dotnet / wcf

This repo contains the client-oriented WCF libraries that enable applications built on .NET Core to communicate with WCF services.
MIT License

SecurityBindingElement.CreateMutualCertificateDuplexBindingElement in DotNetCore #2265

Open inlineHamed opened 7 years ago

inlineHamed commented 7 years ago

I am trying to use a WSDL service in .NET Core that works fine in previous versions of .NET. As I described in https://github.com/dotnet/wcf/issues/2259 and https://github.com/dotnet/wcf/issues/2258, first I tried the 'Microsoft WCF Web Service Reference Provider' extension, which resulted in some errors. Then I tried 'SvcUtil.exe', put the generated source and config file in a .NET Framework console app and was able to successfully connect to the service. But as .NET Core does not support a config file, I tried to turn my App.config '' section into code, which finally results in this:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Custom binding assembled by hand from the App.config that svcutil generated.
var binding = new CustomBinding()
{
    Name = "GetCustomsPermitServiceSoapBinding",
};

// Message security: the SOAP messages themselves are signed and encrypted with
// X.509 certificates on both sides (client and service certificate).
var seq = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
     MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

seq.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256Rsa15;
seq.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
seq.IncludeTimestamp = true;
seq.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
seq.RequireSignatureConfirmation = false;
seq.SetKeyDerivation(requireDerivedKeys: false);
seq.LocalClientSettings.DetectReplays = true;
seq.LocalServiceSettings.DetectReplays = true;

binding.Elements.Add(seq);

// Plain-text SOAP encoding over unencrypted HTTP; confidentiality comes from the
// message security element above, not from the transport.
binding.Elements.Add(new TextMessageEncodingBindingElement());
binding.Elements.Add(new HttpTransportBindingElement());

var endpointAddress = new EndpointAddress(new Uri("http://servicebus.ecogif.ir/IRICA/GetCustomsPermit/4"),
    new DnsEndpointIdentity("servicebus.ecogif.ir"));

var client = new GetCustomsPermitClient(binding, endpointAddress);

// Client certificate used to sign outgoing messages.
client.ClientCredentials.ClientCertificate.SetCertificate(storeLocation: StoreLocation.LocalMachine, storeName: StoreName.My, findType: X509FindType.FindBySubjectName,
    findValue: "tamliki.ir");

// Service certificate used to encrypt outgoing messages and verify the response signature.
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(storeLocation: StoreLocation.LocalMachine, storeName: StoreName.TrustedPeople, findType: X509FindType.FindBySubjectName,
    findValue: "servicebus.ecogif.ir");

var pate = client.getCustomsPermitByCustomsPermitNumber("20306133132", "1");
```

And it works properly.

Then I copied this code into a .NET Core console app, but it seems something must be changed, as there is no "CreateMutualCertificateDuplexBindingElement" and no "SecurityAlgorithmSuite".

What is the equivalent of this code in .NET Core?

zhenlan commented 7 years ago

@hmdhasani, as message security is not supported in WCF on .NET Core, this code won't work.

The only workaround at this point is to change your service to use transport security and not message security. I understand this is not always an option...

The reason WCF is not able to support message security currently is that underlying key functionality (mostly in System.IdentityModel) is not available on .NET Core. FYI, this is tracked in #3, #4, #8.

inlineHamed commented 7 years ago

Thank you @zhenlan for the response. Is there any hope that this will be available in the near future?

zhenlan commented 7 years ago

I won't say no hope for future :), but at this point we don't have any concrete plan yet.

inlineHamed commented 6 years ago

Hi @zhenlan, after almost a year... :smiley: Is there any update on this?

Lxiamail commented 6 years ago

@hmdhasani I'm afraid that we don't have any further update on this at this point.

sudilravindranpk commented 5 years ago

@hmdhasani @zhenlan @Lxiamail do you have any workaround, other than moving the service from message security to transport security (in my case the service is a third party; I cannot modify it)? I am worried that the only option before me is moving out of .NET Core, back to .NET Framework.

fulghumd commented 5 years ago

> @hmdhasani @zhenlan @Lxiamail do you have any workaround, other than moving the service from message security to transport security (in my case the service is a third party; I cannot modify it)? I am worried that the only option before me is moving out of .NET Core, back to .NET Framework.

We are also hitting this same road block. Hopefully support for message security can be made a priority soon!

Lxiamail commented 5 years ago

@fulghumd @sudilravindranpk, unfortunately, the status hasn't changed. Because the underlying System.IdentityModel is not supported on .NET Core, this item is blocked.

umitakkaya commented 5 years ago

Given that #3 and #8 are closed, and #4 is in the backlog, when can we expect this feature to be supported?

mconnew commented 5 years ago

It's not completely obvious to me whether your usage scenario falls under MessageSecurity or TransportWithMessageCredentials. I suspect it's the former, as your endpoint address is using http and not https. TransportWithMessageCredentials requires the transport layer to provide the secrecy and integrity part of security, and this is generally provided by TLS over https. As you are using http, I believe this means you require full MessageSecurity, which encrypts and signs the payload to provide secrecy and integrity. This capability is provided by System.IdentityModel on .NET Framework. We simply don't have the resources to take ownership of this code on .NET Core; we're a small team. The team which does own it has decided not to port and support it on .NET Core.

I was able to get TransportWithMessageCredentials to work as there are actually two implementations of SignedXml in the .NET Framework. One is in System.IdentityModel and is internal (and used by WCF on .NET Framework); the other lives in System.Security.Cryptography.Xml and is public. There is sufficient implementation of the various signed XML standards in the public implementation that I was able to refactor WCF to use that instead. Unfortunately it doesn't implement enough of the signed XML standards to be able to use it for full MessageSecurity.
I have some ideas on how to get full MessageSecurity working, which is why this issue hasn't been closed. But it will be quite a while and quite a lot of work (major refactoring of the entire feature internals of WCF) if I can even do it. It hasn't even been scheduled to be prototyped so don't expect anything in at least the next 12 months.
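For readers weighing the workaround the maintainers describe, here is what the transport-security shape of the same client looks like on .NET Core. This is an added example, not code from the issue or from the dotnet/wcf project; the `IGetCustomsPermit` contract and the https endpoint URL are hypothetical placeholders, and the real service would have to be reconfigured to terminate TLS and accept client certificates before any of this could connect.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical stand-in for the svcutil-generated service contract.
[ServiceContract]
public interface IGetCustomsPermit
{
    [OperationContract]
    string GetCustomsPermitByCustomsPermitNumber(string permitNumber, string version);
}

public static class TransportSecurityClient
{
    public static ChannelFactory<IGetCustomsPermit> CreateFactory()
    {
        // Transport security only: secrecy and integrity come from TLS, and no
        // SecurityBindingElement is involved, which is what makes this usable on .NET Core.
        var binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        // Placeholder address: transport security requires https, so the plain
        // http endpoint from the original question cannot be used as-is.
        var address = new EndpointAddress("https://example.invalid/GetCustomsPermit");

        var factory = new ChannelFactory<IGetCustomsPermit>(binding, address);

        // Client certificate presented during the TLS handshake (mutual TLS) instead
        // of being used to sign the SOAP body.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "tamliki.ir");

        // Validate the server's TLS certificate against the machine trust chain and check
        // revocation, rather than switching validation off for a self-signed service cert.
        factory.Credentials.ServiceCertificate.SslCertificateAuthentication =
            new X509ServiceCertificateAuthentication
            {
                CertificateValidationMode = X509CertificateValidationMode.ChainTrust,
                RevocationMode = X509RevocationMode.Online,
            };

        return factory;
    }

    public static string Call(string permitNumber)
    {
        var factory = CreateFactory();
        var channel = factory.CreateChannel();
        try { return channel.GetCustomsPermitByCustomsPermitNumber(permitNumber, "1"); }
        finally { ((IClientChannel)channel).Dispose(); factory.Close(); }
    }
}
```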

kfrancis commented 4 years ago

@mconnew Any news on this?

mconnew commented 4 years ago

I'm sorry, not yet.

ChrisIsidora commented 4 years ago

Is this implemented in .NET 5.0?

kfrancis commented 4 years ago

> Is this implemented in .NET 5.0?

Doubt it, WCF isn't part of the framework anymore; it's separate.

dhruvb14 commented 3 years ago

Any updates on this? Are we forever stuck in .NET with no way to move to Core/5?

xts-velkumars commented 9 months ago

@HongGit, any updates on this?

It would be great if you have anything on this.

mconnew commented 8 months ago

@birojnayak from AWS is currently working on adding support for full Message security for CoreWCF. Once that work is complete, we should be able to reuse a lot of what he implements to bring the same functionality to the WCF client. No schedule or concrete plan yet, but it is forward progress.