Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support security mode Message #3424

Open
mconnew opened this issue Mar 1, 2019 · 11 comments
Open

Support security mode Message #3424

mconnew opened this issue Mar 1, 2019 · 11 comments
Labels
Blocked Issues blocked from completion for some specific reason. Known Issue Known WCF issues\

Comments

@mconnew
Copy link
Member

mconnew commented Mar 1, 2019

Splitting issue #8 into two. This issue will be for full Message security including signing and encrypting as the SOAP message level.
@mconnew mconnew mentioned this issue Mar 1, 2019
Closed
@Lxiamail Lxiamail added this to the Future milestone Mar 1, 2019
@easyest
Copy link

easyest commented Mar 9, 2019
edited
Loading

Core is unusable till there will be a way to consume WCF services. Therefor ASP.NET Core is unusable also. So stuck in 2019 with 2013 technology. GG.

@StephenBonikowsky StephenBonikowsky added the Backlog Legitimate tasks of lower priority not in current dev schedule. label May 23, 2019
@StephenBonikowsky StephenBonikowsky mentioned this issue Jul 22, 2019
Closed
@NCRKRK NCRKRK mentioned this issue Aug 1, 2019
Closed
@StephenBonikowsky
Copy link
Member

Want to get this done for 5.0 if possible but we have a dependency on some external APIs that would have to be provided in order for us to get this working. (such as SignedXml).

@StephenBonikowsky StephenBonikowsky modified the milestones: Future, 5.0 Oct 30, 2019
This was referenced Oct 30, 2019
Closed
Closed
@StephenBonikowsky
Copy link
Member

Tagging @krispenner

@StephenBonikowsky StephenBonikowsky removed this from the 5.0 milestone Mar 5, 2020
@StephenBonikowsky StephenBonikowsky added Blocked Issues blocked from completion for some specific reason. and removed Backlog Legitimate tasks of lower priority not in current dev schedule. Known Issue 1.0.0 labels Mar 5, 2020
@krispenner
Copy link

krispenner commented Jun 10, 2021
edited
Loading

Hi @mconnew and @StephenBonikowsky, are there any updates on this task? It has been blocked for over a year so I'm just checking in again :)

Can you also confirm that this task, when or if completed, will resolve the issue @mconnew discusses with me here?

I believe usage of AsymmetricSecurityBindingElement implies full message security which we still don't have any concrete plans to be able to support.

We depend on code which isn't in .NET Core to achieve message security. There is a potential path to bring the feature, but I'll be honest it will be a while before we can consider thinking about trying to get everything lined up for that.

I assume the blocker here is due to the code that isn't yet in .NET Core? If so, any update or timeline (.NET 6, 7, ... 10) on that would be much appreciated.

@mconnew
Copy link
Member Author

mconnew commented Jun 10, 2021

Sorry, no update on the timeline. One of the blockers is absence of an implementation of the STR Transform for signed XML.
There are two potential paths forward. The first is to implement the STR Transform for use with the System.Security.Cryptography.Xml.SignedXml implementation. I don't know how big of a task that is, or if it's something I'd be willing to accept into this repo. I have a pretty strong policy of not directly owning any security primitives in this repo. This is because it's a minefield of potential problems, and without a lot of eyes on an implementation and without it being used in multiple contexts, it's easy for security bugs to go uncaught. So I would need to evaluate if there's any crypto aspect to the transform. Even when there isn't directly, sometimes you can affect crypto indirectly by providing the incorrect input to something that is crypto related. The implementation in .NET Framework that WCF uses is a cheater implementation taking some shortcuts and isn't a full implementation, but I don't think we can get away with doing the same thing using the public crypto SignedXml implementation. There is an implementation which shipped with WSE3.0 but I tried for 2 days to unpick it from the rest of WSE but it had too much interdependency on other classes, but I didn't really understand what the transform does so that made it harder to work out how to prune the dependencies.
The second option is that I've been told there's a full implementation of signed XML in the new Microsoft.IdentityModel.* packages, but I don't know if it includes the STR Transform. If it does, I don't know if it's exposed in a usable way. I would need to evaluate that and potentially negotiate exposure via public api. This might be the better option long term, but it will take time and nobody else has been inclined to volunteer to dig in and work this out.

There is also another unknown, which is the encryption part. There is an implementation of xml encryption in System.Security.Cryptography.Xml.EncryptedXml which I would hope would do the job. I don't know if this has all the capabilities needed, but I have no reason to believe it doesn't. But you never know until you try to use it.

I'm sorry I don't have a better answer for you. Realistically it's really unlikely to be done for .NET 7 as other large tasks are in the pipe before that. I can't speak to priorities beyond that.

@krispenner
Copy link

Thank you very much @mconnew for the detailed and honest update.

@HongGit HongGit mentioned this issue Nov 2, 2021
Closed
@mconnew mconnew mentioned this issue Jun 29, 2022
Closed
@brianwaynerogers
Copy link

@mconnew
This is a pain point for me, b/c I have one WCF dependency where the service, which I do not control, is using Message security, so I have to still support a client running .NET Framework. I know this issue blocked, and you have recently referenced your comment above on the status, but I wanted to let you know that if you find a way to get this done, it will be appreciated, for whatever that is worth.

@dzambo2302
Copy link

@brianwaynerogers
The same situation over here.

@HongGit HongGit mentioned this issue Apr 6, 2023
Closed
@DonKedero
Copy link

Same situation here, using .NET 7; AsymmetricSecurityBindingElement is not present.
API (SOAP) is from the government ... so it's a bit blocking the migration from a .NET Framework 4.8 project. Looking into some creative stuff like a .NET Framework 4.8 WebApi which is called locally from .NET 7, or some namedpipes, ...

@awroggeband
Copy link

awroggeband commented Feb 7, 2024
edited
Loading

Same situation here, using .NET 7; AsymmetricSecurityBindingElement is not present. API (SOAP) is from the government ... so it's a bit blocking the migration from a .NET Framework 4.8 project. Looking into some creative stuff like a .NET Framework 4.8 WebApi which is called locally from .NET 7, or some namedpipes, ...

The workaround that I used to access the unmoveable government API is to create a .Net 4.8 self hosted service with the same API interface that receives requests from .Net 7.0 clients and proxies them to the gov't API

@delixfe
Copy link

delixfe commented Nov 7, 2024

Add to: Support for Message Security #5641

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Blocked Issues blocked from completion for some specific reason. Known Issue Known WCF issues\
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@delixfe @easyest @Lxiamail @mconnew @krispenner @StephenBonikowsky @DonKedero @brianwaynerogers @dzambo2302 @awroggeband