Add RSA.Create() to utilize the correct platform-dependent RSA implementation #15087
Any update on this?
@xanather Not really. Now that the packaging story is crystallizing we'll be able to figure out what work is actually required; everything until now has been sort of vague and hand-wavy (all the way up to a doodle on a whiteboard!) 😄. What's your actual scenario, though? Most asymmetric keys are encountered via certificates; and the certificates layer does the right thing. If you have an Don't get me wrong, I want the methods to exist, but with no really understood scenario it'll likely slip against other issues.
I just wanted to make my own basic authentication mechanism on top of a TCP connection without having to use certificates/SSL etc... Only sometimes will the TCP connection be encrypting messages, and I would need an asymmetric algorithm to set that up securely.
Here's a concrete use case: in ASOS (https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server), we need to dynamically generate an RSA key to sign the security tokens issued by the server. Until now, we've been using Until Such a method would also be extremely useful in IdentityModel: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#179 (comment)
@PinpointTownes The notion of dynamically creating a signature proof seems odd, since I don't see how someone else would trust it; but maybe the public key of the dynamically generated key is transported via another authenticated mechanism. But, okay, sounds like both you and @xanather want platform-agnostic dynamic asymmetric key generation, so there are uses and I'll do what I can to land this thing :).
The RSA key is dynamically created the first time the server is started, encrypted by ASP.NET 5's new data protection stack and stored locally. The public part is exposed to the world using the JWKS endpoint (yeah, JSON keys are a thing! 😄) so client applications can easily verify the tokens issued by the server (you can find more info here: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
Thanks! 🎉
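The flow described in the comment above (generate a signing key once, publish only the public half as a JWK, let clients verify the signature) as an added example; this is not code from the corefx issue or from ASOS, and it assumes the `RSA.Create()` overloads and the `ExportParameters`/`SignData`/`VerifyData` members as they ship in later .NET releases.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the corefx issue or from ASOS.
// Assumes RSA.Create() as shipped in later .NET releases.
static class JwksSigningDemo
{
    // Base64url as required by RFC 7515/7517: URL-safe alphabet, no padding.
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // The public JWK a JWKS endpoint would publish: only n and e, never d/p/q.
    static string PublicJwk(RSA rsa, string kid)
    {
        RSAParameters pub = rsa.ExportParameters(includePrivateParameters: false);
        return "{\"kty\":\"RSA\",\"use\":\"sig\",\"alg\":\"RS256\",\"kid\":\"" + kid +
               "\",\"n\":\"" + Base64Url(pub.Modulus) +
               "\",\"e\":\"" + Base64Url(pub.Exponent) + "\"}";
    }

    static void Main()
    {
        // Platform-agnostic key creation: the runtime picks the CNG or OpenSSL
        // implementation. 2048 bits is the floor to accept for an RS256 signing key.
        using (RSA signingKey = RSA.Create(2048))
        {
            string kid = Guid.NewGuid().ToString("N"); // constructed key id
            Console.WriteLine(PublicJwk(signingKey, kid));

            // Constructed sample payload standing in for the token to be signed.
            byte[] payload = Encoding.UTF8.GetBytes("{\"sub\":\"alice\",\"iss\":\"https://issuer.example\"}");
            byte[] signature = signingKey.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // A client holds only the public parameters it fetched from the JWKS document.
            using (RSA verifier = RSA.Create())
            {
                verifier.ImportParameters(signingKey.ExportParameters(false));
                bool valid = verifier.VerifyData(payload, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                payload[0] ^= 0x01; // flip one bit: verification must now fail
                bool tampered = verifier.VerifyData(payload, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                Console.WriteLine($"valid={valid} tampered={tampered}");
            }
        }
    }
}
```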
Sorry, guys; this doesn't look like it's going to make it. We tried doing some "cleverness" with package dependencies and reflection, and it bit us (me) in the keister. Plan B ballooned in cost once I got into it, and the calendar says there's no Plan C before the end of v1 (all Plan Cs are too large to do this close to shipping). I'm planning on making a little factory package to solve the problem here; but it'll be as me, not corefx. Once we can get v1 out the door we can figure out how to best solve this in the near-after.
😢
Curious: any chance you could share a bit more details about Plan B? 😄
Plan B was "compile enough of the code into the Algorithms library to make it capable of returning a workable private-typed RSA object"... so, like we did for symmetric algorithms. For Unix that ended up being not all that terribly large. For Windows it started dragging in all of CngKey; or would have required a large rewrite to separate the usage of handles from rich key typed objects.
Apparently, shortly after me identifying that there wasn't enough time to get this for RTM, RTM moved to be a bit further away. Bringing it back in scope. (Huzzah!)
We don't currently have a cross-platform API for folks to use to create an RSA object https://github.com/dotnet/corefx/issues/2953, and dotnet cli doesn't yet support folks cross compiling by platform https://github.com/dotnet/cli/issues/465. As a result, this package was failing to restore when dotnet CLI switched to NuGet which will detect missing support at build time instead of allowing a file-not-found at runtime. Temporarily unblock installation of this package on Windows so that folks can consume the package until we have an x-plat API.
Wooooooooooooooot, thanks @bartonjs! 👏
Thanks for this :)