
SecurityBindingElement.CreateMutualCertificateDuplexBindingElement in DotNetCore #2265

Open
inlineHamed opened this issue Sep 2, 2017 · 17 comments
Labels
Blocked Issues blocked from completion for some specific reason.

Comments

@inlineHamed

I am trying to use a WSDL service in .NET Core that works fine in previous versions of .NET.
As I described in #2259 and #2258, first I tried the 'Microsoft WCF Web Service Reference Provider' extension, which resulted in some errors. Then I tried 'SvcUtil.exe', put the generated source and config file in a .NET Framework console app, and was able to successfully connect to the service. But as .NET Core does not support a config file, I tried to turn my App.config '<system.serviceModel>' section into code, which finally resulted in this:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Custom binding rebuilt from the App.config <system.serviceModel> section.
var binding = new CustomBinding()
{
    Name = "GetCustomsPermitServiceSoapBinding",
};

// Message-level security: both client and service authenticate with X.509 certificates.
var seq = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
     MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);

seq.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256Rsa15;
seq.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
seq.IncludeTimestamp = true;
seq.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
seq.RequireSignatureConfirmation = false;
seq.SetKeyDerivation(requireDerivedKeys: false);
seq.LocalClientSettings.DetectReplays = true;
seq.LocalServiceSettings.DetectReplays = true;

// Binding element order matters: security, then encoding, then transport.
binding.Elements.Add(seq);

binding.Elements.Add(new TextMessageEncodingBindingElement());
binding.Elements.Add(new HttpTransportBindingElement());

var endpointAddress = new EndpointAddress(new Uri("http://servicebus.ecogif.ir/IRICA/GetCustomsPermit/4"),
    new DnsEndpointIdentity("servicebus.ecogif.ir"));

var client = new GetCustomsPermitClient(binding, endpointAddress);
// Client certificate (signs requests / decrypts responses), looked up by subject name in LocalMachine\My.
client.ClientCredentials.ClientCertificate.SetCertificate(storeLocation: StoreLocation.LocalMachine, storeName: StoreName.My, findType: X509FindType.FindBySubjectName,
    findValue: "tamliki.ir");
// Service certificate (encrypts requests / verifies responses), looked up in LocalMachine\TrustedPeople.
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(storeLocation: StoreLocation.LocalMachine, storeName: StoreName.TrustedPeople, findType: X509FindType.FindBySubjectName,
    findValue: "servicebus.ecogif.ir");

var pate = client.getCustomsPermitByCustomsPermitNumber("20306133132", "1");
```

And it works properly.

Then I copied this code into a .NET Core console app, but it seems some things must be changed, as there is no "CreateMutualCertificateDuplexBindingElement" and no "SecurityAlgorithmSuite".

What is the equivalent of this code in DotNetCore?

@zhenlan
Member

zhenlan commented Sep 6, 2017

@hmdhasani, as message security is not supported in WCF on .NET Core, this code won't work.

The only workaround at this point is to change your service to use transport security and not message security. I understand this is not always an option...

The reason WCF is not able to support message security currently is that the underlying key functionality (mostly in System.IdentityModel) is not available on .NET Core. FYI, this is tracked in #3, #4, #8.

@zhenlan zhenlan added this to the S123 milestone Sep 6, 2017
@inlineHamed
Author

Thank you @zhenlan for the response.
Is there any hope that this will be available in near future?

@zhenlan
Member

zhenlan commented Sep 8, 2017

I won't say no hope for future :), but at this point we don't have any concrete plan yet.

@zhenlan zhenlan modified the milestones: Future, S123 Sep 8, 2017
@inlineHamed
Author

Hi @zhenlan
After almost a year... 😃
Is there any update on this?

@Lxiamail
Member

@hmdhasani I'm afraid that we don't have any further update on this at this point.

@sudilravindranpk

sudilravindranpk commented Jan 18, 2019

@hmdhasani @zhenlan @Lxiamail do you have any workaround, other than moving the service from message security to transport security (in my case the service is third party; I cannot modify it)? I am worried the only option before me is moving out of .NET Core, back to .NET Framework.

@fulghumd

fulghumd commented Feb 1, 2019

> @hmdhasani @zhenlan @Lxiamail do you have any workaround, other than moving the service from message security to transport security (in my case the service is third party; I cannot modify it)? I am worried the only option before me is moving out of .NET Core, back to .NET Framework.

We are also hitting this same road block. Hopefully support for message security can be made a priority soon!

@Lxiamail
Member

Lxiamail commented Feb 6, 2019

@fulghumd @sudilravindranpk, unfortunately, the status hasn't changed. Because the underlying System.IdentityModel is not supported on .NET Core, this item is blocked.

@StephenBonikowsky StephenBonikowsky added the Blocked Issues blocked from completion for some specific reason. label May 23, 2019
@umitakkaya

Given that #3 and #8 are closed, and #4 is in the backlog, when can we expect this feature to be supported?

@mconnew
Member

mconnew commented Jun 4, 2019

It's not completely obvious to me whether your usage scenario falls under MessageSecurity or TransportWithMessageCredentials. I suspect it's the former, as your endpoint address is using http and not https. TransportWithMessageCredentials requires the transport layer to provide the secrecy and integrity part of security, and this is generally provided by TLS over https. As you are using http, I believe this means you require full MessageSecurity, which encrypts and signs the payload to provide secrecy and integrity. This capability is provided by System.IdentityModel on .NET Framework. We simply don't have the resources to take ownership of this code on .NET Core; we're a small team. The team which does own it has decided not to port and support it on .NET Core. I was able to get TransportWithMessageCredentials to work as there are actually two implementations of SignedXml in the .NET Framework. One is in System.IdentityModel and is internal (and used by WCF on .NET Framework); the other lives in System.Security.Cryptography.Xml and is public. There is sufficient implementation of various signed XML standards in the public implementation that I was able to refactor WCF to use that instead. Unfortunately it doesn't implement enough of the signed XML standards to be able to use it for full MessageSecurity.
I have some ideas on how to get full MessageSecurity working, which is why this issue hasn't been closed. But it will be quite a while and quite a lot of work (a major refactoring of the entire feature internals of WCF), if I can even do it. It hasn't even been scheduled to be prototyped, so don't expect anything in at least the next 12 months.
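The transport-security alternative described in this thread (TLS on an HTTPS endpoint supplies confidentiality and integrity; the client certificate is only a message credential), written out as an added example against the same generated `GetCustomsPermitClient` from the original post. This is not code from the issue or from the dotnet/wcf project, and it assumes the service also exposes its contract over HTTPS (the `https://` address is a placeholder derived from the original host) and that the .NET Core client supports the `Certificate` message credential over TLS, as mconnew describes for TransportWithMessageCredentials.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example: transport security instead of full message security.
// CreateMutualCertificateDuplexBindingElement over plain http (the original post)
// needs System.IdentityModel, which the .NET Core WCF client does not have.
// TransportWithMessageCredential keeps the WS-Security client credential but
// moves secrecy and integrity to TLS, which the Core client does support.
var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential)
{
    Name = "GetCustomsPermitServiceSoapBinding",
};

// The caller is still authenticated by its X.509 certificate, now carried as a
// message credential inside the TLS-protected channel.
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;

// Assumption: the service reconfigured for transport security listens on https.
// Placeholder address: the original host with the scheme changed to https.
var endpointAddress = new EndpointAddress(
    new Uri("https://servicebus.ecogif.ir/IRICA/GetCustomsPermit/4"),
    new DnsEndpointIdentity("servicebus.ecogif.ir"));

var client = new GetCustomsPermitClient(binding, endpointAddress);

// Same client certificate lookup as the original post (LocalMachine\My, by subject name).
client.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "tamliki.ir");

// No ServiceCertificate.SetDefaultCertificate here: with transport security the
// server certificate is validated by the TLS stack against the machine trust store,
// and the DnsEndpointIdentity above pins the expected host name.

var permit = client.getCustomsPermitByCustomsPermitNumber("20306133132", "1");
```

If the service cannot be changed (as sudilravindranpk notes), this alternative does not apply; the binding on both sides must agree.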

@StephenBonikowsky StephenBonikowsky removed this from the Future milestone Mar 4, 2020
@kfrancis

@mconnew Any news on this?

@mconnew
Member

mconnew commented Jun 10, 2020

I'm sorry, not yet.

@ChrisIsidora

Is this implemented in .NET 5.0?

@kfrancis

> Is this implemented in .NET 5.0?

Doubt it, WCF isn't part of the framework anymore - it's separate.

@dhruvb14

Any updates on this? Are we forever stuck in .NET Framework with no way to move to Core/5?

@xts-velkumars

@HongGit, any updates on this?

It would be great if you have anything on this.

@mconnew
Member

mconnew commented Mar 5, 2024

@birojnayak from AWS is currently working on adding support for full Message security for CoreWCF. Once that work is complete, we should be able to reuse a lot of what he implements to bring the same functionality to the WCF client. No schedule or concrete plan yet, but it is forward progress.
