1[[Some.Type, Microsoft.AspNetCore.DataProtection, Culture=neutral]], mscorlib, Culture=neutral, PublicKeyToken=b77a5c561934e089")] + [InlineData( + "Some.Type`1[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], Microsoft.AspNetCore.DataProtection, Version=1.0.0.0, Culture=neutral", + "Some.Type`1[[System.Int32, mscorlib, Culture=neutral, PublicKeyToken=b77a5c561934e089]], Microsoft.AspNetCore.DataProtection, Culture=neutral")] + [InlineData( + "System.Tuple`1[[System.Tuple`1[[Some.Type, Microsoft.AspNetCore.DataProtection, Version=1.0.0.0, Culture=neutral]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", + "System.Tuple`1[[System.Tuple`1[[Some.Type, Microsoft.AspNetCore.DataProtection, Culture=neutral]], mscorlib, Culture=neutral, PublicKeyToken=b77a5c561934e089]], mscorlib, Culture=neutral, PublicKeyToken=b77a5c561934e089")] + public void ParsesFullyQualifiedTypeName(string typeName, string expected) + { + Assert.Equal(expected, new MockTypeForwardingActivator().Parse(typeName)); + } + + [Theory] + [InlineData(typeof(List))] + [InlineData(typeof(FactAttribute))] + public void CreateInstance_DoesNotForwardingTypesExternalTypes(Type type) + { + 
new TypeForwardingActivator(null).CreateInstance(typeof(object), type.AssemblyQualifiedName, out var forwarded); + Assert.False(forwarded, "Should not have forwarded types that are not in Microsoft.AspNetCore.DataProjection"); + } + + [Theory] + [MemberData(nameof(AssemblyVersions))] + public void CreateInstance_ForwardsAcrossVersionChanges(Version version) + { +#if NET46 + // run this test in an appdomain without testhost's custom assembly resolution hooks + var setupInfo = new AppDomainSetup + { + ApplicationBase = AppDomain.CurrentDomain.BaseDirectory + }; + var domain = AppDomain.CreateDomain("TestDomain", null, setupInfo); + var wrappedTestClass = (TypeForwardingActivatorTests)domain.CreateInstanceAndUnwrap(GetType().Assembly.FullName, typeof(TypeForwardingActivatorTests).FullName); + wrappedTestClass.CreateInstance_ForwardsAcrossVersionChangesImpl(version); +#elif NETCOREAPP2_0 + CreateInstance_ForwardsAcrossVersionChangesImpl(version); +#else +#error Target framework should be updated +#endif + } + + private void CreateInstance_ForwardsAcrossVersionChangesImpl(Version newVersion) + { + var activator = new TypeForwardingActivator(null); + + var typeInfo = typeof(ClassWithParameterlessCtor).GetTypeInfo(); + var typeName = typeInfo.FullName; + var assemblyName = typeInfo.Assembly.GetName(); + + assemblyName.Version = newVersion; + var newName = $"{typeName}, {assemblyName}"; + + Assert.NotEqual(typeInfo.AssemblyQualifiedName, newName); + Assert.IsType(activator.CreateInstance(typeof(object), newName, out var forwarded)); +#if NET46 + Assert.True(forwarded, "Should have forwarded this type to new version or namespace"); +#elif NETCOREAPP2_0 + Assert.False(forwarded, "Should not have forwarded this type to new version or namespace"); +#else +#error Target framework should be updated +#endif + } + + public static TheoryData AssemblyVersions + { + get + { + var current = typeof(ActivatorTests).Assembly.GetName().Version; + return new TheoryData + { + new 
Version(Math.Max(0, current.Major - 1), 0, 0, 0), + new Version(current.Major + 1, 0, 0, 0), + new Version(current.Major, current.Minor + 1, 0, 0), + new Version(current.Major, current.Minor, current.Revision + 1, 0), + }; + } + } + + private class MockTypeForwardingActivator : TypeForwardingActivator + { + public MockTypeForwardingActivator() : base(null) { } + public string Parse(string typeName) => RemoveVersionFromAssemblyName(typeName); + } + + private class ClassWithParameterlessCtor + { + } + + private class GenericType + { + } + + private class GenericType + { + } + } +} \ No newline at end of file From 3489d027208646916ad67f906c8d8ed226f90280 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 25 Apr 2017 22:01:28 -0700 Subject: [PATCH 332/493] Branching for 2.0.0-preview1 --- NuGet.config | 2 +- build.ps1 | 2 +- build.sh | 2 +- build/dependencies.props | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NuGet.config b/NuGet.config index 8e65695611..fa4304af9c 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,7 +1,7 @@ - + diff --git a/build.ps1 b/build.ps1 index 5bf0e2c113..225b1fe450 100644 --- a/build.ps1 +++ b/build.ps1 @@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0-preview1.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index b0bcadb579..702b25c636 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0-preview1.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi diff --git a/build/dependencies.props b/build/dependencies.props index ecd4333d46..5890be654b 100644 
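Review bot: The new `$koreBuildZip` value in build.ps1 (and the matching line in the build.sh hunk that follows) still points at a branch archive, `rel/2.0.0-preview1.zip`, so the downloaded build tooling can change without any commit in this repository, and nothing in the hunk checks what was fetched. Pinning to an immutable ref, for example `$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/<commit-sha>.zip"` (placeholder, not a real id), and comparing the archive's SHA-256 with a value committed here before it is expanded would make the bootstrap reproducible. The `KOREBUILD_ZIP` override visible below the changed line replaces the URL outright, so it deserves a comment such as `# KOREBUILD_ZIP replaces the pinned source; set it only on trusted build agents`. The download and extraction code is outside the hunk, so whether a later integrity check exists cannot be seen from here.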
--- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,6 +1,6 @@ - 2.0.0-* + 2.0.0-preview1-* 4.3.0 2.0.0-* 4.7.1 From febaba836745213b0b0011881a0c820ac38e973c Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 26 Apr 2017 07:12:42 -0700 Subject: [PATCH 333/493] Updating package version to preview2 --- version.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.props b/version.props index c7150e64f4..6af4f81de2 100644 --- a/version.props +++ b/version.props @@ -2,6 +2,6 @@ 2.0.0 - preview1 + preview2 From e70ee8ab6e7c97586069e9fa1af3528d26fbdaee Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 1 May 2017 12:39:07 -0700 Subject: [PATCH 334/493] Use the bundled NETStandard.Library package in netstandard targeting libraries --- build/dependencies.props | 1 + 1 file changed, 1 insertion(+) diff --git a/build/dependencies.props b/build/dependencies.props index 5890be654b..5da0ff1fed 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -4,6 +4,7 @@ 4.3.0 2.0.0-* 4.7.1 + $(BundledNETStandardPackageVersion) 1.1.605 15.0.0 2.2.0 From 53caf55116ddb2f74021254b1d73eb5af16b2fc3 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Mon, 1 May 2017 16:25:44 -0700 Subject: [PATCH 335/493] Remove unnecessary null check. Resolves #210 --- .../KeyManagement/KeyRingBasedDataProtector.cs | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs index d866ed6e3a..e0157e66fe 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs 
@@ -96,12 +96,6 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement throw new ArgumentNullException(nameof(plaintext)); } - // argument & state checking - if (plaintext == null) - { - throw new ArgumentNullException(nameof(plaintext)); - } - try { // Perform the encryption operation using the current default encryptor. From 1e639aca4991efe5eb15b85e63262431e4402e79 Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Fri, 5 May 2017 10:20:05 -0700 Subject: [PATCH 336/493] Update InternalAspNetCoreSdkVersion --- build/dependencies.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/dependencies.props b/build/dependencies.props index 5da0ff1fed..b1105be960 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -2,7 +2,7 @@ 2.0.0-preview1-* 4.3.0 - 2.0.0-* + 2.1.0-* 4.7.1 $(BundledNETStandardPackageVersion) 1.1.605 From 3a7022fdcdcc19f5fd782d331266aab2c66f152a Mon Sep 17 00:00:00 2001 From: "Chris Ross (ASP.NET)" Date: Fri, 5 May 2017 15:41:16 -0700 Subject: [PATCH 337/493] Remove IHostingEnvironment dependency --- .../DataProtectionUtilityExtensions.cs | 5 ----- .../Microsoft.AspNetCore.DataProtection.csproj | 2 +- .../DataProtectionUtilityExtensionsTests.cs | 14 ++++---------- 3 files changed, 5 insertions(+), 16 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs index 0b72c11864..04152f3ed6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs @@ -4,7 +4,6 @@ using System; using System.ComponentModel; using Microsoft.AspNetCore.DataProtection.Infrastructure; -using Microsoft.AspNetCore.Hosting; using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection 
@@ -37,10 +36,6 @@ namespace Microsoft.AspNetCore.DataProtection if (services != null) { discriminator = services.GetService()?.Discriminator; - if (discriminator == null) - { - discriminator = services.GetService()?.ContentRootPath; - } } // Remove whitespace and homogenize empty -> null diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index ccf9d95f42..79a93e283b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -19,7 +19,6 @@ - @@ -33,6 +32,7 @@ + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs index 8e2cbd71d9..f1b2f508da 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs @@ -3,7 +3,6 @@ using System; using Microsoft.AspNetCore.DataProtection.Infrastructure; -using Microsoft.AspNetCore.Hosting; using Moq; using Xunit; 
@@ -12,21 +11,16 @@ namespace Microsoft.AspNetCore.DataProtection public class DataProtectionUtilityExtensionsTests { [Theory] - [InlineData(" discriminator", "app-path ", "discriminator")] // normalized trim - [InlineData("", "app-path", null)] // app discriminator not null -> overrides app base path - [InlineData(null, "app-path ", "app-path")] // normalized trim - [InlineData(null, " ", null)] // normalized whitespace -> null - [InlineData(null, null, null)] // nothing provided at all - public void GetApplicationUniqueIdentifier(string appDiscriminator, string appBasePath, string expected) + [InlineData(" discriminator", "discriminator")] // normalized trim + [InlineData("", null)] // app discriminator not null -> overrides app base path + [InlineData(null, null)] // nothing provided at all + public void GetApplicationUniqueIdentifier(string appDiscriminator, string expected) { // Arrange var mockAppDiscriminator = new Mock(); mockAppDiscriminator.Setup(o => o.Discriminator).Returns(appDiscriminator); - var mockEnvironment = new Mock(); - mockEnvironment.Setup(o => o.ContentRootPath).Returns(appBasePath); var mockServiceProvider = new Mock(); mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationDiscriminator))).Returns(mockAppDiscriminator.Object); - mockServiceProvider.Setup(o => o.GetService(typeof(IHostingEnvironment))).Returns(mockEnvironment.Object); // Act string actual = mockServiceProvider.Object.GetApplicationUniqueIdentifier(); From 129edaec7c4c1bc6a6291aac98e8282d52bde979 Mon Sep 17 00:00:00 2001 From: Chris R Date: Fri, 5 May 2017 17:03:33 -0700 Subject: [PATCH 338/493] Remove IHostingEnvironment dependency (#230) --- .../DataProtectionUtilityExtensions.cs | 5 ----- .../Microsoft.AspNetCore.DataProtection.csproj | 2 +- .../DataProtectionUtilityExtensionsTests.cs | 14 ++++---------- 3 files changed, 5 insertions(+), 16 deletions(-) 
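Review bot: The row `[InlineData("", null)]` keeps the comment `// app discriminator not null -> overrides app base path`, which no longer describes anything now that the `appBasePath` parameter and the `IHostingEnvironment` mock are gone; `// empty discriminator -> null` would match the new behaviour. The whitespace-only case was dropped together with the app-path rows, although the production method still trims and maps empty to null according to its `// Remove whitespace and homogenize empty -> null` comment, so `[InlineData(" ", null)] // whitespace-only discriminator -> null` should be added. With the content-root fallback removed, an application that registers no `IApplicationDiscriminator` now gets a null identifier; if that identifier is what separates applications sharing one key repository (an inference from its name), the change deserves an explicit mention in the release notes. The same hunk appears again in the next patch (338/493), and the test body continues past the end of the hunk.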
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs index 0b72c11864..04152f3ed6 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs @@ -4,7 +4,6 @@ using System; using System.ComponentModel; using Microsoft.AspNetCore.DataProtection.Infrastructure; -using Microsoft.AspNetCore.Hosting; using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection @@ -37,10 +36,6 @@ namespace Microsoft.AspNetCore.DataProtection if (services != null) { discriminator = services.GetService()?.Discriminator; - if (discriminator == null) - { - discriminator = services.GetService()?.ContentRootPath; - } } // Remove whitespace and homogenize empty -> null diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index ccf9d95f42..79a93e283b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -19,7 +19,6 @@ - @@ -33,6 +32,7 @@ + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs index 8e2cbd71d9..f1b2f508da 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs @@ -3,7 +3,6 @@ using System; using Microsoft.AspNetCore.DataProtection.Infrastructure; -using Microsoft.AspNetCore.Hosting; using Moq; using Xunit; 
@@ -12,21 +11,16 @@ namespace Microsoft.AspNetCore.DataProtection public class DataProtectionUtilityExtensionsTests { [Theory] - [InlineData(" discriminator", "app-path ", "discriminator")] // normalized trim - [InlineData("", "app-path", null)] // app discriminator not null -> overrides app base path - [InlineData(null, "app-path ", "app-path")] // normalized trim - [InlineData(null, " ", null)] // normalized whitespace -> null - [InlineData(null, null, null)] // nothing provided at all - public void GetApplicationUniqueIdentifier(string appDiscriminator, string appBasePath, string expected) + [InlineData(" discriminator", "discriminator")] // normalized trim + [InlineData("", null)] // app discriminator not null -> overrides app base path + [InlineData(null, null)] // nothing provided at all + public void GetApplicationUniqueIdentifier(string appDiscriminator, string expected) { // Arrange var mockAppDiscriminator = new Mock(); mockAppDiscriminator.Setup(o => o.Discriminator).Returns(appDiscriminator); - var mockEnvironment = new Mock(); - mockEnvironment.Setup(o => o.ContentRootPath).Returns(appBasePath); var mockServiceProvider = new Mock(); mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationDiscriminator))).Returns(mockAppDiscriminator.Object); - mockServiceProvider.Setup(o => o.GetService(typeof(IHostingEnvironment))).Returns(mockEnvironment.Object); // Act string actual = mockServiceProvider.Object.GetApplicationUniqueIdentifier(); From 47ee65f318638a51ff15362dace56696e2349cd1 Mon Sep 17 00:00:00 2001 From: Mike Harder Date: Mon, 8 May 2017 13:04:25 -0700 Subject: [PATCH 339/493] Upgrade StackExchange.Redis.StrongName to version 1.2.3 (#231) - Addresses package downgrade warnings (https://github.com/aspnet/DataProtection/issues/227) --- .travis.yml | 1 + appveyor.yml | 1 + build/dependencies.props | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 2a46104677..27c93bcd6f 100644 --- a/.travis.yml 
+++ b/.travis.yml @@ -16,6 +16,7 @@ branches: - release - dev - /^(.*\/)?ci-.*$/ + - /^rel\/.*/ before_install: - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/; fi script: diff --git a/appveyor.yml b/appveyor.yml index 1041615c68..04dfabcb0b 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -6,6 +6,7 @@ branches: - release - dev - /^(.*\/)?ci-.*$/ + - /^rel\/.*/ build_script: - ps: .\build.ps1 clone_depth: 1 diff --git a/build/dependencies.props b/build/dependencies.props index b1105be960..67534cec24 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -5,7 +5,7 @@ 2.1.0-* 4.7.1 $(BundledNETStandardPackageVersion) - 1.1.605 + 1.2.3 15.0.0 2.2.0 8.1.1 From f70e17c138b2a63a8530f268b6ae227dd0ef87d0 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Mon, 15 May 2017 16:02:04 -0700 Subject: [PATCH 340/493] Upgrade test framework versions --- build/dependencies.props | 4 ++-- .../Microsoft.AspNetCore.Cryptography.Internal.Test.csproj | 4 ---- ...icrosoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj | 4 ---- ...crosoft.AspNetCore.DataProtection.Abstractions.Test.csproj | 4 ---- ...crosoft.AspNetCore.DataProtection.AzureStorage.Test.csproj | 4 ---- ...Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj | 4 ---- .../Microsoft.AspNetCore.DataProtection.Redis.Test.csproj | 4 ---- .../Microsoft.AspNetCore.DataProtection.Test.csproj | 4 ---- 8 files changed, 2 insertions(+), 30 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 457821c88c..11c37b70e3 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -6,8 +6,8 @@ 4.7.1 $(BundledNETStandardPackageVersion) 1.2.3 - 15.0.0 - 2.2.0 + 15.3.0-* + 2.3.0-beta2-* 8.1.1 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 6e44f5d7c3..846a77a978 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -20,8 +20,4 @@ - - - - diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index 4fec4fa063..79b3bbc0de 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -21,8 +21,4 @@ - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 8a478b5dd2..998bd51703 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -21,8 +21,4 @@ - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index c0432a5da6..5b8c5b01a1 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -20,8 +20,4 @@ - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 70bbf78e0c..23599649bf 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -21,8 +21,4 @@ - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 0c82d3e86b..3f854ec2bb 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -22,8 +22,4 @@ - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 724912b1f5..a895a4cc31 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -26,8 +26,4 @@ - - - - From b706a75e03f93d2f9175a7fc3339baa87ad653f0 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Fri, 5 May 2017 10:59:13 -0700 Subject: [PATCH 341/493] Target .NET Standard 2.0 This retargets all data protection libraries to ns2.0. This means .NET Framework applications will need to upgrade to .NET Framework 4.6.1. This upgrade makes available API to .NET Core that was previously only available on .NET Framework, such as encrypting keys at rest with certificates. New API for .NET Core users: - IDataProtectionBuilder.ProtectKeysWithCertificate(string thumbprint) - CertificateXmlEncryptor - ICertificateResolver - DataProtectionProvider - .Create(string applicationName, X509Certificate2 certificate) - .Create(DirectoryInfo keyDirectory, X509Certificate2 certificate) - .Create(DirectoryInfo keyDirectory, Action setupAction, X509Certificate2 certificate Other minor changes in this commit: - Fixed samples that were using obsolete logging API - Remove calls to api-sets, instead using kernel32. .NET Core 2.0 no longer requires using api-sets as Nano Server now forwards kernel32 calls - Made minor improvements to the TypeForwardingActivator - Remove dead code an unused api baselines - Enable more tests on macOS/Linux that previously only ran on Windows --- DataProtection.sln | 5 +- build/common.props | 4 +- build/dependencies.props | 4 +- samples/AzureBlob/AzureBlob.csproj | 2 - samples/AzureBlob/Program.cs | 4 +- .../CustomEncryptorSample.csproj | 6 +- samples/CustomEncryptorSample/Program.cs | 4 +- .../KeyManagementSample.csproj | 6 +- samples/NonDISample/NonDISample.csproj | 6 +- samples/Redis/Program.cs | 6 +- samples/Redis/Redis.csproj | 6 +- .../CryptoUtil.cs | 10 +- ...ft.AspNetCore.Cryptography.Internal.csproj | 2 +- .../SafeHandleZeroOrMinusOneIsInvalid.cs | 30 - .../SafeHandles/SafeLibraryHandle.cs | 59 +- .../SafeHandles/SecureLocalAllocHandle.cs | 8 - .../UnsafeBufferUtil.cs | 37 +- .../UnsafeNativeMethods.cs | 27 +- .../baseline.netframework.json | 4 - ...pNetCore.Cryptography.KeyDerivation.csproj | 3 +- .../baseline.net45.json | 
78 - ...NetCore.DataProtection.Abstractions.csproj | 7 +- .../baseline.net45.json | 231 - .../AzureBlobXmlRepository.cs | 2 + ...NetCore.DataProtection.AzureStorage.csproj | 7 +- .../DataProtectionAdvancedExtensions.cs | 3 + .../DataProtectionProvider.cs | 12 +- ...spNetCore.DataProtection.Extensions.csproj | 6 +- .../baseline.netcore.json | 58 + .../baseline.netframework.json | 298 -- ...oft.AspNetCore.DataProtection.Redis.csproj | 6 +- ...AspNetCore.DataProtection.SystemWeb.csproj | 6 +- .../Cng/DpapiSecretSerializerHelper.cs | 26 +- .../DataProtectionBuilderExtensions.cs | 13 +- ...taProtectionServiceCollectionExtensions.cs | 5 - .../IDataProtectionBuilder.cs | 28 - .../Managed/ManagedAuthenticatedEncryptor.cs | 8 +- ...Microsoft.AspNetCore.DataProtection.csproj | 18 +- .../Repositories/FileSystemXmlRepository.cs | 42 +- .../TypeForwardingActivator.cs | 11 +- .../XmlEncryption/CertificateResolver.cs | 22 +- .../XmlEncryption/CertificateXmlEncryptor.cs | 6 - .../EncryptedXmlDecryptor.core50.cs | 44 - .../XmlEncryption/EncryptedXmlDecryptor.cs | 6 - .../XmlEncryption/ICertificateResolver.cs | 6 - .../IInternalCertificateXmlEncryptor.cs | 6 - .../IInternalEncryptedXmlDecryptor.cs | 6 - .../XmlEncryption/XmlEncryptionExtensions.cs | 18 - .../baseline.net45.json | 3749 ----------------- .../baseline.netcore.json | 234 + ...pNetCore.Cryptography.Internal.Test.csproj | 5 +- ...ore.Cryptography.KeyDerivation.Test.csproj | 5 +- ...re.DataProtection.Abstractions.Test.csproj | 5 +- ...re.DataProtection.AzureStorage.Test.csproj | 5 +- .../DataProtectionProviderTests.cs | 48 +- ...Core.DataProtection.Extensions.Test.csproj | 5 +- ...spNetCore.DataProtection.Redis.Test.csproj | 5 +- .../AnonymousImpersonation.cs | 4 +- .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 9 +- .../ManagedAuthenticatedEncryptorTests.cs | 3 +- ...soft.AspNetCore.DataProtection.Test.csproj | 9 +- .../FileSystemXmlRepositoryTests.cs | 31 +- .../TypeForwardingActivatorTests.cs | 13 +- 
.../CertificateXmlEncryptionTests.cs | 6 - .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- 65 files changed, 481 insertions(+), 4869 deletions(-) delete mode 100644 src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs delete mode 100644 src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netframework.json delete mode 100644 src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netframework.json delete mode 100644 src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/baseline.net45.json diff --git a/DataProtection.sln b/DataProtection.sln index f56c09d294..ead0e13a92 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -1,7 +1,6 @@ - Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 15 -VisualStudioVersion = 15.0.26228.4 +VisualStudioVersion = 15.0.26504.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject @@ -11,6 +10,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{E1D86B1B-41D8-43C9-97FD-C2BF65C414E2}" ProjectSection(SolutionItems) = preProject + build\common.props = build\common.props + build\dependencies.props = build\dependencies.props NuGet.config = NuGet.config EndProjectSection EndProject diff --git a/build/common.props b/build/common.props index 7449c51fe1..b6da5ae4c0 100644 --- a/build/common.props +++ b/build/common.props @@ -16,8 +16,8 @@ - - + + diff --git a/build/dependencies.props b/build/dependencies.props index 11c37b70e3..78d56b807a 100644 
--- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,10 +1,10 @@ 2.0.0-* - 4.3.0 + 4.4.0-* 2.1.0-* 4.7.1 - $(BundledNETStandardPackageVersion) + 2.0.0-* 1.2.3 15.3.0-* 2.3.0-beta2-* diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index 8ce0a3e6d9..9d6881602f 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -4,8 +4,6 @@ netcoreapp2.0 - Exe - $(PackageTargetFallback);portable-net45+win8+wp8+wpa81 diff --git a/samples/AzureBlob/Program.cs b/samples/AzureBlob/Program.cs index dd1e45b5d9..f0aa1efea5 100644 --- a/samples/AzureBlob/Program.cs +++ b/samples/AzureBlob/Program.cs @@ -31,8 +31,8 @@ namespace AzureBlob .PersistKeysToAzureBlobStorage(container, "keys.xml"); var services = serviceCollection.BuildServiceProvider(); - var loggerFactory = services.GetService(); - loggerFactory.AddConsole(Microsoft.Extensions.Logging.LogLevel.Trace); + var loggerFactory = services.GetService(); + loggerFactory.AddConsole(); // Run a sample payload diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index 96ea1517fa..ca8401e36d 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -3,7 +3,7 @@ - net46;netcoreapp2.0 + net461;netcoreapp2.0 @@ -16,4 +16,8 @@ + + + + diff --git a/samples/CustomEncryptorSample/Program.cs b/samples/CustomEncryptorSample/Program.cs index c79d12c601..89e0f82810 100644 --- a/samples/CustomEncryptorSample/Program.cs +++ b/samples/CustomEncryptorSample/Program.cs 
@@ -21,11 +21,11 @@ namespace CustomEncryptorSample .UseXmlEncryptor(s => new CustomXmlEncryptor(s)); var services = serviceCollection.BuildServiceProvider(); - var loggerFactory = services.GetRequiredService(); + var loggerFactory = services.GetRequiredService(); loggerFactory.AddConsole(); var protector = services.GetDataProtector("SamplePurpose"); - + // protect the payload var protectedPayload = protector.Protect("Hello World!"); Console.WriteLine($"Protect returned: {protectedPayload}"); diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index dd0a98bd0c..b15e9017a6 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -3,7 +3,7 @@ - net46;netcoreapp2.0 + net461;netcoreapp2.0 @@ -11,4 +11,8 @@ + + + + diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index dd0a98bd0c..b15e9017a6 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -3,7 +3,7 @@ - net46;netcoreapp2.0 + net461;netcoreapp2.0 @@ -11,4 +11,8 @@ + + + + diff --git a/samples/Redis/Program.cs b/samples/Redis/Program.cs index 94a32c116f..6731c10541 100644 --- a/samples/Redis/Program.cs +++ b/samples/Redis/Program.cs @@ -23,8 +23,8 @@ namespace Redis .PersistKeysToRedis(redis, "DataProtection-Keys"); var services = serviceCollection.BuildServiceProvider(); - var loggerFactory = services.GetService(); - loggerFactory.AddConsole(LogLevel.Trace); + var loggerFactory = services.GetService(); + loggerFactory.AddConsole(); // Run a sample payload var protector = services.GetDataProtector("sample-purpose"); @@ -32,4 +32,4 @@ namespace Redis Console.WriteLine(protectedData); } } -} \ No newline at end of file +} diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 6952eb460c..37aecfb68b 100644 --- a/samples/Redis/Redis.csproj 
+++ b/samples/Redis/Redis.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + net461;netcoreapp2.0 @@ -16,4 +16,8 @@ + + + + diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs index 45f405248d..e60673634d 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs @@ -4,15 +4,12 @@ using System; using System.Diagnostics; using System.Runtime.CompilerServices; +using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Security.Cryptography; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.Cryptography.Internal; -#if !NETSTANDARD1_3 -using System.Runtime.ConstrainedExecution; -#endif - namespace Microsoft.AspNetCore.Cryptography { internal unsafe static class CryptoUtil @@ -73,12 +70,7 @@ namespace Microsoft.AspNetCore.Cryptography } [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] -#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint count) { bool areEqual = true; diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj index ee4be7ad30..8fe369a218 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj @@ -4,7 +4,7 @@ Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly. - net46;netstandard1.3 + netstandard2.0 $(NoWarn);CS1591 true true 
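Review bot: `TimeConstantBuffersAreEqual` in CryptoUtil.cs now carries `[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]` on every target, but nothing explains why the method is also marked `NoInlining | NoOptimization`, which is the attribute that matters for its purpose. A comment above the method such as `// NoInlining/NoOptimization: keep the JIT from turning this into an early-exit compare; every byte must be examined regardless of where the first mismatch is.` would keep a future cleanup from removing it. That comment should also say that constrained execution regions are not supported on .NET Core, so the reliability contract is informational there. Only the first statement of the method body is inside the hunk, so the loop itself is assumed, not seen.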
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs deleted file mode 100644 index b61a4c3c44..0000000000 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeHandleZeroOrMinusOneIsInvalid.cs +++ /dev/null @@ -1,30 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using System.Runtime.InteropServices; - -#if NETSTANDARD1_3 -namespace Microsoft.Win32.SafeHandles -{ - internal abstract class SafeHandleZeroOrMinusOneIsInvalid : SafeHandle - { - // Called by P/Invoke when returning SafeHandles - protected SafeHandleZeroOrMinusOneIsInvalid(bool ownsHandle) - : base(IntPtr.Zero, ownsHandle) - { - } - - public override bool IsInvalid - { - get - { - return (handle == IntPtr.Zero || handle == (IntPtr)(-1)); - } - } - } -} -#elif NET46 -#else -#error target frameworks need to be updated. -#endif diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs index c1ee52202e..ccd0b99c79 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs @@ -2,14 +2,11 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Security; using Microsoft.Win32.SafeHandles; -#if !NETSTANDARD1_3 -using System.Runtime.ConstrainedExecution; -#endif - namespace Microsoft.AspNetCore.Cryptography.SafeHandles { /// 
@@ -127,31 +124,11 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles return UnsafeNativeMethods.FreeLibrary(handle); } -#if NET46 [SuppressUnmanagedCodeSecurity] -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif private static class UnsafeNativeMethods { -#if NETSTANDARD1_3 - private const string CORE_LIBRARY_LOADER_LIB = "api-ms-win-core-libraryloader-l1-1-0.dll"; - private const string CORE_LOCALIZATION_LIB = "api-ms-win-core-localization-l1-2-0.dll"; -#elif NET46 - private const string KERNEL32_LIB = "kernel32.dll"; -#else -#error target frameworks need to be updated. -#endif - // http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx -#if NETSTANDARD1_3 - [DllImport(CORE_LOCALIZATION_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] -#elif NET46 - [DllImport(KERNEL32_LIB, EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] -#else -#error target frameworks need to be updated. -#endif + [DllImport("kernel32.dll", EntryPoint = "FormatMessageW", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode, SetLastError = true)] public static extern int FormatMessage( [In] uint dwFlags, [In] SafeLibraryHandle lpSource, 
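Review bot: The P/Invoke declarations in this hunk and in the `@@ -164,50 +141,26 @@` hunk that follows now name `"kernel32.dll"` as a bare literal five times and leave library resolution to the default search order. Adding `[DefaultDllImportSearchPaths(DllImportSearchPath.System32)]` to each declaration (or once at assembly level) states that only the system directory is acceptable; kernel32 is normally resolved as a known system DLL on Windows, so this is defence in depth rather than a fix for an observed flaw. Keeping the single constant the NET46 branch had, `private const string KERNEL32_LIB = "kernel32.dll";`, would also avoid the repetition. `UnsafeNativeMethods` continues beyond the end of this hunk.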
@@ -164,50 +141,26 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles // http://msdn.microsoft.com/en-us/library/ms683152(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if NETSTANDARD1_3 - [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] -#elif NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] -#else -#error target frameworks need to be updated. -#endif + [DllImport("kernel32.dll", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Unicode)] internal static extern bool FreeLibrary(IntPtr hModule); // http://msdn.microsoft.com/en-us/library/ms683200(v=vs.85).aspx [return: MarshalAs(UnmanagedType.Bool)] -#if NETSTANDARD1_3 - [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#elif NET46 - [DllImport(KERNEL32_LIB, EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#else -#error target frameworks need to be updated. -#endif + [DllImport("kernel32.dll", EntryPoint = "GetModuleHandleExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] internal static extern bool GetModuleHandleEx( [In] uint dwFlags, [In] SafeLibraryHandle lpModuleName, // can point to a location within the module if GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS is set [Out] out IntPtr phModule); // http://msdn.microsoft.com/en-us/library/ms683212(v=vs.85).aspx -#if NETSTANDARD1_3 - [DllImport(CORE_LIBRARY_LOADER_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#elif NET46 - [DllImport(KERNEL32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#else -#error target frameworks need to be updated. 
-#endif + [DllImport("kernel32.dll", CallingConvention = CallingConvention.Winapi, SetLastError = true)] internal static extern IntPtr GetProcAddress( [In] SafeLibraryHandle hModule, [In, MarshalAs(UnmanagedType.LPStr)] string lpProcName); // http://msdn.microsoft.com/en-us/library/windows/desktop/ms684179(v=vs.85).aspx -#if NETSTANDARD1_3 - [DllImport(CORE_LIBRARY_LOADER_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#elif NET46 - [DllImport(KERNEL32_LIB, EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] -#else -#error target frameworks need to be updated. -#endif + [DllImport("kernel32.dll", EntryPoint = "LoadLibraryExW", CallingConvention = CallingConvention.Winapi, SetLastError = true)] internal static extern SafeLibraryHandle LoadLibraryEx( [In, MarshalAs(UnmanagedType.LPWStr)] string lpFileName, [In] IntPtr hFile, diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs index 52399e0f7b..ac1f3c6172 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs @@ -3,10 +3,7 @@ using System; using System.Runtime.InteropServices; - -#if !NETSTANDARD1_3 using System.Runtime.ConstrainedExecution; -#endif namespace Microsoft.AspNetCore.Cryptography.SafeHandles { @@ -41,12 +38,7 @@ namespace Microsoft.AspNetCore.Cryptography.SafeHandles return newHandle; } -#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif private void AllocateImpl(IntPtr cb) { handle = Marshal.AllocHGlobal(cb); // actually calls LocalAlloc 
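Review bot: The `[ReliabilityContract]` on `FreeLibrary` (and on `AllocateImpl` in SecureLocalAllocHandle.cs, later on this line) is now compiled for every target, but constrained execution regions are only implemented on .NET Framework. On any other runtime that loads this assembly (presumably netstandard2.0, like the sibling projects in this commit) the attribute gives no guarantee. The same holds for the attributes made unconditional in UnsafeBufferUtil.cs and UnsafeNativeMethods.cs and for the `RuntimeHelpers.PrepareConstrainedRegions()` calls in DpapiSecretSerializerHelper.cs. The old `#if` made that split visible, so a comment should replace it next to each use, e.g. `// CER hint: honoured on .NET Framework only; elsewhere cleanup relies on the plain try/finally.` `AllocateImpl`'s body continues outside its hunk.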
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs index 247812f020..681adb8bc3 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs @@ -3,30 +3,23 @@ using System; using System.Runtime.CompilerServices; +using System.Runtime.ConstrainedExecution; using System.Threading; using Microsoft.AspNetCore.Cryptography.SafeHandles; -#if !NETSTANDARD1_3 -using System.Runtime.ConstrainedExecution; -#endif - namespace Microsoft.AspNetCore.Cryptography { internal unsafe static class UnsafeBufferUtil { [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif public static void BlockCopy(void* from, void* to, int byteCount) { BlockCopy(from, to, checked((uint)byteCount)); // will be checked before invoking the delegate } [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif public static void BlockCopy(void* from, void* to, uint byteCount) { if (byteCount != 0) @@ -35,9 +28,7 @@ namespace Microsoft.AspNetCore.Cryptography } } -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] -#endif public static void BlockCopy(LocalAllocHandle from, void* to, uint byteCount) { bool refAdded = false; @@ -55,9 +46,7 @@ namespace Microsoft.AspNetCore.Cryptography } } -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] -#endif public static void BlockCopy(void* from, LocalAllocHandle to, uint byteCount) { bool refAdded = false; 
@@ -75,9 +64,7 @@ namespace Microsoft.AspNetCore.Cryptography } } -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] -#endif public static void BlockCopy(LocalAllocHandle from, LocalAllocHandle to, IntPtr length) { if (length == IntPtr.Zero) @@ -116,36 +103,20 @@ namespace Microsoft.AspNetCore.Cryptography [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyCore(byte* from, byte* to, uint byteCount) { -#if NETSTANDARD1_3 Buffer.MemoryCopy(from, to, (ulong)byteCount, (ulong)byteCount); -#else - while (byteCount-- != 0) - { - to[byteCount] = from[byteCount]; - } -#endif } [MethodImpl(MethodImplOptions.AggressiveInlining)] private static void BlockCopyCore(byte* from, byte* to, ulong byteCount) { -#if NETSTANDARD1_3 Buffer.MemoryCopy(from, to, byteCount, byteCount); -#else - while (byteCount-- != 0) - { - to[byteCount] = from[byteCount]; - } -#endif } /// /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif public static void SecureZeroMemory(byte* buffer, int byteCount) { SecureZeroMemory(buffer, checked((uint)byteCount)); @@ -155,9 +126,7 @@ namespace Microsoft.AspNetCore.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif public static void SecureZeroMemory(byte* buffer, uint byteCount) { if (byteCount != 0) @@ -176,9 +145,7 @@ namespace Microsoft.AspNetCore.Cryptography /// Securely clears a memory buffer. /// [MethodImpl(MethodImplOptions.AggressiveInlining)] -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif public static void SecureZeroMemory(byte* buffer, ulong byteCount) { if (byteCount != 0) 
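Review bot: Both `BlockCopyCore` overloads pass `byteCount` as `destinationSizeInBytes` and again as `sourceBytesToCopy`, so the capacity check inside `Buffer.MemoryCopy` can never fail and the copy is exactly as unchecked as the loop it replaces. That is fine only if every caller has already validated both buffers, which this hunk does not show. I would record it at each call: `// dest size == count: MemoryCopy's bounds check is vacuous here; callers must validate lengths.` The public `BlockCopy` wrappers that reach this code are outside the hunk.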
@@ -196,9 +163,7 @@ namespace Microsoft.AspNetCore.Cryptography /// /// Securely clears a memory buffer. /// -#if !NETSTANDARD1_3 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#endif public static void SecureZeroMemory(byte* buffer, IntPtr length) { if (sizeof(IntPtr) == 4) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs index c36f78997b..3a5a4d8db3 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs @@ -4,6 +4,7 @@ using System; using System.Diagnostics; using System.Runtime.CompilerServices; +using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; using System.Security; using System.Security.Cryptography; @@ -12,18 +13,9 @@ using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.Cryptography.SafeHandles; using Microsoft.Win32.SafeHandles; -#if NET46 -using System.Runtime.ConstrainedExecution; -#endif - namespace Microsoft.AspNetCore.Cryptography { -#if NET46 [SuppressUnmanagedCodeSecurity] -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif internal unsafe static class UnsafeNativeMethods { private const string BCRYPT_LIB = "bcrypt.dll"; 
@@ -90,23 +82,13 @@ namespace Microsoft.AspNetCore.Cryptography [In] uint dwFlags); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375399(v=vs.85).aspx internal static extern int BCryptDestroyHash( [In] IntPtr hHash); [DllImport(BCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif // http://msdn.microsoft.com/en-us/library/windows/desktop/aa375404(v=vs.85).aspx internal static extern int BCryptDestroyKey( [In] IntPtr hKey); @@ -209,7 +191,7 @@ namespace Microsoft.AspNetCore.Cryptography /* * CRYPT32.DLL */ - + [DllImport(CRYPT32_LIB, CallingConvention = CallingConvention.Winapi, SetLastError = true)] // http://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx internal static extern bool CryptProtectData( @@ -258,12 +240,7 @@ namespace Microsoft.AspNetCore.Cryptography */ [DllImport(NCRYPT_LIB, CallingConvention = CallingConvention.Winapi)] -#if NET46 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif // http://msdn.microsoft.com/en-us/library/windows/desktop/hh706799(v=vs.85).aspx internal static extern int NCryptCloseProtectionDescriptor( [In] IntPtr hDescriptor); diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netframework.json b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netframework.json deleted file mode 100644 index 4e3124a689..0000000000 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netframework.json +++ /dev/null 
@@ -1,4 +0,0 @@ -{ - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", - "Types": [] -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj index 4ff88fbf5e..478845ec47 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj @@ -4,8 +4,7 @@ ASP.NET Core utilities for key derivation. - netstandard1.3 - $(NoWarn);CS1591 + netstandard2.0 true true aspnetcore;dataprotection diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json deleted file mode 100644 index 93e2b1bed7..0000000000 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.net45.json +++ /dev/null 
@@ -1,78 +0,0 @@ -{ - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", - "Types": [ - { - "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivation", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "Pbkdf2", - "Parameters": [ - { - "Name": "password", - "Type": "System.String" - }, - { - "Name": "salt", - "Type": "System.Byte[]" - }, - { - "Name": "prf", - "Type": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivationPrf" - }, - { - "Name": "iterationCount", - "Type": "System.Int32" - }, - { - "Name": "numBytesRequested", - "Type": "System.Int32" - } - ], - "ReturnType": "System.Byte[]", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivationPrf", - "Visibility": "Public", - "Kind": "Enumeration", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Field", - "Name": "HMACSHA1", - "Parameters": [], - "GenericParameter": [], - "Literal": "0" - }, - { - "Kind": "Field", - "Name": "HMACSHA256", - "Parameters": [], - "GenericParameter": [], - "Literal": "1" - }, - { - "Kind": "Field", - "Name": "HMACSHA512", - "Parameters": [], - "GenericParameter": [], - "Literal": "2" - } - ], - "GenericParameters": [] - } - ] -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj index 788a8fc77c..936785fab3 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj @@ -7,8 +7,7 @@ Commonly used types: Microsoft.AspNetCore.DataProtection.IDataProtectionProvider Microsoft.AspNetCore.DataProtection.IDataProtector - netstandard1.3 - $(NoWarn);CS1591 + netstandard2.0 true aspnetcore;dataprotection @@ -21,8 +20,4 @@ Microsoft.AspNetCore.DataProtection.IDataProtector - - - - diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json deleted file mode 100644 index 6d0d722ddc..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.net45.json +++ /dev/null 
@@ -1,231 +0,0 @@ -{ - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", - "Types": [ - { - "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateProtector", - "Parameters": [ - { - "Name": "provider", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" - }, - { - "Name": "purposes", - "Type": "System.Collections.Generic.IEnumerable" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateProtector", - "Parameters": [ - { - "Name": "provider", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" - }, - { - "Name": "purpose", - "Type": "System.String" - }, - { - "Name": "subPurposes", - "Type": "System.String[]", - "IsParams": true - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetDataProtectionProvider", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetDataProtector", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - }, - { - "Name": "purposes", - "Type": "System.Collections.Generic.IEnumerable" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", - "Static": true, - "Extension": true, - "Visibility": "Public", - 
"GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetDataProtector", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - }, - { - "Name": "purpose", - "Type": "System.String" - }, - { - "Name": "subPurposes", - "Type": "System.String[]", - "IsParams": true - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Protect", - "Parameters": [ - { - "Name": "protector", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" - }, - { - "Name": "plaintext", - "Type": "System.String" - } - ], - "ReturnType": "System.String", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Unprotect", - "Parameters": [ - { - "Name": "protector", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" - }, - { - "Name": "protectedData", - "Type": "System.String" - } - ], - "ReturnType": "System.String", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateProtector", - "Parameters": [ - { - "Name": "purpose", - "Type": "System.String" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.IDataProtector", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Protect", - "Parameters": [ - { - "Name": 
"plaintext", - "Type": "System.Byte[]" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Unprotect", - "Parameters": [ - { - "Name": "protectedData", - "Type": "System.Byte[]" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Infrastructure.IApplicationDiscriminator", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_Discriminator", - "Parameters": [], - "ReturnType": "System.String", - "GenericParameter": [] - } - ], - "GenericParameters": [] - } - ] -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs index 2b7594e679..e39babaa31 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs @@ -51,6 +51,7 @@ namespace Microsoft.AspNetCore.DataProtection.AzureStorage _random = new Random(); } + /// public IReadOnlyCollection GetAllElements() { var blobRef = CreateFreshBlobRef(); @@ -62,6 +63,7 @@ namespace Microsoft.AspNetCore.DataProtection.AzureStorage return new ReadOnlyCollection(elements); } + /// public void StoreElement(XElement element, string friendlyName) { if (element == null) diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index 1aa0031625..57a9cbc921 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -4,9 +4,7 @@ Microsoft Azure Blob storrage support as key store. - 2.0.0 - net46;netstandard1.5 - $(NoWarn);CS1591 + netstandard2.0 true true aspnetcore;dataprotection;azure;blob @@ -14,6 +12,9 @@ + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs index cb452164df..6e4c2aabac 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs @@ -5,6 +5,9 @@ using System; namespace Microsoft.AspNetCore.DataProtection { + /// + /// Helpful extension methods for data protection APIs. + /// public static class DataProtectionAdvancedExtensions { /// diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs index 1b9e30a94e..7b080a9a87 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs @@ -73,7 +73,6 @@ namespace Microsoft.AspNetCore.DataProtection return CreateProvider(keyDirectory, setupAction, certificate: null); } -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml /// /// Creates a that store keys in a location based on /// the platform and operating system and uses the given to encrypt the keys. @@ -150,10 +149,6 @@ namespace Microsoft.AspNetCore.DataProtection return CreateProvider(keyDirectory, setupAction, certificate); } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif private static IDataProtectionProvider CreateProvider( DirectoryInfo keyDirectory, 
@@ -169,15 +164,10 @@ namespace Microsoft.AspNetCore.DataProtection builder.PersistKeysToFileSystem(keyDirectory); } -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml if (certificate != null) { builder.ProtectKeysWithCertificate(certificate); } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif setupAction(builder); @@ -185,4 +175,4 @@ namespace Microsoft.AspNetCore.DataProtection return serviceCollection.BuildServiceProvider().GetRequiredService(); } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj index fe2f163044..c5e139b89b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj @@ -4,8 +4,7 @@ Additional APIs for ASP.NET Core data protection. - net46;netstandard1.3 - $(NoWarn);CS1591 + netstandard2.0 true aspnetcore;dataprotection @@ -16,6 +15,9 @@ + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json index 50b7e9764a..93502e6e6e 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json 
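Review bot: With the `#if` gone, `CreateProvider` configures key encryption only when `certificate != null`; on the null path nothing in this method protects the persisted keys. `setupAction(builder)` also runs after `ProtectKeysWithCertificate`, so a callback could presumably replace the certificate protection. Neither is documented in the visible code. I would add `// No certificate: at-rest key protection is left to the defaults or to setupAction.` above the `if`, and `// Runs last: may override the key-encryption settings applied above.` above `setupAction(builder);`. The start of `CreateProvider` is outside this hunk.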
@@ -175,6 +175,64 @@ "Static": true, "Visibility": "Public", "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "applicationName", + "Type": "System.String" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Create", + "Parameters": [ + { + "Name": "keyDirectory", + "Type": "System.IO.DirectoryInfo" + }, + { + "Name": "setupAction", + "Type": "System.Action" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "Static": true, + "Visibility": "Public", + "GenericParameter": [] } ], "GenericParameters": [] diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netframework.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netframework.json deleted file mode 100644 index 93502e6e6e..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netframework.json +++ /dev/null 
@@ -1,298 +0,0 @@ -{ - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", - "Types": [ - { - "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionAdvancedExtensions", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "Protect", - "Parameters": [ - { - "Name": "protector", - "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" - }, - { - "Name": "plaintext", - "Type": "System.Byte[]" - }, - { - "Name": "lifetime", - "Type": "System.TimeSpan" - } - ], - "ReturnType": "System.Byte[]", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Protect", - "Parameters": [ - { - "Name": "protector", - "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" - }, - { - "Name": "plaintext", - "Type": "System.String" - }, - { - "Name": "expiration", - "Type": "System.DateTimeOffset" - } - ], - "ReturnType": "System.String", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Protect", - "Parameters": [ - { - "Name": "protector", - "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" - }, - { - "Name": "plaintext", - "Type": "System.String" - }, - { - "Name": "lifetime", - "Type": "System.TimeSpan" - } - ], - "ReturnType": "System.String", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ToTimeLimitedDataProtector", - "Parameters": [ - { - "Name": "protector", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtector" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", - "Static": true, - "Extension": true, - "Visibility": "Public", - 
"GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Unprotect", - "Parameters": [ - { - "Name": "protector", - "Type": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector" - }, - { - "Name": "protectedData", - "Type": "System.String" - }, - { - "Name": "expiration", - "Type": "System.DateTimeOffset", - "Direction": "Out" - } - ], - "ReturnType": "System.String", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionProvider", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "Create", - "Parameters": [ - { - "Name": "applicationName", - "Type": "System.String" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Create", - "Parameters": [ - { - "Name": "keyDirectory", - "Type": "System.IO.DirectoryInfo" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Create", - "Parameters": [ - { - "Name": "keyDirectory", - "Type": "System.IO.DirectoryInfo" - }, - { - "Name": "setupAction", - "Type": "System.Action" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Create", - "Parameters": [ - { - "Name": "applicationName", - "Type": "System.String" - }, - { - "Name": "certificate", - "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Static": true, 
- "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Create", - "Parameters": [ - { - "Name": "keyDirectory", - "Type": "System.IO.DirectoryInfo" - }, - { - "Name": "certificate", - "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Create", - "Parameters": [ - { - "Name": "keyDirectory", - "Type": "System.IO.DirectoryInfo" - }, - { - "Name": "setupAction", - "Type": "System.Action" - }, - { - "Name": "certificate", - "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.IDataProtector" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateProtector", - "Parameters": [ - { - "Name": "purpose", - "Type": "System.String" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.ITimeLimitedDataProtector", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Protect", - "Parameters": [ - { - "Name": "plaintext", - "Type": "System.Byte[]" - }, - { - "Name": "expiration", - "Type": "System.DateTimeOffset" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Unprotect", - "Parameters": [ - { - "Name": "protectedData", - "Type": "System.Byte[]" - }, - { - "Name": "expiration", - "Type": "System.DateTimeOffset", - "Direction": "Out" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - } - ], - 
"GenericParameters": [] - } - ] -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 65b0d5c216..e5f3a6f620 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -5,8 +5,7 @@ Redis storage support as key store. 0.3.0 - net46;netstandard1.5 - $(NoWarn);CS1591 + netstandard2.0 true true aspnetcore;dataprotection;redis @@ -14,6 +13,9 @@ + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj index d1ae6aeda7..76f71bd615 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj @@ -4,7 +4,7 @@ A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x <machineKey> element. - net46 + net461 $(NoWarn);CS1591 true aspnet;aspnetcore;dataprotection @@ -16,9 +16,11 @@ + + + - diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs index ea37a1b989..61bbb4f9ea 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs 
@@ -78,12 +78,8 @@ namespace Microsoft.AspNetCore.DataProtection.Cng }; var dataOut = default(DATA_BLOB); -#if NET46 RuntimeHelpers.PrepareConstrainedRegions(); -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif + try { var success = UnsafeNativeMethods.CryptProtectData( @@ -171,12 +167,9 @@ namespace Microsoft.AspNetCore.DataProtection.Cng fixed (byte* pbRetVal = retVal) { var handleAcquired = false; -#if NET46 + RuntimeHelpers.PrepareConstrainedRegions(); -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif + try { protectedData.DangerousAddRef(ref handleAcquired); @@ -224,12 +217,8 @@ namespace Microsoft.AspNetCore.DataProtection.Cng }; var dataOut = default(DATA_BLOB); -#if NET46 RuntimeHelpers.PrepareConstrainedRegions(); -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif + try { var success = UnsafeNativeMethods.CryptUnprotectData( @@ -300,12 +289,9 @@ namespace Microsoft.AspNetCore.DataProtection.Cng using (unencryptedPayloadHandle) { var handleAcquired = false; -#if NET46 + RuntimeHelpers.PrepareConstrainedRegions(); -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif + try { unencryptedPayloadHandle.DangerousAddRef(ref handleAcquired); diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index 6a3a9d459c..0bbb916868 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs @@ -4,6 +4,7 @@ using System; using System.ComponentModel; using System.IO; +using System.Security.Cryptography.X509Certificates; using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; 
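Review bot: The four `RuntimeHelpers.PrepareConstrainedRegions();` calls in DpapiSecretSerializerHelper.cs (hunks at -78, -167, -217 and -289) are now compiled for every runtime, but as far as I know only .NET Framework honours constrained execution regions; on .NET Core the call has no effect. Nothing in the code tells a reader that the cleanup after each `try` is best-effort there. A one-line comment above each call would record that, e.g. `// CER is only honoured on .NET Framework; on other runtimes this call is a no-op.` The enclosing methods start and end outside these hunks.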
@@ -16,10 +17,6 @@ using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; using Microsoft.Win32; -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml -using System.Security.Cryptography.X509Certificates; -#endif - namespace Microsoft.AspNetCore.DataProtection { /// @@ -249,8 +246,6 @@ namespace Microsoft.AspNetCore.DataProtection return builder; } -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - /// /// Configures keys to be encrypted to a given certificate before being persisted to storage. /// @@ -321,10 +316,6 @@ namespace Microsoft.AspNetCore.DataProtection return builder; } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif /// /// Configures keys to be encrypted with Windows DPAPI before being persisted to @@ -604,4 +595,4 @@ namespace Microsoft.AspNetCore.DataProtection return builder; } } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 5a64d5e44f..95fef0d55c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -98,12 +98,7 @@ namespace Microsoft.Extensions.DependencyInjection return dataProtectionProvider; }); -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml services.TryAddSingleton(); -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs index 619bdfcad4..95c7c61f50 100644 --- a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs @@ -7,7 +7,6 @@ using Microsoft.Extensions.DependencyInjection; namespace Microsoft.AspNetCore.DataProtection { -#if NET46 /// /// Provides access to configuration for the data protection system, which allows the /// developer to configure default cryptographic algorithms, key storage locations, @@ -34,33 +33,6 @@ namespace Microsoft.AspNetCore.DataProtection /// contain existing keys that use older algorithms or protection mechanisms. /// /// -#elif NETSTANDARD1_3 - /// - /// Provides access to configuration for the data protection system, which allows the - /// developer to configure default cryptographic algorithms, key storage locations, - /// and the mechanism by which keys are protected at rest. - /// - /// - /// - /// If the developer changes the at-rest key protection mechanism, it is intended that - /// he also change the key storage location, and vice versa. - /// - /// - /// Similarly, when a developer modifies the default protected payload cryptographic - /// algorithms, it is intended that he also select an explitiy key storage location. - /// A call to - /// should therefore generally be paired with a call to , - /// for example. - /// - /// - /// When the default cryptographic algorithms or at-rest key protection mechanisms are - /// changed, they only affect new keys in the repository. The repository may - /// contain existing keys that use older algorithms or protection mechanisms. - /// - /// -#else -#error target frameworks need to be updated. -#endif public interface IDataProtectionBuilder { /// diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs index 89cc875d10..0d93955d75 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs 
@@ -343,14 +343,8 @@ namespace Microsoft.AspNetCore.DataProtection.Managed using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey)) { -#if NET46 - // As an optimization, avoid duplicating the underlying buffer if we're on desktop CLR. + // As an optimization, avoid duplicating the underlying buffer var underlyingBuffer = outputStream.GetBuffer(); -#elif NETSTANDARD1_3 - var underlyingBuffer = outputStream.ToArray(); -#else -#error target frameworks need to be updated. -#endif var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES)); outputStream.Write(mac, 0, mac.Length); diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index 79a93e283b..a46c797a51 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -4,7 +4,7 @@ ASP.NET Core logic to protect and unprotect data, similar to DPAPI. - net46;netstandard1.3 + netstandard2.0 $(NoWarn);CS1591 true true @@ -19,22 +19,14 @@ + + + - - - - - - - - - - - - + diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index b88f575a03..ce2bb494ff 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -6,6 +6,7 @@ using System.Collections.Generic; using System.Diagnostics; using System.IO; using System.Linq; +using System.Runtime.InteropServices; using System.Xml.Linq; using Microsoft.Extensions.Logging; 
@@ -37,8 +38,9 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories } /// - /// The default key storage directory, which currently corresponds to - /// "%LOCALAPPDATA%\ASP.NET\DataProtection-Keys". + /// The default key storage directory. + /// On Windows, this currently corresponds to "Environment.SpecialFolder.LocalApplication/ASP.NET/DataProtection-Keys". + /// On Linux and macOS, this currently corresponds to "$HOME/.aspnet/DataProtection-Keys". /// /// /// This property can return null if no suitable default key storage directory can 
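Review bot: The new summary names `Environment.SpecialFolder.LocalApplication`, which is not the member the code reads; `GetDefaultKeyStorageDirectory` in the next hunk uses `Environment.SpecialFolder.LocalApplicationData`. The doc also omits the `$LOCALAPPDATA` and `$USERPROFILE` fallbacks that are tried before `$HOME`, so the documented location can differ from where the key ring ends up. Suggested wording for the Windows line: `/// On Windows, this currently corresponds to "Environment.SpecialFolder.LocalApplicationData/ASP.NET/DataProtection-Keys".`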
@@ -82,28 +84,23 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories private static DirectoryInfo GetDefaultKeyStorageDirectory() { -#if NET46 - // Environment.GetFolderPath returns null if the user profile isn't loaded. - var folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); - if (!String.IsNullOrEmpty(folderPath)) - { - return GetKeyStorageDirectoryFromBaseAppDataPath(folderPath); - } - else - { - return null; - } -#elif NETSTANDARD1_3 - // On core CLR, we need to fall back to environment variables. DirectoryInfo retVal; - var localAppDataPath = Environment.GetEnvironmentVariable("LOCALAPPDATA"); + // Environment.GetFolderPath returns null if the user profile isn't loaded. + var localAppDataFromSystemPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); + var localAppDataFromEnvPath = Environment.GetEnvironmentVariable("LOCALAPPDATA"); var userProfilePath = Environment.GetEnvironmentVariable("USERPROFILE"); var homePath = Environment.GetEnvironmentVariable("HOME"); - if (localAppDataPath != null) + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !string.IsNullOrEmpty(localAppDataFromSystemPath)) { - retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataPath); + // To preserve backwards-compatibility with 1.x, Environment.SpecialFolder.LocalApplicationData + // cannot take precedence over $LOCALAPPDATA and $HOME/.aspnet on non-Windows platforms + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromSystemPath); + } + else if (localAppDataFromEnvPath != null) + { + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromEnvPath); } else if (userProfilePath != null) { 
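Review bot: The environment-variable branches test only for null (`else if (localAppDataFromEnvPath != null)`, and the existing `userProfilePath != null`), while the `Environment.GetFolderPath` branch uses `!string.IsNullOrEmpty(...)`. Where the runtime returns an empty string for a variable that is set but empty, the empty value is accepted as the base path; the key directory is then presumably built from a relative path and resolved against the process working directory. Use the same test on every branch: `else if (!string.IsNullOrEmpty(localAppDataFromEnvPath))`. The `$HOME` branch and the new fallback are in the following hunk (-115), and the function continues beyond both.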
@@ -115,6 +112,12 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories // it's a good guess that this is a *NIX machine. Use *NIX conventions for a folder name. retVal = new DirectoryInfo(Path.Combine(homePath, ".aspnet", DataProtectionKeysFolderName)); } + else if (!string.IsNullOrEmpty(localAppDataFromSystemPath)) + { + // Starting in 2.x, non-Windows platforms may use Environment.SpecialFolder.LocalApplicationData + // but only after checking for $LOCALAPPDATA, $USERPROFILE, and $HOME. + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromSystemPath); + } else { return null; @@ -131,9 +134,6 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { return null; } -#else -#error target frameworks need to be updated. -#endif } internal static DirectoryInfo GetKeyStorageDirectoryForAzureWebSites() diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs b/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs index 3865adbf37..311d4ed48e 100644 --- a/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs +++ b/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs @@ -12,7 +12,7 @@ namespace Microsoft.AspNetCore.DataProtection private const string OldNamespace = "Microsoft.AspNet.DataProtection"; private const string CurrentNamespace = "Microsoft.AspNetCore.DataProtection"; private readonly ILogger _logger; - private static readonly Regex _versionPattern = new Regex(@",\s?Version=(\d+\.?)(\d+\.?)?(\d+\.?)?(\d+\.?)?", RegexOptions.Compiled, TimeSpan.FromSeconds(2)); + private static readonly Regex _versionPattern = new Regex(@",\s?Version=[0-9]+(\.[0-9]+){0,3}", RegexOptions.Compiled, TimeSpan.FromSeconds(2)); public TypeForwardingActivator(IServiceProvider services) : this(services, DataProtectionProviderFactory.GetDefaultLoggerFactory()) 
@@ -39,16 +39,11 @@ namespace Microsoft.AspNetCore.DataProtection forwardedTypeName = originalTypeName.Replace(OldNamespace, CurrentNamespace); } -#if NET46 - if (candidate || forwardedTypeName.Contains(CurrentNamespace)) + if (candidate || forwardedTypeName.StartsWith(CurrentNamespace + ".", StringComparison.Ordinal)) { candidate = true; forwardedTypeName = RemoveVersionFromAssemblyName(forwardedTypeName); } -#elif NETSTANDARD1_3 -#else -#error Target framework needs to be updated -#endif if (candidate) { @@ -70,4 +65,4 @@ namespace Microsoft.AspNetCore.DataProtection protected string RemoveVersionFromAssemblyName(string forwardedTypeName) => _versionPattern.Replace(forwardedTypeName, ""); } -} \ No newline at end of file +} diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs index 3bf578e14a..36ff53a6f3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs @@ -1,9 +1,8 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - using System; +using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; namespace Microsoft.AspNetCore.DataProtection.XmlEncryption 
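Review bot: With the `#if NET46` guard removed in the -39 hunk, `RemoveVersionFromAssemblyName` runs on every target for any name that starts with `Microsoft.AspNetCore.DataProtection.`, so the version recorded in the type name no longer takes part in resolving the type. The `StartsWith` check constrains only the leading namespace of the string, not the assembly part after the comma. If these names come from persisted key material (the caller is not visible here), that relaxation deserves a comment such as `// Version is dropped on purpose so keys written by another package version still activate; the assembly name is not validated here.` The method body continues outside the hunk.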
@@ -40,9 +39,19 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var store = new X509Store(location); try { - store.Open(OpenFlags.ReadOnly); + store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); var matchingCerts = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true); - return (matchingCerts != null && matchingCerts.Count > 0) ? matchingCerts[0] : null; + return (matchingCerts != null && matchingCerts.Count > 0) + ? matchingCerts[0] + : null; + } + catch (CryptographicException) + { + // Suppress first-chance exceptions when opening the store. + // For example, LocalMachine\My is not supported on Linux yet and will throw on Open(), + // but there isn't a good way to detect this without attempting to open the store. + // See https://github.com/dotnet/corefx/issues/3690. + return null; } finally { @@ -51,7 +60,4 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif + diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs index 0cbcf30bae..ee1342df94 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs @@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - using System; using System.Security.Cryptography.X509Certificates; using System.Security.Cryptography.Xml; @@ -147,7 +145,3 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif 
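Review bot: The new `catch (CryptographicException)` in the -40 hunk of CertificateResolver.cs covers `store.Certificates.Find(...)` as well as `store.Open(...)`, although its comment only justifies suppressing a failed open. A failure during the thumbprint lookup is then reported as "no certificate" with nothing logged, which presumably makes a key that cannot be decrypted harder to diagnose. Narrowing the handler to the `Open` call keeps the platform workaround and lets other failures surface. The method starts before the hunk and the body of its `finally` is outside it.

```csharp
var store = new X509Store(location);
try
{
    try
    {
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
    }
    catch (CryptographicException)
    {
        // The store cannot be opened on this platform; report "not found".
        return null;
    }

    // … unchanged: FindByThumbprint lookup and return …
}
// … unchanged: finally block …
```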
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs deleted file mode 100644 index 36bba2fb81..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.core50.cs +++ /dev/null @@ -1,44 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -#if NETSTANDARD1_3 -// [[ISSUE60]] Remove this entire file when Core CLR gets support for EncryptedXml. -// This is just a dummy implementation of the class that always throws. -// The only reason it's here (albeit internal) is to provide a nice error message if key -// material that was generated by Desktop CLR needs to be read by Core CLR. - -using System; -using System.Xml.Linq; -using Microsoft.Extensions.Logging; - -namespace Microsoft.AspNetCore.DataProtection.XmlEncryption -{ - internal sealed class EncryptedXmlDecryptor : IXmlDecryptor - { - private readonly ILogger _logger; - - public EncryptedXmlDecryptor() - : this(services: null) - { - } - - public EncryptedXmlDecryptor(IServiceProvider services) - { - _logger = services.GetLogger(); - } - - public XElement Decrypt(XElement encryptedElement) - { - if (_logger.IsErrorLevelEnabled()) - { - _logger.LogError(Resources.EncryptedXmlDecryptor_DoesNotWorkOnCoreClr); - } - - throw new PlatformNotSupportedException(Resources.EncryptedXmlDecryptor_DoesNotWorkOnCoreClr); - } - } -} -#elif NET46 -#else -#error target frameworks need to be updated. -#endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index bfb70d3283..6bc280900c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - using System; using System.Security.Cryptography.Xml; using System.Xml; @@ -73,7 +71,3 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs index 78b629fd2f..1be22dfbce 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs @@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - using System.Security.Cryptography.X509Certificates; namespace Microsoft.AspNetCore.DataProtection.XmlEncryption @@ -20,7 +18,3 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption X509Certificate2 ResolveCertificate(string thumbprint); } } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs index 33761a29ed..ef9fe71648 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs @@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - using System; using System.Xml; using System.Security.Cryptography.Xml; @@ -17,7 +15,3 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption EncryptedData PerformEncryption(EncryptedXml encryptedXml, XmlElement elementToEncrypt); } } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs index 74987d8f60..79fc0481ed 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs @@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - using System; using System.Security.Cryptography.Xml; @@ -16,7 +14,3 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption void PerformPreDecryptionSetup(EncryptedXml encryptedXml); } } -#elif NETSTANDARD1_3 -#else -#error target frameworks need to be updated. -#endif diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index 59dcfc96e5..74189cfad1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs @@ -133,7 +133,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var memoryStream = new MemoryStream(DEFAULT_BUFFER_SIZE); element.Save(memoryStream); -#if NET46 var underlyingBuffer = memoryStream.GetBuffer(); fixed (byte* __unused__ = underlyingBuffer) // try to limit this moving around in memory while we allocate { @@ -146,23 +145,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length); } } -#elif NETSTANDARD1_3 - ArraySegment underlyingBuffer; - CryptoUtil.Assert(memoryStream.TryGetBuffer(out underlyingBuffer), "Underlying buffer isn't exposable."); - fixed (byte* __unused__ = underlyingBuffer.Array) // try to limit this moving around in memory while we allocate - { - try - { - return new Secret(underlyingBuffer); - } - finally - { - Array.Clear(underlyingBuffer.Array, underlyingBuffer.Offset, underlyingBuffer.Count); - } - } -#else -#error target frameworks need to be updated. -#endif } /// diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.net45.json b/src/Microsoft.AspNetCore.DataProtection/baseline.net45.json deleted file mode 100644 index 17dd37fc63..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/baseline.net45.json +++ /dev/null 
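Review bot: The zeroing in the `finally` (`Array.Clear(underlyingBuffer, 0, underlyingBuffer.Length)`) only reaches the array that `GetBuffer()` returns after the write has finished. If `element.Save(memoryStream)` produces more than `DEFAULT_BUFFER_SIZE` bytes, `MemoryStream` grows by allocating a larger array, and the smaller arrays it leaves behind keep a copy of the serialized secret until they are collected. The `fixed` pin also begins only after the write. A comment would make that limit explicit, e.g. `// Best effort: only the final buffer is pinned and cleared; DEFAULT_BUFFER_SIZE should be large enough that Save() does not reallocate.` The method starts outside the hunk.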
@@ -1,3749 +0,0 @@ -{ - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", - "Types": [ - { - "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServiceCollectionExtensions", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "AddDataProtection", - "Parameters": [ - { - "Name": "services", - "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "AddDataProtection", - "Parameters": [ - { - "Name": "services", - "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" - }, - { - "Name": "setupAction", - "Type": "System.Action" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServices", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetDefaultServices", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IEnumerable", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "SetApplicationName", - "Parameters": [ - { - 
"Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "applicationName", - "Type": "System.String" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "AddKeyEscrowSink", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "sink", - "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "AddKeyEscrowSink", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [ - { - "ParameterName": "TImplementation", - "ParameterPosition": 0, - "Class": true, - "BaseTypeOrInterfaces": [ - "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink" - ] - } - ] - }, - { - "Kind": "Method", - "Name": "AddKeyEscrowSink", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "factory", - "Type": "System.Func" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "AddKeyManagementOptions", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "setupAction", - "Type": "System.Action" - } - ], - "ReturnType": 
"Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "DisableAutomaticKeyGeneration", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "PersistKeysToFileSystem", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "directory", - "Type": "System.IO.DirectoryInfo" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "PersistKeysToRegistry", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "registryKey", - "Type": "Microsoft.Win32.RegistryKey" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ProtectKeysWithCertificate", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "certificate", - "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ProtectKeysWithCertificate", - "Parameters": [ - { - "Name": "builder", - "Type": 
"Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "thumbprint", - "Type": "System.String" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ProtectKeysWithDpapi", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ProtectKeysWithDpapi", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "protectToLocalMachine", - "Type": "System.Boolean" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ProtectKeysWithDpapiNG", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ProtectKeysWithDpapiNG", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "protectionDescriptorRule", - "Type": "System.String" - }, - { - "Name": "flags", - "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - 
"Kind": "Method", - "Name": "SetDefaultKeyLifetime", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "lifetime", - "Type": "System.TimeSpan" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "UseCryptographicAlgorithms", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "UseCustomCryptographicAlgorithms", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "UseCustomCryptographicAlgorithms", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "UseCustomCryptographicAlgorithms", - 
"Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "UseEphemeralDataProtectionProvider", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionOptions", - "Visibility": "Public", - "Kind": "Class", - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_ApplicationDiscriminator", - "Parameters": [], - "ReturnType": "System.String", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_ApplicationDiscriminator", - "Parameters": [ - { - "Name": "value", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionUtilityExtensions", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetApplicationUniqueIdentifier", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "ReturnType": "System.String", - 
"Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateProtector", - "Parameters": [ - { - "Name": "purpose", - "Type": "System.String" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtector", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_Services", - "Parameters": [], - "ReturnType": "Microsoft.Extensions.DependencyInjection.IServiceCollection", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.IPersistedDataProtector", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.IDataProtector" - ], - "Members": [ - { - "Kind": "Method", - "Name": "DangerousUnprotect", - "Parameters": [ - { - "Name": "protectedData", - "Type": "System.Byte[]" - }, - { - "Name": "ignoreRevocationErrors", - "Type": "System.Boolean" - }, - { - 
"Name": "requiresMigration", - "Type": "System.Boolean", - "Direction": "Out" - }, - { - "Name": "wasRevoked", - "Type": "System.Boolean", - "Direction": "Out" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.ISecret", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [ - "System.IDisposable" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Length", - "Parameters": [], - "ReturnType": "System.Int32", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "WriteSecretIntoBuffer", - "Parameters": [ - { - "Name": "buffer", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Void", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Secret", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.ISecret" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Length", - "Parameters": [], - "ReturnType": "System.Int32", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Dispose", - "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "System.IDisposable", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Random", - "Parameters": [ - { - "Name": "numBytes", - "Type": "System.Int32" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.Secret", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "WriteSecretIntoBuffer", - "Parameters": [ - { - "Name": "buffer", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Void", - 
"Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "WriteSecretIntoBuffer", - "Parameters": [ - { - "Name": "buffer", - "Type": "System.Byte*" - }, - { - "Name": "bufferLength", - "Type": "System.Int32" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "value", - "Type": "System.ArraySegment" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "value", - "Type": "System.Byte[]" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "secret", - "Type": "System.Byte*" - }, - { - "Name": "secretLength", - "Type": "System.Int32" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "secret", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateResolver", - "Visibility": "Public", - "Kind": "Class", - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ResolveCertificate", - "Parameters": [ - { - "Name": "thumbprint", - "Type": "System.String" - } - ], - "ReturnType": "System.Security.Cryptography.X509Certificates.X509Certificate2", - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - 
"Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor", - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintextElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "thumbprint", - "Type": "System.String" - }, - { - "Name": "certificateResolver", - "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "thumbprint", - "Type": "System.String" - }, - { - "Name": "certificateResolver", - "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "certificate", - "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "certificate", - "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" - }, - { - "Name": 
"services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags", - "Visibility": "Public", - "Kind": "Enumeration", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Field", - "Name": "None", - "Parameters": [], - "GenericParameter": [], - "Literal": "0" - }, - { - "Kind": "Field", - "Name": "NamedDescriptor", - "Parameters": [], - "GenericParameter": [], - "Literal": "1" - }, - { - "Kind": "Field", - "Name": "MachineKey", - "Parameters": [], - "GenericParameter": [], - "Literal": "32" - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlDecryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "encryptedElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "System.Xml.Linq.XElement", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlEncryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" - ], - "Members": 
[ - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintextElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "protectionDescriptorRule", - "Type": "System.String" - }, - { - "Name": "flags", - "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "protectionDescriptorRule", - "Type": "System.String" - }, - { - "Name": "flags", - "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "encryptedElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "System.Xml.Linq.XElement", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - 
"Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlEncryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintextElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "protectToLocalMachine", - "Type": "System.Boolean" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "protectToLocalMachine", - "Type": "System.Boolean" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalEncryptedXmlDecryptor", - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "encryptedElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "System.Xml.Linq.XElement", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_DecryptorType", - "Parameters": [], - "ReturnType": "System.Type", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_EncryptedElement", - "Parameters": [], - "ReturnType": "System.Xml.Linq.XElement", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "encryptedElement", - "Type": "System.Xml.Linq.XElement" - }, - { - "Name": "decryptorType", - "Type": "System.Type" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "ResolveCertificate", - "Parameters": [ - { - "Name": "thumbprint", - "Type": "System.String" - } - ], - "ReturnType": "System.Security.Cryptography.X509Certificates.X509Certificate2", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - 
"Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "encryptedElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "System.Xml.Linq.XElement", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintextElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.NullXmlDecryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "encryptedElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "System.Xml.Linq.XElement", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.NullXmlEncryptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintextElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": 
"Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository", - "Visibility": "Public", - "Kind": "Class", - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_DefaultKeyStorageDirectory", - "Parameters": [], - "ReturnType": "System.IO.DirectoryInfo", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_Directory", - "Parameters": [], - "ReturnType": "System.IO.DirectoryInfo", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_Services", - "Parameters": [], - "ReturnType": "System.IServiceProvider", - "Visibility": "Protected", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetAllElements", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IReadOnlyCollection", - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "StoreElement", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - }, - { - "Name": "friendlyName", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Virtual": true, - "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "directory", - "Type": "System.IO.DirectoryInfo" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "directory", - "Type": "System.IO.DirectoryInfo" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetAllElements", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IReadOnlyCollection", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "StoreElement", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - }, - { - "Name": "friendlyName", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository", - "Visibility": "Public", - "Kind": "Class", - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_DefaultRegistryKey", - "Parameters": [], - "ReturnType": "Microsoft.Win32.RegistryKey", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_RegistryKey", - "Parameters": [], - "ReturnType": "Microsoft.Win32.RegistryKey", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_Services", - "Parameters": [], - "ReturnType": 
"System.IServiceProvider", - "Visibility": "Protected", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetAllElements", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IReadOnlyCollection", - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "StoreElement", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - }, - { - "Name": "friendlyName", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "registryKey", - "Type": "Microsoft.Win32.RegistryKey" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "registryKey", - "Type": "Microsoft.Win32.RegistryKey" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_ActivationDate", - "Parameters": [], - "ReturnType": "System.DateTimeOffset", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_CreationDate", - "Parameters": [], - "ReturnType": "System.DateTimeOffset", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_ExpirationDate", - "Parameters": [], - "ReturnType": "System.DateTimeOffset", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_IsRevoked", - "Parameters": [], - 
"ReturnType": "System.Boolean", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_KeyId", - "Parameters": [], - "ReturnType": "System.Guid", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyEscrowSink", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "Store", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "System.Void", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateNewKey", - "Parameters": [ - { - "Name": "activationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "expirationDate", - "Type": "System.DateTimeOffset" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetAllKeys", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IReadOnlyCollection", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetCacheExpirationToken", - "Parameters": [], - "ReturnType": "System.Threading.CancellationToken", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "RevokeKey", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "reason", - "Type": "System.String", - "DefaultValue": "null" - } - ], - "ReturnType": "System.Void", - 
"GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "RevokeAllKeys", - "Parameters": [ - { - "Name": "revocationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "reason", - "Type": "System.String", - "DefaultValue": "null" - } - ], - "ReturnType": "System.Void", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.KeyManagementOptions", - "Visibility": "Public", - "Kind": "Class", - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_AutoGenerateKeys", - "Parameters": [], - "ReturnType": "System.Boolean", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_AutoGenerateKeys", - "Parameters": [ - { - "Name": "value", - "Type": "System.Boolean" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_NewKeyLifetime", - "Parameters": [], - "ReturnType": "System.TimeSpan", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_NewKeyLifetime", - "Parameters": [ - { - "Name": "value", - "Type": "System.TimeSpan" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", - "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateNewKey", - "Parameters": [ - { - "Name": "activationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "expirationDate", - "Type": 
"System.DateTimeOffset" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetAllKeys", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IReadOnlyCollection", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetCacheExpirationToken", - "Parameters": [], - "ReturnType": "System.Threading.CancellationToken", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "RevokeAllKeys", - "Parameters": [ - { - "Name": "revocationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "reason", - "Type": "System.String", - "DefaultValue": "null" - } - ], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "RevokeKey", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "reason", - "Type": "System.String", - "DefaultValue": "null" - } - ], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "repository", - "Type": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" - }, - { - "Name": "configuration", - 
"Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", - "Visibility": "Public", - "Kind": "Struct", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Field", - "Name": "DefaultKey", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Field", - "Name": "FallbackKey", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Field", - "Name": "ShouldGenerateNewKey", - "Parameters": [], - "ReturnType": "System.Boolean", - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetCacheableKeyRing", - "Parameters": [ - { - "Name": "now", - "Type": "System.DateTimeOffset" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyResolver", - "Visibility": "Public", - "Kind": "Interface", - 
"Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "ResolveDefaultKeyPolicy", - "Parameters": [ - { - "Name": "now", - "Type": "System.DateTimeOffset" - }, - { - "Name": "allKeys", - "Type": "System.Collections.Generic.IEnumerable" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyServices", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetKeyEncryptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetKeyRepository", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateNewKey", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "creationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "activationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "expirationDate", - "Type": "System.DateTimeOffset" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "DeserializeDescriptorFromKeyElement", - "Parameters": [ - { - "Name": "keyElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "RevokeSingleKey", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "revocationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "reason", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_DefaultAuthenticatedEncryptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_DefaultKeyId", - "Parameters": [], - "ReturnType": "System.Guid", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetAuthenticatedEncryptorByKeyId", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "isRevoked", - "Type": "System.Boolean", - "Direction": "Out" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRingProvider", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetCurrentKeyRing", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Internal.DataProtectionBuilder", - "Visibility": "Public", - 
"Kind": "Class", - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Services", - "Parameters": [], - "ReturnType": "Microsoft.Extensions.DependencyInjection.IServiceCollection", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Internal.IActivator", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateInstance", - "Parameters": [ - { - "Name": "expectedBaseType", - "Type": "System.Type" - }, - { - "Name": "implementationTypeName", - "Type": "System.String" - } - ], - "ReturnType": "System.Object", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", - "System.IDisposable" - ], - "Members": [ - { - "Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "ciphertext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Byte[]", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Visibility": "Public", - "GenericParameter": [] - 
}, - { - "Kind": "Method", - "Name": "DecryptImpl", - "Parameters": [ - { - "Name": "pbCiphertext", - "Type": "System.Byte*" - }, - { - "Name": "cbCiphertext", - "Type": "System.UInt32" - }, - { - "Name": "pbAdditionalAuthenticatedData", - "Type": "System.Byte*" - }, - { - "Name": "cbAdditionalAuthenticatedData", - "Type": "System.UInt32" - } - ], - "ReturnType": "System.Byte[]", - "Virtual": true, - "Abstract": true, - "Visibility": "Protected", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Dispose", - "Parameters": [], - "ReturnType": "System.Void", - "Virtual": true, - "Abstract": true, - "ImplementedInterface": "System.IDisposable", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Byte[]", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - }, - { - "Name": "preBufferSize", - "Type": "System.UInt32" - }, - { - "Name": "postBufferSize", - "Type": "System.UInt32" - } - ], - "ReturnType": "System.Byte[]", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "EncryptImpl", - "Parameters": [ - { - "Name": "pbPlaintext", - "Type": "System.Byte*" - }, - { - "Name": "cbPlaintext", - "Type": "System.UInt32" - }, - { - "Name": "pbAdditionalAuthenticatedData", - 
"Type": "System.Byte*" - }, - { - "Name": "cbAdditionalAuthenticatedData", - "Type": "System.UInt32" - }, - { - "Name": "cbPreBuffer", - "Type": "System.UInt32" - }, - { - "Name": "cbPostBuffer", - "Type": "System.UInt32" - } - ], - "ReturnType": "System.Byte[]", - "Virtual": true, - "Abstract": true, - "Visibility": "Protected", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Protected", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithm", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithm", - "Parameters": [ - { - "Name": "value", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_ValidationAlgorithm", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_ValidationAlgorithm", - "Parameters": [ - { - "Name": "value", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Validate", - "Parameters": [], - "ReturnType": "System.Void", 
- "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithm", - "Parameters": [], - "ReturnType": "System.String", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithm", - "Parameters": [ - { - "Name": "value", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithmProvider", - "Parameters": [], - "ReturnType": "System.String", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithmProvider", - "Parameters": [ - { - "Name": "value", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithmKeySize", - "Parameters": [], - "ReturnType": "System.Int32", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithmKeySize", - "Parameters": [ - { - "Name": "value", - "Type": "System.Int32" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_HashAlgorithm", - "Parameters": [], 
- "ReturnType": "System.String", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_HashAlgorithm", - "Parameters": [ - { - "Name": "value", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_HashAlgorithmProvider", - "Parameters": [], - "ReturnType": "System.String", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_HashAlgorithmProvider", - "Parameters": [ - { - "Name": "value", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Validate", - "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithm", - "Parameters": [], - "ReturnType": "System.String", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithm", - "Parameters": [ - { - "Name": "value", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithmProvider", - "Parameters": [], 
- "ReturnType": "System.String", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithmProvider", - "Parameters": [ - { - "Name": "value", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithmKeySize", - "Parameters": [], - "ReturnType": "System.Int32", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithmKeySize", - "Parameters": [ - { - "Name": "value", - "Type": "System.Int32" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Validate", - "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", - "Visibility": "Public", - "Kind": "Enumeration", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Field", - "Name": "AES_128_CBC", - "Parameters": [], - "GenericParameter": [], - "Literal": "0" - }, - { - "Kind": "Field", - "Name": "AES_192_CBC", - "Parameters": [], - "GenericParameter": [], - "Literal": "1" - }, - { - "Kind": "Field", - "Name": "AES_256_CBC", - "Parameters": [], - "GenericParameter": [], - "Literal": "2" - }, - { - "Kind": "Field", - "Name": "AES_128_GCM", - "Parameters": [], - "GenericParameter": [], - "Literal": "3" - }, - { - "Kind": "Field", - "Name": "AES_192_GCM", - "Parameters": [], - "GenericParameter": [], - "Literal": "4" - }, - 
{ - "Kind": "Field", - "Name": "AES_256_GCM", - "Parameters": [], - "GenericParameter": [], - "Literal": "5" - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "ciphertext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithmType", - "Parameters": [], - "ReturnType": "System.Type", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithmType", - "Parameters": [ - { - "Name": "value", - "Type": "System.Type" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_EncryptionAlgorithmKeySize", - "Parameters": [], - "ReturnType": "System.Int32", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_EncryptionAlgorithmKeySize", - "Parameters": [ - { - "Name": "value", - "Type": "System.Int32" - } - 
], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_ValidationAlgorithmType", - "Parameters": [], - "ReturnType": "System.Type", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "set_ValidationAlgorithmType", - "Parameters": [ - { - "Name": "value", - "Type": "System.Type" - } - ], - "ReturnType": "System.Void", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Validate", - "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", - "Visibility": "Public", - "Kind": "Enumeration", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Field", - "Name": "HMACSHA256", - "Parameters": [], - "GenericParameter": [], - "Literal": "0" - }, - { - "Kind": "Field", - "Name": "HMACSHA512", - "Parameters": [], - "GenericParameter": [], - "Literal": "1" - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", - 
"Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - 
"Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": 
"System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - 
"Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", - "Visibility": 
"Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - 
"ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - 
"Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - "Name": "services", - "Type": 
"System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlExtensions", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "MarkAsRequiresEncryption", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "System.Void", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_DeserializerType", - "Parameters": [], - "ReturnType": "System.Type", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_SerializedDescriptorElement", - "Parameters": [], - "ReturnType": "System.Xml.Linq.XElement", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "serializedDescriptorElement", - "Type": "System.Xml.Linq.XElement" - }, - { - "Name": "deserializerType", - "Type": "System.Type" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - } - ] -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json index 122e26797f..17dd37fc63 100644 --- a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json 
@@ -230,6 +230,44 @@ "Visibility": "Public", "GenericParameter": [] }, + { + "Kind": "Method", + "Name": "ProtectKeysWithCertificate", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "ProtectKeysWithCertificate", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "thumbprint", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, { "Kind": "Method", "Name": "ProtectKeysWithDpapi", 
@@ -745,6 +783,132 @@ ], "GenericParameters": [] }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateResolver", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ResolveCertificate", + "Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + } + ], + "ReturnType": "System.Security.Cryptography.X509Certificates.X509Certificate2", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor", + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintextElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + }, + { + "Name": "certificateResolver", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + 
"Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + }, + { + "Name": "certificateResolver", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + } + ], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "certificate", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + }, + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, { "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags", "Visibility": "Public", 
@@ -990,6 +1154,54 @@ ], "GenericParameters": [] }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalEncryptedXmlDecryptor", + "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "Decrypt", + "Parameters": [ + { + "Name": "encryptedElement", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "System.Xml.Linq.XElement", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, { "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlInfo", "Visibility": "Public", @@ -1032,6 +1244,28 @@ ], "GenericParameters": [] }, + { + "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ResolveCertificate", + "Parameters": [ + { + "Name": "thumbprint", + "Type": "System.String" + } + ], + "ReturnType": "System.Security.Cryptography.X509Certificates.X509Certificate2", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, { "Name": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlDecryptor", "Visibility": "Public", 
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 846a77a978..6b455b9067 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + netcoreapp2.0;net461 netcoreapp2.0 true @@ -14,6 +14,9 @@ + + + diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index 79b3bbc0de..a2b9f2d39c 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + netcoreapp2.0;net461 netcoreapp2.0 true @@ -15,6 +15,9 @@ + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 998bd51703..4a5375118b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + netcoreapp2.0;net461 netcoreapp2.0 @@ -14,6 +14,9 @@ + + + 
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 5b8c5b01a1..290cca3a57 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + netcoreapp2.0;net461 netcoreapp2.0 true $(PackageTargetFallback);dnxcore50;portable-net451+win8 @@ -12,6 +12,9 @@ + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index d23d088d87..dee13c5ca1 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -4,7 +4,9 @@ using System; using System.IO; using System.Reflection; +using System.Runtime.InteropServices; using System.Security.Cryptography.X509Certificates; +using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; using Xunit; @@ -13,8 +15,7 @@ namespace Microsoft.AspNetCore.DataProtection { public class DataProtectionProviderTests { - [ConditionalFact] - [ConditionalRunTestOnlyIfLocalAppDataAvailable] + [Fact] public void System_UsesProvidedDirectory() { WithUniqueTempDirectory(directory => 
@@ -37,13 +38,13 @@ namespace Microsoft.AspNetCore.DataProtection }); } - [ConditionalFact] - [ConditionalRunTestOnlyIfLocalAppDataAvailable] - [ConditionalRunTestOnlyOnWindows] + [Fact] public void System_NoKeysDirectoryProvided_UsesDefaultKeysDirectory() { - var keysPath = Path.Combine(Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"), "ASP.NET", "DataProtection-Keys"); - var tempPath = Path.Combine(Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%"), "ASP.NET", "DataProtection-KeysTemp"); + Assert.NotNull(FileSystemXmlRepository.DefaultKeyStorageDirectory); + + var keysPath = FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName; + var tempPath = FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName + "Temp"; try { 
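Review bot: `keysPath` now points at the real per-user default key directory on every platform, and `tempPath` is that same path with `Temp` appended, so with the Windows-only condition removed this test works on the live key ring of whichever account runs it. The body of the `try` block lies outside this hunk, so it is presumably where the existing directory is moved aside and later restored; if a run is interrupted in between, the account's keys would be left under the `...Temp` name. A comment above the two assignments would make that visible, e.g. `// Uses the real default key directory; existing keys are moved to tempPath and restored in finally.`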
@@ -57,13 +58,21 @@ namespace Microsoft.AspNetCore.DataProtection var protector = DataProtectionProvider.Create("TestApplication").CreateProtector("purpose"); Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); - // Step 3: Validate that there's now a single key in the directory and that it's protected using Windows DPAPI. + // Step 3: Validate that there's now a single key in the directory var newFileName = Assert.Single(Directory.GetFiles(keysPath)); var file = new FileInfo(newFileName); Assert.StartsWith("key-", file.Name, StringComparison.OrdinalIgnoreCase); var fileText = File.ReadAllText(file.FullName); - Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); - Assert.Contains("This key is encrypted with Windows DPAPI.", fileText, StringComparison.Ordinal); + // On Windows, validate that it's protected using Windows DPAPI. + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) + { + Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + Assert.Contains("This key is encrypted with Windows DPAPI.", fileText, StringComparison.Ordinal); + } + else + { + Assert.Contains("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + } } finally { @@ -79,7 +88,6 @@ namespace Microsoft.AspNetCore.DataProtection } [ConditionalFact] - [ConditionalRunTestOnlyIfLocalAppDataAvailable] [ConditionalRunTestOnlyOnWindows] public void System_UsesProvidedDirectory_WithConfigurationCallback() { 
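Review bot: The new `else` branch pins the plaintext-key warning as the expected result off Windows without saying why. A comment such as `// Off Windows this default configuration has no key encryptor, so the key file is written unencrypted at rest.` would keep a later reader from taking it for a test artefact rather than a property of the default setup. The branch could also mirror the Windows one with the negative check, `Assert.DoesNotContain("This key is encrypted with Windows DPAPI.", fileText, StringComparison.Ordinal);`. The `finally` block that follows is only partly inside the hunk.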
@@ -106,16 +114,13 @@ namespace Microsoft.AspNetCore.DataProtection }); } -#if NET46 // [[ISSUE60]] Remove this #ifdef when Core CLR gets support for EncryptedXml - [ConditionalFact] - [ConditionalRunTestOnlyIfLocalAppDataAvailable] - [ConditionalRunTestOnlyOnWindows] + [Fact] public void System_UsesProvidedDirectoryAndCertificate() { var filePath = Path.Combine(GetTestFilesPath(), "TestCert.pfx"); var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadWrite); - store.Add(new X509Certificate2(filePath, "password")); + store.Add(new X509Certificate2(filePath, "password", X509KeyStorageFlags.Exportable)); store.Close(); WithUniqueTempDirectory(directory => @@ -149,10 +154,6 @@ namespace Microsoft.AspNetCore.DataProtection } }); } -#elif NETCOREAPP2_0 -#else -#error Target framework needs to be updated -#endif /// /// Runs a test and cleans up the temp directory afterward. @@ -175,13 +176,6 @@ namespace Microsoft.AspNetCore.DataProtection } } - private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition - { - public bool IsMet => Environment.ExpandEnvironmentVariables("%LOCALAPPDATA%") != null; - - public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; - } - private static string GetTestFilesPath() { var projectName = typeof(DataProtectionProviderTests).GetTypeInfo().Assembly.GetName().Name; diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 23599649bf..3fe0d683b7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + netcoreapp2.0;net461 netcoreapp2.0 
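Review bot: The added `X509KeyStorageFlags.Exportable` leaves the test certificate's private key exportable in the `CurrentUser\My` store, and with `[Fact]` replacing the Windows-only conditions this now happens on every platform the tests run on. The hunk does not say why the flag is needed, so a one-line comment above `store.Add` stating the reason would help; whether the certificate is removed from the store again is decided further down in the test body, outside this hunk. The certificate object is also never disposed and `store.Close()` is skipped if `Add` throws; `try { store.Add(cert); } finally { store.Close(); }` with the certificate held in a `using` would cover both.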
@@ -14,6 +14,9 @@ + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 3f854ec2bb..8760c8feb0 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + netcoreapp2.0;net461 netcoreapp2.0 @@ -14,6 +14,9 @@ + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index ec61427bb2..15fd53ee6a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs @@ -1,7 +1,7 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 +#if NET461 using System; using System.Runtime.ConstrainedExecution; using System.Runtime.InteropServices; @@ -89,4 +89,4 @@ namespace Microsoft.AspNetCore.DataProtection #elif NETCOREAPP2_0 #else #error Target framework needs to be updated -#endif \ No newline at end of file +#endif diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs index a67d410f4f..faedbf44e9 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs 
@@ -11,8 +11,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng.Internal { public unsafe class CngAuthenticatedEncryptorBaseTests { - [ConditionalFact] - [ConditionalRunTestOnlyOnWindows] + [Fact] public void Decrypt_ForwardsArraySegment() { // Arrange @@ -37,8 +36,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng.Internal Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); } - [ConditionalFact] - [ConditionalRunTestOnlyOnWindows] + [Fact] public void Decrypt_HandlesEmptyAADPointerFixup() { // Arrange @@ -63,8 +61,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng.Internal Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal); } - [ConditionalFact] - [ConditionalRunTestOnlyOnWindows] + [Fact] public void Decrypt_HandlesEmptyCiphertextPointerFixup() { // Arrange diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs index 4e5f67fc65..d279f73cf6 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs @@ -79,8 +79,7 @@ namespace Microsoft.AspNetCore.DataProtection.Managed }); } - [ConditionalFact] - [ConditionalRunTestOnlyOnWindows] + [Fact] public void Encrypt_KnownKey() { // Arrange diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index a895a4cc31..065d45985a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -3,7 +3,7 @@ - netcoreapp2.0;net46 + netcoreapp2.0;net461 netcoreapp2.0 true @@ -14,6 +14,9 @@ + + + @@ -22,8 +25,4 @@ - - - - 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index a6a1f7896b..95ba4d1945 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -4,8 +4,8 @@ using System; using System.IO; using System.Linq; +using System.Runtime.InteropServices; using System.Xml.Linq; -using Microsoft.AspNetCore.Testing.xunit; using Microsoft.Extensions.Logging.Abstractions; using Xunit; @@ -13,16 +13,19 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories { public class FileSystemXmlRepositoryTests { - [ConditionalFact] - [ConditionalRunTestOnlyIfLocalAppDataAvailable] + [Fact] public void DefaultKeyStorageDirectory_Property() { + var baseDir = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) + ? Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ASP.NET") + : Path.Combine(Environment.GetEnvironmentVariable("HOME"), ".aspnet"); + var expectedDir = new DirectoryInfo(Path.Combine(baseDir, "DataProtection-Keys")).FullName; + // Act var defaultDirInfo = FileSystemXmlRepository.DefaultKeyStorageDirectory; // Assert - Assert.Equal(defaultDirInfo.FullName, - new DirectoryInfo(Path.Combine(GetLocalApplicationData(), "ASP.NET", "DataProtection-Keys")).FullName); + Assert.Equal(expectedDir, defaultDirInfo.FullName); } [Fact] 
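Review bot: In the non-Windows arm of `baseDir`, `Environment.GetEnvironmentVariable("HOME")` returns null when the variable is unset, and `Path.Combine` then throws `ArgumentNullException` before the `// Act` step is reached. The removed `ConditionalRunTestOnlyIfLocalAppDataAvailable` attribute used to skip the test in the equivalent situation, so a stripped-down service or container account now gets an unexplained failure instead. Reading the variable first and checking it, `var home = Environment.GetEnvironmentVariable("HOME");` followed by `Assert.False(string.IsNullOrEmpty(home), "HOME must be set for this test");`, gives a clear message; keeping a skip condition would be the alternative.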
@@ -156,23 +159,5 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories } } } - - private static string GetLocalApplicationData() - { -#if NETCOREAPP2_0 - return Environment.GetEnvironmentVariable("LOCALAPPDATA"); -#elif NET46 - return Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); -#else -#error Target framework needs to be updated -#endif - } - - private class ConditionalRunTestOnlyIfLocalAppDataAvailable : Attribute, ITestCondition - { - public bool IsMet => GetLocalApplicationData() != null; - - public string SkipReason { get; } = "%LOCALAPPDATA% couldn't be located."; - } } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs index 1d8e02d80a..d985c130f3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs @@ -103,11 +103,12 @@ namespace Microsoft.AspNetCore.DataProtection [MemberData(nameof(AssemblyVersions))] public void CreateInstance_ForwardsAcrossVersionChanges(Version version) { -#if NET46 +#if NET461 // run this test in an appdomain without testhost's custom assembly resolution hooks var setupInfo = new AppDomainSetup { - ApplicationBase = AppDomain.CurrentDomain.BaseDirectory + ApplicationBase = AppDomain.CurrentDomain.BaseDirectory, + ConfigurationFile = AppDomain.CurrentDomain.SetupInformation.ConfigurationFile, }; var domain = AppDomain.CreateDomain("TestDomain", null, setupInfo); var wrappedTestClass = (TypeForwardingActivatorTests)domain.CreateInstanceAndUnwrap(GetType().Assembly.FullName, typeof(TypeForwardingActivatorTests).FullName); 
@@ -132,13 +133,7 @@ namespace Microsoft.AspNetCore.DataProtection Assert.NotEqual(typeInfo.AssemblyQualifiedName, newName); Assert.IsType(activator.CreateInstance(typeof(object), newName, out var forwarded)); -#if NET46 Assert.True(forwarded, "Should have forwarded this type to new version or namespace"); -#elif NETCOREAPP2_0 - Assert.False(forwarded, "Should not have forwarded this type to new version or namespace"); -#else -#error Target framework should be updated -#endif } public static TheoryData AssemblyVersions @@ -174,4 +169,4 @@ namespace Microsoft.AspNetCore.DataProtection { } } -} \ No newline at end of file +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs index a70e908b9d..9c5cd6b9c7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs @@ -1,7 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -#if NET46 using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; @@ -61,8 +60,3 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption } } } -#elif NETCOREAPP2_0 -#else -#error Target framework needs to be updated -#endif - diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 828761b430..6806048d55 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs 
@@ -34,7 +34,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption XmlAssert.Equal(originalXml, roundTrippedElement); } -#if NET46 +#if NET461 [ConditionalFact] [ConditionalRunTestOnlyOnWindows] public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails() From 9ef496fe5b9757f337c7c9d2a2fca74a0f6df63c Mon Sep 17 00:00:00 2001 From: Kiran Challa Date: Fri, 26 May 2017 12:39:04 -0700 Subject: [PATCH 342/493] Updated to use the latest shared runtime --- build/dependencies.props | 1 + 1 file changed, 1 insertion(+) diff --git a/build/dependencies.props b/build/dependencies.props index 78d56b807a..0d1ef256ee 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -6,6 +6,7 @@ 4.7.1 2.0.0-* 1.2.3 + 2.0.0-* 15.3.0-* 2.3.0-beta2-* 8.1.1 From 5c556079c2497c9e2dba56d722648a4c147422f7 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 31 May 2017 19:36:17 -0700 Subject: [PATCH 343/493] Branching for rel/2.0.0-preview2 --- NuGet.config | 7 ++++--- build/dependencies.props | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/NuGet.config b/NuGet.config index 8e65695611..c4bc056c4d 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,8 +1,9 @@ - + - + + - + \ No newline at end of file diff --git a/build/dependencies.props b/build/dependencies.props index 0d1ef256ee..87d62782ef 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,6 +1,6 @@ - 2.0.0-* + 2.0.0-preview2-* 4.4.0-* 2.1.0-* 4.7.1 From fa33a5586739b9a3fd523c019fee9bb4901a29d5 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 31 May 2017 19:53:14 -0700 Subject: [PATCH 344/493] Updating build scripts to point to 2.0.0-preview2 KoreBuild --- build.ps1 | 2 +- build.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.ps1 b/build.ps1 index 5bf0e2c113..3a2476b2b4 100644 --- a/build.ps1 +++ b/build.ps1 
@@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0-preview2.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index b0bcadb579..a40bdb87b1 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0-preview2.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi From 91e48874ff643ac7145923629ee916ce710f4778 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 1 Jun 2017 10:46:42 -0700 Subject: [PATCH 345/493] Updating versions to preview3 --- NuGet.config | 3 ++- version.props | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/NuGet.config b/NuGet.config index 8e65695611..4e8a1f6de1 100644 --- a/NuGet.config +++ b/NuGet.config @@ -1,6 +1,7 @@ - + + diff --git a/version.props b/version.props index 6af4f81de2..193a5999d8 100644 --- a/version.props +++ b/version.props @@ -2,6 +2,6 @@ 2.0.0 - preview2 + preview3 From 22ebf68f74cf22ed1f2dba71256328f4b4a00f24 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Wed, 31 May 2017 11:05:55 -0700 Subject: [PATCH 346/493] Enable Api check and added breakingchanges json --- ...Microsoft.AspNetCore.DataProtection.csproj | 1 - .../breakingchanges.netcore.json | 247 ++++++++++++++++++ 2 files changed, 247 insertions(+), 1 deletion(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index a46c797a51..4ecef314c9 100644 
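Review bot: The new `$koreBuildZip` value in build.ps1, and the matching `koreBuildZip=` line in the build.sh hunk, point at a branch archive (`rel/2.0.0-preview2.zip`), so the bytes behind the URL change whenever that branch moves, and the visible lines compare no digest. If the rest of the script unpacks and runs the archive (the download and extraction steps are outside both hunks), each build executes whatever the branch holds at that moment. Pinning to an immutable ref, e.g. `$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/<COMMIT_SHA_PLACEHOLDER>.zip"`, or checking a recorded SHA-256 after download, would make the build reproducible and tamper-evident. The `KOREBUILD_ZIP` override shown as context deserves a comment saying it replaces the source with any URL taken from the environment.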
--- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -9,7 +9,6 @@ true true aspnetcore;dataprotection - false diff --git a/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json b/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json new file mode 100644 index 0000000000..81b60f185d --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json 
@@ -0,0 +1,247 @@ +[ + { + "TypeId": "public interface Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class 
Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Kind": "Removal" + }, + { + "TypeId": "public static class Microsoft.Extensions.DependencyInjection.DataProtectionServices", + "Kind": "Removal" + }, + { + "TypeId": "public interface Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", + "Kind": "Removal" + }, + { + "TypeId": "public interface Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", + "Kind": "Removal" + }, + { + "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "MemberId": "protected System.IServiceProvider get_Services()", + "Kind": "Removal" + }, + { + "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "MemberId": "public .ctor(System.IO.DirectoryInfo directory)", + "Kind": "Removal" + }, + { + "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "MemberId": "public .ctor(System.IO.DirectoryInfo directory, System.IServiceProvider 
services)", + "Kind": "Removal" + }, + { + "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "MemberId": "protected System.IServiceProvider get_Services()", + "Kind": "Removal" + }, + { + "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "MemberId": "public .ctor(Microsoft.Win32.RegistryKey registryKey)", + "Kind": "Removal" + }, + { + "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "MemberId": "public .ctor(Microsoft.Win32.RegistryKey registryKey, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider : Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "MemberId": "public .ctor()", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider : Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", + "MemberId": "public .ctor(System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor : 
Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor : 
Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + 
"MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager : Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager, Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager", + "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository repository, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration configuration, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.Boolean protectToLocalMachine)", + "Kind": "Removal" + }, + { + 
"TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.Boolean protectToLocalMachine, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "MemberId": "public .ctor(System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "MemberId": "public .ctor(System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "MemberId": "public .ctor(System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "MemberId": "public .ctor(System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : 
Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.String thumbprint, Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver certificateResolver)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.String thumbprint, Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver certificateResolver, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.String protectionDescriptorRule, Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags flags)", + "Kind": "Removal" + }, + { + "TypeId": "public 
sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "MemberId": "public .ctor(System.String protectionDescriptorRule, Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags flags, System.IServiceProvider services)", + "Kind": "Removal" + }, + { + "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", + "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings settings)", + "Kind": "Removal" + }, + { + "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", + "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCustomCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings settings)", + "Kind": "Removal" + }, + { + "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", + "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCustomCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings settings)", + "Kind": "Removal" + }, + { + "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", + "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCustomCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, 
Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings settings)", + "Kind": "Removal" + }, + { + "TypeId": "public interface Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor get_Descriptor()", + "Kind": "Addition" + }, + { + "TypeId": "public interface Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", + "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptor()", + "Kind": "Addition" + } + ] \ No newline at end of file From 285b973a5c6520caf78a83738748a928df6cf2de Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 1 Jun 2017 16:34:41 -0700 Subject: [PATCH 347/493] Use IHostingEnvironment to determine application identifier Reverses changes made in #230 --- ...taProtectionServiceCollectionExtensions.cs | 2 + .../HostingApplicationDiscriminator.cs | 25 +++++++ ...Microsoft.AspNetCore.DataProtection.csproj | 1 + .../DataProtectionUtilityExtensionsTests.cs | 65 ++++++++++++++++--- 4 files changed, 85 insertions(+), 8 deletions(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 95fef0d55c..04e68303d0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs 
@@ -4,6 +4,7 @@ using System; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.Infrastructure; using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; @@ -75,6 +76,7 @@ namespace Microsoft.Extensions.DependencyInjection ServiceDescriptor.Transient, DataProtectionOptionsSetup>()); services.TryAddSingleton(); + services.TryAddSingleton(); // Internal services services.TryAddSingleton(); diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs new file mode 100644 index 0000000000..400d372418 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs @@ -0,0 +1,25 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.DataProtection.Infrastructure; +using Microsoft.AspNetCore.Hosting; + +namespace Microsoft.AspNetCore.DataProtection.Internal +{ + internal class HostingApplicationDiscriminator : IApplicationDiscriminator + { + private readonly IHostingEnvironment _hosting; + + // the optional constructor for when IHostingEnvironment is not available from DI + public HostingApplicationDiscriminator() + { + } + + public HostingApplicationDiscriminator(IHostingEnvironment hosting) + { + _hosting = hosting; + } + + public string Discriminator => _hosting?.ContentRootPath; + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index 4ecef314c9..6495b57699 100644 
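Review bot: `Discriminator => _hosting?.ContentRootPath` in the new HostingApplicationDiscriminator ties the application identifier to a deployment path, and nothing in the file states what that implies. Two apps deployed to the same path (for instance containers that all use one fixed directory) get the same discriminator, and relocating an app changes it. If the identifier is what isolates applications sharing a key store (its consumer is not shown here), the first case weakens isolation and the second makes previously protected payloads unreadable. A class comment should say so, e.g. `// Falls back to ContentRootPath; apps that share a key store or may be relocated should set an explicit name via SetApplicationName.` The parameterless constructor leaves `_hosting` null, which the `?.` already handles.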
--- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -21,6 +21,7 @@ + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs index f1b2f508da..5af33b1b25 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs @@ -3,6 +3,8 @@ using System; using Microsoft.AspNetCore.DataProtection.Infrastructure; +using Microsoft.AspNetCore.Hosting; +using Microsoft.Extensions.DependencyInjection; using Moq; using Xunit; 
@@ -11,28 +13,75 @@ namespace Microsoft.AspNetCore.DataProtection public class DataProtectionUtilityExtensionsTests { [Theory] - [InlineData(" discriminator", "discriminator")] // normalized trim - [InlineData("", null)] // app discriminator not null -> overrides app base path + [InlineData("app-path", "app-path")] + [InlineData("app-path ", "app-path")] // normalized trim + [InlineData(" ", null)] // normalized whitespace -> null [InlineData(null, null)] // nothing provided at all - public void GetApplicationUniqueIdentifier(string appDiscriminator, string expected) + public void GetApplicationUniqueIdentifierFromHosting(string contentRootPath, string expected) { // Arrange - var mockAppDiscriminator = new Mock(); - mockAppDiscriminator.Setup(o => o.Discriminator).Returns(appDiscriminator); - var mockServiceProvider = new Mock(); - mockServiceProvider.Setup(o => o.GetService(typeof(IApplicationDiscriminator))).Returns(mockAppDiscriminator.Object); + var mockEnvironment = new Mock(); + mockEnvironment.Setup(o => o.ContentRootPath).Returns(contentRootPath); + + var services = new ServiceCollection() + .AddSingleton(mockEnvironment.Object) + .AddDataProtection() + .Services + .BuildServiceProvider(); // Act - string actual = mockServiceProvider.Object.GetApplicationUniqueIdentifier(); + var actual = services.GetApplicationUniqueIdentifier(); // Assert Assert.Equal(expected, actual); } + [Theory] + [InlineData(" discriminator ", "discriminator")] + [InlineData(" discriminator", "discriminator")] // normalized trim + [InlineData(" ", null)] // normalized whitespace -> null + [InlineData(null, null)] // nothing provided at all + public void GetApplicationIdentifierFromApplicationDiscriminator(string discriminator, string expected) + { + // Arrange + var mockAppDiscriminator = new Mock(); + mockAppDiscriminator.Setup(o => o.Discriminator).Returns(discriminator); + + var mockEnvironment = new Mock(); + mockEnvironment.SetupGet(o => o.ContentRootPath).Throws(new 
InvalidOperationException("Hosting environment should not be checked")); + + var services = new ServiceCollection() + .AddSingleton(mockEnvironment.Object) + .AddSingleton(mockAppDiscriminator.Object) + .AddDataProtection() + .Services + .BuildServiceProvider(); + + // Act + var actual = services.GetApplicationUniqueIdentifier(); + + // Assert + Assert.Equal(expected, actual); + mockAppDiscriminator.VerifyAll(); + } + [Fact] public void GetApplicationUniqueIdentifier_NoServiceProvider_ReturnsNull() { Assert.Null(((IServiceProvider)null).GetApplicationUniqueIdentifier()); } + + [Fact] + public void GetApplicationUniqueIdentifier_NoHostingEnvironment_ReturnsNull() + { + // arrange + var services = new ServiceCollection() + .AddDataProtection() + .Services + .BuildServiceProvider(); + + // act & assert + Assert.Null(services.GetApplicationUniqueIdentifier()); + } } } From fe83e69b1a731323d0a9c8364ef72daaf462e15b Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 1 Jun 2017 17:51:23 -0700 Subject: [PATCH 348/493] Add a startup filter which initializes the key ring before the server starts --- ...taProtectionServiceCollectionExtensions.cs | 2 + .../Internal/DataProtectionStartupFilter.cs | 43 ++++++++ .../LoggingExtensions.cs | 24 +++- .../HostingTests.cs | 104 ++++++++++++++++++ ...soft.AspNetCore.DataProtection.Test.csproj | 1 + 5 files changed, 173 insertions(+), 1 deletion(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 04e68303d0..0df59732cf 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs 
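Review bot: The rewritten theory data drops the empty-string case: the removed `[InlineData("", null)]` has no counterpart in `GetApplicationUniqueIdentifierFromHosting` or `GetApplicationIdentifierFromApplicationDiscriminator`, which now cover only a whitespace string and `null`. An empty `ContentRootPath` or discriminator is a plausible misconfiguration, and the identifier normalisation should be pinned for it as well. Adding `[InlineData("", null)]` to both theories restores that coverage.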
@@ -9,6 +9,7 @@ using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.DataProtection.XmlEncryption; +using Microsoft.AspNetCore.Hosting; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; @@ -77,6 +78,7 @@ namespace Microsoft.Extensions.DependencyInjection services.TryAddSingleton(); services.TryAddSingleton(); + services.TryAddEnumerable(ServiceDescriptor.Singleton()); // Internal services services.TryAddSingleton(); diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs new file mode 100644 index 0000000000..f2abbae5be --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs 
@@ -0,0 +1,43 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using Microsoft.AspNetCore.Builder; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.Hosting; +using Microsoft.Extensions.Logging; + +namespace Microsoft.AspNetCore.DataProtection.Internal +{ + internal class DataProtectionStartupFilter : IStartupFilter + { + private readonly IKeyRingProvider _keyRingProvider; + private readonly ILogger _logger; + + public DataProtectionStartupFilter(IKeyRingProvider keyRingProvider, ILoggerFactory loggerFactory) + { + _keyRingProvider = keyRingProvider; + _logger = loggerFactory.CreateLogger(); + } + + public Action Configure(Action next) + { + try + { + // It doesn't look like much, but this preloads the key ring, + // which in turn may load data from remote stores like Redis or Azure. + var keyRing = _keyRingProvider.GetCurrentKeyRing(); + + _logger.KeyRingWasLoadedOnStartup(keyRing.DefaultKeyId); + } + catch (Exception ex) + { + // This should be non-fatal, so swallow, log, and allow server startup to continue. + // The KeyRingProvider may be able to try again on the first request. + _logger.KeyRingFailedToLoadOnStartup(ex); + } + + return next; + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs index b7667b503c..a2cc325f46 100644 --- a/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs 
@@ -129,6 +129,10 @@ namespace Microsoft.Extensions.Logging private static Action _policyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing; + private static Action _keyRingWasLoadedOnStartup; + + private static Action _keyRingFailedToLoadOnStartup; + private static Action _usingEphemeralKeyRepository; private static Action _usingRegistryAsKeyRepositoryWithDPAPI; @@ -388,6 +392,14 @@ namespace Microsoft.Extensions.Logging _usingAzureAsKeyRepository = LoggerMessage.Define(eventId: 0, logLevel: LogLevel.Information, formatString: "Azure Web Sites environment detected. Using '{FullName}' as key repository; keys will not be encrypted at rest."); + _keyRingWasLoadedOnStartup = LoggerMessage.Define( + eventId: 0, + logLevel: LogLevel.Debug, + formatString: "Key ring with default key {KeyId:B} was loaded during application startup."); + _keyRingFailedToLoadOnStartup = LoggerMessage.Define( + eventId: 0, + logLevel: LogLevel.Information, + formatString: "Key ring failed to load during application startup."); } /// @@ -760,5 +772,15 @@ namespace Microsoft.Extensions.Logging { _usingAzureAsKeyRepository(logger, fullName, null); } + + public static void KeyRingWasLoadedOnStartup(this ILogger logger, Guid defaultKeyId) + { + _keyRingWasLoadedOnStartup(logger, defaultKeyId, null); + } + + public static void KeyRingFailedToLoadOnStartup(this ILogger logger, Exception innerException) + { + _keyRingFailedToLoadOnStartup(logger, innerException); + } } -} \ No newline at end of file +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs new file mode 100644 index 0000000000..cd43effe37 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs 
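Review bot: `_keyRingFailedToLoadOnStartup` is defined in the static-constructor hunk at `LogLevel.Information` with `eventId: 0`, the same id `_usingAzureAsKeyRepository` uses just above it, so the event is easy to filter out by level and cannot be selected by id. Because the startup filter added in this commit swallows the exception, this entry is the only trace that the key ring could not be loaded at startup. I would define it with `logLevel: LogLevel.Warning` and give both new messages their own unused event ids. The static constructor starts and ends outside the hunk.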
@@ -0,0 +1,104 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Threading; +using System.Threading.Tasks; +using Microsoft.AspNetCore.Builder; +using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; +using Microsoft.AspNetCore.Hosting; +using Microsoft.AspNetCore.Hosting.Server; +using Microsoft.AspNetCore.Http.Features; +using Microsoft.AspNetCore.Testing; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.DependencyInjection.Extensions; +using Moq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.Test +{ + public class HostingTests + { + [Fact] + public async Task LoadsKeyRingBeforeServerStarts() + { + var tcs = new TaskCompletionSource(); + var mockKeyRing = new Mock(); + mockKeyRing.Setup(m => m.GetCurrentKeyRing()) + .Returns(Mock.Of()) + .Callback(() => tcs.TrySetResult(null)); + + var builder = new WebHostBuilder() + .UseStartup() + .ConfigureServices(s => + s.AddDataProtection() + .Services + .Replace(ServiceDescriptor.Singleton(mockKeyRing.Object)) + .AddSingleton( + new FakeServer(onStart: () => tcs.TrySetException(new InvalidOperationException("Server was started before key ring was initialized"))))); + + using (var host = builder.Build()) + { + await host.StartAsync(); + } + + await tcs.Task.TimeoutAfter(TimeSpan.FromSeconds(10)); + mockKeyRing.VerifyAll(); + } + + [Fact] + public async Task StartupContinuesOnFailureToLoadKey() + { + var mockKeyRing = new Mock(); + mockKeyRing.Setup(m => m.GetCurrentKeyRing()) + .Throws(new NotSupportedException("This mock doesn't actually work, but shouldn't kill the server")) + .Verifiable(); + + var builder = new WebHostBuilder() + .UseStartup() + .ConfigureServices(s => + s.AddDataProtection() + .Services + .Replace(ServiceDescriptor.Singleton(mockKeyRing.Object)) + .AddSingleton(Mock.Of())); + + using (var host = 
builder.Build()) + { + await host.StartAsync(); + } + + mockKeyRing.VerifyAll(); + } + + private class TestStartup + { + public void Configure(IApplicationBuilder app) + { + } + } + + public class FakeServer : IServer + { + private readonly Action _onStart; + + public FakeServer(Action onStart) + { + _onStart = onStart; + } + + public IFeatureCollection Features => new FeatureCollection(); + + public Task StartAsync(IHttpApplication application, CancellationToken cancellationToken) + { + _onStart(); + return Task.CompletedTask; + } + + public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask; + + public void Dispose() + { + } + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 065d45985a..6dd58b3e0b 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -17,6 +17,7 @@ + From ac3cbb5f8d1e73784c0d28129ea45ecc789e4f28 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Fri, 2 Jun 2017 15:16:16 -0700 Subject: [PATCH 349/493] Generated api check baselines for AzureStorage --- .../baseline.netcore.json | 156 ++++++++++++++++++ ...oft.AspNetCore.DataProtection.Redis.csproj | 1 + 2 files changed, 157 insertions(+) create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json new file mode 100644 index 0000000000..77f138be32 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json 
@@ -0,0 +1,156 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.AzureStorage, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.AzureDataProtectionBuilderExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "PersistKeysToAzureBlobStorage", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "storageAccount", + "Type": "Microsoft.WindowsAzure.Storage.CloudStorageAccount" + }, + { + "Name": "relativePath", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToAzureBlobStorage", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "blobUri", + "Type": "System.Uri" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToAzureBlobStorage", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "blobReference", + "Type": "Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToAzureBlobStorage", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, 
+ { + "Name": "container", + "Type": "Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer" + }, + { + "Name": "blobName", + "Type": "System.String" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AzureStorage.AzureBlobXmlRepository", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + ], + "Members": [ + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "blobRefFactory", + "Type": "System.Func" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index e5f3a6f620..2b0006adaf 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -9,6 +9,7 @@ true true aspnetcore;dataprotection;redis + false From e7fa69d63c7fe1f8c77a92062ca65b09babbaceb Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 8 Jun 2017 16:40:09 -0700 Subject: [PATCH 350/493] Minor cleanup: remove unnecessary conditional compilation line --- .../ManagedAuthenticatedEncryptorFactory.cs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs index a0d7bc2226..03bd596346 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs @@ -1,4 +1,4 @@ -// Copyright (c) .NET Foundation. All rights reserved. +// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; @@ -88,13 +88,12 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption if (configuration.EncryptionAlgorithmType == typeof(Aes)) { Func factory = null; -#if !NETSTANDARD1_3 if (OSVersionUtil.IsWindows()) { // If we're on desktop CLR and running on Windows, use the FIPS-compliant implementation. factory = () => new AesCryptoServiceProvider(); } -#endif + return factory ?? Aes.Create; } else From ddd041b0f11858fc8d31b9fcf110427145d7a94d Mon Sep 17 00:00:00 2001 
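Review bot: The comment inside the `if (OSVersionUtil.IsWindows())` branch still reads "If we're on desktop CLR and running on Windows", but with the `#if !NETSTANDARD1_3` guard removed the branch is chosen by the OS check alone. Since this comment is what explains which AES implementation backs the encryptor, it should describe the condition that is actually tested, for example `// On Windows, use the FIPS-compliant AesCryptoServiceProvider; elsewhere fall back to Aes.Create.`. The enclosing method begins and ends outside the hunk.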
From: Nate McMaster Date: Tue, 13 Jun 2017 00:34:35 -0700 Subject: [PATCH 351/493] Remove DefaultKeyServices --- .../KeyManagement/DefaultKeyServices.cs | 59 ------------------- .../Internal/IDefaultKeyServices.cs | 27 --------- 2 files changed, 86 deletions(-) delete mode 100644 src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs delete mode 100644 src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs deleted file mode 100644 index 1fe5f0a5d3..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyServices.cs +++ /dev/null 
@@ -1,59 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNetCore.Cryptography; -using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; -using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.AspNetCore.DataProtection.XmlEncryption; -using Microsoft.Extensions.DependencyInjection; - -namespace Microsoft.AspNetCore.DataProtection.KeyManagement -{ - internal sealed class DefaultKeyServices : IDefaultKeyServices - { - private readonly Lazy _keyEncryptorLazy; - private readonly Lazy _keyRepositoryLazy; - - public DefaultKeyServices(IServiceProvider services, ServiceDescriptor keyEncryptorDescriptor, ServiceDescriptor keyRepositoryDescriptor) - { - if (keyEncryptorDescriptor != null) - { - // optional - CryptoUtil.Assert(keyEncryptorDescriptor.ServiceType == typeof(IXmlEncryptor), "Bad service type."); - _keyEncryptorLazy = GetLazyForService(services, keyEncryptorDescriptor); - } - - CryptoUtil.Assert(keyRepositoryDescriptor.ServiceType == typeof(IXmlRepository), "Bad service type."); - _keyRepositoryLazy = GetLazyForService(services, keyRepositoryDescriptor); - } - - /// - /// Gets the default service (could return null). - /// - /// - public IXmlEncryptor GetKeyEncryptor() - { - return (IXmlEncryptor)_keyEncryptorLazy?.Value; - } - - /// - /// Gets the default service (must not be null). - /// - /// - public IXmlRepository GetKeyRepository() - { - return (IXmlRepository)_keyRepositoryLazy.Value ?? 
CryptoUtil.Fail("GetKeyRepository returned null."); - } - - private static Lazy GetLazyForService(IServiceProvider services, ServiceDescriptor descriptor) - { - CryptoUtil.Assert(descriptor != null && descriptor.Lifetime == ServiceLifetime.Singleton, "Descriptor must represent singleton."); - CryptoUtil.Assert(descriptor.ImplementationFactory != null, "Descriptor must have an implementation factory."); - - // pull the factory out so we don't close over the whole descriptor instance - Func wrapped = descriptor.ImplementationFactory; - return new Lazy(() => wrapped(services)); - } - } -} diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs deleted file mode 100644 index 0552187f58..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyServices.cs +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.AspNetCore.DataProtection.XmlEncryption; - -namespace Microsoft.AspNetCore.DataProtection.KeyManagement.Internal -{ - /// - /// Provides default implementations of the services required by an . - /// - public interface IDefaultKeyServices - { - /// - /// Gets the default service (could return null). - /// - /// - IXmlEncryptor GetKeyEncryptor(); - - /// - /// Gets the default service (must not be null). - /// - /// - IXmlRepository GetKeyRepository(); - } -} From abf05e285699793a3b50f245325119a6067f22cc Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Mon, 5 Jun 2017 16:31:59 -0700 Subject: [PATCH 352/493] Docker: add warning when FileSystemXmlRepository saves a key to non-volume mounted folder --- samples/NonDISample/NonDISample.csproj | 4 +- .../Properties/launchSettings.json | 22 --- .../Properties/Resources.Designer.cs | 24 +-- .../Properties/Resources.Designer.cs | 24 +-- .../Properties/Resources.Designer.cs | 18 +- .../Properties/Resources.Designer.cs | 12 +- .../Internal/DockerUtils.cs | 99 +++++++++++ .../LoggingExtensions.cs | 28 ++- .../Properties/Resources.Designer.cs | 160 +++++++----------- .../Repositories/FileSystemXmlRepository.cs | 17 ++ .../Resources.resx | 3 + .../DockerUtilsTests.cs | 56 ++++++ .../FileSystemXmlRepositoryTests.cs | 19 +++ 13 files changed, 307 insertions(+), 179 deletions(-) delete mode 100644 samples/NonDISample/Properties/launchSettings.json create mode 100644 src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index b15e9017a6..118eed8588 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -1,13 +1,13 @@ - + net461;netcoreapp2.0 + exe - diff --git a/samples/NonDISample/Properties/launchSettings.json b/samples/NonDISample/Properties/launchSettings.json deleted file mode 100644 index 7d36272608..0000000000 --- a/samples/NonDISample/Properties/launchSettings.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "iisSettings": { - "windowsAuthentication": false, - "anonymousAuthentication": true, - "iisExpress": { - "applicationUrl": "http://localhost:1394/", - "sslPort": 0 - } - }, - "profiles": { - "IIS Express": { - "commandName": "IISExpress", - "launchBrowser": true, - "environmentVariables": { - "ASPNETCORE_ENVIRONMENT": "Development" - } - }, - "NonDISample": { - "commandName": "Project" - } - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs index 8d910ded82..df010bc683 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs 
@@ -15,64 +15,56 @@ namespace Microsoft.AspNetCore.Cryptography.Internal /// internal static string BCryptAlgorithmHandle_ProviderNotFound { - get { return GetString("BCryptAlgorithmHandle_ProviderNotFound"); } + get => GetString("BCryptAlgorithmHandle_ProviderNotFound"); } /// /// A provider could not be found for algorithm '{0}'. /// internal static string FormatBCryptAlgorithmHandle_ProviderNotFound(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("BCryptAlgorithmHandle_ProviderNotFound"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("BCryptAlgorithmHandle_ProviderNotFound"), p0); /// /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). /// internal static string BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength { - get { return GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"); } + get => GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"); } /// /// The key length {0} is invalid. Valid key lengths are {1} to {2} bits (step size {3}). /// internal static string FormatBCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength(object p0, object p1, object p2, object p3) - { - return string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); - } + => string.Format(CultureInfo.CurrentCulture, GetString("BCRYPT_KEY_LENGTHS_STRUCT_InvalidKeyLength"), p0, p1, p2, p3); /// /// This operation requires Windows 7 / Windows Server 2008 R2 or later. /// internal static string Platform_Windows7Required { - get { return GetString("Platform_Windows7Required"); } + get => GetString("Platform_Windows7Required"); } /// /// This operation requires Windows 7 / Windows Server 2008 R2 or later. /// internal static string FormatPlatform_Windows7Required() - { - return GetString("Platform_Windows7Required"); - } + => GetString("Platform_Windows7Required"); /// /// This operation requires Windows 8 / Windows Server 2012 or later. 
/// internal static string Platform_Windows8Required { - get { return GetString("Platform_Windows8Required"); } + get => GetString("Platform_Windows8Required"); } /// /// This operation requires Windows 8 / Windows Server 2012 or later. /// internal static string FormatPlatform_Windows8Required() - { - return GetString("Platform_Windows8Required"); - } + => GetString("Platform_Windows8Required"); private static string GetString(string name, params string[] formatterNames) { diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs index b8bfe383ee..7f8422cf6b 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs 
@@ -15,64 +15,56 @@ namespace Microsoft.AspNetCore.DataProtection.Abstractions /// internal static string CryptCommon_PayloadInvalid { - get { return GetString("CryptCommon_PayloadInvalid"); } + get => GetString("CryptCommon_PayloadInvalid"); } /// /// The payload was invalid. /// internal static string FormatCryptCommon_PayloadInvalid() - { - return GetString("CryptCommon_PayloadInvalid"); - } + => GetString("CryptCommon_PayloadInvalid"); /// /// The purposes collection cannot be null or empty and cannot contain null elements. /// internal static string DataProtectionExtensions_NullPurposesCollection { - get { return GetString("DataProtectionExtensions_NullPurposesCollection"); } + get => GetString("DataProtectionExtensions_NullPurposesCollection"); } /// /// The purposes collection cannot be null or empty and cannot contain null elements. /// internal static string FormatDataProtectionExtensions_NullPurposesCollection() - { - return GetString("DataProtectionExtensions_NullPurposesCollection"); - } + => GetString("DataProtectionExtensions_NullPurposesCollection"); /// /// An error occurred during a cryptographic operation. /// internal static string CryptCommon_GenericError { - get { return GetString("CryptCommon_GenericError"); } + get => GetString("CryptCommon_GenericError"); } /// /// An error occurred during a cryptographic operation. /// internal static string FormatCryptCommon_GenericError() - { - return GetString("CryptCommon_GenericError"); - } + => GetString("CryptCommon_GenericError"); /// /// No service for type '{0}' has been registered. /// internal static string DataProtectionExtensions_NoService { - get { return GetString("DataProtectionExtensions_NoService"); } + get => GetString("DataProtectionExtensions_NoService"); } /// /// No service for type '{0}' has been registered. 
/// internal static string FormatDataProtectionExtensions_NoService(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("DataProtectionExtensions_NoService"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("DataProtectionExtensions_NoService"), p0); private static string GetString(string name, params string[] formatterNames) { diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs index 12a8e114f3..8fba5cd9f2 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs 
@@ -15,48 +15,42 @@ namespace Microsoft.AspNetCore.DataProtection.Extensions /// internal static string CryptCommon_GenericError { - get { return GetString("CryptCommon_GenericError"); } + get => GetString("CryptCommon_GenericError"); } /// /// An error occurred during a cryptographic operation. /// internal static string FormatCryptCommon_GenericError() - { - return GetString("CryptCommon_GenericError"); - } + => GetString("CryptCommon_GenericError"); /// /// The payload expired at {0}. /// internal static string TimeLimitedDataProtector_PayloadExpired { - get { return GetString("TimeLimitedDataProtector_PayloadExpired"); } + get => GetString("TimeLimitedDataProtector_PayloadExpired"); } /// /// The payload expired at {0}. /// internal static string FormatTimeLimitedDataProtector_PayloadExpired(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("TimeLimitedDataProtector_PayloadExpired"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("TimeLimitedDataProtector_PayloadExpired"), p0); /// /// The payload is invalid. /// internal static string TimeLimitedDataProtector_PayloadInvalid { - get { return GetString("TimeLimitedDataProtector_PayloadInvalid"); } + get => GetString("TimeLimitedDataProtector_PayloadInvalid"); } /// /// The payload is invalid. /// internal static string FormatTimeLimitedDataProtector_PayloadInvalid() - { - return GetString("TimeLimitedDataProtector_PayloadInvalid"); - } + => GetString("TimeLimitedDataProtector_PayloadInvalid"); private static string GetString(string name, params string[] formatterNames) { diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs index 802e2366d7..ddc7e53910 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs 
@@ -15,32 +15,28 @@ namespace Microsoft.AspNetCore.DataProtection.SystemWeb /// internal static string DataProtector_ProtectFailed { - get { return GetString("DataProtector_ProtectFailed"); } + get => GetString("DataProtector_ProtectFailed"); } /// /// A call to Protect failed. This most likely means that the data protection system is misconfigured. See the inner exception for more information. /// internal static string FormatDataProtector_ProtectFailed() - { - return GetString("DataProtector_ProtectFailed"); - } + => GetString("DataProtector_ProtectFailed"); /// /// The CreateDataProtectionProvider method returned null. /// internal static string Startup_CreateProviderReturnedNull { - get { return GetString("Startup_CreateProviderReturnedNull"); } + get => GetString("Startup_CreateProviderReturnedNull"); } /// /// The CreateDataProtectionProvider method returned null. /// internal static string FormatStartup_CreateProviderReturnedNull() - { - return GetString("Startup_CreateProviderReturnedNull"); - } + => GetString("Startup_CreateProviderReturnedNull"); private static string GetString(string name, params string[] formatterNames) { diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs new file mode 100644 index 0000000000..7a1ede17e0 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs 
@@ -0,0 +1,99 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; +using System.Runtime.InteropServices; + +namespace Microsoft.AspNetCore.DataProtection.Internal +{ + internal static class DockerUtils + { + private static Lazy _isDocker = new Lazy(IsProcessRunningInDocker); + + public static bool IsDocker => _isDocker.Value; + + public static bool IsVolumeMountedFolder(DirectoryInfo directory) + { + if (!IsDocker) + { + return false; + } + + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) + { + // we currently don't have a good way to detect mounted file systems within Windows ctonainers + return false; + } + + const string mountsFile = "/proc/self/mounts"; + if (!File.Exists(mountsFile)) + { + return false; + } + + var lines = File.ReadAllLines(mountsFile); + return IsDirectoryMounted(directory, lines); + } + + // internal for testing. 
Don't use directly + internal static bool IsDirectoryMounted(DirectoryInfo directory, IEnumerable fstab) + { + // Expected file format: http://man7.org/linux/man-pages/man5/fstab.5.html + foreach (var line in fstab) + { + if (line == null || line.Length == 0 || line[0] == '#') + { + // skip empty and commented-out lines + continue; + } + + var fields = line.Split(new[] { '\t', ' ' }); + + if (fields.Length < 2 // line had too few fields + || fields[1].Length <= 1 // fs_file empty or is the root directory '/' + || fields[1][0] != '/') // fs_file was not a file path + { + continue; + } + + // check if directory is a subdirectory of this location + var fs_file = new DirectoryInfo(fields[1].TrimEnd(Path.DirectorySeparatorChar)).FullName; + var dir = directory; + while (dir != null) + { + // filesystems on Linux are case sensitive + if (fs_file.Equals(dir.FullName.TrimEnd(Path.DirectorySeparatorChar), StringComparison.Ordinal)) + { + return true; + } + + dir = dir.Parent; + } + } + + return false; + } + + private static bool IsProcessRunningInDocker() + { + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) + { + // we currently don't have a good way to detect if running in a Windows container + return false; + } + + const string procFile = "/proc/1/cgroup"; + if (!File.Exists(procFile)) + { + return false; + } + + var lines = File.ReadAllLines(procFile); + // typically the last line in the file is "1:name=openrc:/docker" + return lines.Reverse().Any(l => l.EndsWith("name=openrc:/docker", StringComparison.Ordinal)); + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs index a2cc325f46..7792d48dbe 100644 --- a/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs 
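Review bot: `IsProcessRunningInDocker` and `IsVolumeMountedFolder` call `File.ReadAllLines` on `/proc` files with no exception handling, so an `IOException` or `UnauthorizedAccessException` from the probe would propagate to whoever reads `IsDocker`. As `_isDocker` is a `Lazy` built from a factory, its default mode would also cache that exception and rethrow it on every later read. The commit subject describes this helper as feeding a warning only, so a failed probe should degrade to `false` rather than surface where keys are being saved (the caller is outside this hunk); the same guard belongs around the read of `/proc/self/mounts`. Separately, the `EndsWith("name=openrc:/docker")` match looks narrow and may miss hosts whose cgroup path is laid out differently, in which case the warning would silently not fire.

```csharp
private static bool IsProcessRunningInDocker()
{
    // … unchanged: Windows check, procFile constant and File.Exists guard …

    string[] lines;
    try
    {
        lines = File.ReadAllLines(procFile);
    }
    catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)
    {
        // Detection is advisory only; an unreadable cgroup file counts as "not in Docker".
        return false;
    }

    // … unchanged: scan of lines for the docker cgroup entry …
}
```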
@@ -4,6 +4,7 @@ using System; using System.Runtime.CompilerServices; using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection; using Microsoft.Win32; namespace Microsoft.Extensions.Logging @@ -143,6 +144,8 @@ namespace Microsoft.Extensions.Logging private static Action _usingAzureAsKeyRepository; + private static Action _usingEphemeralFileSystemLocationInContainer; + static LoggingExtensions() { _usingFallbackKeyWithExpirationAsDefaultKey = LoggerMessage.Define( 
@@ -377,19 +380,29 @@ namespace Microsoft.Extensions.Logging eventId: 58, logLevel: LogLevel.Information, formatString: "Creating key {KeyId:B} with creation date {CreationDate:u}, activation date {ActivationDate:u}, and expiration date {ExpirationDate:u}."); - _usingEphemeralKeyRepository = LoggerMessage.Define(eventId: 59, + _usingEphemeralKeyRepository = LoggerMessage.Define( + eventId: 59, logLevel: LogLevel.Warning, formatString: "Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits."); - _usingRegistryAsKeyRepositoryWithDPAPI = LoggerMessage.Define(eventId: 0, + _usingEphemeralFileSystemLocationInContainer = LoggerMessage.Define( + eventId: 60, + logLevel: LogLevel.Warning, + formatString: Resources.FileSystem_EphemeralKeysLocationInContainer); + + _usingRegistryAsKeyRepositoryWithDPAPI = LoggerMessage.Define( + eventId: 0, logLevel: LogLevel.Information, formatString: "User profile not available. Using '{Name}' as key repository and Windows DPAPI to encrypt keys at rest."); - _usingProfileAsKeyRepository = LoggerMessage.Define(eventId: 0, + _usingProfileAsKeyRepository = LoggerMessage.Define( + eventId: 0, logLevel: LogLevel.Information, formatString: "User profile is available. Using '{FullName}' as key repository; keys will not be encrypted at rest."); - _usingProfileAsKeyRepositoryWithDPAPI = LoggerMessage.Define(eventId: 0, + _usingProfileAsKeyRepositoryWithDPAPI = LoggerMessage.Define( + eventId: 0, logLevel: LogLevel.Information, formatString: "User profile is available. Using '{FullName}' as key repository and Windows DPAPI to encrypt keys at rest."); - _usingAzureAsKeyRepository = LoggerMessage.Define(eventId: 0, + _usingAzureAsKeyRepository = LoggerMessage.Define( + eventId: 0, logLevel: LogLevel.Information, formatString: "Azure Web Sites environment detected. 
Using '{FullName}' as key repository; keys will not be encrypted at rest."); _keyRingWasLoadedOnStartup = LoggerMessage.Define( @@ -782,5 +795,10 @@ namespace Microsoft.Extensions.Logging { _keyRingFailedToLoadOnStartup(logger, innerException); } + + public static void UsingEphemeralFileSystemLocationInContainer(this ILogger logger, string path) + { + _usingEphemeralFileSystemLocationInContainer(logger, path, null); + } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs index c2db503dab..c570287f84 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs 
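Review bot: The new `_usingEphemeralFileSystemLocationInContainer` definition takes its `formatString` from `Resources.FileSystem_EphemeralKeysLocationInContainer`, while the neighbouring definitions in this hunk all use inline literals. `LoggerMessage.Define` checks the named placeholders in the format string against its type arguments when it is called, so a later edit or translation of the .resx entry that drops or adds a placeholder would presumably surface as a type-initializer failure for the whole `LoggingExtensions` class rather than as one wrong log line. I would either inline the text like its neighbours or put a comment above the definition, e.g. `// Resource text must contain exactly one named placeholder ({path}); LoggerMessage.Define validates it during type initialization.` The static constructor begins and ends outside this hunk.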
@@ -15,401 +15,365 @@ namespace Microsoft.AspNetCore.DataProtection /// internal static string CryptCommon_GenericError { - get { return GetString("CryptCommon_GenericError"); } + get => GetString("CryptCommon_GenericError"); } /// /// An error occurred during a cryptographic operation. /// internal static string FormatCryptCommon_GenericError() - { - return GetString("CryptCommon_GenericError"); - } + => GetString("CryptCommon_GenericError"); /// /// The provided buffer is of length {0} byte(s). It must instead be exactly {1} byte(s) in length. /// internal static string Common_BufferIncorrectlySized { - get { return GetString("Common_BufferIncorrectlySized"); } + get => GetString("Common_BufferIncorrectlySized"); } /// /// The provided buffer is of length {0} byte(s). It must instead be exactly {1} byte(s) in length. /// internal static string FormatCommon_BufferIncorrectlySized(object p0, object p1) - { - return string.Format(CultureInfo.CurrentCulture, GetString("Common_BufferIncorrectlySized"), p0, p1); - } + => string.Format(CultureInfo.CurrentCulture, GetString("Common_BufferIncorrectlySized"), p0, p1); /// /// The payload was invalid. /// internal static string CryptCommon_PayloadInvalid { - get { return GetString("CryptCommon_PayloadInvalid"); } + get => GetString("CryptCommon_PayloadInvalid"); } /// /// The payload was invalid. /// internal static string FormatCryptCommon_PayloadInvalid() - { - return GetString("CryptCommon_PayloadInvalid"); - } + => GetString("CryptCommon_PayloadInvalid"); /// /// Property {0} cannot be null or empty. /// internal static string Common_PropertyCannotBeNullOrEmpty { - get { return GetString("Common_PropertyCannotBeNullOrEmpty"); } + get => GetString("Common_PropertyCannotBeNullOrEmpty"); } /// /// Property {0} cannot be null or empty. 
/// internal static string FormatCommon_PropertyCannotBeNullOrEmpty(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("Common_PropertyCannotBeNullOrEmpty"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("Common_PropertyCannotBeNullOrEmpty"), p0); /// /// The provided payload could not be decrypted. Refer to the inner exception for more information. /// internal static string Common_DecryptionFailed { - get { return GetString("Common_DecryptionFailed"); } + get => GetString("Common_DecryptionFailed"); } /// /// The provided payload could not be decrypted. Refer to the inner exception for more information. /// internal static string FormatCommon_DecryptionFailed() - { - return GetString("Common_DecryptionFailed"); - } + => GetString("Common_DecryptionFailed"); /// /// An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. /// internal static string Common_EncryptionFailed { - get { return GetString("Common_EncryptionFailed"); } + get => GetString("Common_EncryptionFailed"); } /// /// An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. /// internal static string FormatCommon_EncryptionFailed() - { - return GetString("Common_EncryptionFailed"); - } + => GetString("Common_EncryptionFailed"); /// /// The key {0:B} was not found in the key ring. /// internal static string Common_KeyNotFound { - get { return GetString("Common_KeyNotFound"); } + get => GetString("Common_KeyNotFound"); } /// /// The key {0:B} was not found in the key ring. /// internal static string FormatCommon_KeyNotFound() - { - return GetString("Common_KeyNotFound"); - } + => GetString("Common_KeyNotFound"); /// /// The key {0:B} has been revoked. /// internal static string Common_KeyRevoked { - get { return GetString("Common_KeyRevoked"); } + get => GetString("Common_KeyRevoked"); } /// /// The key {0:B} has been revoked. 
/// internal static string FormatCommon_KeyRevoked() - { - return GetString("Common_KeyRevoked"); - } + => GetString("Common_KeyRevoked"); /// /// The provided payload cannot be decrypted because it was not protected with this protection provider. /// internal static string ProtectionProvider_BadMagicHeader { - get { return GetString("ProtectionProvider_BadMagicHeader"); } + get => GetString("ProtectionProvider_BadMagicHeader"); } /// /// The provided payload cannot be decrypted because it was not protected with this protection provider. /// internal static string FormatProtectionProvider_BadMagicHeader() - { - return GetString("ProtectionProvider_BadMagicHeader"); - } + => GetString("ProtectionProvider_BadMagicHeader"); /// /// The provided payload cannot be decrypted because it was protected with a newer version of the protection provider. /// internal static string ProtectionProvider_BadVersion { - get { return GetString("ProtectionProvider_BadVersion"); } + get => GetString("ProtectionProvider_BadVersion"); } /// /// The provided payload cannot be decrypted because it was protected with a newer version of the protection provider. /// internal static string FormatProtectionProvider_BadVersion() - { - return GetString("ProtectionProvider_BadVersion"); - } + => GetString("ProtectionProvider_BadVersion"); /// /// Value must be non-negative. /// internal static string Common_ValueMustBeNonNegative { - get { return GetString("Common_ValueMustBeNonNegative"); } + get => GetString("Common_ValueMustBeNonNegative"); } /// /// Value must be non-negative. /// internal static string FormatCommon_ValueMustBeNonNegative() - { - return GetString("Common_ValueMustBeNonNegative"); - } + => GetString("Common_ValueMustBeNonNegative"); /// /// The type '{1}' is not assignable to '{0}'. 
/// internal static string TypeExtensions_BadCast { - get { return GetString("TypeExtensions_BadCast"); } + get => GetString("TypeExtensions_BadCast"); } /// /// The type '{1}' is not assignable to '{0}'. /// internal static string FormatTypeExtensions_BadCast(object p0, object p1) - { - return string.Format(CultureInfo.CurrentCulture, GetString("TypeExtensions_BadCast"), p0, p1); - } + => string.Format(CultureInfo.CurrentCulture, GetString("TypeExtensions_BadCast"), p0, p1); /// /// The new key lifetime must be at least one week. /// internal static string KeyManagementOptions_MinNewKeyLifetimeViolated { - get { return GetString("KeyManagementOptions_MinNewKeyLifetimeViolated"); } + get => GetString("KeyManagementOptions_MinNewKeyLifetimeViolated"); } /// /// The new key lifetime must be at least one week. /// internal static string FormatKeyManagementOptions_MinNewKeyLifetimeViolated() - { - return GetString("KeyManagementOptions_MinNewKeyLifetimeViolated"); - } + => GetString("KeyManagementOptions_MinNewKeyLifetimeViolated"); /// /// The key {0:B} already exists in the keyring. /// internal static string XmlKeyManager_DuplicateKey { - get { return GetString("XmlKeyManager_DuplicateKey"); } + get => GetString("XmlKeyManager_DuplicateKey"); } /// /// The key {0:B} already exists in the keyring. /// internal static string FormatXmlKeyManager_DuplicateKey() - { - return GetString("XmlKeyManager_DuplicateKey"); - } + => GetString("XmlKeyManager_DuplicateKey"); /// /// Argument cannot be null or empty. /// internal static string Common_ArgumentCannotBeNullOrEmpty { - get { return GetString("Common_ArgumentCannotBeNullOrEmpty"); } + get => GetString("Common_ArgumentCannotBeNullOrEmpty"); } /// /// Argument cannot be null or empty. /// internal static string FormatCommon_ArgumentCannotBeNullOrEmpty() - { - return GetString("Common_ArgumentCannotBeNullOrEmpty"); - } + => GetString("Common_ArgumentCannotBeNullOrEmpty"); /// /// Property {0} must have a non-negative value. 
/// internal static string Common_PropertyMustBeNonNegative { - get { return GetString("Common_PropertyMustBeNonNegative"); } + get => GetString("Common_PropertyMustBeNonNegative"); } /// /// Property {0} must have a non-negative value. /// internal static string FormatCommon_PropertyMustBeNonNegative(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("Common_PropertyMustBeNonNegative"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("Common_PropertyMustBeNonNegative"), p0); /// /// GCM algorithms require the Windows platform. /// internal static string Platform_WindowsRequiredForGcm { - get { return GetString("Platform_WindowsRequiredForGcm"); } + get => GetString("Platform_WindowsRequiredForGcm"); } /// /// GCM algorithms require the Windows platform. /// internal static string FormatPlatform_WindowsRequiredForGcm() - { - return GetString("Platform_WindowsRequiredForGcm"); - } + => GetString("Platform_WindowsRequiredForGcm"); /// /// A certificate with the thumbprint '{0}' could not be found. /// internal static string CertificateXmlEncryptor_CertificateNotFound { - get { return GetString("CertificateXmlEncryptor_CertificateNotFound"); } + get => GetString("CertificateXmlEncryptor_CertificateNotFound"); } /// /// A certificate with the thumbprint '{0}' could not be found. /// internal static string FormatCertificateXmlEncryptor_CertificateNotFound(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("CertificateXmlEncryptor_CertificateNotFound"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("CertificateXmlEncryptor_CertificateNotFound"), p0); /// /// Decrypting EncryptedXml-encapsulated payloads is not yet supported on Core CLR. 
/// internal static string EncryptedXmlDecryptor_DoesNotWorkOnCoreClr { - get { return GetString("EncryptedXmlDecryptor_DoesNotWorkOnCoreClr"); } + get => GetString("EncryptedXmlDecryptor_DoesNotWorkOnCoreClr"); } /// /// Decrypting EncryptedXml-encapsulated payloads is not yet supported on Core CLR. /// internal static string FormatEncryptedXmlDecryptor_DoesNotWorkOnCoreClr() - { - return GetString("EncryptedXmlDecryptor_DoesNotWorkOnCoreClr"); - } + => GetString("EncryptedXmlDecryptor_DoesNotWorkOnCoreClr"); /// /// The symmetric algorithm block size of {0} bits is invalid. The block size must be between 64 and 2048 bits, inclusive, and it must be a multiple of 8 bits. /// internal static string AlgorithmAssert_BadBlockSize { - get { return GetString("AlgorithmAssert_BadBlockSize"); } + get => GetString("AlgorithmAssert_BadBlockSize"); } /// /// The symmetric algorithm block size of {0} bits is invalid. The block size must be between 64 and 2048 bits, inclusive, and it must be a multiple of 8 bits. /// internal static string FormatAlgorithmAssert_BadBlockSize(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadBlockSize"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadBlockSize"), p0); /// /// The validation algorithm digest size of {0} bits is invalid. The digest size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. /// internal static string AlgorithmAssert_BadDigestSize { - get { return GetString("AlgorithmAssert_BadDigestSize"); } + get => GetString("AlgorithmAssert_BadDigestSize"); } /// /// The validation algorithm digest size of {0} bits is invalid. The digest size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. 
/// internal static string FormatAlgorithmAssert_BadDigestSize(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadDigestSize"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadDigestSize"), p0); /// /// The symmetric algorithm key size of {0} bits is invalid. The key size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. /// internal static string AlgorithmAssert_BadKeySize { - get { return GetString("AlgorithmAssert_BadKeySize"); } + get => GetString("AlgorithmAssert_BadKeySize"); } /// /// The symmetric algorithm key size of {0} bits is invalid. The key size must be between 128 and 2048 bits, inclusive, and it must be a multiple of 8 bits. /// internal static string FormatAlgorithmAssert_BadKeySize(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadKeySize"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("AlgorithmAssert_BadKeySize"), p0); /// /// The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled. /// internal static string KeyRingProvider_NoDefaultKey_AutoGenerateDisabled { - get { return GetString("KeyRingProvider_NoDefaultKey_AutoGenerateDisabled"); } + get => GetString("KeyRingProvider_NoDefaultKey_AutoGenerateDisabled"); } /// /// The key ring does not contain a valid default protection key. The data protection system cannot create a new key because auto-generation of keys is disabled. 
/// internal static string FormatKeyRingProvider_NoDefaultKey_AutoGenerateDisabled() - { - return GetString("KeyRingProvider_NoDefaultKey_AutoGenerateDisabled"); - } + => GetString("KeyRingProvider_NoDefaultKey_AutoGenerateDisabled"); /// /// {0} must not be negative /// internal static string LifetimeMustNotBeNegative { - get { return GetString("LifetimeMustNotBeNegative"); } + get => GetString("LifetimeMustNotBeNegative"); } /// /// {0} must not be negative /// internal static string FormatLifetimeMustNotBeNegative(object p0) - { - return string.Format(CultureInfo.CurrentCulture, GetString("LifetimeMustNotBeNegative"), p0); - } + => string.Format(CultureInfo.CurrentCulture, GetString("LifetimeMustNotBeNegative"), p0); /// /// The '{0}' instance could not be found. When an '{1}' instance is set, a corresponding '{0}' instance must also be set. /// internal static string XmlKeyManager_IXmlRepositoryNotFound { - get { return GetString("XmlKeyManager_IXmlRepositoryNotFound"); } + get => GetString("XmlKeyManager_IXmlRepositoryNotFound"); } /// /// The '{0}' instance could not be found. When an '{1}' instance is set, a corresponding '{0}' instance must also be set. /// internal static string FormatXmlKeyManager_IXmlRepositoryNotFound(object p0, object p1) + => string.Format(CultureInfo.CurrentCulture, GetString("XmlKeyManager_IXmlRepositoryNotFound"), p0, p1); + + /// + /// Storing keys in a directory '{path}' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. + /// + internal static string FileSystem_EphemeralKeysLocationInContainer { - return string.Format(CultureInfo.CurrentCulture, GetString("XmlKeyManager_IXmlRepositoryNotFound"), p0, p1); + get => GetString("FileSystem_EphemeralKeysLocationInContainer"); } + /// + /// Storing keys in a directory '{path}' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. 
+ /// + internal static string FormatFileSystem_EphemeralKeysLocationInContainer(object path) + => string.Format(CultureInfo.CurrentCulture, GetString("FileSystem_EphemeralKeysLocationInContainer", "path"), path); + private static string GetString(string name, params string[] formatterNames) { var value = _resourceManager.GetString(name); diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index ce2bb494ff..a980e7f82c 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -8,6 +8,7 @@ using System.IO; using System.Linq; using System.Runtime.InteropServices; using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.Repositories @@ -35,6 +36,22 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories Directory = directory; _logger = loggerFactory.CreateLogger(); + + try + { + if (DockerUtils.IsDocker && !DockerUtils.IsVolumeMountedFolder(Directory)) + { + // warn users that keys may be lost when running in docker without a volume mounted folder + _logger.UsingEphemeralFileSystemLocationInContainer(Directory.FullName); + } + } + catch (Exception ex) + { + // Treat exceptions as non-fatal when attempting to detect docker. + // These might occur if fstab is an unrecognized format, or if there are other unusual + // file IO errors. + _logger.LogTrace(ex, "Failure occurred while attempting to detect docker."); + } } /// diff --git a/src/Microsoft.AspNetCore.DataProtection/Resources.resx b/src/Microsoft.AspNetCore.DataProtection/Resources.resx index 292ec05625..9540aa54fa 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Resources.resx +++ b/src/Microsoft.AspNetCore.DataProtection/Resources.resx 
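Review bot: The warning added to the `FileSystemXmlRepository` constructor is best-effort, and the code does not say that its absence proves nothing about key persistence. From the `DockerUtils` lines visible earlier in this patch, detection returns false on Windows and otherwise looks for one specific cgroup line in `/proc/1/cgroup`, and any exception during the check is swallowed here at Trace level, so other container setups or an unreadable mount table would presumably produce no warning at all. A comment on the `try` block would keep operators from reading silence as a guarantee: `// Best-effort only: no warning does not mean the key directory survives a container restart.` The constructor begins outside this hunk, so whether the check is repeated for every repository instance cannot be judged from here.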
@@ -192,4 +192,7 @@ The '{0}' instance could not be found. When an '{1}' instance is set, a corresponding '{0}' instance must also be set. + + Storing keys in a directory '{path}' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. + \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs new file mode 100644 index 0000000000..9ede10426b --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs 
@@ -0,0 +1,56 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.IO;
+using Microsoft.AspNetCore.DataProtection.Internal;
+using Microsoft.AspNetCore.Testing.xunit;
+using Xunit;
+
+namespace Microsoft.AspNetCore.DataProtection.Test
+{
+ public class DockerUtilsTests
+ {
+ // example of content from /proc/self/mounts
+ private static readonly string[] fstab = new []
+ {
+ "none / aufs rw,relatime,si=f9bfcf896de3f6c2,dio,dirperm1 0 0",
+ "# comments",
+ "",
+ "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0",
+ "tmpfs /dev tmpfs rw,nosuid,mode=755 0 0",
+ "devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0",
+ "/dev/vda2 /etc/resolv.conf ext4 rw,relatime,data=ordered 0 0",
+ "/dev/vda2 /etc/hostname ext4 rw,relatime,data=ordered 0 0",
+ "/dev/vda2 /etc/hosts ext4 rw,relatime,data=ordered 0 0",
+ "shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0",
+ // the mounted directory
+ "osxfs /app fuse.osxfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other,max_read=1048576 0 0",
+ };
+
+ [ConditionalTheory]
+ [OSSkipCondition(OperatingSystems.Windows)]
+ [InlineData("/")]
+ [InlineData("/home")]
+ [InlineData("/home/")]
+ [InlineData("/home/root")]
+ [InlineData("./dir")]
+ [InlineData("../dir")]
+ public void DeterminesFolderIsNotMounted(string directory)
+ {
+ Assert.False(DockerUtils.IsDirectoryMounted(new DirectoryInfo(directory), fstab));
+ }
+
+ [ConditionalTheory]
+ [OSSkipCondition(OperatingSystems.Windows)]
+ [InlineData("/app")]
+ [InlineData("/app/")]
+ [InlineData("/app/subdir")]
+ [InlineData("/app/subdir/")]
+ [InlineData("/app/subdir/two")]
+ [InlineData("/app/subdir/two/")]
+ public void DeterminesFolderIsMounted(string directory)
+ {
+ Assert.True(DockerUtils.IsDirectoryMounted(new DirectoryInfo(directory), fstab));
+ }
+ }
+}
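Review bot: The `./dir` and `../dir` cases in `DeterminesFolderIsNotMounted` resolve against the current working directory, so the expected result depends on where the test host is started. Run from `/app` or a directory below it, which is the mount point in the sample `fstab`, `./dir` would be reported as mounted and the theory would fail. Anchoring those cases to a fixed location, or stating the assumption with `// relative paths assume the test host's working directory is not under /app`, would make that explicit. A sibling-prefix case such as `[InlineData("/application")]` is also worth adding to the not-mounted theory, because it pins that matching is done per path segment rather than by string prefix. Because the comment above `fstab` says the sample is taken from /proc/self/mounts, a name like `mounts` would match it better.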
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs index 95ba4d1945..4bc2e10171 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs @@ -6,6 +6,8 @@ using System.IO; using System.Linq; using System.Runtime.InteropServices; using System.Xml.Linq; +using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging.Abstractions; using Xunit; @@ -139,6 +141,23 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories }); } + [ConditionalFact] + [DockerOnly] + [Trait("Docker", "true")] + public void Logs_DockerEphemeralFolders() + { + // Arrange + var loggerFactory = new StringLoggerFactory(LogLevel.Warning); + WithUniqueTempDirectory(dirInfo => + { + // Act + var repo = new FileSystemXmlRepository(dirInfo, loggerFactory); + + // Assert + Assert.Contains(Resources.FormatFileSystem_EphemeralKeysLocationInContainer(dirInfo.FullName), loggerFactory.ToString()); + }); + } + /// /// Runs a test and cleans up the temp directory afterward. /// From 5d1a523682c04c4381dda8a164a154d7730e5b60 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Tue, 13 Jun 2017 00:00:47 -0700 Subject: [PATCH 353/493] Make ILoggerFactory an optional service on any DI-injected services --- samples/AzureBlob/AzureBlob.csproj | 3 +- samples/AzureBlob/Program.cs | 27 ++++---- .../AzureBlob/Properties/launchSettings.json | 22 ------ .../CustomEncryptorSample.csproj | 3 +- samples/CustomEncryptorSample/Program.cs | 30 ++++----- .../Properties/launchSettings.json | 22 ------ .../KeyManagementSample.csproj | 3 +- samples/KeyManagementSample/Program.cs | 64 +++++++++--------- .../Properties/launchSettings.json | 22 ------ samples/Redis/Program.cs | 25 ++++--- samples/Redis/Properties/launchSettings.json | 22 ------ samples/Redis/Redis.csproj | 3 +- .../AuthenticatedEncryptorConfiguration.cs | 3 +- ...gCbcAuthenticatedEncryptorConfiguration.cs | 3 +- ...gGcmAuthenticatedEncryptorConfiguration.cs | 3 +- ...agedAuthenticatedEncryptorConfiguration.cs | 3 +- .../DataProtectionBuilderExtensions.cs | 13 ++-- .../DataProtectionProviderFactory.cs | 16 ----- ...taProtectionServiceCollectionExtensions.cs | 8 +-- .../EphemeralDataProtectionProvider.cs | 17 ++++- .../Internal/DataProtectionStartupFilter.cs | 5 ++ .../Internal/KeyManagementOptionsSetup.cs | 14 +++- .../KeyManagement/DefaultKeyResolver.cs | 5 ++ .../KeyManagement/KeyRingProvider.cs | 18 ++--- .../KeyManagement/XmlKeyManager.cs | 12 +++- .../RegistryPolicyResolver.cs | 14 ++-- .../TypeForwardingActivator.cs | 3 +- .../breakingchanges.netcore.json | 7 +- .../EphemeralDataProtectionProviderTests.cs | 2 +- .../Internal/KeyManagementOptionsSetupTest.cs | 3 +- .../KeyManagement/KeyRingProviderTests.cs | 9 +-- .../RegistryPolicyResolverTests.cs | 3 +- .../ServiceCollectionTests.cs | 67 +++++++++++++++++++ 33 files changed, 238 insertions(+), 236 deletions(-) delete mode 100644 samples/AzureBlob/Properties/launchSettings.json delete mode 100644 samples/CustomEncryptorSample/Properties/launchSettings.json delete mode 100644 
samples/KeyManagementSample/Properties/launchSettings.json delete mode 100644 samples/Redis/Properties/launchSettings.json delete mode 100644 src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index 9d6881602f..899b254265 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -1,9 +1,10 @@ - + netcoreapp2.0 + exe diff --git a/samples/AzureBlob/Program.cs b/samples/AzureBlob/Program.cs index f0aa1efea5..cce8604648 100644 --- a/samples/AzureBlob/Program.cs +++ b/samples/AzureBlob/Program.cs @@ -6,6 +6,7 @@ using Microsoft.AspNetCore.DataProtection; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using Microsoft.WindowsAzure.Storage; +using LogLevel = Microsoft.Extensions.Logging.LogLevel; namespace AzureBlob { 
@@ -24,21 +25,19 @@ namespace AzureBlob container.CreateIfNotExistsAsync().GetAwaiter().GetResult(); // Configure + using (var services = new ServiceCollection() + .AddLogging(o => o.AddConsole().SetMinimumLevel(LogLevel.Debug)) + .AddDataProtection() + .PersistKeysToAzureBlobStorage(container, "keys.xml") + .Services + .BuildServiceProvider()) + { + // Run a sample payload - var serviceCollection = new ServiceCollection(); - serviceCollection.AddLogging(); - serviceCollection.AddDataProtection() - .PersistKeysToAzureBlobStorage(container, "keys.xml"); - - var services = serviceCollection.BuildServiceProvider(); - var loggerFactory = services.GetService(); - loggerFactory.AddConsole(); - - // Run a sample payload - - var protector = services.GetDataProtector("sample-purpose"); - var protectedData = protector.Protect("Hello world!"); - Console.WriteLine(protectedData); + var protector = services.GetDataProtector("sample-purpose"); + var protectedData = protector.Protect("Hello world!"); + Console.WriteLine(protectedData); + } } } } diff --git a/samples/AzureBlob/Properties/launchSettings.json b/samples/AzureBlob/Properties/launchSettings.json deleted file mode 100644 index ae9a5dab5a..0000000000 --- a/samples/AzureBlob/Properties/launchSettings.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "iisSettings": { - "windowsAuthentication": false, - "anonymousAuthentication": true, - "iisExpress": { - "applicationUrl": "http://localhost:2041/", - "sslPort": 0 - } - }, - "profiles": { - "IIS Express": { - "commandName": "IISExpress", - "launchBrowser": true, - "environmentVariables": { - "ASPNETCORE_ENVIRONMENT": "Development" - } - }, - "AzureBlob": { - "commandName": "Project" - } - } -} \ No newline at end of file diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index ca8401e36d..ddd92112c2 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj 
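Review bot: The rewritten sample chains `.AddDataProtection().PersistKeysToAzureBlobStorage(container, "keys.xml")` with no `ProtectKeysWith*` call, so as far as this hunk shows the key ring is written to the blob without encryption at rest. Since sample code gets copied into applications, I would say so next to the call: `// NOTE: no ProtectKeysWith* is configured, so keys.xml is stored unencrypted in the blob; restrict container access and add key encryption for real deployments.` `Main` begins outside this hunk, so any configuration done earlier in the method is not visible here.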
+++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -1,9 +1,10 @@ - + net461;netcoreapp2.0 + exe diff --git a/samples/CustomEncryptorSample/Program.cs b/samples/CustomEncryptorSample/Program.cs index 89e0f82810..9079aeee3f 100644 --- a/samples/CustomEncryptorSample/Program.cs +++ b/samples/CustomEncryptorSample/Program.cs @@ -14,25 +14,23 @@ namespace CustomEncryptorSample public static void Main(string[] args) { var keysFolder = Path.Combine(Directory.GetCurrentDirectory(), "temp-keys"); - var serviceCollection = new ServiceCollection(); - serviceCollection.AddLogging(); - serviceCollection.AddDataProtection() + using (var services = new ServiceCollection() + .AddLogging(o => o.AddConsole().SetMinimumLevel(LogLevel.Debug)) + .AddDataProtection() .PersistKeysToFileSystem(new DirectoryInfo(keysFolder)) - .UseXmlEncryptor(s => new CustomXmlEncryptor(s)); + .UseXmlEncryptor(s => new CustomXmlEncryptor(s)) + .Services.BuildServiceProvider()) + { + var protector = services.GetDataProtector("SamplePurpose"); - var services = serviceCollection.BuildServiceProvider(); - var loggerFactory = services.GetRequiredService(); - loggerFactory.AddConsole(); + // protect the payload + var protectedPayload = protector.Protect("Hello World!"); + Console.WriteLine($"Protect returned: {protectedPayload}"); - var protector = services.GetDataProtector("SamplePurpose"); - - // protect the payload - var protectedPayload = protector.Protect("Hello World!"); - Console.WriteLine($"Protect returned: {protectedPayload}"); - - // unprotect the payload - var unprotectedPayload = protector.Unprotect(protectedPayload); - Console.WriteLine($"Unprotect returned: {unprotectedPayload}"); + // unprotect the payload + var unprotectedPayload = protector.Unprotect(protectedPayload); + Console.WriteLine($"Unprotect returned: {unprotectedPayload}"); + } } } } 
diff --git a/samples/CustomEncryptorSample/Properties/launchSettings.json b/samples/CustomEncryptorSample/Properties/launchSettings.json deleted file mode 100644 index c24bc96703..0000000000 --- a/samples/CustomEncryptorSample/Properties/launchSettings.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "iisSettings": { - "windowsAuthentication": false, - "anonymousAuthentication": true, - "iisExpress": { - "applicationUrl": "http://localhost:1398/", - "sslPort": 0 - } - }, - "profiles": { - "IIS Express": { - "commandName": "IISExpress", - "launchBrowser": true, - "environmentVariables": { - "ASPNETCORE_ENVIRONMENT": "Development" - } - }, - "CustomEncryptorSample": { - "commandName": "Project" - } - } -} \ No newline at end of file diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index b15e9017a6..34b42ebd92 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -1,9 +1,10 @@ - + net461;netcoreapp2.0 + exe diff --git a/samples/KeyManagementSample/Program.cs b/samples/KeyManagementSample/Program.cs index 3feefebc14..be128aa11c 100644 --- a/samples/KeyManagementSample/Program.cs +++ b/samples/KeyManagementSample/Program.cs @@ -16,7 +16,8 @@ namespace KeyManagementSample { var keysFolder = Path.Combine(Directory.GetCurrentDirectory(), "temp-keys"); var serviceCollection = new ServiceCollection(); - var builder = serviceCollection.AddDataProtection() + var builder = serviceCollection + .AddDataProtection() // point at a specific folder and use DPAPI to encrypt keys .PersistKeysToFileSystem(new DirectoryInfo(keysFolder)); if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) 
@@ -24,40 +25,41 @@ namespace KeyManagementSample builder.ProtectKeysWithDpapi(); } - var services = serviceCollection.BuildServiceProvider(); - - // perform a protect operation to force the system to put at least - // one key in the key ring - services.GetDataProtector("Sample.KeyManager.v1").Protect("payload"); - Console.WriteLine("Performed a protect operation."); - - // get a reference to the key manager - var keyManager = services.GetService(); - - // list all keys in the key ring - var allKeys = keyManager.GetAllKeys(); - Console.WriteLine($"The key ring contains {allKeys.Count} key(s)."); - foreach (var key in allKeys) + using (var services = serviceCollection.BuildServiceProvider()) { - Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}"); - } + // perform a protect operation to force the system to put at least + // one key in the key ring + services.GetDataProtector("Sample.KeyManager.v1").Protect("payload"); + Console.WriteLine("Performed a protect operation."); - // revoke all keys in the key ring - keyManager.RevokeAllKeys(DateTimeOffset.Now, reason: "Revocation reason here."); - Console.WriteLine("Revoked all existing keys."); + // get a reference to the key manager + var keyManager = services.GetService(); - // add a new key to the key ring with immediate activation and a 1-month expiration - keyManager.CreateNewKey( - activationDate: DateTimeOffset.Now, - expirationDate: DateTimeOffset.Now.AddMonths(1)); - Console.WriteLine("Added a new key."); + // list all keys in the key ring + var allKeys = keyManager.GetAllKeys(); + Console.WriteLine($"The key ring contains {allKeys.Count} key(s)."); + foreach (var key in allKeys) + { + Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}"); + } - // list all keys in the key ring - allKeys = keyManager.GetAllKeys(); - Console.WriteLine($"The key ring contains {allKeys.Count} key(s)."); - foreach (var key in allKeys) - { 
- Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}"); + // revoke all keys in the key ring + keyManager.RevokeAllKeys(DateTimeOffset.Now, reason: "Revocation reason here."); + Console.WriteLine("Revoked all existing keys."); + + // add a new key to the key ring with immediate activation and a 1-month expiration + keyManager.CreateNewKey( + activationDate: DateTimeOffset.Now, + expirationDate: DateTimeOffset.Now.AddMonths(1)); + Console.WriteLine("Added a new key."); + + // list all keys in the key ring + allKeys = keyManager.GetAllKeys(); + Console.WriteLine($"The key ring contains {allKeys.Count} key(s)."); + foreach (var key in allKeys) + { + Console.WriteLine($"Key {key.KeyId:B}: Created = {key.CreationDate:u}, IsRevoked = {key.IsRevoked}"); + } } } } diff --git a/samples/KeyManagementSample/Properties/launchSettings.json b/samples/KeyManagementSample/Properties/launchSettings.json deleted file mode 100644 index 9f2e8074fe..0000000000 --- a/samples/KeyManagementSample/Properties/launchSettings.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "iisSettings": { - "windowsAuthentication": false, - "anonymousAuthentication": true, - "iisExpress": { - "applicationUrl": "http://localhost:1396/", - "sslPort": 0 - } - }, - "profiles": { - "IIS Express": { - "commandName": "IISExpress", - "launchBrowser": true, - "environmentVariables": { - "ASPNETCORE_ENVIRONMENT": "Development" - } - }, - "KeyManagementSample": { - "commandName": "Project" - } - } -} \ No newline at end of file diff --git a/samples/Redis/Program.cs b/samples/Redis/Program.cs index 6731c10541..f8f213cfad 100644 --- a/samples/Redis/Program.cs +++ b/samples/Redis/Program.cs 
@@ -17,19 +17,18 @@ namespace Redis var redis = ConnectionMultiplexer.Connect("localhost:6379"); // Configure - var serviceCollection = new ServiceCollection(); - serviceCollection.AddLogging(); - serviceCollection.AddDataProtection() - .PersistKeysToRedis(redis, "DataProtection-Keys"); - - var services = serviceCollection.BuildServiceProvider(); - var loggerFactory = services.GetService(); - loggerFactory.AddConsole(); - - // Run a sample payload - var protector = services.GetDataProtector("sample-purpose"); - var protectedData = protector.Protect("Hello world!"); - Console.WriteLine(protectedData); + using (var services = new ServiceCollection() + .AddLogging(o => o.AddConsole().SetMinimumLevel(LogLevel.Debug)) + .AddDataProtection() + .PersistKeysToRedis(redis, "DataProtection-Keys") + .Services + .BuildServiceProvider()) + { + // Run a sample payload + var protector = services.GetDataProtector("sample-purpose"); + var protectedData = protector.Protect("Hello world!"); + Console.WriteLine(protectedData); + } } } } diff --git a/samples/Redis/Properties/launchSettings.json b/samples/Redis/Properties/launchSettings.json deleted file mode 100644 index 4f4c767916..0000000000 --- a/samples/Redis/Properties/launchSettings.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "iisSettings": { - "windowsAuthentication": false, - "anonymousAuthentication": true, - "iisExpress": { - "applicationUrl": "http://localhost:2042/", - "sslPort": 0 - } - }, - "profiles": { - "IIS Express": { - "commandName": "IISExpress", - "launchBrowser": true, - "environmentVariables": { - "ASPNETCORE_ENVIRONMENT": "Development" - } - }, - "Redis": { - "commandName": "Project" - } - } -} \ No newline at end of file diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 37aecfb68b..7040d86af2 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -1,9 +1,10 @@ - + net461;netcoreapp2.0 + exe 
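Review bot: In the `samples/Redis/Program.cs` hunk the service provider is now disposed by the new `using` block, but the `redis` multiplexer created on the context line just above it is still never disposed. Since the sample is now showing deterministic cleanup, I would open the connection the same way, `using (var redis = ConnectionMultiplexer.Connect("localhost:6379"))`, and nest the provider block inside it. The enclosing method starts outside the hunk, so this assumes nothing after the hunk uses `redis` again.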
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs index c3972e4e61..606d7484fb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs @@ -4,6 +4,7 @@ using System; using System.Security.Cryptography; using Microsoft.AspNetCore.Cryptography; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -42,7 +43,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat void IInternalAlgorithmConfiguration.Validate() { - var factory = new AuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + var factory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance); // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this); try diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs index 4b74177540..1c23957db2 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs 
@@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using Microsoft.AspNetCore.Cryptography; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -88,7 +89,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// void IInternalAlgorithmConfiguration.Validate() { - var factory = new CngCbcAuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + var factory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this)) { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs index 9cf6e95136..d9c1f84718 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using Microsoft.AspNetCore.Cryptography; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { 
@@ -64,7 +65,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// void IInternalAlgorithmConfiguration.Validate() { - var factory = new CngGcmAuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + var factory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this)) { diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs index b437d59bf2..dad6cd9dbc 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs @@ -3,6 +3,7 @@ using System; using System.Security.Cryptography; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel { @@ -66,7 +67,7 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.Configurat /// void IInternalAlgorithmConfiguration.Validate() { - var factory = new ManagedAuthenticatedEncryptorFactory(DataProtectionProviderFactory.GetDefaultLoggerFactory()); + var factory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly. using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this)) { 
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index 0bbb916868..30b9edbf32 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs @@ -14,6 +14,7 @@ using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; using Microsoft.Win32; @@ -206,7 +207,7 @@ namespace Microsoft.AspNetCore.DataProtection builder.Services.AddSingleton>(services => { - var loggerFactory = services.GetRequiredService(); + var loggerFactory = services.GetService() ?? NullLoggerFactory.Instance; return new ConfigureOptions(options => { options.XmlRepository = new FileSystemXmlRepository(directory, loggerFactory); @@ -236,7 +237,7 @@ namespace Microsoft.AspNetCore.DataProtection builder.Services.AddSingleton>(services => { - var loggerFactory = services.GetRequiredService(); + var loggerFactory = services.GetService() ?? NullLoggerFactory.Instance; return new ConfigureOptions(options => { options.XmlRepository = new RegistryXmlRepository(registryKey, loggerFactory); @@ -266,7 +267,7 @@ namespace Microsoft.AspNetCore.DataProtection builder.Services.AddSingleton>(services => { - var loggerFactory = services.GetRequiredService(); + var loggerFactory = services.GetService() ?? NullLoggerFactory.Instance; return new ConfigureOptions(options => { options.XmlEncryptor = new CertificateXmlEncryptor(certificate, loggerFactory); 
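Review bot: The optional logger lookup with the `?? NullLoggerFactory.Instance` fallback introduced in the `@@ -206,7 +207,7 @@` hunk is copied verbatim into the two hunks that follow it, the three later hunks of this file, and `DataProtectionServiceCollectionExtensions.cs`. These callbacks construct the key repositories and XML encryptors, so the rule for what happens when no logging is registered should live in one place, for example `private static ILoggerFactory GetLoggerFactory(IServiceProvider services) => services.GetService<ILoggerFactory>() ?? NullLoggerFactory.Instance;`. I would also add a comment there stating that key-management diagnostics are silently discarded unless the host registers logging, because after this commit nothing in `AddDataProtection` registers a factory any more. The callback bodies continue outside each hunk.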
@@ -306,7 +307,7 @@ namespace Microsoft.AspNetCore.DataProtection builder.Services.AddSingleton>(services => { - var loggerFactory = services.GetRequiredService(); + var loggerFactory = services.GetService() ?? NullLoggerFactory.Instance; var certificateResolver = services.GetRequiredService(); return new ConfigureOptions(options => { @@ -357,7 +358,7 @@ namespace Microsoft.AspNetCore.DataProtection builder.Services.AddSingleton>(services => { - var loggerFactory = services.GetRequiredService(); + var loggerFactory = services.GetService() ?? NullLoggerFactory.Instance; return new ConfigureOptions(options => { CryptoUtil.AssertPlatformIsWindows(); @@ -419,7 +420,7 @@ namespace Microsoft.AspNetCore.DataProtection builder.Services.AddSingleton>(services => { - var loggerFactory = services.GetRequiredService(); + var loggerFactory = services.GetService() ?? NullLoggerFactory.Instance; return new ConfigureOptions(options => { CryptoUtil.AssertPlatformIsWindows8OrLater(); diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs deleted file mode 100644 index 4f05478c8d..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionProviderFactory.cs +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using Microsoft.Extensions.Logging; -using Microsoft.Extensions.Logging.Abstractions; - -namespace Microsoft.AspNetCore.DataProtection -{ - internal static class DataProtectionProviderFactory - { - public static ILoggerFactory GetDefaultLoggerFactory() - { - return NullLoggerFactory.Instance; - } - } -} 
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index 0df59732cf..e951736e1f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -12,6 +12,7 @@ using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.AspNetCore.Hosting; using Microsoft.Extensions.DependencyInjection.Extensions; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; namespace Microsoft.Extensions.DependencyInjection @@ -64,8 +65,6 @@ namespace Microsoft.Extensions.DependencyInjection private static void AddDataProtectionServices(IServiceCollection services) { - services.TryAddSingleton(DataProtectionProviderFactory.GetDefaultLoggerFactory()); - if (OSVersionUtil.IsWindows()) { services.TryAddSingleton(); @@ -88,10 +87,9 @@ namespace Microsoft.Extensions.DependencyInjection { var dpOptions = s.GetRequiredService>(); var keyRingProvider = s.GetRequiredService(); - var loggerFactory = s.GetRequiredService(); + var loggerFactory = s.GetService() ?? NullLoggerFactory.Instance; - IDataProtectionProvider dataProtectionProvider = null; - dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, loggerFactory); + IDataProtectionProvider dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, loggerFactory); // Link the provider to the supplied discriminator if (!string.IsNullOrEmpty(dpOptions.Value.ApplicationDiscriminator)) diff --git a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs index 93cb021537..587b0ebfd4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs @@ -8,6 +8,7 @@ using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationM using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection { @@ -24,11 +25,23 @@ namespace Microsoft.AspNetCore.DataProtection private readonly KeyRingBasedDataProtectionProvider _dataProtectionProvider; /// - /// Creates an ephemeral , optionally providing - /// services (such as logging) for consumption by the provider. + /// Creates an ephemeral . /// + public EphemeralDataProtectionProvider() + : this (NullLoggerFactory.Instance) + { } + + /// + /// Creates an ephemeral with logging. + /// + /// The . public EphemeralDataProtectionProvider(ILoggerFactory loggerFactory) { + if (loggerFactory == null) + { + throw new ArgumentNullException(nameof(loggerFactory)); + } + IKeyRingProvider keyringProvider; if (OSVersionUtil.IsWindows()) { diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs index f2abbae5be..d9faa5b0f8 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs @@ -6,6 +6,7 @@ using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.Hosting; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection.Internal { 
@@ -14,6 +15,10 @@ namespace Microsoft.AspNetCore.DataProtection.Internal private readonly IKeyRingProvider _keyRingProvider; private readonly ILogger _logger; + public DataProtectionStartupFilter(IKeyRingProvider keyRingProvider) + : this(keyRingProvider, NullLoggerFactory.Instance) + { } + public DataProtectionStartupFilter(IKeyRingProvider keyRingProvider, ILoggerFactory loggerFactory) { _keyRingProvider = keyRingProvider; diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs index 1f72510e09..a197b7ceba 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs @@ -6,6 +6,7 @@ using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; namespace Microsoft.AspNetCore.DataProtection.Internal @@ -15,7 +16,18 @@ namespace Microsoft.AspNetCore.DataProtection.Internal private readonly RegistryPolicyResolver _registryPolicyResolver; private readonly ILoggerFactory _loggerFactory; - public KeyManagementOptionsSetup(ILoggerFactory loggerFactory) : this(loggerFactory, registryPolicyResolver: null) + public KeyManagementOptionsSetup() + : this(NullLoggerFactory.Instance, registryPolicyResolver: null) + { + } + + public KeyManagementOptionsSetup(ILoggerFactory loggerFactory) + : this(loggerFactory, registryPolicyResolver: null) + { + } + + public KeyManagementOptionsSetup(RegistryPolicyResolver registryPolicyResolver) + : this(NullLoggerFactory.Instance, registryPolicyResolver) { } 
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs index 9c545c793f..b4f686c9f3 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs @@ -8,6 +8,7 @@ using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; namespace Microsoft.AspNetCore.DataProtection.KeyManagement @@ -40,6 +41,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// private readonly TimeSpan _maxServerToServerClockSkew; + public DefaultKeyResolver(IOptions keyManagementOptions) + : this(keyManagementOptions, NullLoggerFactory.Instance) + { } + public DefaultKeyResolver(IOptions keyManagementOptions, ILoggerFactory loggerFactory) { _keyPropagationWindow = keyManagementOptions.Value.KeyPropagationWindow; diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs index 8b0b25e7a7..e407ae62dd 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs @@ -8,6 +8,7 @@ using System.Threading; using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; namespace Microsoft.AspNetCore.DataProtection.KeyManagement 
@@ -16,7 +17,6 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement { private CacheableKeyRing _cacheableKeyRing; private readonly object _cacheableKeyRingLockObj = new object(); - private readonly ICacheableKeyRingProvider _cacheableKeyRingProvider; private readonly IDefaultKeyResolver _defaultKeyResolver; private readonly KeyManagementOptions _keyManagementOptions; private readonly IKeyManager _keyManager; @@ -25,31 +25,31 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement public KeyRingProvider( IKeyManager keyManager, IOptions keyManagementOptions, - IDefaultKeyResolver defaultKeyResolver, - ILoggerFactory loggerFactory) + IDefaultKeyResolver defaultKeyResolver) : this( keyManager, keyManagementOptions, - cacheableKeyRingProvider: null, - defaultKeyResolver: defaultKeyResolver, - loggerFactory: loggerFactory) + defaultKeyResolver, + NullLoggerFactory.Instance) { } public KeyRingProvider( IKeyManager keyManager, IOptions keyManagementOptions, - ICacheableKeyRingProvider cacheableKeyRingProvider, IDefaultKeyResolver defaultKeyResolver, ILoggerFactory loggerFactory) { _keyManagementOptions = new KeyManagementOptions(keyManagementOptions.Value); // clone so new instance is immutable _keyManager = keyManager; - _cacheableKeyRingProvider = cacheableKeyRingProvider ?? this; + CacheableKeyRingProvider = this; _defaultKeyResolver = defaultKeyResolver; _logger = loggerFactory.CreateLogger(); } + // for testing + internal ICacheableKeyRingProvider CacheableKeyRingProvider { get; set; } + private CacheableKeyRing CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded) { // Refresh the list of all keys @@ -183,7 +183,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement try { - newCacheableKeyRing = _cacheableKeyRingProvider.GetCacheableKeyRing(utcNow); + newCacheableKeyRing = CacheableKeyRingProvider.GetCacheableKeyRing(utcNow); } catch (Exception ex) { 
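Review bot: The `@@ -25,31 +25,31 @@` hunk replaces the `readonly` `_cacheableKeyRingProvider` field with an `internal` auto-property that has a setter, so the object that supplies the key ring can now be reassigned at any point after construction by any code with internal access, not only by tests. If the seam has to stay, I would expand the `// for testing` comment to say so explicitly, e.g. `// test-only seam: production code must not assign this after construction`; keeping an internal constructor overload that accepts the provider would let the field remain `readonly`. Separately, the four-argument constructor still calls `loggerFactory.CreateLogger` without a null guard, while `XmlKeyManager` and `EphemeralDataProtectionProvider` gain one in this commit. A matching `if (loggerFactory == null) throw new ArgumentNullException(nameof(loggerFactory));` would keep the public constructors consistent.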
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs index b68a997c63..66e7a96dcb 100644 --- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs @@ -20,6 +20,7 @@ using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.XmlEncryption; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; using Microsoft.Win32; @@ -55,6 +56,15 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private CancellationTokenSource _cacheExpirationTokenSource; + /// + /// Creates an . + /// + /// The instance that provides the configuration. + /// The . + public XmlKeyManager(IOptions keyManagementOptions, IActivator activator) + : this (keyManagementOptions, activator, NullLoggerFactory.Instance) + { } + /// /// Creates an . /// @@ -63,7 +73,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// The . public XmlKeyManager(IOptions keyManagementOptions, IActivator activator, ILoggerFactory loggerFactory) { - _loggerFactory = loggerFactory; + _loggerFactory = loggerFactory ?? throw new ArgumentNullException(nameof(loggerFactory)); _logger = _loggerFactory.CreateLogger(); KeyRepository = keyManagementOptions.Value.XmlRepository; diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs index da5b3357e6..a6f63ee9a1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs 
@@ -10,7 +10,6 @@ using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel; using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.Extensions.Logging; using Microsoft.Win32; namespace Microsoft.AspNetCore.DataProtection @@ -22,20 +21,17 @@ namespace Microsoft.AspNetCore.DataProtection { private readonly Func _getPolicyRegKey; private readonly IActivator _activator; - private readonly ILoggerFactory _loggerFactory; - public RegistryPolicyResolver(IActivator activator, ILoggerFactory loggerFactory) + public RegistryPolicyResolver(IActivator activator) { _getPolicyRegKey = () => Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\DotNetPackages\Microsoft.AspNetCore.DataProtection"); _activator = activator; - _loggerFactory = loggerFactory; } - internal RegistryPolicyResolver(RegistryKey policyRegKey, IActivator activator, ILoggerFactory loggerFactory) + internal RegistryPolicyResolver(RegistryKey policyRegKey, IActivator activator) { _getPolicyRegKey = () => policyRegKey; _activator = activator; - _loggerFactory = loggerFactory; } // populates an options object from values stored in the registry @@ -95,10 +91,8 @@ namespace Microsoft.AspNetCore.DataProtection /// /// Returns a from the default registry location. /// - public static RegistryPolicy ResolveDefaultPolicy(IActivator activator, ILoggerFactory loggerFactory) - { - return new RegistryPolicyResolver(activator, loggerFactory).ResolvePolicy(); - } + public static RegistryPolicy ResolveDefaultPolicy(IActivator activator) + => new RegistryPolicyResolver(activator).ResolvePolicy(); internal RegistryPolicy ResolvePolicy() { diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs b/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs index 311d4ed48e..bf3113eada 100644 --- a/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs @@ -4,6 +4,7 @@ using System; using System.Text.RegularExpressions; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.DataProtection { @@ -15,7 +16,7 @@ namespace Microsoft.AspNetCore.DataProtection private static readonly Regex _versionPattern = new Regex(@",\s?Version=[0-9]+(\.[0-9]+){0,3}", RegexOptions.Compiled, TimeSpan.FromSeconds(2)); public TypeForwardingActivator(IServiceProvider services) - : this(services, DataProtectionProviderFactory.GetDefaultLoggerFactory()) + : this(services, NullLoggerFactory.Instance) { } diff --git a/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json b/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json index 81b60f185d..2c1b337ca5 100644 --- a/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json @@ -79,11 +79,6 @@ "MemberId": "public .ctor(Microsoft.Win32.RegistryKey registryKey, System.IServiceProvider services)", "Kind": "Removal" }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider : Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "MemberId": "public .ctor()", - "Kind": "Removal" - }, { "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider : Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", "MemberId": "public .ctor(System.IServiceProvider services)", @@ -244,4 +239,4 @@ "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptor()", "Kind": "Addition" } - ] \ No newline at end of file + ] 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs index dc7dc642f4..d42fe2113c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs @@ -15,7 +15,7 @@ namespace Microsoft.AspNetCore.DataProtection public void DifferentProvider_SamePurpose_DoesNotRoundTripData() { // Arrange - var dataProtector1 = new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("purpose"); + var dataProtector1 = new EphemeralDataProtectionProvider().CreateProtector("purpose"); var dataProtector2 = new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("purpose"); byte[] bytes = Encoding.UTF8.GetBytes("Hello there!"); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs b/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs index 6de0c19551..ae49c7edab 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs @@ -89,8 +89,7 @@ namespace Microsoft.AspNetCore.DataProtection.Internal var policyResolver = new RegistryPolicyResolver( registryKey, - activator: SimpleActivator.DefaultWithoutServices, - loggerFactory: NullLoggerFactory.Instance); + activator: SimpleActivator.DefaultWithoutServices); var setup = new KeyManagementOptionsSetup(NullLoggerFactory.Instance, policyResolver); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs index 5654943820..8582ed8359 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs @@ -45,7 +45,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement ShouldGenerateNewKey = false }) }); - + // Act var cacheableKeyRing = keyRingProvider.GetCacheableKeyRing(now); @@ -597,9 +597,11 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement return new KeyRingProvider( keyManager: null, keyManagementOptions: Options.Create(options), - cacheableKeyRingProvider: cacheableKeyRingProvider, defaultKeyResolver: null, - loggerFactory: NullLoggerFactory.Instance); + loggerFactory: NullLoggerFactory.Instance) + { + CacheableKeyRingProvider = cacheableKeyRingProvider + }; } private static ICacheableKeyRingProvider CreateKeyRingProvider(IKeyManager keyManager, IDefaultKeyResolver defaultKeyResolver, KeyManagementOptions keyManagementOptions= null) @@ -612,7 +614,6 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement return new KeyRingProvider( keyManager: keyManager, keyManagementOptions: Options.Create(keyManagementOptions), - cacheableKeyRingProvider: null, defaultKeyResolver: defaultKeyResolver, loggerFactory: NullLoggerFactory.Instance); } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs index 3ce7ee9f67..d2de2cde39 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -251,8 +251,7 @@ namespace Microsoft.AspNetCore.DataProtection var policyResolver = new RegistryPolicyResolver( registryKey, - activator: SimpleActivator.DefaultWithoutServices, - loggerFactory: NullLoggerFactory.Instance); + activator: SimpleActivator.DefaultWithoutServices); return policyResolver.ResolvePolicy(); }); 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
new file mode 100644
index 0000000000..ad05973c0b
--- /dev/null
+++ b/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
@@ -0,0 +1,67 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Xunit;
+
+namespace Microsoft.AspNetCore.DataProtection
+{
+ public class ServiceCollectionTests
+ {
+ [Fact]
+ public void AddsOptions()
+ {
+ var services = new ServiceCollection()
+ .AddDataProtection()
+ .Services
+ .BuildServiceProvider();
+
+ Assert.NotNull(services.GetService>());
+ }
+
+ [Fact]
+ public void DoesNotOverrideLogging()
+ {
+ var services1 = new ServiceCollection()
+ .AddLogging()
+ .AddDataProtection()
+ .Services
+ .BuildServiceProvider();
+
+ var services2 = new ServiceCollection()
+ .AddDataProtection()
+ .Services
+ .AddLogging()
+ .BuildServiceProvider();
+
+ Assert.Equal(
+ services1.GetRequiredService().GetType(),
+ services2.GetRequiredService().GetType());
+ }
+
+ [Fact]
+ public void CanResolveAllRegisteredServices()
+ {
+ var serviceCollection = new ServiceCollection()
+ .AddDataProtection()
+ .Services;
+ var services = serviceCollection.BuildServiceProvider(validateScopes: true);
+
+ Assert.Null(services.GetService());
+
+ foreach (var descriptor in serviceCollection)
+ {
+ if (descriptor.ServiceType.Assembly.GetName().Name == "Microsoft.Extensions.Options")
+ {
+ // ignore any descriptors added by the call to .AddOptions()
+ continue;
+ }
+
+ Assert.NotNull(services.GetService(descriptor.ServiceType));
+ }
+ }
+ }
+}
From 6134a11c2856c47826eee67fb34ad92fd75ebf3c Mon Sep 17 00:00:00 2001
From: Kiran Challa Date: Wed, 14 Jun 2017 14:30:53 -0700 Subject: [PATCH 354/493] Changed all references of PackageTargetFallback to AssetTargetFallback --- ...Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 290cca3a57..b85924e7bf 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -6,7 +6,7 @@ netcoreapp2.0;net461 netcoreapp2.0 true - $(PackageTargetFallback);dnxcore50;portable-net451+win8 + $(AssetTargetFallback);dnxcore50;portable-net451+win8 From 3280ebd84bb2d6540dd0c7635d3d4f60ad36134e Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Mon, 26 Jun 2017 09:35:42 -0700 Subject: [PATCH 355/493] Adding libunwind8 to .travis.yml [skip appveyor] --- .travis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis.yml b/.travis.yml index 27c93bcd6f..6c59666f3a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,6 +10,10 @@ os: - linux - osx osx_image: xcode8.2 +addons: + apt: + packages: + - libunwind8 branches: only: - master From 379d6d8dcd046fb31632e29bbaa4038bcd3895a5 Mon Sep 17 00:00:00 2001 From: Ajay Bhargav Baaskaran Date: Tue, 27 Jun 2017 15:02:17 -0700 Subject: [PATCH 356/493] Added some missed doc comments --- .../AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs | 4 ++++ .../CngCbcAuthenticatedEncryptorFactory.cs | 3 +++ .../CngGcmAuthenticatedEncryptorFactory.cs | 3 +++ .../ManagedAuthenticatedEncryptorFactory.cs | 3 +++ .../DataProtectionBuilderExtensions.cs | 2 +- 5 files changed, 14 insertions(+), 1 deletion(-) 
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs index 9cff56e78e..f9be1e1994 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs @@ -11,6 +11,10 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { + /// + /// An to create an + /// based on the . + /// public sealed class AuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory { private readonly ILoggerFactory _loggerFactory; diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs index 86fc817ef1..1ccc76d501 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs @@ -12,6 +12,9 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { + /// + /// An for . + /// public sealed class CngCbcAuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory { private readonly ILogger _logger; diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs index fefd273059..39b6c0e55d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs 
@@ -12,6 +12,9 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { + /// + /// An for . + /// public sealed class CngGcmAuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory { private readonly ILogger _logger; diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs index 03bd596346..32fb4f44f4 100644 --- a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs +++ b/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs @@ -11,6 +11,9 @@ using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption { + /// + /// An for . + /// public sealed class ManagedAuthenticatedEncryptorFactory : IAuthenticatedEncryptorFactory { private readonly ILogger _logger; diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index 30b9edbf32..ec1d1136dd 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs @@ -145,7 +145,7 @@ namespace Microsoft.AspNetCore.DataProtection /// Configures the key management options for the data protection system. /// /// The . - /// An to configure the provided. + /// An to configure the provided . /// A reference to the after this operation has completed. public static IDataProtectionBuilder AddKeyManagementOptions(this IDataProtectionBuilder builder, Action setupAction) { From a5fd1bef223fcba6647cc7813c38ffbced36fc6d Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Thu, 29 Jun 2017 07:48:25 -0700 Subject: [PATCH 357/493] Update dependencies.props * Update Moq to 4.7.49. * Add NETStandardImplicitPackageVersion --- build/dependencies.props | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 0d1ef256ee..44b41f7476 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,9 +1,10 @@ - + 2.0.0-* 4.4.0-* 2.1.0-* - 4.7.1 + 4.7.49 + 2.0.0-* 2.0.0-* 1.2.3 2.0.0-* From 531a11cb4068134f8cfd221ca39e54269c5bbb43 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Wed, 28 Jun 2017 16:35:44 -0700 Subject: [PATCH 358/493] Remove NETStandard.Library.NETFramework and update Moq --- build/common.props | 4 ---- 1 file changed, 4 deletions(-) diff --git a/build/common.props b/build/common.props index b6da5ae4c0..d946a89105 100644 --- a/build/common.props +++ b/build/common.props @@ -16,8 +16,4 @@ - - - - From b61244dac945eccbe6175fe38ec2379455e0c11b Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Thu, 29 Jun 2017 16:45:37 -0700 Subject: [PATCH 359/493] Remove AssetTargetFallback --- .../Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj | 1 - 1 file changed, 1 deletion(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index b85924e7bf..cafd48aa69 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -6,7 +6,6 @@ netcoreapp2.0;net461 netcoreapp2.0 true - $(AssetTargetFallback);dnxcore50;portable-net451+win8 From f04b049860addf06991fbd282cd5519728be7bcf Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Mon, 3 Jul 2017 14:05:09 -0700 Subject: [PATCH 360/493] Update LICENSE.txt text --- LICENSE.txt | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/LICENSE.txt b/LICENSE.txt index 0bdc1962b6..7b2956ecee 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,10 +1,12 @@ -Copyright (c) .NET Foundation. All rights reserved. +Copyright (c) .NET Foundation and Contributors + +All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use -these files except in compliance with the License. You may obtain a copy of the +this file except in compliance with the License. You may obtain a copy of the License at -http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR From 95831af3ebf407e3c2a16959e0bfa89ccd8928c5 Mon Sep 17 00:00:00 2001 From: Mike Harder Date: Mon, 3 Jul 2017 17:40:05 -0700 Subject: [PATCH 361/493] Set "TreatWarningsAsErrors" before NuGet restore (#255) * Ensures our build stays clean of NuGet warnings --- build/common.props | 1 + 1 file changed, 1 insertion(+) diff --git a/build/common.props b/build/common.props index d946a89105..a865ed071e 100644 --- a/build/common.props +++ b/build/common.props @@ -10,6 +10,7 @@ true true $(VersionSuffix)-$(BuildNumber) + true From 35e6714c341d06f1df8c680025edaf26a0f9df70 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 6 Jul 2017 10:36:51 -0700 Subject: [PATCH 362/493] React to aspnet/BuildTools#293 [ci skip] --- build/dependencies.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/dependencies.props b/build/dependencies.props index 44b41f7476..a2f699717d 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -2,7 +2,7 @@ 2.0.0-* 4.4.0-* - 2.1.0-* + 2.0.1-* 4.7.49 2.0.0-* 2.0.0-* 
From 83c141ab353048b8b5da36bbb1394f354b8c2192 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Thu, 6 Jul 2017 15:08:04 -0700 Subject: [PATCH 363/493] Update version suffix for 2.0.0 RTM release --- version.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.props b/version.props index 193a5999d8..eba6b16756 100644 --- a/version.props +++ b/version.props @@ -2,6 +2,6 @@ 2.0.0 - preview3 + rtm From aa89cb7face8168fd606c49dd3321c35f4ef0c83 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Thu, 6 Jul 2017 15:17:54 -0700 Subject: [PATCH 364/493] Remove NETSTandard.Library.NETFramework --- samples/CustomEncryptorSample/CustomEncryptorSample.csproj | 4 ---- samples/KeyManagementSample/KeyManagementSample.csproj | 4 ---- samples/NonDISample/NonDISample.csproj | 4 ---- samples/Redis/Redis.csproj | 4 ---- 4 files changed, 16 deletions(-) diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index ddd92112c2..27499c6475 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -17,8 +17,4 @@ - - - - diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index 34b42ebd92..21d821f5da 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -12,8 +12,4 @@ - - - - diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index 118eed8588..d2e3d9a672 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -11,8 +11,4 @@ - - - - diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 7040d86af2..58a63baa17 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -17,8 +17,4 @@ - - - - 
From 82292e1d33e52787d40661ea73d9789b0c72848c Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 10 Jul 2017 11:41:37 -0700 Subject: [PATCH 365/493] Branching for 2.0.0 rtm --- NuGet.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NuGet.config b/NuGet.config index 4e8a1f6de1..37f0d27ea0 100644 --- a/NuGet.config +++ b/NuGet.config @@ -2,7 +2,7 @@ - + From e4edce2c28f298fa72985125d32d2ab824e5dbce Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 10 Jul 2017 11:57:55 -0700 Subject: [PATCH 366/493] Updating KoreBuild branch --- build.ps1 | 2 +- build.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build.ps1 b/build.ps1 index 5bf0e2c113..1785334385 100644 --- a/build.ps1 +++ b/build.ps1 @@ -33,7 +33,7 @@ cd $PSScriptRoot $repoFolder = $PSScriptRoot $env:REPO_FOLDER = $repoFolder -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0.zip" if ($env:KOREBUILD_ZIP) { $koreBuildZip=$env:KOREBUILD_ZIP diff --git a/build.sh b/build.sh index b0bcadb579..5e27ed8efb 100755 --- a/build.sh +++ b/build.sh @@ -2,7 +2,7 @@ repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" +koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0.zip" if [ ! -z $KOREBUILD_ZIP ]; then koreBuildZip=$KOREBUILD_ZIP fi From 88aec3348ecedd9731c577cf59f2ea82e8574cc6 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Fri, 7 Jul 2017 14:54:46 -0700 Subject: [PATCH 367/493] Skip first time experience on Appveyor --- appveyor.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/appveyor.yml b/appveyor.yml index 04dfabcb0b..4f85bae466 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,4 +1,4 @@ -init: +init: - git config --global core.autocrlf true branches: only: 
@@ -10,6 +10,10 @@ branches: build_script: - ps: .\build.ps1 clone_depth: 1 +environment: + global: + DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true + DOTNET_CLI_TELEMETRY_OPTOUT: 1 test: off deploy: off os: Visual Studio 2017 From 021c6042441a83b06846bb7063f5bafb8ea83c8c Mon Sep 17 00:00:00 2001 From: Mike Harder Date: Wed, 12 Jul 2017 18:41:03 -0700 Subject: [PATCH 368/493] Update WindowsAzure.Storage to latest (#258) --- build/dependencies.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/dependencies.props b/build/dependencies.props index a2f699717d..5ffef187dd 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -10,6 +10,6 @@ 2.0.0-* 15.3.0-* 2.3.0-beta2-* - 8.1.1 + 8.1.4 From 806ba70a6af7b53f228c6db2796a33205978adc0 Mon Sep 17 00:00:00 2001 From: Mike Harder Date: Thu, 13 Jul 2017 15:07:37 -0700 Subject: [PATCH 369/493] Update StackExchange.Redis to latest (#260) --- build/dependencies.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/dependencies.props b/build/dependencies.props index 5ffef187dd..8293dd82b8 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -6,7 +6,7 @@ 4.7.49 2.0.0-* 2.0.0-* - 1.2.3 + 1.2.4 2.0.0-* 15.3.0-* 2.3.0-beta2-* From e7c94a3ca1c963f8381c51ec7e4af9f39a921660 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Fri, 21 Jul 2017 12:57:52 -0700 Subject: [PATCH 370/493] 2.0.0-rtm to 2.1.0-preview1 --- version.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.props b/version.props index eba6b16756..1ea46af42a 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ - 2.0.0 - rtm + 2.1.0 + preview1 From edf47fedd19df14e8ee81e4b0dd169d6b7225578 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Mon, 24 Jul 2017 17:55:09 -0700 Subject: [PATCH 371/493] Set AspNetCoreVersion --- build/dependencies.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/build/dependencies.props b/build/dependencies.props index 8293dd82b8..1ec72e277d 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,6 +1,6 @@ - + - 2.0.0-* + 2.1.0-* 4.4.0-* 2.0.1-* 4.7.49 From f9681cd3c30af939ccdea9ba39550ca35f76f770 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 25 Jul 2017 15:12:42 -0700 Subject: [PATCH 372/493] Updating to InternalAspNetCoreSdkVersion 2.1.1-* --- build/dependencies.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/dependencies.props b/build/dependencies.props index 1ec72e277d..4502c0eba6 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -2,7 +2,7 @@ 2.1.0-* 4.4.0-* - 2.0.1-* + 2.1.1-* 4.7.49 2.0.0-* 2.0.0-* From 43330e4211aec6117f1e27d7c10f3049af55bd82 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 25 Jul 2017 16:31:09 -0700 Subject: [PATCH 373/493] Update bootstrappers to use the compiled version of KoreBuild [ci skip] --- .gitignore | 1 + build.cmd | 2 +- build.ps1 | 218 +++++++++++++++++++++++++--------- build.sh | 224 +++++++++++++++++++++++++++++------ build/common.props | 2 +- version.props => version.xml | 3 +- 6 files changed, 356 insertions(+), 94 deletions(-) rename version.props => version.xml (55%) diff --git a/.gitignore b/.gitignore index 5af949b050..c632acb4ef 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,4 @@ project.lock.json .testPublish/ samples/**/temp-keys/ global.json +korebuild-lock.txt diff --git a/build.cmd b/build.cmd index 7d4894cb4a..b6c8d24864 100644 --- a/build.cmd +++ b/build.cmd 
@@ -1,2 +1,2 @@ @ECHO OFF -PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*; exit $LASTEXITCODE" \ No newline at end of file +PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*; exit $LASTEXITCODE" diff --git a/build.ps1 b/build.ps1 index 5bf0e2c113..d5eb4d5cf2 100644 --- a/build.ps1 +++ b/build.ps1 
@@ -1,67 +1,177 @@ -$ErrorActionPreference = "Stop" +#!/usr/bin/env powershell +#requires -version 4 -function DownloadWithRetry([string] $url, [string] $downloadLocation, [int] $retries) -{ - while($true) - { - try - { - Invoke-WebRequest $url -OutFile $downloadLocation - break - } - catch - { - $exceptionMessage = $_.Exception.Message - Write-Host "Failed to download '$url': $exceptionMessage" - if ($retries -gt 0) { - $retries-- - Write-Host "Waiting 10 seconds before retrying. Retries left: $retries" - Start-Sleep -Seconds 10 +<# +.SYNOPSIS +Build this repository +.DESCRIPTION +Downloads korebuild if required. Then builds the repository. + +.PARAMETER Path +The folder to build. Defaults to the folder containing this script. + +.PARAMETER Channel +The channel of KoreBuild to download. Overrides the value from the config file. + +.PARAMETER DotNetHome +The directory where .NET Core tools will be stored. + +.PARAMETER ToolsSource +The base url where build tools can be downloaded. Overrides the value from the config file. + +.PARAMETER Update +Updates KoreBuild to the latest version even if a lock file is present. + +.PARAMETER ConfigFile +The path to the configuration file that stores values. Defaults to version.xml. + +.PARAMETER MSBuildArgs +Arguments to be passed to MSBuild + +.NOTES +This function will create a file $PSScriptRoot/korebuild-lock.txt. This lock file can be committed to source, but does not have to be. +When the lockfile is not present, KoreBuild will create one using latest available version from $Channel. + +The $ConfigFile is expected to be an XML file. It is optional, and the configuration values in it are optional as well. 
+ +.EXAMPLE +Example config file: +```xml + + + + dev + https://aspnetcore.blob.core.windows.net/buildtools + + +``` +#> +[CmdletBinding(PositionalBinding = $false)] +param( + [string]$Path = $PSScriptRoot, + [Alias('c')] + [string]$Channel, + [Alias('d')] + [string]$DotNetHome, + [Alias('s')] + [string]$ToolsSource, + [Alias('u')] + [switch]$Update, + [string]$ConfigFile = (Join-Path $PSScriptRoot 'version.xml'), + [Parameter(ValueFromRemainingArguments = $true)] + [string[]]$MSBuildArgs +) + +Set-StrictMode -Version 2 +$ErrorActionPreference = 'Stop' + +# +# Functions +# + +function Get-KoreBuild { + + $lockFile = Join-Path $Path 'korebuild-lock.txt' + + if (!(Test-Path $lockFile) -or $Update) { + Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $lockFile + } + + $version = Get-Content $lockFile | Where-Object { $_ -like 'version:*' } | Select-Object -first 1 + if (!$version) { + Write-Error "Failed to parse version from $lockFile. Expected a line that begins with 'version:'" + } + $version = $version.TrimStart('version:').Trim() + $korebuildPath = Join-Paths $DotNetHome ('buildtools', 'korebuild', $version) + + if (!(Test-Path $korebuildPath)) { + Write-Host -ForegroundColor Magenta "Downloading KoreBuild $version" + New-Item -ItemType Directory -Path $korebuildPath | Out-Null + $remotePath = "$ToolsSource/korebuild/artifacts/$version/korebuild.$version.zip" + + try { + $tmpfile = Join-Path ([IO.Path]::GetTempPath()) "KoreBuild-$([guid]::NewGuid()).zip" + Get-RemoteFile $remotePath $tmpfile + if (Get-Command -Name 'Expand-Archive' -ErrorAction Ignore) { + # Use built-in commands where possible as they are cross-plat compatible + Expand-Archive -Path $tmpfile -DestinationPath $korebuildPath } - else - { - $exception = $_.Exception - throw $exception + else { + # Fallback to old approach for old installations of PowerShell + Add-Type -AssemblyName System.IO.Compression.FileSystem + [System.IO.Compression.ZipFile]::ExtractToDirectory($tmpfile, 
$korebuildPath) } } + catch { + Remove-Item -Recurse -Force $korebuildPath -ErrorAction Ignore + throw + } + finally { + Remove-Item $tmpfile -ErrorAction Ignore + } } + + return $korebuildPath } -cd $PSScriptRoot - -$repoFolder = $PSScriptRoot -$env:REPO_FOLDER = $repoFolder - -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" -if ($env:KOREBUILD_ZIP) -{ - $koreBuildZip=$env:KOREBUILD_ZIP +function Join-Paths([string]$path, [string[]]$childPaths) { + $childPaths | ForEach-Object { $path = Join-Path $path $_ } + return $path } -$buildFolder = ".build" -$buildFile="$buildFolder\KoreBuild.ps1" - -if (!(Test-Path $buildFolder)) { - Write-Host "Downloading KoreBuild from $koreBuildZip" - - $tempFolder=$env:TEMP + "\KoreBuild-" + [guid]::NewGuid() - New-Item -Path "$tempFolder" -Type directory | Out-Null - - $localZipFile="$tempFolder\korebuild.zip" - - DownloadWithRetry -url $koreBuildZip -downloadLocation $localZipFile -retries 6 - - Add-Type -AssemblyName System.IO.Compression.FileSystem - [System.IO.Compression.ZipFile]::ExtractToDirectory($localZipFile, $tempFolder) - - New-Item -Path "$buildFolder" -Type directory | Out-Null - copy-item "$tempFolder\**\build\*" $buildFolder -Recurse - - # Cleanup - if (Test-Path $tempFolder) { - Remove-Item -Recurse -Force $tempFolder +function Get-RemoteFile([string]$RemotePath, [string]$LocalPath) { + if ($RemotePath -notlike 'http*') { + Copy-Item $RemotePath $LocalPath + return } + + $retries = 10 + while ($retries -gt 0) { + $retries -= 1 + try { + Invoke-WebRequest -UseBasicParsing -Uri $RemotePath -OutFile $LocalPath + return + } + catch { + Write-Verbose "Request failed. $retries retries remaining" + } + } + + Write-Error "Download failed: '$RemotePath'." 
} -&"$buildFile" @args +# +# Main +# + +# Load configuration or set defaults + +if (Test-Path $ConfigFile) { + [xml] $config = Get-Content $ConfigFile + if (!($Channel)) { [string] $Channel = Select-Xml -Xml $config -XPath '/Project/PropertyGroup/KoreBuildChannel' } + if (!($ToolsSource)) { [string] $ToolsSource = Select-Xml -Xml $config -XPath '/Project/PropertyGroup/KoreBuildToolsSource' } +} + +if (!$DotNetHome) { + $DotNetHome = if ($env:DOTNET_HOME) { $env:DOTNET_HOME } ` + elseif ($env:USERPROFILE) { Join-Path $env:USERPROFILE '.dotnet'} ` + elseif ($env:HOME) {Join-Path $env:HOME '.dotnet'}` + else { Join-Path $PSScriptRoot '.dotnet'} +} + +if (!$Channel) { $Channel = 'dev' } +if (!$ToolsSource) { $ToolsSource = 'https://aspnetcore.blob.core.windows.net/buildtools' } + +# Execute + +$korebuildPath = Get-KoreBuild +Import-Module -Force -Scope Local (Join-Path $korebuildPath 'KoreBuild.psd1') + +try { + Install-Tools $ToolsSource $DotNetHome + Invoke-RepositoryBuild $Path @MSBuildArgs +} +finally { + Remove-Module 'KoreBuild' -ErrorAction Ignore +} diff --git a/build.sh b/build.sh index b0bcadb579..ab590e62f1 100755 --- a/build.sh +++ b/build.sh 
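Review bot: `Get-KoreBuild` extracts the downloaded `korebuild.$version.zip` and the script then loads it with `Import-Module` without comparing the archive to any expected digest; `korebuild-lock.txt` is read only for its `version:` line, so it pins a name rather than content. The same holds for `get_korebuild` in build.sh from this commit, which unzips the archive and then runs `source "$korebuild_path/KoreBuild.sh"`. I would store a SHA-256 next to the version in the lock file and check it before extraction, e.g. `if ((Get-FileHash $tmpfile -Algorithm SHA256).Hash -ne $expectedHash) { throw "KoreBuild archive hash mismatch" }`, where `$expectedHash` is a placeholder for a value the lock file does not carry today. `Get-RemoteFile` sends anything matching `http*` to `Invoke-WebRequest`, so a `-ToolsSource` or config value using plain `http://` is accepted; rejecting non-HTTPS remote sources explicitly would close that. Separately, `$version.TrimStart('version:')` trims a character set rather than a prefix, so a version beginning with one of those letters loses characters; `$version -replace '^version:\s*', ''` removes exactly the label.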
@@ -1,46 +1,196 @@ #!/usr/bin/env bash -repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/dev.zip" -if [ ! -z $KOREBUILD_ZIP ]; then - koreBuildZip=$KOREBUILD_ZIP -fi +set -euo pipefail -buildFolder=".build" -buildFile="$buildFolder/KoreBuild.sh" +# +# variables +# -if test ! -d $buildFolder; then - echo "Downloading KoreBuild from $koreBuildZip" +RESET="\033[0m" +RED="\033[0;31m" +MAGENTA="\033[0;95m" +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +[ -z "${DOTNET_HOME:-}"] && DOTNET_HOME="$HOME/.dotnet" +config_file="$DIR/version.xml" +verbose=false +update=false +repo_path="$DIR" +channel='' +tools_source='' - tempFolder="/tmp/KoreBuild-$(uuidgen)" - mkdir $tempFolder +# +# Functions +# +__usage() { + echo "Usage: $(basename ${BASH_SOURCE[0]}) [options] [[--] ...]" + echo "" + echo "Arguments:" + echo " ... Arguments passed to MSBuild. Variable number of arguments allowed." + echo "" + echo "Options:" + echo " --verbose Show verbose output." + echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." + echo " --config-file TThe path to the configuration file that stores values. Defaults to version.xml." + echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." + echo " --path The directory to build. Defaults to the directory containing the script." + echo " -s|--tools-source The base url where build tools can be downloaded. Overrides the value from the config file." + echo " -u|--update Update to the latest KoreBuild even if the lock file is present." + echo "" + echo "Description:" + echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." + echo " When the lockfile is not present, KoreBuild will create one using latest available version from \$channel." 
- localZipFile="$tempFolder/korebuild.zip" - - retries=6 - until (wget -O $localZipFile $koreBuildZip 2>/dev/null || curl -o $localZipFile --location $koreBuildZip 2>/dev/null) - do - echo "Failed to download '$koreBuildZip'" - if [ "$retries" -le 0 ]; then - exit 1 - fi - retries=$((retries - 1)) - echo "Waiting 10 seconds before retrying. Retries left: $retries" - sleep 10s - done - - unzip -q -d $tempFolder $localZipFile - - mkdir $buildFolder - cp -r $tempFolder/**/build/** $buildFolder - - chmod +x $buildFile - - # Cleanup - if test -d $tempFolder; then - rm -rf $tempFolder + if [[ "${1:-}" != '--no-exit' ]]; then + exit 2 fi +} + +get_korebuild() { + local lock_file="$repo_path/korebuild-lock.txt" + if [ ! -f $lock_file ] || [ "$update" = true ]; then + __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" $lock_file + fi + local version="$(grep 'version:*' -m 1 $lock_file)" + if [[ "$version" == '' ]]; then + __error "Failed to parse version from $lock_file. Expected a line that begins with 'version:'" + return 1 + fi + version="$(echo ${version#version:} | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" + local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" + + { + if [ ! -d "$korebuild_path" ]; then + mkdir -p "$korebuild_path" + local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" + tmpfile="$(mktemp)" + echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" + if __get_remote_file $remote_path $tmpfile; then + unzip -q -d "$korebuild_path" $tmpfile + fi + rm $tmpfile || true + fi + + source "$korebuild_path/KoreBuild.sh" + } || { + if [ -d "$korebuild_path" ]; then + echo "Cleaning up after failed installation" + rm -rf "$korebuild_path" || true + fi + return 1 + } +} + +__error() { + echo -e "${RED}$@${RESET}" 1>&2 +} + +__machine_has() { + hash "$1" > /dev/null 2>&1 + return $? 
+} + +__get_remote_file() { + local remote_path=$1 + local local_path=$2 + + if [[ "$remote_path" != 'http'* ]]; then + cp $remote_path $local_path + return 0 + fi + + failed=false + if __machine_has wget; then + wget --tries 10 --quiet -O $local_path $remote_path || failed=true + fi + + if [ "$failed" = true ] && __machine_has curl; then + failed=false + curl --retry 10 -sSL -f --create-dirs -o $local_path $remote_path || failed=true + fi + + if [ "$failed" = true ]; then + __error "Download failed: $remote_path" 1>&2 + return 1 + fi +} + +__read_dom () { local IFS=\> ; read -d \< ENTITY CONTENT ;} + +# +# main +# + +while [[ $# > 0 ]]; do + case $1 in + -\?|-h|--help) + __usage --no-exit + exit 0 + ;; + -c|--channel|-Channel) + shift + channel=${1:-} + [ -z "$channel" ] && __usage + ;; + --config-file|-ConfigFile) + shift + config_file="${1:-}" + [ -z "$config_file" ] && __usage + ;; + -d|--dotnet-home|-DotNetHome) + shift + DOTNET_HOME=${1:-} + [ -z "$DOTNET_HOME" ] && __usage + ;; + --path|-Path) + shift + repo_path="${1:-}" + [ -z "$repo_path" ] && __usage + ;; + -s|--tools-source|-ToolsSource) + shift + tools_source="${1:-}" + [ -z "$tools_source" ] && __usage + ;; + -u|--update|-Update) + update=true + ;; + --verbose|-Verbose) + verbose=true + ;; + --) + shift + break + ;; + *) + break + ;; + esac + shift +done + +if ! __machine_has unzip; then + __error 'Missing required command: unzip' + exit 1 fi -$buildFile -r $repoFolder "$@" +if ! __machine_has curl && ! __machine_has wget; then + __error 'Missing required command. Either wget or curl is required.' 
+ exit 1 +fi + +if [ -f $config_file ]; then + comment=false + while __read_dom; do + if [ "$comment" = true ]; then [[ $CONTENT == *'-->'* ]] && comment=false ; continue; fi + if [[ $ENTITY == '!--'* ]]; then comment=true; continue; fi + if [ -z "$channel" ] && [[ $ENTITY == "KoreBuildChannel" ]]; then channel=$CONTENT; fi + if [ -z "$tools_source" ] && [[ $ENTITY == "KoreBuildToolsSource" ]]; then tools_source=$CONTENT; fi + done < $config_file +fi + +[ -z "$channel" ] && channel='dev' +[ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' + +get_korebuild +install_tools "$tools_source" "$DOTNET_HOME" +invoke_repository_build "$repo_path" $@ diff --git a/build/common.props b/build/common.props index a865ed071e..c468ea2192 100644 --- a/build/common.props +++ b/build/common.props @@ -1,6 +1,6 @@ - + Microsoft ASP.NET Core diff --git a/version.props b/version.xml similarity index 55% rename from version.props rename to version.xml index 1ea46af42a..3c05022b7d 100644 --- a/version.props +++ b/version.xml @@ -1,6 +1,7 @@ - + + dev 2.1.0 preview1 From 1fe47d68da278d83bef0354ff4b2440982ba71b5 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 26 Jul 2017 10:26:56 -0700 Subject: [PATCH 374/493] Fix syntax warning when running build.sh on older versions of bash [ci skip] --- build.sh | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/build.sh b/build.sh index ab590e62f1..5568c6182a 100755 --- a/build.sh +++ b/build.sh @@ -10,7 +10,7 @@ RESET="\033[0m" RED="\033[0;31m" MAGENTA="\033[0;95m" DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -[ -z "${DOTNET_HOME:-}"] && DOTNET_HOME="$HOME/.dotnet" +[ -z "${DOTNET_HOME:-}" ] && DOTNET_HOME="$HOME/.dotnet" config_file="$DIR/version.xml" verbose=false update=false 
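Review bot: `__get_remote_file` in the new build.sh returns success without downloading anything on a machine that has curl but not wget: `failed` starts as `false`, the wget block is skipped, and the curl branch runs only when `failed` is `true`. The startup check accepts either tool, so this path is reachable, and `get_korebuild` then carries on as if the lock file or archive had been fetched. Adding an `else` branch with `failed=true` to the `if __machine_has wget` block makes curl a real fallback. The follow-up quoting patch touches the same function (hunk `@@ -94,18 +95,18 @@`) and leaves this logic as it is.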
@@ -22,7 +22,7 @@ tools_source='' # Functions # __usage() { - echo "Usage: $(basename ${BASH_SOURCE[0]}) [options] [[--] ...]" + echo "Usage: $(basename "${BASH_SOURCE[0]}") [options] [[--] ...]" echo "" echo "Arguments:" echo " ... Arguments passed to MSBuild. Variable number of arguments allowed." @@ -46,16 +46,17 @@ __usage() { } get_korebuild() { + local version local lock_file="$repo_path/korebuild-lock.txt" - if [ ! -f $lock_file ] || [ "$update" = true ]; then - __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" $lock_file + if [ ! -f "$lock_file" ] || [ "$update" = true ]; then + __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" fi - local version="$(grep 'version:*' -m 1 $lock_file)" + version="$(grep 'version:*' -m 1 "$lock_file")" if [[ "$version" == '' ]]; then __error "Failed to parse version from $lock_file. Expected a line that begins with 'version:'" return 1 fi - version="$(echo ${version#version:} | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" + version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" { @@ -64,10 +65,10 @@ get_korebuild() { local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" tmpfile="$(mktemp)" echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" - if __get_remote_file $remote_path $tmpfile; then - unzip -q -d "$korebuild_path" $tmpfile + if __get_remote_file "$remote_path" "$tmpfile"; then + unzip -q -d "$korebuild_path" "$tmpfile" fi - rm $tmpfile || true + rm "$tmpfile" || true fi source "$korebuild_path/KoreBuild.sh" @@ -81,7 +82,7 @@ get_korebuild() { } __error() { - echo -e "${RED}$@${RESET}" 1>&2 + echo -e "${RED}$*${RESET}" 1>&2 } __machine_has() { 
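Review bot: The `version` string parsed from `korebuild-lock.txt` in the `@@ -46,16 +46,17 @@` hunk goes straight into `$DOTNET_HOME/buildtools/korebuild/$version` and into the download URL with no check on its characters, and that lock file is itself fetched from `$tools_source` when it is missing or `update` is true. A value containing `/` would move both the install directory and the URL, so it is worth rejecting anything unexpected right after the trim, e.g. `[[ "$version" =~ ^[A-Za-z0-9][A-Za-z0-9.+-]*$ ]] || { __error "Unexpected version in $lock_file"; return 1; }`. Separately, `grep 'version:*' -m 1` matches `version` anywhere in a line because the `*` applies to the colon, which is looser than the error message's "begins with 'version:'"; `grep -m 1 '^version:' "$lock_file"` matches the stated contract. The body of `get_korebuild` continues past this hunk.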
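Review bot: Nothing in the `@@ -64,10 +65,10 @@` hunk verifies the downloaded archive before `unzip -q -d "$korebuild_path" "$tmpfile"` and the `source "$korebuild_path/KoreBuild.sh"` that follows, so whatever `$tools_source` serves is executed by the build. The lock file as parsed here carries only a version string; recording a SHA-256 of the zip next to it and comparing before unpacking would tie the executed script to a reviewed value, for example `echo "$expected_sha256  $tmpfile" | sha256sum -c - >/dev/null || return 1`, where `expected_sha256` is a placeholder for a value read from the lock file and the tool name may differ per platform. A failed `__get_remote_file` is also not treated as an error: the `if` only skips `unzip`, and `source` then runs against a path that may never have been populated, so an `else` branch that removes `$tmpfile` and returns 1 would stop there. `tmpfile` is assigned without `local`, unlike the neighbouring `remote_path`. The function starts before and ends after this hunk.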
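Review bot: `echo -e "${RED}$*${RESET}"` in `__error` (hunk `@@ -81,7 +82,7 @@`) still interprets backslash escapes inside the message itself, and callers pass it paths and URLs such as `$lock_file` and `$remote_path` that come from arguments or the config file. Printing the message with `%s` keeps the colour codes working while leaving the text literal: `printf '%b%s%b\n' "$RED" "$*" "$RESET" 1>&2`.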
@@ -94,18 +95,18 @@ __get_remote_file() { local local_path=$2 if [[ "$remote_path" != 'http'* ]]; then - cp $remote_path $local_path + cp "$remote_path" "$local_path" return 0 fi failed=false if __machine_has wget; then - wget --tries 10 --quiet -O $local_path $remote_path || failed=true + wget --tries 10 --quiet -O "$local_path" "$remote_path" || failed=true fi if [ "$failed" = true ] && __machine_has curl; then failed=false - curl --retry 10 -sSL -f --create-dirs -o $local_path $remote_path || failed=true + curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" || failed=true fi if [ "$failed" = true ]; then @@ -114,13 +115,13 @@ __get_remote_file() { fi } -__read_dom () { local IFS=\> ; read -d \< ENTITY CONTENT ;} +__read_dom () { local IFS=\> ; read -r -d \< ENTITY CONTENT ;} # # main # -while [[ $# > 0 ]]; do +while [[ $# -gt 0 ]]; do case $1 in -\?|-h|--help) __usage --no-exit @@ -128,7 +129,7 @@ while [[ $# > 0 ]]; do ;; -c|--channel|-Channel) shift - channel=${1:-} + channel="${1:-}" [ -z "$channel" ] && __usage ;; --config-file|-ConfigFile) @@ -138,7 +139,7 @@ while [[ $# > 0 ]]; do ;; -d|--dotnet-home|-DotNetHome) shift - DOTNET_HOME=${1:-} + DOTNET_HOME="${1:-}" [ -z "$DOTNET_HOME" ] && __usage ;; --path|-Path) @@ -178,14 +179,14 @@ if ! __machine_has curl && ! __machine_has wget; then exit 1 fi -if [ -f $config_file ]; then +if [ -f "$config_file" ]; then comment=false while __read_dom; do if [ "$comment" = true ]; then [[ $CONTENT == *'-->'* ]] && comment=false ; continue; fi if [[ $ENTITY == '!--'* ]]; then comment=true; continue; fi if [ -z "$channel" ] && [[ $ENTITY == "KoreBuildChannel" ]]; then channel=$CONTENT; fi if [ -z "$tools_source" ] && [[ $ENTITY == "KoreBuildToolsSource" ]]; then tools_source=$CONTENT; fi - done < $config_file + done < "$config_file" fi [ -z "$channel" ] && channel='dev' 
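Review bot: The guard `[[ "$remote_path" != 'http'* ]]` at the top of the `@@ -94,18 +95,18 @@` hunk lets plain `http://` sources through to `wget` and `curl`, and `curl -sSL` follows redirects to whatever scheme the server names, while the fetched files are later unpacked and sourced by `get_korebuild`. Since `tools_source` can come from `--tools-source` or from `KoreBuildToolsSource` in the config file, it would be safer to accept only `https://` for remote paths and to pin curl to it, e.g. `curl --proto '=https' --proto-redir '=https' --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path"`. The prefix test also sends any local path whose name merely starts with `http` down the download branch; testing for `http://*` and `https://*` explicitly avoids that. `__get_remote_file` begins above this hunk.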
@@ -193,4 +194,4 @@ fi get_korebuild install_tools "$tools_source" "$DOTNET_HOME" -invoke_repository_build "$repo_path" $@ +invoke_repository_build "$repo_path" "$@" From 5b85b3f6c7734593b0cd15054b0eb44963cd5fe0 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Wed, 26 Jul 2017 12:55:22 -0700 Subject: [PATCH 375/493] Update VersionPrefix --- .../Microsoft.AspNetCore.DataProtection.Redis.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 2b0006adaf..a522675670 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -4,7 +4,7 @@ Redis storage support as key store. - 0.3.0 + 0.4.0 netstandard2.0 true true From a47427b25c237ae35fe27fa72a321a14376c930d Mon Sep 17 00:00:00 2001 From: John Luo Date: Wed, 2 Aug 2017 12:44:43 -0700 Subject: [PATCH 376/493] Update __get_remote_file logic --- build.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/build.sh b/build.sh index 5568c6182a..8eace4c20d 100755 --- a/build.sh +++ b/build.sh 
@@ -99,17 +99,16 @@ __get_remote_file() { return 0 fi - failed=false + local succeeded=false if __machine_has wget; then - wget --tries 10 --quiet -O "$local_path" "$remote_path" || failed=true + wget --tries 10 --quiet -O "$local_path" "$remote_path" && succeeded=true fi - if [ "$failed" = true ] && __machine_has curl; then - failed=false - curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" || failed=true + if [ "$succeeded" = false ] && __machine_has curl; then + curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" && succeeded=true fi - if [ "$failed" = true ]; then + if [ "$succeeded" = false ]; then __error "Download failed: $remote_path" 1>&2 return 1 fi From bd8207bf8fde1bf6dce21174ef5de9f686e08ec2 Mon Sep 17 00:00:00 2001 From: John Luo Date: Wed, 2 Aug 2017 14:31:07 -0700 Subject: [PATCH 377/493] Ensure fallback to curl after failed wget --- build.sh | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/build.sh b/build.sh index 8eace4c20d..11cdbe5504 100755 --- a/build.sh +++ b/build.sh @@ -99,16 +99,19 @@ __get_remote_file() { return 0 fi - local succeeded=false + local failed=false if __machine_has wget; then - wget --tries 10 --quiet -O "$local_path" "$remote_path" && succeeded=true + wget --tries 10 --quiet -O "$local_path" "$remote_path" || failed=true + else + failed=true fi - if [ "$succeeded" = false ] && __machine_has curl; then - curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" && succeeded=true + if [ "$failed" = true ] && __machine_has curl; then + failed=false + curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" || failed=true fi - if [ "$succeeded" = false ]; then + if [ "$failed" = true ]; then __error "Download failed: $remote_path" 1>&2 return 1 fi From 5d6330e6b19b5454f61ed33c7ffbcac3fcbcbdc2 Mon Sep 17 00:00:00 2001 
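Review bot: On the failure path of `__get_remote_file` (the `return 1` at the end of the `@@ -99,17 +99,16 @@` hunk, left the same by the `@@ -99,16 +99,19 @@` hunk of the following patch) nothing removes `$local_path`, and `wget -O` normally creates or truncates that file before the transfer has succeeded. When the target is `korebuild-lock.txt`, a later run would presumably find the file present, skip the download because of `[ ! -f "$lock_file" ]`, and fail at the version parse instead; adding `rm -f "$local_path"` before `return 1` avoids leaving a partial file behind. The `1>&2` on the `__error` call is redundant, since `__error` already writes to stderr. The function begins above the hunk.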
From: Pranav K Date: Thu, 17 Aug 2017 14:59:12 -0700 Subject: [PATCH 378/493] Pinning versions for 2.0.0 --- NuGet.config | 2 +- build/dependencies.props | 17 +++++++++-------- ...AspNetCore.Cryptography.Internal.Test.csproj | 2 +- ...tCore.Cryptography.KeyDerivation.Test.csproj | 2 +- ...Core.DataProtection.Abstractions.Test.csproj | 2 +- ...Core.DataProtection.AzureStorage.Test.csproj | 2 +- ...etCore.DataProtection.Extensions.Test.csproj | 2 +- ....AspNetCore.DataProtection.Redis.Test.csproj | 2 +- ...rosoft.AspNetCore.DataProtection.Test.csproj | 2 +- version.props | 1 - 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/NuGet.config b/NuGet.config index 37f0d27ea0..6a62aeda63 100644 --- a/NuGet.config +++ b/NuGet.config @@ -2,7 +2,7 @@ - + diff --git a/build/dependencies.props b/build/dependencies.props index 8293dd82b8..b32cbf333c 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,15 +1,16 @@  - 2.0.0-* - 4.4.0-* - 2.0.1-* + 2.0.0 + 4.4.0 + 2.0.1-rtm-15400 4.7.49 - 2.0.0-* - 2.0.0-* + 2.0.0 + 2.0.0 1.2.4 - 2.0.0-* - 15.3.0-* - 2.3.0-beta2-* + 2.0.0 + 15.3.0 + 2.3.0-beta2-build3683 + 2.3.0-beta2-build1317 8.1.4 diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 6b455b9067..4ae08cfafd 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -19,7 +19,7 @@ - + diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index a2b9f2d39c..f3a89ed8ac 100644 
--- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -20,7 +20,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 4a5375118b..f0ba469499 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -20,7 +20,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index cafd48aa69..1af35a2f05 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -18,7 +18,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 3fe0d683b7..6072bb32f8 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -20,7 +20,7 @@ - + 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 8760c8feb0..2b7f018dad 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -21,7 +21,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 6dd58b3e0b..735a3b89fe 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -22,7 +22,7 @@ - + diff --git a/version.props b/version.props index eba6b16756..e69e2c659c 100644 --- a/version.props +++ b/version.props @@ -2,6 +2,5 @@ 2.0.0 - rtm From 8ed38f5dcf4ed461d5066cf6e43088a94dab4275 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 22 Aug 2017 15:01:11 -0700 Subject: [PATCH 379/493] Upgrade to xunit 2.3.0-beta4 --- build/dependencies.props | 4 ++-- ...PT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs | 5 +---- .../WeakReferenceHelpersTests.cs | 9 +++------ .../DataProtectionCommonExtensionsTests.cs | 4 ++-- .../DataProtectionAdvancedExtensionsTests.cs | 3 +-- .../DataProtectionProviderTests.cs | 6 +++--- .../TimeLimitedDataProtectorTests.cs | 20 +++++++++---------- .../KeyRingBasedDataProtectorTests.cs | 17 +++++++--------- .../KeyManagement/KeyRingTests.cs | 6 ++---- .../KeyManagement/XmlKeyManagerTests.cs | 4 ++-- .../RegistryPolicyResolverTests.cs | 4 ++-- 11 files changed, 35 insertions(+), 47 deletions(-) 
diff --git a/build/dependencies.props b/build/dependencies.props index 4502c0eba6..a3bda1eab5 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -8,8 +8,8 @@ 2.0.0-* 1.2.4 2.0.0-* - 15.3.0-* - 2.3.0-beta2-* + 15.3.0 + 2.3.0-beta4-build3742 8.1.4 diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs index a455fd571f..69dfcdfe03 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs @@ -11,11 +11,8 @@ namespace Microsoft.AspNetCore.Cryptography.Cng [Fact] public void Init_SetsProperties() { - // Arrange - BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO cipherModeInfo; - // Act - BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out cipherModeInfo); + BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out var cipherModeInfo); // Assert Assert.Equal((uint)sizeof(BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO), cipherModeInfo.cbSize); diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs index 8bdfddc030..da66146b07 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs @@ -20,10 +20,9 @@ namespace Microsoft.AspNetCore.Cryptography var retVal = WeakReferenceHelpers.GetSharedInstance(ref wr, () => newInstance); // Assert - MyDisposable target; Assert.NotNull(wr); Assert.NotSame(wrOriginal, wr); - Assert.True(wr.TryGetTarget(out target)); + Assert.True(wr.TryGetTarget(out var target)); Assert.Same(newInstance, target); Assert.Same(newInstance, retVal); Assert.False(newInstance.HasBeenDisposed); 
@@ -40,9 +39,8 @@ namespace Microsoft.AspNetCore.Cryptography var retVal = WeakReferenceHelpers.GetSharedInstance(ref wr, () => newInstance); // Assert - MyDisposable target; Assert.NotNull(wr); - Assert.True(wr.TryGetTarget(out target)); + Assert.True(wr.TryGetTarget(out var target)); Assert.Same(newInstance, target); Assert.Same(newInstance, retVal); Assert.False(newInstance.HasBeenDisposed); @@ -65,9 +63,8 @@ namespace Microsoft.AspNetCore.Cryptography }); // Assert - MyDisposable target; Assert.NotNull(wr); - Assert.True(wr.TryGetTarget(out target)); + Assert.True(wr.TryGetTarget(out var target)); Assert.Same(instanceThatWillBeCreatedFirst, target); Assert.Same(instanceThatWillBeCreatedFirst, retVal); Assert.False(instanceThatWillBeCreatedFirst.HasBeenDisposed); diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs index c6eee2eddc..cfd4f3b41f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs @@ -251,7 +251,7 @@ namespace Microsoft.AspNetCore.DataProtection { mockProtector.Object.Protect("Hello\ud800"); }); - Assert.IsAssignableFrom(typeof(EncoderFallbackException), ex.InnerException); + Assert.IsAssignableFrom(ex.InnerException); } [Fact] @@ -293,7 +293,7 @@ namespace Microsoft.AspNetCore.DataProtection { mockProtector.Object.Unprotect("AQIDBAU"); }); - Assert.IsAssignableFrom(typeof(DecoderFallbackException), ex.InnerException); + Assert.IsAssignableFrom(ex.InnerException); } [Fact] diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs index 11fa056a4b..c98aff6c8f 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs @@ -86,8 +86,7 @@ namespace Microsoft.AspNetCore.DataProtection mockDataProtector.Setup(o => o.Unprotect(new byte[] { 0x01, 0x02 }, out controlExpiration)).Returns(Encoding.UTF8.GetBytes("this is plaintext")); // Act - DateTimeOffset testExpiration; - string unprotectedPayload = mockDataProtector.Object.Unprotect(SampleEncodedString, out testExpiration); + string unprotectedPayload = mockDataProtector.Object.Unprotect(SampleEncodedString, out var testExpiration); // Assert Assert.Equal("this is plaintext", unprotectedPayload); diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index dee13c5ca1..fc73e1397d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -30,7 +30,7 @@ namespace Microsoft.AspNetCore.DataProtection // Step 3: validate that there's now a single key in the directory and that it's not protected var allFiles = directory.GetFiles(); - Assert.Equal(1, allFiles.Length); + Assert.Single(allFiles); Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); string fileText = File.ReadAllText(allFiles[0].FullName); Assert.Contains("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); 
@@ -106,7 +106,7 @@ namespace Microsoft.AspNetCore.DataProtection // Step 3: validate that there's now a single key in the directory and that it's protected with DPAPI var allFiles = directory.GetFiles(); - Assert.Equal(1, allFiles.Length); + Assert.Single(allFiles); Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); string fileText = File.ReadAllText(allFiles[0].FullName); Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); @@ -141,7 +141,7 @@ namespace Microsoft.AspNetCore.DataProtection // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate var allFiles = directory.GetFiles(); - Assert.Equal(1, allFiles.Length); + Assert.Single(allFiles); Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); string fileText = File.ReadAllText(allFiles[0].FullName); Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs index 45f8175615..6f71977154 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs @@ -78,8 +78,7 @@ namespace Microsoft.AspNetCore.DataProtection var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object); // Act - DateTimeOffset actualExpiration; - var retVal = timeLimitedProtector.UnprotectCore(new byte[] { 0x10, 0x11 }, now, out actualExpiration); + var retVal = timeLimitedProtector.UnprotectCore(new byte[] { 0x10, 0x11 }, now, out var actualExpiration); // Assert Assert.Equal(expectedExpiration, actualExpiration); 
@@ -103,8 +102,8 @@ namespace Microsoft.AspNetCore.DataProtection var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object); // Act & assert - DateTimeOffset unused; - var ex = Assert.Throws(() => timeLimitedProtector.UnprotectCore(new byte[] { 0x10, 0x11 }, now, out unused)); + var ex = Assert.Throws(() + => timeLimitedProtector.UnprotectCore(new byte[] { 0x10, 0x11 }, now, out var _)); // Assert Assert.Equal(Resources.FormatTimeLimitedDataProtector_PayloadExpired(expectedExpiration), ex.Message); @@ -124,8 +123,8 @@ namespace Microsoft.AspNetCore.DataProtection var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object); // Act & assert - DateTimeOffset unused; - var ex = Assert.Throws(() => timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 }, out unused)); + var ex = Assert.Throws(() + => timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 }, out var _)); // Assert Assert.Equal(Resources.TimeLimitedDataProtector_PayloadInvalid, ex.Message); @@ -141,8 +140,8 @@ namespace Microsoft.AspNetCore.DataProtection var timeLimitedProtector = new TimeLimitedDataProtector(mockInnerProtector.Object); // Act & assert - DateTimeOffset unused; - var ex = Assert.Throws(() => timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 }, out unused)); + var ex = Assert.Throws(() + => timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 }, out var _)); // Assert Assert.Equal(Resources.CryptCommon_GenericError, ex.Message); 
@@ -162,8 +161,9 @@ namespace Microsoft.AspNetCore.DataProtection byte[] timeLimitedProtectedPayload = timeLimitedProtector.Protect(new byte[] { 0x11, 0x22, 0x33, 0x44 }, expectedExpiration); // Assert - DateTimeOffset actualExpiration; - Assert.Equal(new byte[] { 0x11, 0x22, 0x33, 0x44 }, timeLimitedProtector.UnprotectCore(timeLimitedProtectedPayload, StringToDateTime("2010-01-01 00:00:00Z"), out actualExpiration)); + Assert.Equal( + new byte[] { 0x11, 0x22, 0x33, 0x44 }, + timeLimitedProtector.UnprotectCore(timeLimitedProtectedPayload, StringToDateTime("2010-01-01 00:00:00Z"), out var actualExpiration)); Assert.Equal(expectedExpiration, actualExpiration); // the two providers shouldn't be able to talk to one another (due to the purpose chaining) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs index eb8d35fef0..d28ea7ff84 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs @@ -122,7 +122,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement // Act & assert var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Protect(new byte[0])); - Assert.IsAssignableFrom(typeof(MockException), ex.InnerException); + Assert.IsAssignableFrom(ex.InnerException); } [Fact] @@ -291,11 +291,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement newPurpose: "purpose"); // Act - bool requiresMigration, wasRevoked; byte[] retVal = ((IPersistedDataProtector)protector).DangerousUnprotect(protectedData, ignoreRevocationErrors: true, - requiresMigration: out requiresMigration, - wasRevoked: out wasRevoked); + requiresMigration: out var requiresMigration, + wasRevoked: out var wasRevoked); // Assert Assert.Equal(expectedPlaintext, retVal); 
@@ -342,11 +341,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.Equal(expectedPlaintext, retVal); // Act & assert - IPersistedDataProtector - bool requiresMigration, wasRevoked; retVal = ((IPersistedDataProtector)protector).DangerousUnprotect(protectedData, ignoreRevocationErrors: false, - requiresMigration: out requiresMigration, - wasRevoked: out wasRevoked); + requiresMigration: out var requiresMigration, + wasRevoked: out var wasRevoked); Assert.Equal(expectedPlaintext, retVal); Assert.False(requiresMigration); Assert.False(wasRevoked); @@ -393,11 +391,10 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement Assert.Equal(expectedPlaintext, retVal); // Act & assert - IPersistedDataProtector - bool requiresMigration, wasRevoked; retVal = ((IPersistedDataProtector)protector).DangerousUnprotect(protectedData, ignoreRevocationErrors: false, - requiresMigration: out requiresMigration, - wasRevoked: out wasRevoked); + requiresMigration: out var requiresMigration, + wasRevoked: out var wasRevoked); Assert.Equal(expectedPlaintext, retVal); Assert.True(requiresMigration); Assert.False(wasRevoked); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs index 4d137986fa..177c7c5d63 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs @@ -57,9 +57,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var keyRing = new KeyRing(key3, new[] { key1, key2 }); // Assert - bool unused; Assert.Equal(key3.KeyId, keyRing.DefaultKeyId); - Assert.Equal(key3.CreateEncryptor(), keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out unused)); + Assert.Equal(key3.CreateEncryptor(), keyRing.GetAuthenticatedEncryptorByKeyId(key3.KeyId, out var _)); } [Fact] 
@@ -77,9 +76,8 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var keyRing = new KeyRing(key2, new[] { key1, key2 }); // Assert - bool isRevoked; Assert.Equal(0, key1.NumTimesCreateEncryptorInstanceCalled); - Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); + Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out var isRevoked)); Assert.True(isRevoked); Assert.Equal(1, key1.NumTimesCreateEncryptorInstanceCalled); Assert.Same(expectedEncryptorInstance1, keyRing.GetAuthenticatedEncryptorByKeyId(key1.KeyId, out isRevoked)); diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index 231e0c7b15..ba9f21be61 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs @@ -476,7 +476,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); // Assert - Assert.Equal(1, keys.Length); + Assert.Single(keys); Assert.Equal(new Guid("09712588-ba68-438a-a5ee-fe842b3453b2"), keys[0].KeyId); Assert.Same(expectedDescriptor, keys[0].Descriptor); } @@ -515,7 +515,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement var keys = RunGetAllKeysCore(xml, mockActivator.Object).ToArray(); // Assert - Assert.Equal(1, keys.Length); + Assert.Single(keys); Assert.Equal(new Guid("49c0cda9-0232-4d8c-a541-de20cc5a73d6"), keys[0].KeyId); Assert.Same(expectedDescriptor, keys[0].Descriptor); } diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs index d2de2cde39..d10fd872cd 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs @@ -55,8 +55,8 @@ namespace Microsoft.AspNetCore.DataProtection // Assert var actualKeyEscrowSinks = context.KeyEscrowSinks.ToArray(); Assert.Equal(2, actualKeyEscrowSinks.Length); - Assert.IsType(typeof(MyKeyEscrowSink1), actualKeyEscrowSinks[0]); - Assert.IsType(typeof(MyKeyEscrowSink2), actualKeyEscrowSinks[1]); + Assert.IsType(actualKeyEscrowSinks[0]); + Assert.IsType(actualKeyEscrowSinks[1]); } [ConditionalFact] From 28acde451e713e23c8ef736c5cca577bba1574b2 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Tue, 29 Aug 2017 09:14:03 -0700 Subject: [PATCH 380/493] Use Directory.Build.props/targets --- appveyor.yml => .appveyor.yml | 0 build/common.props => Directory.Build.props | 12 ++++-------- Directory.Build.targets | 2 ++ samples/AzureBlob/AzureBlob.csproj | 4 +--- .../CustomEncryptorSample.csproj | 2 -- .../KeyManagementSample/KeyManagementSample.csproj | 2 -- samples/NonDISample/NonDISample.csproj | 2 -- samples/Redis/Redis.csproj | 4 +--- src/Directory.Build.props | 7 +++++++ ...Microsoft.AspNetCore.Cryptography.Internal.csproj | 2 -- ...soft.AspNetCore.Cryptography.KeyDerivation.csproj | 2 -- ...oft.AspNetCore.DataProtection.Abstractions.csproj | 4 +--- ...oft.AspNetCore.DataProtection.AzureStorage.csproj | 2 -- ...osoft.AspNetCore.DataProtection.Extensions.csproj | 2 -- .../Microsoft.AspNetCore.DataProtection.Redis.csproj | 2 -- ...rosoft.AspNetCore.DataProtection.SystemWeb.csproj | 2 -- .../Microsoft.AspNetCore.DataProtection.csproj | 2 -- test/Directory.Build.props | 12 ++++++++++++ ...soft.AspNetCore.Cryptography.Internal.Test.csproj | 9 --------- ...AspNetCore.Cryptography.KeyDerivation.Test.csproj | 9 --------- ...spNetCore.DataProtection.Abstractions.Test.csproj | 10 ---------- ...spNetCore.DataProtection.AzureStorage.Test.csproj | 7 ------- ....AspNetCore.DataProtection.Extensions.Test.csproj | 10 ---------- ...osoft.AspNetCore.DataProtection.Redis.Test.csproj | 7 ------- .../Microsoft.AspNetCore.DataProtection.Test.csproj | 7 ------- 25 files changed, 28 insertions(+), 96 deletions(-) rename appveyor.yml => .appveyor.yml (100%) rename build/common.props => Directory.Build.props (60%) create mode 100644 Directory.Build.targets create mode 100644 src/Directory.Build.props create mode 100644 test/Directory.Build.props diff --git a/appveyor.yml b/.appveyor.yml similarity index 100% rename from appveyor.yml rename to .appveyor.yml 
diff --git a/build/common.props b/Directory.Build.props similarity index 60% rename from build/common.props rename to Directory.Build.props index c468ea2192..467b457623 100644 --- a/build/common.props +++ b/Directory.Build.props @@ -1,20 +1,16 @@ - - - + + + Microsoft ASP.NET Core https://github.com/aspnet/DataProtection git - $(MSBuildThisFileDirectory)Key.snk + $(MSBuildThisFileDirectory)build\Key.snk true true $(VersionSuffix)-$(BuildNumber) true - - - - diff --git a/Directory.Build.targets b/Directory.Build.targets new file mode 100644 index 0000000000..f75adf7e4d --- /dev/null +++ b/Directory.Build.targets @@ -0,0 +1,2 @@ + + diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index 899b254265..cf7a08f41a 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -1,6 +1,4 @@ - - - + netcoreapp2.0 diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index 27499c6475..e86fc74819 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -1,7 +1,5 @@  - - net461;netcoreapp2.0 exe diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index 21d821f5da..a1688c3d1b 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -1,7 +1,5 @@  - - net461;netcoreapp2.0 exe diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index d2e3d9a672..5024468371 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -1,7 +1,5 @@  - - net461;netcoreapp2.0 exe diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 58a63baa17..16736aec13 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj 
@@ -1,6 +1,4 @@ - - - + net461;netcoreapp2.0 diff --git a/src/Directory.Build.props b/src/Directory.Build.props new file mode 100644 index 0000000000..d704a37df9 --- /dev/null +++ b/src/Directory.Build.props @@ -0,0 +1,7 @@ + + + + + + + diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj index 8fe369a218..ff4ef3babe 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj @@ -1,7 +1,5 @@  - - Infrastructure for ASP.NET Core cryptographic packages. Applications and libraries should not reference this package directly. netstandard2.0 diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj index 478845ec47..14940b2c46 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj @@ -1,7 +1,5 @@  - - ASP.NET Core utilities for key derivation. netstandard2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj index 936785fab3..a6b020bcf8 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj 
@@ -1,7 +1,5 @@  - - ASP.NET Core data protection abstractions. Commonly used types: @@ -17,7 +15,7 @@ Microsoft.AspNetCore.DataProtection.IDataProtector - + diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index 57a9cbc921..fb1f59cfe9 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -1,7 +1,5 @@  - - Microsoft Azure Blob storrage support as key store. netstandard2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj index c5e139b89b..23cabc49ed 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj @@ -1,7 +1,5 @@  - - Additional APIs for ASP.NET Core data protection. netstandard2.0 diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index a522675670..71ca540524 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -1,7 +1,5 @@  - - Redis storage support as key store. 0.4.0 
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj index 76f71bd615..0e49192de6 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj @@ -1,7 +1,5 @@  - - A component to allow the ASP.NET Core data protection stack to work with the ASP.NET 4.x <machineKey> element. net461 diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index 6495b57699..961e01f740 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -1,7 +1,5 @@  - - ASP.NET Core logic to protect and unprotect data, similar to DPAPI. netstandard2.0 diff --git a/test/Directory.Build.props b/test/Directory.Build.props new file mode 100644 index 0000000000..cc247eb9cf --- /dev/null +++ b/test/Directory.Build.props @@ -0,0 +1,12 @@ + + + + + + + + + + + + diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 6b455b9067..483ddeda3f 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -1,7 +1,5 @@  - - netcoreapp2.0;net461 netcoreapp2.0 @@ -16,11 +14,4 @@ - - - - - - - 
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index a2b9f2d39c..31a604f305 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -1,7 +1,5 @@  - - netcoreapp2.0;net461 netcoreapp2.0 @@ -17,11 +15,4 @@ - - - - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index 4a5375118b..ccb99debff 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -1,7 +1,5 @@  - - netcoreapp2.0;net461 netcoreapp2.0 @@ -16,12 +14,4 @@ - - - - - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index cafd48aa69..9adb802018 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -1,7 +1,5 @@  - - netcoreapp2.0;net461 netcoreapp2.0 @@ -14,12 +12,7 @@ - - - - - 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 3fe0d683b7..63889be38c 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -1,7 +1,5 @@  - - netcoreapp2.0;net461 netcoreapp2.0 @@ -16,12 +14,4 @@ - - - - - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 8760c8feb0..5a6fefaf14 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -1,7 +1,5 @@  - - netcoreapp2.0;net461 netcoreapp2.0 @@ -17,12 +15,7 @@ - - - - - diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 6dd58b3e0b..8197797b05 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -1,7 +1,5 @@  - - netcoreapp2.0;net461 netcoreapp2.0 @@ -18,12 +16,7 @@ - - - - - From 9b45e7f118efa86af18027f461bfbd81fd17bbd4 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Tue, 29 Aug 2017 09:16:24 -0700 Subject: [PATCH 381/493] Use PackageLineup to manage PackageReference versions --- Directory.Build.props | 1 - Directory.Build.targets | 14 +++++++++++++- NuGet.config | 1 - build/dependencies.props | 15 --------------- build/repo.props | 6 ++++++ samples/AzureBlob/AzureBlob.csproj | 6 +++--- .../CustomEncryptorSample.csproj | 4 ++-- samples/Redis/Redis.csproj | 6 +++--- src/Directory.Build.props | 2 +- ....AspNetCore.DataProtection.Abstractions.csproj | 2 +- ....AspNetCore.DataProtection.AzureStorage.csproj | 2 +- ...ft.AspNetCore.DataProtection.Extensions.csproj | 2 +- ...crosoft.AspNetCore.DataProtection.Redis.csproj | 2 +- ...oft.AspNetCore.DataProtection.SystemWeb.csproj | 2 +- .../Microsoft.AspNetCore.DataProtection.csproj | 12 ++++++------ test/Directory.Build.props | 12 ++++++------ ...etCore.DataProtection.AzureStorage.Test.csproj | 2 +- ...ft.AspNetCore.DataProtection.Redis.Test.csproj | 2 +- ...icrosoft.AspNetCore.DataProtection.Test.csproj | 4 ++-- 19 files changed, 49 insertions(+), 48 deletions(-) delete mode 100644 build/dependencies.props create mode 100644 build/repo.props diff --git a/Directory.Build.props b/Directory.Build.props index 467b457623..3fd0dd0850 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -1,5 +1,4 @@  - diff --git a/Directory.Build.targets b/Directory.Build.targets index f75adf7e4d..bc118fd907 100644 --- a/Directory.Build.targets +++ b/Directory.Build.targets @@ -1,2 +1,14 @@ - + + + + <_BootstrapperFile Condition=" $([MSBuild]::IsOSUnixLike()) ">build.sh + <_BootstrapperFile Condition="! $([MSBuild]::IsOSUnixLike()) ">build.cmd + <_BootstrapperError> + Package references have not been pinned. Run './$(_BootstrapperFile) /t:Pin'. + Also, you can run './$(_BootstrapperFile) /t:Restore' which will pin *and* restore packages. '$(_BootstrapperFile)' can be found in '$(MSBuildThisFileDirectory)'. + + + + + 
diff --git a/NuGet.config b/NuGet.config index 4e8a1f6de1..20060c934e 100644 --- a/NuGet.config +++ b/NuGet.config @@ -3,7 +3,6 @@ - diff --git a/build/dependencies.props b/build/dependencies.props deleted file mode 100644 index a3bda1eab5..0000000000 --- a/build/dependencies.props +++ /dev/null @@ -1,15 +0,0 @@ - - - 2.1.0-* - 4.4.0-* - 2.1.1-* - 4.7.49 - 2.0.0-* - 2.0.0-* - 1.2.4 - 2.0.0-* - 15.3.0 - 2.3.0-beta4-build3742 - 8.1.4 - - diff --git a/build/repo.props b/build/repo.props new file mode 100644 index 0000000000..13fe1c296a --- /dev/null +++ b/build/repo.props @@ -0,0 +1,6 @@ + + + + + + diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index cf7a08f41a..36a54d88da 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -11,9 +11,9 @@ - - - + + + diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index e86fc74819..cd0cebef55 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -11,8 +11,8 @@ - - + + diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 16736aec13..780154b570 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -10,9 +10,9 @@ - - - + + + diff --git a/src/Directory.Build.props b/src/Directory.Build.props index d704a37df9..9d9a3de33a 100644 --- a/src/Directory.Build.props +++ b/src/Directory.Build.props @@ -2,6 +2,6 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj index a6b020bcf8..9865ffc812 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj @@ -15,7 +15,7 @@ Microsoft.AspNetCore.DataProtection.IDataProtector - + diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index fb1f59cfe9..69013b6942 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -13,7 +13,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj index 23cabc49ed..63778dca70 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj @@ -16,7 +16,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 71ca540524..09231f21cd 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -15,7 +15,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj index 0e49192de6..6e013cd1c2 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj @@ -17,7 +17,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index 961e01f740..8779798c57 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -19,12 +19,12 @@ - - - - - - + + + + + + diff --git a/test/Directory.Build.props b/test/Directory.Build.props index cc247eb9cf..3a86391d57 100644 --- a/test/Directory.Build.props +++ b/test/Directory.Build.props @@ -2,11 +2,11 @@ - - - - - - + + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 9adb802018..56872ed370 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -12,7 +12,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 5a6fefaf14..b5c4f54979 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -15,7 +15,7 @@ - + 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 8197797b05..77394665b2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -15,8 +15,8 @@ - - + + From ee009982dc96171cf62ab4542aaf7c9cff984390 Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Mon, 11 Sep 2017 08:51:56 -0700 Subject: [PATCH 382/493] Add KeyVault encryption to DataProtection (#273) --- DataProtection.sln | 39 +++++- samples/AzureKeyVault/AzureKeyVault.csproj | 20 +++ samples/AzureKeyVault/Program.cs | 44 +++++++ samples/AzureKeyVault/settings.json | 5 + .../AzureDataProtectionBuilderExtensions.cs | 118 ++++++++++++++++++ .../AzureKeyVaultXmlDecryptor.cs | 52 ++++++++ .../AzureKeyVaultXmlEncryptor.cs | 77 ++++++++++++ .../IKeyVaultWrappingClient.cs | 14 +++ .../KeyVaultClientWrapper.cs | 29 +++++ ...etCore.DataProtection.AzureKeyVault.csproj | 20 +++ .../Properties/AssemblyInfo.cs | 9 ++ .../XmlEncryption/XmlEncryptionExtensions.cs | 1 - .../AzureKeyVaultXmlEncryptorTests.cs | 78 ++++++++++++ ...e.DataProtection.AzureKeyVault.Test.csproj | 18 +++ 14 files changed, 521 insertions(+), 3 deletions(-) create mode 100644 samples/AzureKeyVault/AzureKeyVault.csproj create mode 100644 samples/AzureKeyVault/Program.cs create mode 100644 samples/AzureKeyVault/settings.json create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj create mode 100644 src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs create mode 100644 
test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj diff --git a/DataProtection.sln b/DataProtection.sln index ead0e13a92..4c1adcfabb 100644 --- a/DataProtection.sln +++ b/DataProtection.sln @@ -1,6 +1,6 @@ Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 15 -VisualStudioVersion = 15.0.26504.1 +VisualStudioVersion = 15.0.26814.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject @@ -10,7 +10,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{E1D86B1B-41D8-43C9-97FD-C2BF65C414E2}" ProjectSection(SolutionItems) = preProject - build\common.props = build\common.props build\dependencies.props = build\dependencies.props NuGet.config = NuGet.config EndProjectSection 
@@ -55,6 +54,12 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "KeyManagementSample", "samp EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CustomEncryptorSample", "samples\CustomEncryptorSample\CustomEncryptorSample.csproj", "{F4D59BBD-6145-4EE0-BA6E-AD03605BF151}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.AzureKeyVault", "src\Microsoft.AspNetCore.DataProtection.AzureKeyVault\Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj", "{4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AzureKeyVault", "samples\AzureKeyVault\AzureKeyVault.csproj", "{295E8539-5450-4764-B3F5-51F968628022}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test", "test\Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test\Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj", "{C85ED942-8121-453F-8308-9DB730843B63}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -219,6 +224,30 @@ Global {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Release|Any CPU.Build.0 = Release|Any CPU {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Release|x86.ActiveCfg = Release|Any CPU {F4D59BBD-6145-4EE0-BA6E-AD03605BF151}.Release|x86.Build.0 = Release|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Debug|Any CPU.Build.0 = Debug|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Debug|x86.ActiveCfg = Debug|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Debug|x86.Build.0 = Debug|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Release|Any CPU.ActiveCfg = Release|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Release|Any CPU.Build.0 = Release|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Release|x86.ActiveCfg = Release|Any CPU + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9}.Release|x86.Build.0 = Release|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Debug|Any CPU.Build.0 = Debug|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Debug|x86.ActiveCfg = Debug|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Debug|x86.Build.0 = Debug|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Release|Any CPU.ActiveCfg = Release|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Release|Any CPU.Build.0 = Release|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Release|x86.ActiveCfg = Release|Any CPU + {295E8539-5450-4764-B3F5-51F968628022}.Release|x86.Build.0 = Release|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Debug|x86.ActiveCfg = Debug|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Debug|x86.Build.0 = Debug|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Release|Any 
CPU.Build.0 = Release|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Release|x86.ActiveCfg = Release|Any CPU + {C85ED942-8121-453F-8308-9DB730843B63}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -244,5 +273,11 @@ Global {32CF970B-E2F1-4CD9-8DB3-F5715475373A} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} {6E066F8D-2910-404F-8949-F58125E28495} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} {F4D59BBD-6145-4EE0-BA6E-AD03605BF151} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} + {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {295E8539-5450-4764-B3F5-51F968628022} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} + {C85ED942-8121-453F-8308-9DB730843B63} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {DD305D75-BD1B-43AE-BF04-869DA6A0858F} EndGlobalSection EndGlobal diff --git a/samples/AzureKeyVault/AzureKeyVault.csproj b/samples/AzureKeyVault/AzureKeyVault.csproj new file mode 100644 index 0000000000..4907ff7925 --- /dev/null +++ b/samples/AzureKeyVault/AzureKeyVault.csproj @@ -0,0 +1,20 @@ + + + + netcoreapp2.0 + exe + + + + + + + + + + + + + + + diff --git a/samples/AzureKeyVault/Program.cs b/samples/AzureKeyVault/Program.cs new file mode 100644 index 0000000000..7d6299f3e5 --- /dev/null +++ b/samples/AzureKeyVault/Program.cs 
@@ -0,0 +1,44 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace ConsoleApplication
+{
+ public class Program
+ {
+ public static void Main(string[] args)
+ {
+ var builder = new ConfigurationBuilder();
+ builder.SetBasePath(Directory.GetCurrentDirectory());
+ builder.AddJsonFile("settings.json");
+ var config = builder.Build();
+
+ var store = new X509Store(StoreLocation.CurrentUser);
+ store.Open(OpenFlags.ReadOnly);
+ var cert = store.Certificates.Find(X509FindType.FindByThumbprint, config["CertificateThumbprint"], false);
+
+ var serviceCollection = new ServiceCollection();
+ serviceCollection.AddLogging();
+ serviceCollection.AddDataProtection()
+ .PersistKeysToFileSystem(new DirectoryInfo("."))
+ .ProtectKeysWithAzureKeyVault(config["KeyId"], config["ClientId"], cert.OfType().Single());
+
+ var serviceProvider = serviceCollection.BuildServiceProvider();
+
+ var loggerFactory = serviceProvider.GetService();
+ loggerFactory.AddConsole();
+
+ var protector = serviceProvider.GetDataProtector("Test");
+
+ Console.WriteLine(protector.Protect("Hello world"));
+ }
+ }
+}
diff --git a/samples/AzureKeyVault/settings.json b/samples/AzureKeyVault/settings.json
new file mode 100644
index 0000000000..ef7d4d81b8
--- /dev/null
+++ b/samples/AzureKeyVault/settings.json
@@ -0,0 +1,5 @@
+{
+ "CertificateThumbprint": "",
+ "KeyId": "",
+ "ClientId": ""
+}
\ No newline at end of file
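Review bot: In `Main` of samples/AzureKeyVault/Program.cs the `X509Store` is opened and never disposed, and `cert.OfType().Single()` fails with a bare `InvalidOperationException` when nothing matches the configured thumbprint, which is the state settings.json ships in. I would wrap the store as `using (var store = new X509Store(StoreLocation.CurrentUser))` and check `cert.Count == 0` with a message that names the `CertificateThumbprint` setting. The `Find` call passes `false` for `validOnly`, so an expired or untrusted certificate is accepted as the Key Vault client credential; since samples get copied, a comment such as `// validOnly: false accepts self-signed test certificates; use true outside of samples` would help. `PersistKeysToFileSystem(new DirectoryInfo("."))` puts the key ring in the working directory and deserves a similar one-line comment.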
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
new file mode 100644
index 0000000000..0701220b4b
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
@@ -0,0 +1,118 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.DataProtection.AzureKeyVault;
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.Azure.KeyVault;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+
+namespace Microsoft.AspNetCore.DataProtection
+{
+ ///
+ /// Contains Azure KeyVault-specific extension methods for modifying a .
+ ///
+ public static class AzureDataProtectionBuilderExtensions
+ {
+ ///
+ /// Configures the data protection system to protect keys with specified key in Azure KeyVault.
+ ///
+ /// The builder instance to modify.
+ /// The Azure KeyVault key identifier used for key encryption.
+ /// The application client id.
+ ///
+ /// The value .
+ public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, string clientId, X509Certificate2 certificate)
+ {
+ if (string.IsNullOrEmpty(clientId))
+ {
+ throw new ArgumentException(nameof(clientId));
+ }
+ if (certificate == null)
+ {
+ throw new ArgumentNullException(nameof(certificate));
+ }
+
+ KeyVaultClient.AuthenticationCallback callback =
+ (authority, resource, scope) => GetTokenFromClientCertificate(authority, resource, clientId, certificate);
+
+ return ProtectKeysWithAzureKeyVault(builder, new KeyVaultClient(callback), keyIdentifier);
+ }
+
+ private static async Task GetTokenFromClientCertificate(string authority, string resource, string clientId, X509Certificate2 certificate)
+ {
+ var authContext = new AuthenticationContext(authority);
+ var result = await authContext.AcquireTokenAsync(resource, new ClientAssertionCertificate(clientId, certificate));
+ return result.AccessToken;
+ }
+
+ ///
+ /// Configures the data protection system to protect keys with specified key in Azure KeyVault.
+ ///
+ /// The builder instance to modify.
+ /// The Azure KeyVault key identifier used for key encryption.
+ /// The application client id.
+ /// The client secret to use for authentication.
+ /// The value .
+ public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, string clientId, string clientSecret)
+ {
+ if (string.IsNullOrEmpty(clientId))
+ {
+ throw new ArgumentNullException(nameof(clientId));
+ }
+ if (string.IsNullOrEmpty(clientSecret))
+ {
+ throw new ArgumentNullException(nameof(clientSecret));
+ }
+
+ KeyVaultClient.AuthenticationCallback callback =
+ (authority, resource, scope) => GetTokenFromClientSecret(authority, resource, clientId, clientSecret);
+
+ return ProtectKeysWithAzureKeyVault(builder, new KeyVaultClient(callback), keyIdentifier);
+ }
+
+ private static async Task GetTokenFromClientSecret(string authority, string resource, string clientId, string clientSecret)
+ {
+ var authContext = new AuthenticationContext(authority);
+ var clientCred = new ClientCredential(clientId, clientSecret);
+ var result = await authContext.AcquireTokenAsync(resource, clientCred);
+ return result.AccessToken;
+ }
+
+ ///
+ /// Configures the data protection system to protect keys with specified key in Azure KeyVault.
+ ///
+ /// The builder instance to modify.
+ /// The to use for KeyVault access.
+ /// The Azure KeyVault key identifier used for key encryption.
+ /// The value .
+ public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, KeyVaultClient client, string keyIdentifier)
+ {
+ if (builder == null)
+ {
+ throw new ArgumentNullException(nameof(builder));
+ }
+ if (client == null)
+ {
+ throw new ArgumentNullException(nameof(client));
+ }
+ if (string.IsNullOrEmpty(keyIdentifier))
+ {
+ throw new ArgumentException(nameof(keyIdentifier));
+ }
+
+ var vaultClientWrapper = new KeyVaultClientWrapper(client);
+
+ builder.Services.AddSingleton(vaultClientWrapper);
+ builder.Services.Configure(options =>
+ {
+ options.XmlEncryptor = new AzureKeyVaultXmlEncryptor(vaultClientWrapper, keyIdentifier);
+ });
+
+ return builder;
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
new file mode 100644
index 0000000000..b9942fa84f
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
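Review bot: In AzureDataProtectionBuilderExtensions.cs two of the argument checks pass the parameter name as the exception message: `throw new ArgumentException(nameof(clientId));` in the certificate overload and `throw new ArgumentException(nameof(keyIdentifier));` in the `KeyVaultClient` overload both resolve to the `ArgumentException(string message)` constructor, so the caller gets a message that is only the word `clientId` and no `ParamName`. The client-secret overload throws `ArgumentNullException` for the same empty-string case, so the three overloads disagree. I would use one form throughout, for example `throw new ArgumentException("Value cannot be null or empty.", nameof(clientId));`. The doc line for `certificate` in the first overload appears to be empty and should describe the credential that is expected there.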
@@ -0,0 +1,52 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.IO; +using System.Threading.Tasks; +using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; +using Microsoft.Extensions.DependencyInjection; + +namespace Microsoft.AspNetCore.DataProtection.AzureKeyVault +{ + internal class AzureKeyVaultXmlDecryptor: IXmlDecryptor + { + private readonly IKeyVaultWrappingClient _client; + + public AzureKeyVaultXmlDecryptor(IServiceProvider serviceProvider) + { + _client = serviceProvider.GetService(); + } + + public XElement Decrypt(XElement encryptedElement) + { + return DecryptAsync(encryptedElement).GetAwaiter().GetResult(); + } + + private async Task DecryptAsync(XElement encryptedElement) + { + var kid = (string)encryptedElement.Element("kid"); + var symmetricKey = Convert.FromBase64String((string)encryptedElement.Element("key")); + var symmetricIV = Convert.FromBase64String((string)encryptedElement.Element("iv")); + + var encryptedValue = Convert.FromBase64String((string)encryptedElement.Element("value")); + + var result = await _client.UnwrapKeyAsync(kid, AzureKeyVaultXmlEncryptor.DefaultKeyEncryption, symmetricKey); + + byte[] decryptedValue; + using (var symmetricAlgorithm = AzureKeyVaultXmlEncryptor.DefaultSymmetricAlgorithmFactory()) + { + using (var decryptor = symmetricAlgorithm.CreateDecryptor(result.Result, symmetricIV)) + { + decryptedValue = decryptor.TransformFinalBlock(encryptedValue, 0, encryptedValue.Length); + } + } + + using (var memoryStream = new MemoryStream(decryptedValue)) + { + return XElement.Load(memoryStream); + } + } + } +} \ No newline at end of file 
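Review bot: Nothing in `DecryptAsync` authenticates the stored element before it is used: `value` is decrypted with the algorithm returned by `Aes.Create` (CBC with PKCS7 padding by default) and the result goes straight into `XElement.Load`, with no MAC over `iv` and `value`. Anyone with write access to the key repository can therefore alter the ciphertext, and the `kid` that selects the vault key is read from the same unauthenticated element. The matching `EncryptAsync` in AzureKeyVaultXmlEncryptor.cs writes the element without a tag, so a real fix has to change both sides (encrypt-then-MAC, verified before `CreateDecryptor` is called). Until then I would state the assumption above `DecryptAsync`: `// The element is not integrity-protected here; the key repository must be write-restricted.`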
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs new file mode 100644 index 0000000000..3451c3ded2 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs 
@@ -0,0 +1,77 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.IO; +using System.Security.Cryptography; +using System.Threading.Tasks; +using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.XmlEncryption; +using Microsoft.Azure.KeyVault.WebKey; + +namespace Microsoft.AspNetCore.DataProtection.AzureKeyVault +{ + internal class AzureKeyVaultXmlEncryptor : IXmlEncryptor + { + internal static string DefaultKeyEncryption = JsonWebKeyEncryptionAlgorithm.RSAOAEP; + internal static Func DefaultSymmetricAlgorithmFactory = Aes.Create; + + private readonly RandomNumberGenerator _randomNumberGenerator; + private readonly IKeyVaultWrappingClient _client; + private readonly string _keyId; + + public AzureKeyVaultXmlEncryptor(IKeyVaultWrappingClient client, string keyId) + : this(client, keyId, RandomNumberGenerator.Create()) + { + } + + internal AzureKeyVaultXmlEncryptor(IKeyVaultWrappingClient client, string keyId, RandomNumberGenerator randomNumberGenerator) + { + _client = client; + _keyId = keyId; + _randomNumberGenerator = randomNumberGenerator; + } + + public EncryptedXmlInfo Encrypt(XElement plaintextElement) + { + return EncryptAsync(plaintextElement).GetAwaiter().GetResult(); + } + + private async Task EncryptAsync(XElement plaintextElement) + { + byte[] value; + using (var memoryStream = new MemoryStream()) + { + plaintextElement.Save(memoryStream, SaveOptions.DisableFormatting); + value = memoryStream.ToArray(); + } + + using (var symmetricAlgorithm = DefaultSymmetricAlgorithmFactory()) + { + var symmetricBlockSize = symmetricAlgorithm.BlockSize / 8; + var symmetricKey = new byte[symmetricBlockSize]; + var symmetricIV = new byte[symmetricBlockSize]; + _randomNumberGenerator.GetBytes(symmetricKey); + _randomNumberGenerator.GetBytes(symmetricIV); + + byte[] encryptedValue; + using (var encryptor = 
symmetricAlgorithm.CreateEncryptor(symmetricKey, symmetricIV)) + { + encryptedValue = encryptor.TransformFinalBlock(value, 0, value.Length); + } + + var wrappedKey = await _client.WrapKeyAsync(_keyId, DefaultKeyEncryption, symmetricKey); + + var element = new XElement("encryptedKey", + new XComment(" This key is encrypted with Azure KeyVault. "), + new XElement("kid", wrappedKey.Kid), + new XElement("key", Convert.ToBase64String(wrappedKey.Result)), + new XElement("iv", Convert.ToBase64String(symmetricIV)), + new XElement("value", Convert.ToBase64String(encryptedValue))); + + return new EncryptedXmlInfo(element, typeof(AzureKeyVaultXmlDecryptor)); + } + + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs new file mode 100644 index 0000000000..2347460dc3 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs @@ -0,0 +1,14 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Threading.Tasks; +using Microsoft.Azure.KeyVault.Models; + +namespace Microsoft.AspNetCore.DataProtection.AzureKeyVault +{ + internal interface IKeyVaultWrappingClient + { + Task UnwrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText); + Task WrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText); + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs new file mode 100644 index 0000000000..82fe0649e2 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs 
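Review bot: The data-encryption key in `EncryptAsync` is sized from the block size (`new byte[symmetricBlockSize]`, with `symmetricBlockSize = symmetricAlgorithm.BlockSize / 8`), so it is always 16 bytes, i.e. AES-128, regardless of the `KeySize` reported by the algorithm from `DefaultSymmetricAlgorithmFactory`. Only the IV should follow the block size; the key should be `var symmetricKey = new byte[symmetricAlgorithm.KeySize / 8];`. The expected Base64 values in AzureKeyVaultXmlEncryptorTests would need regenerating after that change. `symmetricKey` and the plaintext `value` buffer also stay in memory after wrapping; `Array.Clear(symmetricKey, 0, symmetricKey.Length);` in a `finally` would shorten their lifetime.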
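Review bot: `WrapKeyAsync` in `IKeyVaultWrappingClient` names its payload `cipherText`, but the encryptor passes it the freshly generated plaintext symmetric key; only `UnwrapKeyAsync` actually receives ciphertext. In key-handling code that name invites the wrong assumption about what is safe to log or persist, so I would rename the parameter to `byte[] key` (or `plainTextKey`). The same rename applies to `KeyVaultClientWrapper.WrapKeyAsync` in the next file.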
@@ -0,0 +1,29 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Threading.Tasks; +using Microsoft.Azure.KeyVault; +using Microsoft.Azure.KeyVault.Models; + +namespace Microsoft.AspNetCore.DataProtection.AzureKeyVault +{ + internal class KeyVaultClientWrapper : IKeyVaultWrappingClient + { + private readonly KeyVaultClient _client; + + public KeyVaultClientWrapper(KeyVaultClient client) + { + _client = client; + } + + public Task UnwrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText) + { + return _client.UnwrapKeyAsync(keyIdentifier, algorithm, cipherText); + } + + public Task WrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText) + { + return _client.WrapKeyAsync(keyIdentifier, algorithm, cipherText); + } + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj new file mode 100644 index 0000000000..ee7b42ab87 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj @@ -0,0 +1,20 @@ + + + + Microsoft Azure KeyVault key encryption support. + netstandard2.0 + true + aspnetcore;dataprotection;azure;keyvault + false + + + + + + + + + + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..c23a3410b7 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs 
@@ -0,0 +1,9 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Reflection; +using System.Resources; +using System.Runtime.CompilerServices; + +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] +[assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs index 74189cfad1..cfc65a44a2 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs 
@@ -46,7 +46,6 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption // the original document or other data structures. The element we pass to // the decryptor should be the child of the 'encryptedSecret' element. var clonedElementWhichRequiresDecryption = new XElement(elementWhichRequiresDecryption); - var innerDoc = new XDocument(clonedElementWhichRequiresDecryption); string decryptorTypeName = (string)clonedElementWhichRequiresDecryption.Attribute(XmlConstants.DecryptorTypeAttributeName); var decryptorInstance = activator.CreateInstance(decryptorTypeName); var decryptedElement = decryptorInstance.Decrypt(clonedElementWhichRequiresDecryption.Elements().Single()); diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs new file mode 100644 index 0000000000..faa9bd1c96 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs 
@@ -0,0 +1,78 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.Linq; +using System.Security.Cryptography; +using System.Threading.Tasks; +using System.Xml.Linq; +using Microsoft.Azure.KeyVault.Models; +using Microsoft.Azure.KeyVault.WebKey; +using Microsoft.Extensions.DependencyInjection; +using Moq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test +{ + public class AzureKeyVaultXmlEncryptorTests + { + [Fact] + public void UsesKeyVaultToEncryptKey() + { + var mock = new Mock(); + mock.Setup(client => client.WrapKeyAsync("key", JsonWebKeyEncryptionAlgorithm.RSAOAEP, It.IsAny())) + .Returns((_, __, data) => Task.FromResult(new KeyOperationResult("KeyId", data.Reverse().ToArray()))); + + var encryptor = new AzureKeyVaultXmlEncryptor(mock.Object, "key", new MockNumberGenerator()); + var result = encryptor.Encrypt(new XElement("Element")); + + var encryptedElement = result.EncryptedElement; + var value = encryptedElement.Element("value"); + + mock.VerifyAll(); + Assert.NotNull(result); + Assert.NotNull(value); + Assert.Equal(typeof(AzureKeyVaultXmlDecryptor), result.DecryptorType); + Assert.Equal("VfLYL2prdymawfucH3Goso0zkPbQ4/GKqUsj2TRtLzsBPz7p7cL1SQaY6I29xSlsPQf6IjxHSz4sDJ427GvlLQ==", encryptedElement.Element("value").Value); + Assert.Equal("AAECAwQFBgcICQoLDA0ODw==", encryptedElement.Element("iv").Value); + Assert.Equal("Dw4NDAsKCQgHBgUEAwIBAA==", encryptedElement.Element("key").Value); + Assert.Equal("KeyId", encryptedElement.Element("kid").Value); + } + + [Fact] + public void UsesKeyVaultToDecryptKey() + { + var mock = new Mock(); + mock.Setup(client => client.UnwrapKeyAsync("KeyId", JsonWebKeyEncryptionAlgorithm.RSAOAEP, It.IsAny())) + .Returns((_, __, data) => Task.FromResult(new KeyOperationResult(null, data.Reverse().ToArray()))) + .Verifiable(); + + var serviceCollection = new 
ServiceCollection(); + serviceCollection.AddSingleton(mock.Object); + + var encryptor = new AzureKeyVaultXmlDecryptor(serviceCollection.BuildServiceProvider()); + + var result = encryptor.Decrypt(XElement.Parse( + @" + KeyId + Dw4NDAsKCQgHBgUEAwIBAA== + AAECAwQFBgcICQoLDA0ODw== + VfLYL2prdymawfucH3Goso0zkPbQ4/GKqUsj2TRtLzsBPz7p7cL1SQaY6I29xSlsPQf6IjxHSz4sDJ427GvlLQ== + ")); + + mock.VerifyAll(); + Assert.NotNull(result); + Assert.Equal("", result.ToString()); + } + + private class MockNumberGenerator : RandomNumberGenerator + { + public override void GetBytes(byte[] data) + { + for (int i = 0; i < data.Length; i++) + { + data[i] = (byte)i; + } + } + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj new file mode 100644 index 0000000000..6983aebb33 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj @@ -0,0 +1,18 @@ + + + + netcoreapp2.0;net461 + netcoreapp2.0 + true + + + + + + + + + + + + From 46dadbb18683164a918873f43624aee3b5b0510c Mon Sep 17 00:00:00 2001 From: Pavel Krymets Date: Mon, 18 Sep 2017 13:43:45 -0700 Subject: [PATCH 383/493] Make RegistryPolicyResolver an interface to fix 3d party DI (#275) --- .../DataProtectionServiceCollectionExtensions.cs | 2 +- .../IRegistryPolicyResolver.cs | 13 +++++++++++++ .../Internal/KeyManagementOptionsSetup.cs | 6 +++--- .../RegistryPolicyResolver.cs | 10 ++-------- 4 files changed, 19 insertions(+), 12 deletions(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs index e951736e1f..b112e9ac68 100644 
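Review bot: `UsesKeyVaultToDecryptKey` only feeds a well-formed element, so nothing pins how `Decrypt` behaves on a damaged key-ring entry (missing `key`/`iv`/`value`, or invalid Base64), which is the case where an operator most needs a clear failure. I would add a negative case asserting that the call fails before Key Vault is contacted; the sketch below uses a constructed element that carries only `kid`. Smaller points in the same hunk: the local in that test is named `encryptor` although it holds an `AzureKeyVaultXmlDecryptor`, and `Assert.NotNull(result)` in `UsesKeyVaultToEncryptKey` runs after `result.EncryptedElement` has already been dereferenced.

```csharp
// … unchanged: UsesKeyVaultToEncryptKey, UsesKeyVaultToDecryptKey …

[Fact]
public void DecryptFailsBeforeCallingKeyVaultWhenKeyElementIsMissing()
{
    var mock = new Mock<IKeyVaultWrappingClient>();

    var serviceCollection = new ServiceCollection();
    serviceCollection.AddSingleton<IKeyVaultWrappingClient>(mock.Object);

    var decryptor = new AzureKeyVaultXmlDecryptor(serviceCollection.BuildServiceProvider());

    // Constructed sample: an entry that lost everything except its key id.
    var damaged = XElement.Parse("<encryptedKey><kid>KeyId</kid></encryptedKey>");

    Assert.Throws<System.ArgumentNullException>(() => decryptor.Decrypt(damaged));
    mock.Verify(
        client => client.UnwrapKeyAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<byte[]>()),
        Times.Never());
}

// … unchanged: MockNumberGenerator …
```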
--- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs @@ -67,7 +67,7 @@ namespace Microsoft.Extensions.DependencyInjection { if (OSVersionUtil.IsWindows()) { - services.TryAddSingleton(); + services.TryAddSingleton(); } services.TryAddEnumerable( diff --git a/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs new file mode 100644 index 0000000000..b188bf40f7 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs @@ -0,0 +1,13 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +namespace Microsoft.AspNetCore.DataProtection +{ + // Single implementation of this interface is conditionally added to DI on Windows + // We have to use interface because some DI implementations would try to activate class + // even if it was not registered causing problems crossplat + internal interface IRegistryPolicyResolver + { + RegistryPolicy ResolvePolicy(); + } +} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs b/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs index a197b7ceba..10707c9cab 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs @@ -13,7 +13,7 @@ namespace Microsoft.AspNetCore.DataProtection.Internal { internal class KeyManagementOptionsSetup : IConfigureOptions { - private readonly RegistryPolicyResolver _registryPolicyResolver; + private readonly IRegistryPolicyResolver _registryPolicyResolver; private readonly ILoggerFactory _loggerFactory; public KeyManagementOptionsSetup() 
@@ -26,12 +26,12 @@ namespace Microsoft.AspNetCore.DataProtection.Internal { } - public KeyManagementOptionsSetup(RegistryPolicyResolver registryPolicyResolver) + public KeyManagementOptionsSetup(IRegistryPolicyResolver registryPolicyResolver) : this(NullLoggerFactory.Instance, registryPolicyResolver) { } - public KeyManagementOptionsSetup(ILoggerFactory loggerFactory, RegistryPolicyResolver registryPolicyResolver) + public KeyManagementOptionsSetup(ILoggerFactory loggerFactory, IRegistryPolicyResolver registryPolicyResolver) { _loggerFactory = loggerFactory; _registryPolicyResolver = registryPolicyResolver; diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs index a6f63ee9a1..d3357fa34d 100644 --- a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs +++ b/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs @@ -17,7 +17,7 @@ namespace Microsoft.AspNetCore.DataProtection /// /// A type which allows reading policy from the system registry. /// - internal sealed class RegistryPolicyResolver + internal sealed class RegistryPolicyResolver: IRegistryPolicyResolver { private readonly Func _getPolicyRegKey; private readonly IActivator _activator; @@ -88,13 +88,7 @@ namespace Microsoft.AspNetCore.DataProtection return sinks; } - /// - /// Returns a from the default registry location. - /// - public static RegistryPolicy ResolveDefaultPolicy(IActivator activator) - => new RegistryPolicyResolver(activator).ResolvePolicy(); - - internal RegistryPolicy ResolvePolicy() + public RegistryPolicy ResolvePolicy() { using (var registryKey = _getPolicyRegKey()) { From 20be69a075da2c4330b138c37e86a4973382bfdf Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Wed, 20 Sep 2017 17:16:17 -0700 Subject: [PATCH 384/493] Bump version to 2.0.1 and update build scripts, tools, and dependencies for 2.0.x --- .gitignore | 4 + Directory.Build.targets | 4 + NuGet.config | 1 + build.cmd | 2 +- build.ps1 | 223 ++++++++++++---- build.sh | 248 +++++++++++++++--- build/common.props | 1 - build/dependencies.targets | 142 ++++++++++ korebuild.json | 4 + ...oft.AspNetCore.DataProtection.Redis.csproj | 2 +- version.props | 8 +- 11 files changed, 545 insertions(+), 94 deletions(-) create mode 100644 Directory.Build.targets create mode 100644 build/dependencies.targets create mode 100644 korebuild.json diff --git a/.gitignore b/.gitignore index 5af949b050..6e67c4a464 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,7 @@ project.lock.json .testPublish/ samples/**/temp-keys/ global.json + +korebuild-lock.txt +*.g.targets + diff --git a/Directory.Build.targets b/Directory.Build.targets new file mode 100644 index 0000000000..d8f1db62cd --- /dev/null +++ b/Directory.Build.targets @@ -0,0 +1,4 @@ + + + + diff --git a/NuGet.config b/NuGet.config index 6a62aeda63..21510b3a41 100644 --- a/NuGet.config +++ b/NuGet.config @@ -2,6 +2,7 @@ + diff --git a/build.cmd b/build.cmd index 7d4894cb4a..b6c8d24864 100644 --- a/build.cmd +++ b/build.cmd @@ -1,2 +1,2 @@ @ECHO OFF -PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*; exit $LASTEXITCODE" \ No newline at end of file +PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*; exit $LASTEXITCODE" diff --git a/build.ps1 b/build.ps1 index 1785334385..b7081bc1c2 100644 --- a/build.ps1 +++ b/build.ps1 
@@ -1,67 +1,186 @@ -$ErrorActionPreference = "Stop" +#!/usr/bin/env powershell +#requires -version 4 -function DownloadWithRetry([string] $url, [string] $downloadLocation, [int] $retries) +<# +.SYNOPSIS +Build this repository + +.DESCRIPTION +Downloads korebuild if required. Then builds the repository. + +.PARAMETER Path +The folder to build. Defaults to the folder containing this script. + +.PARAMETER Channel +The channel of KoreBuild to download. Overrides the value from the config file. + +.PARAMETER DotNetHome +The directory where .NET Core tools will be stored. + +.PARAMETER ToolsSource +The base url where build tools can be downloaded. Overrides the value from the config file. + +.PARAMETER Update +Updates KoreBuild to the latest version even if a lock file is present. + +.PARAMETER ConfigFile +The path to the configuration file that stores values. Defaults to version.props. + +.PARAMETER MSBuildArgs +Arguments to be passed to MSBuild + +.NOTES +This function will create a file $PSScriptRoot/korebuild-lock.txt. This lock file can be committed to source, but does not have to be. +When the lockfile is not present, KoreBuild will create one using latest available version from $Channel. + +The $ConfigFile is expected to be an JSON file. It is optional, and the configuration values in it are optional as well. Any options set +in the file are overridden by command line parameters. + +.EXAMPLE +Example config file: +```json { - while($true) - { - try - { - Invoke-WebRequest $url -OutFile $downloadLocation - break - } - catch - { - $exceptionMessage = $_.Exception.Message - Write-Host "Failed to download '$url': $exceptionMessage" - if ($retries -gt 0) { - $retries-- - Write-Host "Waiting 10 seconds before retrying. 
Retries left: $retries" - Start-Sleep -Seconds 10 + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", + "channel": "dev", + "toolsSource": "https://aspnetcore.blob.core.windows.net/buildtools" +} +``` +#> +[CmdletBinding(PositionalBinding = $false)] +param( + [string]$Path = $PSScriptRoot, + [Alias('c')] + [string]$Channel, + [Alias('d')] + [string]$DotNetHome, + [Alias('s')] + [string]$ToolsSource, + [Alias('u')] + [switch]$Update, + [string]$ConfigFile = $null, + [Parameter(ValueFromRemainingArguments = $true)] + [string[]]$MSBuildArgs +) +Set-StrictMode -Version 2 +$ErrorActionPreference = 'Stop' + +# +# Functions +# + +function Get-KoreBuild { + + $lockFile = Join-Path $Path 'korebuild-lock.txt' + + if (!(Test-Path $lockFile) -or $Update) { + Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $lockFile + } + + $version = Get-Content $lockFile | Where-Object { $_ -like 'version:*' } | Select-Object -first 1 + if (!$version) { + Write-Error "Failed to parse version from $lockFile. 
Expected a line that begins with 'version:'" + } + $version = $version.TrimStart('version:').Trim() + $korebuildPath = Join-Paths $DotNetHome ('buildtools', 'korebuild', $version) + + if (!(Test-Path $korebuildPath)) { + Write-Host -ForegroundColor Magenta "Downloading KoreBuild $version" + New-Item -ItemType Directory -Path $korebuildPath | Out-Null + $remotePath = "$ToolsSource/korebuild/artifacts/$version/korebuild.$version.zip" + + try { + $tmpfile = Join-Path ([IO.Path]::GetTempPath()) "KoreBuild-$([guid]::NewGuid()).zip" + Get-RemoteFile $remotePath $tmpfile + if (Get-Command -Name 'Expand-Archive' -ErrorAction Ignore) { + # Use built-in commands where possible as they are cross-plat compatible + Expand-Archive -Path $tmpfile -DestinationPath $korebuildPath } - else - { - $exception = $_.Exception - throw $exception + else { + # Fallback to old approach for old installations of PowerShell + Add-Type -AssemblyName System.IO.Compression.FileSystem + [System.IO.Compression.ZipFile]::ExtractToDirectory($tmpfile, $korebuildPath) } } + catch { + remove-item -Recurse -Force $korebuildPath -ErrorAction Ignore + throw + } + finally { + remove-item $tmpfile -ErrorAction Ignore + } + } + + return $korebuildPath +} + +function Join-Paths([string]$path, [string[]]$childPaths) { + $childPaths | ForEach-Object { $path = Join-Path $path $_ } + return $path +} + +function Get-RemoteFile([string]$RemotePath, [string]$LocalPath) { + if ($RemotePath -notlike 'http*') { + Copy-Item $RemotePath $LocalPath + return + } + + $retries = 10 + while ($retries -gt 0) { + $retries -= 1 + try { + Invoke-WebRequest -UseBasicParsing -Uri $RemotePath -OutFile $LocalPath + return + } + catch { + Write-Verbose "Request failed. $retries retries remaining" + } + } + + Write-Error "Download failed: '$RemotePath'." 
+} + +# +# Main +# + +# Load configuration or set defaults + +$Path = Resolve-Path $Path +if (!$ConfigFile) { $ConfigFile = Join-Path $Path 'korebuild.json' } + +if (Test-Path $ConfigFile) { + try { + $config = Get-Content -Raw -Encoding UTF8 -Path $ConfigFile | ConvertFrom-Json + if ($config) { + if (!($Channel) -and (Get-Member -Name 'channel' -InputObject $config)) { [string] $Channel = $config.channel } + if (!($ToolsSource) -and (Get-Member -Name 'toolsSource' -InputObject $config)) { [string] $ToolsSource = $config.toolsSource} + } + } catch { + Write-Warning "$ConfigFile could not be read. Its settings will be ignored." + Write-Warning $Error[0] } } -cd $PSScriptRoot - -$repoFolder = $PSScriptRoot -$env:REPO_FOLDER = $repoFolder - -$koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0.zip" -if ($env:KOREBUILD_ZIP) -{ - $koreBuildZip=$env:KOREBUILD_ZIP +if (!$DotNetHome) { + $DotNetHome = if ($env:DOTNET_HOME) { $env:DOTNET_HOME } ` + elseif ($env:USERPROFILE) { Join-Path $env:USERPROFILE '.dotnet'} ` + elseif ($env:HOME) {Join-Path $env:HOME '.dotnet'}` + else { Join-Path $PSScriptRoot '.dotnet'} } -$buildFolder = ".build" -$buildFile="$buildFolder\KoreBuild.ps1" +if (!$Channel) { $Channel = 'dev' } +if (!$ToolsSource) { $ToolsSource = 'https://aspnetcore.blob.core.windows.net/buildtools' } -if (!(Test-Path $buildFolder)) { - Write-Host "Downloading KoreBuild from $koreBuildZip" +# Execute - $tempFolder=$env:TEMP + "\KoreBuild-" + [guid]::NewGuid() - New-Item -Path "$tempFolder" -Type directory | Out-Null +$korebuildPath = Get-KoreBuild +Import-Module -Force -Scope Local (Join-Path $korebuildPath 'KoreBuild.psd1') - $localZipFile="$tempFolder\korebuild.zip" - - DownloadWithRetry -url $koreBuildZip -downloadLocation $localZipFile -retries 6 - - Add-Type -AssemblyName System.IO.Compression.FileSystem - [System.IO.Compression.ZipFile]::ExtractToDirectory($localZipFile, $tempFolder) - - New-Item -Path "$buildFolder" -Type directory | Out-Null - 
copy-item "$tempFolder\**\build\*" $buildFolder -Recurse - - # Cleanup - if (Test-Path $tempFolder) { - Remove-Item -Recurse -Force $tempFolder - } +try { + Install-Tools $ToolsSource $DotNetHome + Invoke-RepositoryBuild $Path @MSBuildArgs +} +finally { + Remove-Module 'KoreBuild' -ErrorAction Ignore } - -&"$buildFile" @args diff --git a/build.sh b/build.sh index 5e27ed8efb..5138fc4f22 100755 --- a/build.sh +++ b/build.sh 
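Review bot: `Get-KoreBuild` expands the downloaded archive and the script then runs `Import-Module` on it, but nothing verifies the archive's content, and `Get-RemoteFile` treats anything matching `http*` as a download URL, so a `toolsSource` from korebuild.json or `-ToolsSource` that uses plain `http://` is accepted. Transport security is then the only integrity control, and it is optional. I would reject non-TLS sources at the top of `Get-RemoteFile` with `if ($RemotePath -like 'http:*') { throw "Tools source must use https: '$RemotePath'" }`, and, if the channel can publish a digest next to the version in korebuild-lock.txt, compare it with `Get-FileHash` before extraction. The catch block in the retry loop also discards the error, so a certificate failure looks like any other failed request; `Write-Verbose "Request failed: $($_.Exception.Message). $retries retries remaining"` would keep it visible.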
@@ -1,46 +1,220 @@ #!/usr/bin/env bash -repoFolder="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -cd $repoFolder -koreBuildZip="https://github.com/aspnet/KoreBuild/archive/rel/2.0.0.zip" -if [ ! -z $KOREBUILD_ZIP ]; then - koreBuildZip=$KOREBUILD_ZIP -fi +set -euo pipefail -buildFolder=".build" -buildFile="$buildFolder/KoreBuild.sh" +# +# variables +# -if test ! -d $buildFolder; then - echo "Downloading KoreBuild from $koreBuildZip" +RESET="\033[0m" +RED="\033[0;31m" +YELLOW="\033[0;33m" +MAGENTA="\033[0;95m" +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +[ -z "${DOTNET_HOME:-}"] && DOTNET_HOME="$HOME/.dotnet" +config_file="$DIR/korebuild.json" +verbose=false +update=false +repo_path="$DIR" +channel='' +tools_source='' - tempFolder="/tmp/KoreBuild-$(uuidgen)" - mkdir $tempFolder +# +# Functions +# +__usage() { + echo "Usage: $(basename "${BASH_SOURCE[0]}") [options] [[--] ...]" + echo "" + echo "Arguments:" + echo " ... Arguments passed to MSBuild. Variable number of arguments allowed." + echo "" + echo "Options:" + echo " --verbose Show verbose output." + echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." + echo " --config-file The path to the configuration file that stores values. Defaults to korebuild.json." + echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." + echo " --path The directory to build. Defaults to the directory containing the script." + echo " -s|--tools-source The base url where build tools can be downloaded. Overrides the value from the config file." + echo " -u|--update Update to the latest KoreBuild even if the lock file is present." + echo "" + echo "Description:" + echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." 
+ echo " When the lockfile is not present, KoreBuild will create one using latest available version from \$channel." - localZipFile="$tempFolder/korebuild.zip" - - retries=6 - until (wget -O $localZipFile $koreBuildZip 2>/dev/null || curl -o $localZipFile --location $koreBuildZip 2>/dev/null) - do - echo "Failed to download '$koreBuildZip'" - if [ "$retries" -le 0 ]; then - exit 1 - fi - retries=$((retries - 1)) - echo "Waiting 10 seconds before retrying. Retries left: $retries" - sleep 10s - done - - unzip -q -d $tempFolder $localZipFile - - mkdir $buildFolder - cp -r $tempFolder/**/build/** $buildFolder - - chmod +x $buildFile - - # Cleanup - if test -d $tempFolder; then - rm -rf $tempFolder + if [[ "${1:-}" != '--no-exit' ]]; then + exit 2 fi +} + +get_korebuild() { + local version + local lock_file="$repo_path/korebuild-lock.txt" + if [ ! -f "$lock_file" ] || [ "$update" = true ]; then + __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" + fi + version="$(grep 'version:*' -m 1 "$lock_file")" + if [[ "$version" == '' ]]; then + __error "Failed to parse version from $lock_file. Expected a line that begins with 'version:'" + return 1 + fi + version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" + local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" + + { + if [ ! 
-d "$korebuild_path" ]; then + mkdir -p "$korebuild_path" + local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" + tmpfile="$(mktemp)" + echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" + if __get_remote_file "$remote_path" "$tmpfile"; then + unzip -q -d "$korebuild_path" "$tmpfile" + fi + rm "$tmpfile" || true + fi + + source "$korebuild_path/KoreBuild.sh" + } || { + if [ -d "$korebuild_path" ]; then + echo "Cleaning up after failed installation" + rm -rf "$korebuild_path" || true + fi + return 1 + } +} + +__error() { + echo -e "${RED}error: $*${RESET}" 1>&2 +} + +__warn() { + echo -e "${YELLOW}warning: $*${RESET}" +} + +__machine_has() { + hash "$1" > /dev/null 2>&1 + return $? +} + +__get_remote_file() { + local remote_path=$1 + local local_path=$2 + + if [[ "$remote_path" != 'http'* ]]; then + cp "$remote_path" "$local_path" + return 0 + fi + + local failed=false + if __machine_has wget; then + wget --tries 10 --quiet -O "$local_path" "$remote_path" || failed=true + else + failed=true + fi + + if [ "$failed" = true ] && __machine_has curl; then + failed=false + curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" || failed=true + fi + + if [ "$failed" = true ]; then + __error "Download failed: $remote_path" 1>&2 + return 1 + fi +} + +# +# main +# + +while [[ $# -gt 0 ]]; do + case $1 in + -\?|-h|--help) + __usage --no-exit + exit 0 + ;; + -c|--channel|-Channel) + shift + channel="${1:-}" + [ -z "$channel" ] && __usage + ;; + --config-file|-ConfigFile) + shift + config_file="${1:-}" + [ -z "$config_file" ] && __usage + if [ ! -f "$config_file" ]; then + __error "Invalid value for --config-file. $config_file does not exist." 
+ exit 1 + fi + ;; + -d|--dotnet-home|-DotNetHome) + shift + DOTNET_HOME="${1:-}" + [ -z "$DOTNET_HOME" ] && __usage + ;; + --path|-Path) + shift + repo_path="${1:-}" + [ -z "$repo_path" ] && __usage + ;; + -s|--tools-source|-ToolsSource) + shift + tools_source="${1:-}" + [ -z "$tools_source" ] && __usage + ;; + -u|--update|-Update) + update=true + ;; + --verbose|-Verbose) + verbose=true + ;; + --) + shift + break + ;; + *) + break + ;; + esac + shift +done + +if ! __machine_has unzip; then + __error 'Missing required command: unzip' + exit 1 fi -$buildFile -r $repoFolder "$@" +if ! __machine_has curl && ! __machine_has wget; then + __error 'Missing required command. Either wget or curl is required.' + exit 1 +fi + +[ -z "${config_file:-}" ] && config_file="$repo_path/korebuild.json" +if [ -f "$config_file" ]; then + if __machine_has jq ; then + if jq '.' "$config_file" >/dev/null ; then + config_channel="$(jq -r 'select(.channel!=null) | .channel' "$config_file")" + config_tools_source="$(jq -r 'select(.toolsSource!=null) | .toolsSource' "$config_file")" + else + __warn "$config_file is invalid JSON. Its settings will be ignored." + fi + elif __machine_has python ; then + if python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'))" >/dev/null ; then + config_channel="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" + config_tools_source="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" + else + __warn "$config_file is invalid JSON. Its settings will be ignored." + fi + else + __warn 'Missing required command: jq or pyton. Could not parse the JSON file. Its settings will be ignored.' + fi + + [ ! -z "${config_channel:-}" ] && channel="$config_channel" + [ ! 
-z "${config_tools_source:-}" ] && tools_source="$config_tools_source" +fi + +[ -z "$channel" ] && channel='dev' +[ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' + +get_korebuild +install_tools "$tools_source" "$DOTNET_HOME" +invoke_repository_build "$repo_path" "$@" diff --git a/build/common.props b/build/common.props index a865ed071e..ee921ae666 100644 --- a/build/common.props +++ b/build/common.props @@ -9,7 +9,6 @@ $(MSBuildThisFileDirectory)Key.snk true true - $(VersionSuffix)-$(BuildNumber) true diff --git a/build/dependencies.targets b/build/dependencies.targets new file mode 100644 index 0000000000..d7f6b7b254 --- /dev/null +++ b/build/dependencies.targets @@ -0,0 +1,142 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/korebuild.json b/korebuild.json new file mode 100644 index 0000000000..6bbc5eeb9c --- /dev/null +++ b/korebuild.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/rel/2.0.2/tools/korebuild.schema.json", + "channel": "rel/2.0.2" +} diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 2b0006adaf..4cb00eaf80 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -3,8 +3,8 @@ + $(ExperimentalProjectVersionPrefix) Redis storage support as key store. - 0.3.0 netstandard2.0 true true diff --git a/version.props b/version.props index e69e2c659c..3e4b5d6f6d 100644 --- a/version.props 
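Review bot: The Python fallback in the config-loading block builds each `-c` program by pasting `$config_file` inside a single-quoted Python string literal, so a path that contains a single quote ends the literal early and the rest of the path is parsed as Python source. The path is taken from `--config-file` or derived from the script or repository directory, so it is not a constant. Pass it as an argument instead of embedding it, for example `python -c "import json,codecs,sys;obj=json.load(codecs.open(sys.argv[1], 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')" "$config_file"`, and change the validation call and the `toolsSource` lookup the same way. The same three lines are added again in the new `run.sh` later in this series; the `jq` branch already passes the file name as a separate argument and needs no change.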
+++ b/version.props @@ -1,6 +1,10 @@ - - 2.0.0 + 2.0.1 + 0.3.1 + rtm + $(VersionPrefix) + $(VersionPrefix)-$(VersionSuffix)-final + $(VersionSuffix)-$(BuildNumber) From ed827c001213781c775f8bc9256a97837c498edf Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 21 Sep 2017 10:04:33 -0700 Subject: [PATCH 385/493] Fix bug in test data --- .../TypeForwardingActivatorTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs index d985c130f3..ab5252b1f2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs @@ -146,7 +146,7 @@ namespace Microsoft.AspNetCore.DataProtection new Version(Math.Max(0, current.Major - 1), 0, 0, 0), new Version(current.Major + 1, 0, 0, 0), new Version(current.Major, current.Minor + 1, 0, 0), - new Version(current.Major, current.Minor, current.Revision + 1, 0), + new Version(current.Major, current.Minor, current.Build + 1, 0), }; } } From 0164e8f863e9d6b75d551afa06b494539e073e40 Mon Sep 17 00:00:00 2001 From: Justin Kotalik Date: Thu, 21 Sep 2017 17:45:55 -0700 Subject: [PATCH 386/493] Increase Minimum Version of Visual Studio to 15.3.0 --- DataProtection.sln | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DataProtection.sln b/DataProtection.sln index 4c1adcfabb..c4bc85e46d 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -1,7 +1,7 @@ Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 15 VisualStudioVersion = 15.0.26814.1 -MinimumVisualStudioVersion = 10.0.40219.1 +MinimumVisualStudioVersion = 15.0.26730.03 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" From 9d3a55a1f40d0bc976c5a987dce2032ed2512002 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Fri, 27 Oct 2017 11:52:29 -0700 Subject: [PATCH 387/493] Update bootstrapper --- .appveyor.yml | 2 +- build.cmd | 2 +- build.sh | 197 +------------------------------------- run.cmd | 2 + build.ps1 => run.ps1 | 56 +++++++---- run.sh | 223 +++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 265 insertions(+), 217 deletions(-) create mode 100644 run.cmd rename build.ps1 => run.ps1 (73%) create mode 100644 run.sh diff --git a/.appveyor.yml b/.appveyor.yml index 4f85bae466..e6fa444db3 100644 --- a/.appveyor.yml +++ b/.appveyor.yml @@ -8,7 +8,7 @@ branches: - /^(.*\/)?ci-.*$/ - /^rel\/.*/ build_script: - - ps: .\build.ps1 + - ps: .\run.ps1 default-build clone_depth: 1 environment: global: diff --git a/build.cmd b/build.cmd index b6c8d24864..c0050bda12 100644 --- a/build.cmd +++ b/build.cmd @@ -1,2 +1,2 @@ @ECHO OFF -PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0build.ps1' %*; exit $LASTEXITCODE" +PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0run.ps1' default-build %*; exit $LASTEXITCODE" diff --git a/build.sh b/build.sh index 11cdbe5504..98a4b22765 100755 --- a/build.sh +++ b/build.sh 
@@ -1,199 +1,8 @@ #!/usr/bin/env bash set -euo pipefail - -# -# variables -# - -RESET="\033[0m" -RED="\033[0;31m" -MAGENTA="\033[0;95m" DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -[ -z "${DOTNET_HOME:-}" ] && DOTNET_HOME="$HOME/.dotnet" -config_file="$DIR/version.xml" -verbose=false -update=false -repo_path="$DIR" -channel='' -tools_source='' -# -# Functions -# -__usage() { - echo "Usage: $(basename "${BASH_SOURCE[0]}") [options] [[--] ...]" - echo "" - echo "Arguments:" - echo " ... Arguments passed to MSBuild. Variable number of arguments allowed." - echo "" - echo "Options:" - echo " --verbose Show verbose output." - echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." - echo " --config-file TThe path to the configuration file that stores values. Defaults to version.xml." - echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." - echo " --path The directory to build. Defaults to the directory containing the script." - echo " -s|--tools-source The base url where build tools can be downloaded. Overrides the value from the config file." - echo " -u|--update Update to the latest KoreBuild even if the lock file is present." - echo "" - echo "Description:" - echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." - echo " When the lockfile is not present, KoreBuild will create one using latest available version from \$channel." - - if [[ "${1:-}" != '--no-exit' ]]; then - exit 2 - fi -} - -get_korebuild() { - local version - local lock_file="$repo_path/korebuild-lock.txt" - if [ ! -f "$lock_file" ] || [ "$update" = true ]; then - __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" - fi - version="$(grep 'version:*' -m 1 "$lock_file")" - if [[ "$version" == '' ]]; then - __error "Failed to parse version from $lock_file. 
Expected a line that begins with 'version:'" - return 1 - fi - version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" - local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" - - { - if [ ! -d "$korebuild_path" ]; then - mkdir -p "$korebuild_path" - local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" - tmpfile="$(mktemp)" - echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" - if __get_remote_file "$remote_path" "$tmpfile"; then - unzip -q -d "$korebuild_path" "$tmpfile" - fi - rm "$tmpfile" || true - fi - - source "$korebuild_path/KoreBuild.sh" - } || { - if [ -d "$korebuild_path" ]; then - echo "Cleaning up after failed installation" - rm -rf "$korebuild_path" || true - fi - return 1 - } -} - -__error() { - echo -e "${RED}$*${RESET}" 1>&2 -} - -__machine_has() { - hash "$1" > /dev/null 2>&1 - return $? -} - -__get_remote_file() { - local remote_path=$1 - local local_path=$2 - - if [[ "$remote_path" != 'http'* ]]; then - cp "$remote_path" "$local_path" - return 0 - fi - - local failed=false - if __machine_has wget; then - wget --tries 10 --quiet -O "$local_path" "$remote_path" || failed=true - else - failed=true - fi - - if [ "$failed" = true ] && __machine_has curl; then - failed=false - curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" || failed=true - fi - - if [ "$failed" = true ]; then - __error "Download failed: $remote_path" 1>&2 - return 1 - fi -} - -__read_dom () { local IFS=\> ; read -r -d \< ENTITY CONTENT ;} - -# -# main -# - -while [[ $# -gt 0 ]]; do - case $1 in - -\?|-h|--help) - __usage --no-exit - exit 0 - ;; - -c|--channel|-Channel) - shift - channel="${1:-}" - [ -z "$channel" ] && __usage - ;; - --config-file|-ConfigFile) - shift - config_file="${1:-}" - [ -z "$config_file" ] && __usage - ;; - -d|--dotnet-home|-DotNetHome) - shift - DOTNET_HOME="${1:-}" - [ -z "$DOTNET_HOME" ] && __usage - ;; - --path|-Path) - shift - repo_path="${1:-}" 
- [ -z "$repo_path" ] && __usage - ;; - -s|--tools-source|-ToolsSource) - shift - tools_source="${1:-}" - [ -z "$tools_source" ] && __usage - ;; - -u|--update|-Update) - update=true - ;; - --verbose|-Verbose) - verbose=true - ;; - --) - shift - break - ;; - *) - break - ;; - esac - shift -done - -if ! __machine_has unzip; then - __error 'Missing required command: unzip' - exit 1 -fi - -if ! __machine_has curl && ! __machine_has wget; then - __error 'Missing required command. Either wget or curl is required.' - exit 1 -fi - -if [ -f "$config_file" ]; then - comment=false - while __read_dom; do - if [ "$comment" = true ]; then [[ $CONTENT == *'-->'* ]] && comment=false ; continue; fi - if [[ $ENTITY == '!--'* ]]; then comment=true; continue; fi - if [ -z "$channel" ] && [[ $ENTITY == "KoreBuildChannel" ]]; then channel=$CONTENT; fi - if [ -z "$tools_source" ] && [[ $ENTITY == "KoreBuildToolsSource" ]]; then tools_source=$CONTENT; fi - done < "$config_file" -fi - -[ -z "$channel" ] && channel='dev' -[ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' - -get_korebuild -install_tools "$tools_source" "$DOTNET_HOME" -invoke_repository_build "$repo_path" "$@" +# Call "sync" between "chmod" and execution to prevent "text file busy" error in Docker (aufs) +chmod +x "$DIR/run.sh"; sync +"$DIR/run.sh" default-build "$@" diff --git a/run.cmd b/run.cmd new file mode 100644 index 0000000000..d52d5c7e68 --- /dev/null +++ b/run.cmd @@ -0,0 +1,2 @@ +@ECHO OFF +PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0run.ps1' %*; exit $LASTEXITCODE" diff --git a/build.ps1 b/run.ps1 similarity index 73% rename from build.ps1 rename to run.ps1 index d5eb4d5cf2..49c2899856 100644 --- a/build.ps1 +++ b/run.ps1 
@@ -3,10 +3,13 @@ <# .SYNOPSIS -Build this repository +Executes KoreBuild commands. .DESCRIPTION -Downloads korebuild if required. Then builds the repository. +Downloads korebuild if required. Then executes the KoreBuild command. To see available commands, execute with `-Command help`. + +.PARAMETER Command +The KoreBuild command to run. .PARAMETER Path The folder to build. Defaults to the folder containing this script. @@ -24,31 +27,32 @@ The base url where build tools can be downloaded. Overrides the value from the c Updates KoreBuild to the latest version even if a lock file is present. .PARAMETER ConfigFile -The path to the configuration file that stores values. Defaults to version.xml. +The path to the configuration file that stores values. Defaults to korebuild.json. -.PARAMETER MSBuildArgs -Arguments to be passed to MSBuild +.PARAMETER Arguments +Arguments to be passed to the command .NOTES This function will create a file $PSScriptRoot/korebuild-lock.txt. This lock file can be committed to source, but does not have to be. When the lockfile is not present, KoreBuild will create one using latest available version from $Channel. -The $ConfigFile is expected to be an XML file. It is optional, and the configuration values in it are optional as well. +The $ConfigFile is expected to be an JSON file. It is optional, and the configuration values in it are optional as well. Any options set +in the file are overridden by command line parameters. .EXAMPLE Example config file: -```xml - - - - dev - https://aspnetcore.blob.core.windows.net/buildtools - - +```json +{ + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", + "channel": "dev", + "toolsSource": "https://aspnetcore.blob.core.windows.net/buildtools" +} ``` #> [CmdletBinding(PositionalBinding = $false)] param( + [Parameter(Mandatory=$true, Position = 0)] + [string]$Command, [string]$Path = $PSScriptRoot, [Alias('c')] [string]$Channel, 
@@ -58,9 +62,9 @@ param( [string]$ToolsSource, [Alias('u')] [switch]$Update, - [string]$ConfigFile = (Join-Path $PSScriptRoot 'version.xml'), + [string]$ConfigFile, [Parameter(ValueFromRemainingArguments = $true)] - [string[]]$MSBuildArgs + [string[]]$Arguments ) Set-StrictMode -Version 2 @@ -147,10 +151,20 @@ function Get-RemoteFile([string]$RemotePath, [string]$LocalPath) { # Load configuration or set defaults +$Path = Resolve-Path $Path +if (!$ConfigFile) { $ConfigFile = Join-Path $Path 'korebuild.json' } + if (Test-Path $ConfigFile) { - [xml] $config = Get-Content $ConfigFile - if (!($Channel)) { [string] $Channel = Select-Xml -Xml $config -XPath '/Project/PropertyGroup/KoreBuildChannel' } - if (!($ToolsSource)) { [string] $ToolsSource = Select-Xml -Xml $config -XPath '/Project/PropertyGroup/KoreBuildToolsSource' } + try { + $config = Get-Content -Raw -Encoding UTF8 -Path $ConfigFile | ConvertFrom-Json + if ($config) { + if (!($Channel) -and (Get-Member -Name 'channel' -InputObject $config)) { [string] $Channel = $config.channel } + if (!($ToolsSource) -and (Get-Member -Name 'toolsSource' -InputObject $config)) { [string] $ToolsSource = $config.toolsSource} + } + } catch { + Write-Warning "$ConfigFile could not be read. Its settings will be ignored." + Write-Warning $Error[0] + } } if (!$DotNetHome) { @@ -169,8 +183,8 @@ $korebuildPath = Get-KoreBuild Import-Module -Force -Scope Local (Join-Path $korebuildPath 'KoreBuild.psd1') try { - Install-Tools $ToolsSource $DotNetHome - Invoke-RepositoryBuild $Path @MSBuildArgs + Set-KoreBuildSettings -ToolsSource $ToolsSource -DotNetHome $DotNetHome -RepoPath $Path -ConfigFile $ConfigFile + Invoke-KoreBuildCommand $Command @Arguments } finally { Remove-Module 'KoreBuild' -ErrorAction Ignore diff --git a/run.sh b/run.sh new file mode 100644 index 0000000000..c278423acc --- /dev/null +++ b/run.sh 
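Review bot: In the new `catch` block of the config-loading hunk, `Write-Warning $Error[0]` reads the session-wide error list rather than the error this block caught; `Write-Warning $_` reports the caught record directly and does not depend on the state of `$Error`. It would also help to add a comment above the `try`, such as `# An unreadable korebuild.json is non-fatal: fall through to the built-in defaults`, because the fallback changes which channel and tools source the script uses. The lines that apply those defaults are outside this hunk, so the exact fallback values are presumably the ones set further down in the file.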
@@ -0,0 +1,223 @@ +#!/usr/bin/env bash + +set -euo pipefail + +# +# variables +# + +RESET="\033[0m" +RED="\033[0;31m" +YELLOW="\033[0;33m" +MAGENTA="\033[0;95m" +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +[ -z "${DOTNET_HOME:-}" ] && DOTNET_HOME="$HOME/.dotnet" +verbose=false +update=false +repo_path="$DIR" +channel='' +tools_source='' + +# +# Functions +# +__usage() { + echo "Usage: $(basename "${BASH_SOURCE[0]}") command [options] [[--] ...]" + echo "" + echo "Arguments:" + echo " command The command to be run." + echo " ... Arguments passed to the command. Variable number of arguments allowed." + echo "" + echo "Options:" + echo " --verbose Show verbose output." + echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." + echo " --config-file The path to the configuration file that stores values. Defaults to korebuild.json." + echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." + echo " --path The directory to build. Defaults to the directory containing the script." + echo " -s|--tools-source|-ToolsSource The base url where build tools can be downloaded. Overrides the value from the config file." + echo " -u|--update Update to the latest KoreBuild even if the lock file is present." + echo "" + echo "Description:" + echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." + echo " When the lockfile is not present, KoreBuild will create one using latest available version from \$channel." + + if [[ "${1:-}" != '--no-exit' ]]; then + exit 2 + fi +} + +get_korebuild() { + local version + local lock_file="$repo_path/korebuild-lock.txt" + if [ ! 
-f "$lock_file" ] || [ "$update" = true ]; then + __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" + fi + version="$(grep 'version:*' -m 1 "$lock_file")" + if [[ "$version" == '' ]]; then + __error "Failed to parse version from $lock_file. Expected a line that begins with 'version:'" + return 1 + fi + version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" + local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" + + { + if [ ! -d "$korebuild_path" ]; then + mkdir -p "$korebuild_path" + local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" + tmpfile="$(mktemp)" + echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" + if __get_remote_file "$remote_path" "$tmpfile"; then + unzip -q -d "$korebuild_path" "$tmpfile" + fi + rm "$tmpfile" || true + fi + + source "$korebuild_path/KoreBuild.sh" + } || { + if [ -d "$korebuild_path" ]; then + echo "Cleaning up after failed installation" + rm -rf "$korebuild_path" || true + fi + return 1 + } +} + +__error() { + echo -e "${RED}error: $*${RESET}" 1>&2 +} + +__warn() { + echo -e "${YELLOW}warning: $*${RESET}" +} + +__machine_has() { + hash "$1" > /dev/null 2>&1 + return $? 
+} + +__get_remote_file() { + local remote_path=$1 + local local_path=$2 + + if [[ "$remote_path" != 'http'* ]]; then + cp "$remote_path" "$local_path" + return 0 + fi + + local failed=false + if __machine_has wget; then + wget --tries 10 --quiet -O "$local_path" "$remote_path" || failed=true + else + failed=true + fi + + if [ "$failed" = true ] && __machine_has curl; then + failed=false + curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" || failed=true + fi + + if [ "$failed" = true ]; then + __error "Download failed: $remote_path" 1>&2 + return 1 + fi +} + +# +# main +# + +command="${1:-}" +shift + +while [[ $# -gt 0 ]]; do + case $1 in + -\?|-h|--help) + __usage --no-exit + exit 0 + ;; + -c|--channel|-Channel) + shift + channel="${1:-}" + [ -z "$channel" ] && __usage + ;; + --config-file|-ConfigFile) + shift + config_file="${1:-}" + [ -z "$config_file" ] && __usage + if [ ! -f "$config_file" ]; then + __error "Invalid value for --config-file. $config_file does not exist." + exit 1 + fi + ;; + -d|--dotnet-home|-DotNetHome) + shift + DOTNET_HOME="${1:-}" + [ -z "$DOTNET_HOME" ] && __usage + ;; + --path|-Path) + shift + repo_path="${1:-}" + [ -z "$repo_path" ] && __usage + ;; + -s|--tools-source|-ToolsSource) + shift + tools_source="${1:-}" + [ -z "$tools_source" ] && __usage + ;; + -u|--update|-Update) + update=true + ;; + --verbose|-Verbose) + verbose=true + ;; + --) + shift + break + ;; + *) + break + ;; + esac + shift +done + +if ! __machine_has unzip; then + __error 'Missing required command: unzip' + exit 1 +fi + +if ! __machine_has curl && ! __machine_has wget; then + __error 'Missing required command. Either wget or curl is required.' + exit 1 +fi + +[ -z "${config_file:-}" ] && config_file="$repo_path/korebuild.json" +if [ -f "$config_file" ]; then + if __machine_has jq ; then + if jq '.' 
"$config_file" >/dev/null ; then + config_channel="$(jq -r 'select(.channel!=null) | .channel' "$config_file")" + config_tools_source="$(jq -r 'select(.toolsSource!=null) | .toolsSource' "$config_file")" + else + __warn "$config_file is invalid JSON. Its settings will be ignored." + fi + elif __machine_has python ; then + if python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'))" >/dev/null ; then + config_channel="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" + config_tools_source="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" + else + __warn "$config_file is invalid JSON. Its settings will be ignored." + fi + else + __warn 'Missing required command: jq or pyton. Could not parse the JSON file. Its settings will be ignored.' + fi + + [ ! -z "${config_channel:-}" ] && channel="$config_channel" + [ ! -z "${config_tools_source:-}" ] && tools_source="$config_tools_source" +fi + +[ -z "$channel" ] && channel='dev' +[ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' + +get_korebuild +set_korebuildsettings "$tools_source" "$DOTNET_HOME" "$repo_path" "$config_file" +invoke_korebuild_command "$command" "$@" From 49b2e22ab30239ed63d3f3b9478e7563e9a93ed9 Mon Sep 17 00:00:00 2001 
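Review bot: The two assignments that close the config block, `[ ! -z "${config_channel:-}" ] && channel="$config_channel"` and its `tools_source` twin, run after option parsing and are unconditional, so a value in korebuild.json replaces one given with `-c` or `-s`, although `__usage` says those options override the config file. Because `tools_source` is the base URL from which `get_korebuild` downloads the archive that it unzips and sources, a caller who passes `--tools-source` to pin a trusted mirror ends up using whatever the repository file names. Guard both lines on the variable still being empty, e.g. `[ -z "$tools_source" ] && [ -n "${config_tools_source:-}" ] && tools_source="$config_tools_source"`, and the same for `channel`.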
From: Nate McMaster Date: Wed, 1 Nov 2017 09:09:28 -0700 Subject: [PATCH 388/493] Pin tool and package versions to make builds more repeatable --- .gitignore | 1 - Directory.Build.props | 4 +-- Directory.Build.targets | 17 +++------- NuGet.config | 1 + build/dependencies.props | 32 +++++++++++++++++++ build/repo.props | 9 +++--- korebuild-lock.txt | 2 ++ korebuild.json | 4 +++ samples/AzureBlob/AzureBlob.csproj | 6 ++-- samples/AzureKeyVault/AzureKeyVault.csproj | 10 +++--- .../CustomEncryptorSample.csproj | 4 +-- samples/Redis/Redis.csproj | 6 ++-- src/Directory.Build.props | 4 +-- ...NetCore.DataProtection.Abstractions.csproj | 2 +- ...etCore.DataProtection.AzureKeyVault.csproj | 4 +-- ...NetCore.DataProtection.AzureStorage.csproj | 2 +- ...spNetCore.DataProtection.Extensions.csproj | 2 +- ...oft.AspNetCore.DataProtection.Redis.csproj | 5 +-- ...AspNetCore.DataProtection.SystemWeb.csproj | 2 +- ...Microsoft.AspNetCore.DataProtection.csproj | 12 +++---- test/Directory.Build.props | 14 ++++---- ...e.DataProtection.AzureKeyVault.Test.csproj | 2 +- ...re.DataProtection.AzureStorage.Test.csproj | 2 +- ...spNetCore.DataProtection.Redis.Test.csproj | 2 +- ...soft.AspNetCore.DataProtection.Test.csproj | 4 +-- version.props | 11 +++++++ version.xml | 8 ----- 27 files changed, 103 insertions(+), 69 deletions(-) create mode 100644 build/dependencies.props create mode 100644 korebuild-lock.txt create mode 100644 korebuild.json create mode 100644 version.props delete mode 100644 version.xml diff --git a/.gitignore b/.gitignore index c632acb4ef..5af949b050 100644 --- a/.gitignore +++ b/.gitignore @@ -30,4 +30,3 @@ project.lock.json .testPublish/ samples/**/temp-keys/ global.json -korebuild-lock.txt diff --git a/Directory.Build.props b/Directory.Build.props index 3fd0dd0850..fb41a88333 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -1,5 +1,6 @@  - + + Microsoft ASP.NET Core 
@@ -8,7 +9,6 @@ $(MSBuildThisFileDirectory)build\Key.snk true true - $(VersionSuffix)-$(BuildNumber) true diff --git a/Directory.Build.targets b/Directory.Build.targets index bc118fd907..e83ff95e39 100644 --- a/Directory.Build.targets +++ b/Directory.Build.targets @@ -1,14 +1,5 @@ - - - - <_BootstrapperFile Condition=" $([MSBuild]::IsOSUnixLike()) ">build.sh - <_BootstrapperFile Condition="! $([MSBuild]::IsOSUnixLike()) ">build.cmd - <_BootstrapperError> - Package references have not been pinned. Run './$(_BootstrapperFile) /t:Pin'. - Also, you can run './$(_BootstrapperFile) /t:Restore' which will pin *and* restore packages. '$(_BootstrapperFile)' can be found in '$(MSBuildThisFileDirectory)'. - - - - - + + + $(MicrosoftNETCoreApp20PackageVersion) + diff --git a/NuGet.config b/NuGet.config index 20060c934e..4e8a1f6de1 100644 --- a/NuGet.config +++ b/NuGet.config @@ -3,6 +3,7 @@ + diff --git a/build/dependencies.props b/build/dependencies.props new file mode 100644 index 0000000000..0f9bd07181 --- /dev/null +++ b/build/dependencies.props @@ -0,0 +1,32 @@ + + + $(MSBuildAllProjects);$(MSBuildThisFileFullPath) + + + 2.1.0-preview1-15549 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.3.2 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 2.1.0-preview1-27488 + 3.14.1 + 2.0.0 + 15.3.0 + 4.4.0 + 4.7.49 + 1.2.4 + 4.4.0 + 8.1.4 + 2.3.0 + 2.3.0 + + + diff --git a/build/repo.props b/build/repo.props index 13fe1c296a..b55e651b87 100644 --- a/build/repo.props +++ b/build/repo.props @@ -1,6 +1,7 @@  - - - - + + + Internal.AspNetCore.Universe.Lineup + https://dotnet.myget.org/F/aspnetcore-ci-dev/api/v3/index.json + diff --git a/korebuild-lock.txt b/korebuild-lock.txt new file mode 100644 index 0000000000..45463cc71e --- /dev/null +++ b/korebuild-lock.txt 
@@ -0,0 +1,2 @@ +version:2.1.0-preview1-15549 +commithash:f570e08585fec510dd60cd4bfe8795388b757a95 diff --git a/korebuild.json b/korebuild.json new file mode 100644 index 0000000000..bd5d51a51b --- /dev/null +++ b/korebuild.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", + "channel": "dev" +} diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index 36a54d88da..a9388ad953 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -11,9 +11,9 @@ - - - + + + diff --git a/samples/AzureKeyVault/AzureKeyVault.csproj b/samples/AzureKeyVault/AzureKeyVault.csproj index 4907ff7925..a4ca09bc1e 100644 --- a/samples/AzureKeyVault/AzureKeyVault.csproj +++ b/samples/AzureKeyVault/AzureKeyVault.csproj @@ -10,11 +10,11 @@ - - - - - + + + + + diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index cd0cebef55..d6978a8494 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -11,8 +11,8 @@ - - + + diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 780154b570..cbaea96c41 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -10,9 +10,9 @@ - - - + + + diff --git a/src/Directory.Build.props b/src/Directory.Build.props index 9d9a3de33a..4b89a431e7 100644 --- a/src/Directory.Build.props +++ b/src/Directory.Build.props @@ -1,7 +1,7 @@ - + - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj index 9865ffc812..24bd9f5fb6 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj @@ -15,7 +15,7 @@ Microsoft.AspNetCore.DataProtection.IDataProtector - + diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj index ee7b42ab87..0c7b084a2a 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj @@ -13,8 +13,8 @@ - - + + diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj index 69013b6942..ceb83f3925 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj @@ -13,7 +13,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj index 63778dca70..44885e5711 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj @@ -16,7 +16,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 09231f21cd..86fc1f8fb7 100644 
--- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -2,7 +2,8 @@ Redis storage support as key store. - 0.4.0 + $(ExperimentalProjectVersionPrefix) + false netstandard2.0 true true @@ -15,7 +16,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj index 6e013cd1c2..a40024990e 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj @@ -17,7 +17,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index 8779798c57..d9ba04d1a9 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj +++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -19,12 +19,12 @@ - - - - - - + + + + + + diff --git a/test/Directory.Build.props b/test/Directory.Build.props index 3a86391d57..8a1b153e10 100644 --- a/test/Directory.Build.props +++ b/test/Directory.Build.props @@ -1,12 +1,12 @@ - + - - - - - - + + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj index 6983aebb33..753d0a1041 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj 
+++ b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj @@ -12,7 +12,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 56872ed370..018c5da2fc 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -12,7 +12,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index b5c4f54979..75af7061ff 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -15,7 +15,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 77394665b2..1ce0d35680 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -15,8 +15,8 @@ - - + + diff --git a/version.props b/version.props new file mode 100644 index 0000000000..d1791a6a89 --- /dev/null +++ b/version.props @@ -0,0 +1,11 @@ + + + 2.1.0 + 0.4.0 + preview1 + $(VersionPrefix) + $(VersionPrefix)-$(VersionSuffix)-final + t000 + $(VersionSuffix)-$(BuildNumber) + + 
diff --git a/version.xml b/version.xml deleted file mode 100644 index 3c05022b7d..0000000000 --- a/version.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - dev - 2.1.0 - preview1 - - From f0fef3f20dacd0760cffa57e657a35329f865def Mon Sep 17 00:00:00 2001 From: Pranav K Date: Mon, 13 Nov 2017 15:27:54 -0800 Subject: [PATCH 389/493] Update samples and tests to target netcoreapp2.1 --- Directory.Build.props | 4 ++++ korebuild-lock.txt | 4 ++-- samples/AzureBlob/AzureBlob.csproj | 2 +- samples/AzureKeyVault/AzureKeyVault.csproj | 2 +- samples/CustomEncryptorSample/CustomEncryptorSample.csproj | 2 +- samples/KeyManagementSample/KeyManagementSample.csproj | 2 +- samples/NonDISample/NonDISample.csproj | 2 +- samples/Redis/Redis.csproj | 2 +- test/Directory.Build.props | 7 +++++++ .../Microsoft.AspNetCore.Cryptography.Internal.Test.csproj | 3 +-- ...osoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj | 3 +-- ...soft.AspNetCore.DataProtection.Abstractions.Test.csproj | 3 +-- ...oft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj | 3 +-- ...soft.AspNetCore.DataProtection.AzureStorage.Test.csproj | 3 +-- ...rosoft.AspNetCore.DataProtection.Extensions.Test.csproj | 3 +-- .../Microsoft.AspNetCore.DataProtection.Redis.Test.csproj | 3 +-- .../AnonymousImpersonation.cs | 2 +- .../Microsoft.AspNetCore.DataProtection.Test.csproj | 3 +-- .../TypeForwardingActivatorTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- 20 files changed, 30 insertions(+), 27 deletions(-) diff --git a/Directory.Build.props b/Directory.Build.props index fb41a88333..1bcd7ca437 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -1,4 +1,8 @@  + + diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 45463cc71e..95f4613014 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15549 -commithash:f570e08585fec510dd60cd4bfe8795388b757a95 +version:2.1.0-preview1-15567 +commithash:903e3104807b1bb8cddd28bdef205b1e2dc021d1 
diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index a9388ad953..8ba3d51f0f 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -1,7 +1,7 @@  - netcoreapp2.0 + netcoreapp2.1 exe diff --git a/samples/AzureKeyVault/AzureKeyVault.csproj b/samples/AzureKeyVault/AzureKeyVault.csproj index a4ca09bc1e..ce4ae01408 100644 --- a/samples/AzureKeyVault/AzureKeyVault.csproj +++ b/samples/AzureKeyVault/AzureKeyVault.csproj @@ -1,7 +1,7 @@ - netcoreapp2.0 + netcoreapp2.1 exe diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index d6978a8494..1cfe237b50 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -1,7 +1,7 @@  - net461;netcoreapp2.0 + net461;netcoreapp2.1 exe diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index a1688c3d1b..e240e30b6d 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -1,7 +1,7 @@  - net461;netcoreapp2.0 + net461;netcoreapp2.1 exe diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index 5024468371..168e26a249 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -1,7 +1,7 @@  - net461;netcoreapp2.0 + net461;netcoreapp2.1 exe diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index cbaea96c41..dc79399c6c 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -1,7 +1,7 @@  - net461;netcoreapp2.0 + net461;netcoreapp2.1 exe diff --git a/test/Directory.Build.props b/test/Directory.Build.props index 8a1b153e10..9d4d4a902c 100644 --- a/test/Directory.Build.props +++ b/test/Directory.Build.props 
@@ -1,6 +1,13 @@ + + netcoreapp2.1 + $(DeveloperBuildTestTfms) + netcoreapp2.1;netcoreapp2.0 + $(StandardTestTfms);net461 + + diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj index 483ddeda3f..759f10679d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) true diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj index 31a604f305..a475ac199d 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) true diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj index ccb99debff..1da22cec0d 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) 
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj index 753d0a1041..c5ffd2f4e3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) true diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj index 018c5da2fc..8644347572 100644 --- a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) true diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 63889be38c..29cf82928f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index 75af7061ff..d359ab936e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index 15fd53ee6a..b8ecc36c26 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs @@ -86,7 +86,7 @@ namespace Microsoft.AspNetCore.DataProtection } } } -#elif NETCOREAPP2_0 +#elif NETCOREAPP2_0 || NETCOREAPP2_1 #else #error Target framework needs to be updated #endif diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 1ce0d35680..54469e4063 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -1,8 +1,7 @@  - netcoreapp2.0;net461 - netcoreapp2.0 + $(StandardTestTfms) true diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs index ab5252b1f2..2b8931c98e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs 
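Review bot: The `#elif NETCOREAPP2_0 || NETCOREAPP2_1` branch in AnonymousImpersonation.cs is empty, and the same empty branch in XmlEncryption/DpapiXmlEncryptionTests.cs means the test that expects `decryptor.Decrypt(...)` to throw a CryptographicException under `AnonymousImpersonation.Run` is not compiled for either .NET Core target. Widening the condition carries that coverage gap over to netcoreapp2.1 without saying so. I would put the reason on the directive in both files, for example `#elif NETCOREAPP2_0 || NETCOREAPP2_1 // no impersonation helper on .NET Core; cross-user DPAPI failure is only tested on desktop`, worded to match the real reason. The opening `#if` condition and the enclosing classes are outside these hunks, so the desktop-only reading is inferred.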
@@ -113,7 +113,7 @@ namespace Microsoft.AspNetCore.DataProtection var domain = AppDomain.CreateDomain("TestDomain", null, setupInfo); var wrappedTestClass = (TypeForwardingActivatorTests)domain.CreateInstanceAndUnwrap(GetType().Assembly.FullName, typeof(TypeForwardingActivatorTests).FullName); wrappedTestClass.CreateInstance_ForwardsAcrossVersionChangesImpl(version); -#elif NETCOREAPP2_0 +#elif NETCOREAPP2_0 || NETCOREAPP2_1 CreateInstance_ForwardsAcrossVersionChangesImpl(version); #else #error Target framework should be updated diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 6806048d55..79dcff64af 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -53,7 +53,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption ExceptionAssert2.ThrowsCryptographicException(() => AnonymousImpersonation.Run(() => decryptor.Decrypt(encryptedXmlInfo.EncryptedElement))); } -#elif NETCOREAPP2_0 +#elif NETCOREAPP2_0 || NETCOREAPP2_1 #else #error Target framework needs to be updated #endif From 50017d97771822b6d5afc7026c7ade612555ed74 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 17 Nov 2017 13:00:24 -0800 Subject: [PATCH 390/493] Use MicrosoftNETCoreApp21PackageVersion to determine the runtime framework in netcoreapp2.1 --- Directory.Build.targets | 1 + build/dependencies.props | 1 + 2 files changed, 2 insertions(+) diff --git a/Directory.Build.targets b/Directory.Build.targets index e83ff95e39..894b1d0cf8 100644 --- a/Directory.Build.targets +++ b/Directory.Build.targets @@ -1,5 +1,6 @@  $(MicrosoftNETCoreApp20PackageVersion) + $(MicrosoftNETCoreApp21PackageVersion) diff --git a/build/dependencies.props b/build/dependencies.props index 0f9bd07181..d1d1597538 100644 
--- a/build/dependencies.props +++ b/build/dependencies.props @@ -19,6 +19,7 @@ 2.1.0-preview1-27488 3.14.1 2.0.0 + 2.1.0-preview1-25907-02 15.3.0 4.4.0 4.7.49 From 1021dc41ece759347c4ddafab5c0f15750935069 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Mon, 20 Nov 2017 12:15:45 -0800 Subject: [PATCH 391/493] Use MSBuild to set NuGet feeds instead of NuGet.config --- Directory.Build.props | 1 + NuGet.config | 4 +--- build/sources.props | 16 ++++++++++++++++ 3 files changed, 18 insertions(+), 3 deletions(-) create mode 100644 build/sources.props diff --git a/Directory.Build.props b/Directory.Build.props index 1bcd7ca437..bcfd221f4f 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -5,6 +5,7 @@ + Microsoft ASP.NET Core diff --git a/NuGet.config b/NuGet.config index 4e8a1f6de1..e32bddfd51 100644 --- a/NuGet.config +++ b/NuGet.config @@ -2,8 +2,6 @@ - - - + diff --git a/build/sources.props b/build/sources.props new file mode 100644 index 0000000000..c03f3ddb60 --- /dev/null +++ b/build/sources.props @@ -0,0 +1,16 @@ + + + + + $(DotNetRestoreSources) + + $(RestoreSources); + https://dotnet.myget.org/F/aspnetcore-ci-dev/api/v3/index.json; + https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json; + + + $(RestoreSources); + https://api.nuget.org/v3/index.json; + + + From b5bb233fe23151d65ffdd2554c40083baf1064de Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 21 Nov 2017 16:27:03 -0800 Subject: [PATCH 392/493] Replace aspnetcore-ci-dev feed with aspnetcore-dev --- build/dependencies.props | 28 ++++++++++++++-------------- build/repo.props | 2 +- build/sources.props | 2 +- korebuild-lock.txt | 4 ++-- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index d1d1597538..ba7eafc781 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
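Review bot: The `RestoreSources` list added in build/sources.props places two dotnet.myget.org feeds next to api.nuget.org, and as far as I know NuGet gives these sources no priority order, so a package ID and version can be served by whichever feed carries it. The exact versions pinned in build/dependencies.props narrow this, but nothing visible here ties a package to the feed it is expected to come from. I would add a comment above the list recording that intent, for example `<!-- aspnetcore-ci-dev: <package families expected from this feed>; nuget.org: all other packages -->`, and confirm that the internal package ID prefixes are reserved on nuget.org. `$(DotNetRestoreSources)` is prepended from outside this file, so whatever sets it also extends the trusted set; the element names and conditions are not readable in this rendering, so the grouping is inferred.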
@@ -1,22 +1,22 @@ - + $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15549 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 + 2.1.0-preview1-15576 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 2.3.2 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 - 2.1.0-preview1-27488 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 + 2.1.0-preview1-27644 3.14.1 2.0.0 2.1.0-preview1-25907-02 diff --git a/build/repo.props b/build/repo.props index b55e651b87..07c5f08325 100644 --- a/build/repo.props +++ b/build/repo.props @@ -2,6 +2,6 @@ Internal.AspNetCore.Universe.Lineup - https://dotnet.myget.org/F/aspnetcore-ci-dev/api/v3/index.json + https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json diff --git a/build/sources.props b/build/sources.props index c03f3ddb60..9feff29d09 100644 --- a/build/sources.props +++ b/build/sources.props @@ -5,7 +5,7 @@ $(DotNetRestoreSources) $(RestoreSources); - https://dotnet.myget.org/F/aspnetcore-ci-dev/api/v3/index.json; + https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json; https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json; diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 95f4613014..1a99066b7c 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15567 -commithash:903e3104807b1bb8cddd28bdef205b1e2dc021d1 +version:2.1.0-preview1-15576 +commithash:2f3856d2ba4f659fcb9253215b83946a06794a27 From c91075928da86e604a84932a619b76327c26a46c Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 29 Nov 2017 14:09:25 -0800 Subject: [PATCH 393/493] Specify runtime versions to install --- build/repo.props | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/build/repo.props b/build/repo.props index 07c5f08325..78b0ce5879 100644 --- a/build/repo.props +++ b/build/repo.props @@ -1,7 +1,14 @@  + + Internal.AspNetCore.Universe.Lineup https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json + + + + + From 2ea7c0cea31e6dd345dfdcfad79f7163f763b88e Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Fri, 1 Dec 2017 10:22:28 -0800 Subject: [PATCH 394/493] Update bootstrappers --- run.ps1 | 17 +++++++++++------ run.sh | 30 +++++++++++++++++++----------- 2 files changed, 30 insertions(+), 17 deletions(-) diff --git a/run.ps1 b/run.ps1 index 49c2899856..27dcf848f8 100644 --- a/run.ps1 +++ b/run.ps1 @@ -29,6 +29,9 @@ Updates KoreBuild to the latest version even if a lock file is present. .PARAMETER ConfigFile The path to the configuration file that stores values. Defaults to korebuild.json. +.PARAMETER ToolsSourceSuffix +The Suffix to append to the end of the ToolsSource. Useful for query strings in blob stores. + .PARAMETER Arguments Arguments to be passed to the command @@ -51,7 +54,7 @@ Example config file: #> [CmdletBinding(PositionalBinding = $false)] param( - [Parameter(Mandatory=$true, Position = 0)] + [Parameter(Mandatory = $true, Position = 0)] [string]$Command, [string]$Path = $PSScriptRoot, [Alias('c')] @@ -63,6 +66,7 @@ param( [Alias('u')] [switch]$Update, [string]$ConfigFile, + [string]$ToolsSourceSuffix, [Parameter(ValueFromRemainingArguments = $true)] [string[]]$Arguments ) @@ -79,7 +83,7 @@ function Get-KoreBuild { $lockFile = Join-Path $Path 'korebuild-lock.txt' if (!(Test-Path $lockFile) -or $Update) { - Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $lockFile + Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $lockFile $ToolsSourceSuffix } $version = Get-Content $lockFile | Where-Object { $_ -like 'version:*' } | Select-Object -first 1 
@@ -96,7 +100,7 @@ function Get-KoreBuild { try { $tmpfile = Join-Path ([IO.Path]::GetTempPath()) "KoreBuild-$([guid]::NewGuid()).zip" - Get-RemoteFile $remotePath $tmpfile + Get-RemoteFile $remotePath $tmpfile $ToolsSourceSuffix if (Get-Command -Name 'Expand-Archive' -ErrorAction Ignore) { # Use built-in commands where possible as they are cross-plat compatible Expand-Archive -Path $tmpfile -DestinationPath $korebuildPath @@ -124,7 +128,7 @@ function Join-Paths([string]$path, [string[]]$childPaths) { return $path } -function Get-RemoteFile([string]$RemotePath, [string]$LocalPath) { +function Get-RemoteFile([string]$RemotePath, [string]$LocalPath, [string]$RemoteSuffix) { if ($RemotePath -notlike 'http*') { Copy-Item $RemotePath $LocalPath return @@ -134,7 +138,7 @@ function Get-RemoteFile([string]$RemotePath, [string]$LocalPath) { while ($retries -gt 0) { $retries -= 1 try { - Invoke-WebRequest -UseBasicParsing -Uri $RemotePath -OutFile $LocalPath + Invoke-WebRequest -UseBasicParsing -Uri $($RemotePath + $RemoteSuffix) -OutFile $LocalPath return } catch { @@ -161,7 +165,8 @@ if (Test-Path $ConfigFile) { if (!($Channel) -and (Get-Member -Name 'channel' -InputObject $config)) { [string] $Channel = $config.channel } if (!($ToolsSource) -and (Get-Member -Name 'toolsSource' -InputObject $config)) { [string] $ToolsSource = $config.toolsSource} } - } catch { + } + catch { Write-Warning "$ConfigFile could not be read. Its settings will be ignored." Write-Warning $Error[0] } diff --git a/run.sh b/run.sh index c278423acc..834961fc3a 100644 --- a/run.sh +++ b/run.sh @@ -17,6 +17,7 @@ update=false repo_path="$DIR" channel='' tools_source='' +tools_source_suffix='' # # Functions 
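Review bot: `-ToolsSourceSuffix` is documented as a query string for blob stores, which is likely to be an access token, yet it is taken as a plain command-line `[string]` and concatenated into the `Invoke-WebRequest` URI in `Get-RemoteFile`. A value passed that way appears in CI command logs and process listings, and any failure message that includes the request URI would repeat it; the `catch` body and retry logging of `Get-RemoteFile` are outside this hunk and need checking for that. I would say so in the parameter help, for example `The suffix may contain a credential; supply it from a secret variable and do not echo it`, and keep `$RemoteSuffix` out of anything written on failure. The same applies to `--tools-source-suffix` in run.sh, where the suffix is placed on the `wget` and `curl` command lines.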
@@ -29,13 +30,14 @@ __usage() { echo " ... Arguments passed to the command. Variable number of arguments allowed." echo "" echo "Options:" - echo " --verbose Show verbose output." - echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." - echo " --config-file The path to the configuration file that stores values. Defaults to korebuild.json." - echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." - echo " --path The directory to build. Defaults to the directory containing the script." - echo " -s|--tools-source|-ToolsSource The base url where build tools can be downloaded. Overrides the value from the config file." - echo " -u|--update Update to the latest KoreBuild even if the lock file is present." + echo " --verbose Show verbose output." + echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." + echo " --config-file The path to the configuration file that stores values. Defaults to korebuild.json." + echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." + echo " --path The directory to build. Defaults to the directory containing the script." + echo " -s|--tools-source|-ToolsSource The base url where build tools can be downloaded. Overrides the value from the config file." + echo " --tools-source-suffix|-ToolsSourceSuffix The suffix to append to tools-source. Useful for query strings." + echo " -u|--update Update to the latest KoreBuild even if the lock file is present." echo "" echo "Description:" echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." 
@@ -50,7 +52,7 @@ get_korebuild() { local version local lock_file="$repo_path/korebuild-lock.txt" if [ ! -f "$lock_file" ] || [ "$update" = true ]; then - __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" + __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" "$tools_source_suffix" fi version="$(grep 'version:*' -m 1 "$lock_file")" if [[ "$version" == '' ]]; then @@ -66,7 +68,7 @@ get_korebuild() { local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" tmpfile="$(mktemp)" echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" - if __get_remote_file "$remote_path" "$tmpfile"; then + if __get_remote_file "$remote_path" "$tmpfile" "$tools_source_suffix"; then unzip -q -d "$korebuild_path" "$tmpfile" fi rm "$tmpfile" || true @@ -98,6 +100,7 @@ __machine_has() { __get_remote_file() { local remote_path=$1 local local_path=$2 + local remote_path_suffix=$3 if [[ "$remote_path" != 'http'* ]]; then cp "$remote_path" "$local_path" @@ -106,14 +109,14 @@ __get_remote_file() { local failed=false if __machine_has wget; then - wget --tries 10 --quiet -O "$local_path" "$remote_path" || failed=true + wget --tries 10 --quiet -O "$local_path" "${remote_path}${remote_path_suffix}" || failed=true else failed=true fi if [ "$failed" = true ] && __machine_has curl; then failed=false - curl --retry 10 -sSL -f --create-dirs -o "$local_path" "$remote_path" || failed=true + curl --retry 10 -sSL -f --create-dirs -o "$local_path" "${remote_path}${remote_path_suffix}" || failed=true fi if [ "$failed" = true ]; then @@ -164,6 +167,11 @@ while [[ $# -gt 0 ]]; do tools_source="${1:-}" [ -z "$tools_source" ] && __usage ;; + --tools-source-suffix|-ToolsSourceSuffix) + shift + tools_source_suffix="${1:-}" + [ -z "$tools_source_suffix" ] && __usage + ;; -u|--update|-Update) update=true ;; From 2623f5e02d1c6402fb374f75fee0b1c40c87b7c7 Mon Sep 17 00:00:00 2001 
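Review bot: In `__get_remote_file` the suffix is expanded into the wget and curl argument lists, so a token carried in it is readable by other local users through the process list while the download runs. Both tools can take the URL from standard input instead: `wget --tries 10 --quiet -O "$local_path" -i - <<< "${remote_path}${remote_path_suffix}"` and `printf 'url = "%s"\n' "${remote_path}${remote_path_suffix}" | curl --retry 10 -sSL -f --create-dirs -o "$local_path" -K -` (the curl config form needs quotes and backslashes in the URL escaped). The `--tools-source-suffix` option added in the argument-parsing hunk has the same exposure on the run.sh command line and in CI logs, so accepting the value from an environment variable as a fallback would help. The failure branch after `if [ "$failed" = true ]` is outside the hunk; confirm it does not echo the full URL.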
From: "ASP.NET CI" Date: Sun, 10 Dec 2017 12:18:13 -0800 Subject: [PATCH 395/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index ba7eafc781..e98d8320d0 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,31 +3,31 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15576 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 + 2.1.0-preview1-15618 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 2.3.2 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 - 2.1.0-preview1-27644 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 + 2.1.0-preview1-27773 3.14.1 2.0.0 - 2.1.0-preview1-25907-02 + 2.1.0-preview1-25915-01 15.3.0 - 4.4.0 + 4.5.0-preview1-25914-04 4.7.49 1.2.4 - 4.4.0 + 4.5.0-preview1-25914-04 8.1.4 - 2.3.0 - 2.3.0 + 2.3.1 + 2.3.1 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 1a99066b7c..e7cce93009 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15576 -commithash:2f3856d2ba4f659fcb9253215b83946a06794a27 +version:2.1.0-preview1-15618 +commithash:00ce1383114015fe89b221146036e59e6bc11219 From 667d42b654c9ebdbefd7fffa89be1f6bcb49b93c Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Wed, 13 Dec 2017 20:24:06 +0000 Subject: [PATCH 396/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 32 ++++++++++++++++---------------- korebuild-lock.txt | 4 ++-- 2 files changed, 18 insertions(+), 18 deletions(-) 
diff --git a/build/dependencies.props b/build/dependencies.props index e98d8320d0..2ca688f24f 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,28 +3,28 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15618 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 + 2.1.0-preview1-15626 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 2.3.2 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 - 2.1.0-preview1-27773 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 + 2.1.0-preview1-27807 3.14.1 2.0.0 - 2.1.0-preview1-25915-01 + 2.1.0-preview1-26008-01 15.3.0 - 4.5.0-preview1-25914-04 + 4.5.0-preview1-26006-06 4.7.49 1.2.4 - 4.5.0-preview1-25914-04 + 4.5.0-preview1-26006-06 8.1.4 2.3.1 2.3.1 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index e7cce93009..8d52a6128c 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15618 -commithash:00ce1383114015fe89b221146036e59e6bc11219 +version:2.1.0-preview1-15626 +commithash:fd6410e9c90c428bc01238372303ad09cb9ec889 From e73a289b3d222c45f2bef0fda322413dadbd5f8b Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Wed, 13 Dec 2017 15:00:37 -0800 Subject: [PATCH 397/493] Inclue RepositoryRoot --- Directory.Build.props | 1 + 1 file changed, 1 insertion(+) diff --git a/Directory.Build.props b/Directory.Build.props index bcfd221f4f..67065031f3 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -11,6 +11,7 @@ Microsoft ASP.NET Core https://github.com/aspnet/DataProtection git + $(MSBuildThisFileDirectory) $(MSBuildThisFileDirectory)build\Key.snk true true From d93a3c4a37c572bbb8d547d16e982b8e2ea3e7d3 Mon Sep 17 00:00:00 2001 
From: Barry Dorrans Date: Mon, 18 Dec 2017 11:00:48 -0800 Subject: [PATCH 398/493] Add community projects section --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 622d2e229d..7d9704e3f7 100644 --- a/README.md +++ b/README.md @@ -6,5 +6,8 @@ Travis: [![Travis](https://travis-ci.org/aspnet/DataProtection.svg?branch=dev) Data Protection APIs for protecting and unprotecting data. - This project is part of ASP.NET Core. You can find documentation for Data Protection in the [ASP.NET Core Documentation](http://docs.asp.net/en/latest/security/data-protection/index.html). You can find samples, documentation and getting started instructions for ASP.NET Core at the [Home](https://github.com/aspnet/home) repo. + +## Community Maintained Data Protection Providers & Projects + + - [ASP.NET Core DataProtection for Service Fabric](https://github.com/MedAnd/AspNetCore.DataProtection.ServiceFabric) From 303396d8fc528e33bd98bb7be9b6c8acdfeb6162 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Mon, 18 Dec 2017 16:37:06 -0800 Subject: [PATCH 399/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 2ca688f24f..f350a45969 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -4,27 +4,27 @@ 2.1.0-preview1-15626 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 2.3.2 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 - 2.1.0-preview1-27807 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 + 2.1.0-preview1-27849 3.14.1 2.0.0 - 2.1.0-preview1-26008-01 + 2.1.0-preview1-26016-05 15.3.0 - 4.5.0-preview1-26006-06 + 4.5.0-preview1-26016-05 4.7.49 1.2.4 - 4.5.0-preview1-26006-06 + 4.5.0-preview1-26016-05 8.1.4 2.3.1 2.3.1 From 2c3c2c081f44239348c264410d6f236e34cb1d4e Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 31 Dec 2017 20:38:24 +0000 Subject: [PATCH 400/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 28 ++++++++++++++-------------- korebuild-lock.txt | 4 ++-- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index f350a45969..3d70479dc3 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,21 +3,21 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15626 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 + 2.1.0-preview1-15651 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 2.3.2 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 2.1.0-preview1-27849 - 3.14.1 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 2.1.0-preview1-27942 + 3.14.2 2.0.0 2.1.0-preview1-26016-05 15.3.0 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 8d52a6128c..7c2e97aa79 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15626 -commithash:fd6410e9c90c428bc01238372303ad09cb9ec889 +version:2.1.0-preview1-15651 +commithash:ebf2365121c2c6a6a0fbfa9b0f37bb5effc89323 From 7ccc1b5a868e1b9625b4026712e64cc9aa75393a Mon Sep 17 00:00:00 2001 From: Eilon Lipton Date: Tue, 2 Jan 2018 14:22:44 -0800 Subject: [PATCH 401/493] Create ISSUE_TEMPLATE.md --- .github/ISSUE_TEMPLATE.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 0000000000..101a084f0a --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,3 @@ +THIS ISSUE TRACKER IS CLOSED - please log new issues here: https://github.com/aspnet/Home/issues + +For information about this change, see https://github.com/aspnet/Announcements/issues/283 From eca8f9b65418bfa0b2d66ed7b770354d9871b538 Mon Sep 17 00:00:00 2001 
From: "ASP.NET CI" Date: Thu, 4 Jan 2018 00:43:48 +0000 Subject: [PATCH 402/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 3d70479dc3..ed26e26727 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -4,19 +4,19 @@ 2.1.0-preview1-15651 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 2.3.2 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 - 2.1.0-preview1-27942 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 + 2.1.0-preview1-27965 3.14.2 2.0.0 2.1.0-preview1-26016-05 From 980ba44531a4c56d0eb9df5cc87e822d890d214e Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sat, 6 Jan 2018 14:15:25 -0800 Subject: [PATCH 403/493] Update dependencies.props [auto-updated: dependencies] --- korebuild-lock.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 7c2e97aa79..2146d006d7 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15651 -commithash:ebf2365121c2c6a6a0fbfa9b0f37bb5effc89323 +version:2.1.0-preview1-15661 +commithash:c9349d4c8a495d3085d9b879214d80f2f45e2193 From f8192fd63c885625e813daa65ad76f4f53a01106 Mon Sep 17 00:00:00 2001 
From: Pavel Krymets Date: Wed, 17 Jan 2018 10:39:07 -0800 Subject: [PATCH 404/493] Workaround corefx/26390 (#295) --- build/dependencies.props | 33 ++++++++++--------- korebuild-lock.txt | 4 +-- ...Microsoft.AspNetCore.DataProtection.csproj | 1 + 3 files changed, 20 insertions(+), 18 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index ed26e26727..52c5cde4e8 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,28 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15651 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 + 2.1.0-preview1-15675 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 2.3.2 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 - 2.1.0-preview1-27965 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 + 2.1.0-preview1-28099 3.14.2 2.0.0 - 2.1.0-preview1-26016-05 + 2.1.0-preview1-26115-03 15.3.0 - 4.5.0-preview1-26016-05 + 4.5.0-preview1-26112-01 4.7.49 1.2.4 - 4.5.0-preview1-26016-05 + 4.5.0-preview1-26112-01 + 4.5.0-preview1-26112-01 8.1.4 2.3.1 2.3.1 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 2146d006d7..a1f0faa2a3 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15661 -commithash:c9349d4c8a495d3085d9b879214d80f2f45e2193 +version:2.1.0-preview1-15675 +commithash:2ae69024f0d302f71128d9d0f1aeb99f199be47a diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj index d9ba04d1a9..3d3d87f25b 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj 
+++ b/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj @@ -25,6 +25,7 @@ + From 5ca8d3131fd26894b05c3d9644c2a28a6e93d50a Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 23 Jan 2018 15:30:30 -0800 Subject: [PATCH 405/493] Branching for 2.1.0-preview1 --- build/dependencies.props | 26 +++++++++++++------------- build/repo.props | 4 ++-- build/sources.props | 4 ++-- korebuild-lock.txt | 4 ++-- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 52c5cde4e8..e17d551df9 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15675 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 + 2.1.0-preview1-15679 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 2.3.2 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 + 2.1.0-preview1-28153 3.14.2 2.0.0 2.1.0-preview1-26115-03 diff --git a/build/repo.props b/build/repo.props index 78b0ce5879..d94ff7d00d 100644 --- a/build/repo.props +++ b/build/repo.props @@ -1,10 +1,10 @@ - + Internal.AspNetCore.Universe.Lineup - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json + https://dotnet.myget.org/F/aspnetcore-release/api/v3/index.json diff --git a/build/sources.props b/build/sources.props index 9feff29d09..5d66393335 100644 --- a/build/sources.props +++ b/build/sources.props 
@@ -1,11 +1,11 @@ - + $(DotNetRestoreSources) $(RestoreSources); - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json; + https://dotnet.myget.org/F/aspnetcore-release/api/v3/index.json; https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json; diff --git a/korebuild-lock.txt b/korebuild-lock.txt index a1f0faa2a3..a474bc0e35 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15675 -commithash:2ae69024f0d302f71128d9d0f1aeb99f199be47a +version:2.1.0-preview1-15679 +commithash:5347461137cb45a77ddcc0b55b2478092de43338 From dadc853efdb9eb8f15143dee145854df009efdd3 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Wed, 24 Jan 2018 15:00:26 -0800 Subject: [PATCH 406/493] Updating version to preview2 --- version.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.props b/version.props index d1791a6a89..6025bea086 100644 --- a/version.props +++ b/version.props @@ -2,7 +2,7 @@ 2.1.0 0.4.0 - preview1 + preview2 $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 From 232329866788d50eb349ac3ce460f3bd292965ad Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 31 Jan 2018 15:01:10 -0800 Subject: [PATCH 407/493] Update dependencies.props to 2.1.0-preview-28193, build tools to 2.1.0-preview1-1010 [ci skip] Scripted changes: - updated travis and appveyor.yml files to only build dev, ci, and release branches - updated dependencies.props - updated korebuild-lock.txt - updated korebuild.json to release/2.1 channel --- .appveyor.yml | 18 ++++++++---------- .travis.yml | 24 ++++++++++++------------ build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- korebuild.json | 4 ++-- run.sh | 0 6 files changed, 41 insertions(+), 43 deletions(-) mode change 100644 => 100755 run.sh diff --git a/.appveyor.yml b/.appveyor.yml index e6fa444db3..4eea96ab69 100644 --- a/.appveyor.yml +++ b/.appveyor.yml 
@@ -1,19 +1,17 @@ -init: - - git config --global core.autocrlf true +init: +- git config --global core.autocrlf true branches: only: - - master - - release - - dev - - /^(.*\/)?ci-.*$/ - - /^rel\/.*/ + - dev + - /^release\/.*$/ + - /^(.*\/)?ci-.*$/ build_script: - - ps: .\run.ps1 default-build +- ps: .\run.ps1 default-build clone_depth: 1 environment: global: DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true DOTNET_CLI_TELEMETRY_OPTOUT: 1 -test: off -deploy: off +test: 'off' +deploy: 'off' os: Visual Studio 2017 diff --git a/.travis.yml b/.travis.yml index 6c59666f3a..64bdbb4441 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,25 +3,25 @@ sudo: false dist: trusty env: global: - - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true - - DOTNET_CLI_TELEMETRY_OPTOUT: 1 + - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true + - DOTNET_CLI_TELEMETRY_OPTOUT: 1 mono: none os: - - linux - - osx +- linux +- osx osx_image: xcode8.2 addons: apt: packages: - - libunwind8 + - libunwind8 branches: only: - - master - - release - - dev - - /^(.*\/)?ci-.*$/ - - /^rel\/.*/ + - dev + - /^release\/.*$/ + - /^(.*\/)?ci-.*$/ before_install: - - if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/; fi +- if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s + /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib + /usr/local/lib/; fi script: - - ./build.sh +- ./build.sh diff --git a/build/dependencies.props b/build/dependencies.props index e17d551df9..23d21e6505 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15679 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 + 2.1.0-preview1-1010 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 2.3.2 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 - 2.1.0-preview1-28153 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 + 2.1.0-preview1-28193 3.14.2 2.0.0 - 2.1.0-preview1-26115-03 + 2.1.0-preview1-26122-01 15.3.0 - 4.5.0-preview1-26112-01 + 4.5.0-preview1-26119-06 4.7.49 1.2.4 - 4.5.0-preview1-26112-01 - 4.5.0-preview1-26112-01 + 4.5.0-preview1-26119-06 + 4.5.0-preview1-26119-06 8.1.4 2.3.1 2.3.1 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index a474bc0e35..851bfbf203 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15679 -commithash:5347461137cb45a77ddcc0b55b2478092de43338 +version:2.1.0-preview1-1010 +commithash:75ca924dfbd673c38841025b04c4dcd93b84f56d diff --git a/korebuild.json b/korebuild.json index bd5d51a51b..678d8bb948 100644 --- a/korebuild.json +++ b/korebuild.json @@ -1,4 +1,4 @@ { - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", - "channel": "dev" + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/release/2.1/tools/korebuild.schema.json", + "channel": "release/2.1" } diff --git a/run.sh b/run.sh old mode 100644 new mode 100755 From 5c53031d9bee0e3c69a1f1e12eb0ce076da62e96 Mon Sep 17 00:00:00 2001 
From: "ASP.NET CI" Date: Thu, 1 Feb 2018 03:00:51 +0000 Subject: [PATCH 408/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 52c5cde4e8..8b4b533bfa 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview1-15675 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 + 2.1.0-preview2-15692 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 2.3.2 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 - 2.1.0-preview1-28099 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 + 2.1.0-preview2-28215 3.14.2 2.0.0 - 2.1.0-preview1-26115-03 + 2.1.0-preview2-26130-04 15.3.0 - 4.5.0-preview1-26112-01 + 4.5.0-preview2-26130-01 4.7.49 1.2.4 - 4.5.0-preview1-26112-01 - 4.5.0-preview1-26112-01 + 4.5.0-preview2-26130-01 + 4.5.0-preview2-26130-01 8.1.4 2.3.1 2.3.1 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index a1f0faa2a3..232cb858c2 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview1-15675 -commithash:2ae69024f0d302f71128d9d0f1aeb99f199be47a +version:2.1.0-preview2-15692 +commithash:5d9f445ce3f8492451a6f461df7e739bbed6a7f8 From d0dea3ca5fb605b8d6f22f410e1baf3917e55aa6 Mon Sep 17 00:00:00 2001 
From: "ASP.NET CI" Date: Sat, 3 Feb 2018 02:39:43 +0000 Subject: [PATCH 409/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 8b4b533bfa..586398bb7d 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15692 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 + 2.1.0-preview2-15694 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 2.3.2 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 - 2.1.0-preview2-28215 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 + 2.1.0-preview2-30020 3.14.2 2.0.0 2.1.0-preview2-26130-04 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 232cb858c2..6f294ef0e6 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15692 -commithash:5d9f445ce3f8492451a6f461df7e739bbed6a7f8 +version:2.1.0-preview2-15694 +commithash:f61af02b48e89592c9aadb7ebaebe84228666c3b From 5aa3529dcb781ce9e07c16b1caa4fd2b4aec8125 Mon Sep 17 00:00:00 2001 From: PRIYANSHU AGRAWAL Date: Tue, 6 Feb 2018 21:48:12 +0530 Subject: [PATCH 410/493] Merge PR #297 - minor code cleanup - remove duplicate allocation of DateTimeOffset --- .../TimeLimitedDataProtector.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs index 2037ce5f05..71e9c3c553 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs @@ -100,7 +100,7 @@ namespace Microsoft.AspNetCore.DataProtection // Not expired - split and return payload byte[] retVal = new byte[plaintextWithHeader.Length - 8]; Buffer.BlockCopy(plaintextWithHeader, 8, retVal, 0, retVal.Length); - expiration = new DateTimeOffset((long)utcTicksExpiration, TimeSpan.Zero); + expiration = embeddedExpiration; return retVal; } catch (Exception ex) when (ex.RequiresHomogenization()) From a178c8c5af30c38847351915800aeb7098967b02 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Fri, 9 Feb 2018 11:36:57 -0800 Subject: [PATCH 411/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 586398bb7d..2666fc0153 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15694 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 + 2.1.0-preview2-15698 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 2.3.2 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 - 2.1.0-preview2-30020 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 + 2.1.0-preview2-30066 3.14.2 2.0.0 2.1.0-preview2-26130-04 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 6f294ef0e6..3e2b56b91b 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15694 -commithash:f61af02b48e89592c9aadb7ebaebe84228666c3b +version:2.1.0-preview2-15698 +commithash:7216e5068cb1957e09d45fcbe58a744dd5c2de73 From 99165207bb304851679c6803879c8dac264e39d3 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 11 Feb 2018 12:18:18 -0800 Subject: [PATCH 412/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 2666fc0153..50980f8914 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -4,19 +4,19 @@ 2.1.0-preview2-15698 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 2.3.2 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 - 2.1.0-preview2-30066 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 + 2.1.0-preview2-30077 3.14.2 2.0.0 2.1.0-preview2-26130-04 @@ -28,7 +28,7 @@ 4.5.0-preview2-26130-01 8.1.4 2.3.1 - 2.3.1 + 2.4.0-beta.1.build3945 From a6165304b34db6a788df4d48cea0f649b0d41761 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Wed, 14 Feb 2018 11:55:47 -0800 Subject: [PATCH 413/493] Add ExperimentalPackageVersion --- build/dependencies.props | 32 +++++++++---------- ...oft.AspNetCore.DataProtection.Redis.csproj | 6 ++-- version.props | 6 +++- 3 files changed, 25 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 23d21e6505..9351042b07 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -4,28 +4,28 @@ 2.1.0-preview1-1010 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 2.3.2 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 - 2.1.0-preview1-28193 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 + 2.1.0-preview1-28274 3.14.2 2.0.0 - 2.1.0-preview1-26122-01 + 2.1.0-preview1-26208-06 15.3.0 - 4.5.0-preview1-26119-06 + 4.5.0-preview1-26208-08 4.7.49 1.2.4 - 4.5.0-preview1-26119-06 - 4.5.0-preview1-26119-06 + 4.5.0-preview1-26208-08 + 4.5.0-preview1-26208-08 8.1.4 2.3.1 2.3.1 diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 86fc1f8fb7..3cad440e37 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -2,8 +2,10 @@ Redis storage support as key store. - $(ExperimentalProjectVersionPrefix) - false + $(ExperimentalVersionPrefix) + $(ExperimentalVersionSuffix) + false + $(ExperimentalPackageVersion) netstandard2.0 true true diff --git a/version.props b/version.props index d1791a6a89..c7cd83f3b4 100644 --- a/version.props +++ b/version.props @@ -1,11 +1,15 @@ 2.1.0 - 0.4.0 + 0.4.0 preview1 + alpha1 + $(ExperimentalVersionPrefix)-$(ExperimentalVersionSuffix)-final + $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 $(VersionSuffix)-$(BuildNumber) + $(ExperimentalVersionSuffix)-$(BuildNumber) From e2373fc4a5a1f81b9a07200de7366ecb22392707 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Wed, 14 Feb 2018 16:45:43 -0800 Subject: [PATCH 414/493] Upgrade dependencies and build tools --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- run.sh | 0 3 files changed, 15 insertions(+), 15 deletions(-) mode change 100644 => 100755 run.sh diff --git a/build/dependencies.props b/build/dependencies.props index 50980f8914..d043d048bc 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15698 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 + 2.1.0-preview2-15704 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 2.3.2 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 - 2.1.0-preview2-30077 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 + 2.1.0-preview2-30103 3.14.2 2.0.0 2.1.0-preview2-26130-04 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 3e2b56b91b..565ec4224a 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15698 -commithash:7216e5068cb1957e09d45fcbe58a744dd5c2de73 +version:2.1.0-preview2-15704 +commithash:21fdd9f5254226f407a2b4b3ef963693c2fd7998 diff --git a/run.sh b/run.sh old mode 100644 new mode 100755 From eea8c1a146a1d32c91412a07e41d1844caa2baa3 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Fri, 16 Feb 2018 11:54:13 -0800 Subject: [PATCH 415/493] Support decrypting keys with X509Certificate that is not in the X509Store The default implementation of EncryptedXml doesn't support using the RSA key from X509Certificate to decrypt xml unless that cert is in the X509 CurrentUser\My or Localmachine\My store. This adds support for decrypting with the X509Certificate directly. This is useful for Linux (often Docker) scenarios, where the user already has a .pfx file, but may not have added it to X509Store. --- .../DataProtectionBuilderExtensions.cs | 2 + .../XmlEncryption/EncryptedXmlDecryptor.cs | 93 +++++++++++++++++- .../XmlEncryption/XmlKeyDecryptionOptions.cs | 27 +++++ test/CreateTestCert.ps1 | 14 +++ .../DataProtectionProviderTests.cs | 54 ++++++---- ...Core.DataProtection.Extensions.Test.csproj | 1 + .../TestFiles/TestCert2.pfx | Bin 0 -> 2670 bytes .../KeyManagement/XmlKeyManagerTests.cs | 4 +- ...soft.AspNetCore.DataProtection.Test.csproj | 1 + .../TestFiles/TestCert1.PublicKeyOnly.cer | Bin 0 -> 796 bytes .../TestFiles/TestCert1.pfx | Bin 0 -> 2670 bytes .../TestFiles/TestCert2.pfx | Bin 0 -> 2662 bytes .../CertificateXmlEncryptionTests.cs | 1 - .../EncryptedXmlDecryptorTests.cs | 91 +++++++++++++++++ 14 files changed, 266 insertions(+), 22 deletions(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs create mode 100644 test/CreateTestCert.ps1 create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx create mode 100644 test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs 
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index ec1d1136dd..f37dab4331 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs @@ -274,6 +274,8 @@ namespace Microsoft.AspNetCore.DataProtection }); }); + builder.Services.Configure(o => o.AddKeyDecryptionCertificate(certificate)); + return builder; } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index 6bc280900c..e020ac7bb0 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -2,10 +2,14 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Collections.Generic; +using System.Security.Cryptography; +using System.Security.Cryptography.X509Certificates; using System.Security.Cryptography.Xml; using System.Xml; using System.Xml.Linq; using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { @@ -15,6 +19,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption public sealed class EncryptedXmlDecryptor : IInternalEncryptedXmlDecryptor, IXmlDecryptor { private readonly IInternalEncryptedXmlDecryptor _decryptor; + private readonly XmlKeyDecryptionOptions _options; /// /// Creates a new instance of an . @@ -31,6 +36,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption public EncryptedXmlDecryptor(IServiceProvider services) { _decryptor = services?.GetService() ?? this; + _options = services?.GetService>()?.Value; } /// 
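Review bot: The `builder.Services.Configure(...)` call added in the `@@ -274,6 +274,8 @@` hunk turns the encryption certificate into a key-decryption certificate as well, and nothing at the call site says so. Anyone auditing which private keys can open the key ring would want that stated; I would add `// Also register this certificate for key decryption so it does not have to be installed in an X509Store.` above the call and repeat it in the method's XML summary. The enclosing method starts outside the hunk, so its existing doc text is not visible here.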
@@ -57,8 +63,10 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var elementToDecrypt = (XmlElement)xmlDocument.DocumentElement.FirstChild; // Perform the decryption and update the document in-place. - var encryptedXml = new EncryptedXml(xmlDocument); + var decryptionCerts = _options?.KeyDecryptionCertificates; + var encryptedXml = new EncryptedXmlWithCertificateKeys(decryptionCerts, xmlDocument); _decryptor.PerformPreDecryptionSetup(encryptedXml); + encryptedXml.DecryptDocument(); // Strip the element back off and convert the XmlDocument to an XElement. 
@@ -69,5 +77,88 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption { // no-op } + + /// + /// Can decrypt the XML key data from an that is not in stored in . + /// + private class EncryptedXmlWithCertificateKeys : EncryptedXml + { + private readonly IReadOnlyDictionary _certificates; + + public EncryptedXmlWithCertificateKeys(IReadOnlyDictionary certificates, XmlDocument document) + : base(document) + { + _certificates = certificates; + } + + public override byte[] DecryptEncryptedKey(EncryptedKey encryptedKey) + { + byte[] key = base.DecryptEncryptedKey(encryptedKey); + if (key != null) + { + return key; + } + + if (_certificates == null || _certificates.Count == 0) + { + return null; + } + + var keyInfoEnum = encryptedKey.KeyInfo?.GetEnumerator(); + if (keyInfoEnum == null) + { + return null; + } + + while (keyInfoEnum.MoveNext()) + { + if (!(keyInfoEnum.Current is KeyInfoX509Data kiX509Data)) + { + continue; + } + + key = GetKeyFromCert(encryptedKey, kiX509Data); + if (key != null) + { + return key; + } + } + + return null; + } + + private byte[] GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo) + { + var certEnum = keyInfo.Certificates?.GetEnumerator(); + if (certEnum == null) + { + return null; + } + + while (certEnum.MoveNext()) + { + if (!(certEnum.Current is X509Certificate2 certInfo)) + { + continue; + } + + if (!_certificates.TryGetValue(certInfo.Thumbprint, out var certificate)) + { + continue; + } + + using (RSA privateKey = certificate.GetRSAPrivateKey()) + { + if (privateKey != null) + { + var useOAEP = encryptedKey.EncryptionMethod?.KeyAlgorithm == XmlEncRSAOAEPUrl; + return DecryptKey(encryptedKey.CipherData.CipherValue, privateKey, useOAEP); + } + } + } + + return null; + } + } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs new file mode 100644 index 0000000000..01999c224d --- /dev/null 
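Review bot: `GetKeyFromCert` passes `encryptedKey.CipherData.CipherValue` straight to `DecryptKey`, so a stored key whose `EncryptedKey` carries no inline cipher value would presumably fail with a null-argument exception rather than the `return null` path the other branches take. The key XML is read back from storage and is best handled as untrusted input, so I would guard at the top of the method: `var cipherValue = encryptedKey.CipherData?.CipherValue; if (cipherValue == null) { return null; }`. The class summary could also say that a configured certificate is selected only by the thumbprint of the certificate embedded in the key's `KeyInfo`. That makes clear the embedded certificate is a lookup hint and not a trust decision.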
+++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs
@@ -0,0 +1,27 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.AspNetCore.DataProtection.XmlEncryption
+{
+ ///
+ /// Specifies settings for how to decrypt XML keys.
+ ///
+ internal class XmlKeyDecryptionOptions
+ {
+ private readonly Dictionary _certs = new Dictionary(StringComparer.Ordinal);
+
+ ///
+ /// A mapping of key thumbprint to the X509Certificate2
+ ///
+ public IReadOnlyDictionary KeyDecryptionCertificates => _certs;
+
+ public void AddKeyDecryptionCertificate(X509Certificate2 certificate)
+ {
+ _certs[certificate.Thumbprint] = certificate;
+ }
+ }
+}
diff --git a/test/CreateTestCert.ps1 b/test/CreateTestCert.ps1
new file mode 100644
index 0000000000..a85a040f05
--- /dev/null
+++ b/test/CreateTestCert.ps1
@@ -0,0 +1,14 @@
+#
+# Generates a new test cert in a .pfx file
+# Obviously, don't actually use this to produce production certs
+#
+
+param(
+ [Parameter(Mandatory = $true)]
+ $OutFile
+)
+
+$password = ConvertTo-SecureString -Force -AsPlainText -String "password"
+$cert = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation Cert:\CurrentUser\My\
+Export-PfxCertificate -Cert $cert -Password $password -FilePath $OutFile
+Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
index fc73e1397d..ad3dbb3a27 100644
--- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
+++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
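Review bot: `AddKeyDecryptionCertificate` in the new XmlKeyDecryptionOptions.cs keeps exactly one certificate per thumbprint and overwrites unconditionally. Registering a public-key-only copy after the .pfx copy therefore replaces the usable entry, and decryption then ends in "Unable to retrieve the decryption key". It also reads `certificate.Thumbprint` without a null check. I would add `if (certificate == null) { throw new ArgumentNullException(nameof(certificate)); }` and keep an existing entry that already has a private key: `if (!_certs.TryGetValue(certificate.Thumbprint, out var existing) || !existing.HasPrivateKey) { _certs[certificate.Thumbprint] = certificate; }`. The property comment says "key thumbprint", but the value stored is the certificate thumbprint, so `/// A mapping of certificate thumbprint to the X509Certificate2 used for key decryption` would be more accurate.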
@@ -5,6 +5,7 @@ using System; using System.IO; using System.Reflection; using System.Runtime.InteropServices; +using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.Test.Shared; @@ -155,6 +156,39 @@ namespace Microsoft.AspNetCore.DataProtection }); } + [Fact] + public void System_UsesInMemoryCertificate() + { + var filePath = Path.Combine(GetTestFilesPath(), "TestCert2.pfx"); + var certificate = new X509Certificate2(filePath, "password"); + + using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) + { + store.Open(OpenFlags.ReadOnly); + // ensure this cert is not in the x509 store + Assert.Empty(store.Certificates.Find(X509FindType.FindByThumbprint, certificate.Thumbprint, false)); + } + + WithUniqueTempDirectory(directory => + { + // Step 1: directory should be completely empty + directory.Create(); + Assert.Empty(directory.GetFiles()); + + // Step 2: instantiate the system and round-trip a payload + var protector = DataProtectionProvider.Create(directory, certificate).CreateProtector("purpose"); + Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); + + // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate + var allFiles = directory.GetFiles(); + Assert.Single(allFiles); + Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); + string fileText = File.ReadAllText(allFiles[0].FullName); + Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + Assert.Contains("X509Certificate", fileText, StringComparison.Ordinal); + }); + } + /// /// Runs a test and cleans up the temp directory afterward. /// 
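Review bot: `System_UsesInMemoryCertificate` checks only `StoreLocation.CurrentUser` before asserting that the in-memory path was used, while the commit description says the default `EncryptedXml` lookup also covers LocalMachine\My. On a machine where the test certificate sits in the machine store, the round-trip would pass without exercising the new code. I would repeat the `Assert.Empty(store.Certificates.Find(...))` check for `new X509Store(StoreName.My, StoreLocation.LocalMachine)`, skipping it on platforms where that store cannot be opened. A comment such as `// Precondition: the cert must be absent from every store EncryptedXml searches, otherwise this test proves nothing.` would record the intent.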
@@ -177,24 +211,6 @@ namespace Microsoft.AspNetCore.DataProtection } private static string GetTestFilesPath() - { - var projectName = typeof(DataProtectionProviderTests).GetTypeInfo().Assembly.GetName().Name; - var projectPath = RecursiveFind(projectName, Path.GetFullPath(".")); - - return Path.Combine(projectPath, projectName, "TestFiles"); - } - - private static string RecursiveFind(string path, string start) - { - var test = Path.Combine(start, path); - if (Directory.Exists(test)) - { - return start; - } - else - { - return RecursiveFind(path, new DirectoryInfo(start).Parent.FullName); - } - } + => Path.Combine(AppContext.BaseDirectory, "TestFiles"); } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj index 29cf82928f..16a4f12c98 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj @@ -6,6 +6,7 @@ + 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx new file mode 100644 index 0000000000000000000000000000000000000000..4ed9bbe3947198f2158ca74183b849ee4751d631 GIT binary patch literal 2670 zcmZWpcQoAF7XA%mL>ojG?MBULql+%1MDHR()Mz0XHA*mA)F7gc7DPq~x!hnf7!xI0 z5MA^hL81gfc$2LA?p<%ab=E$6pYQwjKIf0KJ~)cfg9JnhM^OquC}43nqgW4GUr4qn3x%qTU1Sgc3NE|eMWp*Y0LR* zto(tVKwp1;n7*6ps;c0f)f7!5mKyJ@P`c;X3uFuXdS^$JgZ27!z}`2>7(Y2|cAG3* zcNKZtuCvjap|u=W%PQE&4!3-OvrpDUd{GZ+TOGsdCUGU!F?x43ap1KR*KV|UrpXbe zjjxITQE}1JGgfz1Gx!428QqUAnFojo=j#Tm=oG|yl_3h4dsEUxGu0lki&dm(xZ#KS zik0Z(OKH=VCmV$_SGks@ZIdorW`L6P!yD#ap0ye?Q|3Eab#+%b#%}R2K>WNfR@a%* zR>Zv`aVt{WZ2p%qN6rB1uitTqMMl$)RJ35;8lN%YTq_kuj794rJ0Z*s;CwEj}2 zO7F<6zI%(W+i1X}`rv^n*6m=NnRzwd-m>cMWEb?Xq^WO(MlfW25>qW%u`!c3-&V+^ zQVxrvvkg*y#;5vvWeFKIcqFoZnr5n`uZxF_U*C{#tZg!KE;aT5t{HFyvnLitl>g`y zxqpCZC@_}PVR_wVpk+xl8W9iwg0>TUs}h_anY^W&pL)QTb)=rD=q>d$eik1t>iu}&B{;uiiHrZ|W^m55 zg4)lrx-tRK7PO*W5hrLZtXTK`3bQ$juu=xa;8qq>sIB*Bm;{*S)}_PF`@&5s>19V2 z#=LEfs?Hyzu8>j4i@RUXInRV3Pl|dI#@OQCbW6Y67CrN;9kPtwt)&eQuQ)JQ)6ZNJ z^IW$3q5rr<1Dxx*D*(aKvi`oA5PfQSBAiW|k-plxH4M zQ@hZph6N6`)RP(J_q-y}Z$0Zs&OOJTnh%@Jw$`=R@o|A|w{uT}#2NK&qdBoYhZ7W9 z7tUtOr-+J3`q~rhSnz8OzMC2rk5L@On(pY+stmX>c0OfGzbl6tS_X#w3>-M~i6{B# zP5q!Q`Qn{l?IBu&jGO1qDS7p|*Ard|L1;{tnp%D?j$yRxT9wJRB%QCJ#y++tFJ&@T zp|pa!*(a5jaCL3YVoB4NQ3!qP)RfKw3;+2dbjPfDBAU(gIiP9{xPMqED9&`Zs!-j8 zkjAp|+q5lnGEsBswy#Q**FKcD+#ha|R3F%DwYDcIj}U>%P2*Y-2wXfFX8Nqs=WEuf z3Sq@B(dhvpPS0=AygTa!zJky-tXG13PB$`i4RiIWW3ml($@;KygBl-Apx9rs$`0@7 zT1@j1*)nOurt|s3A$>ZM8bS}02kPG>Yb`p6eL3!PZ>r3as2sgVV$$~5T&@CYmrtEP z5tF)ld>_%i4(zPxe5kTpa3QFO#2z(FPm0$Roam@wl@}@C1CpGO0GH|$zeL(SwTaY= zJKbMoc>;Fc&P6HH%r+SwriM%0rYd|gAwpOTc00GbvOIT9lp1QyWl{80n!$TK^xL{2 z&21#-xtjSvr$p2UoZ%n4q+pVOfWaUD0N}R&f{YTzT!w%@a1Rg#Bmfye5|9I=erG2l zA`7?x*MVP^G*RJ9T%v$H5pn!oNfUMVh^#aKC&n+O6miM_8ZQh1fk7xadeHCj27o(J 
zh6KC;KVrBLuj2vC{;q-m2O@Kii0BdbhrbzrB8Md6uD@~P-<^TP8P3ErlIZE=|Gb|Z zQj8)!hNDOiNI(EFZU4)F{@?hA&>LBg%GVrz8Gj^-6hA3AU8T@de->>%uvkJ9cM@JR zxt?2@BQ_$K>r!COTXX$#1ouFfIsRIu64!Up?K~Ndhqe*DB`xq2KtOs#A-8y|PLlhq z0*BTT-I?Ng!=^y*W@Ra`Yn0HXZ5w*qGd(>e2RfE^4cjYLfX_Y6v#r|_=75RqVAPui z^CU@0b^=%qqH8+m+w?@~*JmkJ7d&xySPV9K+ zQsAKkrd$7n>Nar|!w;Cr2+D*nA*kdqJTH8bGua31ZDDiZ2*bSQFg75h2v)P8J|0d; zopQ0$_S35)jmSx(pJFqX@+{=A$KS>5UEPzbZ7z;xJ-e!X6wO@#3bKjU72j73{76&7 zu3Q!BLIaR671n|xJNQD$C8!1kss$`C0d*VXkm@1!NdIj8g8;3zRI{oToqiu3 zSJ#MA+lfC$m240z@v6QJPQnfGRcO})sY_Ju%cP#E`qUCHZ5^MD;qX00p)L70!~ z<34SWy`vc<1WVq_-`dGVAh5I}R~8&^eBTj!k>&~(+*8-CHdtn*b1&M8YG_k(-*a6e zZ5GCRKJ0P()|kYbA42!3hzA{bzSa}fR;Dw9bbWSn1OFtUI5FG2y*eqQp6S(C7|W}V zo8MTcoUjZzZi9BOF`v$Z-*2?2sNXEDR_vJ~lnNVN4C*FizpQ6`k74-YP^Vk4d-}&t z{3PMaXttcsk6GXC5Rth{x$LQtcD)Z9oOY_*KYtWr67Ad5fFk`?1hC1tx2HD26 zbM;;dJu3 zdA!v<>?;rLRvzKKVCz5XJ1ITupZ^|bwRBaCfd z<;S-K*IBqCoEuIKArpp@lCXmrS*I!+vlHAh;%y2FTe%^%nszs%z>Hna!&mzCPP%6> Rj%Cne6{f;j4cA`=@E;W(z}^4= literal 0 HcmV?d00001 diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs index ba9f21be61..c6a2e068a3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs @@ -4,6 +4,8 @@ using System; using System.Collections.Generic; using System.Linq; +using System.Security.Cryptography; +using System.Security.Cryptography.X509Certificates; using System.Xml; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography.Cng; @@ -347,7 +349,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement 2015-06-01T00:00:00Z - + "; diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj index 54469e4063..bf45498fbf 100644 
--- a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj @@ -7,6 +7,7 @@ + diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer b/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer new file mode 100644 index 0000000000000000000000000000000000000000..329c90a83b9e9f8d8d872a622c989a843c34284e GIT binary patch literal 796 zcmXqLVwNyyVq#dp%*4pVB;Y+u=HvT>)|rm{p5^5kE*A`V**LY@JlekVGBR?rG8l*$ z3Ktk<*_Tqawr|*+8qzMM=eaaTHKB7=3f=Rv4pQqHDtJASoMp8IVd_NWd7DEzDK4_ogu2UAVi(#+?VS1jw;oU zZJ&9*g*CQpJv;O7<|SE+TPD0a@T~mG1x|VP>awG}&psTP=<;?)bJz4KQg8OZ+cEcF zY$xaPGL5zQF{iJx`TSWkB}S#5U!GAu=CCUhGb01z;xvO413qAg%knca{%2ufW@24n zAPeHFvWOXouyJU!F|x9*$w0e2HpB!M;Yv52vVL@W`k3^%ShzrC}k z*NodyQ&EI#8gfhkBN`YJj12yV3_mTIeqU>^$UC03r=F~F%XyqZfh!c4cW)JRpkEX z3vX}#nsrKONsO*_MxU2y0KcPo&mHc7Y2FMOhraJ+EtB(Ir8EDPx#YCvx`Dr}_OV=v z<9<9Lf_=tGj?EIDm+Go&E^IQ%~UF7oa9i}&5Wq#6bL7dTZd z-?whQbU0(I@zvi9lNb9wllhvUv29nb{i*4{UdqYsy1w-G^#4)smi&6yac1K|Q`z0U i-q$qN1j)w6PMjh(*XF9h)WWxs%NI9@IjC|iECm2C>^N)y literal 0 HcmV?d00001 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx b/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx new file mode 100644 index 0000000000000000000000000000000000000000..8bf695f1d6df5c48b720bb18859e0519bc6ff03b GIT binary patch literal 2670 zcmZWpXEfZ~9{o=boKG8zM>v5&5G)?SLqT;TN;T?`76b?7;StPG zJmL~rMq=?4!2ejV9Vi~QfyKjC$oNh{{nr)^0tC*(L(j2z=rNX+0`Xs&98L$NOi^ki zo>KY1;Ec;nF zXK)PEJuxLpG@-iY3i+0Vryi(VDOE|}v@>x&pHEsPeCT<8-V}}n|9H5#F)Nc5C?(pX zp{=>P5zWkAKLg9KR0xC_nNQkdJ{ z5w1O8_W1oEJVFW#0ZJn`D^|GJEx)v=C-`4`0d*5xty(nwkX&CBY9#l;SAyisz-@I= zb45$rVuXPmfWq5lH-dda!4(u9akjG0-?<~KH3vqvd*#$Syq2Av`g9t_HQ>i)=* zHxxxqQOfjzi~r@svJ=I<5!Bat#yirqWS}}@-w(d|Fxh*fbNE|#6SkI#c>-fxY1aYB z)EB<ce;%Ez*c%Byhs%_jlre=)gUV+2g8Oa{AlB0~hr@WY;J2&sGo!;>f zl1s~qj%~VON*xmXCTZk7#KsFyKC^%Fnbm7x7K;Xv+d-8y<7sYXVnu z*0ck*PokpbWKwQUq#8mU^P{sc?v_0m0y^R5mQ{hd0 z=5QUW_+xfBr&m6$seCcNFl~g1UA}z)@Ar7^YkayoYu1d43H|v@{2s|$LLhS4!EHx+ zOL%#(=UMuyu6NQ6bHFlLZ^Qa)HK%^c22rLMk-*K}pS+Z3B;0jjxJHY$LAf;P^^>?Y>I7BFW#x0#v*Qn)*B4ALh&jhez=y4%3LRGmgDd zOTZvS9r~SI8&SpyYEPY({q&ViT?5VMWHd+UtwHy0Z>?9n+p^mOjyf>`$(z-$Z!!pt z>@5n!Db7+uxx+7~q>+ZXhSF<{75#9ZomA#p+zPSHT~17oqPErOsYes;!&`EiLp-Ut zue<{#5M!$}_mGTYDIl2M0seL#?|iZ6AlT7YAT0vT|;%bV+woH>JnT*M%LC+^_)p0?SC7LzX3RR{ik0de52Zl(^^=b7~O#kXE z&yM(cYuGyxpHYlW?`Ry41XKO3sg!LF1cn7YP0u{PzJN&BF!s{lbxCzugaQf$0RVut_(x#T= zS;GOhelaWZv?4PpvM&aRl9?!gB}0t7D*{N6VMXSWfbF000u&%92roeo`W3GQIFh5i z0C&Kf414l(?0~^v%%8mGMUG$xG{|SbFUN=Md69L8U%KwEO+RvmE&1+6?sWLy|A$lL z;UPy@JY)|H0?1?I9|!dR#h<-9m%io7c=TuShvFd}`RQC%sZy<~_L(h_T5nl)pWIy| z@q4zE2OOERwn9$XSLHrt0+fCHS zAL8hc3=@3wVAkDz%@?pcoSIv^qATL3XK~}-Dy0?q==8_Ssu_#r%}8748h0--Hv9JV zwX950_(PQX1X@(j0>gqef-G;gp0F)M^B=7(??|KRYK8cPSVq+aY}@^;3&!&QXh+0c z2J_D?zTO^xH^L0>wqPY;EQiC9w7G#r^?XzXhlA^)(U0JbOmo_>WMF45SvhRwNo8Q# z0YkywyyEptl^C%{%OPrWIVbEQary4qz z(JCv9lTBPmwG}K5()OD>Nq#(mWBeM!Fr%eO8EhL z{sz^@LQ_=ZLPQ7gDttz3jnZw0Fv&?51IJw$v&p!!efe2Ao=abRp5yX;!2W)jE@^aT z*0eOkzxR?wYwA4`LR|I7l6p`9R6clf^p#V;JIsX2s+^^NAJGUlIbh+c0Yy%ws<(j^ 
zs-zOddd_S5UPWECaqcN$T9OAdIWpgOFpD=q?^R1jwF{%)Yq}9Xd)HBM&Gn!84DwS} zXNTCh1mw=Fe#-OKs@88o?DIR4+$cHOAhiN?J-wDg;Yu(5f&H| z3P}GX$dB~L*(n)S^&9@~Rau`pKxzO}rnOO56Tdi|yq)mTT9Q(&K|$H>qNVH0G2M@i zdv)s)naYNZj&qdLIV;BtS=j^yX|)_PpUdk1v!F*_MgpW1mtX_V*{f PMjX121mCd#vjF}BxA3SM literal 0 HcmV?d00001 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx b/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx new file mode 100644 index 0000000000000000000000000000000000000000..a54c93ba34964934f35d3101e3c0469319437ccf GIT binary patch literal 2662 zcmZWpc{tQ-8~zPrCWGuIOJk74gi-c=&%P&Ri%>{0wyZIjv1B=OvURLONcL)MW2Z)q z!q6hc5V9Z3$rgQ6*ZI!5zU#Z*>v^B&z3=C_pZBjDjfHtKftb-)7y`m7gEPVHaDbqo z5-f}pjD@i=U?>{Pvim<2%OV)dGRJ`FjQ9j$`+JHV24X6~g1@1$;7zm$1omH;A$}Zu zY`o)p6$R5Y#KZ(024lg)KDhoHmTQ*x5~`K+IC%X+47mN=<~aEJA7_vCIP<9DK!;(4 z^R4EXsjk=j8z^DP(p7-eUe;0y@^mw;EvUx6FiWAC@+5!Yw&_gw92DB<32Z%izf={3 z&{H(fD~R)@kV2?uvyI6{BvFs&DOdMZy*~01l}bd-q=|9bU4z;0BT;gJ=R_*c?V~1E zMN``EthoLza&jaE_B|$-2tD#D!Xz1Xku?j>*@Udi6otmG-Sx;>eQ45<@8F!U-e*hk z7qxjNQtPvSP+u|7b;EOHw_cDA{SqO)lINH!$@VgP@Xc9~LR;~jipK#{1WKeEasrOY z=$q+ZY~nZ&wwp(C%!l_n3kIn6id<=UtwhqT&%jQf@8H$)+pmeVufe0wGrG ztBFQ$$~C!aW)M<&`eR20J%048g>u@X)eJQja6;;BSMkwtElhDm?IVhOy5xpR?gd>H zHj6=hiB~GayV*857gIY;Xt3GMQ+QeRGLo^2z{bR_@lj$yLP=nuzFmgevn_WcAKx`a z*%8j-V#D$(F7Ai*Gj?C$_fu%7yVlCOma=p>4_V48M&mm;UE>PvoA`mB)Ir2?@}WVR z`0Y)b-TV)nh)?+iRl!Mv$d;vg|D~;dEi=s^{zwk{@z?TA&YhPAvsy)BDkbY~wi=v~ zzhbt0p@CjHfdk{$ndrUZ>;e7RqvsQd3RLM^88BriiN;A!1pK1u|Dc`IVAZX zFYJ?^jD#Aq8~RdCJ)ElkD!l{^`1HK$@O6p`j(V_C>d=wkQmYkm(Jk`#o8gEs%ID_y z{;im#9_#HjSKnv>gn%rYc cT_^nME|Rc(_1&hQH{@noIg2p6pxJfekem6BQyXIo z32}n=GZWQKbjUT2g%m#k$hK=1>tUOfwp@3tDi^F1jyC4+!pzCiJkr>m%r{f})KYpG z8XABvSjAQ18(od9({L<5LiuB(d)x5x=8Z#jG0CjPSbVs>P*$owN|Oet%Q1g@G?c2s zBIi2v*);mgPFrGdx{PGV=LphER%hbeTHAZ(u}4$4UG^Vs^-Hr!iBacE4B-12-z*y! 
zFI=fJr&1bcb#Glb5x*!!T8xUp-0jd<<0i3^d4yesa^YZdkHey7m;ZSE1EbO8g7)#1 zm40|kW+iFSsa?L4Qw{1a;a)Qz_ZwG|E^;&&C(zZax z{#m6Natb_-RC$DHo+gaZNOz>G**9V4{)$1D4@V&RA?-mOFtIZWYpxnw)3&lI()X60 z_H|Pfl=R=856TzP6!=jI+%dp*<^?(w}Iq~k0jTS(!3E^<0%XTfE<E006Y>zaXE24Z;ct0lWcOK#6e_7~u^l1FFC^2I9e}&;Q~S0W}7v z$iUPXtQz3OsD5TNqf>#=agK4TFhUhj`zeotfWRQE3ODGNyd~hvki!7CfnY}XFxDXf z`@gGj#u5xe0122g?ucJZ2!q2g@aw;Dn_rV*3=J>F8^iE&=s*95LQ1gAyJ#%)HWLV7 zq}6{J(El6$W4M^@NW0ziPs5MHGIwt~9Xk`$+xl_VP``};Y@2dCT2!3&yAdlOrcRnb zep+Qc$0zCL&!;YNnR`?Z`&NewgPa{oCkU~C_B*&+R2=z&b|lD5>g7Tm0Jl&U7i%Q1 zUfrjV;GjaE^Yka-KhU~T79Ay~iOY}`j_4U~N*0G_o3nM44jEsHrpXk+zFGDaZ5^Ej zC9X}h<)pKoT^EnLVfu9!DzpWA+SNge|w<<#Yk zRm~{H`#pEc6Wj=f+;VcvX|BYQ>IbpI&a_vrm%tMf4tn;a}w7 zIW-Gs)&g1#&8%t{yn`)f;zpkiXgAz(WY3*veJ$uAe;>F)EwX<__o+Hljm{KhURBG? zpIEBbGffizM7L^akaLS9KBzMrazMzb+MY-V^!a|#q(Sggi{uNF48j17xUXAlA~Zj$ zA2pGM(Dyg2Tdt6B5XEDHnph-e8oEX9SN?TZPPtnGGzTj6@)|!~UpB|}<0bDi0MSU( zhunIxyh=F}YlV{Od7s9T41M)-POM5Y|Li@%(St0F813!Lqber*4CI^qIlJ)AQk)vYJV6JNpI*xFU>O?I^S0r6*vFwz zb2_*7de4#uo!aLq!1MLNEN*-x$LXbK=-slQLc+-(Hy$r#UKxa0Wp1aHI?#=_Ri$_E zZ5GCbS@y~gMQ}0N0%NQ>VMeoCYE$FlR68QS)SL%P`Sh1`ukW3{%hRtNvb2&D2Y%ap z+ZZ+937Wnc9ab2xt?*^W7ygm?WWn$^+aR_PmoUY*6U)#l-{Q9k$-|-+hqfG!F+{j_ zGgJAAJCHxc&T>Dki7B-)A}-Uy*0eA5*vj(Gvo0aooKdj(Xu&1 z`{rfI@C<-wD1@zjdXZFx*3*g0+=_96xcEXn_dU&BVoq~*l>wPQ;En-SvV_cA z6p%5+Js7Yw{U%LLv80<9xe1yTv@A)C6vQ9KJ%9PJ>f8;nG2CA9BbR|A;nXaD8DY5l z7d5NX>zTM`HIX%ketNTO5QL(}UeV1;6-jGCzy}@qCxvp$3xz2%20FgOJ*V;A185Dj zC>jc3K^(() => + decryptor.Decrypt(encryptedXml.EncryptedElement)); + Assert.Equal("Unable to retrieve the decryption key.", ex.Message); + } + + [Fact] + public void ThrowsIfProvidedCertificateDoesNotMatch() + { + var testCert1 = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "TestFiles", "TestCert1.pfx"), "password"); + var testCert2 = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "TestFiles", "TestCert2.pfx"), "password"); + var services = new ServiceCollection() + .Configure(o => 
o.AddKeyDecryptionCertificate(testCert2)) + .BuildServiceProvider(); + var encryptor = new CertificateXmlEncryptor(testCert1, NullLoggerFactory.Instance); + var data = new XElement("SampleData", "Lorem ipsum"); + var encryptedXml = encryptor.Encrypt(data); + var decryptor = new EncryptedXmlDecryptor(services); + + var ex = Assert.Throws(() => + decryptor.Decrypt(encryptedXml.EncryptedElement)); + Assert.Equal("Unable to retrieve the decryption key.", ex.Message); + } + + [Fact] + public void ThrowsIfProvidedCertificateDoesHavePrivateKey() + { + var fullCert = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "TestFiles", "TestCert1.pfx"), "password"); + var publicKeyOnly = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "TestFiles", "TestCert1.PublicKeyOnly.cer"), ""); + var services = new ServiceCollection() + .Configure(o => o.AddKeyDecryptionCertificate(publicKeyOnly)) + .BuildServiceProvider(); + var encryptor = new CertificateXmlEncryptor(fullCert, NullLoggerFactory.Instance); + var data = new XElement("SampleData", "Lorem ipsum"); + var encryptedXml = encryptor.Encrypt(data); + var decryptor = new EncryptedXmlDecryptor(services); + + var ex = Assert.Throws(() => + decryptor.Decrypt(encryptedXml.EncryptedElement)); + Assert.Equal("Unable to retrieve the decryption key.", ex.Message); + } + + [Fact] + public void XmlCanRoundTrip() + { + var testCert1 = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "TestFiles", "TestCert1.pfx"), "password"); + var testCert2 = new X509Certificate2(Path.Combine(AppContext.BaseDirectory, "TestFiles", "TestCert2.pfx"), "password"); + var services = new ServiceCollection() + .Configure(o => + { + o.AddKeyDecryptionCertificate(testCert1); + o.AddKeyDecryptionCertificate(testCert2); + }) + .BuildServiceProvider(); + var encryptor = new CertificateXmlEncryptor(testCert1, NullLoggerFactory.Instance); + var data = new XElement("SampleData", "Lorem ipsum"); + var encryptedXml = encryptor.Encrypt(data); + 
var decryptor = new EncryptedXmlDecryptor(services); + + var decrypted = decryptor.Decrypt(encryptedXml.EncryptedElement); + + Assert.Equal("SampleData", decrypted.Name); + Assert.Equal("Lorem ipsum", decrypted.Value); + } + } +} From 4a9debcea840e23a9ba233cf6c6d3f0595333e7b Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 18 Feb 2018 12:13:17 -0800 Subject: [PATCH 416/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index d043d048bc..1b95364204 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15704 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 + 2.1.0-preview2-15707 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 2.3.2 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 - 2.1.0-preview2-30103 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 + 2.1.0-preview2-30131 3.14.2 2.0.0 2.1.0-preview2-26130-04 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 565ec4224a..538f6228c3 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15704 -commithash:21fdd9f5254226f407a2b4b3ef963693c2fd7998 +version:2.1.0-preview2-15707 +commithash:e74e53f129ab34332947fea7ac7b7591b027cb22 From 3d30ea824908f3e110ff4ebcb2110a84c6823530 Mon Sep 17 00:00:00 2001 
From: Pranav K Date: Wed, 21 Feb 2018 18:26:52 -0800 Subject: [PATCH 417/493] Use FeatureBranchVersionSuffix when generating VersionSuffix --- version.props | 1 + 1 file changed, 1 insertion(+) diff --git a/version.props b/version.props index 6025bea086..f9146b2125 100644 --- a/version.props +++ b/version.props @@ -6,6 +6,7 @@ $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 + $(VersionSuffix)-$([System.Text.RegularExpressions.Regex]::Replace('$(FeatureBranchVersionSuffix)', '[^\w-]', '-')) $(VersionSuffix)-$(BuildNumber) From 70dcbf6ed640e171913f61ae6e93028bd72b5ba7 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 20 Feb 2018 15:34:56 -0800 Subject: [PATCH 418/493] Add UnprotectKeysWithAnyCertificate --- .../DataProtectionBuilderExtensions.cs | 27 +++++++++++ .../DataProtectionProviderTests.cs | 46 ++++++++++++++++--- 2 files changed, 67 insertions(+), 6 deletions(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs index f37dab4331..7789ca074f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs 
@@ -320,6 +320,33 @@ namespace Microsoft.AspNetCore.DataProtection return builder; } + /// + /// Configures certificates which can be used to decrypt keys loaded from storage. + /// + /// The . + /// Certificates that can be used to decrypt key data. + /// A reference to the after this operation has completed. + public static IDataProtectionBuilder UnprotectKeysWithAnyCertificate(this IDataProtectionBuilder builder, params X509Certificate2[] certificates) + { + if (builder == null) + { + throw new ArgumentNullException(nameof(builder)); + } + + builder.Services.Configure(o => + { + if (certificates != null) + { + foreach (var certificate in certificates) + { + o.AddKeyDecryptionCertificate(certificate); + } + } + }); + + return builder; + } + /// /// Configures keys to be encrypted with Windows DPAPI before being persisted to /// storage. The encrypted key will only be decryptable by the current Windows user account. diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index ad3dbb3a27..63931f2f8f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs 
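Review bot: `UnprotectKeysWithAnyCertificate` validates `builder` but defers every check on `certificates` to the options callback, where `AddKeyDecryptionCertificate` reads `certificate.Thumbprint`. A null element therefore surfaces only when the options are first resolved, far from the call that passed it. I would reject it eagerly before `Configure`: `if (certificates != null && Array.IndexOf(certificates, null) >= 0) { throw new ArgumentException("Certificates must not contain null.", nameof(certificates)); }`. The `certificates` parameter doc should also state that each certificate needs an RSA private key. The decryptor skips entries without one, so a public-key-only certificate is accepted here and fails later at decryption time.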
@@ -171,16 +171,16 @@ namespace Microsoft.AspNetCore.DataProtection WithUniqueTempDirectory(directory => { - // Step 1: directory should be completely empty - directory.Create(); + // Step 1: directory should be completely empty + directory.Create(); Assert.Empty(directory.GetFiles()); - // Step 2: instantiate the system and round-trip a payload - var protector = DataProtectionProvider.Create(directory, certificate).CreateProtector("purpose"); + // Step 2: instantiate the system and round-trip a payload + var protector = DataProtectionProvider.Create(directory, certificate).CreateProtector("purpose"); Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); - // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate - var allFiles = directory.GetFiles(); + // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate + var allFiles = directory.GetFiles(); Assert.Single(allFiles); Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); string fileText = File.ReadAllText(allFiles[0].FullName); 
@@ -189,6 +189,40 @@ namespace Microsoft.AspNetCore.DataProtection }); } + [Fact] + public void System_CanUnprotectWithCert() + { + var filePath = Path.Combine(GetTestFilesPath(), "TestCert2.pfx"); + var certificate = new X509Certificate2(filePath, "password"); + + WithUniqueTempDirectory(directory => + { + // Step 1: directory should be completely empty + directory.Create(); + Assert.Empty(directory.GetFiles()); + + // Step 2: instantiate the system and create some data + var protector = DataProtectionProvider + .Create(directory, certificate) + .CreateProtector("purpose"); + + var data = protector.Protect("payload"); + + // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate + var allFiles = directory.GetFiles(); + Assert.Single(allFiles); + Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase); + string fileText = File.ReadAllText(allFiles[0].FullName); + Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + Assert.Contains("X509Certificate", fileText, StringComparison.Ordinal); + + // Step 4: setup a second system and validate it can decrypt keys and unprotect data + var unprotector = DataProtectionProvider.Create(directory, + b => b.UnprotectKeysWithAnyCertificate(certificate)); + Assert.Equal("payload", unprotector.CreateProtector("purpose").Unprotect(data)); + }); + } + /// /// Runs a test and cleans up the temp directory afterward. /// From 68bff8e05e0ca4e7e72efdb0803ec613216af9f0 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Mon, 26 Feb 2018 10:56:57 -0800 Subject: [PATCH 419/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 28 ++++++++++++++-------------- korebuild-lock.txt | 4 ++-- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 1b95364204..51265d017b 100644 --- a/build/dependencies.props 
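Review bot: `System_CanUnprotectWithCert` covers only the positive path, and it reuses the very `X509Certificate2` instance that protected the key, so nothing here shows that a non-matching certificate is rejected. A companion test that passes a different certificate to `UnprotectKeysWithAnyCertificate` and asserts that `Unprotect` throws would pin the security-relevant behaviour, and a case with several certificates of which only one matches would cover the "any" in the method name. The certificate loaded from `TestCert2.pfx` is also never disposed; wrapping the body in `using (var certificate = new X509Certificate2(filePath, "password"))` would release its key handle.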
+++ b/build/dependencies.props @@ -3,24 +3,24 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15707 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 + 2.1.0-preview2-15721 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 2.3.2 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 - 2.1.0-preview2-30131 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 + 2.1.0-preview2-30187 3.14.2 2.0.0 2.1.0-preview2-26130-04 - 15.3.0 + 15.6.0 4.5.0-preview2-26130-01 4.7.49 1.2.4 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 538f6228c3..563446a93f 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15707 -commithash:e74e53f129ab34332947fea7ac7b7591b027cb22 +version:2.1.0-preview2-15721 +commithash:f9bb4be59e39938ec59a6975257e26099b0d03c1 From 0ec64af67cc84bb1947435da226cd8f833ac0e79 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 4 Mar 2018 12:11:40 -0800 Subject: [PATCH 420/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 51265d017b..c8221f3c84 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15721 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 + 2.1.0-preview2-15726 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 2.3.2 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 - 2.1.0-preview2-30187 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 + 2.1.0-preview2-30230 3.14.2 2.0.0 - 2.1.0-preview2-26130-04 + 2.1.0-preview2-26225-03 15.6.0 - 4.5.0-preview2-26130-01 + 4.5.0-preview2-26224-02 4.7.49 1.2.4 - 4.5.0-preview2-26130-01 - 4.5.0-preview2-26130-01 + 4.5.0-preview2-26224-02 + 4.5.0-preview2-26224-02 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 563446a93f..ad1d7d3c02 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15721 -commithash:f9bb4be59e39938ec59a6975257e26099b0d03c1 +version:2.1.0-preview2-15726 +commithash:599e691c41f502ed9e062b1822ce13b673fc916e From e552b5861a9f35a3daa3079d0e56b011f907daed Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Tue, 6 Mar 2018 09:31:03 -0800 Subject: [PATCH 421/493] Switch default implementation of Pbkdf2 on Linux/macOS to Rfc2898DeriveBytes (#301) Requires adding .NET Core 2.0 target framework to the package because only SHA1 is supported in .NET Standard 2.0 --- DataProtection.sln | 17 +++++ .../KeyDerivationPrf.cs | 2 - ...pNetCore.Cryptography.KeyDerivation.csproj | 2 +- .../PBKDF2/NetCorePbkdf2Provider.cs | 71 +++++++++++++++++++ .../PBKDF2/Pbkdf2Util.cs | 18 ++++- .../Pbkdf2Tests.cs | 62 +++++++++++++++- 6 files changed, 164 insertions(+), 8 deletions(-) create mode 100644 src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs diff --git a/DataProtection.sln b/DataProtection.sln index c4bc85e46d..c08ab6a1ce 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -5,13 +5,30 @@ MinimumVisualStudioVersion = 15.0.26730.03 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{5FCB2DA3-5395-47F5-BCEE-E0EA319448EA}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{60336AB3-948D-4D15-A5FB-F32A2B91E814}" + ProjectSection(SolutionItems) = preProject + test\CreateTestCert.ps1 = test\CreateTestCert.ps1 + test\Directory.Build.props = test\Directory.Build.props + EndProjectSection EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{5A3A5DE3-49AD-431C-971D-B01B62D94AE2}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{E1D86B1B-41D8-43C9-97FD-C2BF65C414E2}" ProjectSection(SolutionItems) = preProject + .appveyor.yml = .appveyor.yml + .gitattributes = .gitattributes + .gitignore = .gitignore + .travis.yml = .travis.yml + CONTRIBUTING.md = CONTRIBUTING.md build\dependencies.props = build\dependencies.props + Directory.Build.props = Directory.Build.props + Directory.Build.targets = Directory.Build.targets + korebuild.json = korebuild.json + LICENSE.txt = LICENSE.txt NuGet.config = NuGet.config + NuGetPackageVerifier.json = NuGetPackageVerifier.json + Provision-AutoGenKeys.ps1 = Provision-AutoGenKeys.ps1 + README.md = README.md + version.props = version.props EndProjectSection EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection", "src\Microsoft.AspNetCore.DataProtection\Microsoft.AspNetCore.DataProtection.csproj", "{1E570CD4-6F12-44F4-961E-005EE2002BC2}" diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs index fdd2f4881c..57e740f04b 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs 
@@ -1,8 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; - namespace Microsoft.AspNetCore.Cryptography.KeyDerivation { /// diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj index 14940b2c46..70205f1754 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj @@ -2,7 +2,7 @@ ASP.NET Core utilities for key derivation. - netstandard2.0 + netstandard2.0;netcoreapp2.0 true true aspnetcore;dataprotection diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs new file mode 100644 index 0000000000..2aaf445dda --- /dev/null +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs 
@@ -0,0 +1,71 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+#if NETCOREAPP2_0
+// Rfc2898DeriveBytes in .NET Standard 2.0 only supports SHA1
+
+using System;
+using System.Diagnostics;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2
+{
+ ///
+ /// Implements Pbkdf2 using .
+ ///
+ internal sealed class NetCorePbkdf2Provider : IPbkdf2Provider
+ {
+ private static readonly ManagedPbkdf2Provider _fallbackProvider = new ManagedPbkdf2Provider();
+
+ public byte[] DeriveKey(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested)
+ {
+ Debug.Assert(password != null);
+ Debug.Assert(salt != null);
+ Debug.Assert(iterationCount > 0);
+ Debug.Assert(numBytesRequested > 0);
+
+ if (salt.Length < 8)
+ {
+ // Rfc2898DeriveBytes enforces the 8 byte recommendation.
+ // To maintain compatibility, we call into ManagedPbkdf2Provider for salts shorter than 8 bytes
+ // because we can't use Rfc2898DeriveBytes with this salt.
+ return _fallbackProvider.DeriveKey(password, salt, prf, iterationCount, numBytesRequested); + } + else + { + return DeriveKeyImpl(password, salt, prf, iterationCount, numBytesRequested); + } + } + + private static byte[] DeriveKeyImpl(string password, byte[] salt, KeyDerivationPrf prf, int iterationCount, int numBytesRequested) + { + HashAlgorithmName algorithmName; + switch (prf) + { + case KeyDerivationPrf.HMACSHA1: + algorithmName = HashAlgorithmName.SHA1; + break; + case KeyDerivationPrf.HMACSHA256: + algorithmName = HashAlgorithmName.SHA256; + break; + case KeyDerivationPrf.HMACSHA512: + algorithmName = HashAlgorithmName.SHA512; + break; + default: + throw new ArgumentOutOfRangeException(); + } + + var passwordBytes = Encoding.UTF8.GetBytes(password); + using (var rfc = new Rfc2898DeriveBytes(passwordBytes, salt, iterationCount, algorithmName)) + { + return rfc.GetBytes(numBytesRequested); + } + } + } +} + +#elif NETSTANDARD2_0 +#else +#error Update target frameworks +#endif diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs index dbe5a4120d..f7c99c4bcb 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs @@ -1,7 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using Microsoft.AspNetCore.Cryptography.Cng; namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2 
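Review bot: In `DeriveKeyImpl` of `NetCorePbkdf2Provider.cs`, `Encoding.UTF8.GetBytes(password)` leaves a second copy of the password in a managed array that is never cleared. Wrapping the derivation in `try`/`finally` with `Array.Clear(passwordBytes, 0, passwordBytes.Length);` shortens the lifetime of that copy; the `string` itself cannot be scrubbed, so this is defence in depth only. The `default:` branch throws `new ArgumentOutOfRangeException()` without a parameter name; `throw new ArgumentOutOfRangeException(nameof(prf));` tells the caller which argument was rejected. Validation in `DeriveKey` is `Debug.Assert` only, so in release builds a null `salt` surfaces as a `NullReferenceException` at `salt.Length` unless the public entry point (outside this hunk) already checks it; a one-line comment saying where validation lives would help.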
@@ -20,15 +19,28 @@ namespace Microsoft.AspNetCore.Cryptography.KeyDerivation.PBKDF2 { // fastest implementation return new Win8Pbkdf2Provider(); - } else if (OSVersionUtil.IsWindows()) + } + else if (OSVersionUtil.IsWindows()) { // acceptable implementation return new Win7Pbkdf2Provider(); - } else + } +#if NETCOREAPP2_0 + else + { + // fastest implementation on .NET Core for Linux/macOS. + // Not supported on .NET Framework + return new NetCorePbkdf2Provider(); + } +#elif NETSTANDARD2_0 + else { // slowest implementation return new ManagedPbkdf2Provider(); } +#else +#error Update target frameworks +#endif } } } diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs index 2ded2300ab..6c78225a92 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs 
@@ -12,6 +12,58 @@ namespace Microsoft.AspNetCore.Cryptography.KeyDerivation { public class Pbkdf2Tests { + +#if NET461 +#elif NETCOREAPP2_0 || NETCOREAPP2_1 + // The 'numBytesRequested' parameters below are chosen to exercise code paths where + // this value straddles the digest length of the PRF. We only use 5 iterations so + // that our unit tests are fast. + + // This provider is only available in .NET Core because .NET Standard only supports HMACSHA1 + [Theory] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 - 1, "efmxNcKD/U1urTEDGvsThlPnHA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 0, "efmxNcKD/U1urTEDGvsThlPnHDI=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA1, 5, 160 / 8 + 1, "efmxNcKD/U1urTEDGvsThlPnHDLk")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 - 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRA==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 0, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLo=")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA256, 5, 256 / 8 + 1, "JRNz8bPKS02EG1vf7eWjA64IeeI+TI8gBEwb1oVvRLpk")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 - 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm9")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 0, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Q==")] + [InlineData("my-password", KeyDerivationPrf.HMACSHA512, 5, 512 / 8 + 1, "ZTallQJrFn0279xIzaiA1XqatVTGei+ZjKngA7bIMtKMDUw6YJeGUQpFG8iGTgN+ri3LNDktNbzwfcSyZmm90Wk=")] + public void RunTest_Normal_NetCore(string password, KeyDerivationPrf prf, int iterationCount, int numBytesRequested, string expectedValueAsBase64) + { + // Arrange + byte[] salt = new byte[256]; + for (int i = 0; i < salt.Length; i++) + { + salt[i] = (byte)i; + } + + // Act & assert + TestProvider(password, salt, prf, iterationCount, 
numBytesRequested, expectedValueAsBase64); + } + + [Fact] + public void RunTest_WithLongPassword_NetCore_FallbackToManaged() + { + // salt is less than 8 bytes + byte[] salt = Encoding.UTF8.GetBytes("salt"); + const string expectedDerivedKeyBase64 = "Sc+V/c3fiZq5Z5qH3iavAiojTsW97FAp2eBNmCQAwCNzA8hfhFFYyQLIMK65qPnBFHOHXQPwAxNQNhaEAH9hzfiaNBSRJpF9V4rpl02d5ZpI6cZbsQFF7TJW7XJzQVpYoPDgJlg0xVmYLhn1E9qMtUVUuXsBjOOdd7K1M+ZI00c="; + + RunTest_WithLongPassword_Impl(salt, expectedDerivedKeyBase64); + } + + [Fact] + public void RunTest_WithLongPassword_NetCore() + { + // salt longer than 8 bytes + var salt = Encoding.UTF8.GetBytes("abcdefghijkl"); + RunTest_WithLongPassword_Impl(salt, "NGJtFzYUaaSxu+3ZsMeZO5d/qPJDUYW4caLkFlaY0cLSYdh1PN4+nHUVp4pUUubJWu3UeXNMnHKNDfnn8GMfnDVrAGTv1lldszsvUJ0JQ6p4+daQEYBc//Tj/ejuB3luwW0IinyE7U/ViOQKbfi5pCZFMQ0FFx9I+eXRlyT+I74="); + } +#else +#error Update target framework +#endif + // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF. We only use 5 iterations so // that our unit tests are fast. 
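Review bot: The two long-password tests in `Pbkdf2Tests.cs` use a 4-byte and a 12-byte salt, so the `salt.Length < 8` switch between the managed fallback and `Rfc2898DeriveBytes` in `NetCorePbkdf2Provider` is never exercised at its boundary. Cases with 7-byte and 8-byte salts, checked against the output of the existing managed provider, would catch an off-by-one in that condition and confirm that both code paths derive identical keys. The expected values for those cases cannot be derived from this hunk and would have to be generated with the managed implementation.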
@@ -115,10 +167,16 @@ namespace Microsoft.AspNetCore.Cryptography.KeyDerivation private static void RunTest_WithLongPassword_Impl() where TProvider : IPbkdf2Provider, new() { - // Arrange - string password = new String('x', 50000); // 50,000 char password byte[] salt = Encoding.UTF8.GetBytes("salt"); const string expectedDerivedKeyBase64 = "Sc+V/c3fiZq5Z5qH3iavAiojTsW97FAp2eBNmCQAwCNzA8hfhFFYyQLIMK65qPnBFHOHXQPwAxNQNhaEAH9hzfiaNBSRJpF9V4rpl02d5ZpI6cZbsQFF7TJW7XJzQVpYoPDgJlg0xVmYLhn1E9qMtUVUuXsBjOOdd7K1M+ZI00c="; + RunTest_WithLongPassword_Impl(salt, expectedDerivedKeyBase64); + } + + private static void RunTest_WithLongPassword_Impl(byte[] salt, string expectedDerivedKeyBase64) + where TProvider : IPbkdf2Provider, new() + { + // Arrange + string password = new String('x', 50000); // 50,000 char password const KeyDerivationPrf prf = KeyDerivationPrf.HMACSHA256; const int iterationCount = 5; const int numBytesRequested = 128; From b5d672cd4880408b8e754a769a524808c2f3435e Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 6 Mar 2018 10:03:04 -0800 Subject: [PATCH 422/493] Use dotnet-core feed in repos --- build/sources.props | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build/sources.props b/build/sources.props index 9feff29d09..9215df9751 100644 --- a/build/sources.props +++ b/build/sources.props @@ -1,10 +1,11 @@ - + $(DotNetRestoreSources) $(RestoreSources); + https://dotnet.myget.org/F/dotnet-core/api/v3/index.json; https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json; https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json; From fe447472c5dae1f6ba94d5c5075edf1a8040e80a Mon Sep 17 00:00:00 2001 From: Pranav K Date: Tue, 6 Mar 2018 10:03:04 -0800 Subject: [PATCH 423/493] Prepend FeatureBranchVersionPrefix if FeatureBranchVersionSuffix is specified --- version.props | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/version.props b/version.props index 7377a3af54..b9dfed9383 100644 --- a/version.props 
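Review bot: Nothing visible in `build/sources.props` ties a package ID to a single feed, and this change adds one more source (`https://dotnet.myget.org/F/dotnet-core/api/v3/index.json`) to `RestoreSources` alongside the existing ones. With several sources configured, NuGet can satisfy a given ID from any of them, so each extra feed widens the set of publishers able to supply a restored package. I would add a comment recording which packages are expected from the new feed and, where the toolchain supports it, constrain resolution with package source mapping or a committed lock file (`RestorePackagesWithLockFile`).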
+++ b/version.props @@ -5,7 +5,8 @@ $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 - $(VersionSuffix)-$([System.Text.RegularExpressions.Regex]::Replace('$(FeatureBranchVersionSuffix)', '[^\w-]', '-')) + a- + $(FeatureBranchVersionPrefix)$(VersionSuffix)-$([System.Text.RegularExpressions.Regex]::Replace('$(FeatureBranchVersionSuffix)', '[^\w-]', '-')) $(VersionSuffix)-$(BuildNumber) 0.4.0 From 8a42c24f46d728b4728e6b20febd0a11c1111df2 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Thu, 8 Mar 2018 12:55:33 -0800 Subject: [PATCH 424/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index c8221f3c84..8838a65685 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15726 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 + 2.1.0-preview2-15728 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 2.3.2 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 - 2.1.0-preview2-30230 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 + 2.1.0-preview2-30272 3.14.2 2.0.0 2.1.0-preview2-26225-03 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index ad1d7d3c02..5ace9326ce 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15726 -commithash:599e691c41f502ed9e062b1822ce13b673fc916e +version:2.1.0-preview2-15728 +commithash:393377068ddcf51dfee0536536d455f57a828b06 
From 514bc00947507e1d057dfc36714b82cb7bf67be8 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 16 Mar 2018 11:13:47 -0700 Subject: [PATCH 425/493] Branching for 2.1.0-preview2 --- build/dependencies.props | 34 +++++++++++++++++----------------- build/repo.props | 4 ++-- build/sources.props | 2 +- korebuild-lock.txt | 4 ++-- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 8838a65685..49ce2ca752 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15728 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 + 2.1.0-preview2-15742 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 2.3.2 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 + 2.1.0-preview2-30355 3.14.2 2.0.0 - 2.1.0-preview2-26225-03 + 2.1.0-preview2-26314-02 15.6.0 - 4.5.0-preview2-26224-02 + 4.5.0-preview2-26313-01 4.7.49 1.2.4 - 4.5.0-preview2-26224-02 - 4.5.0-preview2-26224-02 + 4.5.0-preview2-26313-01 + 4.5.0-preview2-26313-01 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/build/repo.props b/build/repo.props index 78b0ce5879..d94ff7d00d 100644 --- a/build/repo.props +++ b/build/repo.props @@ -1,10 +1,10 @@ - + Internal.AspNetCore.Universe.Lineup - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json + https://dotnet.myget.org/F/aspnetcore-release/api/v3/index.json diff --git a/build/sources.props b/build/sources.props index 9215df9751..36045f12b5 100644 --- a/build/sources.props +++ b/build/sources.props 
@@ -6,7 +6,7 @@ $(RestoreSources); https://dotnet.myget.org/F/dotnet-core/api/v3/index.json; - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json; + https://dotnet.myget.org/F/aspnetcore-release/api/v3/index.json; https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json; diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 5ace9326ce..e761020952 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15728 -commithash:393377068ddcf51dfee0536536d455f57a828b06 +version:2.1.0-preview2-15742 +commithash:21fbb0f2c3fe4a9216e2d59632b98cfd7d685962 From ed46a4c64f30eceee833c3c4990e624aa687f18f Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 16 Mar 2018 11:25:40 -0700 Subject: [PATCH 426/493] Update version prefix to preview3 --- version.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.props b/version.props index b9dfed9383..36fad116cd 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ 2.1.0 - preview2 + preview3 $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 From f5e790298aeb96649f5e60a8ae2443cf9d90c0e8 Mon Sep 17 00:00:00 2001 From: Pranav K Date: Fri, 16 Mar 2018 12:28:29 -0700 Subject: [PATCH 427/493] Update KoreBuild channel --- korebuild.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/korebuild.json b/korebuild.json index bd5d51a51b..678d8bb948 100644 --- a/korebuild.json +++ b/korebuild.json @@ -1,4 +1,4 @@ { - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", - "channel": "dev" + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/release/2.1/tools/korebuild.schema.json", + "channel": "release/2.1" } From 5e9dd7a5fc085914fda8632e74743053ee3c5ef4 Mon Sep 17 00:00:00 2001 
From: Ryan Brandenburg Date: Wed, 14 Mar 2018 15:33:31 -0700 Subject: [PATCH 428/493] Set 2.0 baselines --- build/dependencies.props | 2 +- korebuild-lock.txt | 4 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netframework.json | 2 +- .../baseline.netcore.json | 1996 ++++++----------- .../breakingchanges.netcore.json | 242 -- 10 files changed, 658 insertions(+), 1598 deletions(-) delete mode 100644 src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json diff --git a/build/dependencies.props b/build/dependencies.props index 49ce2ca752..3e6631b87d 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,7 +3,7 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15742 + 2.1.0-preview2-15743 2.1.0-preview2-30355 2.1.0-preview2-30355 2.1.0-preview2-30355 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index e761020952..c4944f7079 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15742 -commithash:21fbb0f2c3fe4a9216e2d59632b98cfd7d685962 +version:2.1.0-preview2-15743 +commithash:9e15cb6062ab5b9790d3fa699e018543a6950713 diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json index 4e3124a689..563c54fe42 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json @@ -1,4 +1,4 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [] } \ No newline at end of file 
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json index 93e2b1bed7..378802da59 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivation", diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json index 6d0d722ddc..68bea8bca0 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions", diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json index 77f138be32..ab0417d009 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json 
@@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.AzureStorage, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.AzureStorage, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.AzureDataProtectionBuilderExtensions", diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json index 93502e6e6e..ed597ef1dc 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionAdvancedExtensions", diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json index 14bac24d73..c068f832bb 100644 --- a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json +++ b/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.SystemWeb, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.SystemWeb, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.SystemWeb.CompatibilityDataProtector", 
diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json index 17dd37fc63..e8466d99d1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=1.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServiceCollectionExtensions", @@ -47,27 +47,6 @@ ], "GenericParameters": [] }, - { - "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServices", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetDefaultServices", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IEnumerable", - "Static": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, { "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", "Visibility": "Public", @@ -368,8 +347,8 @@ "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" }, { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration" } ], "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", 
@@ -387,8 +366,8 @@ "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" }, { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration" } ], "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", @@ -406,8 +385,8 @@ "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" }, { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration" } ], "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", @@ -425,8 +404,8 @@ "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" }, { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration" } ], "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", @@ -554,8 +533,8 @@ "Name": ".ctor", "Parameters": [ { - "Name": "services", - "Type": "System.IServiceProvider" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", 
@@ -853,38 +832,10 @@ { "Name": "certificateResolver", "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "thumbprint", - "Type": "System.String" }, { - "Name": "certificateResolver", - "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "certificate", - "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", @@ -899,8 +850,8 @@ "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2" }, { - "Name": "services", - "Type": "System.IServiceProvider" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", @@ -1023,26 +974,10 @@ { "Name": "flags", "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "protectionDescriptorRule", - "Type": "System.String" }, { - "Name": "flags", - "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", 
@@ -1123,18 +1058,6 @@ "Visibility": "Public", "GenericParameter": [] }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "protectToLocalMachine", - "Type": "System.Boolean" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, { "Kind": "Constructor", "Name": ".ctor", @@ -1144,8 +1067,8 @@ "Type": "System.Boolean" }, { - "Name": "services", - "Type": "System.IServiceProvider" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", @@ -1417,14 +1340,6 @@ "Visibility": "Public", "GenericParameter": [] }, - { - "Kind": "Method", - "Name": "get_Services", - "Parameters": [], - "ReturnType": "System.IServiceProvider", - "Visibility": "Protected", - "GenericParameter": [] - }, { "Kind": "Method", "Name": "GetAllElements", @@ -1454,18 +1369,6 @@ "Visibility": "Public", "GenericParameter": [] }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "directory", - "Type": "System.IO.DirectoryInfo" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, { "Kind": "Constructor", "Name": ".ctor", @@ -1475,8 +1378,8 @@ "Type": "System.IO.DirectoryInfo" }, { - "Name": "services", - "Type": "System.IServiceProvider" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", @@ -1543,14 +1446,6 @@ "Visibility": "Public", "GenericParameter": [] }, - { - "Kind": "Method", - "Name": "get_Services", - "Parameters": [], - "ReturnType": "System.IServiceProvider", - "Visibility": "Protected", - "GenericParameter": [] - }, { "Kind": "Method", "Name": "GetAllElements", @@ -1580,18 +1475,6 @@ "Visibility": "Public", "GenericParameter": [] }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "registryKey", - "Type": "Microsoft.Win32.RegistryKey" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, { "Kind": "Constructor", "Name": ".ctor", 
@@ -1601,8 +1484,8 @@ "Type": "Microsoft.Win32.RegistryKey" }, { - "Name": "services", - "Type": "System.IServiceProvider" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", @@ -1655,7 +1538,14 @@ }, { "Kind": "Method", - "Name": "CreateEncryptorInstance", + "Name": "get_Descriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "CreateEncryptor", "Parameters": [], "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", "GenericParameter": [] 
@@ -1811,6 +1701,85 @@ "Visibility": "Public", "GenericParameter": [] }, + { + "Kind": "Method", + "Name": "get_AuthenticatedEncryptorConfiguration", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AlgorithmConfiguration", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_AuthenticatedEncryptorConfiguration", + "Parameters": [ + { + "Name": "value", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AlgorithmConfiguration" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_KeyEscrowSinks", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IList", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_XmlRepository", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_XmlRepository", + "Parameters": [ + { + "Name": "value", + "Type": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_XmlEncryptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_XmlEncryptor", + "Parameters": [ + { + "Name": "value", + "Type": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_AuthenticatedEncryptorFactories", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IList", + "Visibility": "Public", + 
"GenericParameter": [] + }, { "Kind": "Constructor", "Name": ".ctor", 
@@ -1920,289 +1889,32 @@ "Name": ".ctor", "Parameters": [ { - "Name": "repository", - "Type": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + "Name": "keyManagementOptions", + "Type": "Microsoft.Extensions.Options.IOptions" }, { - "Name": "configuration", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" + "Name": "activator", + "Type": "Microsoft.AspNetCore.DataProtection.Internal.IActivator" } ], "Visibility": "Public", "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", - "Visibility": "Public", - "Kind": "Struct", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Field", - "Name": "DefaultKey", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Field", - "Name": "FallbackKey", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Field", - "Name": "ShouldGenerateNewKey", - "Parameters": [], - "ReturnType": "System.Boolean", - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.ICacheableKeyRingProvider", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetCacheableKeyRing", - "Parameters": [ - { - "Name": 
"now", - "Type": "System.DateTimeOffset" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.CacheableKeyRing", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyResolver", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "ResolveDefaultKeyPolicy", - "Parameters": [ - { - "Name": "now", - "Type": "System.DateTimeOffset" - }, - { - "Name": "allKeys", - "Type": "System.Collections.Generic.IEnumerable" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.DefaultKeyResolution", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IDefaultKeyServices", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetKeyEncryptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetKeyRepository", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateNewKey", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "creationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "activationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "expirationDate", - "Type": "System.DateTimeOffset" - } - ], - "ReturnType": 
"Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "DeserializeDescriptorFromKeyElement", - "Parameters": [ - { - "Name": "keyElement", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "RevokeSingleKey", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "revocationDate", - "Type": "System.DateTimeOffset" - }, - { - "Name": "reason", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "get_DefaultAuthenticatedEncryptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "get_DefaultKeyId", - "Parameters": [], - "ReturnType": "System.Guid", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "GetAuthenticatedEncryptorByKeyId", - "Parameters": [ - { - "Name": "keyId", - "Type": "System.Guid" - }, - { - "Name": "isRevoked", - "Type": "System.Boolean", - "Direction": "Out" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRingProvider", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "GetCurrentKeyRing", - "Parameters": [], 
- "ReturnType": "Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IKeyRing", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.Internal.DataProtectionBuilder", - "Visibility": "Public", - "Kind": "Class", - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Services", - "Parameters": [], - "ReturnType": "Microsoft.Extensions.DependencyInjection.IServiceCollection", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Visibility": "Public", - "GenericParameter": [] }, { "Kind": "Constructor", "Name": ".ctor", "Parameters": [ { - "Name": "services", - "Type": "Microsoft.Extensions.DependencyInjection.IServiceCollection" + "Name": "keyManagementOptions", + "Type": "Microsoft.Extensions.Options.IOptions" + }, + { + "Name": "activator", + "Type": "Microsoft.AspNetCore.DataProtection.Internal.IActivator" + }, + { + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], "Visibility": "Public", 
@@ -2212,40 +1924,183 @@ "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.Internal.IActivator", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptorFactory", "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory" + ], "Members": [ { "Kind": "Method", - "Name": "CreateInstance", + "Name": "CreateEncryptorInstance", "Parameters": [ { - "Name": "expectedBaseType", - "Type": "System.Type" - }, - { - "Name": "implementationTypeName", - "Type": "System.String" + "Name": "key", + "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey" } ], - "ReturnType": "System.Object", + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" + } + ], + "Visibility": "Public", "GenericParameter": [] } ], "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptorFactory", "Visibility": "Public", "Kind": "Class", - "Abstract": true, + "Sealed": true, "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", - "System.IDisposable" + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory" ], + "Members": [ + { + "Kind": "Method", + "Name": 
"CreateEncryptorInstance", + "Parameters": [ + { + "Name": "key", + "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [ + { + "Name": "key", + "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + 
"Kind": "Field", + "Name": "AES_128_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "AES_192_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + }, + { + "Kind": "Field", + "Name": "AES_256_CBC", + "Parameters": [], + "GenericParameter": [], + "Literal": "2" + }, + { + "Kind": "Field", + "Name": "AES_128_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "3" + }, + { + "Kind": "Field", + "Name": "AES_192_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "4" + }, + { + "Kind": "Field", + "Name": "AES_256_GCM", + "Parameters": [], + "GenericParameter": [], + "Literal": "5" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], "Members": [ { "Kind": "Method", 
@@ -2261,133 +2116,130 @@ } ], "ReturnType": "System.Byte[]", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "Encrypt", + "Parameters": [ + { + "Name": "plaintext", + "Type": "System.ArraySegment" + }, + { + "Name": "additionalAuthenticatedData", + "Type": "System.ArraySegment" + } + ], + "ReturnType": "System.Byte[]", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [ + { + "Name": "key", + "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptorFactory", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory" + ], + "Members": [ + { + "Kind": "Method", + "Name": "CreateEncryptorInstance", + "Parameters": [ + { + "Name": "key", + "Type": "Microsoft.AspNetCore.DataProtection.KeyManagement.IKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", "Sealed": true, "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptorFactory", "Visibility": "Public", "GenericParameter": [] }, { - "Kind": "Method", - "Name": "DecryptImpl", + "Kind": "Constructor", + "Name": ".ctor", "Parameters": [ { - 
"Name": "pbCiphertext", - "Type": "System.Byte*" - }, - { - "Name": "cbCiphertext", - "Type": "System.UInt32" - }, - { - "Name": "pbAdditionalAuthenticatedData", - "Type": "System.Byte*" - }, - { - "Name": "cbAdditionalAuthenticatedData", - "Type": "System.UInt32" + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" } ], - "ReturnType": "System.Byte[]", - "Virtual": true, - "Abstract": true, - "Visibility": "Protected", + "Visibility": "Public", "GenericParameter": [] - }, + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", + "Visibility": "Public", + "Kind": "Enumeration", + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ { - "Kind": "Method", - "Name": "Dispose", + "Kind": "Field", + "Name": "HMACSHA256", "Parameters": [], - "ReturnType": "System.Void", + "GenericParameter": [], + "Literal": "0" + }, + { + "Kind": "Field", + "Name": "HMACSHA512", + "Parameters": [], + "GenericParameter": [], + "Literal": "1" + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AlgorithmConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "CreateNewDescriptor", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", "Virtual": true, "Abstract": true, - "ImplementedInterface": "System.IDisposable", "Visibility": "Public", "GenericParameter": [] }, - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Byte[]", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - }, - { - "Name": "preBufferSize", - "Type": "System.UInt32" - }, - { - "Name": "postBufferSize", - "Type": "System.UInt32" - } - ], - "ReturnType": "System.Byte[]", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "EncryptImpl", - "Parameters": [ - { - "Name": "pbPlaintext", - "Type": "System.Byte*" - }, - { - "Name": "cbPlaintext", - "Type": "System.UInt32" - }, - { - "Name": "pbAdditionalAuthenticatedData", - "Type": "System.Byte*" - }, - { - "Name": "cbAdditionalAuthenticatedData", - "Type": "System.UInt32" - }, - { - "Name": "cbPreBuffer", - "Type": "System.UInt32" - }, - { - "Name": "cbPostBuffer", - "Type": "System.UInt32" - } - ], - "ReturnType": "System.Byte[]", - "Virtual": true, - "Abstract": true, - "Visibility": "Protected", - "GenericParameter": [] - }, { "Kind": "Constructor", "Name": ".ctor", 
@@ -2399,12 +2251,13 @@ "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration", "Visibility": "Public", "Kind": "Class", "Sealed": true, + "BaseType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AlgorithmConfiguration", "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAlgorithmConfiguration" ], "Members": [ { @@ -2451,12 +2304,11 @@ }, { "Kind": "Method", - "Name": "Validate", + "Name": "CreateNewDescriptor", "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Override": true, "Visibility": "Public", "GenericParameter": [] }, 
@@ -2471,12 +2323,87 @@ "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor", "Visibility": "Public", "Kind": "Class", "Sealed": true, "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "BaseType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AlgorithmConfiguration", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAlgorithmConfiguration" ], "Members": [ { @@ -2586,12 +2513,11 @@ }, { "Kind": "Method", - "Name": "Validate", + "Name": "CreateNewDescriptor", "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Override": true, "Visibility": "Public", "GenericParameter": [] }, 
@@ -2606,12 +2532,87 @@ "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor", "Visibility": "Public", "Kind": "Class", "Sealed": true, "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + 
"ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "BaseType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AlgorithmConfiguration", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAlgorithmConfiguration" ], "Members": [ { @@ -2679,12 +2680,11 @@ }, { "Kind": "Method", - "Name": "Validate", + "Name": "CreateNewDescriptor", "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", + "Override": true, "Visibility": "Public", "GenericParameter": [] }, 
@@ -2699,59 +2699,81 @@ "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor", "Visibility": "Public", - "Kind": "Enumeration", + "Kind": "Class", "Sealed": true, - "ImplementedInterfaces": [], + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" + ], "Members": [ { - "Kind": "Field", - "Name": "AES_128_CBC", + "Kind": "Method", + "Name": "ExportToXml", "Parameters": [], - "GenericParameter": [], - "Literal": "0" + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Visibility": "Public", + "GenericParameter": [] }, { - "Kind": "Field", - "Name": "AES_192_CBC", - "Parameters": [], - "GenericParameter": [], - "Literal": "1" - }, - { - "Kind": "Field", - "Name": "AES_256_CBC", - "Parameters": [], - "GenericParameter": [], - "Literal": "2" - }, - { - "Kind": "Field", - "Name": "AES_128_GCM", - "Parameters": [], - "GenericParameter": [], - "Literal": "3" - }, - { - "Kind": "Field", - "Name": "AES_192_GCM", - "Parameters": [], - "GenericParameter": [], - "Literal": "4" - }, - { - "Kind": "Field", - "Name": "AES_256_GCM", - "Parameters": [], - "GenericParameter": [], - "Literal": "5" + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration" + }, + { + "Name": "masterKey", + "Type": "Microsoft.AspNetCore.DataProtection.ISecret" + } + ], + "Visibility": "Public", + 
"GenericParameter": [] } ], "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Class", + "Sealed": true, + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" + ], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", "Visibility": "Public", "Kind": "Interface", "Abstract": true, 
@@ -2759,46 +2781,44 @@ "Members": [ { "Kind": "Method", - "Name": "Decrypt", - "Parameters": [ - { - "Name": "ciphertext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Byte[]", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "Encrypt", - "Parameters": [ - { - "Name": "plaintext", - "Type": "System.ArraySegment" - }, - { - "Name": "additionalAuthenticatedData", - "Type": "System.ArraySegment" - } - ], - "ReturnType": "System.Byte[]", + "Name": "ExportToXml", + "Parameters": [], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", "GenericParameter": [] } ], "GenericParameters": [] }, { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "ImportFromXml", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration", "Visibility": "Public", "Kind": "Class", "Sealed": true, + "BaseType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AlgorithmConfiguration", "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings" + 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAlgorithmConfiguration" ], "Members": [ { 
@@ -2864,202 +2884,13 @@ "Visibility": "Public", "GenericParameter": [] }, - { - "Kind": "Method", - "Name": "Validate", - "Parameters": [], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ValidationAlgorithm", - "Visibility": "Public", - "Kind": "Enumeration", - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Field", - "Name": "HMACSHA256", - "Parameters": [], - "GenericParameter": [], - "Literal": "0" - }, - { - "Kind": "Field", - "Name": "HMACSHA512", - "Parameters": [], - "GenericParameter": [], - "Literal": "1" - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, { "Kind": "Method", "Name": "CreateNewDescriptor", "Parameters": [], "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, "Virtual": true, - "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": 
[] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", + "Override": true, "Visibility": "Public", "GenericParameter": [] }, 
@@ -3069,492 +2900,6 @@ "Parameters": [], "Visibility": "Public", "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - 
"GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - 
"GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateNewDescriptor", 
- "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" - ], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer" - ], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "ExportToXml", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.XmlSerializedDescriptorInfo", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "Visibility": "Public", - "Kind": "Interface", - "Abstract": true, - 
"ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "ImportFromXml", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "Kind": "Class", - "Sealed": true, - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration" - ], - "Members": [ - { - "Kind": "Method", - "Name": "get_Settings", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "CreateNewDescriptor", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - } - ], - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - 
"Visibility": "Public", - "GenericParameter": [] } ], "GenericParameters": [] @@ -3568,17 +2913,6 @@ "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor" ], "Members": [ - { - "Kind": "Method", - "Name": "CreateEncryptorInstance", - "Parameters": [], - "ReturnType": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "Visibility": "Public", - "GenericParameter": [] - }, { "Kind": "Method", "Name": "ExportToXml", @@ -3595,8 +2929,8 @@ "Name": ".ctor", "Parameters": [ { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" + "Name": "configuration", + "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration" }, { "Name": "masterKey", @@ -3605,26 +2939,6 @@ ], "Visibility": "Public", "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "settings", - "Type": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings" - }, - { - "Name": "masterKey", - "Type": "Microsoft.AspNetCore.DataProtection.ISecret" - }, - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] } ], "GenericParameters": [] @@ -3660,18 +2974,6 @@ "Parameters": [], "Visibility": "Public", "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "services", - "Type": "System.IServiceProvider" - } - ], - "Visibility": "Public", - "GenericParameter": [] } ], "GenericParameters": [] 
diff --git a/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json b/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json deleted file mode 100644 index 2c1b337ca5..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection/breakingchanges.netcore.json +++ /dev/null 
@@ -1,242 +0,0 @@ -[ - { - "TypeId": "public interface Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class 
Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorConfiguration : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IInternalAuthenticatedEncryptorConfiguration", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IInternalAuthenticatedEncryptionSettings", - "Kind": "Removal" - }, - { - "TypeId": "public static class Microsoft.Extensions.DependencyInjection.DataProtectionServices", - "Kind": "Removal" - }, - { - "TypeId": "public interface Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", - "Kind": "Removal" - }, - { - "TypeId": "public interface Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", - "Kind": "Removal" - }, - { - "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "MemberId": "protected System.IServiceProvider get_Services()", - "Kind": "Removal" - }, - { - "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "MemberId": "public .ctor(System.IO.DirectoryInfo directory)", - "Kind": "Removal" - }, - { - "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "MemberId": "public .ctor(System.IO.DirectoryInfo directory, System.IServiceProvider 
services)", - "Kind": "Removal" - }, - { - "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "MemberId": "protected System.IServiceProvider get_Services()", - "Kind": "Removal" - }, - { - "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "MemberId": "public .ctor(Microsoft.Win32.RegistryKey registryKey)", - "Kind": "Removal" - }, - { - "TypeId": "public class Microsoft.AspNetCore.DataProtection.Repositories.RegistryXmlRepository : Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "MemberId": "public .ctor(Microsoft.Win32.RegistryKey registryKey, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.EphemeralDataProtectionProvider : Microsoft.AspNetCore.DataProtection.IDataProtectionProvider", - "MemberId": "public .ctor(System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings settings, 
Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", - "Kind": "Removal" - }, - { - 
"TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class 
Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings settings, Microsoft.AspNetCore.DataProtection.ISecret masterKey, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptor : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor", - "MemberId": "public Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptorInstance()", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager : Microsoft.AspNetCore.DataProtection.KeyManagement.IKeyManager, Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager", - "MemberId": "public .ctor(Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository repository, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorConfiguration configuration, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.Boolean protectToLocalMachine)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.Boolean protectToLocalMachine, System.IServiceProvider 
services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "MemberId": "public .ctor(System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "MemberId": "public .ctor(System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngGcmAuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "MemberId": "public .ctor(System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.ManagedAuthenticatedEncryptorDescriptorDeserializer : Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptorDeserializer", - "MemberId": "public .ctor(System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed 
class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.String thumbprint, Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver certificateResolver)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.CertificateXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IInternalCertificateXmlEncryptor, Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.String thumbprint, Microsoft.AspNetCore.DataProtection.XmlEncryption.ICertificateResolver certificateResolver, System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.String protectionDescriptorRule, Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags flags)", - "Kind": "Removal" - }, - { - "TypeId": "public sealed class Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGXmlEncryptor : Microsoft.AspNetCore.DataProtection.XmlEncryption.IXmlEncryptor", - "MemberId": "public .ctor(System.String protectionDescriptorRule, Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags flags, 
System.IServiceProvider services)", - "Kind": "Removal" - }, - { - "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", - "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionSettings settings)", - "Kind": "Removal" - }, - { - "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", - "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCustomCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngCbcAuthenticatedEncryptionSettings settings)", - "Kind": "Removal" - }, - { - "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", - "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCustomCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptionSettings settings)", - "Kind": "Removal" - }, - { - "TypeId": "public static class Microsoft.AspNetCore.DataProtection.DataProtectionBuilderExtensions", - "MemberId": "public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder UseCustomCryptographicAlgorithms(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptionSettings settings)", - "Kind": "Removal" - }, - { - "TypeId": "public interface Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "MemberId": 
"Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.IAuthenticatedEncryptorDescriptor get_Descriptor()", - "Kind": "Addition" - }, - { - "TypeId": "public interface Microsoft.AspNetCore.DataProtection.KeyManagement.IKey", - "MemberId": "Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor CreateEncryptor()", - "Kind": "Addition" - } - ] From 8a566172eb19f559795f0a12a0ceef50057c9b4b Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 25 Mar 2018 15:33:36 -0700 Subject: [PATCH 429/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 8838a65685..69288eedb1 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15728 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 + 2.1.0-preview3-17001 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 2.3.2 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 - 2.1.0-preview2-30272 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 + 2.1.0-preview3-32037 3.14.2 2.0.0 - 2.1.0-preview2-26225-03 - 15.6.0 - 4.5.0-preview2-26224-02 + 2.1.0-preview2-26314-02 + 15.6.1 + 4.5.0-preview2-26313-01 4.7.49 1.2.4 - 4.5.0-preview2-26224-02 - 4.5.0-preview2-26224-02 + 4.5.0-preview2-26313-01 + 4.5.0-preview2-26313-01 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 5ace9326ce..50ba1b5737 100644 --- a/korebuild-lock.txt 
+++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview2-15728 -commithash:393377068ddcf51dfee0536536d455f57a828b06 +version:2.1.0-preview3-17001 +commithash:dda68c56abf0d3b911fe6a2315872c446b314585 From db71d243d50fd2d26a415b1140c64ecb04338af3 Mon Sep 17 00:00:00 2001 From: "Nate McMaster (automated)" Date: Wed, 28 Mar 2018 10:38:46 -0700 Subject: [PATCH 430/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 3e6631b87d..14763f38d3 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview2-15743 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 + 2.1.0-preview2-15749 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 2.3.2 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 - 2.1.0-preview2-30355 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 + 2.1.0-preview2-30478 3.14.2 2.0.0 - 2.1.0-preview2-26314-02 - 15.6.0 - 4.5.0-preview2-26313-01 + 2.1.0-preview2-26326-03 + 15.6.1 + 4.5.0-preview2-26326-04 4.7.49 1.2.4 - 4.5.0-preview2-26313-01 - 4.5.0-preview2-26313-01 + 4.5.0-preview2-26326-04 + 4.5.0-preview2-26326-04 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index c4944f7079..76d2c851ca 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt 
@@ -1,2 +1,2 @@ -version:2.1.0-preview2-15743 -commithash:9e15cb6062ab5b9790d3fa699e018543a6950713 +version:2.1.0-preview2-15749 +commithash:5544c9ab20fa5e24b9e155d8958a3c3b6f5f9df9 From a89fa5c8206e776b61146458be1133930be0aa9e Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Tue, 3 Apr 2018 22:20:55 +0000 Subject: [PATCH 431/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 69288eedb1..8f672e4d4d 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview3-17001 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 + 2.1.0-preview3-17002 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 2.3.2 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 - 2.1.0-preview3-32037 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 + 2.1.0-preview3-32110 3.14.2 2.0.0 - 2.1.0-preview2-26314-02 + 2.1.0-preview3-26331-01 15.6.1 - 4.5.0-preview2-26313-01 + 4.5.0-preview3-26331-02 4.7.49 1.2.4 - 4.5.0-preview2-26313-01 - 4.5.0-preview2-26313-01 + 4.5.0-preview3-26331-02 + 4.5.0-preview3-26331-02 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 50ba1b5737..c879a84a90 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview3-17001 -commithash:dda68c56abf0d3b911fe6a2315872c446b314585 +version:2.1.0-preview3-17002 +commithash:b8e4e6ab104adc94c0719bb74229870e9b584a7f 
From 49bc8ba1fad57414bff1517df4e92389dea18765 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Fri, 6 Apr 2018 12:31:03 -0700 Subject: [PATCH 432/493] Ensure experimental package version is 0.4.0-preview3-final, not 0.4.0-preview4-buildnumber-final --- version.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.props b/version.props index 36fad116cd..9124b26738 100644 --- a/version.props +++ b/version.props @@ -10,7 +10,7 @@ $(VersionSuffix)-$(BuildNumber) 0.4.0 - $(VersionSuffix) + preview3 $(ExperimentalVersionPrefix) $(ExperimentalVersionPrefix)-$(ExperimentalVersionSuffix)-final $(ExperimentalVersionSuffix)-$(BuildNumber) From faf2f3f065f91bf220b2e999ccfca7c2ea475e7b Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Fri, 13 Apr 2018 15:06:17 -0700 Subject: [PATCH 433/493] Attempt to workaround issues with File.Move on NFS file shares (aspnet/Home#2941) --- .../Repositories/FileSystemXmlRepository.cs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index a980e7f82c..914cc3f9ba 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -230,7 +230,9 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories // Once the file has been fully written, perform the rename. // Renames are atomic operations on the file systems we support. _logger.WritingDataToFile(finalFilename); - File.Move(tempFilename, finalFilename); + + // Use File.Copy because File.Move on NFS shares has issues in .NET Core 2.0 + File.Copy(tempFilename, finalFilename); } finally { From a563e6e9661dd192dfb0565eae1a61618b8a85fd Mon Sep 17 00:00:00 2001 
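Review bot: In the FileSystemXmlRepository.cs hunk, the two context comments above the changed call still say the write is completed by a rename and that renames are atomic, which no longer describes the code now that `File.Move` has been replaced by `File.Copy`. A copy is not atomic, so another process reading the same key directory could see `finalFilename` while it is still being written; the temp-file-then-rename pattern presumably existed to prevent that. The comments should state the new behaviour, for example `// Copy to the final name. Unlike a rename this is not atomic, so readers may see a partially written file.`, and it is worth confirming that the code reading the repository tolerates a truncated XML file. The enclosing method and the body of the `finally` block are outside the hunk, so whether the temp file is still removed after the copy cannot be checked from here.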
From: "ASP.NET CI" Date: Sun, 15 Apr 2018 14:04:03 -0700 Subject: [PATCH 434/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 8f672e4d4d..7789adbcee 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,29 +3,29 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview3-17002 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 + 2.1.0-preview3-17018 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 2.3.2 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 - 2.1.0-preview3-32110 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 + 2.1.0-preview3-32233 3.14.2 2.0.0 - 2.1.0-preview3-26331-01 + 2.1.0-preview3-26413-05 15.6.1 - 4.5.0-preview3-26331-02 + 4.5.0-preview3-26413-02 4.7.49 1.2.4 - 4.5.0-preview3-26331-02 - 4.5.0-preview3-26331-02 + 4.5.0-preview3-26413-02 + 4.5.0-preview3-26413-02 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index c879a84a90..ce2f277c53 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview3-17002 -commithash:b8e4e6ab104adc94c0719bb74229870e9b584a7f +version:2.1.0-preview3-17018 +commithash:af264ca131f212b5ba8aafbc5110fc0fc510a2be From ba3cf559bd5beb03d78293744a6f7474cacde7cb Mon Sep 17 00:00:00 2001 
From: Ryan Brandenburg Date: Mon, 16 Apr 2018 16:55:36 -0700 Subject: [PATCH 435/493] Branching for 2.1.0-rc1 --- build/repo.props | 3 ++- korebuild.json | 4 ++-- version.props | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/build/repo.props b/build/repo.props index 78b0ce5879..dab1601c88 100644 --- a/build/repo.props +++ b/build/repo.props @@ -1,9 +1,10 @@ - + Internal.AspNetCore.Universe.Lineup + 2.1.0-rc1-* https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json diff --git a/korebuild.json b/korebuild.json index bd5d51a51b..678d8bb948 100644 --- a/korebuild.json +++ b/korebuild.json @@ -1,4 +1,4 @@ { - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", - "channel": "dev" + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/release/2.1/tools/korebuild.schema.json", + "channel": "release/2.1" } diff --git a/version.props b/version.props index 9124b26738..6167eb653c 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ 2.1.0 - preview3 + rc1 $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 From e195e1a8495e258d6e859bd0baaec1e63e149aff Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Mon, 16 Apr 2018 16:55:41 -0700 Subject: [PATCH 436/493] Update version number to 2.2.0 --- version.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.props b/version.props index 9124b26738..db5c0a52bf 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ - 2.1.0 - preview3 + 2.2.0 + preview1 $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 From fb948aea7dda190c9ad55fb7ac37b84d936c1296 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 17 Apr 2018 08:38:59 -0700 Subject: [PATCH 437/493] Fix flaky test: System_NoKeysDirectoryProvided_UsesDefaultKeysDirectory (#305) --- .../DataProtectionProviderTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 63931f2f8f..7c7bcf9c36 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -45,7 +45,7 @@ namespace Microsoft.AspNetCore.DataProtection Assert.NotNull(FileSystemXmlRepository.DefaultKeyStorageDirectory); var keysPath = FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName; - var tempPath = FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName + "Temp"; + var tempPath = FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName + Path.GetRandomFileName(); try { From a0c62afacd9c274e9bcc5b41965097395f2dc192 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 19 Apr 2018 16:31:59 -0700 Subject: [PATCH 438/493] Set NETStandardImplicitPackageVersion via dependencies.props --- Directory.Build.targets | 1 + build/dependencies.props | 1 + 2 files changed, 2 insertions(+) diff --git a/Directory.Build.targets b/Directory.Build.targets index 894b1d0cf8..53b3f6e1da 100644 --- a/Directory.Build.targets +++ b/Directory.Build.targets @@ -2,5 +2,6 @@ $(MicrosoftNETCoreApp20PackageVersion) $(MicrosoftNETCoreApp21PackageVersion) + $(NETStandardLibrary20PackageVersion) diff --git a/build/dependencies.props b/build/dependencies.props index 7789adbcee..27bd66c349 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -21,6 +21,7 @@ 2.0.0 2.1.0-preview3-26413-05 15.6.1 + 2.0.1 4.5.0-preview3-26413-02 4.7.49 1.2.4 From 03228f3b30eb025fb09135eaa8b341f873535677 Mon Sep 17 00:00:00 2001 
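Review bot: In the DataProtectionProviderTests.cs hunk, the new `tempPath` is still built by appending directly to `FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName`, so the test keeps working next to the real default key directory of whoever runs it. Only the suffix changed, from `"Temp"` to `Path.GetRandomFileName()`. With a random suffix, each interrupted run would leave a differently named directory behind. If the `try` block moves the existing keys there (its body is outside the hunk, so this is an assumption), those keys would be stranded under an unpredictable name. A short comment on the line would record the intent, for example `// Random suffix so concurrent or aborted runs do not collide; cleanup must restore keysPath.`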
From: "ASP.NET CI" Date: Thu, 19 Apr 2018 22:16:59 -0700 Subject: [PATCH 439/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 27bd66c349..ad8dfe151b 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,30 +3,30 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-preview3-17018 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 + 2.1.0-rc1-15774 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 2.3.2 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 - 2.1.0-preview3-32233 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 + 2.1.0-rc1-30613 3.14.2 2.0.0 - 2.1.0-preview3-26413-05 + 2.1.0-rc1-26419-02 15.6.1 - 2.0.1 - 4.5.0-preview3-26413-02 + 4.5.0-rc1-26419-03 4.7.49 + 2.0.1 1.2.4 - 4.5.0-preview3-26413-02 - 4.5.0-preview3-26413-02 + 4.5.0-rc1-26419-03 + 4.5.0-rc1-26419-03 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index ce2f277c53..d35f5d62cf 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview3-17018 -commithash:af264ca131f212b5ba8aafbc5110fc0fc510a2be +version:2.1.0-rc1-15774 +commithash:ed5ca9de3c652347dbb0158a9a65eff3471d2114 From 0991bd2d7dfb256e1f56816e77001113f5827e63 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Mon, 23 Apr 2018 12:03:32 -0700 Subject: [PATCH 440/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) 
diff --git a/build/dependencies.props b/build/dependencies.props index ad8dfe151b..4a078620af 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,30 +3,30 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-rc1-15774 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 + 2.2.0-preview1-17037 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 2.3.2 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 + 2.2.0-preview1-34029 3.14.2 2.0.0 - 2.1.0-rc1-26419-02 + 2.1.0-preview3-26413-05 15.6.1 - 4.5.0-rc1-26419-03 + 4.5.0-preview3-26413-02 4.7.49 2.0.1 1.2.4 - 4.5.0-rc1-26419-03 - 4.5.0-rc1-26419-03 + 4.5.0-preview3-26413-02 + 4.5.0-preview3-26413-02 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index ce2f277c53..790ae84e6d 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-preview3-17018 -commithash:af264ca131f212b5ba8aafbc5110fc0fc510a2be +version:2.2.0-preview1-17037 +commithash:557055a86cbdc359c97d4fb1c2d23a3dc7ae731e From fcf39ffaaa3c3f52293c09f3e230da5690cf8593 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 29 Apr 2018 12:11:18 -0700 Subject: [PATCH 441/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 4a078620af..86d3a295ea 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,30 +3,30 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17037 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 + 2.2.0-preview1-17042 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 2.3.2 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 - 2.2.0-preview1-34029 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 + 2.2.0-preview1-34066 3.14.2 2.0.0 - 2.1.0-preview3-26413-05 + 2.2.0-preview1-26424-04 15.6.1 - 4.5.0-preview3-26413-02 + 4.5.0-preview3-26423-04 4.7.49 - 2.0.1 + 2.0.3 1.2.4 - 4.5.0-preview3-26413-02 - 4.5.0-preview3-26413-02 + 4.5.0-preview3-26423-04 + 4.5.0-preview3-26423-04 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 790ae84e6d..5a9689541e 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17037 -commithash:557055a86cbdc359c97d4fb1c2d23a3dc7ae731e +version:2.2.0-preview1-17042 +commithash:edf0705d014293c260de763543784330514db9a3 From 1609514afec2161a8f462bfb2266368957178a11 Mon Sep 17 00:00:00 2001 From: "Nate McMaster (automated)" Date: Mon, 30 Apr 2018 14:51:38 -0700 Subject: [PATCH 442/493] Bump version to 2.1.0-rtm --- version.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.props b/version.props index 6167eb653c..c8bf9b67b7 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ 2.1.0 - rc1 + rtm $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 @@ -10,7 +10,7 @@ $(VersionSuffix)-$(BuildNumber) 0.4.0 - preview3 + rtm $(ExperimentalVersionPrefix) $(ExperimentalVersionPrefix)-$(ExperimentalVersionSuffix)-final $(ExperimentalVersionSuffix)-$(BuildNumber) 
From fb2f89ed5194fac3ed2bfa1e816d310347cb462c Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 1 May 2018 14:13:26 -0700 Subject: [PATCH 443/493] Factor out internal interface for default directory testing Create an internal abstraction for finding the default directories for key storage. This allows us to run tests without squashing on keys on the developer machine. It also allows us to isolate test runs from reach other. --- .../DataProtectionProvider.cs | 2 +- .../KeyManagement/XmlKeyManager.cs | 16 ++- .../Properties/AssemblyInfo.cs | 1 + .../DefaultKeyStorageDirectories.cs | 112 ++++++++++++++++++ .../Repositories/FileSystemXmlRepository.cs | 92 +------------- .../IDefaultKeyStorageDirectory.cs | 17 +++ .../DataProtectionProviderTests.cs | 74 ++++++------ .../TimeLimitedDataProtectorTests.cs | 7 +- 8 files changed, 187 insertions(+), 134 deletions(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs index 7b080a9a87..cc82fe9ef8 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs @@ -150,7 +150,7 @@ namespace Microsoft.AspNetCore.DataProtection return CreateProvider(keyDirectory, setupAction, certificate); } - private static IDataProtectionProvider CreateProvider( + internal static IDataProtectionProvider CreateProvider( DirectoryInfo keyDirectory, Action setupAction, X509Certificate2 certificate) diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs index 66e7a96dcb..06baad13ed 100644 
--- a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs +++ b/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs @@ -53,6 +53,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement private readonly ILoggerFactory _loggerFactory; private readonly ILogger _logger; private readonly IEnumerable _encryptorFactories; + private readonly IDefaultKeyStorageDirectories _keyStorageDirectories; private CancellationTokenSource _cacheExpirationTokenSource; @@ -62,7 +63,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// The instance that provides the configuration. /// The . public XmlKeyManager(IOptions keyManagementOptions, IActivator activator) - : this (keyManagementOptions, activator, NullLoggerFactory.Instance) + : this(keyManagementOptions, activator, NullLoggerFactory.Instance) { } /// @@ -72,9 +73,18 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement /// The . /// The . public XmlKeyManager(IOptions keyManagementOptions, IActivator activator, ILoggerFactory loggerFactory) + : this(keyManagementOptions, activator, loggerFactory, DefaultKeyStorageDirectories.Instance) + { } + + internal XmlKeyManager( + IOptions keyManagementOptions, + IActivator activator, + ILoggerFactory loggerFactory, + IDefaultKeyStorageDirectories keyStorageDirectories) { _loggerFactory = loggerFactory ?? throw new ArgumentNullException(nameof(loggerFactory)); _logger = _loggerFactory.CreateLogger(); + _keyStorageDirectories = keyStorageDirectories ?? throw new ArgumentNullException(nameof(keyStorageDirectories)); KeyRepository = keyManagementOptions.Value.XmlRepository; KeyEncryptor = keyManagementOptions.Value.XmlEncryptor; 
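Review bot: The internal `XmlKeyManager` constructor added in the `@@ -72,9 +73,18 @@` hunk guards `loggerFactory` and `keyStorageDirectories` with `?? throw`, but `keyManagementOptions.Value` is read a few lines later with no guard, so a null options argument surfaces as a NullReferenceException rather than naming the parameter. Since both public overloads now funnel into this constructor, a single `if (keyManagementOptions == null) throw new ArgumentNullException(nameof(keyManagementOptions));` at its top would cover them all. The constructor also has no comment, unlike the public overloads; something like `// Internal for testing: lets tests substitute the default key storage directories.` would explain why it exists. Its body continues past the end of the hunk.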
@@ -469,7 +479,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement IXmlEncryptor encryptor = null; // If we're running in Azure Web Sites, the key repository goes in the %HOME% directory. - var azureWebSitesKeysFolder = FileSystemXmlRepository.GetKeyStorageDirectoryForAzureWebSites(); + var azureWebSitesKeysFolder = _keyStorageDirectories.GetKeyStorageDirectoryForAzureWebSites(); if (azureWebSitesKeysFolder != null) { _logger.UsingAzureAsKeyRepository(azureWebSitesKeysFolder.FullName); @@ -481,7 +491,7 @@ namespace Microsoft.AspNetCore.DataProtection.KeyManagement else { // If the user profile is available, store keys in the user profile directory. - var localAppDataKeysFolder = FileSystemXmlRepository.DefaultKeyStorageDirectory; + var localAppDataKeysFolder = _keyStorageDirectories.GetKeyStorageDirectory(); if (localAppDataKeysFolder != null) { if (OSVersionUtil.IsWindows()) diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs index 7816360b8b..614112bd73 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs 
@@ -4,5 +4,6 @@ using System.Runtime.CompilerServices; // for unit testing +[assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Extensions.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: InternalsVisibleTo("Microsoft.AspNetCore.DataProtection.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")] [assembly: InternalsVisibleTo("DynamicProxyGenAssembly2, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7")] diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs new file mode 100644 index 0000000000..a0717263fb --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs 
@@ -0,0 +1,112 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Diagnostics; +using System.IO; +using System.Runtime.InteropServices; + +namespace Microsoft.AspNetCore.DataProtection.Repositories +{ + internal sealed class DefaultKeyStorageDirectories : IDefaultKeyStorageDirectories + { + private static readonly Lazy _defaultDirectoryLazy = new Lazy(GetKeyStorageDirectoryImpl); + + private DefaultKeyStorageDirectories() + { + } + + public static IDefaultKeyStorageDirectories Instance { get; } = new DefaultKeyStorageDirectories(); + + /// + /// The default key storage directory. + /// On Windows, this currently corresponds to "Environment.SpecialFolder.LocalApplication/ASP.NET/DataProtection-Keys". + /// On Linux and macOS, this currently corresponds to "$HOME/.aspnet/DataProtection-Keys". + /// + /// + /// This property can return null if no suitable default key storage directory can + /// be found, such as the case when the user profile is unavailable. + /// + public DirectoryInfo GetKeyStorageDirectory() => _defaultDirectoryLazy.Value; + + private static DirectoryInfo GetKeyStorageDirectoryImpl() + { + DirectoryInfo retVal; + + // Environment.GetFolderPath returns null if the user profile isn't loaded. 
+ var localAppDataFromSystemPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); + var localAppDataFromEnvPath = Environment.GetEnvironmentVariable("LOCALAPPDATA"); + var userProfilePath = Environment.GetEnvironmentVariable("USERPROFILE"); + var homePath = Environment.GetEnvironmentVariable("HOME"); + + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !string.IsNullOrEmpty(localAppDataFromSystemPath)) + { + // To preserve backwards-compatibility with 1.x, Environment.SpecialFolder.LocalApplicationData + // cannot take precedence over $LOCALAPPDATA and $HOME/.aspnet on non-Windows platforms + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromSystemPath); + } + else if (localAppDataFromEnvPath != null) + { + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromEnvPath); + } + else if (userProfilePath != null) + { + retVal = GetKeyStorageDirectoryFromBaseAppDataPath(Path.Combine(userProfilePath, "AppData", "Local")); + } + else if (homePath != null) + { + // If LOCALAPPDATA and USERPROFILE are not present but HOME is, + // it's a good guess that this is a *NIX machine. Use *NIX conventions for a folder name. + retVal = new DirectoryInfo(Path.Combine(homePath, ".aspnet", DataProtectionKeysFolderName)); + } + else if (!string.IsNullOrEmpty(localAppDataFromSystemPath)) + { + // Starting in 2.x, non-Windows platforms may use Environment.SpecialFolder.LocalApplicationData + // but only after checking for $LOCALAPPDATA, $USERPROFILE, and $HOME. 
+ retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromSystemPath); + } + else + { + return null; + } + + Debug.Assert(retVal != null); + + try + { + retVal.Create(); // throws if we don't have access, e.g., user profile not loaded + return retVal; + } + catch + { + return null; + } + } + + public DirectoryInfo GetKeyStorageDirectoryForAzureWebSites() + { + // Azure Web Sites needs to be treated specially, as we need to store the keys in a + // correct persisted location. We use the existence of the %WEBSITE_INSTANCE_ID% env + // variable to determine if we're running in this environment, and if so we then use + // the %HOME% variable to build up our base key storage path. + if (!String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"))) + { + var homeEnvVar = Environment.GetEnvironmentVariable("HOME"); + if (!String.IsNullOrEmpty(homeEnvVar)) + { + return GetKeyStorageDirectoryFromBaseAppDataPath(homeEnvVar); + } + } + + // nope + return null; + } + + private const string DataProtectionKeysFolderName = "DataProtection-Keys"; + + private static DirectoryInfo GetKeyStorageDirectoryFromBaseAppDataPath(string basePath) + { + return new DirectoryInfo(Path.Combine(basePath, "ASP.NET", DataProtectionKeysFolderName)); + } + } +} diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs index 914cc3f9ba..7ceede33d1 100644 --- a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs @@ -3,10 +3,8 @@ using System; using System.Collections.Generic; -using System.Diagnostics; using System.IO; using System.Linq; -using System.Runtime.InteropServices; using System.Xml.Linq; using Microsoft.AspNetCore.DataProtection.Internal; using Microsoft.Extensions.Logging; 
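Review bot: The bare `catch` after `retVal.Create()` in `GetKeyStorageDirectoryImpl` (new file `DefaultKeyStorageDirectories.cs`) turns every failure into `null`, and the `Lazy` caches that result, so an unusable path taken from `LOCALAPPDATA`, `USERPROFILE` or `HOME` looks the same as an unloaded user profile for the life of the process. I would at least say so at the catch, e.g. `// Best-effort by design: any failure to create the directory means "no default directory" (null).`, and leave it to the caller to log which key store it falls back to. `Create()` is also called without restricting access, and the test updated in this commit expects the key file to be unencrypted on non-Windows, so the doc comment on `GetKeyStorageDirectory` should probably state that this location needs to be readable only by the application's own account. That doc comment still says "This property can return null" although the member is now a method.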
@@ -18,8 +16,6 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// public class FileSystemXmlRepository : IXmlRepository { - private static readonly Lazy _defaultDirectoryLazy = new Lazy(GetDefaultKeyStorageDirectory); - private readonly ILogger _logger; /// @@ -29,12 +25,8 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// The . public FileSystemXmlRepository(DirectoryInfo directory, ILoggerFactory loggerFactory) { - if (directory == null) - { - throw new ArgumentNullException(nameof(directory)); - } + Directory = directory ?? throw new ArgumentNullException(nameof(directory)); - Directory = directory; _logger = loggerFactory.CreateLogger(); try @@ -63,20 +55,13 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories /// This property can return null if no suitable default key storage directory can /// be found, such as the case when the user profile is unavailable. /// - public static DirectoryInfo DefaultKeyStorageDirectory => _defaultDirectoryLazy.Value; + public static DirectoryInfo DefaultKeyStorageDirectory => DefaultKeyStorageDirectories.Instance.GetKeyStorageDirectory(); /// /// The directory into which key material will be written. /// public DirectoryInfo Directory { get; } - private const string DataProtectionKeysFolderName = "DataProtection-Keys"; - - private static DirectoryInfo GetKeyStorageDirectoryFromBaseAppDataPath(string basePath) - { - return new DirectoryInfo(Path.Combine(basePath, "ASP.NET", DataProtectionKeysFolderName)); - } - public virtual IReadOnlyCollection GetAllElements() { // forces complete enumeration 
@@ -99,79 +84,6 @@ namespace Microsoft.AspNetCore.DataProtection.Repositories } } - private static DirectoryInfo GetDefaultKeyStorageDirectory() - { - DirectoryInfo retVal; - - // Environment.GetFolderPath returns null if the user profile isn't loaded. - var localAppDataFromSystemPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData); - var localAppDataFromEnvPath = Environment.GetEnvironmentVariable("LOCALAPPDATA"); - var userProfilePath = Environment.GetEnvironmentVariable("USERPROFILE"); - var homePath = Environment.GetEnvironmentVariable("HOME"); - - if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !string.IsNullOrEmpty(localAppDataFromSystemPath)) - { - // To preserve backwards-compatibility with 1.x, Environment.SpecialFolder.LocalApplicationData - // cannot take precedence over $LOCALAPPDATA and $HOME/.aspnet on non-Windows platforms - retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromSystemPath); - } - else if (localAppDataFromEnvPath != null) - { - retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromEnvPath); - } - else if (userProfilePath != null) - { - retVal = GetKeyStorageDirectoryFromBaseAppDataPath(Path.Combine(userProfilePath, "AppData", "Local")); - } - else if (homePath != null) - { - // If LOCALAPPDATA and USERPROFILE are not present but HOME is, - // it's a good guess that this is a *NIX machine. Use *NIX conventions for a folder name. - retVal = new DirectoryInfo(Path.Combine(homePath, ".aspnet", DataProtectionKeysFolderName)); - } - else if (!string.IsNullOrEmpty(localAppDataFromSystemPath)) - { - // Starting in 2.x, non-Windows platforms may use Environment.SpecialFolder.LocalApplicationData - // but only after checking for $LOCALAPPDATA, $USERPROFILE, and $HOME. 
- retVal = GetKeyStorageDirectoryFromBaseAppDataPath(localAppDataFromSystemPath); - } - else - { - return null; - } - - Debug.Assert(retVal != null); - - try - { - retVal.Create(); // throws if we don't have access, e.g., user profile not loaded - return retVal; - } - catch - { - return null; - } - } - - internal static DirectoryInfo GetKeyStorageDirectoryForAzureWebSites() - { - // Azure Web Sites needs to be treated specially, as we need to store the keys in a - // correct persisted location. We use the existence of the %WEBSITE_INSTANCE_ID% env - // variable to determine if we're running in this environment, and if so we then use - // the %HOME% variable to build up our base key storage path. - if (!String.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"))) - { - var homeEnvVar = Environment.GetEnvironmentVariable("HOME"); - if (!String.IsNullOrEmpty(homeEnvVar)) - { - return GetKeyStorageDirectoryFromBaseAppDataPath(homeEnvVar); - } - } - - // nope - return null; - } - private static bool IsSafeFilename(string filename) { // Must be non-empty and contain only a-zA-Z0-9, hyphen, and underscore. diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs b/src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs new file mode 100644 index 0000000000..e7e1410e79 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs 
@@ -0,0 +1,17 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System.IO; + +namespace Microsoft.AspNetCore.DataProtection.Repositories +{ + /// + /// This interface enables overridding the default storage location of keys on disk + /// + internal interface IDefaultKeyStorageDirectories + { + DirectoryInfo GetKeyStorageDirectory(); + + DirectoryInfo GetKeyStorageDirectoryForAzureWebSites(); + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 7c7bcf9c36..40e470ea58 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -7,9 +7,16 @@ using System.Reflection; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; +using Microsoft.AspNetCore.DataProtection.Internal; +using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; +using Microsoft.Extensions.Options; +using Moq; using Xunit; namespace Microsoft.AspNetCore.DataProtection 
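Review bot: Neither method on `IDefaultKeyStorageDirectories` documents that it may return `null`, yet the implementation added in this commit returns `null` from both and `XmlKeyManager` branches on exactly that, so anyone writing a test double has to read the implementation to learn the contract. I'd add a one-line doc comment to each, e.g. `/// Returns the default key directory, or null when none is available.` and `/// Returns the Azure Web Sites key directory, or null when not running there.` The file is named `IDefaultKeyStorageDirectory.cs` while the type is `IDefaultKeyStorageDirectories`, and the summary has a typo (`overridding`).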
@@ -42,49 +49,42 @@ namespace Microsoft.AspNetCore.DataProtection [Fact] public void System_NoKeysDirectoryProvided_UsesDefaultKeysDirectory() { - Assert.NotNull(FileSystemXmlRepository.DefaultKeyStorageDirectory); + var mock = new Mock(); + var keysPath = Path.Combine(AppContext.BaseDirectory, Path.GetRandomFileName()); + mock.Setup(m => m.GetKeyStorageDirectory()).Returns(new DirectoryInfo(keysPath)); - var keysPath = FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName; - var tempPath = FileSystemXmlRepository.DefaultKeyStorageDirectory.FullName + Path.GetRandomFileName(); - - try + // Step 1: Instantiate the system and round-trip a payload + var provider = DataProtectionProvider.CreateProvider( + keyDirectory: null, + certificate: null, + setupAction: builder => { - // Step 1: Move the current contents, if any, to a temporary directory. - if (Directory.Exists(keysPath)) - { - Directory.Move(keysPath, tempPath); - } + builder.SetApplicationName("TestApplication"); + builder.Services.AddSingleton(s => + new XmlKeyManager( + s.GetRequiredService>(), + s.GetRequiredService(), + NullLoggerFactory.Instance, + mock.Object)); + }); - // Step 2: Instantiate the system and round-trip a payload - var protector = DataProtectionProvider.Create("TestApplication").CreateProtector("purpose"); - Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); + var protector = provider.CreateProtector("Protector"); + Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); - // Step 3: Validate that there's now a single key in the directory - var newFileName = Assert.Single(Directory.GetFiles(keysPath)); - var file = new FileInfo(newFileName); - Assert.StartsWith("key-", file.Name, StringComparison.OrdinalIgnoreCase); - var fileText = File.ReadAllText(file.FullName); - // On Windows, validate that it's protected using Windows DPAPI. 
- if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) - { - Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); - Assert.Contains("This key is encrypted with Windows DPAPI.", fileText, StringComparison.Ordinal); - } - else - { - Assert.Contains("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); - } + // Step 2: Validate that there's now a single key in the directory + var newFileName = Assert.Single(Directory.GetFiles(keysPath)); + var file = new FileInfo(newFileName); + Assert.StartsWith("key-", file.Name, StringComparison.OrdinalIgnoreCase); + var fileText = File.ReadAllText(file.FullName); + // On Windows, validate that it's protected using Windows DPAPI. + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) + { + Assert.DoesNotContain("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); + Assert.Contains("This key is encrypted with Windows DPAPI.", fileText, StringComparison.Ordinal); } - finally + else { - if (Directory.Exists(keysPath)) - { - Directory.Delete(keysPath, recursive: true); - } - if (Directory.Exists(tempPath)) - { - Directory.Move(tempPath, keysPath); - } + Assert.Contains("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal); } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs index 6f71977154..47dfc26fd7 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs 
@@ -4,13 +4,14 @@ using System; using System.Globalization; using System.Security.Cryptography; -using Microsoft.AspNetCore.DataProtection.Extensions; using Microsoft.Extensions.Logging.Abstractions; using Moq; using Xunit; +using ExtResources = Microsoft.AspNetCore.DataProtection.Extensions.Resources; namespace Microsoft.AspNetCore.DataProtection { + public class TimeLimitedDataProtectorTests { private const string TimeLimitedPurposeString = "Microsoft.AspNetCore.DataProtection.TimeLimitedDataProtector.v1"; @@ -106,7 +107,7 @@ namespace Microsoft.AspNetCore.DataProtection => timeLimitedProtector.UnprotectCore(new byte[] { 0x10, 0x11 }, now, out var _)); // Assert - Assert.Equal(Resources.FormatTimeLimitedDataProtector_PayloadExpired(expectedExpiration), ex.Message); + Assert.Equal(ExtResources.FormatTimeLimitedDataProtector_PayloadExpired(expectedExpiration), ex.Message); } [Fact] @@ -127,7 +128,7 @@ namespace Microsoft.AspNetCore.DataProtection => timeLimitedProtector.Unprotect(new byte[] { 0x10, 0x11 }, out var _)); // Assert - Assert.Equal(Resources.TimeLimitedDataProtector_PayloadInvalid, ex.Message); + Assert.Equal(ExtResources.TimeLimitedDataProtector_PayloadInvalid, ex.Message); } [Fact] From 8851048872a4a68e85cea61d2c4a310a48aedca0 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Fri, 4 May 2018 07:30:06 -0700 Subject: [PATCH 444/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index ad8dfe151b..d51c20e33c 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,30 +3,30 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-rc1-15774 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 + 2.1.0-rtm-15783 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 2.3.2 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 - 2.1.0-rc1-30613 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 + 2.1.0-rtm-30721 3.14.2 2.0.0 - 2.1.0-rc1-26419-02 + 2.1.0-rtm-26502-02 15.6.1 - 4.5.0-rc1-26419-03 + 4.5.0-rtm-26502-02 4.7.49 - 2.0.1 + 2.0.3 1.2.4 - 4.5.0-rc1-26419-03 - 4.5.0-rc1-26419-03 + 4.5.0-rtm-26502-02 + 4.5.0-rtm-26502-02 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index d35f5d62cf..27e94579a9 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-rc1-15774 -commithash:ed5ca9de3c652347dbb0158a9a65eff3471d2114 +version:2.1.0-rtm-15783 +commithash:5fc2b2f607f542a2ffde11c19825e786fc1a3774 From b7e99bfb9cf9323d42eac2467293036f3d3d090a Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 6 May 2018 12:10:28 -0700 Subject: [PATCH 445/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 86d3a295ea..5619a809b0 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17042 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 + 2.2.0-preview1-17047 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 2.3.2 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 - 2.2.0-preview1-34066 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 + 2.2.0-preview1-34135 3.14.2 2.0.0 2.2.0-preview1-26424-04 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 5a9689541e..18df6940ae 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17042 -commithash:edf0705d014293c260de763543784330514db9a3 +version:2.2.0-preview1-17047 +commithash:e1957b52ddc8b62bd39c5c400322fccb5364624c From 15ff22bc5c5cc30c5be956258d3adde8d0c115d6 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Mon, 7 May 2018 15:09:53 -0700 Subject: [PATCH 446/493] Upgrade to netcoreapp22 --- Directory.Build.targets | 5 +++- build/dependencies.props | 29 ++++++++++--------- build/repo.props | 3 +- korebuild-lock.txt | 4 +-- samples/AzureBlob/AzureBlob.csproj | 4 +-- samples/AzureKeyVault/AzureKeyVault.csproj | 2 +- .../CustomEncryptorSample.csproj | 4 +-- .../KeyManagementSample.csproj | 4 +-- samples/NonDISample/NonDISample.csproj | 4 +-- samples/Redis/Redis.csproj | 4 +-- test/Directory.Build.props | 4 +-- .../Pbkdf2Tests.cs | 2 +- .../AnonymousImpersonation.cs | 2 +- .../TypeForwardingActivatorTests.cs | 2 +- .../XmlEncryption/DpapiXmlEncryptionTests.cs | 2 +- 15 files changed, 40 insertions(+), 35 deletions(-) diff --git a/Directory.Build.targets b/Directory.Build.targets index 53b3f6e1da..78626b773e 100644 --- a/Directory.Build.targets 
+++ b/Directory.Build.targets @@ -1,7 +1,10 @@ - + $(MicrosoftNETCoreApp20PackageVersion) $(MicrosoftNETCoreApp21PackageVersion) + $(MicrosoftNETCoreApp22PackageVersion) $(NETStandardLibrary20PackageVersion) + + 99.9 diff --git a/build/dependencies.props b/build/dependencies.props index 5619a809b0..7fe4eab12b 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -1,25 +1,26 @@ - + $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17047 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 + 2.2.0-preview1-17048 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 2.3.2 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 - 2.2.0-preview1-34135 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 + 2.2.0-preview1-34140 3.14.2 2.0.0 2.2.0-preview1-26424-04 + 2.2.0-preview1-26502-01 15.6.1 4.5.0-preview3-26423-04 4.7.49 diff --git a/build/repo.props b/build/repo.props index 78b0ce5879..17a98ac7e7 100644 --- a/build/repo.props +++ b/build/repo.props @@ -1,4 +1,4 @@ - + @@ -10,5 +10,6 @@ + diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 18df6940ae..da5dcd1202 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17047 -commithash:e1957b52ddc8b62bd39c5c400322fccb5364624c +version:2.2.0-preview1-17048 +commithash:de14a0ee5fb48508ee8a29c14280a2928f8dabf8 diff --git a/samples/AzureBlob/AzureBlob.csproj b/samples/AzureBlob/AzureBlob.csproj index 8ba3d51f0f..07c7a23911 100644 --- a/samples/AzureBlob/AzureBlob.csproj +++ b/samples/AzureBlob/AzureBlob.csproj @@ -1,7 +1,7 @@ - + - netcoreapp2.1 + netcoreapp2.2 exe 
diff --git a/samples/AzureKeyVault/AzureKeyVault.csproj b/samples/AzureKeyVault/AzureKeyVault.csproj index ce4ae01408..99f91f6158 100644 --- a/samples/AzureKeyVault/AzureKeyVault.csproj +++ b/samples/AzureKeyVault/AzureKeyVault.csproj @@ -1,7 +1,7 @@ - netcoreapp2.1 + netcoreapp2.2 exe diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj index 1cfe237b50..f2a6779bc4 100644 --- a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj +++ b/samples/CustomEncryptorSample/CustomEncryptorSample.csproj @@ -1,7 +1,7 @@ - + - net461;netcoreapp2.1 + net461;netcoreapp2.2 exe diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/samples/KeyManagementSample/KeyManagementSample.csproj index e240e30b6d..981c40bd47 100644 --- a/samples/KeyManagementSample/KeyManagementSample.csproj +++ b/samples/KeyManagementSample/KeyManagementSample.csproj @@ -1,7 +1,7 @@ - + - net461;netcoreapp2.1 + net461;netcoreapp2.2 exe diff --git a/samples/NonDISample/NonDISample.csproj b/samples/NonDISample/NonDISample.csproj index 168e26a249..35d64cfd3f 100644 --- a/samples/NonDISample/NonDISample.csproj +++ b/samples/NonDISample/NonDISample.csproj @@ -1,7 +1,7 @@ - + - net461;netcoreapp2.1 + net461;netcoreapp2.2 exe diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index dc79399c6c..072dc402a4 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -1,7 +1,7 @@ - + - net461;netcoreapp2.1 + net461;netcoreapp2.2 exe diff --git a/test/Directory.Build.props b/test/Directory.Build.props index 9d4d4a902c..2b83ffeac1 100644 --- a/test/Directory.Build.props +++ b/test/Directory.Build.props @@ -2,9 +2,9 @@ - netcoreapp2.1 + netcoreapp2.2 $(DeveloperBuildTestTfms) - netcoreapp2.1;netcoreapp2.0 + $(StandardTestTfms);net461 
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs index 6c78225a92..5b66a93510 100644 --- a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs +++ b/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs @@ -14,7 +14,7 @@ namespace Microsoft.AspNetCore.Cryptography.KeyDerivation { #if NET461 -#elif NETCOREAPP2_0 || NETCOREAPP2_1 +#elif NETCOREAPP2_2 // The 'numBytesRequested' parameters below are chosen to exercise code paths where // this value straddles the digest length of the PRF. We only use 5 iterations so // that our unit tests are fast. diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs index b8ecc36c26..046fbcc24a 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs @@ -86,7 +86,7 @@ namespace Microsoft.AspNetCore.DataProtection } } } -#elif NETCOREAPP2_0 || NETCOREAPP2_1 +#elif NETCOREAPP2_2 #else #error Target framework needs to be updated #endif diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs index 2b8931c98e..b6ef8e9928 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs 
@@ -113,7 +113,7 @@ namespace Microsoft.AspNetCore.DataProtection var domain = AppDomain.CreateDomain("TestDomain", null, setupInfo); var wrappedTestClass = (TypeForwardingActivatorTests)domain.CreateInstanceAndUnwrap(GetType().Assembly.FullName, typeof(TypeForwardingActivatorTests).FullName); wrappedTestClass.CreateInstance_ForwardsAcrossVersionChangesImpl(version); -#elif NETCOREAPP2_0 || NETCOREAPP2_1 +#elif NETCOREAPP2_2 CreateInstance_ForwardsAcrossVersionChangesImpl(version); #else #error Target framework should be updated diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs index 79dcff64af..d12faeb148 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs @@ -53,7 +53,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption ExceptionAssert2.ThrowsCryptographicException(() => AnonymousImpersonation.Run(() => decryptor.Decrypt(encryptedXmlInfo.EncryptedElement))); } -#elif NETCOREAPP2_0 || NETCOREAPP2_1 +#elif NETCOREAPP2_2 #else #error Target framework needs to be updated #endif From aef13f941bd4f7002de974660a038fd9a651e7ae Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 13 May 2018 14:03:47 -0700 Subject: [PATCH 447/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 38 +++++++++++++++++++------------------- korebuild-lock.txt | 4 ++-- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 7fe4eab12b..391cf88728 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -1,33 +1,33 @@ - + $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17048 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 + 2.2.0-preview1-17051 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 2.3.2 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 - 2.2.0-preview1-34140 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 + 2.2.0-preview1-34184 3.14.2 2.0.0 - 2.2.0-preview1-26424-04 - 2.2.0-preview1-26502-01 + 2.1.0-rc1 + 2.2.0-preview1-26509-06 15.6.1 - 4.5.0-preview3-26423-04 + 4.6.0-preview1-26508-04 4.7.49 2.0.3 1.2.4 - 4.5.0-preview3-26423-04 - 4.5.0-preview3-26423-04 + 4.6.0-preview1-26508-04 + 4.6.0-preview1-26508-04 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index da5dcd1202..56263a26fc 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17048 -commithash:de14a0ee5fb48508ee8a29c14280a2928f8dabf8 +version:2.2.0-preview1-17051 +commithash:253c3a480063bc3abaa5cde42f6e27b58457ef9b From a3f7b16464411ffe3c94d89707baef028b60fb6c Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 20 May 2018 19:27:01 +0000 Subject: [PATCH 448/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 391cf88728..3f542a15e4 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17051 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 + 2.2.0-preview1-17060 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 2.3.2 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 - 2.2.0-preview1-34184 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 + 2.2.0-preview1-34255 3.14.2 2.0.0 2.1.0-rc1 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 56263a26fc..06fc8a13e4 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17051 -commithash:253c3a480063bc3abaa5cde42f6e27b58457ef9b +version:2.2.0-preview1-17060 +commithash:25b4b134d6f8f7b461928f0d495cfc695ccabb5b From 4f576cde230329f7511db2a3a8e16daa8439bc42 Mon Sep 17 00:00:00 2001 From: "Nate McMaster (automated)" Date: Fri, 25 May 2018 16:13:34 -0700 Subject: [PATCH 449/493] Update bootstrapper scripts (automated commit) [ci skip] --- run.ps1 | 25 +++++++++++++++++++------ run.sh | 33 +++++++++++++++++++++++++++++---- 2 files changed, 48 insertions(+), 10 deletions(-) diff --git a/run.ps1 b/run.ps1 index 27dcf848f8..3b27382468 100644 --- a/run.ps1 +++ b/run.ps1 
@@ -26,12 +26,18 @@ The base url where build tools can be downloaded. Overrides the value from the c .PARAMETER Update Updates KoreBuild to the latest version even if a lock file is present. +.PARAMETER Reinstall +Re-installs KoreBuild + .PARAMETER ConfigFile The path to the configuration file that stores values. Defaults to korebuild.json. .PARAMETER ToolsSourceSuffix The Suffix to append to the end of the ToolsSource. Useful for query strings in blob stores. +.PARAMETER CI +Sets up CI specific settings and variables. + .PARAMETER Arguments Arguments to be passed to the command @@ -65,8 +71,10 @@ param( [string]$ToolsSource, [Alias('u')] [switch]$Update, - [string]$ConfigFile, + [switch]$Reinstall, [string]$ToolsSourceSuffix, + [string]$ConfigFile = $null, + [switch]$CI, [Parameter(ValueFromRemainingArguments = $true)] [string[]]$Arguments ) @@ -93,6 +101,10 @@ function Get-KoreBuild { $version = $version.TrimStart('version:').Trim() $korebuildPath = Join-Paths $DotNetHome ('buildtools', 'korebuild', $version) + if ($Reinstall -and (Test-Path $korebuildPath)) { + Remove-Item -Force -Recurse $korebuildPath + } + if (!(Test-Path $korebuildPath)) { Write-Host -ForegroundColor Magenta "Downloading KoreBuild $version" New-Item -ItemType Directory -Path $korebuildPath | Out-Null @@ -101,9 +113,9 @@ function Get-KoreBuild { try { $tmpfile = Join-Path ([IO.Path]::GetTempPath()) "KoreBuild-$([guid]::NewGuid()).zip" Get-RemoteFile $remotePath $tmpfile $ToolsSourceSuffix - if (Get-Command -Name 'Expand-Archive' -ErrorAction Ignore) { + if (Get-Command -Name 'Microsoft.PowerShell.Archive\Expand-Archive' -ErrorAction Ignore) { # Use built-in commands where possible as they are cross-plat compatible - Expand-Archive -Path $tmpfile -DestinationPath $korebuildPath + Microsoft.PowerShell.Archive\Expand-Archive -Path $tmpfile -DestinationPath $korebuildPath } else { # Fallback to old approach for old installations of PowerShell 
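Review bot: The added `Remove-Item -Force -Recurse $korebuildPath` deletes a path built from `$version`, which is read from the lock file, and nothing in this hunk checks that value before the recursive delete. An empty version would presumably resolve to the shared `buildtools/korebuild` directory, and a value containing path separators could point elsewhere. A guard ahead of the `Join-Paths` call, such as `if ($version -notmatch '^\d[\w.\-]*$') { throw "Unexpected KoreBuild version '$version'" }`, would bound what `-Reinstall` can remove. The same applies to the `rm -rf "$korebuild_path"` added to get_korebuild in run.sh. Get-KoreBuild starts and ends outside the hunk, so an earlier validation may already exist.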
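Review bot: The archive fetched by `Get-RemoteFile $remotePath $tmpfile $ToolsSourceSuffix` is expanded into `$korebuildPath` with no integrity check visible in this hunk; qualifying the cmdlet as `Microsoft.PowerShell.Archive\Expand-Archive` only settles which command does the unpacking. If Get-RemoteFile (defined outside the hunk) does not verify the download, a comparison before expansion would close the gap, e.g. `if ((Get-FileHash -Algorithm SHA256 $tmpfile).Hash -ne $expectedSha256) { throw "KoreBuild archive hash mismatch" }`, where `$expectedSha256` is a placeholder for a value recorded next to the version in korebuild-lock.txt. A comment on the qualified name, such as `# Module-qualified so a same-named function, alias or other module's cmdlet is not resolved instead`, would record what is presumably the reason for the change.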
@@ -167,8 +179,9 @@ if (Test-Path $ConfigFile) { } } catch { - Write-Warning "$ConfigFile could not be read. Its settings will be ignored." - Write-Warning $Error[0] + Write-Host -ForegroundColor Red $Error[0] + Write-Error "$ConfigFile contains invalid JSON." + exit 1 } } @@ -188,7 +201,7 @@ $korebuildPath = Get-KoreBuild Import-Module -Force -Scope Local (Join-Path $korebuildPath 'KoreBuild.psd1') try { - Set-KoreBuildSettings -ToolsSource $ToolsSource -DotNetHome $DotNetHome -RepoPath $Path -ConfigFile $ConfigFile + Set-KoreBuildSettings -ToolsSource $ToolsSource -DotNetHome $DotNetHome -RepoPath $Path -ConfigFile $ConfigFile -CI:$CI Invoke-KoreBuildCommand $Command @Arguments } finally { diff --git a/run.sh b/run.sh index 834961fc3a..02aac15874 100755 --- a/run.sh +++ b/run.sh @@ -14,10 +14,12 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" [ -z "${DOTNET_HOME:-}" ] && DOTNET_HOME="$HOME/.dotnet" verbose=false update=false +reinstall=false repo_path="$DIR" channel='' tools_source='' tools_source_suffix='' +ci=false # # Functions @@ -38,6 +40,8 @@ __usage() { echo " -s|--tools-source|-ToolsSource The base url where build tools can be downloaded. Overrides the value from the config file." echo " --tools-source-suffix|-ToolsSourceSuffix The suffix to append to tools-source. Useful for query strings." echo " -u|--update Update to the latest KoreBuild even if the lock file is present." + echo " --reinstall Reinstall KoreBuild." + echo " --ci Apply CI specific settings and environment variables." echo "" echo "Description:" echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." 
@@ -62,6 +66,10 @@ get_korebuild() { version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" + if [ "$reinstall" = true ] && [ -d "$korebuild_path" ]; then + rm -rf "$korebuild_path" + fi + { if [ ! -d "$korebuild_path" ]; then mkdir -p "$korebuild_path" @@ -175,6 +183,12 @@ while [[ $# -gt 0 ]]; do -u|--update|-Update) update=true ;; + --reinstall|-[Rr]einstall) + reinstall=true + ;; + --ci|-[Cc][Ii]) + ci=true + ;; --verbose|-Verbose) verbose=true ;; 
@@ -206,17 +220,28 @@ if [ -f "$config_file" ]; then config_channel="$(jq -r 'select(.channel!=null) | .channel' "$config_file")" config_tools_source="$(jq -r 'select(.toolsSource!=null) | .toolsSource' "$config_file")" else - __warn "$config_file is invalid JSON. Its settings will be ignored." + _error "$config_file contains invalid JSON." + exit 1 fi elif __machine_has python ; then if python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'))" >/dev/null ; then config_channel="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" config_tools_source="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" else - __warn "$config_file is invalid JSON. Its settings will be ignored." + _error "$config_file contains invalid JSON." + exit 1 + fi + elif __machine_has python3 ; then + if python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'))" >/dev/null ; then + config_channel="$(python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" + config_tools_source="$(python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" + else + _error "$config_file contains invalid JSON." + exit 1 fi else - __warn 'Missing required command: jq or pyton. Could not parse the JSON file. Its settings will be ignored.' + _error 'Missing required command: jq or python. Could not parse the JSON file.' + exit 1 fi [ ! -z "${config_channel:-}" ] && channel="$config_channel" 
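Review bot: The new failure branches call `_error`, while every other helper visible in these hunks uses a double underscore (`__warn`, `__usage`, `__machine_has`). If the script defines `__error` rather than `_error`, the intended message is lost to a command-not-found error, and the calls should read `__error "$config_file contains invalid JSON."`. The added python3 branch also repeats the existing pattern of splicing `$config_file` into the Python source inside single quotes, so a path containing a quote changes the program that runs. Passing the path as an argument avoids that, e.g. `python3 -c "import json,codecs,sys;json.load(codecs.open(sys.argv[1], 'r', 'utf-8-sig'))" "$config_file"`. The enclosing `if [ -f "$config_file" ]` block starts and ends outside the hunk.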
@@ -227,5 +252,5 @@ fi [ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' get_korebuild -set_korebuildsettings "$tools_source" "$DOTNET_HOME" "$repo_path" "$config_file" +set_korebuildsettings "$tools_source" "$DOTNET_HOME" "$repo_path" "$config_file" "$ci" invoke_korebuild_command "$command" "$@" From 70984e610005011dc79c7688622da6bfe6277cca Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 27 May 2018 19:09:53 +0000 Subject: [PATCH 450/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 3f542a15e4..2c12d3dfb0 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,31 +3,31 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17060 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 + 2.2.0-preview1-17064 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 2.3.2 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 - 2.2.0-preview1-34255 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 + 2.2.0-preview1-34326 3.14.2 2.0.0 2.1.0-rc1 - 2.2.0-preview1-26509-06 + 2.2.0-preview1-26526-03 15.6.1 - 4.6.0-preview1-26508-04 + 4.6.0-preview1-26525-01 4.7.49 2.0.3 1.2.4 - 4.6.0-preview1-26508-04 - 4.6.0-preview1-26508-04 + 4.6.0-preview1-26525-01 + 4.6.0-preview1-26525-01 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 06fc8a13e4..de5df64434 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt 
@@ -1,2 +1,2 @@ -version:2.2.0-preview1-17060 -commithash:25b4b134d6f8f7b461928f0d495cfc695ccabb5b +version:2.2.0-preview1-17064 +commithash:5380a2461b135b261646f31d1c919ab0a7b577a8 From 2ca26773880ecf7495e703769a13758eb9782597 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Tue, 29 May 2018 09:33:14 -0700 Subject: [PATCH 451/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index d51c20e33c..41c434c580 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,30 +3,30 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.0-rtm-15783 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 + 2.1.1-rtm-15790 + 2.1.0 + 2.1.0 + 2.1.0 2.3.2 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 - 2.1.0-rtm-30721 + 2.1.0 + 2.1.0 + 2.1.0 + 2.1.0 + 2.1.0 + 2.1.0 + 2.1.0 + 2.1.0 + 2.1.0 3.14.2 2.0.0 - 2.1.0-rtm-26502-02 + 2.1.0 15.6.1 - 4.5.0-rtm-26502-02 + 4.5.0 4.7.49 2.0.3 1.2.4 - 4.5.0-rtm-26502-02 - 4.5.0-rtm-26502-02 + 4.5.0 + 4.5.0 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 27e94579a9..de0eb84cf3 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.0-rtm-15783 -commithash:5fc2b2f607f542a2ffde11c19825e786fc1a3774 +version:2.1.1-rtm-15790 +commithash:274c65868e735f29f4078c1884c61c4371ee1fc0 From 4303def2ff90c281a455063b36f892400de54dff Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 3 Jun 2018 19:09:42 +0000 Subject: [PATCH 452/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) 
diff --git a/build/dependencies.props b/build/dependencies.props index 2c12d3dfb0..eae699f6b9 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,31 +3,31 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17064 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 + 2.2.0-preview1-17067 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 2.3.2 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 - 2.2.0-preview1-34326 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 + 2.2.0-preview1-34373 3.14.2 2.0.0 - 2.1.0-rc1 - 2.2.0-preview1-26526-03 + 2.1.0 + 2.2.0-preview1-26531-03 15.6.1 - 4.6.0-preview1-26525-01 + 4.6.0-preview1-26531-03 4.7.49 2.0.3 1.2.4 - 4.6.0-preview1-26525-01 - 4.6.0-preview1-26525-01 + 4.6.0-preview1-26531-03 + 4.6.0-preview1-26531-03 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index de5df64434..34bf7eb808 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17064 -commithash:5380a2461b135b261646f31d1c919ab0a7b577a8 +version:2.2.0-preview1-17067 +commithash:2af0e2e3d02329b4f0290061ab9bd8c7ca1aa26f From a3667dab27535efe9815022305fc3f817e4a7780 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 5 Jun 2018 09:11:30 -0700 Subject: [PATCH 453/493] Bumping version from 2.1.0 to 2.1.1 --- version.props | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/version.props b/version.props index c8bf9b67b7..6ecf2553b6 100644 --- a/version.props +++ b/version.props @@ -1,6 +1,6 @@ - + - 2.1.0 + 2.1.1 rtm $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final 
@@ -9,7 +9,7 @@ $(FeatureBranchVersionPrefix)$(VersionSuffix)-$([System.Text.RegularExpressions.Regex]::Replace('$(FeatureBranchVersionSuffix)', '[^\w-]', '-')) $(VersionSuffix)-$(BuildNumber) - 0.4.0 + 0.4.1 rtm $(ExperimentalVersionPrefix) $(ExperimentalVersionPrefix)-$(ExperimentalVersionSuffix)-final From 98925ab99f44fc14ea4eaccb6c3e27999e3ccc1a Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Tue, 5 Jun 2018 22:31:02 -0700 Subject: [PATCH 454/493] Add certificate names for code signing --- Directory.Build.props | 2 ++ korebuild-lock.txt | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Directory.Build.props b/Directory.Build.props index 67065031f3..4ff4dd7472 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -14,6 +14,8 @@ $(MSBuildThisFileDirectory) $(MSBuildThisFileDirectory)build\Key.snk true + Microsoft + MicrosoftNuGet true true diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 34bf7eb808..2dedb9dd4c 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17067 -commithash:2af0e2e3d02329b4f0290061ab9bd8c7ca1aa26f +version:2.2.0-preview1-17075 +commithash:d9f07c7f313a0af1d49f003f5424b4dbbdd3e09f From 57bf1ebd7e70e84a10656e9c8b539e062c8c4664 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Thu, 7 Jun 2018 19:30:29 +0000 Subject: [PATCH 455/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index eae699f6b9..97ee4bb58d 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,31 +3,31 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17067 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 + 2.2.0-preview1-17081 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 2.3.2 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 - 2.2.0-preview1-34373 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 + 2.2.0-preview1-34411 3.14.2 2.0.0 2.1.0 - 2.2.0-preview1-26531-03 + 2.2.0-preview1-26606-01 15.6.1 - 4.6.0-preview1-26531-03 + 4.6.0-preview1-26605-01 4.7.49 2.0.3 1.2.4 - 4.6.0-preview1-26531-03 - 4.6.0-preview1-26531-03 + 4.6.0-preview1-26605-01 + 4.6.0-preview1-26605-01 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 2dedb9dd4c..9592880b2a 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17075 -commithash:d9f07c7f313a0af1d49f003f5424b4dbbdd3e09f +version:2.2.0-preview1-17081 +commithash:73f09c256e2a54270951562ecc0ef4a953926c36 From 72569151a650cc400884972abfdf6b131b59c302 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Thu, 7 Jun 2018 15:43:49 -0700 Subject: [PATCH 456/493] Adding VSTS file --- .vsts-pipelines/builds/ci-internal.yml | 13 +++++++++++++ .vsts-pipelines/builds/ci-public.yml | 15 +++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 .vsts-pipelines/builds/ci-internal.yml create mode 100644 .vsts-pipelines/builds/ci-public.yml diff --git a/.vsts-pipelines/builds/ci-internal.yml b/.vsts-pipelines/builds/ci-internal.yml new file mode 100644 index 0000000000..d7ceb76378 --- /dev/null +++ b/.vsts-pipelines/builds/ci-internal.yml 
@@ -0,0 +1,13 @@ +trigger: +- dev +- release/* + +resources: + repositories: + - repository: buildtools + type: git + name: aspnet-BuildTools + ref: refs/heads/dev + +phases: +- template: .vsts-pipelines/templates/project-ci.yml@buildtools diff --git a/.vsts-pipelines/builds/ci-public.yml b/.vsts-pipelines/builds/ci-public.yml new file mode 100644 index 0000000000..b7f25723f8 --- /dev/null +++ b/.vsts-pipelines/builds/ci-public.yml @@ -0,0 +1,15 @@ +trigger: +- dev +- release/* + +# See https://github.com/aspnet/BuildTools +resources: + repositories: + - repository: buildtools + type: github + endpoint: DotNet-Bot GitHub Connection + name: aspnet/BuildTools + ref: refs/heads/dev + +phases: +- template: .vsts-pipelines/templates/project-ci.yml@buildtools From 3f3bfe05ec4c16b34845acc90ad40883a5aad9c7 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Fri, 8 Jun 2018 12:31:39 -0700 Subject: [PATCH 457/493] Add a test condition for skipping tests when the default keychain is missing for macOS --- .../DataProtectionProviderTests.cs | 28 +++++++++--- .../X509StoreIsAvailableAttribute.cs | 43 +++++++++++++++++++ 2 files changed, 64 insertions(+), 7 deletions(-) create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index 40e470ea58..d20332c1e2 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -115,7 +115,8 @@ namespace Microsoft.AspNetCore.DataProtection }); } - [Fact] + [ConditionalFact] + [X509StoreIsAvailable(StoreName.My, StoreLocation.CurrentUser)] public void System_UsesProvidedDirectoryAndCertificate() { var filePath = Path.Combine(GetTestFilesPath(), "TestCert.pfx"); 
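Review bot: Both ci-internal.yml and ci-public.yml resolve `project-ci.yml@buildtools` from `ref: refs/heads/dev`, a moving branch. The steps that build this repository, including builds started by the `release/*` trigger, therefore change whenever that branch changes, with no corresponding commit here. Pinning the resource to an immutable ref, for example `ref: refs/tags/<buildtools-release-tag>` (placeholder), would make each template update an explicit, reviewable change in this repository.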
@@ -162,12 +163,7 @@ namespace Microsoft.AspNetCore.DataProtection var filePath = Path.Combine(GetTestFilesPath(), "TestCert2.pfx"); var certificate = new X509Certificate2(filePath, "password"); - using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) - { - store.Open(OpenFlags.ReadOnly); - // ensure this cert is not in the x509 store - Assert.Empty(store.Certificates.Find(X509FindType.FindByThumbprint, certificate.Thumbprint, false)); - } + AssetStoreDoesNotContain(certificate); WithUniqueTempDirectory(directory => { @@ -189,6 +185,24 @@ namespace Microsoft.AspNetCore.DataProtection }); } + private static void AssetStoreDoesNotContain(X509Certificate2 certificate) + { + using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) + { + try + { + store.Open(OpenFlags.ReadOnly); + } + catch + { + return; + } + + // ensure this cert is not in the x509 store + Assert.Empty(store.Certificates.Find(X509FindType.FindByThumbprint, certificate.Thumbprint, false)); + } + } + [Fact] public void System_CanUnprotectWithCert() { diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs new file mode 100644 index 0000000000..2181b4c24f --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs 
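Review bot: In the added `AssetStoreDoesNotContain` helper, the bare `catch { return; }` around `store.Open(OpenFlags.ReadOnly)` makes the check pass silently on any exception, so a failure unrelated to a missing keychain also skips the thumbprint assertion. Narrowing it to the exception the store is expected to raise, presumably `catch (CryptographicException) { return; }` (which may need `using System.Security.Cryptography;`), keeps the macOS workaround while letting unexpected errors fail the test. The same bare `catch` appears in `X509StoreIsAvailableAttribute.IsMet`. The helper name also looks like a typo for `AssertStoreDoesNotContain`, at both the definition and the call site.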
@@ -0,0 +1,43 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using System; +using System.Security.Cryptography.X509Certificates; +using Microsoft.AspNetCore.Testing.xunit; + +namespace Microsoft.AspNetCore.DataProtection +{ + [AttributeUsage(AttributeTargets.Method)] + public class X509StoreIsAvailableAttribute : Attribute, ITestCondition + { + public X509StoreIsAvailableAttribute(StoreName name, StoreLocation location) + { + Name = name; + Location = location; + } + + public bool IsMet + { + get + { + try + { + using (var store = new X509Store(Name, Location)) + { + store.Open(OpenFlags.ReadWrite); + return true; + } + } + catch + { + return false; + } + } + } + + public string SkipReason => $"Skipping because the X509Store({Name}/{Location}) is not available on this machine."; + + public StoreName Name { get; } + public StoreLocation Location { get; } + } +} From b40fa1bdfbaefd48064504d5cb993b6e36daf943 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Tue, 12 Jun 2018 19:14:57 +0000 Subject: [PATCH 458/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 41c434c580..718a972be0 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,23 +3,23 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.1.1-rtm-15790 - 2.1.0 - 2.1.0 + 2.1.1-rtm-15793 + 2.1.1 + 2.1.1 2.1.0 2.3.2 - 2.1.0 - 2.1.0 - 2.1.0 - 2.1.0 - 2.1.0 - 2.1.0 - 2.1.0 - 2.1.0 - 2.1.0 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 3.14.2 2.0.0 - 2.1.0 + 2.1.1 15.6.1 4.5.0 4.7.49 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index de0eb84cf3..d2f4947bc8 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt 
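Review bot: `X509StoreIsAvailableAttribute` has no doc comment, and nothing explains why `IsMet` probes the store with `OpenFlags.ReadWrite` rather than read-only access. A class summary such as `/// <summary>Skips the test when the given X509 store cannot be opened for read/write on this machine (for example a macOS account without a default keychain).</summary>` would make the condition self-explanatory. A hedged comment above the `store.Open` call, `// ReadWrite: presumably the guarded tests add a certificate to the store — confirm`, would cover the access mode.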
@@ -1,2 +1,2 @@ -version:2.1.1-rtm-15790 -commithash:274c65868e735f29f4078c1884c61c4371ee1fc0 +version:2.1.1-rtm-15793 +commithash:988313f4b064d6c69fc6f7b845b6384a6af3447a From 3064b60b3455299caa91d70cfe91280aa29c45c4 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Wed, 13 Jun 2018 10:53:43 -0700 Subject: [PATCH 459/493] Set 2.1 baselines --- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 44 ++++++++++++++----- 6 files changed, 37 insertions(+), 17 deletions(-) diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json index 563c54fe42..01daa339ee 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json @@ -1,4 +1,4 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [] } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json index 378802da59..ceddb40cc2 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json 
@@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivation", diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json index 68bea8bca0..eb6e5030fe 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions", diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json index ab0417d009..09e208bfef 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.AzureStorage, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.AzureStorage, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.AzureDataProtectionBuilderExtensions", 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json index ed597ef1dc..5bb3088d07 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionAdvancedExtensions", diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json index e8466d99d1..6c7f96a387 100644 --- a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServiceCollectionExtensions", 
@@ -247,6 +247,26 @@ "Visibility": "Public", "GenericParameter": [] }, + { + "Kind": "Method", + "Name": "UnprotectKeysWithAnyCertificate", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "certificates", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2[]", + "IsParams": true + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, { "Kind": "Method", "Name": "ProtectKeysWithDpapi", @@ -638,17 +658,6 @@ "Microsoft.AspNetCore.DataProtection.ISecret" ], "Members": [ - { - "Kind": "Method", - "Name": "get_Length", - "Parameters": [], - "ReturnType": "System.Int32", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", - "Visibility": "Public", - "GenericParameter": [] - }, { "Kind": "Method", "Name": "Dispose", @@ -660,6 +669,17 @@ "Visibility": "Public", "GenericParameter": [] }, + { + "Kind": "Method", + "Name": "get_Length", + "Parameters": [], + "ReturnType": "System.Int32", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "GenericParameter": [] + }, { "Kind": "Method", "Name": "Random", From 5bed1972fee7e2d8e8d062603c23d45e922bd482 Mon Sep 17 00:00:00 2001 From: Ryan Brandenburg Date: Wed, 13 Jun 2018 10:53:43 -0700 Subject: [PATCH 460/493] Set 2.1 baselines --- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 2 +- .../baseline.netcore.json | 44 ++++++++++++++----- 6 files changed, 37 insertions(+), 17 deletions(-) 
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json index 563c54fe42..01daa339ee 100644 --- a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json @@ -1,4 +1,4 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.Internal, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [] } \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json index 378802da59..ceddb40cc2 100644 --- a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.Cryptography.KeyDerivation, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.Cryptography.KeyDerivation.KeyDerivation", diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json index 68bea8bca0..eb6e5030fe 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json 
@@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Abstractions, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions", diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json index ab0417d009..09e208bfef 100644 --- a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.AzureStorage, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.AzureStorage, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.AzureDataProtectionBuilderExtensions", diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json index ed597ef1dc..5bb3088d07 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Extensions, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.AspNetCore.DataProtection.DataProtectionAdvancedExtensions", 
diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json index e8466d99d1..6c7f96a387 100644 --- a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json +++ b/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json @@ -1,5 +1,5 @@ { - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=2.0.2.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection, Version=2.1.1.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", "Types": [ { "Name": "Microsoft.Extensions.DependencyInjection.DataProtectionServiceCollectionExtensions", @@ -247,6 +247,26 @@ "Visibility": "Public", "GenericParameter": [] }, + { + "Kind": "Method", + "Name": "UnprotectKeysWithAnyCertificate", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "certificates", + "Type": "System.Security.Cryptography.X509Certificates.X509Certificate2[]", + "IsParams": true + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, { "Kind": "Method", "Name": "ProtectKeysWithDpapi", @@ -638,17 +658,6 @@ "Microsoft.AspNetCore.DataProtection.ISecret" ], "Members": [ - { - "Kind": "Method", - "Name": "get_Length", - "Parameters": [], - "ReturnType": "System.Int32", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", - "Visibility": "Public", - "GenericParameter": [] - }, { "Kind": "Method", "Name": "Dispose", 
@@ -660,6 +669,17 @@ "Visibility": "Public", "GenericParameter": [] }, + { + "Kind": "Method", + "Name": "get_Length", + "Parameters": [], + "ReturnType": "System.Int32", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.ISecret", + "Visibility": "Public", + "GenericParameter": [] + }, { "Kind": "Method", "Name": "Random", From 678fe889c34275bf5b4d3769964790f9ec8c6095 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Mon, 25 Jun 2018 11:10:29 -0700 Subject: [PATCH 461/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 97ee4bb58d..2dfd1e361a 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,31 +3,31 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17081 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 + 2.2.0-preview1-17090 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 2.3.2 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 - 2.2.0-preview1-34411 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 + 2.2.0-preview1-34530 3.14.2 2.0.0 2.1.0 - 2.2.0-preview1-26606-01 + 2.2.0-preview1-26618-02 15.6.1 - 4.6.0-preview1-26605-01 + 4.6.0-preview1-26617-01 4.7.49 2.0.3 1.2.4 - 4.6.0-preview1-26605-01 - 4.6.0-preview1-26605-01 + 4.6.0-preview1-26617-01 + 4.6.0-preview1-26617-01 8.1.4 2.3.1 2.4.0-beta.1.build3945 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 9592880b2a..3e694b2ed8 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt 
@@ -1,2 +1,2 @@ -version:2.2.0-preview1-17081 -commithash:73f09c256e2a54270951562ecc0ef4a953926c36 +version:2.2.0-preview1-17090 +commithash:b19e903e946579cd9482089bce7d917e8bacd765 From 7803b6ba25f7fd12828e5a09dbb321af129933b4 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 27 Jun 2018 13:39:44 -0700 Subject: [PATCH 462/493] Bumping version from 2.1.1 to 2.1.2 --- version.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.props b/version.props index 6ecf2553b6..5d8053aaec 100644 --- a/version.props +++ b/version.props @@ -1,6 +1,6 @@  - 2.1.1 + 2.1.2 rtm $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final @@ -9,7 +9,7 @@ $(FeatureBranchVersionPrefix)$(VersionSuffix)-$([System.Text.RegularExpressions.Regex]::Replace('$(FeatureBranchVersionSuffix)', '[^\w-]', '-')) $(VersionSuffix)-$(BuildNumber) - 0.4.1 + 0.4.2 rtm $(ExperimentalVersionPrefix) $(ExperimentalVersionPrefix)-$(ExperimentalVersionSuffix)-final From a5c86afe7d61e90ab7540008e52390fbcf938447 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 28 Jun 2018 16:19:16 -0700 Subject: [PATCH 463/493] Update infrastructure for the 2.2 release --- .vsts-pipelines/builds/ci-internal.yml | 4 ++-- .vsts-pipelines/builds/ci-public.yml | 6 +++--- build/repo.props | 1 + korebuild.json | 4 ++-- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.vsts-pipelines/builds/ci-internal.yml b/.vsts-pipelines/builds/ci-internal.yml index d7ceb76378..dc7b8a3cb9 100644 --- a/.vsts-pipelines/builds/ci-internal.yml +++ b/.vsts-pipelines/builds/ci-internal.yml @@ -1,5 +1,5 @@ trigger: -- dev +- master - release/* resources: @@ -7,7 +7,7 @@ resources: - repository: buildtools type: git name: aspnet-BuildTools - ref: refs/heads/dev + ref: refs/heads/release/2.2 phases: - template: .vsts-pipelines/templates/project-ci.yml@buildtools diff --git a/.vsts-pipelines/builds/ci-public.yml b/.vsts-pipelines/builds/ci-public.yml index b7f25723f8..f5087d9c30 100644 
--- a/.vsts-pipelines/builds/ci-public.yml +++ b/.vsts-pipelines/builds/ci-public.yml @@ -1,5 +1,5 @@ trigger: -- dev +- master - release/* # See https://github.com/aspnet/BuildTools @@ -9,7 +9,7 @@ resources: type: github endpoint: DotNet-Bot GitHub Connection name: aspnet/BuildTools - ref: refs/heads/dev - + ref: refs/heads/release/2.2 + phases: - template: .vsts-pipelines/templates/project-ci.yml@buildtools diff --git a/build/repo.props b/build/repo.props index 17a98ac7e7..f1fe24dd27 100644 --- a/build/repo.props +++ b/build/repo.props @@ -4,6 +4,7 @@ Internal.AspNetCore.Universe.Lineup + 2.2.0-* https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json diff --git a/korebuild.json b/korebuild.json index bd5d51a51b..d217d06e3e 100644 --- a/korebuild.json +++ b/korebuild.json @@ -1,4 +1,4 @@ { - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", - "channel": "dev" + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/release/2.2/tools/korebuild.schema.json", + "channel": "release/2.2" } From 2af13658fcd601f951ed9ff60446b7a5241efbab Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Thu, 5 Jul 2018 11:31:46 -0700 Subject: [PATCH 464/493] Unprotect key material with the local cache of certificates before checking the cert store In some cases, private keys for certificates is not completely available. When attempting to decrypt key material, this can cause 'CryptographicException: Keyset does not exist'. This changes the order in which key material decryption looks up private keys to first key the certificate options provided explicitly to the API, and then falling back to the cert store for decryption keys. --- .vscode/launch.json | 10 +++ .../XmlEncryption/EncryptedXmlDecryptor.cs | 68 +++++++++--------- .../XmlEncryption/XmlKeyDecryptionOptions.cs | 24 +++++-- .../DataProtectionProviderTests.cs | 65 ++++++++++++++--- .../TestFiles/TestCert3.pfx | Bin 0 -> 2429 bytes .../TestFiles/TestCert3WithoutPrivateKey.pfx | Bin 0 -> 1040 bytes .../TestFiles/TestCertWithoutPrivateKey.pfx | Bin 0 -> 968 bytes 7 files changed, 118 insertions(+), 49 deletions(-) create mode 100644 .vscode/launch.json create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx create mode 100644 test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCertWithoutPrivateKey.pfx diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 0000000000..f4fc2e3731 --- /dev/null +++ b/.vscode/launch.json @@ -0,0 +1,10 @@ +{ + "configurations": [ + { + "name": ".NET Core Attach", + "type": "coreclr", + "request": "attach", + "processId": "${command:pickProcess}" + } + ] +} diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs index e020ac7bb0..fee981b2d7 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs 
+++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs @@ -2,7 +2,6 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; -using System.Collections.Generic; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Security.Cryptography.Xml; @@ -63,8 +62,7 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption var elementToDecrypt = (XmlElement)xmlDocument.DocumentElement.FirstChild; // Perform the decryption and update the document in-place. - var decryptionCerts = _options?.KeyDecryptionCertificates; - var encryptedXml = new EncryptedXmlWithCertificateKeys(decryptionCerts, xmlDocument); + var encryptedXml = new EncryptedXmlWithCertificateKeys(_options, xmlDocument); _decryptor.PerformPreDecryptionSetup(encryptedXml); encryptedXml.DecryptDocument(); 
@@ -83,48 +81,40 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// private class EncryptedXmlWithCertificateKeys : EncryptedXml { - private readonly IReadOnlyDictionary _certificates; + private readonly XmlKeyDecryptionOptions _options; - public EncryptedXmlWithCertificateKeys(IReadOnlyDictionary certificates, XmlDocument document) + public EncryptedXmlWithCertificateKeys(XmlKeyDecryptionOptions options, XmlDocument document) : base(document) { - _certificates = certificates; + _options = options; } public override byte[] DecryptEncryptedKey(EncryptedKey encryptedKey) { - byte[] key = base.DecryptEncryptedKey(encryptedKey); - if (key != null) + if (_options != null && _options.KeyDecryptionCertificateCount > 0) { - return key; - } - - if (_certificates == null || _certificates.Count == 0) - { - return null; - } - - var keyInfoEnum = encryptedKey.KeyInfo?.GetEnumerator(); - if (keyInfoEnum == null) - { - return null; - } - - while (keyInfoEnum.MoveNext()) - { - if (!(keyInfoEnum.Current is KeyInfoX509Data kiX509Data)) + var keyInfoEnum = encryptedKey.KeyInfo?.GetEnumerator(); + if (keyInfoEnum == null) { - continue; + return null; } - key = GetKeyFromCert(encryptedKey, kiX509Data); - if (key != null) + while (keyInfoEnum.MoveNext()) { - return key; + if (!(keyInfoEnum.Current is KeyInfoX509Data kiX509Data)) + { + continue; + } + + byte[] key = GetKeyFromCert(encryptedKey, kiX509Data); + if (key != null) + { + return key; + } } } - return null; + return base.DecryptEncryptedKey(encryptedKey); } private byte[] GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo) 
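Review bot: In `DecryptEncryptedKey`, the `return null;` taken when `encryptedKey.KeyInfo?.GetEnumerator()` yields null leaves the method without reaching the `base.DecryptEncryptedKey(encryptedKey)` fallback that every other path ends in. The commit describes the order as explicit certificates first and the certificate store second, so this exit is an exception to that rule; the base implementation probably also returns nothing for a key without KeyInfo, but the override should not rely on that. I would change the early return to `return base.DecryptEncryptedKey(encryptedKey);`, or guard the loop with `if (keyInfoEnum != null)`. A comment above the `if (_options != null && ...)` block, such as `// Explicitly supplied certificates are tried first; the cert store is the fallback.`, would record why the order matters.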
@@ -142,17 +132,25 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption continue; } - if (!_certificates.TryGetValue(certInfo.Thumbprint, out var certificate)) + if (!_options.TryGetKeyDecryptionCertificates(certInfo, out var keyDecryptionCerts)) { continue; } - using (RSA privateKey = certificate.GetRSAPrivateKey()) + foreach (var keyDecryptionCert in keyDecryptionCerts) { - if (privateKey != null) + if (!keyDecryptionCert.HasPrivateKey) { - var useOAEP = encryptedKey.EncryptionMethod?.KeyAlgorithm == XmlEncRSAOAEPUrl; - return DecryptKey(encryptedKey.CipherData.CipherValue, privateKey, useOAEP); + continue; + } + + using (RSA privateKey = keyDecryptionCert.GetRSAPrivateKey()) + { + if (privateKey != null) + { + var useOAEP = encryptedKey.EncryptionMethod?.KeyAlgorithm == XmlEncRSAOAEPUrl; + return DecryptKey(encryptedKey.CipherData.CipherValue, privateKey, useOAEP); + } } } } diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs index 01999c224d..7da598816f 100644 --- a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs +++ b/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs 
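Review bot: In the `foreach (var keyDecryptionCert in keyDecryptionCerts)` loop of `GetKeyFromCert`, an exception thrown by `keyDecryptionCert.GetRSAPrivateKey()` or `DecryptKey(...)` for one certificate escapes the loop, so the remaining certificates registered under the same thumbprint and the store fallback in `DecryptEncryptedKey` are never tried. `HasPrivateKey` only filters out certificates that declare no key; the "Keyset does not exist" case named in the commit message may still surface here as a `CryptographicException` for a certificate that reports a key it cannot open. Consider wrapping the `using` block in `try { ... } catch (CryptographicException) { continue; }` and recording the failure somewhere the operator can see it, so that one unusable explicit certificate degrades to the next candidate instead of failing key decryption outright. The function starts before this hunk, so the enclosing loop is only partly visible.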
@@ -12,16 +12,28 @@ namespace Microsoft.AspNetCore.DataProtection.XmlEncryption /// internal class XmlKeyDecryptionOptions { - private readonly Dictionary _certs = new Dictionary(StringComparer.Ordinal); + private readonly Dictionary> _certs = new Dictionary>(StringComparer.Ordinal); - /// - /// A mapping of key thumbprint to the X509Certificate2 - /// - public IReadOnlyDictionary KeyDecryptionCertificates => _certs; + public int KeyDecryptionCertificateCount => _certs.Count; + + public bool TryGetKeyDecryptionCertificates(X509Certificate2 certInfo, out IReadOnlyList keyDecryptionCerts) + { + var key = GetKey(certInfo); + var retVal = _certs.TryGetValue(key, out var keyDecryptionCertsRetVal); + keyDecryptionCerts = keyDecryptionCertsRetVal; + return retVal; + } public void AddKeyDecryptionCertificate(X509Certificate2 certificate) { - _certs[certificate.Thumbprint] = certificate; + var key = GetKey(certificate); + if (!_certs.TryGetValue(key, out var certificates)) + { + certificates = _certs[key] = new List(); + } + certificates.Add(certificate); } + + private string GetKey(X509Certificate2 cert) => cert.Thumbprint; } } diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs index d20332c1e2..a66ebec2e8 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs @@ -3,7 +3,6 @@ using System; using System.IO; -using System.Reflection; using System.Runtime.InteropServices; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; 
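Review bot: In the `XmlKeyDecryptionOptions` hunk, `KeyDecryptionCertificateCount` returns `_certs.Count`, which is the number of distinct thumbprints and not the number of certificates added, because each entry now holds a list. The visible caller only tests `> 0`, so behaviour is unaffected, but the name and the removed doc comment invite misuse; add `/// Number of distinct thumbprints with at least one decryption certificate registered.` and a summary on `TryGetKeyDecryptionCertificates` stating that the lookup uses the thumbprint of `certInfo`. `AddKeyDecryptionCertificate` also dereferences `certificate` through `GetKey` without a null check, so a null element fails with a `NullReferenceException`; `if (certificate == null) throw new ArgumentNullException(nameof(certificate));` gives a clearer failure, unless the public builder method already validates its array (not visible here).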
@@ -13,7 +12,6 @@ using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.AspNetCore.DataProtection.Test.Shared; using Microsoft.AspNetCore.Testing.xunit; using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; using Moq; @@ -120,10 +118,12 @@ namespace Microsoft.AspNetCore.DataProtection public void System_UsesProvidedDirectoryAndCertificate() { var filePath = Path.Combine(GetTestFilesPath(), "TestCert.pfx"); - var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); - store.Open(OpenFlags.ReadWrite); - store.Add(new X509Certificate2(filePath, "password", X509KeyStorageFlags.Exportable)); - store.Close(); + using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) + { + store.Open(OpenFlags.ReadWrite); + store.Add(new X509Certificate2(filePath, "password", X509KeyStorageFlags.Exportable)); + store.Close(); + } WithUniqueTempDirectory(directory => { @@ -139,7 +139,12 @@ namespace Microsoft.AspNetCore.DataProtection // Step 2: instantiate the system and round-trip a payload var protector = DataProtectionProvider.Create(directory, certificate).CreateProtector("purpose"); - Assert.Equal("payload", protector.Unprotect(protector.Protect("payload"))); + var data = protector.Protect("payload"); + + // add a cert without the private key to ensure the decryption will still fallback to the cert store + var certWithoutKey = new X509Certificate2(Path.Combine(GetTestFilesPath(), "TestCertWithoutPrivateKey.pfx"), "password"); + var unprotector = DataProtectionProvider.Create(directory, o => o.UnprotectKeysWithAnyCertificate(certWithoutKey)).CreateProtector("purpose"); + Assert.Equal("payload", unprotector.Unprotect(data)); // Step 3: validate that there's now a single key in the directory and that it's is protected using the certificate var allFiles = directory.GetFiles(); 
@@ -157,6 +162,50 @@ namespace Microsoft.AspNetCore.DataProtection }); } + [ConditionalFact] + [X509StoreIsAvailable(StoreName.My, StoreLocation.CurrentUser)] + public void System_UsesProvidedCertificateNotFromStore() + { + using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) + { + store.Open(OpenFlags.ReadWrite); + var certWithoutKey = new X509Certificate2(Path.Combine(GetTestFilesPath(), "TestCert3WithoutPrivateKey.pfx"), "password3", X509KeyStorageFlags.Exportable); + Assert.False(certWithoutKey.HasPrivateKey, "Cert should not have private key"); + store.Add(certWithoutKey); + store.Close(); + } + + WithUniqueTempDirectory(directory => + { + using (var certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser)) + { + certificateStore.Open(OpenFlags.ReadWrite); + var certInStore = certificateStore.Certificates.Find(X509FindType.FindBySubjectName, "TestCert", false)[0]; + Assert.NotNull(certInStore); + Assert.False(certInStore.HasPrivateKey); + + try + { + var certWithKey = new X509Certificate2(Path.Combine(GetTestFilesPath(), "TestCert3.pfx"), "password3"); + + var protector = DataProtectionProvider.Create(directory, certWithKey).CreateProtector("purpose"); + var data = protector.Protect("payload"); + + var keylessUnprotector = DataProtectionProvider.Create(directory).CreateProtector("purpose"); + Assert.Throws(() => keylessUnprotector.Unprotect(data)); + + var unprotector = DataProtectionProvider.Create(directory, o => o.UnprotectKeysWithAnyCertificate(certInStore, certWithKey)).CreateProtector("purpose"); + Assert.Equal("payload", unprotector.Unprotect(data)); + } + finally + { + certificateStore.Remove(certInStore); + certificateStore.Close(); + } + } + }); + } + [Fact] public void System_UsesInMemoryCertificate() { 
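Review bot: In `System_UsesProvidedCertificateNotFromStore`, the certificate is fetched back with `Find(X509FindType.FindBySubjectName, "TestCert", false)[0]`, a substring match on the subject that can return a different certificate when another test certificate is present in `CurrentUser\My`; the other test in this file adds `TestCert.pfx` to the same store, and its subject presumably matches too. In that case the `finally` block removes the wrong entry and the certificate added at the top of the test stays in the developer's personal store. Keep the thumbprint of the certificate loaded from `TestCert3WithoutPrivateKey.pfx` and look it up with `X509FindType.FindByThumbprint`, and move the `store.Add` under the `try` so the `finally` always cleans it up. `Assert.NotNull(certInStore)` cannot fail after the `[0]` indexer; `Assert.Single` on the find result states the intent.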
@@ -242,7 +291,7 @@ namespace Microsoft.AspNetCore.DataProtection /// private static void WithUniqueTempDirectory(Action testCode) { - string uniqueTempPath = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString()); + string uniqueTempPath = Path.Combine(AppContext.BaseDirectory, Path.GetRandomFileName()); var dirInfo = new DirectoryInfo(uniqueTempPath); try { 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx new file mode 100644 index 0000000000000000000000000000000000000000..364251ba09d52ea927529d4f68f72a2553837e4e GIT binary patch literal 2429 zcmV-@34-=8f(dy70Ru3C2|or2Duzgg_YDCD0ic2jFa&}LEHHuzC@_Kp-v$XPhDe6@ z4FLxRpn?O?FoFZj0s#Opf&;|{2`Yw2hW8Bt2LUh~1_~;MNQU<@de?&A}mBRReUK4ay3K^70K3~=DIZp(2~?WxCqWH zBF=MQEiEyJmp22`2;kO~)0ZgqoY%{8f6>x1WvsgJi%sv}1%;FmjLT)}Iz7;BYW8&W zrYNIvYXSYWeC@x1E@JkE8n^r(YpMvj?BqujtU%J)uN*-V;}|)lkZt|z3~w|$a!Bt8 zvxvBT`0O#O(0B-x4oNgVWbFuao1XwMtOJFtW1B6nj1xTdH&(Z3NE>m&L9BM>h=rcH z4h6X;Trc}1gqq4heR_k~HH1nx;XBqxr09ngLg8@+w#Z`^*%cR^8hvFO#?}UDoGs&0 z1hrzrls8VxMBsT|t3Kq=Ra-?xxNX((!?hAHr4iI6v1jZ$k7Q*9-3kUM2r3w!c!S=? zDM&I!IH>(Ks1&viqm(CViF*3}<{b_0L?1jT1RKr6O-(iGG-;I%Kx>sKnp4n`_}dH( zxs`nb#SzK|bH)caehl7BemJ6*HJ4?;*fk`iI4fQL8$DmM9kjE!rA(^FzyCHX=U`cJ zlWY0y6m@xMlQ7UPK#-5IKD{04hEm=Bi%cTd%ku#gf4`Gi068?8X(`|rDxjGdiXqu2 z(+sI?dq}wh)5Tm4ET8eSVjVnhKH^#mAVJNuIDc>9(A;$TK>$XtoY5lxSUQsFpU>ZW zd*3`t@^R&I2GrZX%Z|XA3moK_qor2ojh8!1uPI?$IW|4bx#8WbLfL&m@4*+&ZvFjk z`PziR0dDFx=7kg_jRJh|3=_F9I3><`5%6BU!iE_n zFp(WH`q{(Vn49~)lqE3(7(UgrHfsIuKEVAdIRQ1GW#Db!LmEE3{W^oewY+kiWCgfD zt)2?dT-9Hf#_o=elr!i23?^JW#j-4)Ac#pC;FoFd^ z1_>&LNQU@!suzZD2uetj~f4YvN=S2`Qro*-galV3-Aj zp3$Or`8i>Xx|tV1o2X%a`epELx&$F{ia+Icrbk5y{@Y2q9%Fo#{8HY1OO-u2;FOeZ z$7yHc*Gs?r&dMu;pqHdTKhyMKv@c@Ws5Li}mU!3Q_Ls)i@o`v{sVmbF>@CSIbJr{A zOfFnV`>KeQTl`vM40fm2?>;`&!I{!CDX$3-7@~j3PY2Gs+-A$x@}e6<3d`0itb#b7 z5ADOd=Q%#STsZ0_u}KyHtP&{ks4PEfe;)Q*jX68HH2|m#X!fY@QpQMSIz2V`dk>jD zc~~1bJ3S0~+jzjBCb~Tpqfk(8=Ym$RJXqm)Ov=u`#_L?!pdHRov?=hDg_>x&# zr9z=@K)B~0p6gMD;Fwr{b-O;bEzT~d7X{H>fE({WLSUM(F+p)v!>Gp@X!DX3?#s_S zo_lARq!a*m4M0vx{gsr;Y+pv*;(NQZn#z7@XM#k3$)O z{DlFjX`)dlHKC0j9JL0eC&<{i%>5Jms*eZbTMe%^M4wR#Oj=^|V^y|J6Z0j{@sdfx zY=i64MbVC*rFb;vPX~ib%o)QSdmK_WyfjFHCXzWJ#yvU$M>D;+VZcJzD6FKhsrxf%n1*Nd~)_e;RCqvCg)uM 
zn+WN;y2Lt};`c%&Gi3`J8LBbWrg-gIO7A(#fv9vE@Y5;ctAylS988|;g&swD-QhRR z7V&yrlQN@|9+s{gkD^rDOXGxu?CT0c($nEnS-m`gI6U$1HahGb?IIv(eK!YoVBN5C zT%&8=YuhJ>gYJn>Y^gxnkoW}fFhe_XLprWO1g)fP7U?eD!CC_zd>c><2S>V%0{Kr&7u( zD+Oqz{!9IhupEwZVxFfQ4J^UsSYTEkpN;v5Y>i286(cB-zo^HUaPyhsu(Mxd9zGh= zL8e|wfBT>nki`9d<5u#F0VEa-@0-TYCudi1VxC)d$VQl0Y{{X3JqWiY-md$qg#5n! z10dZ?gIwim226<8kpq>0xm!_xvEBp-YzCsze2}F@0s;sCiUVtk literal 0 HcmV?d00001 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx b/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx new file mode 100644 index 0000000000000000000000000000000000000000..9776e9006d7edb14c0028c2327a4c3fe84580b0a GIT binary patch literal 1040 zcmV+r1n>JWf&>f#0Ru3C1JVWwDuzgg_YDCD0ic2d!vul@zc7LWyD)+Sw+0C+hDe6@ z4FLxRpn?OaFoFZ50s#Opf&-lf2`Yw2hW8Bt2LUh~1_~;MNQUX&|#mJ(eRet7OylA62aMH^7^9l!3u$nRoYoG%g3`FR7^+FUoNxk zJ^?6t?sVe~hu~@2JNl@R{)@DW-BEk19C#~eAr&J!Ftpd96${sr{BTLWJ}m~GkRWUq zoKPU(o{^8|%WpR1|Qb;%9g$G_NM3u)Kb9%sLkuGh_td8zeuXO zX6JkKXXTO5PyPuIu8k-i`#7!zW0$r$^!W+4w3jTbqT)#4r);P8i@53<+}d*gdw{JV z)=Xi^Ah;rt%z<@CM_1aU+>zXaqf^@P}?>x~C`mBwrtXEzRe>Ye&X4S}(#_`+{s z?<*5904^MyPzxdzcwdw=k#!W1z_PCG1)|=eYzAS#MvPoBVUmq*Bo?RPe>SO&z5eZ) zE_EIMp?SuN#Z`Si*qpRuh$Al;=wLRVogPhiWOoT$d7CCS5!yLk2SFv<6M8SOUEGA^ z+zVWg)SqR1f{O-7>wmOC^`bwxOTq$`h+^551b z`K^_WT-kA;;^YDmQ;&nb1#U~Lj?4xHB?0u0%LjquG2PAq;5PR{7!$hG3P^cR4EmS9 zyn6@|XpmULlB|7}iY%PvVA@vymJ`72iva!EioBBM8+di(Z>*VezdRUfhjRix6go(mW3=%jR7 z5apMV!g<+NSex6JxX`4XekrLw738PO^)HeMZ@%F^k`dRkMsWnwl1B52d&f9EV7FSE z>?%h+$+#wiOT66M&_Dh1GlA?MY-FMlbLIy?`+r%+>YhU)jY(|s%lwnhh0J@MWd^s0 z{`4+|hK79yd}87N0t}3b_wl>-Q|&!%Tra#(0kM-tS&UmapI8|6pO`Vnz$1hM<5(9=CwPx5KjWTk;O#r{leMdJ}PKMPaNuyAzH?wdYY(cXA}K!5IFD8O0TTSdQO3e#qnQ$jh~F zOy#>PLfh6`78i|*Z^;aN6qZ&9=6P5>g}uB6W$C)Z6SpH8DFdt@szD)n_Eo%qt%z`?WzFb>s%2~HpAn#9F3u1Ol(2O z0!a=3MDXBt(w7MZCR?kw?W%(sgVXsd?VAKX!wBoKL(u_LQEL_^6jn4>8<0&1Yo-g8pW`Lx!x8hYK?uA+0 zxOX~TJ=)@_f5@5>@@s?F7hkHJDpOqHHbs}PP&G1V<)H}S#wAO1yjp;q3c^$s0)wR0sp>A1Wg#qdyvsIb}9fNZf*C3aj;C?^$L zu8p+5orz>6c}>0i)pW}SKPk1;lg9!HoO6z*OWFV_5-W}CD4y|RFflM8FbM_)D-Ht! q8U+9Z6p}U?mQ(+72&RT0XI&*yC)8o$Hv|Z%W(LKg5515A0tf)#K)Xc% literal 0 HcmV?d00001 From 2228213708c289139d0ac015e3a3dcaec41ae79d Mon Sep 17 00:00:00 2001 
From: "ASP.NET CI" Date: Sun, 8 Jul 2018 12:09:15 -0700 Subject: [PATCH 465/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 2dfd1e361a..8fe166b873 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,34 +3,34 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17090 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 + 2.2.0-preview1-17099 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 2.3.2 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 - 2.2.0-preview1-34530 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 + 2.2.0-preview1-34640 3.14.2 - 2.0.0 - 2.1.0 + 2.0.7 + 2.1.1 2.2.0-preview1-26618-02 15.6.1 4.6.0-preview1-26617-01 4.7.49 2.0.3 - 1.2.4 + 1.2.6 4.6.0-preview1-26617-01 4.6.0-preview1-26617-01 8.1.4 2.3.1 - 2.4.0-beta.1.build3945 + 2.4.0-rc.1.build4038 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 3e694b2ed8..8b9d17825f 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17090 -commithash:b19e903e946579cd9482089bce7d917e8bacd765 +version:2.2.0-preview1-17099 +commithash:263ed1db9866b6b419b1f5d5189a712aa218acb3 From 91d97c7f1415e7e409538cdba35d73643cb02f05 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Wed, 11 Jul 2018 15:06:27 -0700 Subject: [PATCH 466/493] Reverting version from 2.1.2 back to 2.1.1 As a result of changing the way we apply servicing updates to aspnet core, this repo did not need the version bump because there are no planned product changes in this repo. --- version.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.props b/version.props index 5d8053aaec..6ecf2553b6 100644 --- a/version.props +++ b/version.props @@ -1,6 +1,6 @@  - 2.1.2 + 2.1.1 rtm $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final @@ -9,7 +9,7 @@ $(FeatureBranchVersionPrefix)$(VersionSuffix)-$([System.Text.RegularExpressions.Regex]::Replace('$(FeatureBranchVersionSuffix)', '[^\w-]', '-')) $(VersionSuffix)-$(BuildNumber) - 0.4.2 + 0.4.1 rtm $(ExperimentalVersionPrefix) $(ExperimentalVersionPrefix)-$(ExperimentalVersionSuffix)-final From 44973b77df6fa9d657c23a78a0923612c49ad395 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Wed, 11 Jul 2018 18:48:04 -0700 Subject: [PATCH 467/493] Updating dependencies to 2.1.2 and adding a section for pinned variable versions --- build/dependencies.props | 13 ++++++++++--- korebuild-lock.txt | 4 ++-- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 718a972be0..1151687f3f 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -2,8 +2,10 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - - 2.1.1-rtm-15793 + + + + 2.1.3-rtm-15802 2.1.1 2.1.1 2.1.0 @@ -19,7 +21,7 @@ 2.1.1 3.14.2 2.0.0 - 2.1.1 + 2.1.2 15.6.1 4.5.0 4.7.49 @@ -31,5 +33,10 @@ 2.3.1 2.4.0-beta.1.build3945 + + + + + diff --git a/korebuild-lock.txt b/korebuild-lock.txt index d2f4947bc8..1dfc352a0a 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.1.1-rtm-15793 -commithash:988313f4b064d6c69fc6f7b845b6384a6af3447a +version:2.1.3-rtm-15802 +commithash:a7c08b45b440a7d2058a0aa1eaa3eb6ba811976a 
From b62bb5778be59cbde9b2e6bbdef20f40eef42355 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Thu, 12 Jul 2018 11:51:46 -0700 Subject: [PATCH 468/493] Pin version variables to the ASP.NET Core 2.1.2 baseline This reverts our previous policy of cascading versions on all servicing updates. This moves variables into the 'pinned' section, and points them to the latest stable release (versions that were used at the time of the 2.1.2 release). --- build/dependencies.props | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 1151687f3f..85e623d5d6 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -4,21 +4,9 @@ - + 2.1.3-rtm-15802 - 2.1.1 - 2.1.1 - 2.1.0 2.3.2 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 3.14.2 2.0.0 2.1.2 @@ -38,5 +26,18 @@ - - + + 2.1.1 + 2.1.1 + 2.1.0 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + + \ No newline at end of file From b53c1d58b285336db49f0f02e67aa8b363600591 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 15 Jul 2018 12:09:10 -0700 Subject: [PATCH 469/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 8fe166b873..6765e0928b 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -4,30 +4,30 @@ 2.2.0-preview1-17099 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 2.3.2 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 - 2.2.0-preview1-34640 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 + 2.2.0-preview1-34694 3.14.2 - 2.0.7 - 2.1.1 + 2.0.9 + 2.1.2 2.2.0-preview1-26618-02 15.6.1 - 4.6.0-preview1-26617-01 + 4.5.0 4.7.49 2.0.3 1.2.6 - 4.6.0-preview1-26617-01 - 4.6.0-preview1-26617-01 + 4.5.0 + 4.5.0 8.1.4 2.3.1 2.4.0-rc.1.build4038 From 50b30c33968df874ae2317d889dc34372fe07780 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 22 Jul 2018 12:08:50 -0700 Subject: [PATCH 470/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 6765e0928b..1dac51c515 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -4,19 +4,19 @@ 2.2.0-preview1-17099 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 2.3.2 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 - 2.2.0-preview1-34694 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 + 2.2.0-preview1-34755 3.14.2 2.0.9 2.1.2 From 2b486a004954ec172fdd614506b3dae677cadb57 Mon Sep 17 00:00:00 2001 
From: "ASP.NET CI" Date: Sun, 29 Jul 2018 12:08:43 -0700 Subject: [PATCH 471/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 29 +++++++++++++++-------------- korebuild-lock.txt | 4 ++-- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 1dac51c515..cf8d747d54 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17099 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 + 2.2.0-preview1-17102 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 2.3.2 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 - 2.2.0-preview1-34755 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 + 2.2.0-preview1-34823 3.14.2 2.0.9 2.1.2 @@ -30,7 +30,8 @@ 4.5.0 8.1.4 2.3.1 - 2.4.0-rc.1.build4038 + 2.4.0 + diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 8b9d17825f..28cd6a5b03 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17099 -commithash:263ed1db9866b6b419b1f5d5189a712aa218acb3 +version:2.2.0-preview1-17102 +commithash:e7e2b5a97ca92cfc6acc4def534cb0901a6d1eb9 From d5b68286bc09aa0f2c3ab8a1ce14b3204bd3df17 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 5 Aug 2018 19:10:13 +0000 Subject: [PATCH 472/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 26 +++++++++++++------------- korebuild-lock.txt | 4 ++-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index cf8d747d54..add3596b38 100644 
--- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,20 +3,20 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-17102 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 + 2.2.0-preview1-20180731.1 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 2.3.2 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 - 2.2.0-preview1-34823 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 + 2.2.0-preview1-34882 3.14.2 2.0.9 2.1.2 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 28cd6a5b03..b6efc7cfcb 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-17102 -commithash:e7e2b5a97ca92cfc6acc4def534cb0901a6d1eb9 +version:2.2.0-preview1-20180731.1 +commithash:29fde58465439f4bb9df40830635ed758e063daf From 241155946f60d15e731f0a6965a95140c0d70f92 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Mon, 6 Aug 2018 20:32:30 +0000 Subject: [PATCH 473/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index add3596b38..c09050bb04 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -4,19 +4,19 @@ 2.2.0-preview1-20180731.1 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 2.3.2 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 - 2.2.0-preview1-34882 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 + 2.2.0-preview1-34896 3.14.2 2.0.9 2.1.2 From 9534c0814238b2bbe7d11c7c0e246a90ef05c267 Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Fri, 10 Aug 2018 09:13:02 -0700 Subject: [PATCH 474/493] Change versioning of Microsoft.AspNetCore.DataProtection.Redis to 2.2 (#320) --- ...oft.AspNetCore.DataProtection.Redis.csproj | 7 +- .../baseline.netcore.json | 140 ++++++++++++++++++ version.props | 6 - 3 files changed, 141 insertions(+), 12 deletions(-) create mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj index 3cad440e37..cab777d5f8 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj @@ -1,16 +1,11 @@  - Redis storage support as key store. - $(ExperimentalVersionPrefix) - $(ExperimentalVersionSuffix) - false - $(ExperimentalPackageVersion) + Support for storing data protection keys in Redis. netstandard2.0 true true aspnetcore;dataprotection;redis - false 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json new file mode 100644 index 0000000000..3a7f2aba07 --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json 
@@ -0,0 +1,140 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Redis, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.RedisDataProtectionBuilderExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "PersistKeysToRedis", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "databaseFactory", + "Type": "System.Func" + }, + { + "Name": "key", + "Type": "StackExchange.Redis.RedisKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToRedis", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "connectionMultiplexer", + "Type": "StackExchange.Redis.IConnectionMultiplexer" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "PersistKeysToRedis", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + }, + { + "Name": "connectionMultiplexer", + "Type": "StackExchange.Redis.IConnectionMultiplexer" + }, + { + "Name": "key", + "Type": "StackExchange.Redis.RedisKey" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.RedisXmlRepository", + "Visibility": "Public", + "Kind": 
"Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + ], + "Members": [ + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "databaseFactory", + "Type": "System.Func" + }, + { + "Name": "key", + "Type": "StackExchange.Redis.RedisKey" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/version.props b/version.props index 8e872d018e..44985cedb3 100644 --- a/version.props +++ b/version.props @@ -8,11 +8,5 @@ a- $(FeatureBranchVersionPrefix)$(VersionSuffix)-$([System.Text.RegularExpressions.Regex]::Replace('$(FeatureBranchVersionSuffix)', '[^\w-]', '-')) $(VersionSuffix)-$(BuildNumber) - - 0.5.0 - preview1 - $(ExperimentalVersionPrefix) - $(ExperimentalVersionPrefix)-$(ExperimentalVersionSuffix)-final - $(ExperimentalVersionSuffix)-$(BuildNumber) From e0235b1e2102a9bf700c8f40fc01884acec427ef Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Fri, 10 Aug 2018 15:20:09 -0700 Subject: [PATCH 475/493] Fix aspnet/Home#3379 - add a functional test for Redis storage provider to ensure keys round-trip (#321) --- .vsts-pipelines/builds/ci-internal.yml | 13 ----- .vsts-pipelines/builds/ci-public.yml | 16 ++++++ build/dependencies.props | 1 + .../DataProtectionRedisTests.cs | 51 +++++++++++++++++++ ...spNetCore.DataProtection.Redis.Test.csproj | 8 +++ .../TestRedisServer.cs | 28 ++++++++++ .../TestRedisServerIsAvailableAttribute.cs | 15 ++++++ .../testconfig.json | 10 ++++ 8 files changed, 129 insertions(+), 13 deletions(-) delete mode 100644 .vsts-pipelines/builds/ci-internal.yml create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServer.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServerIsAvailableAttribute.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.Redis.Test/testconfig.json diff --git a/.vsts-pipelines/builds/ci-internal.yml b/.vsts-pipelines/builds/ci-internal.yml deleted file mode 100644 index dc7b8a3cb9..0000000000 --- a/.vsts-pipelines/builds/ci-internal.yml +++ /dev/null @@ -1,13 +0,0 @@ -trigger: -- master -- release/* - -resources: - repositories: - - repository: buildtools - type: git - name: aspnet-BuildTools - ref: refs/heads/release/2.2 - -phases: -- template: .vsts-pipelines/templates/project-ci.yml@buildtools diff --git a/.vsts-pipelines/builds/ci-public.yml b/.vsts-pipelines/builds/ci-public.yml index f5087d9c30..554cc2be4c 100644 --- a/.vsts-pipelines/builds/ci-public.yml +++ b/.vsts-pipelines/builds/ci-public.yml 
@@ -13,3 +13,19 @@ resources: phases: - template: .vsts-pipelines/templates/project-ci.yml@buildtools +- template: .vsts-pipelines/templates/phases/default-build.yml@buildtools + parameters: + phaseName: Linux_RedisTests + queueName: DotNetCore-Docker + agentOs: Linux + demands: + - docker + variables: + Test__Redis__Server: localhost:6379,127.0.0.1:6379 + beforeBuild: + - script: docker run --rm -d --name test-redis-server -p 6379:6379 redis + displayName: Start Redis in Docker + afterBuild: + - script: docker stop test-redis-server + displayName: Stop Redis in Docker + condition: always() diff --git a/build/dependencies.props b/build/dependencies.props index c09050bb04..b2bb6f5bcc 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -8,6 +8,7 @@ 2.2.0-preview1-34896 2.2.0-preview1-34896 2.3.2 + 2.2.0-preview1-34896 2.2.0-preview1-34896 2.2.0-preview1-34896 2.2.0-preview1-34896 diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs index 9e010090f8..c6bdad14cb 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs 
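Review bot: The `docker run --rm -d --name test-redis-server -p 6379:6379 redis` step in the new Linux_RedisTests phase of ci-public.yml pulls an untagged image and publishes the port on every interface of the build agent, and the Redis instance has no authentication. Pinning the image and binding to loopback keeps the test server reproducible and unreachable from the network, e.g. `docker run --rm -d --name test-redis-server -p 127.0.0.1:6379:6379 redis:<pinned-tag-or-digest>`. The `Test__Redis__Server: localhost:6379,127.0.0.1:6379` value keeps working with that binding. The comment added to testconfig.json later in this commit suggests the same unpinned command and would benefit from the same change.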
@@ -1,17 +1,29 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. +using System; using System.Linq; +using System.Threading.Tasks; using System.Xml; using System.Xml.Linq; +using Microsoft.AspNetCore.Testing; +using Microsoft.AspNetCore.Testing.xunit; using Moq; using StackExchange.Redis; using Xunit; +using Xunit.Abstractions; namespace Microsoft.AspNetCore.DataProtection { public class DataProtectionRedisTests { + private readonly ITestOutputHelper _output; + + public DataProtectionRedisTests(ITestOutputHelper output) + { + _output = output; + } + [Fact] public void GetAllElements_ReturnsAllXmlValuesForGivenKey() { @@ -55,5 +67,44 @@ namespace Microsoft.AspNetCore.DataProtection database.Verify(); } + + [ConditionalFact] + [TestRedisServerIsAvailable] + public async Task XmlRoundTripsToActualRedisServer() + { + var connStr = TestRedisServer.GetConnectionString(); + + _output.WriteLine("Attempting to connect to " + connStr); + + var guid = Guid.NewGuid().ToString(); + RedisKey key = "Test:DP:Key" + guid; + + try + { + using (var redis = await ConnectionMultiplexer.ConnectAsync(connStr).TimeoutAfter(TimeSpan.FromMinutes(1))) + { + var repo = new RedisXmlRepository(() => redis.GetDatabase(), key); + var element = new XElement("HelloRedis", guid); + repo.StoreElement(element, guid); + } + + using (var redis = await ConnectionMultiplexer.ConnectAsync(connStr).TimeoutAfter(TimeSpan.FromMinutes(1))) + { + var repo = new RedisXmlRepository(() => redis.GetDatabase(), key); + var elements = repo.GetAllElements(); + + Assert.Contains(elements, e => e.Name == "HelloRedis" && e.Value == guid); + } + } + finally + { + // cleanup + using (var redis = await ConnectionMultiplexer.ConnectAsync(connStr).TimeoutAfter(TimeSpan.FromMinutes(1))) + { + await redis.GetDatabase().KeyDeleteAsync(key); + } + } + + } } } 
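Review bot: In `XmlRoundTripsToActualRedisServer`, `_output.WriteLine("Attempting to connect to " + connStr);` writes the whole connection string to the test log. A StackExchange.Redis connection string can carry a `password=` option, so pointing the test at an authenticated server would put the credential into build output. Logging only the endpoints avoids that, for example `_output.WriteLine("Attempting to connect to " + string.Join(",", ConfigurationOptions.Parse(connStr).EndPoints));`. As a style point, the three `ConnectionMultiplexer.ConnectAsync(connStr).TimeoutAfter(TimeSpan.FromMinutes(1))` calls could share one local helper so the timeout is stated once.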
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj index d359ab936e..5b2296721e 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj @@ -8,12 +8,20 @@ + + + PreserveNewest + + + + + diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServer.cs b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServer.cs new file mode 100644 index 0000000000..dfe369625a --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServer.cs @@ -0,0 +1,28 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.Extensions.Configuration; +using System; + +namespace Microsoft.AspNetCore.DataProtection +{ + internal class TestRedisServer + { + public const string ConnectionStringKeyName = "Test:Redis:Server"; + private static readonly IConfigurationRoot _config; + + static TestRedisServer() + { + _config = new ConfigurationBuilder() + .SetBasePath(AppContext.BaseDirectory) + .AddJsonFile("testconfig.json") + .AddEnvironmentVariables() + .Build(); + } + + internal static string GetConnectionString() + { + return _config[ConnectionStringKeyName]; + } + } +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServerIsAvailableAttribute.cs b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServerIsAvailableAttribute.cs new file mode 100644 index 0000000000..04857c494b --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServerIsAvailableAttribute.cs 
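Review bot: In TestRedisServer.cs the static constructor registers `.AddJsonFile("testconfig.json")` as a required file, so if the file is ever missing from the output directory the type initializer throws. Every later call to `GetConnectionString()` then fails, including the one the skip condition added in this commit presumably makes, so the test would error out instead of being skipped. `.AddJsonFile("testconfig.json", optional: true)` lets the environment variable alone configure the test. Since the class has only static members, it could also be declared `internal static class TestRedisServer`.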
@@ -0,0 +1,15 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.Testing.xunit; +using System; + +namespace Microsoft.AspNetCore.DataProtection +{ + internal class TestRedisServerIsAvailableAttribute : Attribute, ITestCondition + { + public bool IsMet => !string.IsNullOrEmpty(TestRedisServer.GetConnectionString()); + + public string SkipReason => $"A test redis server must be configured to run. Set the connection string as an environment variable as {TestRedisServer.ConnectionStringKeyName.Replace(":", "__")} or in testconfig.json"; + } +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/testconfig.json b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/testconfig.json new file mode 100644 index 0000000000..2e2f447946 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.Redis.Test/testconfig.json @@ -0,0 +1,10 @@ +{ + "Test": { + "Redis": { + // You can setup a local Redis server easily with Docker by running + // docker run --rm -it -p 6379:6379 redis + // Then uncomment this config below + // "Server": "localhost:6379,127.0.0.1:6379" + } + } +} \ No newline at end of file From 760efe303f2e909be5a97150ca16f73428d1c7f6 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 12 Aug 2018 19:09:13 +0000 Subject: [PATCH 476/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 28 ++++++++++++++-------------- korebuild-lock.txt | 4 ++-- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index b2bb6f5bcc..06597fadcb 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,21 +3,21 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-20180731.1 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 + 2.2.0-preview1-20180807.2 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 2.3.2 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 - 2.2.0-preview1-34896 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 3.14.2 2.0.9 2.1.2 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index b6efc7cfcb..29a57027f1 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-20180731.1 -commithash:29fde58465439f4bb9df40830635ed758e063daf +version:2.2.0-preview1-20180807.2 +commithash:11495dbd236104434e08cb1152fcb58cf2a20923 From c119bee8efb1632cfc3ff864ba2be704349efd26 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Tue, 21 Aug 2018 13:33:49 -0700 Subject: [PATCH 477/493] Update package branding for 2.2.0-preview2 --- build/dependencies.props | 2 +- version.props | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 06597fadcb..9798c889a4 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -33,6 +33,6 @@ 2.3.1 2.4.0 - + diff --git a/version.props b/version.props index 44985cedb3..15637ba785 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ 2.2.0 - preview1 + preview2 $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 From 8f7d995508df0c4466b3ebc1bfbe1d215ce43565 Mon Sep 17 00:00:00 2001 
From: "dan.s.ward" Date: Wed, 29 Aug 2018 17:04:37 -0400 Subject: [PATCH 478/493] Added Entity Framework Core backed IXmlRepository with tests and sample (#303) --- DataProtection.sln | 33 +++++++++ build/dependencies.props | 2 + .../DataProtectionKeyContext.cs | 21 ++++++ .../EntityFrameworkCore.csproj | 18 +++++ samples/EntityFrameworkCore/Program.cs | 33 +++++++++ .../ConfigureKeyManagementOptions.cs | 22 ++++++ .../DataProtectionKey.cs | 31 +++++++++ ...tyFrameworkCoreDataProtectionExtensions.cs | 46 +++++++++++++ .../EntityFrameworkCoreXmlRepository.cs | 69 +++++++++++++++++++ .../IDataProtectionKeyContext.cs | 18 +++++ .../LoggingExtensions.cs | 31 +++++++++ ....DataProtection.EntityFrameworkCore.csproj | 24 +++++++ .../DataProtectionEntityFrameworkTests.cs | 68 ++++++++++++++++++ .../DataProtectionKeyContext.cs | 14 ++++ ...oreDataProtectionBuilderExtensionsTests.cs | 26 +++++++ ...Protection.EntityFrameworkCore.Test.csproj | 15 ++++ 16 files changed, 471 insertions(+) create mode 100644 samples/EntityFrameworkCore/DataProtectionKeyContext.cs create mode 100644 samples/EntityFrameworkCore/EntityFrameworkCore.csproj create mode 100644 samples/EntityFrameworkCore/Program.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs create mode 100644 
src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj create mode 100644 test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs create mode 100644 test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj diff --git a/DataProtection.sln b/DataProtection.sln index c08ab6a1ce..7b22058b82 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -77,6 +77,12 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AzureKeyVault", "samples\Az EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test", "test\Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test\Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj", "{C85ED942-8121-453F-8308-9DB730843B63}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test", "test\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj", "{06728BF2-C5EB-44C7-9F30-14FAA5649E14}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "EntityFrameworkCore", "samples\EntityFrameworkCore\EntityFrameworkCore.csproj", "{E837A2E3-FC93-494C-8689-5AF9C6802AD7}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore", "src\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj", "{3E4CA7FE-741B-4C78-A775-220E0E3C1B03}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -265,6 +271,30 @@ Global {C85ED942-8121-453F-8308-9DB730843B63}.Release|Any CPU.Build.0 = Release|Any CPU {C85ED942-8121-453F-8308-9DB730843B63}.Release|x86.ActiveCfg = Release|Any CPU {C85ED942-8121-453F-8308-9DB730843B63}.Release|x86.Build.0 = Release|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Debug|Any CPU.Build.0 = Debug|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Debug|x86.ActiveCfg = Debug|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Debug|x86.Build.0 = Debug|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Release|Any CPU.ActiveCfg = Release|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Release|Any CPU.Build.0 = Release|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Release|x86.ActiveCfg = Release|Any CPU + {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Release|x86.Build.0 = Release|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|Any CPU.Build.0 = Debug|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|x86.ActiveCfg = Debug|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|x86.Build.0 = Debug|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|Any CPU.ActiveCfg = Release|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|Any CPU.Build.0 = Release|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|x86.ActiveCfg = Release|Any CPU + {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|x86.Build.0 = Release|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Debug|Any CPU.Build.0 = Debug|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Debug|x86.ActiveCfg = Debug|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Debug|x86.Build.0 = Debug|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Release|Any CPU.ActiveCfg = Release|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Release|Any 
CPU.Build.0 = Release|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Release|x86.ActiveCfg = Release|Any CPU + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -293,6 +323,9 @@ Global {4E76B2A8-9DC3-46E6-B5FC-097A1D1DFBE9} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {295E8539-5450-4764-B3F5-51F968628022} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} {C85ED942-8121-453F-8308-9DB730843B63} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {06728BF2-C5EB-44C7-9F30-14FAA5649E14} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} + {E837A2E3-FC93-494C-8689-5AF9C6802AD7} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} + {3E4CA7FE-741B-4C78-A775-220E0E3C1B03} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {DD305D75-BD1B-43AE-BF04-869DA6A0858F} diff --git a/build/dependencies.props b/build/dependencies.props index 9798c889a4..06b0858ebe 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -8,6 +8,8 @@ 2.2.0-preview1-34967 2.2.0-preview1-34967 2.3.2 + 2.2.0-preview1-34967 + 2.2.0-preview1-34967 2.2.0-preview1-34967 2.2.0-preview1-34967 2.2.0-preview1-34967 diff --git a/samples/EntityFrameworkCore/DataProtectionKeyContext.cs b/samples/EntityFrameworkCore/DataProtectionKeyContext.cs new file mode 100644 index 0000000000..a84031ae50 --- /dev/null +++ b/samples/EntityFrameworkCore/DataProtectionKeyContext.cs 
@@ -0,0 +1,21 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore;
+
+namespace EntityFrameworkCore
+{
+ class DataProtectionKeyContext : DbContext, IDataProtectionKeyContext
+ {
+ public DataProtectionKeyContext(DbContextOptions options) : base(options) { }
+ public DbSet DataProtectionKeys { get; set; }
+ protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
+ {
+ base.OnConfiguring(optionsBuilder);
+ optionsBuilder.UseInMemoryDatabase("DataProtection_EntityFrameworkCore");
+ optionsBuilder.UseQueryTrackingBehavior(QueryTrackingBehavior.NoTracking);
+ optionsBuilder.EnableSensitiveDataLogging();
+ }
+ }
+}
diff --git a/samples/EntityFrameworkCore/EntityFrameworkCore.csproj b/samples/EntityFrameworkCore/EntityFrameworkCore.csproj
new file mode 100644
index 0000000000..212ec9d566
--- /dev/null
+++ b/samples/EntityFrameworkCore/EntityFrameworkCore.csproj
@@ -0,0 +1,18 @@
+
+
+
+ exe
+ net461;netcoreapp2.1
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/samples/EntityFrameworkCore/Program.cs b/samples/EntityFrameworkCore/Program.cs
new file mode 100644
index 0000000000..9e8a0d5ee1
--- /dev/null
+++ b/samples/EntityFrameworkCore/Program.cs
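Review bot: In samples/EntityFrameworkCore/DataProtectionKeyContext.cs, `optionsBuilder.EnableSensitiveDataLogging();` is switched on for a context whose only set holds data-protection keys, so EF Core may include the key XML in log output as parameter values. With the Debug-level console logging the sample's Program.cs configures, that output is likely to reach the console. Samples get copied into real applications, so I would drop the call or at least mark it: `// Diagnostic aid for this sample only: may log key XML, do not enable in real applications`. `UseInMemoryDatabase` deserves a similar one-line comment saying that keys do not survive a restart.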
@@ -0,0 +1,33 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using System;
+
+namespace EntityFrameworkCore
+{
+ class Program
+ {
+ static void Main(string[] args)
+ {
+ // Configure
+ using (var services = new ServiceCollection()
+ .AddLogging(o => o.AddConsole().SetMinimumLevel(LogLevel.Debug))
+ .AddDbContext()
+ .AddDataProtection()
+ .PersistKeysToDbContext()
+ .SetDefaultKeyLifetime(TimeSpan.FromDays(7))
+ .Services
+ .BuildServiceProvider(validateScopes: true))
+ {
+ // Run a sample payload
+ var protector = services.GetDataProtector("sample-purpose");
+ var protectedData = protector.Protect("Hello world!");
+ Console.WriteLine(protectedData);
+ }
+ }
+ }
+}
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs
new file mode 100644
index 0000000000..246aa3c1e5
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs
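Review bot: samples/EntityFrameworkCore/Program.cs chains `.PersistKeysToDbContext()` with no `ProtectKeysWith*` call, so as far as this hunk shows the key XML lands unencrypted in the `Xml` column of the `DataProtectionKey` entity added later in this patch. A comment above the builder chain would make that explicit for readers who copy the sample, e.g. `// No key encryption at rest is configured here; real applications should add ProtectKeysWithCertificate or ProtectKeysWithDpapi and restrict access to the key table.` The XML doc on `DataProtectionKey.Xml` could carry the same caveat, namely that the value contains key material and must be treated as a secret.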
@@ -0,0 +1,22 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.AspNetCore.DataProtection.Repositories;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using System;
+
+namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore
+{
+ internal class ConfigureKeyManagementOptions : IConfigureOptions
+ {
+ private readonly IServiceProvider _serviceProvider;
+
+ public ConfigureKeyManagementOptions(IServiceProvider serviceProvider)
+ => _serviceProvider = serviceProvider;
+
+ public void Configure(KeyManagementOptions options)
+ => options.XmlRepository = _serviceProvider.CreateScope().ServiceProvider.GetRequiredService();
+ }
+}
\ No newline at end of file
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs
new file mode 100644
index 0000000000..b13a9fbd60
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs
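Review bot: `Configure` calls `_serviceProvider.CreateScope()` and never disposes the scope it gets back, so that scope and every disposable service resolved from it (presumably including the DbContext behind the repository) stay alive until the root provider is torn down. The two `AddScoped` factories in EntityFrameworkCoreDataProtectionExtensions.cs do the same with `provider.CreateScope()`. Because the repository assigned to `options.XmlRepository` outlives any single scope, I would create the scope inside a `using (var scope = ...CreateScope())` at each `GetAllElements`/`StoreElement` call and resolve the context there, rather than creating scopes at registration time.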
@@ -0,0 +1,31 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore
+{
+ ///
+ /// Code first model used by .
+ ///
+ public class DataProtectionKey
+ {
+ ///
+ /// The entity identifier of the .
+ ///
+ [Key]
+ [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
+ public int Id { get; set; }
+
+ ///
+ /// The friendly name of the .
+ ///
+ public string FriendlyName { get; set; }
+
+ ///
+ /// The XML representation of the .
+ ///
+ public string Xml { get; set; }
+ }
+}
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs
new file mode 100644
index 0000000000..a3577f0e6d
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs
@@ -0,0 +1,46 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.AspNetCore.DataProtection.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using System;
+
+namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore
+{
+ ///
+ /// Extension method class for configuring instances of
+ ///
+ public static class EntityFrameworkCoreDataProtectionExtensions
+ {
+ ///
+ /// Configures the data protection system to persist keys to an EntityFrameworkCore datastore
+ ///
+ /// The instance to modify.
+ /// The value .
+ public static IDataProtectionBuilder PersistKeysToDbContext(this IDataProtectionBuilder builder)
+ where TContext : DbContext, IDataProtectionKeyContext
+ {
+ var services = builder.Services;
+
+ services.AddScoped>(
+ provider => new Func(
+ () => provider.CreateScope().ServiceProvider.GetService()));
+
+ services.AddScoped(provider =>
+ {
+ var scope = provider.CreateScope();
+ return new EntityFrameworkCoreXmlRepository(
+ contextFactory: scope.ServiceProvider.GetRequiredService>(),
+ loggerFactory: scope.ServiceProvider.GetService());
+ });
+
+ services.AddTransient, ConfigureKeyManagementOptions>();
+
+ return builder;
+ }
+ }
+}
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs
new file mode 100644
index 0000000000..6720c400b8
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs
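Review bot: The XML doc on `PersistKeysToDbContext` says only that keys are persisted to an EntityFrameworkCore datastore and gives the caller no hint about how they are protected there. Nothing in this method registers an XML encryptor, so unless the application adds one (for example with `ProtectKeysWithCertificate`) the `Xml` column will presumably hold the key material in the clear. I would add a remark to the method's doc comment, e.g. `/// <remarks>Keys are written as XML to the context's DataProtectionKeys set; configure key encryption at rest and restrict access to that table.</remarks>`.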
@@ -0,0 +1,69 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.DataProtection.Repositories;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Xml.Linq;
+
+namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore
+{
+ ///
+ /// An backed by an EntityFrameworkCore datastore.
+ ///
+ public class EntityFrameworkCoreXmlRepository : IXmlRepository
+ where TContext : DbContext, IDataProtectionKeyContext
+ {
+ private readonly ILoggerFactory _loggerFactory;
+ private readonly Func _contextFactory;
+
+ private ILogger> _logger => _loggerFactory?.CreateLogger>();
+
+ private TContext _context => _contextFactory?.Invoke();
+
+ ///
+ /// Creates a new instance of the .
+ ///
+ /// The factory method that creates a context to store instances of
+ /// The .
+ public EntityFrameworkCoreXmlRepository(Func contextFactory, ILoggerFactory loggerFactory = null)
+ {
+ _contextFactory = contextFactory ?? throw new ArgumentNullException(nameof(contextFactory));
+ _loggerFactory = loggerFactory;
+ }
+
+ ///
+ public virtual IReadOnlyCollection GetAllElements()
+ => _context?.Set()?.AsNoTracking().Select(key => TryParseKeyXml(key.Xml)).ToList().AsReadOnly();
+
+ ///
+ public void StoreElement(XElement element, string friendlyName)
+ {
+ var newKey = new DataProtectionKey()
+ {
+ FriendlyName = friendlyName,
+ Xml = element.ToString(SaveOptions.DisableFormatting)
+ };
+ var context = _context;
+ context?.Set()?.Add(newKey);
+ _logger?.LogSavingKeyToDbContext(friendlyName, typeof(TContext).Name);
+ context?.SaveChanges();
+ }
+
+ private XElement TryParseKeyXml(string xml)
+ {
+ try
+ {
+ return XElement.Parse(xml);
+ }
+ catch (Exception e)
+ {
+ _logger?.LogExceptionWhileParsingKeyXml(xml, e);
+ return null;
+ }
+ }
+ }
+}
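Review bot: `TryParseKeyXml` hands the whole `xml` string to `LogExceptionWhileParsingKeyXml`, and the template defined in LoggingExtensions.cs (`"An exception occurred while parsing the key xml '{Xml}'."`, Warning level) writes it out verbatim. A stored row that fails to parse therefore lands in the application log with its full contents, which may be unencrypted key material. I would log an identifier instead: carry the row's `Id` or `FriendlyName` into `TryParseKeyXml` and change the template to name the key rather than embed its XML, leaving the parse exception to describe what was wrong.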
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs
new file mode 100644
index 0000000000..39998d2a79
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs
@@ -0,0 +1,18 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.EntityFrameworkCore;
+
+namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore
+{
+ ///
+ /// Interface used to store instances of in a
+ ///
+ public interface IDataProtectionKeyContext
+ {
+ ///
+ /// A collection of
+ ///
+ DbSet DataProtectionKeys { get; }
+ }
+}
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs
new file mode 100644
index 0000000000..d0aeb09271
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs
@@ -0,0 +1,31 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace Microsoft.Extensions.Logging
+{
+ internal static class LoggingExtensions
+ {
+ private static readonly Action _anExceptionOccurredWhileParsingKeyXml;
+ private static readonly Action _savingKeyToDbContext;
+
+ static LoggingExtensions()
+ {
+ _anExceptionOccurredWhileParsingKeyXml = LoggerMessage.Define(
+ eventId: 1,
+ logLevel: LogLevel.Warning,
+ formatString: "An exception occurred while parsing the key xml '{Xml}'.");
+ _savingKeyToDbContext = LoggerMessage.Define(
+ eventId: 2,
+ logLevel: LogLevel.Debug,
+ formatString: "Saving key '{FriendlyName}' to '{DbContext}'.");
+ }
+
+ public static void LogExceptionWhileParsingKeyXml(this ILogger logger, string keyXml, Exception exception)
+ => _anExceptionOccurredWhileParsingKeyXml(logger, keyXml, exception);
+
+ public static void LogSavingKeyToDbContext(this ILogger logger, string friendlyName, string contextName)
+ => _savingKeyToDbContext(logger, friendlyName, contextName, null);
+ }
+}
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj
new file mode 100644
index 0000000000..966b1bfc78
--- /dev/null
+++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj
@@ -0,0 +1,24 @@
+
+
+
+ EntityFramworkCore storage support as key store.
+ $(ExperimentalVersionPrefix)
+ $(ExperimentalVersionSuffix)
+ false
+ $(ExperimentalPackageVersion)
+ netstandard2.0
+ true
+ true
+ aspnetcore;dataprotection;entityframeworkcore
+ false
+
+
+
+
+
+
+
+
+
+
+
diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs
new file mode 100644
index 0000000000..31034c7f4c
--- /dev/null
+++ b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs
@@ -0,0 +1,68 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore; +using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test; +using Microsoft.EntityFrameworkCore; +using System; +using System.Linq; +using System.Xml.Linq; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection +{ + public class DataProtectionEntityFrameworkTests + { + [Fact] + public void CreateRepository_ThrowsIf_ContextIsNull() + { + Assert.Throws(() => new EntityFrameworkCoreXmlRepository(null)); + } + + [Fact] + public void StoreElement_PersistsData() + { + var element = XElement.Parse(""); + var friendlyName = "Element1"; + var key = new DataProtectionKey() { FriendlyName = friendlyName, Xml = element.ToString() }; + using (var context = BuildDataProtectionKeyContext(nameof(StoreElement_PersistsData))) + { + var service = new EntityFrameworkCoreXmlRepository(() => context); + service.StoreElement(element, friendlyName); + } + // Use a separate instance of the context to verify correct data was saved to database + using (var context = BuildDataProtectionKeyContext(nameof(StoreElement_PersistsData))) + { + Assert.Equal(1, context.DataProtectionKeys.Count()); + Assert.Equal(key.FriendlyName, context.DataProtectionKeys.Single()?.FriendlyName); + Assert.Equal(key.Xml, context.DataProtectionKeys.Single()?.Xml); + } + } + + [Fact] + public void GetAllElements_ReturnsAllElements() + { + var element1 = XElement.Parse(""); + var element2 = XElement.Parse(""); + using (var context = BuildDataProtectionKeyContext(nameof(GetAllElements_ReturnsAllElements))) + { + var service = new EntityFrameworkCoreXmlRepository(() => context); + service.StoreElement(element1, "element1"); + service.StoreElement(element2, "element2"); + } + // Use a separate instance of the context to verify correct data was saved to 
database + using (var context = BuildDataProtectionKeyContext(nameof(GetAllElements_ReturnsAllElements))) + { + var service = new EntityFrameworkCoreXmlRepository(() => context); + var elements = service.GetAllElements(); + Assert.Equal(2, elements.Count); + } + } + + private DbContextOptions BuildDbContextOptions(string databaseName) + => new DbContextOptionsBuilder().UseInMemoryDatabase(databaseName: databaseName).Options; + + private DataProtectionKeyContext BuildDataProtectionKeyContext(string databaseName) + => new DataProtectionKeyContext(BuildDbContextOptions(databaseName)); + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs new file mode 100644 index 0000000000..96151de0bb --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs @@ -0,0 +1,14 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.EntityFrameworkCore; + +namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test +{ + class DataProtectionKeyContext : DbContext, IDataProtectionKeyContext + { + public DataProtectionKeyContext(DbContextOptions options) : base(options) { } + + public DbSet DataProtectionKeys { get; set; } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs new file mode 100644 index 0000000000..d04ccdde88 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs 
@@ -0,0 +1,26 @@ +// Copyright (c) .NET Foundation. All rights reserved. +// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. + +using Microsoft.AspNetCore.DataProtection.KeyManagement; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Options; +using Xunit; + +namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test +{ + public class EntityFrameworkCoreDataProtectionBuilderExtensionsTests + { + [Fact] + public void PersistKeysToEntityFrameworkCore_UsesEntityFrameworkCoreXmlRepository() + { + var serviceCollection = new ServiceCollection(); + serviceCollection + .AddDbContext() + .AddDataProtection() + .PersistKeysToDbContext(); + var serviceProvider = serviceCollection.BuildServiceProvider(); + var keyManagementOptions = serviceProvider.GetRequiredService>(); + Assert.IsType>(keyManagementOptions.Value.XmlRepository); + } + } +} diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj new file mode 100644 index 0000000000..ed07b79f25 --- /dev/null +++ b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj @@ -0,0 +1,15 @@ + + + + $(StandardTestTfms) + + + + + + + + + + + From 7520ffa0efd04c18630c2612855cb590a94cc69a Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Wed, 29 Aug 2018 14:33:57 -0700 Subject: [PATCH 479/493] Fix up service scoping in the EF Core xml repository and update package version to 2.2 --- DataProtection.sln | 22 +- .../DataProtectionKeyContext.cs | 21 -- .../EntityFrameworkCoreSample.csproj} | 0 .../Program.cs | 25 ++- samples/Redis/Program.cs | 2 +- .../ConfigureKeyManagementOptions.cs | 22 -- .../DataProtectionKey.cs | 5 - ...tyFrameworkCoreDataProtectionExtensions.cs | 25 +-- .../EntityFrameworkCoreXmlRepository.cs | 56 +++-- ....DataProtection.EntityFrameworkCore.csproj | 11 +- .../baseline.netcore.json | 203 ++++++++++++++++++ .../DataProtectionEntityFrameworkTests.cs | 51 ++--- ...oreDataProtectionBuilderExtensionsTests.cs | 2 +- 13 files changed, 310 insertions(+), 135 deletions(-) delete mode 100644 samples/EntityFrameworkCore/DataProtectionKeyContext.cs rename samples/{EntityFrameworkCore/EntityFrameworkCore.csproj => EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj} (100%) rename samples/{EntityFrameworkCore => EntityFrameworkCoreSample}/Program.cs (56%) delete mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs create mode 100644 src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json diff --git a/DataProtection.sln b/DataProtection.sln index 7b22058b82..7fb7eb0592 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -79,10 +79,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataPr EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test", "test\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj", "{06728BF2-C5EB-44C7-9F30-14FAA5649E14}" EndProject -Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "EntityFrameworkCore", "samples\EntityFrameworkCore\EntityFrameworkCore.csproj", "{E837A2E3-FC93-494C-8689-5AF9C6802AD7}" -EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore", "src\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore\Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj", "{3E4CA7FE-741B-4C78-A775-220E0E3C1B03}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "EntityFrameworkCoreSample", "samples\EntityFrameworkCoreSample\EntityFrameworkCoreSample.csproj", "{22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -279,14 +279,6 @@ Global {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Release|Any CPU.Build.0 = Release|Any CPU {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Release|x86.ActiveCfg = Release|Any CPU {06728BF2-C5EB-44C7-9F30-14FAA5649E14}.Release|x86.Build.0 = Release|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|Any CPU.Build.0 = Debug|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|x86.ActiveCfg = Debug|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Debug|x86.Build.0 = Debug|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|Any CPU.ActiveCfg = Release|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|Any CPU.Build.0 = Release|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|x86.ActiveCfg = Release|Any CPU - {E837A2E3-FC93-494C-8689-5AF9C6802AD7}.Release|x86.Build.0 = Release|Any CPU {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Debug|Any CPU.Build.0 = Debug|Any CPU {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Debug|x86.ActiveCfg = Debug|Any CPU 
@@ -295,6 +287,14 @@ Global {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Release|Any CPU.Build.0 = Release|Any CPU {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Release|x86.ActiveCfg = Release|Any CPU {3E4CA7FE-741B-4C78-A775-220E0E3C1B03}.Release|x86.Build.0 = Release|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Debug|Any CPU.Build.0 = Debug|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Debug|x86.ActiveCfg = Debug|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Debug|x86.Build.0 = Debug|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Release|Any CPU.ActiveCfg = Release|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Release|Any CPU.Build.0 = Release|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Release|x86.ActiveCfg = Release|Any CPU + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -324,8 +324,8 @@ Global {295E8539-5450-4764-B3F5-51F968628022} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} {C85ED942-8121-453F-8308-9DB730843B63} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {06728BF2-C5EB-44C7-9F30-14FAA5649E14} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} - {E837A2E3-FC93-494C-8689-5AF9C6802AD7} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} {3E4CA7FE-741B-4C78-A775-220E0E3C1B03} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {DD305D75-BD1B-43AE-BF04-869DA6A0858F} diff --git a/samples/EntityFrameworkCore/DataProtectionKeyContext.cs b/samples/EntityFrameworkCore/DataProtectionKeyContext.cs deleted file mode 100644 index a84031ae50..0000000000 --- a/samples/EntityFrameworkCore/DataProtectionKeyContext.cs +++ /dev/null 
@@ -1,21 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore; -using Microsoft.EntityFrameworkCore; - -namespace EntityFrameworkCore -{ - class DataProtectionKeyContext : DbContext, IDataProtectionKeyContext - { - public DataProtectionKeyContext(DbContextOptions options) : base(options) { } - public DbSet DataProtectionKeys { get; set; } - protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder) - { - base.OnConfiguring(optionsBuilder); - optionsBuilder.UseInMemoryDatabase("DataProtection_EntityFrameworkCore"); - optionsBuilder.UseQueryTrackingBehavior(QueryTrackingBehavior.NoTracking); - optionsBuilder.EnableSensitiveDataLogging(); - } - } -} diff --git a/samples/EntityFrameworkCore/EntityFrameworkCore.csproj b/samples/EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj similarity index 100% rename from samples/EntityFrameworkCore/EntityFrameworkCore.csproj rename to samples/EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj diff --git a/samples/EntityFrameworkCore/Program.cs b/samples/EntityFrameworkCoreSample/Program.cs similarity index 56% rename from samples/EntityFrameworkCore/Program.cs rename to samples/EntityFrameworkCoreSample/Program.cs index 9e8a0d5ee1..d4e978a7b8 100644 --- a/samples/EntityFrameworkCore/Program.cs +++ b/samples/EntityFrameworkCoreSample/Program.cs 
@@ -1,27 +1,35 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. +using System; using Microsoft.AspNetCore.DataProtection; using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore; +using Microsoft.EntityFrameworkCore; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; -using System; -namespace EntityFrameworkCore +namespace EntityFrameworkCoreSample { class Program { static void Main(string[] args) { // Configure - using (var services = new ServiceCollection() + var services = new ServiceCollection() .AddLogging(o => o.AddConsole().SetMinimumLevel(LogLevel.Debug)) - .AddDbContext() + .AddDbContext(o => + { + o.UseInMemoryDatabase("DataProtection_EntityFrameworkCore"); + o.UseQueryTrackingBehavior(QueryTrackingBehavior.NoTracking); + o.EnableSensitiveDataLogging(); + }) .AddDataProtection() .PersistKeysToDbContext() .SetDefaultKeyLifetime(TimeSpan.FromDays(7)) .Services - .BuildServiceProvider(validateScopes: true)) + .BuildServiceProvider(validateScopes: true); + + using(services) { // Run a sample payload var protector = services.GetDataProtector("sample-purpose"); @@ -30,4 +38,11 @@ namespace EntityFrameworkCore } } } + + class DataProtectionKeyContext : DbContext, IDataProtectionKeyContext + { + public DataProtectionKeyContext(DbContextOptions options) : base(options) { } + + public DbSet DataProtectionKeys { get; set; } + } } diff --git a/samples/Redis/Program.cs b/samples/Redis/Program.cs index f8f213cfad..aa1cdf5164 100644 --- a/samples/Redis/Program.cs +++ b/samples/Redis/Program.cs @@ -7,7 +7,7 @@ using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using StackExchange.Redis; -namespace Redis +namespace RedisSample { public class Program { 
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs deleted file mode 100644 index 246aa3c1e5..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/ConfigureKeyManagementOptions.cs +++ /dev/null @@ -1,22 +0,0 @@ -// Copyright (c) .NET Foundation. All rights reserved. -// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.Extensions.DependencyInjection; -using Microsoft.Extensions.Options; -using System; - -namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore -{ - internal class ConfigureKeyManagementOptions : IConfigureOptions - { - private readonly IServiceProvider _serviceProvider; - - public ConfigureKeyManagementOptions(IServiceProvider serviceProvider) - => _serviceProvider = serviceProvider; - - public void Configure(KeyManagementOptions options) - => options.XmlRepository = _serviceProvider.CreateScope().ServiceProvider.GetRequiredService(); - } -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs index b13a9fbd60..c236d5cb89 100644 --- a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs +++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs 
@@ -1,9 +1,6 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System.ComponentModel.DataAnnotations; -using System.ComponentModel.DataAnnotations.Schema; - namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore { /// @@ -14,8 +11,6 @@ namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore /// /// The entity identifier of the . /// - [Key] - [DatabaseGenerated(DatabaseGeneratedOption.Identity)] public int Id { get; set; } /// diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs index a3577f0e6d..ff24b58eb9 100644 --- a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs @@ -1,15 +1,15 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. +using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore; using Microsoft.AspNetCore.DataProtection.KeyManagement; -using Microsoft.AspNetCore.DataProtection.Repositories; using Microsoft.EntityFrameworkCore; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Logging.Abstractions; using Microsoft.Extensions.Options; -using System; -namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore +namespace Microsoft.AspNetCore.DataProtection { /// /// Extension method class for configuring instances of 
@@ -24,22 +24,15 @@ namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore public static IDataProtectionBuilder PersistKeysToDbContext(this IDataProtectionBuilder builder) where TContext : DbContext, IDataProtectionKeyContext { - var services = builder.Services; - - services.AddScoped>( - provider => new Func( - () => provider.CreateScope().ServiceProvider.GetService())); - - services.AddScoped(provider => + builder.Services.AddSingleton>(services => { - var scope = provider.CreateScope(); - return new EntityFrameworkCoreXmlRepository( - contextFactory: scope.ServiceProvider.GetRequiredService>(), - loggerFactory: scope.ServiceProvider.GetService()); + var loggerFactory = services.GetService() ?? NullLoggerFactory.Instance; + return new ConfigureOptions(options => + { + options.XmlRepository = new EntityFrameworkCoreXmlRepository(services, loggerFactory); + }); }); - services.AddTransient, ConfigureKeyManagementOptions>(); - return builder; } } diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs index 6720c400b8..62250cf3ef 100644 --- a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs 
@@ -1,13 +1,14 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using Microsoft.AspNetCore.DataProtection.Repositories; -using Microsoft.EntityFrameworkCore; -using Microsoft.Extensions.Logging; using System; using System.Collections.Generic; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.Repositories; +using Microsoft.EntityFrameworkCore; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging; namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore { 
@@ -17,40 +18,51 @@ namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore public class EntityFrameworkCoreXmlRepository : IXmlRepository where TContext : DbContext, IDataProtectionKeyContext { - private readonly ILoggerFactory _loggerFactory; - private readonly Func _contextFactory; - - private ILogger> _logger => _loggerFactory?.CreateLogger>(); - - private TContext _context => _contextFactory?.Invoke(); + private readonly IServiceProvider _services; + private readonly ILogger _logger; /// /// Creates a new instance of the . /// - /// The factory method that creates a context to store instances of + /// /// The . - public EntityFrameworkCoreXmlRepository(Func contextFactory, ILoggerFactory loggerFactory = null) + public EntityFrameworkCoreXmlRepository(IServiceProvider services, ILoggerFactory loggerFactory) { - _contextFactory = contextFactory ?? throw new ArgumentNullException(nameof(contextFactory)); - _loggerFactory = loggerFactory; + if (loggerFactory == null) + { + throw new ArgumentNullException(nameof(loggerFactory)); + } + + _logger = loggerFactory.CreateLogger>(); + _services = services ?? 
throw new ArgumentNullException(nameof(services)); } /// public virtual IReadOnlyCollection GetAllElements() - => _context?.Set()?.AsNoTracking().Select(key => TryParseKeyXml(key.Xml)).ToList().AsReadOnly(); + { + using (var scope = _services.CreateScope()) + { + var context = scope.ServiceProvider.GetRequiredService(); + return context.DataProtectionKeys.AsNoTracking().Select(key => TryParseKeyXml(key.Xml)).ToList().AsReadOnly(); + } + } /// public void StoreElement(XElement element, string friendlyName) { - var newKey = new DataProtectionKey() + using (var scope = _services.CreateScope()) { - FriendlyName = friendlyName, - Xml = element.ToString(SaveOptions.DisableFormatting) - }; - var context = _context; - context?.Set()?.Add(newKey); - _logger?.LogSavingKeyToDbContext(friendlyName, typeof(TContext).Name); - context?.SaveChanges(); + var context = scope.ServiceProvider.GetRequiredService(); + var newKey = new DataProtectionKey() + { + FriendlyName = friendlyName, + Xml = element.ToString(SaveOptions.DisableFormatting) + }; + + context.DataProtectionKeys.Add(newKey); + _logger.LogSavingKeyToDbContext(friendlyName, typeof(TContext).Name); + context.SaveChanges(); + } } private XElement TryParseKeyXml(string xml) diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj index 966b1bfc78..e1715d94f2 100644 --- a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj 
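Review bot: `GetAllElements` still projects every row through `TryParseKeyXml`, which returns `null` when parsing fails (its body lies outside this hunk; only the signature appears as trailing context), so the read-only collection handed back can contain `null` entries. A caller that iterates the elements and reads a member of each would then fail on one corrupt row instead of skipping it. I would filter after the projection, e.g. `.Select(key => TryParseKeyXml(key.Xml)).Where(element => element != null).ToList().AsReadOnly();`, and add a test that stores a row with malformed XML to pin the behaviour.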
@@ -1,16 +1,11 @@  - EntityFramworkCore storage support as key store. - $(ExperimentalVersionPrefix) - $(ExperimentalVersionSuffix) - false - $(ExperimentalPackageVersion) + Support for storing keys using Entity Framework Core. netstandard2.0 true true aspnetcore;dataprotection;entityframeworkcore - false @@ -21,4 +16,8 @@ + + + + diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json new file mode 100644 index 0000000000..9a9a7ebc1c --- /dev/null +++ b/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json 
@@ -0,0 +1,203 @@ +{ + "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", + "Types": [ + { + "Name": "Microsoft.AspNetCore.DataProtection.EntityFrameworkCoreDataProtectionExtensions", + "Visibility": "Public", + "Kind": "Class", + "Abstract": true, + "Static": true, + "Sealed": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "PersistKeysToDbContext", + "Parameters": [ + { + "Name": "builder", + "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" + } + ], + "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", + "Static": true, + "Extension": true, + "Visibility": "Public", + "GenericParameter": [ + { + "ParameterName": "TContext", + "ParameterPosition": 0, + "BaseTypeOrInterfaces": [ + "Microsoft.EntityFrameworkCore.DbContext", + "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.IDataProtectionKeyContext" + ] + } + ] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_Id", + "Parameters": [], + "ReturnType": "System.Int32", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_Id", + "Parameters": [ + { + "Name": "value", + "Type": "System.Int32" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "get_FriendlyName", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_FriendlyName", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + 
"Name": "get_Xml", + "Parameters": [], + "ReturnType": "System.String", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "set_Xml", + "Parameters": [ + { + "Name": "value", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.EntityFrameworkCoreXmlRepository", + "Visibility": "Public", + "Kind": "Class", + "ImplementedInterfaces": [ + "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" + ], + "Members": [ + { + "Kind": "Method", + "Name": "GetAllElements", + "Parameters": [], + "ReturnType": "System.Collections.Generic.IReadOnlyCollection", + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Method", + "Name": "StoreElement", + "Parameters": [ + { + "Name": "element", + "Type": "System.Xml.Linq.XElement" + }, + { + "Name": "friendlyName", + "Type": "System.String" + } + ], + "ReturnType": "System.Void", + "Sealed": true, + "Virtual": true, + "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", + "Visibility": "Public", + "GenericParameter": [] + }, + { + "Kind": "Constructor", + "Name": ".ctor", + "Parameters": [ + { + "Name": "services", + "Type": "System.IServiceProvider" + }, + { + "Name": "loggerFactory", + "Type": "Microsoft.Extensions.Logging.ILoggerFactory" + } + ], + "Visibility": "Public", + "GenericParameter": [] + } + ], + "GenericParameters": [ + { + "ParameterName": "TContext", + "ParameterPosition": 0, + "BaseTypeOrInterfaces": [ + "Microsoft.EntityFrameworkCore.DbContext", + 
"Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.IDataProtectionKeyContext" + ] + } + ] + }, + { + "Name": "Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.IDataProtectionKeyContext", + "Visibility": "Public", + "Kind": "Interface", + "Abstract": true, + "ImplementedInterfaces": [], + "Members": [ + { + "Kind": "Method", + "Name": "get_DataProtectionKeys", + "Parameters": [], + "ReturnType": "Microsoft.EntityFrameworkCore.DbSet", + "GenericParameter": [] + } + ], + "GenericParameters": [] + } + ] +} \ No newline at end of file diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs index 31034c7f4c..c298d8e64f 100644 --- a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs @@ -1,12 +1,14 @@ // Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore; -using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test; -using Microsoft.EntityFrameworkCore; using System; using System.Linq; using System.Xml.Linq; +using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore; +using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test; +using Microsoft.EntityFrameworkCore; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Logging.Abstractions; using Xunit; namespace Microsoft.AspNetCore.DataProtection 
@@ -16,7 +18,7 @@ namespace Microsoft.AspNetCore.DataProtection [Fact] public void CreateRepository_ThrowsIf_ContextIsNull() { - Assert.Throws(() => new EntityFrameworkCoreXmlRepository(null)); + Assert.Throws(() => new EntityFrameworkCoreXmlRepository(null, null)); } [Fact] @@ -25,13 +27,13 @@ namespace Microsoft.AspNetCore.DataProtection var element = XElement.Parse(""); var friendlyName = "Element1"; var key = new DataProtectionKey() { FriendlyName = friendlyName, Xml = element.ToString() }; - using (var context = BuildDataProtectionKeyContext(nameof(StoreElement_PersistsData))) - { - var service = new EntityFrameworkCoreXmlRepository(() => context); + + var services = GetServices(nameof(StoreElement_PersistsData)); + var service = new EntityFrameworkCoreXmlRepository(services, NullLoggerFactory.Instance); service.StoreElement(element, friendlyName); - } + // Use a separate instance of the context to verify correct data was saved to database - using (var context = BuildDataProtectionKeyContext(nameof(StoreElement_PersistsData))) + using (var context = services.CreateScope().ServiceProvider.GetRequiredService< DataProtectionKeyContext>()) { Assert.Equal(1, context.DataProtectionKeys.Count()); Assert.Equal(key.FriendlyName, context.DataProtectionKeys.Single()?.FriendlyName); 
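Review bot: CreateRepository_ThrowsIf_ContextIsNull no longer exercises the `services` null check, because the call now passes `(null, null)` and the constructor added in this commit tests `loggerFactory` first. The ArgumentNullException the test observes is therefore the one for `loggerFactory`, and the `services ?? throw` branch is left uncovered. Passing a real factory, `(null, NullLoggerFactory.Instance)`, and asserting the returned exception's `ParamName` is `"services"` would pin the intended guard. A sibling test with a valid provider and a null factory would cover the other one.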
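Review bot: In StoreElement_PersistsData the `using` disposes the resolved context but never the scope that owns it, since `services.CreateScope()` is called inline and its result is discarded. Holding the scope instead keeps the lifetime explicit: `using (var scope = services.CreateScope())` followed by `var context = scope.ServiceProvider.GetRequiredService<DataProtectionKeyContext>();`. The provider built by GetServices in the later hunk of this file is likewise never disposed, because the helper returns it as IServiceProvider. The `service.StoreElement` line also keeps the indentation of the removed `using` block, and the test body continues past the end of this hunk.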
@@ -44,25 +46,24 @@ namespace Microsoft.AspNetCore.DataProtection { var element1 = XElement.Parse(""); var element2 = XElement.Parse(""); - using (var context = BuildDataProtectionKeyContext(nameof(GetAllElements_ReturnsAllElements))) - { - var service = new EntityFrameworkCoreXmlRepository(() => context); - service.StoreElement(element1, "element1"); - service.StoreElement(element2, "element2"); - } + + var services = GetServices(nameof(GetAllElements_ReturnsAllElements)); + var service1 = CreateRepo(services); + service1.StoreElement(element1, "element1"); + service1.StoreElement(element2, "element2"); + // Use a separate instance of the context to verify correct data was saved to database - using (var context = BuildDataProtectionKeyContext(nameof(GetAllElements_ReturnsAllElements))) - { - var service = new EntityFrameworkCoreXmlRepository(() => context); - var elements = service.GetAllElements(); - Assert.Equal(2, elements.Count); - } + var service2 = CreateRepo(services); + var elements = service2.GetAllElements(); + Assert.Equal(2, elements.Count); } - private DbContextOptions BuildDbContextOptions(string databaseName) - => new DbContextOptionsBuilder().UseInMemoryDatabase(databaseName: databaseName).Options; + private EntityFrameworkCoreXmlRepository CreateRepo(IServiceProvider services) + => new EntityFrameworkCoreXmlRepository(services, NullLoggerFactory.Instance); - private DataProtectionKeyContext BuildDataProtectionKeyContext(string databaseName) - => new DataProtectionKeyContext(BuildDbContextOptions(databaseName)); + private IServiceProvider GetServices(string dbName) + => new ServiceCollection() + .AddDbContext(o => o.UseInMemoryDatabase(dbName)) + .BuildServiceProvider(validateScopes: true); } } 
diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs index d04ccdde88..55b67d98e3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs @@ -18,7 +18,7 @@ namespace Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test .AddDbContext() .AddDataProtection() .PersistKeysToDbContext(); - var serviceProvider = serviceCollection.BuildServiceProvider(); + var serviceProvider = serviceCollection.BuildServiceProvider(validateScopes: true); var keyManagementOptions = serviceProvider.GetRequiredService>(); Assert.IsType>(keyManagementOptions.Value.XmlRepository); } From a1a52376131406735c9ab9d3c65b2dfa185f63dc Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 2 Sep 2018 12:08:40 -0700 Subject: [PATCH 480/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 32 ++++++++++++++++---------------- korebuild-lock.txt | 4 ++-- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 06b0858ebe..f36815c57f 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,23 +3,23 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-20180807.2 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 + 2.2.0-preview1-20180821.1 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 2.3.2 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 - 2.2.0-preview1-34967 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 + 2.2.0-preview2-35143 3.14.2 2.0.9 2.1.2 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 29a57027f1..524a2323d0 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-20180807.2 -commithash:11495dbd236104434e08cb1152fcb58cf2a20923 +version:2.2.0-preview1-20180821.1 +commithash:c8d0cc52cd1abb697be24e288ffd54f8fae8bf17 From acde45cf311d0f3b8f26a6ab10a829a6cf190c99 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Wed, 5 Sep 2018 16:33:50 -0700 Subject: [PATCH 481/493] Update branding to 2.2.0-preview3 --- version.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.props b/version.props index 15637ba785..704cac087b 100644 --- a/version.props +++ b/version.props @@ -1,7 +1,7 @@ 2.2.0 - preview2 + preview3 $(VersionPrefix) $(VersionPrefix)-$(VersionSuffix)-final t000 From f80ae73f95195660ebf0d42b86c639fa77e0f9ce Mon Sep 17 00:00:00 2001 
From: "ASP.NET CI" Date: Sun, 9 Sep 2018 12:09:25 -0700 Subject: [PATCH 482/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 36 ++++++++++++++++++------------------ korebuild-lock.txt | 4 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index f36815c57f..e24e1c8522 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,27 +3,27 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-20180821.1 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 + 2.2.0-preview1-20180907.8 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 2.3.2 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 - 2.2.0-preview2-35143 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 + 2.2.0-preview3-35202 3.14.2 2.0.9 - 2.1.2 - 2.2.0-preview1-26618-02 + 2.1.3 + 2.2.0-preview2-26905-02 15.6.1 4.5.0 4.7.49 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 524a2323d0..552300b0ce 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-20180821.1 -commithash:c8d0cc52cd1abb697be24e288ffd54f8fae8bf17 +version:2.2.0-preview1-20180907.8 +commithash:078918eb5c1f176ee1da351c584fb4a4d7491aa0 From 414305905420d19d2046579048303c6d55c0cde6 Mon Sep 17 00:00:00 2001 
From: "ASP.NET CI" Date: Sun, 16 Sep 2018 12:08:16 -0700 Subject: [PATCH 483/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 32 ++++++++++++++++---------------- korebuild-lock.txt | 4 ++-- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index e24e1c8522..82d96af72e 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,23 +3,23 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-20180907.8 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 + 2.2.0-preview1-20180911.1 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 2.3.2 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 - 2.2.0-preview3-35202 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 + 2.2.0-preview3-35252 3.14.2 2.0.9 2.1.3 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 552300b0ce..1090ad6a92 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-20180907.8 -commithash:078918eb5c1f176ee1da351c584fb4a4d7491aa0 +version:2.2.0-preview1-20180911.1 +commithash:ddfecdfc6e8e4859db5a0daea578070b862aac65 From d83e6a29c09622de819feb32ed328a5471d6824c Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 23 Sep 2018 19:09:59 +0000 Subject: [PATCH 484/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 32 ++++++++++++++++---------------- korebuild-lock.txt | 4 ++-- 2 files changed, 18 insertions(+), 18 deletions(-) 
diff --git a/build/dependencies.props b/build/dependencies.props index 82d96af72e..5827c261b9 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -3,23 +3,23 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-20180911.1 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 + 2.2.0-preview1-20180918.1 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 2.3.2 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 - 2.2.0-preview3-35252 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 + 2.2.0-preview3-35301 3.14.2 2.0.9 2.1.3 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 1090ad6a92..8491de70e6 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-20180911.1 -commithash:ddfecdfc6e8e4859db5a0daea578070b862aac65 +version:2.2.0-preview1-20180918.1 +commithash:ad5e3fc53442741a0dd49bce437d2ac72f4b5800 From 1135ed21ccde210128c874b04675271ff4877eba Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Fri, 28 Sep 2018 17:10:32 -0700 Subject: [PATCH 485/493] automated: bulk infrastructure updates. Update bootstrapper scripts and remove unnecessary signing properties --- Directory.Build.props | 3 --- run.ps1 | 6 +++--- run.sh | 10 +++++----- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/Directory.Build.props b/Directory.Build.props index 4ff4dd7472..23c9a47ea4 100644 --- a/Directory.Build.props +++ b/Directory.Build.props 
@@ -14,9 +14,6 @@ $(MSBuildThisFileDirectory) $(MSBuildThisFileDirectory)build\Key.snk true - Microsoft - MicrosoftNuGet - true true diff --git a/run.ps1 b/run.ps1 index 3b27382468..34604c7175 100644 --- a/run.ps1 +++ b/run.ps1 @@ -52,8 +52,8 @@ in the file are overridden by command line parameters. Example config file: ```json { - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", - "channel": "dev", + "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/master/tools/korebuild.schema.json", + "channel": "master", "toolsSource": "https://aspnetcore.blob.core.windows.net/buildtools" } ``` @@ -192,7 +192,7 @@ if (!$DotNetHome) { else { Join-Path $PSScriptRoot '.dotnet'} } -if (!$Channel) { $Channel = 'dev' } +if (!$Channel) { $Channel = 'master' } if (!$ToolsSource) { $ToolsSource = 'https://aspnetcore.blob.core.windows.net/buildtools' } # Execute diff --git a/run.sh b/run.sh index 02aac15874..4c1fed5646 100755 --- a/run.sh +++ b/run.sh @@ -220,7 +220,7 @@ if [ -f "$config_file" ]; then config_channel="$(jq -r 'select(.channel!=null) | .channel' "$config_file")" config_tools_source="$(jq -r 'select(.toolsSource!=null) | .toolsSource' "$config_file")" else - _error "$config_file contains invalid JSON." + __error "$config_file contains invalid JSON." exit 1 fi elif __machine_has python ; then @@ -228,7 +228,7 @@ if [ -f "$config_file" ]; then config_channel="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" config_tools_source="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" else - _error "$config_file contains invalid JSON." + __error "$config_file contains invalid JSON." exit 1 fi elif __machine_has python3 ; then 
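Review bot: In the run.sh python branch (hunk at 228, and the python3 branch in the hunk at 236), `$config_file` is expanded by the shell inside the double-quoted `-c` string and lands in the Python source as `codecs.open('$config_file', ...)`. A path containing a single quote or backslash then changes the Python program text rather than only the file that gets opened. Passing the path as an argument avoids this: use `codecs.open(sys.argv[1], 'r', 'utf-8-sig')` with `sys` added to the import list and `"$config_file"` placed after the `-c` script. The jq branch already passes the path as a separate quoted argument. The enclosing `if [ -f "$config_file" ]` block starts outside these hunks, so where the path originates is not visible here.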
@@ -236,11 +236,11 @@ if [ -f "$config_file" ]; then config_channel="$(python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" config_tools_source="$(python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" else - _error "$config_file contains invalid JSON." + __error "$config_file contains invalid JSON." exit 1 fi else - _error 'Missing required command: jq or python. Could not parse the JSON file.' + __error 'Missing required command: jq or python. Could not parse the JSON file.' exit 1 fi @@ -248,7 +248,7 @@ if [ -f "$config_file" ]; then [ ! -z "${config_tools_source:-}" ] && tools_source="$config_tools_source" fi -[ -z "$channel" ] && channel='dev' +[ -z "$channel" ] && channel='master' [ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' get_korebuild From 018a252560e6412b05586cd999866205b8d45e42 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 30 Sep 2018 12:10:12 -0700 Subject: [PATCH 486/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 5827c261b9..9e5db07060 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,27 +3,27 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-20180918.1 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 + 2.2.0-preview1-20180928.5 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 2.3.2 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 - 2.2.0-preview3-35301 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 + 2.2.0-preview3-35359 3.14.2 2.0.9 2.1.3 - 2.2.0-preview2-26905-02 + 2.2.0-preview3-26927-02 15.6.1 4.5.0 4.7.49 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 8491de70e6..0507680073 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-20180918.1 -commithash:ad5e3fc53442741a0dd49bce437d2ac72f4b5800 +version:2.2.0-preview1-20180928.5 +commithash:43faa29f679f47b88689d645b39e6be5e0055d70 From 3acb4dd4e9a8dd55fc7a936bbe5659ab934b2310 Mon Sep 17 00:00:00 2001 From: "ASP.NET CI" Date: Sun, 7 Oct 2018 19:10:34 +0000 Subject: [PATCH 487/493] Update dependencies.props [auto-updated: dependencies] --- build/dependencies.props | 34 +++++++++++++++++----------------- korebuild-lock.txt | 4 ++-- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/build/dependencies.props b/build/dependencies.props index 9e5db07060..697407ea1f 100644 --- a/build/dependencies.props +++ b/build/dependencies.props 
@@ -3,27 +3,27 @@ $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - 2.2.0-preview1-20180928.5 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 + 2.2.0-preview2-20181004.6 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 2.3.2 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 - 2.2.0-preview3-35359 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 + 2.2.0-preview3-35425 3.14.2 2.0.9 2.1.3 - 2.2.0-preview3-26927-02 + 2.2.0-preview3-27001-02 15.6.1 4.5.0 4.7.49 diff --git a/korebuild-lock.txt b/korebuild-lock.txt index 0507680073..3e92dd5543 100644 --- a/korebuild-lock.txt +++ b/korebuild-lock.txt @@ -1,2 +1,2 @@ -version:2.2.0-preview1-20180928.5 -commithash:43faa29f679f47b88689d645b39e6be5e0055d70 +version:2.2.0-preview2-20181004.6 +commithash:c04c4b2f5018632647f96210ab01876661302dac From 3f5f419df8094be0203298a8001f721517d18a2c Mon Sep 17 00:00:00 2001 
From: BrennanConroy Date: Wed, 10 Oct 2018 16:40:52 -0700 Subject: [PATCH 488/493] Add Redis 2.0 package (#325) --- DataProtection.sln | 44 +++--- build/dependencies.props | 1 + samples/Redis/Program.cs | 3 +- samples/Redis/Redis.csproj | 4 +- .../baseline.netcore.json | 140 ------------------ ....DataProtection.StackExchangeRedis.csproj} | 2 +- .../RedisDataProtectionBuilderExtensions.cs | 17 ++- .../RedisXmlRepository.cs | 4 +- .../DataProtectionRedisTests.cs | 2 +- ...Protection.StackExchangeRedis.Test.csproj} | 2 +- ...edisDataProtectionBuilderExtensionsTest.cs | 4 +- .../TestRedisServer.cs | 0 .../TestRedisServerIsAvailableAttribute.cs | 0 .../testconfig.json | 0 14 files changed, 43 insertions(+), 180 deletions(-) delete mode 100644 src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json rename src/{Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj => Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj} (82%) rename src/{Microsoft.AspNetCore.DataProtection.Redis => Microsoft.AspNetCore.DataProtection.StackExchangeRedis}/RedisDataProtectionBuilderExtensions.cs (73%) rename src/{Microsoft.AspNetCore.DataProtection.Redis => Microsoft.AspNetCore.DataProtection.StackExchangeRedis}/RedisXmlRepository.cs (94%) rename test/{Microsoft.AspNetCore.DataProtection.Redis.Test => Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test}/DataProtectionRedisTests.cs (98%) rename test/{Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj => Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj} (91%) rename test/{Microsoft.AspNetCore.DataProtection.Redis.Test => Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test}/RedisDataProtectionBuilderExtensionsTest.cs (88%) rename test/{Microsoft.AspNetCore.DataProtection.Redis.Test => 
Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test}/TestRedisServer.cs (100%) rename test/{Microsoft.AspNetCore.DataProtection.Redis.Test => Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test}/TestRedisServerIsAvailableAttribute.cs (100%) rename test/{Microsoft.AspNetCore.DataProtection.Redis.Test => Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test}/testconfig.json (100%) diff --git a/DataProtection.sln b/DataProtection.sln index 7fb7eb0592..3e9512f1d9 100644 --- a/DataProtection.sln +++ b/DataProtection.sln 
@@ -53,14 +53,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataPr EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Extensions", "src\Microsoft.AspNetCore.DataProtection.Extensions\Microsoft.AspNetCore.DataProtection.Extensions.csproj", "{BF8681DB-C28B-441F-BD92-0DCFE9537A9F}" EndProject -Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Redis", "src\Microsoft.AspNetCore.DataProtection.Redis\Microsoft.AspNetCore.DataProtection.Redis.csproj", "{0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}" -EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.AzureStorage", "src\Microsoft.AspNetCore.DataProtection.AzureStorage\Microsoft.AspNetCore.DataProtection.AzureStorage.csproj", "{CC799B57-81E2-4F45-8A32-0D5F49753C3F}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AzureBlob", "samples\AzureBlob\AzureBlob.csproj", "{B07435B3-CD81-4E3B-88A5-6384821E1C01}" EndProject -Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.Redis.Test", "test\Microsoft.AspNetCore.DataProtection.Redis.Test\Microsoft.AspNetCore.DataProtection.Redis.Test.csproj", "{ABCF00E5-5B2F-469C-90DC-908C5A04C08D}" -EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.AzureStorage.Test", "test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test\Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj", "{8C41240E-48F8-402F-9388-74CFE27F4D76}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Redis", "samples\Redis\Redis.csproj", "{24AAEC96-DF46-4F61-B2FF-3D5E056685D9}" 
@@ -83,6 +79,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataPr EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "EntityFrameworkCoreSample", "samples\EntityFrameworkCoreSample\EntityFrameworkCoreSample.csproj", "{22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.StackExchangeRedis", "src\Microsoft.AspNetCore.DataProtection.StackExchangeRedis\Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj", "{57713B23-CCAB-44DB-A08D-55F9D236D05B}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test", "test\Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test\Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj", "{33BB1B86-64BF-45BB-A334-3E1A4802253C}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -175,14 +175,6 @@ Global {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|Any CPU.Build.0 = Release|Any CPU {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|x86.ActiveCfg = Release|Any CPU {BF8681DB-C28B-441F-BD92-0DCFE9537A9F}.Release|x86.Build.0 = Release|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|Any CPU.Build.0 = Debug|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|x86.ActiveCfg = Debug|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Debug|x86.Build.0 = Debug|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|Any CPU.ActiveCfg = Release|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|Any CPU.Build.0 = Release|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|x86.ActiveCfg = Release|Any CPU - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9}.Release|x86.Build.0 = Release|Any CPU {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Debug|Any CPU.Build.0 = Debug|Any CPU {CC799B57-81E2-4F45-8A32-0D5F49753C3F}.Debug|x86.ActiveCfg = Debug|Any CPU 
@@ -199,14 +191,6 @@ Global {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Release|Any CPU.Build.0 = Release|Any CPU {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Release|x86.ActiveCfg = Release|Any CPU {B07435B3-CD81-4E3B-88A5-6384821E1C01}.Release|x86.Build.0 = Release|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|Any CPU.Build.0 = Debug|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|x86.ActiveCfg = Debug|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Debug|x86.Build.0 = Debug|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|Any CPU.ActiveCfg = Release|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|Any CPU.Build.0 = Release|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|x86.ActiveCfg = Release|Any CPU - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D}.Release|x86.Build.0 = Release|Any CPU {8C41240E-48F8-402F-9388-74CFE27F4D76}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {8C41240E-48F8-402F-9388-74CFE27F4D76}.Debug|Any CPU.Build.0 = Debug|Any CPU {8C41240E-48F8-402F-9388-74CFE27F4D76}.Debug|x86.ActiveCfg = Debug|Any CPU 
@@ -295,6 +279,22 @@ Global
 {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Release|Any CPU.Build.0 = Release|Any CPU
 {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Release|x86.ActiveCfg = Release|Any CPU
 {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76}.Release|x86.Build.0 = Release|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Debug|x86.ActiveCfg = Debug|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Debug|x86.Build.0 = Debug|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Release|Any CPU.Build.0 = Release|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Release|x86.ActiveCfg = Release|Any CPU
+ {57713B23-CCAB-44DB-A08D-55F9D236D05B}.Release|x86.Build.0 = Release|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Debug|x86.ActiveCfg = Debug|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Debug|x86.Build.0 = Debug|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Release|Any CPU.Build.0 = Release|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Release|x86.ActiveCfg = Release|Any CPU
+ {33BB1B86-64BF-45BB-A334-3E1A4802253C}.Release|x86.Build.0 = Release|Any CPU
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE
@@ -311,10 +311,8 @@ Global {E3552DEB-4173-43AE-BF69-3C10DFF3BAB6} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {04AA8E60-A053-4D50-89FE-E76C3DF45200} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {BF8681DB-C28B-441F-BD92-0DCFE9537A9F} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} - {0508ADB0-9D2E-4506-9AA3-C15D7BEAE7C9} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {CC799B57-81E2-4F45-8A32-0D5F49753C3F} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {B07435B3-CD81-4E3B-88A5-6384821E1C01} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} - {ABCF00E5-5B2F-469C-90DC-908C5A04C08D} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {8C41240E-48F8-402F-9388-74CFE27F4D76} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {24AAEC96-DF46-4F61-B2FF-3D5E056685D9} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} {32CF970B-E2F1-4CD9-8DB3-F5715475373A} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} @@ -326,6 +324,8 @@ Global {06728BF2-C5EB-44C7-9F30-14FAA5649E14} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} {3E4CA7FE-741B-4C78-A775-220E0E3C1B03} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} {22BA4EAB-641E-42B2-BB37-9C3BCFD99F76} = {5A3A5DE3-49AD-431C-971D-B01B62D94AE2} + {57713B23-CCAB-44DB-A08D-55F9D236D05B} = {5FCB2DA3-5395-47F5-BCEE-E0EA319448EA} + {33BB1B86-64BF-45BB-A334-3E1A4802253C} = {60336AB3-948D-4D15-A5FB-F32A2B91E814} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {DD305D75-BD1B-43AE-BF04-869DA6A0858F} diff --git a/build/dependencies.props b/build/dependencies.props index 697407ea1f..df63bb1034 100644 --- a/build/dependencies.props +++ b/build/dependencies.props @@ -29,6 +29,7 @@ 4.7.49 2.0.3 1.2.6 + 2.0.513 4.5.0 4.5.0 8.1.4 diff --git a/samples/Redis/Program.cs b/samples/Redis/Program.cs index aa1cdf5164..57d910ae8f 100644 --- a/samples/Redis/Program.cs +++ b/samples/Redis/Program.cs 
@@ -3,6 +3,7 @@ using System; using Microsoft.AspNetCore.DataProtection; +using Microsoft.AspNetCore.DataProtection.StackExchangeRedis; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using StackExchange.Redis; @@ -20,7 +21,7 @@ namespace RedisSample using (var services = new ServiceCollection() .AddLogging(o => o.AddConsole().SetMinimumLevel(LogLevel.Debug)) .AddDataProtection() - .PersistKeysToRedis(redis, "DataProtection-Keys") + .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys") .Services .BuildServiceProvider()) { diff --git a/samples/Redis/Redis.csproj b/samples/Redis/Redis.csproj index 072dc402a4..39ba0fae98 100644 --- a/samples/Redis/Redis.csproj +++ b/samples/Redis/Redis.csproj @@ -1,4 +1,4 @@ - + net461;netcoreapp2.2 @@ -6,7 +6,7 @@ - + diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json b/src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json deleted file mode 100644 index 3a7f2aba07..0000000000 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/baseline.netcore.json +++ /dev/null 
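Review bot: The sample's builder chain in the second samples/Redis/Program.cs hunk ends at `.PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys")` with no key-encryption call after it, and Data Protection does not encrypt keys at rest on its own once a custom repository is configured. The key ring XML therefore lands in the Redis list in plain form, and anyone who can read that Redis instance can decrypt or forge every protected payload. Since samples get copied into real applications, I would add a comment above the call such as `// Keys are stored in Redis unencrypted unless a ProtectKeysWith* call is added; restrict access to this Redis instance.` or chain a `ProtectKeysWithCertificate(...)` call in the sample itself. The `using (var services = ...)` statement continues outside the hunk.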
@@ -1,140 +0,0 @@ -{ - "AssemblyIdentity": "Microsoft.AspNetCore.DataProtection.Redis, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60", - "Types": [ - { - "Name": "Microsoft.AspNetCore.DataProtection.RedisDataProtectionBuilderExtensions", - "Visibility": "Public", - "Kind": "Class", - "Abstract": true, - "Static": true, - "Sealed": true, - "ImplementedInterfaces": [], - "Members": [ - { - "Kind": "Method", - "Name": "PersistKeysToRedis", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "databaseFactory", - "Type": "System.Func" - }, - { - "Name": "key", - "Type": "StackExchange.Redis.RedisKey" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "PersistKeysToRedis", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "connectionMultiplexer", - "Type": "StackExchange.Redis.IConnectionMultiplexer" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "PersistKeysToRedis", - "Parameters": [ - { - "Name": "builder", - "Type": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder" - }, - { - "Name": "connectionMultiplexer", - "Type": "StackExchange.Redis.IConnectionMultiplexer" - }, - { - "Name": "key", - "Type": "StackExchange.Redis.RedisKey" - } - ], - "ReturnType": "Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder", - "Static": true, - "Extension": true, - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - }, - { - "Name": "Microsoft.AspNetCore.DataProtection.RedisXmlRepository", - "Visibility": "Public", - "Kind": 
"Class", - "ImplementedInterfaces": [ - "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository" - ], - "Members": [ - { - "Kind": "Method", - "Name": "GetAllElements", - "Parameters": [], - "ReturnType": "System.Collections.Generic.IReadOnlyCollection", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Method", - "Name": "StoreElement", - "Parameters": [ - { - "Name": "element", - "Type": "System.Xml.Linq.XElement" - }, - { - "Name": "friendlyName", - "Type": "System.String" - } - ], - "ReturnType": "System.Void", - "Sealed": true, - "Virtual": true, - "ImplementedInterface": "Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository", - "Visibility": "Public", - "GenericParameter": [] - }, - { - "Kind": "Constructor", - "Name": ".ctor", - "Parameters": [ - { - "Name": "databaseFactory", - "Type": "System.Func" - }, - { - "Name": "key", - "Type": "StackExchange.Redis.RedisKey" - } - ], - "Visibility": "Public", - "GenericParameter": [] - } - ], - "GenericParameters": [] - } - ] -} \ No newline at end of file diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj similarity index 82% rename from src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj rename to src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj index cab777d5f8..1aa6874fff 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj +++ b/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj @@ -13,7 +13,7 @@ - + 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs b/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs similarity index 73% rename from src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs rename to src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs index 97593cbb03..ead1b37db5 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs +++ b/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs @@ -5,13 +5,14 @@ using System; using StackExchange.Redis; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.DependencyInjection; +using Microsoft.AspNetCore.DataProtection.StackExchangeRedis; namespace Microsoft.AspNetCore.DataProtection { /// /// Contains Redis-specific extension methods for modifying a . /// - public static class RedisDataProtectionBuilderExtensions + public static class StackExchangeRedisDataProtectionBuilderExtensions { private const string DataProtectionKeysName = "DataProtection-Keys"; @@ -22,7 +23,7 @@ namespace Microsoft.AspNetCore.DataProtection /// The delegate used to create instances. /// The used to store key list. /// A reference to the after this operation has completed. - public static IDataProtectionBuilder PersistKeysToRedis(this IDataProtectionBuilder builder, Func databaseFactory, RedisKey key) + public static IDataProtectionBuilder PersistKeysToStackExchangeRedis(this IDataProtectionBuilder builder, Func databaseFactory, RedisKey key) { if (builder == null) { @@ -32,7 +33,7 @@ namespace Microsoft.AspNetCore.DataProtection { throw new ArgumentNullException(nameof(databaseFactory)); } - return PersistKeysToRedisInternal(builder, databaseFactory, key); + return PersistKeysToStackExchangeRedisInternal(builder, databaseFactory, key); } /// 
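Review bot: The type is renamed to `StackExchangeRedisDataProtectionBuilderExtensions` in the first hunk, but the rename header keeps the file as `RedisDataProtectionBuilderExtensions.cs`, so file and type names no longer match; renaming the file to `StackExchangeRedisDataProtectionBuilderExtensions.cs` would keep the one-type-per-file convention searchable. The added `using Microsoft.AspNetCore.DataProtection.StackExchangeRedis;` is appended after `Microsoft.Extensions.DependencyInjection` rather than placed next to the other `Microsoft.AspNetCore.DataProtection.*` directive. Because these are the public entry points for choosing where the key ring lives, the `<summary>` on each `PersistKeysToStackExchangeRedis` overload (this hunk and the ones that follow) would also benefit from one sentence saying that keys are not encrypted at rest unless an XML encryptor is configured separately.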
@@ -41,9 +42,9 @@ namespace Microsoft.AspNetCore.DataProtection /// The builder instance to modify. /// The for database access. /// A reference to the after this operation has completed. - public static IDataProtectionBuilder PersistKeysToRedis(this IDataProtectionBuilder builder, IConnectionMultiplexer connectionMultiplexer) + public static IDataProtectionBuilder PersistKeysToStackExchangeRedis(this IDataProtectionBuilder builder, IConnectionMultiplexer connectionMultiplexer) { - return PersistKeysToRedis(builder, connectionMultiplexer, DataProtectionKeysName); + return PersistKeysToStackExchangeRedis(builder, connectionMultiplexer, DataProtectionKeysName); } /// @@ -53,7 +54,7 @@ namespace Microsoft.AspNetCore.DataProtection /// The for database access. /// The used to store key list. /// A reference to the after this operation has completed. - public static IDataProtectionBuilder PersistKeysToRedis(this IDataProtectionBuilder builder, IConnectionMultiplexer connectionMultiplexer, RedisKey key) + public static IDataProtectionBuilder PersistKeysToStackExchangeRedis(this IDataProtectionBuilder builder, IConnectionMultiplexer connectionMultiplexer, RedisKey key) { if (builder == null) { @@ -63,10 +64,10 @@ namespace Microsoft.AspNetCore.DataProtection { throw new ArgumentNullException(nameof(connectionMultiplexer)); } - return PersistKeysToRedisInternal(builder, () => connectionMultiplexer.GetDatabase(), key); + return PersistKeysToStackExchangeRedisInternal(builder, () => connectionMultiplexer.GetDatabase(), key); } - private static IDataProtectionBuilder PersistKeysToRedisInternal(IDataProtectionBuilder builder, Func databaseFactory, RedisKey key) + private static IDataProtectionBuilder PersistKeysToStackExchangeRedisInternal(IDataProtectionBuilder builder, Func databaseFactory, RedisKey key) { builder.Services.Configure(options => { 
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs b/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs similarity index 94% rename from src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs rename to src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs index 87a9338f64..2665fd1408 100644 --- a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs +++ b/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs @@ -8,12 +8,12 @@ using System.Xml.Linq; using StackExchange.Redis; using Microsoft.AspNetCore.DataProtection.Repositories; -namespace Microsoft.AspNetCore.DataProtection +namespace Microsoft.AspNetCore.DataProtection.StackExchangeRedis { /// /// An XML repository backed by a Redis list entry. /// - public class RedisXmlRepository: IXmlRepository + public class RedisXmlRepository : IXmlRepository { private readonly Func _databaseFactory; private readonly RedisKey _key; diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs similarity index 98% rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs rename to test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs index c6bdad14cb..a204050ad1 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs +++ b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs @@ -13,7 +13,7 @@ using StackExchange.Redis; using Xunit; using Xunit.Abstractions; -namespace Microsoft.AspNetCore.DataProtection +namespace Microsoft.AspNetCore.DataProtection.StackExchangeRedis { public class DataProtectionRedisTests { 
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj similarity index 91% rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj rename to test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj index 5b2296721e..87f9f318bc 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj +++ b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj @@ -16,7 +16,7 @@ - + diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs similarity index 88% rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs rename to test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs index a3d8f82e33..2b4c2865c3 100644 --- a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs +++ b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs @@ -8,7 +8,7 @@ using Moq; using StackExchange.Redis; using Xunit; -namespace Microsoft.AspNetCore.DataProtection.Redis +namespace Microsoft.AspNetCore.DataProtection.StackExchangeRedis { public class RedisDataProtectionBuilderExtensionsTest { 
@@ -21,7 +21,7 @@ namespace Microsoft.AspNetCore.DataProtection.Redis var builder = serviceCollection.AddDataProtection(); // Act - builder.PersistKeysToRedis(connection); + builder.PersistKeysToStackExchangeRedis(connection); var services = serviceCollection.BuildServiceProvider(); // Assert diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServer.cs b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServer.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServer.cs rename to test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServer.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServerIsAvailableAttribute.cs b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServerIsAvailableAttribute.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/TestRedisServerIsAvailableAttribute.cs rename to test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServerIsAvailableAttribute.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/testconfig.json b/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/testconfig.json similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/testconfig.json rename to test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/testconfig.json From 4f14cda425b140d4c8d7acba57775d1196fab203 Mon Sep 17 00:00:00 2001 
From: Nate McMaster Date: Thu, 11 Oct 2018 20:41:35 -0700 Subject: [PATCH 489/493] Reorganize source code from aspnet/DataProtection into a subfolder Prior to reorg, this source existed at https://github.com/aspnet/DataProtection/tree/b62bb5778be59cbde9b2e6bbdef20f40eef42355 --- .appveyor.yml | 17 -- .github/ISSUE_TEMPLATE.md | 3 - .travis.yml | 27 -- CONTRIBUTING.md | 4 - DataProtection.sln.DotSettings | 2 - Directory.Build.props | 21 -- Directory.Build.targets | 7 - LICENSE.txt | 14 -- NuGet.config | 7 - NuGetPackageVerifier.json | 7 - README.md | 13 - build.cmd | 2 - build.sh | 8 - build/Key.snk | Bin 596 -> 0 bytes build/dependencies.props | 43 ---- build/repo.props | 15 -- build/sources.props | 17 -- korebuild-lock.txt | 2 - korebuild.json | 4 - run.cmd | 2 - run.ps1 | 196 --------------- run.sh | 231 ------------------ .../DataProtection/DataProtection.sln | 0 src/DataProtection/Directory.Build.props | 8 + .../DataProtection/Provision-AutoGenKeys.ps1 | 0 src/DataProtection/README.md | 8 + src/DataProtection/dependencies.props | 29 +++ .../samples}/AzureBlob/AzureBlob.csproj | 0 .../samples}/AzureBlob/Program.cs | 0 .../AzureKeyVault/AzureKeyVault.csproj | 0 .../samples}/AzureKeyVault/Program.cs | 0 .../samples}/AzureKeyVault/settings.json | 0 .../CustomBuilderExtensions.cs | 0 .../CustomEncryptorSample.csproj | 0 .../CustomXmlDecryptor.cs | 0 .../CustomXmlEncryptor.cs | 0 .../samples}/CustomEncryptorSample/Program.cs | 0 .../KeyManagementSample.csproj | 0 .../samples}/KeyManagementSample/Program.cs | 0 .../samples}/NonDISample/NonDISample.csproj | 0 .../samples}/NonDISample/Program.cs | 0 .../DataProtection/samples}/Redis/Program.cs | 0 .../samples}/Redis/Redis.csproj | 0 .../DataProtection/shared}/EncodingUtil.cs | 0 .../shared}/ExceptionExtensions.cs | 0 .../src}/Directory.Build.props | 0 .../BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | 0 .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 0 .../Cng/BCryptBuffer.cs | 0 .../Cng/BCryptBufferDesc.cs | 0 
.../Cng/BCryptEncryptFlags.cs | 0 .../Cng/BCryptGenRandomFlags.cs | 0 .../Cng/BCryptKeyDerivationBufferType.cs | 0 .../Cng/BCryptUtil.cs | 0 .../Cng/CachedAlgorithmHandles.cs | 0 .../Cng/NCryptEncryptFlags.cs | 0 .../Cng/OSVersionUtil.cs | 0 .../Constants.cs | 0 .../CryptoUtil.cs | 0 .../DATA_BLOB.cs | 0 ...ft.AspNetCore.Cryptography.Internal.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../SafeHandles/BCryptAlgorithmHandle.cs | 0 .../SafeHandles/BCryptHandle.cs | 0 .../SafeHandles/BCryptHashHandle.cs | 0 .../SafeHandles/BCryptKeyHandle.cs | 0 .../SafeHandles/LocalAllocHandle.cs | 0 .../SafeHandles/NCryptDescriptorHandle.cs | 0 .../SafeHandles/SafeLibraryHandle.cs | 0 .../SafeHandles/SecureLocalAllocHandle.cs | 0 .../UnsafeBufferUtil.cs | 0 .../UnsafeNativeMethods.cs | 0 .../WeakReferenceHelpers.cs | 0 .../baseline.netcore.json | 0 .../KeyDerivation.cs | 0 .../KeyDerivationPrf.cs | 0 ...pNetCore.Cryptography.KeyDerivation.csproj | 0 .../PBKDF2/IPbkdf2Provider.cs | 0 .../PBKDF2/ManagedPbkdf2Provider.cs | 0 .../PBKDF2/NetCorePbkdf2Provider.cs | 0 .../PBKDF2/Pbkdf2Util.cs | 0 .../PBKDF2/Win7Pbkdf2Provider.cs | 0 .../PBKDF2/Win8Pbkdf2Provider.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../baseline.netcore.json | 0 .../CryptoUtil.cs | 0 .../DataProtectionCommonExtensions.cs | 0 .../Error.cs | 0 .../IDataProtectionProvider.cs | 0 .../IDataProtector.cs | 0 .../IApplicationDiscriminator.cs | 0 ...NetCore.DataProtection.Abstractions.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../baseline.netcore.json | 0 .../AzureDataProtectionBuilderExtensions.cs | 0 .../AzureKeyVaultXmlDecryptor.cs | 0 .../AzureKeyVaultXmlEncryptor.cs | 0 .../IKeyVaultWrappingClient.cs | 0 .../KeyVaultClientWrapper.cs | 0 ...etCore.DataProtection.AzureKeyVault.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../AzureBlobXmlRepository.cs | 0 
.../AzureDataProtectionBuilderExtensions.cs | 0 ...NetCore.DataProtection.AzureStorage.csproj | 0 .../baseline.netcore.json | 0 .../BitHelpers.cs | 0 .../DataProtectionAdvancedExtensions.cs | 0 .../DataProtectionProvider.cs | 0 .../ITimeLimitedDataProtector.cs | 0 ...spNetCore.DataProtection.Extensions.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../TimeLimitedDataProtector.cs | 0 .../baseline.netcore.json | 0 ...oft.AspNetCore.DataProtection.Redis.csproj | 0 .../RedisDataProtectionBuilderExtensions.cs | 0 .../RedisXmlRepository.cs | 0 .../CompatibilityDataProtector.cs | 0 .../DataProtectionStartup.cs | 0 ...AspNetCore.DataProtection.SystemWeb.csproj | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../baseline.netframework.json | 0 .../web.config.transform | 0 .../ActivatorExtensions.cs | 0 .../ApplyPolicyAttribute.cs | 0 .../ArraySegmentExtensions.cs | 0 .../AlgorithmAssert.cs | 0 .../AuthenticatedEncryptorExtensions.cs | 0 .../AuthenticatedEncryptorFactory.cs | 0 .../CngCbcAuthenticatedEncryptorFactory.cs | 0 .../CngGcmAuthenticatedEncryptorFactory.cs | 0 .../AlgorithmConfiguration.cs | 0 .../AuthenticatedEncryptorConfiguration.cs | 0 .../AuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 ...gCbcAuthenticatedEncryptorConfiguration.cs | 0 .../CngCbcAuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 ...gGcmAuthenticatedEncryptorConfiguration.cs | 0 .../CngGcmAuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 .../IAuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 .../IInternalAlgorithmConfiguration.cs | 0 ...agedAuthenticatedEncryptorConfiguration.cs | 0 ...ManagedAuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 .../ConfigurationModel/SecretExtensions.cs | 0 
.../ConfigurationModel/XmlExtensions.cs | 0 .../XmlSerializedDescriptorInfo.cs | 0 .../EncryptionAlgorithm.cs | 0 .../IAuthenticatedEncryptor.cs | 0 .../IAuthenticatedEncryptorFactory.cs | 0 .../IOptimizedAuthenticatedEncryptor.cs | 0 .../ManagedAuthenticatedEncryptorFactory.cs | 0 .../ValidationAlgorithm.cs | 0 .../BitHelpers.cs | 0 .../Cng/BCryptGenRandomImpl.cs | 0 .../Cng/CbcAuthenticatedEncryptor.cs | 0 .../Cng/DpapiSecretSerializerHelper.cs | 0 .../Cng/GcmAuthenticatedEncryptor.cs | 0 .../Cng/IBCryptGenRandom.cs | 0 .../Internal/CngAuthenticatedEncryptorBase.cs | 0 .../DataProtectionBuilderExtensions.cs | 0 .../DataProtectionOptions.cs | 0 ...taProtectionServiceCollectionExtensions.cs | 0 .../DataProtectionUtilityExtensions.cs | 0 .../EphemeralDataProtectionProvider.cs | 0 .../Error.cs | 0 .../IDataProtectionBuilder.cs | 0 .../IPersistedDataProtector.cs | 0 .../IRegistryPolicyResolver.cs | 0 .../ISecret.cs | 0 .../Internal/DataProtectionBuilder.cs | 0 .../Internal/DataProtectionOptionsSetup.cs | 0 .../Internal/DataProtectionStartupFilter.cs | 0 .../Internal/DockerUtils.cs | 0 .../HostingApplicationDiscriminator.cs | 0 .../Internal/IActivator.cs | 0 .../Internal/KeyManagementOptionsSetup.cs | 0 .../KeyManagement/DefaultKeyResolver.cs | 0 .../KeyManagement/DeferredKey.cs | 0 .../KeyManagement/IKey.cs | 0 .../KeyManagement/IKeyEscrowSink.cs | 0 .../KeyManagement/IKeyManager.cs | 0 .../Internal/CacheableKeyRing.cs | 0 .../Internal/DefaultKeyResolution.cs | 0 .../Internal/ICacheableKeyRingProvider.cs | 0 .../Internal/IDefaultKeyResolver.cs | 0 .../Internal/IInternalXmlKeyManager.cs | 0 .../KeyManagement/Internal/IKeyRing.cs | 0 .../Internal/IKeyRingProvider.cs | 0 .../KeyManagement/Key.cs | 0 .../KeyManagement/KeyBase.cs | 0 .../KeyEscrowServiceProviderExtensions.cs | 0 .../KeyManagement/KeyExtensions.cs | 0 .../KeyManagement/KeyManagementOptions.cs | 0 .../KeyManagement/KeyRing.cs | 0 .../KeyRingBasedDataProtectionProvider.cs | 0 .../KeyRingBasedDataProtector.cs 
| 0 .../KeyManagement/KeyRingProvider.cs | 0 .../KeyManagement/XmlKeyManager.cs | 0 .../LoggingExtensions.cs | 0 .../LoggingServiceProviderExtensions.cs | 0 .../Managed/HashAlgorithmExtensions.cs | 0 .../Managed/IManagedGenRandom.cs | 0 .../Managed/ManagedAuthenticatedEncryptor.cs | 0 .../Managed/ManagedGenRandomImpl.cs | 0 .../Managed/SymmetricAlgorithmExtensions.cs | 0 .../MemoryProtection.cs | 0 ...Microsoft.AspNetCore.DataProtection.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../RegistryPolicy.cs | 0 .../RegistryPolicyResolver.cs | 0 .../Repositories/EphemeralXmlRepository.cs | 0 .../Repositories/FileSystemXmlRepository.cs | 0 .../Repositories/IXmlRepository.cs | 0 .../Repositories/RegistryXmlRepository.cs | 0 .../Resources.resx | 0 .../ISP800_108_CTR_HMACSHA512Provider.cs | 0 .../ManagedSP800_108_CTR_HMACSHA512.cs | 0 .../SP800_108_CTR_HMACSHA512Extensions.cs | 0 .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 0 .../Win7SP800_108_CTR_HMACSHA512Provider.cs | 0 .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 0 .../Secret.cs | 0 .../SimpleActivator.cs | 0 .../TypeExtensions.cs | 0 .../TypeForwardingActivator.cs | 0 .../XmlConstants.cs | 0 .../XmlEncryption/CertificateResolver.cs | 0 .../XmlEncryption/CertificateXmlEncryptor.cs | 0 .../DpapiNGProtectionDescriptorFlags.cs | 0 .../XmlEncryption/DpapiNGXmlDecryptor.cs | 0 .../XmlEncryption/DpapiNGXmlEncryptor.cs | 0 .../XmlEncryption/DpapiXmlDecryptor.cs | 0 .../XmlEncryption/DpapiXmlEncryptor.cs | 0 .../XmlEncryption/EncryptedXmlDecryptor.cs | 0 .../XmlEncryption/EncryptedXmlInfo.cs | 0 .../XmlEncryption/ICertificateResolver.cs | 0 .../IInternalCertificateXmlEncryptor.cs | 0 .../IInternalEncryptedXmlDecryptor.cs | 0 .../XmlEncryption/IXmlDecryptor.cs | 0 .../XmlEncryption/IXmlEncryptor.cs | 0 .../XmlEncryption/NullXmlDecryptor.cs | 0 .../XmlEncryption/NullXmlEncryptor.cs | 0 .../XmlEncryption/XmlEncryptionExtensions.cs | 0 .../XmlEncryption/XmlKeyDecryptionOptions.cs | 0 
.../XmlExtensions.cs | 0 .../baseline.netcore.json | 0 .../DataProtection/test}/CreateTestCert.ps1 | 0 .../test}/Directory.Build.props | 0 ...PT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs | 0 .../Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs | 0 .../Cng/BCryptUtilTests.cs | 0 .../Cng/CachedAlgorithmHandlesTests.cs | 0 .../CryptoUtilTests.cs | 0 ...pNetCore.Cryptography.Internal.Test.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../SecureLocalAllocHandleTests.cs | 0 .../UnsafeBufferUtilTests.cs | 0 .../WeakReferenceHelpersTests.cs | 0 ...ore.Cryptography.KeyDerivation.Test.csproj | 0 .../Pbkdf2Tests.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../DataProtectionCommonExtensionsTests.cs | 0 ...re.DataProtection.Abstractions.Test.csproj | 0 .../AzureKeyVaultXmlEncryptorTests.cs | 0 ...e.DataProtection.AzureKeyVault.Test.csproj | 0 .../AzureBlobXmlRepositoryTests.cs | 0 ...zureDataProtectionBuilderExtensionsTest.cs | 0 ...re.DataProtection.AzureStorage.Test.csproj | 0 .../DataProtectionAdvancedExtensionsTests.cs | 0 .../DataProtectionProviderTests.cs | 0 ...Core.DataProtection.Extensions.Test.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../TestFiles/TestCert.pfx | Bin .../TestFiles/TestCert2.pfx | Bin .../TimeLimitedDataProtectorTests.cs | 0 .../DataProtectionRedisTests.cs | 0 ...spNetCore.DataProtection.Redis.Test.csproj | 0 ...edisDataProtectionBuilderExtensionsTest.cs | 0 .../ActivatorTests.cs | 0 .../AnonymousImpersonation.cs | 0 ...CngCbcAuthenticatedEncryptorFactoryTest.cs | 0 ...CngGcmAuthenticatedEncryptorFactoryTest.cs | 0 ...tedEncryptorDescriptorDeserializerTests.cs | 0 .../AuthenticatedEncryptorDescriptorTests.cs | 0 ...uthenticatedEncryptorConfigurationTests.cs | 0 ...tedEncryptorDescriptorDeserializerTests.cs | 0 ...bcAuthenticatedEncryptorDescriptorTests.cs | 0 ...uthenticatedEncryptorConfigurationTests.cs | 0 ...tedEncryptorDescriptorDeserializerTests.cs | 0 ...cmAuthenticatedEncryptorDescriptorTests.cs | 0 ...uthenticatedEncryptorConfigurationTests.cs | 0 
...tedEncryptorDescriptorDeserializerTests.cs | 0 ...edAuthenticatedEncryptorDescriptorTests.cs | 0 ...anagedAuthenticatedEncryptorFactoryTest.cs | 0 .../Cng/CbcAuthenticatedEncryptorTests.cs | 0 .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 0 .../Cng/GcmAuthenticatedEncryptorTests.cs | 0 .../DataProtectionUtilityExtensionsTests.cs | 0 .../DockerUtilsTests.cs | 0 .../EphemeralDataProtectionProviderTests.cs | 0 .../HostingTests.cs | 0 .../Internal/KeyManagementOptionsSetupTest.cs | 0 .../KeyManagement/CacheableKeyRingTests.cs | 0 .../KeyManagement/DefaultKeyResolverTests.cs | 0 .../KeyManagement/DeferredKeyTests.cs | 0 ...KeyEscrowServiceProviderExtensionsTests.cs | 0 .../KeyRingBasedDataProtectorTests.cs | 0 .../KeyManagement/KeyRingProviderTests.cs | 0 .../KeyManagement/KeyRingTests.cs | 0 .../KeyManagement/KeyTests.cs | 0 .../KeyManagement/XmlKeyManagerTests.cs | 0 .../ManagedAuthenticatedEncryptorTests.cs | 0 ...soft.AspNetCore.DataProtection.Test.csproj | 0 .../MockExtensions.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../RegistryPolicyResolverTests.cs | 0 .../EphemeralXmlRepositoryTests.cs | 0 .../FileSystemXmlRepositoryTests.cs | 0 .../RegistryXmlRepositoryTests.cs | 0 .../SP800_108/SP800_108Tests.cs | 0 .../SecretAssert.cs | 0 .../SecretTests.cs | 0 .../SequentialGenRandom.cs | 0 .../ServiceCollectionTests.cs | 0 .../StringLoggerFactory.cs | 0 .../TestFiles/TestCert1.PublicKeyOnly.cer | Bin .../TestFiles/TestCert1.pfx | Bin .../TestFiles/TestCert2.pfx | Bin .../TypeForwardingActivatorTests.cs | 0 .../XmlAssert.cs | 0 .../CertificateXmlEncryptionTests.cs | 0 .../DpapiNGXmlEncryptionTests.cs | 0 .../XmlEncryption/DpapiXmlEncryptionTests.cs | 0 .../EncryptedXmlDecryptorTests.cs | 0 .../XmlEncryption/NullXmlEncryptionTests.cs | 0 .../XmlEncryptionExtensionsTests.cs | 0 ...onalRunTestOnlyWindows8OrLaterAttribute.cs | 0 .../ConditionalRunTestOnlyWindowsAttribute.cs | 0 .../test}/shared/ExceptionAssert2.cs | 0 .../DataProtection/version.props | 0 351 files 
changed, 45 insertions(+), 642 deletions(-) delete mode 100644 .appveyor.yml delete mode 100644 .github/ISSUE_TEMPLATE.md delete mode 100644 .travis.yml delete mode 100644 CONTRIBUTING.md delete mode 100644 DataProtection.sln.DotSettings delete mode 100644 Directory.Build.props delete mode 100644 Directory.Build.targets delete mode 100644 LICENSE.txt delete mode 100644 NuGet.config delete mode 100644 NuGetPackageVerifier.json delete mode 100644 README.md delete mode 100644 build.cmd delete mode 100755 build.sh delete mode 100644 build/Key.snk delete mode 100644 build/dependencies.props delete mode 100644 build/repo.props delete mode 100644 build/sources.props delete mode 100644 korebuild-lock.txt delete mode 100644 korebuild.json delete mode 100644 run.cmd delete mode 100644 run.ps1 delete mode 100755 run.sh rename DataProtection.sln => src/DataProtection/DataProtection.sln (100%) create mode 100644 src/DataProtection/Directory.Build.props rename Provision-AutoGenKeys.ps1 => src/DataProtection/Provision-AutoGenKeys.ps1 (100%) create mode 100644 src/DataProtection/README.md create mode 100644 src/DataProtection/dependencies.props rename {samples => src/DataProtection/samples}/AzureBlob/AzureBlob.csproj (100%) rename {samples => src/DataProtection/samples}/AzureBlob/Program.cs (100%) rename {samples => src/DataProtection/samples}/AzureKeyVault/AzureKeyVault.csproj (100%) rename {samples => src/DataProtection/samples}/AzureKeyVault/Program.cs (100%) rename {samples => src/DataProtection/samples}/AzureKeyVault/settings.json (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomBuilderExtensions.cs (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomEncryptorSample.csproj (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomXmlDecryptor.cs (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomXmlEncryptor.cs (100%) rename {samples => 
src/DataProtection/samples}/CustomEncryptorSample/Program.cs (100%) rename {samples => src/DataProtection/samples}/KeyManagementSample/KeyManagementSample.csproj (100%) rename {samples => src/DataProtection/samples}/KeyManagementSample/Program.cs (100%) rename {samples => src/DataProtection/samples}/NonDISample/NonDISample.csproj (100%) rename {samples => src/DataProtection/samples}/NonDISample/Program.cs (100%) rename {samples => src/DataProtection/samples}/Redis/Program.cs (100%) rename {samples => src/DataProtection/samples}/Redis/Redis.csproj (100%) rename {shared => src/DataProtection/shared}/EncodingUtil.cs (100%) rename {shared => src/DataProtection/shared}/ExceptionExtensions.cs (100%) rename src/{ => DataProtection/src}/Directory.Build.props (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/BitHelpers.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Error.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ISecret.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Secret.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlConstants.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/baseline.netcore.json (100%) rename {test => src/DataProtection/test}/CreateTestCert.ps1 (100%) rename {test => src/DataProtection/test}/Directory.Build.props (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs (100%) 
rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs (100%) rename {test => src/DataProtection/test}/shared/ConditionalRunTestOnlyWindowsAttribute.cs (100%) rename {test => src/DataProtection/test}/shared/ExceptionAssert2.cs (100%) rename version.props => src/DataProtection/version.props (100%) diff --git a/.appveyor.yml b/.appveyor.yml deleted file mode 100644 index 4eea96ab69..0000000000 --- a/.appveyor.yml +++ /dev/null @@ -1,17 +0,0 @@ -init: -- git config --global core.autocrlf true -branches: - only: - - dev - - /^release\/.*$/ - - /^(.*\/)?ci-.*$/ -build_script: -- ps: .\run.ps1 default-build -clone_depth: 1 -environment: - global: - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true - DOTNET_CLI_TELEMETRY_OPTOUT: 1 -test: 'off' -deploy: 'off' -os: Visual Studio 2017 
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md deleted file mode 100644 index 101a084f0a..0000000000 --- a/.github/ISSUE_TEMPLATE.md +++ /dev/null @@ -1,3 +0,0 @@ -THIS ISSUE TRACKER IS CLOSED - please log new issues here: https://github.com/aspnet/Home/issues - -For information about this change, see https://github.com/aspnet/Announcements/issues/283 diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 64bdbb4441..0000000000 --- a/.travis.yml +++ /dev/null @@ -1,27 +0,0 @@ -language: csharp -sudo: false -dist: trusty -env: - global: - - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true - - DOTNET_CLI_TELEMETRY_OPTOUT: 1 -mono: none -os: -- linux -- osx -osx_image: xcode8.2 -addons: - apt: - packages: - - libunwind8 -branches: - only: - - dev - - /^release\/.*$/ - - /^(.*\/)?ci-.*$/ -before_install: -- if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s - /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib - /usr/local/lib/; fi -script: -- ./build.sh diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 64ff041d5c..0000000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1,4 +0,0 @@ -Contributing -====== - -Information on contributing to this repo is in the [Contributing Guide](https://github.com/aspnet/Home/blob/dev/CONTRIBUTING.md) in the Home repo. diff --git a/DataProtection.sln.DotSettings b/DataProtection.sln.DotSettings deleted file mode 100644 index c843b27a2b..0000000000 --- a/DataProtection.sln.DotSettings +++ /dev/null @@ -1,2 +0,0 @@ - - False \ No newline at end of file diff --git a/Directory.Build.props b/Directory.Build.props deleted file mode 100644 index 67065031f3..0000000000 --- a/Directory.Build.props +++ /dev/null 
@@ -1,21 +0,0 @@ - - - - - - - - - Microsoft ASP.NET Core - https://github.com/aspnet/DataProtection - git - $(MSBuildThisFileDirectory) - $(MSBuildThisFileDirectory)build\Key.snk - true - true - true - - - diff --git a/Directory.Build.targets b/Directory.Build.targets deleted file mode 100644 index 53b3f6e1da..0000000000 --- a/Directory.Build.targets +++ /dev/null @@ -1,7 +0,0 @@ - - - $(MicrosoftNETCoreApp20PackageVersion) - $(MicrosoftNETCoreApp21PackageVersion) - $(NETStandardLibrary20PackageVersion) - - diff --git a/LICENSE.txt b/LICENSE.txt deleted file mode 100644 index 7b2956ecee..0000000000 --- a/LICENSE.txt +++ /dev/null @@ -1,14 +0,0 @@ -Copyright (c) .NET Foundation and Contributors - -All rights reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); you may not use -this file except in compliance with the License. You may obtain a copy of the -License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software distributed -under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. See the License for the -specific language governing permissions and limitations under the License. diff --git a/NuGet.config b/NuGet.config deleted file mode 100644 index e32bddfd51..0000000000 --- a/NuGet.config +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - - diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json deleted file mode 100644 index b153ab1515..0000000000 --- a/NuGetPackageVerifier.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "Default": { - "rules": [ - "DefaultCompositeRule" - ] - } -} \ No newline at end of file diff --git a/README.md b/README.md deleted file mode 100644 index 7d9704e3f7..0000000000 --- a/README.md +++ /dev/null 
@@ -1,13 +0,0 @@ -DataProtection -============== -AppVeyor: [![AppVeyor](https://ci.appveyor.com/api/projects/status/4mki61bux5vby6it/branch/dev?svg=true)](https://ci.appveyor.com/project/aspnetci/DataProtection/branch/dev) - -Travis: [![Travis](https://travis-ci.org/aspnet/DataProtection.svg?branch=dev)](https://travis-ci.org/aspnet/DataProtection) - -Data Protection APIs for protecting and unprotecting data. - -This project is part of ASP.NET Core. You can find documentation for Data Protection in the [ASP.NET Core Documentation](http://docs.asp.net/en/latest/security/data-protection/index.html). You can find samples, documentation and getting started instructions for ASP.NET Core at the [Home](https://github.com/aspnet/home) repo. - -## Community Maintained Data Protection Providers & Projects - - - [ASP.NET Core DataProtection for Service Fabric](https://github.com/MedAnd/AspNetCore.DataProtection.ServiceFabric) diff --git a/build.cmd b/build.cmd deleted file mode 100644 index c0050bda12..0000000000 --- a/build.cmd +++ /dev/null @@ -1,2 +0,0 @@ -@ECHO OFF -PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0run.ps1' default-build %*; exit $LASTEXITCODE" diff --git a/build.sh b/build.sh deleted file mode 100755 index 98a4b22765..0000000000 --- a/build.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# Call "sync" between "chmod" and execution to prevent "text file busy" error in Docker (aufs) -chmod +x "$DIR/run.sh"; sync -"$DIR/run.sh" default-build "$@" 
diff --git a/build/Key.snk b/build/Key.snk deleted file mode 100644 index e10e4889c125d3120cd9e81582243d70f7cbb806..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 596 zcmV-a0;~N80ssI2Bme+XQ$aES1ONa50098=Iw=HCsnz~#iVhm& zj%TU(_THUee?3yHBjk$37ysB?i5#7WD$={H zV4B!OxRPrb|8)HPg~A}8P>^=#y<)56#=E&NzcjOtPK~<4n6GHt=K$ro*T(lhby_@U zEk(hLzk1H)0yXj{A_5>fk-TgNoP|q6(tP2xo8zt8i%212CWM#AeCd?`hS|4~L({h~Moo(~vy&3Z z1uI}`fd^*>o=rwbAGymj6RM^pZm(*Kfhs+Y1#`-2JPWZMK8@;ZWCk2+9bX4YP);~fj-BU*R zQPvWv$89!{Rl9wM+zR>_TSkn^voYxA?2G iKnV#iZ6Ah`K>b=@=IjYJXrxL124zR(38)nxe+&q_$QXwJ diff --git a/build/dependencies.props b/build/dependencies.props deleted file mode 100644 index 85e623d5d6..0000000000 --- a/build/dependencies.props +++ /dev/null @@ -1,43 +0,0 @@ - - - $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - - - - - 2.1.3-rtm-15802 - 2.3.2 - 3.14.2 - 2.0.0 - 2.1.2 - 15.6.1 - 4.5.0 - 4.7.49 - 2.0.3 - 1.2.4 - 4.5.0 - 4.5.0 - 8.1.4 - 2.3.1 - 2.4.0-beta.1.build3945 - - - - - - - - 2.1.1 - 2.1.1 - 2.1.0 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - 2.1.1 - - \ No newline at end of file diff --git a/build/repo.props b/build/repo.props deleted file mode 100644 index dab1601c88..0000000000 --- a/build/repo.props +++ /dev/null @@ -1,15 +0,0 @@ - - - - - - Internal.AspNetCore.Universe.Lineup - 2.1.0-rc1-* - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json - - - - - - - diff --git a/build/sources.props b/build/sources.props deleted file mode 100644 index 9215df9751..0000000000 --- a/build/sources.props +++ /dev/null @@ -1,17 +0,0 @@ - - - - - $(DotNetRestoreSources) - - $(RestoreSources); - https://dotnet.myget.org/F/dotnet-core/api/v3/index.json; - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json; - https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json; - - - $(RestoreSources); - https://api.nuget.org/v3/index.json; - - - 
diff --git a/korebuild-lock.txt b/korebuild-lock.txt
deleted file mode 100644
index 1dfc352a0a..0000000000
--- a/korebuild-lock.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-version:2.1.3-rtm-15802
-commithash:a7c08b45b440a7d2058a0aa1eaa3eb6ba811976a
diff --git a/korebuild.json b/korebuild.json
deleted file mode 100644
index 678d8bb948..0000000000
--- a/korebuild.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/release/2.1/tools/korebuild.schema.json",
- "channel": "release/2.1"
-}
diff --git a/run.cmd b/run.cmd
deleted file mode 100644
index d52d5c7e68..0000000000
--- a/run.cmd
+++ /dev/null
@@ -1,2 +0,0 @@
-@ECHO OFF
-PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0run.ps1' %*; exit $LASTEXITCODE"
diff --git a/run.ps1 b/run.ps1
deleted file mode 100644
index 27dcf848f8..0000000000
--- a/run.ps1
+++ /dev/null
@@ -1,196 +0,0 @@ -#!/usr/bin/env powershell -#requires -version 4 - -<# -.SYNOPSIS -Executes KoreBuild commands. - -.DESCRIPTION -Downloads korebuild if required. Then executes the KoreBuild command. To see available commands, execute with `-Command help`. - -.PARAMETER Command -The KoreBuild command to run. - -.PARAMETER Path -The folder to build. Defaults to the folder containing this script. - -.PARAMETER Channel -The channel of KoreBuild to download. Overrides the value from the config file. - -.PARAMETER DotNetHome -The directory where .NET Core tools will be stored. - -.PARAMETER ToolsSource -The base url where build tools can be downloaded. Overrides the value from the config file. - -.PARAMETER Update -Updates KoreBuild to the latest version even if a lock file is present. - -.PARAMETER ConfigFile -The path to the configuration file that stores values. Defaults to korebuild.json. - -.PARAMETER ToolsSourceSuffix -The Suffix to append to the end of the ToolsSource. Useful for query strings in blob stores. - -.PARAMETER Arguments -Arguments to be passed to the command - -.NOTES -This function will create a file $PSScriptRoot/korebuild-lock.txt. This lock file can be committed to source, but does not have to be. -When the lockfile is not present, KoreBuild will create one using latest available version from $Channel. - -The $ConfigFile is expected to be an JSON file. It is optional, and the configuration values in it are optional as well. Any options set -in the file are overridden by command line parameters. 
- -.EXAMPLE -Example config file: -```json -{ - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/dev/tools/korebuild.schema.json", - "channel": "dev", - "toolsSource": "https://aspnetcore.blob.core.windows.net/buildtools" -} -``` -#> -[CmdletBinding(PositionalBinding = $false)] -param( - [Parameter(Mandatory = $true, Position = 0)] - [string]$Command, - [string]$Path = $PSScriptRoot, - [Alias('c')] - [string]$Channel, - [Alias('d')] - [string]$DotNetHome, - [Alias('s')] - [string]$ToolsSource, - [Alias('u')] - [switch]$Update, - [string]$ConfigFile, - [string]$ToolsSourceSuffix, - [Parameter(ValueFromRemainingArguments = $true)] - [string[]]$Arguments -) - -Set-StrictMode -Version 2 -$ErrorActionPreference = 'Stop' - -# -# Functions -# - -function Get-KoreBuild { - - $lockFile = Join-Path $Path 'korebuild-lock.txt' - - if (!(Test-Path $lockFile) -or $Update) { - Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $lockFile $ToolsSourceSuffix - } - - $version = Get-Content $lockFile | Where-Object { $_ -like 'version:*' } | Select-Object -first 1 - if (!$version) { - Write-Error "Failed to parse version from $lockFile. 
Expected a line that begins with 'version:'" - } - $version = $version.TrimStart('version:').Trim() - $korebuildPath = Join-Paths $DotNetHome ('buildtools', 'korebuild', $version) - - if (!(Test-Path $korebuildPath)) { - Write-Host -ForegroundColor Magenta "Downloading KoreBuild $version" - New-Item -ItemType Directory -Path $korebuildPath | Out-Null - $remotePath = "$ToolsSource/korebuild/artifacts/$version/korebuild.$version.zip" - - try { - $tmpfile = Join-Path ([IO.Path]::GetTempPath()) "KoreBuild-$([guid]::NewGuid()).zip" - Get-RemoteFile $remotePath $tmpfile $ToolsSourceSuffix - if (Get-Command -Name 'Expand-Archive' -ErrorAction Ignore) { - # Use built-in commands where possible as they are cross-plat compatible - Expand-Archive -Path $tmpfile -DestinationPath $korebuildPath - } - else { - # Fallback to old approach for old installations of PowerShell - Add-Type -AssemblyName System.IO.Compression.FileSystem - [System.IO.Compression.ZipFile]::ExtractToDirectory($tmpfile, $korebuildPath) - } - } - catch { - Remove-Item -Recurse -Force $korebuildPath -ErrorAction Ignore - throw - } - finally { - Remove-Item $tmpfile -ErrorAction Ignore - } - } - - return $korebuildPath -} - -function Join-Paths([string]$path, [string[]]$childPaths) { - $childPaths | ForEach-Object { $path = Join-Path $path $_ } - return $path -} - -function Get-RemoteFile([string]$RemotePath, [string]$LocalPath, [string]$RemoteSuffix) { - if ($RemotePath -notlike 'http*') { - Copy-Item $RemotePath $LocalPath - return - } - - $retries = 10 - while ($retries -gt 0) { - $retries -= 1 - try { - Invoke-WebRequest -UseBasicParsing -Uri $($RemotePath + $RemoteSuffix) -OutFile $LocalPath - return - } - catch { - Write-Verbose "Request failed. $retries retries remaining" - } - } - - Write-Error "Download failed: '$RemotePath'." 
-} - -# -# Main -# - -# Load configuration or set defaults - -$Path = Resolve-Path $Path -if (!$ConfigFile) { $ConfigFile = Join-Path $Path 'korebuild.json' } - -if (Test-Path $ConfigFile) { - try { - $config = Get-Content -Raw -Encoding UTF8 -Path $ConfigFile | ConvertFrom-Json - if ($config) { - if (!($Channel) -and (Get-Member -Name 'channel' -InputObject $config)) { [string] $Channel = $config.channel } - if (!($ToolsSource) -and (Get-Member -Name 'toolsSource' -InputObject $config)) { [string] $ToolsSource = $config.toolsSource} - } - } - catch { - Write-Warning "$ConfigFile could not be read. Its settings will be ignored." - Write-Warning $Error[0] - } -} - -if (!$DotNetHome) { - $DotNetHome = if ($env:DOTNET_HOME) { $env:DOTNET_HOME } ` - elseif ($env:USERPROFILE) { Join-Path $env:USERPROFILE '.dotnet'} ` - elseif ($env:HOME) {Join-Path $env:HOME '.dotnet'}` - else { Join-Path $PSScriptRoot '.dotnet'} -} - -if (!$Channel) { $Channel = 'dev' } -if (!$ToolsSource) { $ToolsSource = 'https://aspnetcore.blob.core.windows.net/buildtools' } - -# Execute - -$korebuildPath = Get-KoreBuild -Import-Module -Force -Scope Local (Join-Path $korebuildPath 'KoreBuild.psd1') - -try { - Set-KoreBuildSettings -ToolsSource $ToolsSource -DotNetHome $DotNetHome -RepoPath $Path -ConfigFile $ConfigFile - Invoke-KoreBuildCommand $Command @Arguments -} -finally { - Remove-Module 'KoreBuild' -ErrorAction Ignore -} diff --git a/run.sh b/run.sh deleted file mode 100755 index 834961fc3a..0000000000 --- a/run.sh +++ /dev/null 
@@ -1,231 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# -# variables -# - -RESET="\033[0m" -RED="\033[0;31m" -YELLOW="\033[0;33m" -MAGENTA="\033[0;95m" -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -[ -z "${DOTNET_HOME:-}" ] && DOTNET_HOME="$HOME/.dotnet" -verbose=false -update=false -repo_path="$DIR" -channel='' -tools_source='' -tools_source_suffix='' - -# -# Functions -# -__usage() { - echo "Usage: $(basename "${BASH_SOURCE[0]}") command [options] [[--] ...]" - echo "" - echo "Arguments:" - echo " command The command to be run." - echo " ... Arguments passed to the command. Variable number of arguments allowed." - echo "" - echo "Options:" - echo " --verbose Show verbose output." - echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." - echo " --config-file The path to the configuration file that stores values. Defaults to korebuild.json." - echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." - echo " --path The directory to build. Defaults to the directory containing the script." - echo " -s|--tools-source|-ToolsSource The base url where build tools can be downloaded. Overrides the value from the config file." - echo " --tools-source-suffix|-ToolsSourceSuffix The suffix to append to tools-source. Useful for query strings." - echo " -u|--update Update to the latest KoreBuild even if the lock file is present." - echo "" - echo "Description:" - echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." - echo " When the lockfile is not present, KoreBuild will create one using latest available version from \$channel." - - if [[ "${1:-}" != '--no-exit' ]]; then - exit 2 - fi -} - -get_korebuild() { - local version - local lock_file="$repo_path/korebuild-lock.txt" - if [ ! 
-f "$lock_file" ] || [ "$update" = true ]; then - __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" "$tools_source_suffix" - fi - version="$(grep 'version:*' -m 1 "$lock_file")" - if [[ "$version" == '' ]]; then - __error "Failed to parse version from $lock_file. Expected a line that begins with 'version:'" - return 1 - fi - version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" - local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" - - { - if [ ! -d "$korebuild_path" ]; then - mkdir -p "$korebuild_path" - local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" - tmpfile="$(mktemp)" - echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" - if __get_remote_file "$remote_path" "$tmpfile" "$tools_source_suffix"; then - unzip -q -d "$korebuild_path" "$tmpfile" - fi - rm "$tmpfile" || true - fi - - source "$korebuild_path/KoreBuild.sh" - } || { - if [ -d "$korebuild_path" ]; then - echo "Cleaning up after failed installation" - rm -rf "$korebuild_path" || true - fi - return 1 - } -} - -__error() { - echo -e "${RED}error: $*${RESET}" 1>&2 -} - -__warn() { - echo -e "${YELLOW}warning: $*${RESET}" -} - -__machine_has() { - hash "$1" > /dev/null 2>&1 - return $? 
-} - -__get_remote_file() { - local remote_path=$1 - local local_path=$2 - local remote_path_suffix=$3 - - if [[ "$remote_path" != 'http'* ]]; then - cp "$remote_path" "$local_path" - return 0 - fi - - local failed=false - if __machine_has wget; then - wget --tries 10 --quiet -O "$local_path" "${remote_path}${remote_path_suffix}" || failed=true - else - failed=true - fi - - if [ "$failed" = true ] && __machine_has curl; then - failed=false - curl --retry 10 -sSL -f --create-dirs -o "$local_path" "${remote_path}${remote_path_suffix}" || failed=true - fi - - if [ "$failed" = true ]; then - __error "Download failed: $remote_path" 1>&2 - return 1 - fi -} - -# -# main -# - -command="${1:-}" -shift - -while [[ $# -gt 0 ]]; do - case $1 in - -\?|-h|--help) - __usage --no-exit - exit 0 - ;; - -c|--channel|-Channel) - shift - channel="${1:-}" - [ -z "$channel" ] && __usage - ;; - --config-file|-ConfigFile) - shift - config_file="${1:-}" - [ -z "$config_file" ] && __usage - if [ ! -f "$config_file" ]; then - __error "Invalid value for --config-file. $config_file does not exist." - exit 1 - fi - ;; - -d|--dotnet-home|-DotNetHome) - shift - DOTNET_HOME="${1:-}" - [ -z "$DOTNET_HOME" ] && __usage - ;; - --path|-Path) - shift - repo_path="${1:-}" - [ -z "$repo_path" ] && __usage - ;; - -s|--tools-source|-ToolsSource) - shift - tools_source="${1:-}" - [ -z "$tools_source" ] && __usage - ;; - --tools-source-suffix|-ToolsSourceSuffix) - shift - tools_source_suffix="${1:-}" - [ -z "$tools_source_suffix" ] && __usage - ;; - -u|--update|-Update) - update=true - ;; - --verbose|-Verbose) - verbose=true - ;; - --) - shift - break - ;; - *) - break - ;; - esac - shift -done - -if ! __machine_has unzip; then - __error 'Missing required command: unzip' - exit 1 -fi - -if ! __machine_has curl && ! __machine_has wget; then - __error 'Missing required command. Either wget or curl is required.' 
- exit 1 -fi - -[ -z "${config_file:-}" ] && config_file="$repo_path/korebuild.json" -if [ -f "$config_file" ]; then - if __machine_has jq ; then - if jq '.' "$config_file" >/dev/null ; then - config_channel="$(jq -r 'select(.channel!=null) | .channel' "$config_file")" - config_tools_source="$(jq -r 'select(.toolsSource!=null) | .toolsSource' "$config_file")" - else - __warn "$config_file is invalid JSON. Its settings will be ignored." - fi - elif __machine_has python ; then - if python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'))" >/dev/null ; then - config_channel="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" - config_tools_source="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" - else - __warn "$config_file is invalid JSON. Its settings will be ignored." - fi - else - __warn 'Missing required command: jq or pyton. Could not parse the JSON file. Its settings will be ignored.' - fi - - [ ! -z "${config_channel:-}" ] && channel="$config_channel" - [ ! -z "${config_tools_source:-}" ] && tools_source="$config_tools_source" -fi - -[ -z "$channel" ] && channel='dev' -[ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' - -get_korebuild -set_korebuildsettings "$tools_source" "$DOTNET_HOME" "$repo_path" "$config_file" -invoke_korebuild_command "$command" "$@" diff --git a/DataProtection.sln b/src/DataProtection/DataProtection.sln similarity index 100% rename from DataProtection.sln rename to src/DataProtection/DataProtection.sln diff --git a/src/DataProtection/Directory.Build.props b/src/DataProtection/Directory.Build.props new file mode 100644 index 0000000000..deb7bb4ee6 --- /dev/null +++ b/src/DataProtection/Directory.Build.props @@ -0,0 +1,8 @@ + + + + + + + + 
diff --git a/Provision-AutoGenKeys.ps1 b/src/DataProtection/Provision-AutoGenKeys.ps1 similarity index 100% rename from Provision-AutoGenKeys.ps1 rename to src/DataProtection/Provision-AutoGenKeys.ps1 diff --git a/src/DataProtection/README.md b/src/DataProtection/README.md new file mode 100644 index 0000000000..cd58074d9e --- /dev/null +++ b/src/DataProtection/README.md @@ -0,0 +1,8 @@ +DataProtection +============== + +Data Protection APIs for protecting and unprotecting data. You can find documentation for Data Protection in the [ASP.NET Core Documentation](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/). + +## Community Maintained Data Protection Providers & Projects + + - [ASP.NET Core DataProtection for Service Fabric](https://github.com/MedAnd/AspNetCore.DataProtection.ServiceFabric) diff --git a/src/DataProtection/dependencies.props b/src/DataProtection/dependencies.props new file mode 100644 index 0000000000..7a7089d81f --- /dev/null +++ b/src/DataProtection/dependencies.props @@ -0,0 +1,29 @@ + + + $(MSBuildAllProjects);$(MSBuildThisFileFullPath) + + + + + 2.1.3-rtm-15822 + + + + + 2.1.1 + 2.1.1 + 2.1.0 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + 2.1.1 + + diff --git a/samples/AzureBlob/AzureBlob.csproj b/src/DataProtection/samples/AzureBlob/AzureBlob.csproj similarity index 100% rename from samples/AzureBlob/AzureBlob.csproj rename to src/DataProtection/samples/AzureBlob/AzureBlob.csproj diff --git a/samples/AzureBlob/Program.cs b/src/DataProtection/samples/AzureBlob/Program.cs similarity index 100% rename from samples/AzureBlob/Program.cs rename to src/DataProtection/samples/AzureBlob/Program.cs diff --git a/samples/AzureKeyVault/AzureKeyVault.csproj b/src/DataProtection/samples/AzureKeyVault/AzureKeyVault.csproj similarity index 100% rename from samples/AzureKeyVault/AzureKeyVault.csproj rename to src/DataProtection/samples/AzureKeyVault/AzureKeyVault.csproj 
diff --git a/samples/AzureKeyVault/Program.cs b/src/DataProtection/samples/AzureKeyVault/Program.cs
similarity index 100%
rename from samples/AzureKeyVault/Program.cs
rename to src/DataProtection/samples/AzureKeyVault/Program.cs
diff --git a/samples/AzureKeyVault/settings.json b/src/DataProtection/samples/AzureKeyVault/settings.json
similarity index 100%
rename from samples/AzureKeyVault/settings.json
rename to src/DataProtection/samples/AzureKeyVault/settings.json
diff --git a/samples/CustomEncryptorSample/CustomBuilderExtensions.cs b/src/DataProtection/samples/CustomEncryptorSample/CustomBuilderExtensions.cs
similarity index 100%
rename from samples/CustomEncryptorSample/CustomBuilderExtensions.cs
rename to src/DataProtection/samples/CustomEncryptorSample/CustomBuilderExtensions.cs
diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/src/DataProtection/samples/CustomEncryptorSample/CustomEncryptorSample.csproj
similarity index 100%
rename from samples/CustomEncryptorSample/CustomEncryptorSample.csproj
rename to src/DataProtection/samples/CustomEncryptorSample/CustomEncryptorSample.csproj
diff --git a/samples/CustomEncryptorSample/CustomXmlDecryptor.cs b/src/DataProtection/samples/CustomEncryptorSample/CustomXmlDecryptor.cs
similarity index 100%
rename from samples/CustomEncryptorSample/CustomXmlDecryptor.cs
rename to src/DataProtection/samples/CustomEncryptorSample/CustomXmlDecryptor.cs
diff --git a/samples/CustomEncryptorSample/CustomXmlEncryptor.cs b/src/DataProtection/samples/CustomEncryptorSample/CustomXmlEncryptor.cs
similarity index 100%
rename from samples/CustomEncryptorSample/CustomXmlEncryptor.cs
rename to src/DataProtection/samples/CustomEncryptorSample/CustomXmlEncryptor.cs
diff --git a/samples/CustomEncryptorSample/Program.cs b/src/DataProtection/samples/CustomEncryptorSample/Program.cs
similarity index 100%
rename from samples/CustomEncryptorSample/Program.cs
rename to src/DataProtection/samples/CustomEncryptorSample/Program.cs
diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/src/DataProtection/samples/KeyManagementSample/KeyManagementSample.csproj
similarity index 100%
rename from samples/KeyManagementSample/KeyManagementSample.csproj
rename to src/DataProtection/samples/KeyManagementSample/KeyManagementSample.csproj
diff --git a/samples/KeyManagementSample/Program.cs b/src/DataProtection/samples/KeyManagementSample/Program.cs
similarity index 100%
rename from samples/KeyManagementSample/Program.cs
rename to src/DataProtection/samples/KeyManagementSample/Program.cs
diff --git a/samples/NonDISample/NonDISample.csproj b/src/DataProtection/samples/NonDISample/NonDISample.csproj
similarity index 100%
rename from samples/NonDISample/NonDISample.csproj
rename to src/DataProtection/samples/NonDISample/NonDISample.csproj
diff --git a/samples/NonDISample/Program.cs b/src/DataProtection/samples/NonDISample/Program.cs
similarity index 100%
rename from samples/NonDISample/Program.cs
rename to src/DataProtection/samples/NonDISample/Program.cs
diff --git a/samples/Redis/Program.cs b/src/DataProtection/samples/Redis/Program.cs
similarity index 100%
rename from samples/Redis/Program.cs
rename to src/DataProtection/samples/Redis/Program.cs
diff --git a/samples/Redis/Redis.csproj b/src/DataProtection/samples/Redis/Redis.csproj
similarity index 100%
rename from samples/Redis/Redis.csproj
rename to src/DataProtection/samples/Redis/Redis.csproj
diff --git a/shared/EncodingUtil.cs b/src/DataProtection/shared/EncodingUtil.cs
similarity index 100%
rename from shared/EncodingUtil.cs
rename to src/DataProtection/shared/EncodingUtil.cs
diff --git a/shared/ExceptionExtensions.cs b/src/DataProtection/shared/ExceptionExtensions.cs
similarity index 100%
rename from shared/ExceptionExtensions.cs
rename to src/DataProtection/shared/ExceptionExtensions.cs
diff --git a/src/Directory.Build.props b/src/DataProtection/src/Directory.Build.props
similarity index 100%
rename from src/Directory.Build.props
rename to src/DataProtection/src/Directory.Build.props
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Redis/Microsoft.AspNetCore.DataProtection.Redis.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Redis/RedisDataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Redis/RedisXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
diff --git a/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Error.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Error.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Error.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Error.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/ISecret.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ISecret.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ISecret.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ISecret.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Secret.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Secret.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Secret.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Secret.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json
diff --git a/test/CreateTestCert.ps1 b/src/DataProtection/test/CreateTestCert.ps1
similarity index 100%
rename from test/CreateTestCert.ps1
rename to src/DataProtection/test/CreateTestCert.ps1
diff --git a/test/Directory.Build.props b/src/DataProtection/test/Directory.Build.props
similarity index 100%
rename from test/Directory.Build.props
rename to src/DataProtection/test/Directory.Build.props
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Redis.Test/DataProtectionRedisTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Redis.Test/Microsoft.AspNetCore.DataProtection.Redis.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Redis.Test/RedisDataProtectionBuilderExtensionsTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs
diff --git a/test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs b/src/DataProtection/test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
similarity index 100%
rename from test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
rename to src/DataProtection/test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs
diff --git a/test/shared/ConditionalRunTestOnlyWindowsAttribute.cs b/src/DataProtection/test/shared/ConditionalRunTestOnlyWindowsAttribute.cs
similarity index 100%
rename from test/shared/ConditionalRunTestOnlyWindowsAttribute.cs
rename to src/DataProtection/test/shared/ConditionalRunTestOnlyWindowsAttribute.cs
diff --git a/test/shared/ExceptionAssert2.cs b/src/DataProtection/test/shared/ExceptionAssert2.cs
similarity index 100%
rename from test/shared/ExceptionAssert2.cs
rename to src/DataProtection/test/shared/ExceptionAssert2.cs
diff --git a/version.props b/src/DataProtection/version.props
similarity index 100%
rename from version.props
rename to src/DataProtection/version.props
From f4026cc10080373f2c43cec3196ab63db2e5841f Mon Sep 17 00:00:00 2001
From: Nate McMaster Date: Fri, 12 Oct 2018 13:14:22 -0700 Subject: [PATCH 490/493] Reorganize source code from aspnet/DataProtection into a subfolder Prior to reorg, this source existed at https://github.com/aspnet/DataProtection/tree/3f5f419df8094be0203298a8001f721517d18a2c --- .appveyor.yml | 17 -- .github/ISSUE_TEMPLATE.md | 3 - .travis.yml | 27 -- .vscode/launch.json | 10 - .vsts-pipelines/builds/ci-public.yml | 31 --- CONTRIBUTING.md | 4 - DataProtection.sln.DotSettings | 2 - Directory.Build.props | 20 -- Directory.Build.targets | 10 - LICENSE.txt | 14 - NuGet.config | 7 - NuGetPackageVerifier.json | 7 - README.md | 13 - build.cmd | 2 - build.sh | 8 - build/Key.snk | Bin 596 -> 0 bytes build/dependencies.props | 41 --- build/repo.props | 16 -- build/sources.props | 17 -- korebuild-lock.txt | 2 - korebuild.json | 4 - run.cmd | 2 - run.ps1 | 209 -------------- run.sh | 256 ------------------ .../DataProtection/DataProtection.sln | 0 src/DataProtection/Directory.Build.props | 8 + .../DataProtection/Provision-AutoGenKeys.ps1 | 0 src/DataProtection/README.md | 8 + src/DataProtection/dependencies.props | 17 ++ .../samples}/AzureBlob/AzureBlob.csproj | 0 .../samples}/AzureBlob/Program.cs | 0 .../AzureKeyVault/AzureKeyVault.csproj | 0 .../samples}/AzureKeyVault/Program.cs | 0 .../samples}/AzureKeyVault/settings.json | 0 .../CustomBuilderExtensions.cs | 0 .../CustomEncryptorSample.csproj | 0 .../CustomXmlDecryptor.cs | 0 .../CustomXmlEncryptor.cs | 0 .../samples}/CustomEncryptorSample/Program.cs | 0 .../EntityFrameworkCoreSample.csproj | 0 .../EntityFrameworkCoreSample/Program.cs | 0 .../KeyManagementSample.csproj | 0 .../samples}/KeyManagementSample/Program.cs | 0 .../samples}/NonDISample/NonDISample.csproj | 0 .../samples}/NonDISample/Program.cs | 0 .../DataProtection/samples}/Redis/Program.cs | 0 .../samples}/Redis/Redis.csproj | 0 .../DataProtection/shared}/EncodingUtil.cs | 0 .../shared}/ExceptionExtensions.cs | 0 .../src}/Directory.Build.props | 0 
.../BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | 0 .../Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs | 0 .../Cng/BCryptBuffer.cs | 0 .../Cng/BCryptBufferDesc.cs | 0 .../Cng/BCryptEncryptFlags.cs | 0 .../Cng/BCryptGenRandomFlags.cs | 0 .../Cng/BCryptKeyDerivationBufferType.cs | 0 .../Cng/BCryptUtil.cs | 0 .../Cng/CachedAlgorithmHandles.cs | 0 .../Cng/NCryptEncryptFlags.cs | 0 .../Cng/OSVersionUtil.cs | 0 .../Constants.cs | 0 .../CryptoUtil.cs | 0 .../DATA_BLOB.cs | 0 ...ft.AspNetCore.Cryptography.Internal.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../SafeHandles/BCryptAlgorithmHandle.cs | 0 .../SafeHandles/BCryptHandle.cs | 0 .../SafeHandles/BCryptHashHandle.cs | 0 .../SafeHandles/BCryptKeyHandle.cs | 0 .../SafeHandles/LocalAllocHandle.cs | 0 .../SafeHandles/NCryptDescriptorHandle.cs | 0 .../SafeHandles/SafeLibraryHandle.cs | 0 .../SafeHandles/SecureLocalAllocHandle.cs | 0 .../UnsafeBufferUtil.cs | 0 .../UnsafeNativeMethods.cs | 0 .../WeakReferenceHelpers.cs | 0 .../baseline.netcore.json | 0 .../KeyDerivation.cs | 0 .../KeyDerivationPrf.cs | 0 ...pNetCore.Cryptography.KeyDerivation.csproj | 0 .../PBKDF2/IPbkdf2Provider.cs | 0 .../PBKDF2/ManagedPbkdf2Provider.cs | 0 .../PBKDF2/NetCorePbkdf2Provider.cs | 0 .../PBKDF2/Pbkdf2Util.cs | 0 .../PBKDF2/Win7Pbkdf2Provider.cs | 0 .../PBKDF2/Win8Pbkdf2Provider.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../baseline.netcore.json | 0 .../CryptoUtil.cs | 0 .../DataProtectionCommonExtensions.cs | 0 .../Error.cs | 0 .../IDataProtectionProvider.cs | 0 .../IDataProtector.cs | 0 .../IApplicationDiscriminator.cs | 0 ...NetCore.DataProtection.Abstractions.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../baseline.netcore.json | 0 .../AzureDataProtectionBuilderExtensions.cs | 0 .../AzureKeyVaultXmlDecryptor.cs | 0 .../AzureKeyVaultXmlEncryptor.cs | 0 .../IKeyVaultWrappingClient.cs | 0 .../KeyVaultClientWrapper.cs | 0 
...etCore.DataProtection.AzureKeyVault.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../AzureBlobXmlRepository.cs | 0 .../AzureDataProtectionBuilderExtensions.cs | 0 ...NetCore.DataProtection.AzureStorage.csproj | 0 .../baseline.netcore.json | 0 .../DataProtectionKey.cs | 0 ...tyFrameworkCoreDataProtectionExtensions.cs | 0 .../EntityFrameworkCoreXmlRepository.cs | 0 .../IDataProtectionKeyContext.cs | 0 .../LoggingExtensions.cs | 0 ....DataProtection.EntityFrameworkCore.csproj | 0 .../baseline.netcore.json | 0 .../BitHelpers.cs | 0 .../DataProtectionAdvancedExtensions.cs | 0 .../DataProtectionProvider.cs | 0 .../ITimeLimitedDataProtector.cs | 0 ...spNetCore.DataProtection.Extensions.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../TimeLimitedDataProtector.cs | 0 .../baseline.netcore.json | 0 ...e.DataProtection.StackExchangeRedis.csproj | 0 .../RedisDataProtectionBuilderExtensions.cs | 0 .../RedisXmlRepository.cs | 0 .../CompatibilityDataProtector.cs | 0 .../DataProtectionStartup.cs | 0 ...AspNetCore.DataProtection.SystemWeb.csproj | 0 .../Properties/Resources.Designer.cs | 0 .../Resources.resx | 0 .../baseline.netframework.json | 0 .../web.config.transform | 0 .../ActivatorExtensions.cs | 0 .../ApplyPolicyAttribute.cs | 0 .../ArraySegmentExtensions.cs | 0 .../AlgorithmAssert.cs | 0 .../AuthenticatedEncryptorExtensions.cs | 0 .../AuthenticatedEncryptorFactory.cs | 0 .../CngCbcAuthenticatedEncryptorFactory.cs | 0 .../CngGcmAuthenticatedEncryptorFactory.cs | 0 .../AlgorithmConfiguration.cs | 0 .../AuthenticatedEncryptorConfiguration.cs | 0 .../AuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 ...gCbcAuthenticatedEncryptorConfiguration.cs | 0 .../CngCbcAuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 ...gGcmAuthenticatedEncryptorConfiguration.cs | 0 .../CngGcmAuthenticatedEncryptorDescriptor.cs | 0 
...nticatedEncryptorDescriptorDeserializer.cs | 0 .../IAuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 .../IInternalAlgorithmConfiguration.cs | 0 ...agedAuthenticatedEncryptorConfiguration.cs | 0 ...ManagedAuthenticatedEncryptorDescriptor.cs | 0 ...nticatedEncryptorDescriptorDeserializer.cs | 0 .../ConfigurationModel/SecretExtensions.cs | 0 .../ConfigurationModel/XmlExtensions.cs | 0 .../XmlSerializedDescriptorInfo.cs | 0 .../EncryptionAlgorithm.cs | 0 .../IAuthenticatedEncryptor.cs | 0 .../IAuthenticatedEncryptorFactory.cs | 0 .../IOptimizedAuthenticatedEncryptor.cs | 0 .../ManagedAuthenticatedEncryptorFactory.cs | 0 .../ValidationAlgorithm.cs | 0 .../BitHelpers.cs | 0 .../Cng/BCryptGenRandomImpl.cs | 0 .../Cng/CbcAuthenticatedEncryptor.cs | 0 .../Cng/DpapiSecretSerializerHelper.cs | 0 .../Cng/GcmAuthenticatedEncryptor.cs | 0 .../Cng/IBCryptGenRandom.cs | 0 .../Internal/CngAuthenticatedEncryptorBase.cs | 0 .../DataProtectionBuilderExtensions.cs | 0 .../DataProtectionOptions.cs | 0 ...taProtectionServiceCollectionExtensions.cs | 0 .../DataProtectionUtilityExtensions.cs | 0 .../EphemeralDataProtectionProvider.cs | 0 .../Error.cs | 0 .../IDataProtectionBuilder.cs | 0 .../IPersistedDataProtector.cs | 0 .../IRegistryPolicyResolver.cs | 0 .../ISecret.cs | 0 .../Internal/DataProtectionBuilder.cs | 0 .../Internal/DataProtectionOptionsSetup.cs | 0 .../Internal/DataProtectionStartupFilter.cs | 0 .../Internal/DockerUtils.cs | 0 .../HostingApplicationDiscriminator.cs | 0 .../Internal/IActivator.cs | 0 .../Internal/KeyManagementOptionsSetup.cs | 0 .../KeyManagement/DefaultKeyResolver.cs | 0 .../KeyManagement/DeferredKey.cs | 0 .../KeyManagement/IKey.cs | 0 .../KeyManagement/IKeyEscrowSink.cs | 0 .../KeyManagement/IKeyManager.cs | 0 .../Internal/CacheableKeyRing.cs | 0 .../Internal/DefaultKeyResolution.cs | 0 .../Internal/ICacheableKeyRingProvider.cs | 0 .../Internal/IDefaultKeyResolver.cs | 0 .../Internal/IInternalXmlKeyManager.cs | 0 
.../KeyManagement/Internal/IKeyRing.cs | 0 .../Internal/IKeyRingProvider.cs | 0 .../KeyManagement/Key.cs | 0 .../KeyManagement/KeyBase.cs | 0 .../KeyEscrowServiceProviderExtensions.cs | 0 .../KeyManagement/KeyExtensions.cs | 0 .../KeyManagement/KeyManagementOptions.cs | 0 .../KeyManagement/KeyRing.cs | 0 .../KeyRingBasedDataProtectionProvider.cs | 0 .../KeyRingBasedDataProtector.cs | 0 .../KeyManagement/KeyRingProvider.cs | 0 .../KeyManagement/XmlKeyManager.cs | 0 .../LoggingExtensions.cs | 0 .../LoggingServiceProviderExtensions.cs | 0 .../Managed/HashAlgorithmExtensions.cs | 0 .../Managed/IManagedGenRandom.cs | 0 .../Managed/ManagedAuthenticatedEncryptor.cs | 0 .../Managed/ManagedGenRandomImpl.cs | 0 .../Managed/SymmetricAlgorithmExtensions.cs | 0 .../MemoryProtection.cs | 0 ...Microsoft.AspNetCore.DataProtection.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../Properties/Resources.Designer.cs | 0 .../RegistryPolicy.cs | 0 .../RegistryPolicyResolver.cs | 0 .../DefaultKeyStorageDirectories.cs | 0 .../Repositories/EphemeralXmlRepository.cs | 0 .../Repositories/FileSystemXmlRepository.cs | 0 .../IDefaultKeyStorageDirectory.cs | 0 .../Repositories/IXmlRepository.cs | 0 .../Repositories/RegistryXmlRepository.cs | 0 .../Resources.resx | 0 .../ISP800_108_CTR_HMACSHA512Provider.cs | 0 .../ManagedSP800_108_CTR_HMACSHA512.cs | 0 .../SP800_108_CTR_HMACSHA512Extensions.cs | 0 .../SP800_108/SP800_108_CTR_HMACSHA512Util.cs | 0 .../Win7SP800_108_CTR_HMACSHA512Provider.cs | 0 .../Win8SP800_108_CTR_HMACSHA512Provider.cs | 0 .../Secret.cs | 0 .../SimpleActivator.cs | 0 .../TypeExtensions.cs | 0 .../TypeForwardingActivator.cs | 0 .../XmlConstants.cs | 0 .../XmlEncryption/CertificateResolver.cs | 0 .../XmlEncryption/CertificateXmlEncryptor.cs | 0 .../DpapiNGProtectionDescriptorFlags.cs | 0 .../XmlEncryption/DpapiNGXmlDecryptor.cs | 0 .../XmlEncryption/DpapiNGXmlEncryptor.cs | 0 .../XmlEncryption/DpapiXmlDecryptor.cs | 0 .../XmlEncryption/DpapiXmlEncryptor.cs | 0 
.../XmlEncryption/EncryptedXmlDecryptor.cs | 0 .../XmlEncryption/EncryptedXmlInfo.cs | 0 .../XmlEncryption/ICertificateResolver.cs | 0 .../IInternalCertificateXmlEncryptor.cs | 0 .../IInternalEncryptedXmlDecryptor.cs | 0 .../XmlEncryption/IXmlDecryptor.cs | 0 .../XmlEncryption/IXmlEncryptor.cs | 0 .../XmlEncryption/NullXmlDecryptor.cs | 0 .../XmlEncryption/NullXmlEncryptor.cs | 0 .../XmlEncryption/XmlEncryptionExtensions.cs | 0 .../XmlEncryption/XmlKeyDecryptionOptions.cs | 0 .../XmlExtensions.cs | 0 .../baseline.netcore.json | 0 .../DataProtection/test}/CreateTestCert.ps1 | 0 .../test}/Directory.Build.props | 0 ...PT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs | 0 .../Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs | 0 .../Cng/BCryptUtilTests.cs | 0 .../Cng/CachedAlgorithmHandlesTests.cs | 0 .../CryptoUtilTests.cs | 0 ...pNetCore.Cryptography.Internal.Test.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../SecureLocalAllocHandleTests.cs | 0 .../UnsafeBufferUtilTests.cs | 0 .../WeakReferenceHelpersTests.cs | 0 ...ore.Cryptography.KeyDerivation.Test.csproj | 0 .../Pbkdf2Tests.cs | 0 .../Properties/AssemblyInfo.cs | 0 .../DataProtectionCommonExtensionsTests.cs | 0 ...re.DataProtection.Abstractions.Test.csproj | 0 .../AzureKeyVaultXmlEncryptorTests.cs | 0 ...e.DataProtection.AzureKeyVault.Test.csproj | 0 .../AzureBlobXmlRepositoryTests.cs | 0 ...zureDataProtectionBuilderExtensionsTest.cs | 0 ...re.DataProtection.AzureStorage.Test.csproj | 0 .../DataProtectionEntityFrameworkTests.cs | 0 .../DataProtectionKeyContext.cs | 0 ...oreDataProtectionBuilderExtensionsTests.cs | 0 ...Protection.EntityFrameworkCore.Test.csproj | 0 .../DataProtectionAdvancedExtensionsTests.cs | 0 .../DataProtectionProviderTests.cs | 0 ...Core.DataProtection.Extensions.Test.csproj | 0 .../Properties/AssemblyInfo.cs | 0 .../TestFiles/TestCert.pfx | Bin .../TestFiles/TestCert2.pfx | Bin .../TestFiles/TestCert3.pfx | Bin .../TestFiles/TestCert3WithoutPrivateKey.pfx | Bin .../TestFiles/TestCertWithoutPrivateKey.pfx 
| Bin .../TimeLimitedDataProtectorTests.cs | 0 .../X509StoreIsAvailableAttribute.cs | 0 .../DataProtectionRedisTests.cs | 0 ...aProtection.StackExchangeRedis.Test.csproj | 0 ...edisDataProtectionBuilderExtensionsTest.cs | 0 .../TestRedisServer.cs | 0 .../TestRedisServerIsAvailableAttribute.cs | 0 .../testconfig.json | 0 .../ActivatorTests.cs | 0 .../AnonymousImpersonation.cs | 0 ...CngCbcAuthenticatedEncryptorFactoryTest.cs | 0 ...CngGcmAuthenticatedEncryptorFactoryTest.cs | 0 ...tedEncryptorDescriptorDeserializerTests.cs | 0 .../AuthenticatedEncryptorDescriptorTests.cs | 0 ...uthenticatedEncryptorConfigurationTests.cs | 0 ...tedEncryptorDescriptorDeserializerTests.cs | 0 ...bcAuthenticatedEncryptorDescriptorTests.cs | 0 ...uthenticatedEncryptorConfigurationTests.cs | 0 ...tedEncryptorDescriptorDeserializerTests.cs | 0 ...cmAuthenticatedEncryptorDescriptorTests.cs | 0 ...uthenticatedEncryptorConfigurationTests.cs | 0 ...tedEncryptorDescriptorDeserializerTests.cs | 0 ...edAuthenticatedEncryptorDescriptorTests.cs | 0 ...anagedAuthenticatedEncryptorFactoryTest.cs | 0 .../Cng/CbcAuthenticatedEncryptorTests.cs | 0 .../Cng/CngAuthenticatedEncryptorBaseTests.cs | 0 .../Cng/GcmAuthenticatedEncryptorTests.cs | 0 .../DataProtectionUtilityExtensionsTests.cs | 0 .../DockerUtilsTests.cs | 0 .../EphemeralDataProtectionProviderTests.cs | 0 .../HostingTests.cs | 0 .../Internal/KeyManagementOptionsSetupTest.cs | 0 .../KeyManagement/CacheableKeyRingTests.cs | 0 .../KeyManagement/DefaultKeyResolverTests.cs | 0 .../KeyManagement/DeferredKeyTests.cs | 0 ...KeyEscrowServiceProviderExtensionsTests.cs | 0 .../KeyRingBasedDataProtectorTests.cs | 0 .../KeyManagement/KeyRingProviderTests.cs | 0 .../KeyManagement/KeyRingTests.cs | 0 .../KeyManagement/KeyTests.cs | 0 .../KeyManagement/XmlKeyManagerTests.cs | 0 .../ManagedAuthenticatedEncryptorTests.cs | 0 ...soft.AspNetCore.DataProtection.Test.csproj | 0 .../MockExtensions.cs | 0 .../Properties/AssemblyInfo.cs | 0 
.../RegistryPolicyResolverTests.cs | 0 .../EphemeralXmlRepositoryTests.cs | 0 .../FileSystemXmlRepositoryTests.cs | 0 .../RegistryXmlRepositoryTests.cs | 0 .../SP800_108/SP800_108Tests.cs | 0 .../SecretAssert.cs | 0 .../SecretTests.cs | 0 .../SequentialGenRandom.cs | 0 .../ServiceCollectionTests.cs | 0 .../StringLoggerFactory.cs | 0 .../TestFiles/TestCert1.PublicKeyOnly.cer | Bin .../TestFiles/TestCert1.pfx | Bin .../TestFiles/TestCert2.pfx | Bin .../TypeForwardingActivatorTests.cs | 0 .../XmlAssert.cs | 0 .../CertificateXmlEncryptionTests.cs | 0 .../DpapiNGXmlEncryptionTests.cs | 0 .../XmlEncryption/DpapiXmlEncryptionTests.cs | 0 .../EncryptedXmlDecryptorTests.cs | 0 .../XmlEncryption/NullXmlEncryptionTests.cs | 0 .../XmlEncryptionExtensionsTests.cs | 0 ...onalRunTestOnlyWindows8OrLaterAttribute.cs | 0 .../ConditionalRunTestOnlyWindowsAttribute.cs | 0 .../test}/shared/ExceptionAssert2.cs | 0 .../DataProtection/version.props | 0 375 files changed, 33 insertions(+), 722 deletions(-) delete mode 100644 .appveyor.yml delete mode 100644 .github/ISSUE_TEMPLATE.md delete mode 100644 .travis.yml delete mode 100644 .vscode/launch.json delete mode 100644 .vsts-pipelines/builds/ci-public.yml delete mode 100644 CONTRIBUTING.md delete mode 100644 DataProtection.sln.DotSettings delete mode 100644 Directory.Build.props delete mode 100644 Directory.Build.targets delete mode 100644 LICENSE.txt delete mode 100644 NuGet.config delete mode 100644 NuGetPackageVerifier.json delete mode 100644 README.md delete mode 100644 build.cmd delete mode 100755 build.sh delete mode 100644 build/Key.snk delete mode 100644 build/dependencies.props delete mode 100644 build/repo.props delete mode 100644 build/sources.props delete mode 100644 korebuild-lock.txt delete mode 100644 korebuild.json delete mode 100644 run.cmd delete mode 100644 run.ps1 delete mode 100755 run.sh rename DataProtection.sln => src/DataProtection/DataProtection.sln (100%) create mode 100644 
src/DataProtection/Directory.Build.props rename Provision-AutoGenKeys.ps1 => src/DataProtection/Provision-AutoGenKeys.ps1 (100%) create mode 100644 src/DataProtection/README.md create mode 100644 src/DataProtection/dependencies.props rename {samples => src/DataProtection/samples}/AzureBlob/AzureBlob.csproj (100%) rename {samples => src/DataProtection/samples}/AzureBlob/Program.cs (100%) rename {samples => src/DataProtection/samples}/AzureKeyVault/AzureKeyVault.csproj (100%) rename {samples => src/DataProtection/samples}/AzureKeyVault/Program.cs (100%) rename {samples => src/DataProtection/samples}/AzureKeyVault/settings.json (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomBuilderExtensions.cs (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomEncryptorSample.csproj (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomXmlDecryptor.cs (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/CustomXmlEncryptor.cs (100%) rename {samples => src/DataProtection/samples}/CustomEncryptorSample/Program.cs (100%) rename {samples => src/DataProtection/samples}/EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj (100%) rename {samples => src/DataProtection/samples}/EntityFrameworkCoreSample/Program.cs (100%) rename {samples => src/DataProtection/samples}/KeyManagementSample/KeyManagementSample.csproj (100%) rename {samples => src/DataProtection/samples}/KeyManagementSample/Program.cs (100%) rename {samples => src/DataProtection/samples}/NonDISample/NonDISample.csproj (100%) rename {samples => src/DataProtection/samples}/NonDISample/Program.cs (100%) rename {samples => src/DataProtection/samples}/Redis/Program.cs (100%) rename {samples => src/DataProtection/samples}/Redis/Redis.csproj (100%) rename {shared => src/DataProtection/shared}/EncodingUtil.cs (100%) rename {shared => src/DataProtection/shared}/ExceptionExtensions.cs (100%) rename src/{ => 
DataProtection/src}/Directory.Build.props (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs 
(100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/BitHelpers.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Error.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/ISecret.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Resources.resx (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/Secret.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlConstants.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs (100%) rename src/{ => 
DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs (100%) rename src/{ => DataProtection/src}/Microsoft.AspNetCore.DataProtection/baseline.netcore.json (100%) rename {test => src/DataProtection/test}/CreateTestCert.ps1 (100%) rename {test => src/DataProtection/test}/Directory.Build.props (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCertWithoutPrivateKey.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServer.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServerIsAvailableAttribute.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/testconfig.json (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs 
(100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs (100%) rename {test => 
src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs (100%) rename {test => src/DataProtection/test}/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs (100%) rename {test => src/DataProtection/test}/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs (100%) rename {test => src/DataProtection/test}/shared/ConditionalRunTestOnlyWindowsAttribute.cs (100%) rename {test => src/DataProtection/test}/shared/ExceptionAssert2.cs (100%) rename version.props => src/DataProtection/version.props (100%) diff --git a/.appveyor.yml b/.appveyor.yml deleted file mode 100644 index 4eea96ab69..0000000000 --- a/.appveyor.yml +++ /dev/null 
@@ -1,17 +0,0 @@
-init:
-- git config --global core.autocrlf true
-branches:
- only:
- - dev
- - /^release\/.*$/
- - /^(.*\/)?ci-.*$/
-build_script:
-- ps: .\run.ps1 default-build
-clone_depth: 1
-environment:
- global:
- DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
- DOTNET_CLI_TELEMETRY_OPTOUT: 1
-test: 'off'
-deploy: 'off'
-os: Visual Studio 2017
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
deleted file mode 100644
index 101a084f0a..0000000000
--- a/.github/ISSUE_TEMPLATE.md
+++ /dev/null
@@ -1,3 +0,0 @@
-THIS ISSUE TRACKER IS CLOSED - please log new issues here: https://github.com/aspnet/Home/issues
-
-For information about this change, see https://github.com/aspnet/Announcements/issues/283
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 64bdbb4441..0000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-language: csharp
-sudo: false
-dist: trusty
-env:
- global:
- - DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
- - DOTNET_CLI_TELEMETRY_OPTOUT: 1
-mono: none
-os:
-- linux
-- osx
-osx_image: xcode8.2
-addons:
- apt:
- packages:
- - libunwind8
-branches:
- only:
- - dev
- - /^release\/.*$/
- - /^(.*\/)?ci-.*$/
-before_install:
-- if test "$TRAVIS_OS_NAME" == "osx"; then brew update; brew install openssl; ln -s
- /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/; ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib
- /usr/local/lib/; fi
-script:
-- ./build.sh
diff --git a/.vscode/launch.json b/.vscode/launch.json
deleted file mode 100644
index f4fc2e3731..0000000000
--- a/.vscode/launch.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "configurations": [
- {
- "name": ".NET Core Attach",
- "type": "coreclr",
- "request": "attach",
- "processId": "${command:pickProcess}"
- }
- ]
-}
diff --git a/.vsts-pipelines/builds/ci-public.yml b/.vsts-pipelines/builds/ci-public.yml
deleted file mode 100644
index 554cc2be4c..0000000000
--- a/.vsts-pipelines/builds/ci-public.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -trigger: -- master -- release/* - -# See https://github.com/aspnet/BuildTools -resources: - repositories: - - repository: buildtools - type: github - endpoint: DotNet-Bot GitHub Connection - name: aspnet/BuildTools - ref: refs/heads/release/2.2 - -phases: -- template: .vsts-pipelines/templates/project-ci.yml@buildtools -- template: .vsts-pipelines/templates/phases/default-build.yml@buildtools - parameters: - phaseName: Linux_RedisTests - queueName: DotNetCore-Docker - agentOs: Linux - demands: - - docker - variables: - Test__Redis__Server: localhost:6379,127.0.0.1:6379 - beforeBuild: - - script: docker run --rm -d --name test-redis-server -p 6379:6379 redis - displayName: Start Redis in Docker - afterBuild: - - script: docker stop test-redis-server - displayName: Stop Redis in Docker - condition: always() diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 64ff041d5c..0000000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1,4 +0,0 @@ -Contributing -====== - -Information on contributing to this repo is in the [Contributing Guide](https://github.com/aspnet/Home/blob/dev/CONTRIBUTING.md) in the Home repo. diff --git a/DataProtection.sln.DotSettings b/DataProtection.sln.DotSettings deleted file mode 100644 index c843b27a2b..0000000000 --- a/DataProtection.sln.DotSettings +++ /dev/null @@ -1,2 +0,0 @@ - - False \ No newline at end of file diff --git a/Directory.Build.props b/Directory.Build.props deleted file mode 100644 index 23c9a47ea4..0000000000 --- a/Directory.Build.props +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - - - - Microsoft ASP.NET Core - https://github.com/aspnet/DataProtection - git - $(MSBuildThisFileDirectory) - $(MSBuildThisFileDirectory)build\Key.snk - true - true - - - diff --git a/Directory.Build.targets b/Directory.Build.targets deleted file mode 100644 index 78626b773e..0000000000 --- a/Directory.Build.targets +++ /dev/null 
@@ -1,10 +0,0 @@
-
-
- $(MicrosoftNETCoreApp20PackageVersion)
- $(MicrosoftNETCoreApp21PackageVersion)
- $(MicrosoftNETCoreApp22PackageVersion)
- $(NETStandardLibrary20PackageVersion)
-
- 99.9
-
-
diff --git a/LICENSE.txt b/LICENSE.txt
deleted file mode 100644
index 7b2956ecee..0000000000
--- a/LICENSE.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Copyright (c) .NET Foundation and Contributors
-
-All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License"); you may not use
-this file except in compliance with the License. You may obtain a copy of the
-License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software distributed
-under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-CONDITIONS OF ANY KIND, either express or implied. See the License for the
-specific language governing permissions and limitations under the License.
diff --git a/NuGet.config b/NuGet.config
deleted file mode 100644
index e32bddfd51..0000000000
--- a/NuGet.config
+++ /dev/null
@@ -1,7 +0,0 @@
-
-
-
-
-
-
-
diff --git a/NuGetPackageVerifier.json b/NuGetPackageVerifier.json
deleted file mode 100644
index b153ab1515..0000000000
--- a/NuGetPackageVerifier.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "Default": {
- "rules": [
- "DefaultCompositeRule"
- ]
- }
-}
\ No newline at end of file
diff --git a/README.md b/README.md
deleted file mode 100644
index 7d9704e3f7..0000000000
--- a/README.md
+++ /dev/null
@@ -1,13 +0,0 @@ -DataProtection -============== -AppVeyor: [![AppVeyor](https://ci.appveyor.com/api/projects/status/4mki61bux5vby6it/branch/dev?svg=true)](https://ci.appveyor.com/project/aspnetci/DataProtection/branch/dev) - -Travis: [![Travis](https://travis-ci.org/aspnet/DataProtection.svg?branch=dev)](https://travis-ci.org/aspnet/DataProtection) - -Data Protection APIs for protecting and unprotecting data. - -This project is part of ASP.NET Core. You can find documentation for Data Protection in the [ASP.NET Core Documentation](http://docs.asp.net/en/latest/security/data-protection/index.html). You can find samples, documentation and getting started instructions for ASP.NET Core at the [Home](https://github.com/aspnet/home) repo. - -## Community Maintained Data Protection Providers & Projects - - - [ASP.NET Core DataProtection for Service Fabric](https://github.com/MedAnd/AspNetCore.DataProtection.ServiceFabric) diff --git a/build.cmd b/build.cmd deleted file mode 100644 index c0050bda12..0000000000 --- a/build.cmd +++ /dev/null @@ -1,2 +0,0 @@ -@ECHO OFF -PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0run.ps1' default-build %*; exit $LASTEXITCODE" diff --git a/build.sh b/build.sh deleted file mode 100755 index 98a4b22765..0000000000 --- a/build.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# Call "sync" between "chmod" and execution to prevent "text file busy" error in Docker (aufs) -chmod +x "$DIR/run.sh"; sync -"$DIR/run.sh" default-build "$@" 
diff --git a/build/Key.snk b/build/Key.snk deleted file mode 100644 index e10e4889c125d3120cd9e81582243d70f7cbb806..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 596 zcmV-a0;~N80ssI2Bme+XQ$aES1ONa50098=Iw=HCsnz~#iVhm& zj%TU(_THUee?3yHBjk$37ysB?i5#7WD$={H zV4B!OxRPrb|8)HPg~A}8P>^=#y<)56#=E&NzcjOtPK~<4n6GHt=K$ro*T(lhby_@U zEk(hLzk1H)0yXj{A_5>fk-TgNoP|q6(tP2xo8zt8i%212CWM#AeCd?`hS|4~L({h~Moo(~vy&3Z z1uI}`fd^*>o=rwbAGymj6RM^pZm(*Kfhs+Y1#`-2JPWZMK8@;ZWCk2+9bX4YP);~fj-BU*R zQPvWv$89!{Rl9wM+zR>_TSkn^voYxA?2G iKnV#iZ6Ah`K>b=@=IjYJXrxL124zR(38)nxe+&q_$QXwJ diff --git a/build/dependencies.props b/build/dependencies.props deleted file mode 100644 index df63bb1034..0000000000 --- a/build/dependencies.props +++ /dev/null @@ -1,41 +0,0 @@ - - - $(MSBuildAllProjects);$(MSBuildThisFileFullPath) - - - 2.2.0-preview2-20181004.6 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.3.2 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 2.2.0-preview3-35425 - 3.14.2 - 2.0.9 - 2.1.3 - 2.2.0-preview3-27001-02 - 15.6.1 - 4.5.0 - 4.7.49 - 2.0.3 - 1.2.6 - 2.0.513 - 4.5.0 - 4.5.0 - 8.1.4 - 2.3.1 - 2.4.0 - - - - diff --git a/build/repo.props b/build/repo.props deleted file mode 100644 index f1fe24dd27..0000000000 --- a/build/repo.props +++ /dev/null @@ -1,16 +0,0 @@ - - - - - - Internal.AspNetCore.Universe.Lineup - 2.2.0-* - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json - - - - - - - - diff --git a/build/sources.props b/build/sources.props deleted file mode 100644 index 9215df9751..0000000000 --- a/build/sources.props +++ /dev/null 
@@ -1,17 +0,0 @@ - - - - - $(DotNetRestoreSources) - - $(RestoreSources); - https://dotnet.myget.org/F/dotnet-core/api/v3/index.json; - https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json; - https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json; - - - $(RestoreSources); - https://api.nuget.org/v3/index.json; - - - diff --git a/korebuild-lock.txt b/korebuild-lock.txt deleted file mode 100644 index 3e92dd5543..0000000000 --- a/korebuild-lock.txt +++ /dev/null @@ -1,2 +0,0 @@ -version:2.2.0-preview2-20181004.6 -commithash:c04c4b2f5018632647f96210ab01876661302dac diff --git a/korebuild.json b/korebuild.json deleted file mode 100644 index d217d06e3e..0000000000 --- a/korebuild.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/release/2.2/tools/korebuild.schema.json", - "channel": "release/2.2" -} diff --git a/run.cmd b/run.cmd deleted file mode 100644 index d52d5c7e68..0000000000 --- a/run.cmd +++ /dev/null @@ -1,2 +0,0 @@ -@ECHO OFF -PowerShell -NoProfile -NoLogo -ExecutionPolicy unrestricted -Command "[System.Threading.Thread]::CurrentThread.CurrentCulture = ''; [System.Threading.Thread]::CurrentThread.CurrentUICulture = '';& '%~dp0run.ps1' %*; exit $LASTEXITCODE" diff --git a/run.ps1 b/run.ps1 deleted file mode 100644 index 34604c7175..0000000000 --- a/run.ps1 +++ /dev/null 
@@ -1,209 +0,0 @@ -#!/usr/bin/env powershell -#requires -version 4 - -<# -.SYNOPSIS -Executes KoreBuild commands. - -.DESCRIPTION -Downloads korebuild if required. Then executes the KoreBuild command. To see available commands, execute with `-Command help`. - -.PARAMETER Command -The KoreBuild command to run. - -.PARAMETER Path -The folder to build. Defaults to the folder containing this script. - -.PARAMETER Channel -The channel of KoreBuild to download. Overrides the value from the config file. - -.PARAMETER DotNetHome -The directory where .NET Core tools will be stored. - -.PARAMETER ToolsSource -The base url where build tools can be downloaded. Overrides the value from the config file. - -.PARAMETER Update -Updates KoreBuild to the latest version even if a lock file is present. - -.PARAMETER Reinstall -Re-installs KoreBuild - -.PARAMETER ConfigFile -The path to the configuration file that stores values. Defaults to korebuild.json. - -.PARAMETER ToolsSourceSuffix -The Suffix to append to the end of the ToolsSource. Useful for query strings in blob stores. - -.PARAMETER CI -Sets up CI specific settings and variables. - -.PARAMETER Arguments -Arguments to be passed to the command - -.NOTES -This function will create a file $PSScriptRoot/korebuild-lock.txt. This lock file can be committed to source, but does not have to be. -When the lockfile is not present, KoreBuild will create one using latest available version from $Channel. - -The $ConfigFile is expected to be an JSON file. It is optional, and the configuration values in it are optional as well. Any options set -in the file are overridden by command line parameters. 
- -.EXAMPLE -Example config file: -```json -{ - "$schema": "https://raw.githubusercontent.com/aspnet/BuildTools/master/tools/korebuild.schema.json", - "channel": "master", - "toolsSource": "https://aspnetcore.blob.core.windows.net/buildtools" -} -``` -#> -[CmdletBinding(PositionalBinding = $false)] -param( - [Parameter(Mandatory = $true, Position = 0)] - [string]$Command, - [string]$Path = $PSScriptRoot, - [Alias('c')] - [string]$Channel, - [Alias('d')] - [string]$DotNetHome, - [Alias('s')] - [string]$ToolsSource, - [Alias('u')] - [switch]$Update, - [switch]$Reinstall, - [string]$ToolsSourceSuffix, - [string]$ConfigFile = $null, - [switch]$CI, - [Parameter(ValueFromRemainingArguments = $true)] - [string[]]$Arguments -) - -Set-StrictMode -Version 2 -$ErrorActionPreference = 'Stop' - -# -# Functions -# - -function Get-KoreBuild { - - $lockFile = Join-Path $Path 'korebuild-lock.txt' - - if (!(Test-Path $lockFile) -or $Update) { - Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $lockFile $ToolsSourceSuffix - } - - $version = Get-Content $lockFile | Where-Object { $_ -like 'version:*' } | Select-Object -first 1 - if (!$version) { - Write-Error "Failed to parse version from $lockFile. 
Expected a line that begins with 'version:'" - } - $version = $version.TrimStart('version:').Trim() - $korebuildPath = Join-Paths $DotNetHome ('buildtools', 'korebuild', $version) - - if ($Reinstall -and (Test-Path $korebuildPath)) { - Remove-Item -Force -Recurse $korebuildPath - } - - if (!(Test-Path $korebuildPath)) { - Write-Host -ForegroundColor Magenta "Downloading KoreBuild $version" - New-Item -ItemType Directory -Path $korebuildPath | Out-Null - $remotePath = "$ToolsSource/korebuild/artifacts/$version/korebuild.$version.zip" - - try { - $tmpfile = Join-Path ([IO.Path]::GetTempPath()) "KoreBuild-$([guid]::NewGuid()).zip" - Get-RemoteFile $remotePath $tmpfile $ToolsSourceSuffix - if (Get-Command -Name 'Microsoft.PowerShell.Archive\Expand-Archive' -ErrorAction Ignore) { - # Use built-in commands where possible as they are cross-plat compatible - Microsoft.PowerShell.Archive\Expand-Archive -Path $tmpfile -DestinationPath $korebuildPath - } - else { - # Fallback to old approach for old installations of PowerShell - Add-Type -AssemblyName System.IO.Compression.FileSystem - [System.IO.Compression.ZipFile]::ExtractToDirectory($tmpfile, $korebuildPath) - } - } - catch { - Remove-Item -Recurse -Force $korebuildPath -ErrorAction Ignore - throw - } - finally { - Remove-Item $tmpfile -ErrorAction Ignore - } - } - - return $korebuildPath -} - -function Join-Paths([string]$path, [string[]]$childPaths) { - $childPaths | ForEach-Object { $path = Join-Path $path $_ } - return $path -} - -function Get-RemoteFile([string]$RemotePath, [string]$LocalPath, [string]$RemoteSuffix) { - if ($RemotePath -notlike 'http*') { - Copy-Item $RemotePath $LocalPath - return - } - - $retries = 10 - while ($retries -gt 0) { - $retries -= 1 - try { - Invoke-WebRequest -UseBasicParsing -Uri $($RemotePath + $RemoteSuffix) -OutFile $LocalPath - return - } - catch { - Write-Verbose "Request failed. $retries retries remaining" - } - } - - Write-Error "Download failed: '$RemotePath'." 
-} - -# -# Main -# - -# Load configuration or set defaults - -$Path = Resolve-Path $Path -if (!$ConfigFile) { $ConfigFile = Join-Path $Path 'korebuild.json' } - -if (Test-Path $ConfigFile) { - try { - $config = Get-Content -Raw -Encoding UTF8 -Path $ConfigFile | ConvertFrom-Json - if ($config) { - if (!($Channel) -and (Get-Member -Name 'channel' -InputObject $config)) { [string] $Channel = $config.channel } - if (!($ToolsSource) -and (Get-Member -Name 'toolsSource' -InputObject $config)) { [string] $ToolsSource = $config.toolsSource} - } - } - catch { - Write-Host -ForegroundColor Red $Error[0] - Write-Error "$ConfigFile contains invalid JSON." - exit 1 - } -} - -if (!$DotNetHome) { - $DotNetHome = if ($env:DOTNET_HOME) { $env:DOTNET_HOME } ` - elseif ($env:USERPROFILE) { Join-Path $env:USERPROFILE '.dotnet'} ` - elseif ($env:HOME) {Join-Path $env:HOME '.dotnet'}` - else { Join-Path $PSScriptRoot '.dotnet'} -} - -if (!$Channel) { $Channel = 'master' } -if (!$ToolsSource) { $ToolsSource = 'https://aspnetcore.blob.core.windows.net/buildtools' } - -# Execute - -$korebuildPath = Get-KoreBuild -Import-Module -Force -Scope Local (Join-Path $korebuildPath 'KoreBuild.psd1') - -try { - Set-KoreBuildSettings -ToolsSource $ToolsSource -DotNetHome $DotNetHome -RepoPath $Path -ConfigFile $ConfigFile -CI:$CI - Invoke-KoreBuildCommand $Command @Arguments -} -finally { - Remove-Module 'KoreBuild' -ErrorAction Ignore -} diff --git a/run.sh b/run.sh deleted file mode 100755 index 4c1fed5646..0000000000 --- a/run.sh +++ /dev/null 
@@ -1,256 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -# -# variables -# - -RESET="\033[0m" -RED="\033[0;31m" -YELLOW="\033[0;33m" -MAGENTA="\033[0;95m" -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -[ -z "${DOTNET_HOME:-}" ] && DOTNET_HOME="$HOME/.dotnet" -verbose=false -update=false -reinstall=false -repo_path="$DIR" -channel='' -tools_source='' -tools_source_suffix='' -ci=false - -# -# Functions -# -__usage() { - echo "Usage: $(basename "${BASH_SOURCE[0]}") command [options] [[--] ...]" - echo "" - echo "Arguments:" - echo " command The command to be run." - echo " ... Arguments passed to the command. Variable number of arguments allowed." - echo "" - echo "Options:" - echo " --verbose Show verbose output." - echo " -c|--channel The channel of KoreBuild to download. Overrides the value from the config file.." - echo " --config-file The path to the configuration file that stores values. Defaults to korebuild.json." - echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." - echo " --path The directory to build. Defaults to the directory containing the script." - echo " -s|--tools-source|-ToolsSource The base url where build tools can be downloaded. Overrides the value from the config file." - echo " --tools-source-suffix|-ToolsSourceSuffix The suffix to append to tools-source. Useful for query strings." - echo " -u|--update Update to the latest KoreBuild even if the lock file is present." - echo " --reinstall Reinstall KoreBuild." - echo " --ci Apply CI specific settings and environment variables." - echo "" - echo "Description:" - echo " This function will create a file \$DIR/korebuild-lock.txt. This lock file can be committed to source, but does not have to be." - echo " When the lockfile is not present, KoreBuild will create one using latest available version from \$channel." 
- - if [[ "${1:-}" != '--no-exit' ]]; then - exit 2 - fi -} - -get_korebuild() { - local version - local lock_file="$repo_path/korebuild-lock.txt" - if [ ! -f "$lock_file" ] || [ "$update" = true ]; then - __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" "$tools_source_suffix" - fi - version="$(grep 'version:*' -m 1 "$lock_file")" - if [[ "$version" == '' ]]; then - __error "Failed to parse version from $lock_file. Expected a line that begins with 'version:'" - return 1 - fi - version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" - local korebuild_path="$DOTNET_HOME/buildtools/korebuild/$version" - - if [ "$reinstall" = true ] && [ -d "$korebuild_path" ]; then - rm -rf "$korebuild_path" - fi - - { - if [ ! -d "$korebuild_path" ]; then - mkdir -p "$korebuild_path" - local remote_path="$tools_source/korebuild/artifacts/$version/korebuild.$version.zip" - tmpfile="$(mktemp)" - echo -e "${MAGENTA}Downloading KoreBuild ${version}${RESET}" - if __get_remote_file "$remote_path" "$tmpfile" "$tools_source_suffix"; then - unzip -q -d "$korebuild_path" "$tmpfile" - fi - rm "$tmpfile" || true - fi - - source "$korebuild_path/KoreBuild.sh" - } || { - if [ -d "$korebuild_path" ]; then - echo "Cleaning up after failed installation" - rm -rf "$korebuild_path" || true - fi - return 1 - } -} - -__error() { - echo -e "${RED}error: $*${RESET}" 1>&2 -} - -__warn() { - echo -e "${YELLOW}warning: $*${RESET}" -} - -__machine_has() { - hash "$1" > /dev/null 2>&1 - return $? 
-} - -__get_remote_file() { - local remote_path=$1 - local local_path=$2 - local remote_path_suffix=$3 - - if [[ "$remote_path" != 'http'* ]]; then - cp "$remote_path" "$local_path" - return 0 - fi - - local failed=false - if __machine_has wget; then - wget --tries 10 --quiet -O "$local_path" "${remote_path}${remote_path_suffix}" || failed=true - else - failed=true - fi - - if [ "$failed" = true ] && __machine_has curl; then - failed=false - curl --retry 10 -sSL -f --create-dirs -o "$local_path" "${remote_path}${remote_path_suffix}" || failed=true - fi - - if [ "$failed" = true ]; then - __error "Download failed: $remote_path" 1>&2 - return 1 - fi -} - -# -# main -# - -command="${1:-}" -shift - -while [[ $# -gt 0 ]]; do - case $1 in - -\?|-h|--help) - __usage --no-exit - exit 0 - ;; - -c|--channel|-Channel) - shift - channel="${1:-}" - [ -z "$channel" ] && __usage - ;; - --config-file|-ConfigFile) - shift - config_file="${1:-}" - [ -z "$config_file" ] && __usage - if [ ! -f "$config_file" ]; then - __error "Invalid value for --config-file. $config_file does not exist." - exit 1 - fi - ;; - -d|--dotnet-home|-DotNetHome) - shift - DOTNET_HOME="${1:-}" - [ -z "$DOTNET_HOME" ] && __usage - ;; - --path|-Path) - shift - repo_path="${1:-}" - [ -z "$repo_path" ] && __usage - ;; - -s|--tools-source|-ToolsSource) - shift - tools_source="${1:-}" - [ -z "$tools_source" ] && __usage - ;; - --tools-source-suffix|-ToolsSourceSuffix) - shift - tools_source_suffix="${1:-}" - [ -z "$tools_source_suffix" ] && __usage - ;; - -u|--update|-Update) - update=true - ;; - --reinstall|-[Rr]einstall) - reinstall=true - ;; - --ci|-[Cc][Ii]) - ci=true - ;; - --verbose|-Verbose) - verbose=true - ;; - --) - shift - break - ;; - *) - break - ;; - esac - shift -done - -if ! __machine_has unzip; then - __error 'Missing required command: unzip' - exit 1 -fi - -if ! __machine_has curl && ! __machine_has wget; then - __error 'Missing required command. Either wget or curl is required.' 
- exit 1 -fi - -[ -z "${config_file:-}" ] && config_file="$repo_path/korebuild.json" -if [ -f "$config_file" ]; then - if __machine_has jq ; then - if jq '.' "$config_file" >/dev/null ; then - config_channel="$(jq -r 'select(.channel!=null) | .channel' "$config_file")" - config_tools_source="$(jq -r 'select(.toolsSource!=null) | .toolsSource' "$config_file")" - else - __error "$config_file contains invalid JSON." - exit 1 - fi - elif __machine_has python ; then - if python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'))" >/dev/null ; then - config_channel="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" - config_tools_source="$(python -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" - else - __error "$config_file contains invalid JSON." - exit 1 - fi - elif __machine_has python3 ; then - if python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'))" >/dev/null ; then - config_channel="$(python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['channel'] if 'channel' in obj else '')")" - config_tools_source="$(python3 -c "import json,codecs;obj=json.load(codecs.open('$config_file', 'r', 'utf-8-sig'));print(obj['toolsSource'] if 'toolsSource' in obj else '')")" - else - __error "$config_file contains invalid JSON." - exit 1 - fi - else - __error 'Missing required command: jq or python. Could not parse the JSON file.' - exit 1 - fi - - [ ! -z "${config_channel:-}" ] && channel="$config_channel" - [ ! 
-z "${config_tools_source:-}" ] && tools_source="$config_tools_source" -fi - -[ -z "$channel" ] && channel='master' -[ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' - -get_korebuild -set_korebuildsettings "$tools_source" "$DOTNET_HOME" "$repo_path" "$config_file" "$ci" -invoke_korebuild_command "$command" "$@" diff --git a/DataProtection.sln b/src/DataProtection/DataProtection.sln similarity index 100% rename from DataProtection.sln rename to src/DataProtection/DataProtection.sln diff --git a/src/DataProtection/Directory.Build.props b/src/DataProtection/Directory.Build.props new file mode 100644 index 0000000000..deb7bb4ee6 --- /dev/null +++ b/src/DataProtection/Directory.Build.props @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/Provision-AutoGenKeys.ps1 b/src/DataProtection/Provision-AutoGenKeys.ps1 similarity index 100% rename from Provision-AutoGenKeys.ps1 rename to src/DataProtection/Provision-AutoGenKeys.ps1 diff --git a/src/DataProtection/README.md b/src/DataProtection/README.md new file mode 100644 index 0000000000..cd58074d9e --- /dev/null +++ b/src/DataProtection/README.md @@ -0,0 +1,8 @@ +DataProtection +============== + +Data Protection APIs for protecting and unprotecting data. You can find documentation for Data Protection in the [ASP.NET Core Documentation](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/). + +## Community Maintained Data Protection Providers & Projects + + - [ASP.NET Core DataProtection for Service Fabric](https://github.com/MedAnd/AspNetCore.DataProtection.ServiceFabric) diff --git a/src/DataProtection/dependencies.props b/src/DataProtection/dependencies.props new file mode 100644 index 0000000000..02e944fdb3 --- /dev/null +++ b/src/DataProtection/dependencies.props @@ -0,0 +1,17 @@ + + + $(MSBuildAllProjects);$(MSBuildThisFileFullPath) + + + + + 2.2.0-preview2-20181004.6 + + + + + + 
diff --git a/samples/AzureBlob/AzureBlob.csproj b/src/DataProtection/samples/AzureBlob/AzureBlob.csproj
similarity index 100%
rename from samples/AzureBlob/AzureBlob.csproj
rename to src/DataProtection/samples/AzureBlob/AzureBlob.csproj
diff --git a/samples/AzureBlob/Program.cs b/src/DataProtection/samples/AzureBlob/Program.cs
similarity index 100%
rename from samples/AzureBlob/Program.cs
rename to src/DataProtection/samples/AzureBlob/Program.cs
diff --git a/samples/AzureKeyVault/AzureKeyVault.csproj b/src/DataProtection/samples/AzureKeyVault/AzureKeyVault.csproj
similarity index 100%
rename from samples/AzureKeyVault/AzureKeyVault.csproj
rename to src/DataProtection/samples/AzureKeyVault/AzureKeyVault.csproj
diff --git a/samples/AzureKeyVault/Program.cs b/src/DataProtection/samples/AzureKeyVault/Program.cs
similarity index 100%
rename from samples/AzureKeyVault/Program.cs
rename to src/DataProtection/samples/AzureKeyVault/Program.cs
diff --git a/samples/AzureKeyVault/settings.json b/src/DataProtection/samples/AzureKeyVault/settings.json
similarity index 100%
rename from samples/AzureKeyVault/settings.json
rename to src/DataProtection/samples/AzureKeyVault/settings.json
diff --git a/samples/CustomEncryptorSample/CustomBuilderExtensions.cs b/src/DataProtection/samples/CustomEncryptorSample/CustomBuilderExtensions.cs
similarity index 100%
rename from samples/CustomEncryptorSample/CustomBuilderExtensions.cs
rename to src/DataProtection/samples/CustomEncryptorSample/CustomBuilderExtensions.cs
diff --git a/samples/CustomEncryptorSample/CustomEncryptorSample.csproj b/src/DataProtection/samples/CustomEncryptorSample/CustomEncryptorSample.csproj
similarity index 100%
rename from samples/CustomEncryptorSample/CustomEncryptorSample.csproj
rename to src/DataProtection/samples/CustomEncryptorSample/CustomEncryptorSample.csproj
diff --git a/samples/CustomEncryptorSample/CustomXmlDecryptor.cs b/src/DataProtection/samples/CustomEncryptorSample/CustomXmlDecryptor.cs
similarity index 100%
rename from samples/CustomEncryptorSample/CustomXmlDecryptor.cs
rename to src/DataProtection/samples/CustomEncryptorSample/CustomXmlDecryptor.cs
diff --git a/samples/CustomEncryptorSample/CustomXmlEncryptor.cs b/src/DataProtection/samples/CustomEncryptorSample/CustomXmlEncryptor.cs
similarity index 100%
rename from samples/CustomEncryptorSample/CustomXmlEncryptor.cs
rename to src/DataProtection/samples/CustomEncryptorSample/CustomXmlEncryptor.cs
diff --git a/samples/CustomEncryptorSample/Program.cs b/src/DataProtection/samples/CustomEncryptorSample/Program.cs
similarity index 100%
rename from samples/CustomEncryptorSample/Program.cs
rename to src/DataProtection/samples/CustomEncryptorSample/Program.cs
diff --git a/samples/EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj b/src/DataProtection/samples/EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj
similarity index 100%
rename from samples/EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj
rename to src/DataProtection/samples/EntityFrameworkCoreSample/EntityFrameworkCoreSample.csproj
diff --git a/samples/EntityFrameworkCoreSample/Program.cs b/src/DataProtection/samples/EntityFrameworkCoreSample/Program.cs
similarity index 100%
rename from samples/EntityFrameworkCoreSample/Program.cs
rename to src/DataProtection/samples/EntityFrameworkCoreSample/Program.cs
diff --git a/samples/KeyManagementSample/KeyManagementSample.csproj b/src/DataProtection/samples/KeyManagementSample/KeyManagementSample.csproj
similarity index 100%
rename from samples/KeyManagementSample/KeyManagementSample.csproj
rename to src/DataProtection/samples/KeyManagementSample/KeyManagementSample.csproj
diff --git a/samples/KeyManagementSample/Program.cs b/src/DataProtection/samples/KeyManagementSample/Program.cs
similarity index 100%
rename from samples/KeyManagementSample/Program.cs
rename to src/DataProtection/samples/KeyManagementSample/Program.cs
diff --git a/samples/NonDISample/NonDISample.csproj b/src/DataProtection/samples/NonDISample/NonDISample.csproj
similarity index 100%
rename from samples/NonDISample/NonDISample.csproj
rename to src/DataProtection/samples/NonDISample/NonDISample.csproj
diff --git a/samples/NonDISample/Program.cs b/src/DataProtection/samples/NonDISample/Program.cs
similarity index 100%
rename from samples/NonDISample/Program.cs
rename to src/DataProtection/samples/NonDISample/Program.cs
diff --git a/samples/Redis/Program.cs b/src/DataProtection/samples/Redis/Program.cs
similarity index 100%
rename from samples/Redis/Program.cs
rename to src/DataProtection/samples/Redis/Program.cs
diff --git a/samples/Redis/Redis.csproj b/src/DataProtection/samples/Redis/Redis.csproj
similarity index 100%
rename from samples/Redis/Redis.csproj
rename to src/DataProtection/samples/Redis/Redis.csproj
diff --git a/shared/EncodingUtil.cs b/src/DataProtection/shared/EncodingUtil.cs
similarity index 100%
rename from shared/EncodingUtil.cs
rename to src/DataProtection/shared/EncodingUtil.cs
diff --git a/shared/ExceptionExtensions.cs b/src/DataProtection/shared/ExceptionExtensions.cs
similarity index 100%
rename from shared/ExceptionExtensions.cs
rename to src/DataProtection/shared/ExceptionExtensions.cs
diff --git a/src/Directory.Build.props b/src/DataProtection/src/Directory.Build.props
similarity index 100%
rename from src/Directory.Build.props
rename to src/DataProtection/src/Directory.Build.props
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCRYPT_KEY_LENGTHS_STRUCT.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBuffer.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptBufferDesc.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptEncryptFlags.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptGenRandomFlags.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptKeyDerivationBufferType.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/BCryptUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/CachedAlgorithmHandles.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/NCryptEncryptFlags.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Cng/OSVersionUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Constants.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/CryptoUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/DATA_BLOB.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Microsoft.AspNetCore.Cryptography.Internal.csproj
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/Resources.resx
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptAlgorithmHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptHashHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/BCryptKeyHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/LocalAllocHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/NCryptDescriptorHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SafeLibraryHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/SafeHandles/SecureLocalAllocHandle.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeBufferUtil.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/UnsafeNativeMethods.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/WeakReferenceHelpers.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.Internal/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivation.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/KeyDerivationPrf.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Microsoft.AspNetCore.Cryptography.KeyDerivation.csproj
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/IPbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/ManagedPbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/NetCorePbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Pbkdf2Util.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win7Pbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/PBKDF2/Win8Pbkdf2Provider.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.Cryptography.KeyDerivation/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/CryptoUtil.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/DataProtectionCommonExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Error.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/IDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Infrastructure/IApplicationDiscriminator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Abstractions/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureDataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/AzureKeyVaultXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/IKeyVaultWrappingClient.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/KeyVaultClientWrapper.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Microsoft.AspNetCore.DataProtection.AzureKeyVault.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureKeyVault/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureBlobXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/AzureDataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/Microsoft.AspNetCore.DataProtection.AzureStorage.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.AzureStorage/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/DataProtectionKey.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreDataProtectionExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/EntityFrameworkCoreXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/IDataProtectionKeyContext.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/LoggingExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/BitHelpers.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionAdvancedExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/DataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/ITimeLimitedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Microsoft.AspNetCore.DataProtection.Extensions.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/TimeLimitedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.Extensions/baseline.netcore.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisDataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.StackExchangeRedis/RedisXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/CompatibilityDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/DataProtectionStartup.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Microsoft.AspNetCore.DataProtection.SystemWeb.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/baseline.netframework.json
diff --git a/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection.SystemWeb/web.config.transform
diff --git a/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ActivatorExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ApplyPolicyAttribute.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ArraySegmentExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AlgorithmAssert.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/AuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AlgorithmConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/IInternalAlgorithmConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/SecretExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ConfigurationModel/XmlSerializedDescriptorInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/EncryptionAlgorithm.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/AuthenticatedEncryption/ValidationAlgorithm.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/BitHelpers.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/BCryptGenRandomImpl.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/CbcAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/DpapiSecretSerializerHelper.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/GcmAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/IBCryptGenRandom.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Cng/Internal/CngAuthenticatedEncryptorBase.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionBuilderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionOptions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionServiceCollectionExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/DataProtectionUtilityExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/EphemeralDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Error.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Error.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Error.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Error.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IDataProtectionBuilder.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IPersistedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/IRegistryPolicyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/ISecret.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ISecret.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/ISecret.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/ISecret.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionBuilder.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionOptionsSetup.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DataProtectionStartupFilter.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/DockerUtils.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/HostingApplicationDiscriminator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/IActivator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Internal/KeyManagementOptionsSetup.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DefaultKeyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/DeferredKey.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKey.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyEscrowSink.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/IKeyManager.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/CacheableKeyRing.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/DefaultKeyResolution.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/ICacheableKeyRingProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IDefaultKeyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IInternalXmlKeyManager.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRing.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Internal/IKeyRingProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/Key.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyBase.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyEscrowServiceProviderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyManagementOptions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRing.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtectionProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingBasedDataProtector.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/KeyRingProvider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/KeyManagement/XmlKeyManager.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/LoggingServiceProviderExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/HashAlgorithmExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/IManagedGenRandom.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedAuthenticatedEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/ManagedGenRandomImpl.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Managed/SymmetricAlgorithmExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/MemoryProtection.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Microsoft.AspNetCore.DataProtection.csproj
diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/AssemblyInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Properties/Resources.Designer.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicy.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/RegistryPolicyResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/DefaultKeyStorageDirectories.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/EphemeralXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/FileSystemXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/IDefaultKeyStorageDirectory.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/IXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Repositories/RegistryXmlRepository.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Resources.resx b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Resources.resx
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Resources.resx
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Resources.resx
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ISP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/SP800_108_CTR_HMACSHA512Util.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win7SP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SP800_108/Win8SP800_108_CTR_HMACSHA512Provider.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/Secret.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Secret.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/Secret.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/Secret.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/SimpleActivator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/TypeForwardingActivator.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlConstants.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/CertificateXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGProtectionDescriptorFlags.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiNGXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/DpapiXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/EncryptedXmlInfo.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/ICertificateResolver.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalCertificateXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IInternalEncryptedXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/IXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlDecryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/NullXmlEncryptor.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlEncryptionExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlEncryption/XmlKeyDecryptionOptions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/XmlExtensions.cs
diff --git a/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json b/src/DataProtection/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json
similarity index 100%
rename from src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json
rename to src/DataProtection/src/Microsoft.AspNetCore.DataProtection/baseline.netcore.json
diff --git a/test/CreateTestCert.ps1 b/src/DataProtection/test/CreateTestCert.ps1
similarity index 100%
rename from test/CreateTestCert.ps1
rename to src/DataProtection/test/CreateTestCert.ps1
diff --git a/test/Directory.Build.props b/src/DataProtection/test/Directory.Build.props
similarity index 100%
rename from test/Directory.Build.props
rename to src/DataProtection/test/Directory.Build.props
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_Tests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCRYPT_KEY_LENGTHS_STRUCT_Tests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/BCryptUtilTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Cng/CachedAlgorithmHandlesTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/CryptoUtilTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Microsoft.AspNetCore.Cryptography.Internal.Test.csproj
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/SafeHandles/SecureLocalAllocHandleTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/UnsafeBufferUtilTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.Internal.Test/WeakReferenceHelpersTests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test.csproj
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Pbkdf2Tests.cs
diff --git a/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.Cryptography.KeyDerivation.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/DataProtectionCommonExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Abstractions.Test/Microsoft.AspNetCore.DataProtection.Abstractions.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/AzureKeyVaultXmlEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test/Microsoft.AspNetCore.DataProtection.AzureKeyVault.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureBlobXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/AzureDataProtectionBuilderExtensionsTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test/Microsoft.AspNetCore.DataProtection.AzureStorage.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionEntityFrameworkTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/DataProtectionKeyContext.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/EntityFrameworkCoreDataProtectionBuilderExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test/Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionAdvancedExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/DataProtectionProviderTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Microsoft.AspNetCore.DataProtection.Extensions.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert2.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCert3WithoutPrivateKey.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCertWithoutPrivateKey.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCertWithoutPrivateKey.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCertWithoutPrivateKey.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TestFiles/TestCertWithoutPrivateKey.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/TimeLimitedDataProtectorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Extensions.Test/X509StoreIsAvailableAttribute.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/DataProtectionRedisTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/RedisDataProtectionBuilderExtensionsTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServer.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServer.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServer.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServer.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServerIsAvailableAttribute.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServerIsAvailableAttribute.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServerIsAvailableAttribute.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/TestRedisServerIsAvailableAttribute.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/testconfig.json b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/testconfig.json
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/testconfig.json
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Test/testconfig.json
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ActivatorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AnonymousImpersonation.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactoryTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactoryTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfigurationTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/AuthenticatedEncryption/ManagedAuthenticatedEncryptorFactoryTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CbcAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/CngAuthenticatedEncryptorBaseTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Cng/GcmAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DataProtectionUtilityExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/DockerUtilsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/EphemeralDataProtectionProviderTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/HostingTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Internal/KeyManagementOptionsSetupTest.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/CacheableKeyRingTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DefaultKeyResolverTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/DeferredKeyTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyEscrowServiceProviderExtensionsTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingBasedDataProtectorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingProviderTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyRingTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/KeyTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/KeyManagement/XmlKeyManagerTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Managed/ManagedAuthenticatedEncryptorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Microsoft.AspNetCore.DataProtection.Test.csproj
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/MockExtensions.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Properties/AssemblyInfo.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/RegistryPolicyResolverTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/EphemeralXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/FileSystemXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/Repositories/RegistryXmlRepositoryTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SP800_108/SP800_108Tests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretAssert.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SecretTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/SequentialGenRandom.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/ServiceCollectionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/StringLoggerFactory.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.PublicKeyOnly.cer
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert1.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TestFiles/TestCert2.pfx
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/TypeForwardingActivatorTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlAssert.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/CertificateXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiNGXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
similarity index 100%
rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/DpapiXmlEncryptionTests.cs
diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/EncryptedXmlDecryptorTests.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/NullXmlEncryptionTests.cs diff --git a/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs b/src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs similarity index 100% rename from test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs rename to src/DataProtection/test/Microsoft.AspNetCore.DataProtection.Test/XmlEncryption/XmlEncryptionExtensionsTests.cs diff --git a/test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs b/src/DataProtection/test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs similarity index 100% rename from test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs rename to src/DataProtection/test/shared/ConditionalRunTestOnlyWindows8OrLaterAttribute.cs 
diff --git a/test/shared/ConditionalRunTestOnlyWindowsAttribute.cs b/src/DataProtection/test/shared/ConditionalRunTestOnlyWindowsAttribute.cs similarity index 100% rename from test/shared/ConditionalRunTestOnlyWindowsAttribute.cs rename to src/DataProtection/test/shared/ConditionalRunTestOnlyWindowsAttribute.cs diff --git a/test/shared/ExceptionAssert2.cs b/src/DataProtection/test/shared/ExceptionAssert2.cs similarity index 100% rename from test/shared/ExceptionAssert2.cs rename to src/DataProtection/test/shared/ExceptionAssert2.cs diff --git a/version.props b/src/DataProtection/version.props similarity index 100% rename from version.props rename to src/DataProtection/version.props From 4dfd351c8489cd5f5c4d45266c9fbbf6122923fe Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Mon, 15 Oct 2018 09:46:20 -0700 Subject: [PATCH 491/493] Remove DataProtection submodule and update path to DP source code to local folder --- .gitmodules | 4 ---- build/RepositoryBuild.targets | 3 +++ build/buildorder.props | 11 ++++++++--- build/submodules.props | 2 +- modules/DataProtection | 1 - src/DataProtection/build/repo.props | 6 ++++++ 6 files changed, 18 insertions(+), 9 deletions(-) delete mode 160000 modules/DataProtection create mode 100644 src/DataProtection/build/repo.props diff --git a/.gitmodules b/.gitmodules index ed8ae26eba..972b9ce3f8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -38,10 +38,6 @@ path = modules/CORS url = https://github.com/aspnet/CORS.git branch = release/2.1 -[submodule "modules/DataProtection"] - path = modules/DataProtection - url = https://github.com/aspnet/DataProtection.git - branch = release/2.1 [submodule "modules/DependencyInjection"] path = modules/DependencyInjection url = https://github.com/aspnet/DependencyInjection.git diff --git a/build/RepositoryBuild.targets b/build/RepositoryBuild.targets index be43e8dc75..a97112a561 100644 --- a/build/RepositoryBuild.targets +++ b/build/RepositoryBuild.targets 
@@ -11,6 +11,9 @@ + + $(SubmoduleRoot)%(Identity)\ + %(RepositoryBuildOrder.Order) %(RepositoryBuildOrder.Identity) diff --git a/build/buildorder.props b/build/buildorder.props index 0c20ba10c9..c8b166f55b 100644 --- a/build/buildorder.props +++ b/build/buildorder.props @@ -1,4 +1,11 @@ + + + + + + + @@ -17,7 +24,7 @@ - + @@ -47,7 +54,5 @@ - - diff --git a/build/submodules.props b/build/submodules.props index 2a0bf13984..cc0a5c1603 100644 --- a/build/submodules.props +++ b/build/submodules.props @@ -57,7 +57,7 @@ - + diff --git a/modules/DataProtection b/modules/DataProtection deleted file mode 160000 index b62bb5778b..0000000000 --- a/modules/DataProtection +++ /dev/null @@ -1 +0,0 @@ -Subproject commit b62bb5778be59cbde9b2e6bbdef20f40eef42355 diff --git a/src/DataProtection/build/repo.props b/src/DataProtection/build/repo.props new file mode 100644 index 0000000000..59ae0807d3 --- /dev/null +++ b/src/DataProtection/build/repo.props @@ -0,0 +1,6 @@ + + + + true + + From a673bfd741df5728a5b50eb6b20e6bd70941e6cc Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Mon, 15 Oct 2018 10:03:59 -0700 Subject: [PATCH 492/493] Add build script and CI config for the DataProtection folder --- .azure/pipelines/fast-pr-validation.yml | 11 +++++++++++ run.ps1 | 15 +++++++++------ run.sh | 17 ++++++++++++----- src/DataProtection/build.cmd | 3 +++ src/DataProtection/build.sh | 7 +++++++ 5 files changed, 42 insertions(+), 11 deletions(-) create mode 100644 src/DataProtection/build.cmd create mode 100755 src/DataProtection/build.sh diff --git a/.azure/pipelines/fast-pr-validation.yml b/.azure/pipelines/fast-pr-validation.yml index 426b7a79a8..e91c970c6b 100644 --- a/.azure/pipelines/fast-pr-validation.yml +++ b/.azure/pipelines/fast-pr-validation.yml 
@@ -15,3 +15,14 @@ phases: - template: .vsts-pipelines/templates/project-ci.yml@buildtools parameters: buildArgs: "/t:CheckUniverse" +- phase: DataProtection + queue: Hosted VS2017 + steps: + - script: src/DataProtection/build.cmd -ci + displayName: Run src/DataProtection/build.cmd + - task: PublishTestResults@2 + displayName: Publish test results + condition: always() + inputs: + testRunner: vstest + testResultsFiles: 'src/DataProtection/artifacts/logs/**/*.trx' diff --git a/run.ps1 b/run.ps1 index 60e533097c..6b7e36c6cf 100644 --- a/run.ps1 +++ b/run.ps1 @@ -14,6 +14,9 @@ The KoreBuild command to run. .PARAMETER Path The folder to build. Defaults to the folder containing this script. +.PARAMETER LockFile +The path to the korebuild-lock.txt file. Defaults to $Path/korebuild-lock.txt + .PARAMETER Channel The channel of KoreBuild to download. Overrides the value from the config file. @@ -75,6 +78,7 @@ param( [Parameter(Mandatory=$true, Position = 0)] [string]$Command, [string]$Path = $PSScriptRoot, + [string]$LockFile, [Alias('c')] [string]$Channel, [Alias('d')] 
@@ -104,15 +108,13 @@ $ErrorActionPreference = 'Stop' function Get-KoreBuild { - $lockFile = Join-Path $Path 'korebuild-lock.txt' - - if (!(Test-Path $lockFile) -or $Update) { - Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $lockFile + if (!(Test-Path $LockFile) -or $Update) { + Get-RemoteFile "$ToolsSource/korebuild/channels/$Channel/latest.txt" $LockFile } - $version = Get-Content $lockFile | Where-Object { $_ -like 'version:*' } | Select-Object -first 1 + $version = Get-Content $LockFile | Where-Object { $_ -like 'version:*' } | Select-Object -first 1 if (!$version) { - Write-Error "Failed to parse version from $lockFile. Expected a line that begins with 'version:'" + Write-Error "Failed to parse version from $LockFile. Expected a line that begins with 'version:'" } $version = $version.TrimStart('version:').Trim() $korebuildPath = Join-Paths $DotNetHome ('buildtools', 'korebuild', $version) @@ -207,6 +209,7 @@ if (!$DotNetHome) { else { Join-Path $PSScriptRoot '.dotnet'} } +if (!$LockFile) { $LockFile = Join-Path $Path 'korebuild-lock.txt' } if (!$Channel) { $Channel = 'master' } if (!$ToolsSource) { $ToolsSource = 'https://aspnetcore.blob.core.windows.net/buildtools' } diff --git a/run.sh b/run.sh index beaca3094f..cfc0a36904 100755 --- a/run.sh +++ b/run.sh @@ -15,6 +15,7 @@ verbose=false update=false reinstall=false repo_path="$DIR" +lockfile_path='' channel='' tools_source='' ci=false 
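Review bot: An explicit `-LockFile` that points at a missing file is silently replaced with the channel's `latest.txt` in the Get-KoreBuild hunk, because `!(Test-Path $LockFile) -or $Update` treats a caller-supplied path the same way as the default one. A mistyped path from a wrapper script would then float the KoreBuild version instead of using the pinned one, and write a new lock file at that path. Consider failing when the path was passed explicitly, for example by extending the defaulting line to `if (!$LockFile) { $LockFile = Join-Path $Path 'korebuild-lock.txt' } elseif (!(Test-Path $LockFile) -and !$Update) { Write-Error "Lock file not found: $LockFile" }`. The same applies to `get_korebuild` in run.sh, where the test is `[ ! -f "$lockfile_path" ] || [ "$update" = true ]`. Get-KoreBuild's body continues outside the hunk.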
@@ -41,6 +42,7 @@ __usage() { echo " --config-file The path to the configuration file that stores values. Defaults to korebuild.json." echo " -d|--dotnet-home The directory where .NET Core tools will be stored. Defaults to '\$DOTNET_HOME' or '\$HOME/.dotnet." echo " --path The directory to build. Defaults to the directory containing the script." + echo " --lockfile The path to the korebuild-lock.txt file. Defaults to \$repo_path/korebuild-lock.txt" echo " -s|--tools-source|-ToolsSource The base url where build tools can be downloaded. Overrides the value from the config file." echo " --package-version-props-url The url of the package versions props path containing dependency versions." echo " --access-token The query string to append to any blob store access for PackageVersionPropsUrl, if any." @@ -61,13 +63,12 @@ __usage() { get_korebuild() { local version - local lock_file="$repo_path/korebuild-lock.txt" - if [ ! -f "$lock_file" ] || [ "$update" = true ]; then - __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lock_file" + if [ ! -f "$lockfile_path" ] || [ "$update" = true ]; then + __get_remote_file "$tools_source/korebuild/channels/$channel/latest.txt" "$lockfile_path" fi - version="$(grep 'version:*' -m 1 "$lock_file")" + version="$(grep 'version:*' -m 1 "$lockfile_path")" if [[ "$version" == '' ]]; then - __error "Failed to parse version from $lock_file. Expected a line that begins with 'version:'" + __error "Failed to parse version from $lockfile_path. Expected a line that begins with 'version:'" return 1 fi version="$(echo "${version#version:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')" 
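Review bot: `grep 'version:*' -m 1 "$lockfile_path"` in the get_korebuild hunk does not match what the error message promises: as a regular expression `:*` means zero or more colons and the pattern is unanchored, so the first line containing the word "version" anywhere is taken. Now that the file can be supplied through `--lockfile`, a stricter parse is worth having, since the following `${version#version:}` only strips the prefix when the line really starts with it, and the result is presumably what selects the KoreBuild download. Suggest `version="$(grep -m 1 '^version:' "$lockfile_path")"`. get_korebuild continues past the end of the hunk.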
@@ -176,6 +177,11 @@ while [[ $# -gt 0 ]]; do repo_path="${1:-}" [ -z "$repo_path" ] && __error "Missing value for parameter --path" && __usage ;; + --[Ll]ock[Ff]ile) + shift + lockfile_path="${1:-}" + [ -z "$lockfile_path" ] && __error "Missing value for parameter --lockfile" && __usage + ;; -s|--tools-source|-ToolsSource) shift tools_source="${1:-}" @@ -296,6 +302,7 @@ if [ ! -z "$product_build_id" ]; then msbuild_args[${#msbuild_args[*]}]="-p:DotNetProductBuildId=$product_build_id" fi +[ -z "$lockfile_path" ] && lockfile_path="$repo_path/korebuild-lock.txt" [ -z "$channel" ] && channel='master' [ -z "$tools_source" ] && tools_source='https://aspnetcore.blob.core.windows.net/buildtools' diff --git a/src/DataProtection/build.cmd b/src/DataProtection/build.cmd new file mode 100644 index 0000000000..f4169ea5e4 --- /dev/null +++ b/src/DataProtection/build.cmd @@ -0,0 +1,3 @@ +@ECHO OFF +SET RepoRoot="%~dp0..\.." +%RepoRoot%\build.cmd -LockFile %RepoRoot%\korebuild-lock.txt -Path %~dp0 %* diff --git a/src/DataProtection/build.sh b/src/DataProtection/build.sh new file mode 100755 index 0000000000..d5bb0cf631 --- /dev/null +++ b/src/DataProtection/build.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +set -euo pipefail + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +repo_root="$DIR/../.." +"$repo_root/build.sh" --path "$DIR" --lockfile "$repo_root/korebuild-lock.txt" "$@" From 6a14b47ccdaa111e959dcffba4a53727a99b53bf Mon Sep 17 00:00:00 2001 From: Nate McMaster Date: Mon, 15 Oct 2018 10:56:55 -0700 Subject: [PATCH 493/493] Add infrastructure changes to src/DataProtection can build on its own --- src/DataProtection/NuGetPackageVerifier.json | 7 +++++++ src/DataProtection/build/repo.props | 4 ++++ src/DataProtection/dependencies.props | 16 ++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 src/DataProtection/NuGetPackageVerifier.json 
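Review bot: In src/DataProtection/build.cmd, `-Path %~dp0` is forwarded unquoted, so a checkout directory containing a space is split into several arguments, whereas build.sh quotes both `"$DIR"` and the lock file path. `SET RepoRoot="%~dp0..\.."` also stores the quote characters in the variable and, without `SETLOCAL`, leaves `RepoRoot` set in the caller's console. Suggest `SETLOCAL`, `SET "RepoRoot=%~dp0..\.."` and `"%RepoRoot%\build.cmd" -LockFile "%RepoRoot%\korebuild-lock.txt" -Path "%~dp0." %*`; the trailing `.` keeps the closing quote from directly following a backslash. How the root build.cmd forwards `%*` is not visible in this patch, so the quoting should be confirmed against it.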
diff --git a/src/DataProtection/NuGetPackageVerifier.json b/src/DataProtection/NuGetPackageVerifier.json new file mode 100644 index 0000000000..22ef3c09c0 --- /dev/null +++ b/src/DataProtection/NuGetPackageVerifier.json @@ -0,0 +1,7 @@ +{ + "Default": { + "rules": [ + "DefaultCompositeRule" + ] + } +} diff --git a/src/DataProtection/build/repo.props b/src/DataProtection/build/repo.props index 59ae0807d3..3fa98a9b36 100644 --- a/src/DataProtection/build/repo.props +++ b/src/DataProtection/build/repo.props @@ -1,6 +1,10 @@ + true + + + diff --git a/src/DataProtection/dependencies.props b/src/DataProtection/dependencies.props index 02e944fdb3..687186b112 100644 --- a/src/DataProtection/dependencies.props +++ b/src/DataProtection/dependencies.props @@ -6,6 +6,22 @@ 2.2.0-preview2-20181004.6 + 2.2.0-preview3-35497 + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion) + $(LastGoodAspBuildVersion)