Closed danmoseley closed 7 years ago
weshaggard
commented
7 years ago I'm interested in opinions from @terrajobst @marek-safar @akoeplinger
Before we decide on this I want to do some analysis about usage and which platforms currently have these.
marek-safar
commented
7 years ago We have API surface for most of them (some of them are very easy to support) but not all API is working.
PaulHigin
commented
7 years ago @danmosemsft We (PowerShell) need the System.Security.Cryptography.RSACryptoServiceProvider for remoting key exchange, but we also need support for ephemeral keys (support for CRYPT_VERIFYCONTEXT) that doesn't appear to be supported in .NET. Will support for ephemeral keys be added?
bartonjs
commented
7 years ago @PaulHigin RSACryptoServiceProvider is the least useful implementation of RSA we have in .NET, so you should really try to wean off of it. And I don't know what you mean by not supporting ephemeral keys, but if it's something not working that'd be an issue to file in dotnet/corefx.
weshaggard
commented
7 years ago We should also look at https://github.com/dotnet/standard/issues/221 as part of this. In general we need to try and rationalize these Crypto APIs. We should do a diff and review to see if we have an set that we can at least rationalize in our heads.
PaulHigin
commented
7 years ago @bartonjs What do you suggest? PowerShell remoting currently uses RSACryptoServiceProvider (via Windows API PInvoke) and requires use of ephemeral keys. It is my understanding that .NET does not support this. Please correct me if I am wrong (and point me to documentation).
terrajobst
commented
7 years ago Looking at the usage, it looks like we want to do the following:
*CryptoServiceProvider types. Those are around since .NET Framework 1.0, and are widely used. They were also implemented by Mono, because it was the only way to support crypto until we added CNG.*Cng* types. CNG is the current Windows crypto API stack and was created in Vista/Win7 time frame. The types were added in .NET Framework 3.5. The usage is generally fairly low usage (max 1%). It's a Windows only technology and cannot be reasonably implemented everywhere.It looks like we want to do the following:
Registry.Follow-ups:
danmoseley
commented
7 years ago @karelz can someone on your team sign up to cost (1)?
bartonjs
commented
7 years ago @danmosemsft It's already tracked via https://github.com/dotnet/corefx/issues/16585.
weshaggard
commented
7 years ago @weshaggard will create a full diff of crypto between .NET Framework 4.6.1 and .NET Standard 2.0.
The APIs that are in .NET 4.6.1 that aren't part of the standard now (including my CNG removals) can be seen https://github.com/dotnet/standard/pull/272/files#diff-e31cb612517bf61cc7841e90885fca62.
I also did a diff of the API's that are still part of the standard against 4.6.1 and looked for member differences and the only ones that are missing things are removed because of CAS. So there isn't really anything more to expose there.
weshaggard
commented
7 years ago I believe the work targeting the standard repo is now complete so closing.
The following API are not implemented in netcoreapp for Unix targets. This appears to be the case for Xamarin also. If that's so we should remove from Standard if dependencies allow as we can't "make the Standard promise". If that's not so (Xamarin has them) we should invesitgate whether we should impelment them for Unix.
/cc @bartonjs