New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[API Proposal]: Add public [Compute/Verify]IntegrityCheck methods to NegotiateAuthentication #86950
Comments
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones Issue DetailsBackground and motivationThe One omission in the original proposal and its later updates are the The operations implemented by the API are generating a "message integrity code" on one side of the communication protocol and verifying it on the other side. It is usually implemented as cryptographic signing operation with a negotiated key. API Proposalnamespace System.Net.Security;
public sealed class NegotiateAuthentication : IDisposable
{
/// <summary>
/// Computes the message integrity check of a given message.
/// </summary>
/// <param name="message">Input message for MIC calculation.</param>
/// <param name="signature">Buffer writer where the MIC is written.</param>
/// <remarks>
/// The method modifies the internal state and may update sequence numbers depending on the
/// selected algorithm. Two successive invocations thus don't produce the same result and
/// it's important to carefully pair GetMIC and VerifyMIC calls on the both sides of the
/// authenticated session.
/// </remarks>
internal void GetMIC(ReadOnlySpan<byte> message, IBufferWriter<byte> signature);
/// <summary>
/// Verifies the message integrity check of a given message.
/// </summary>
/// <param name="message">Input message for MIC calculation.</param>
/// <param name="signature">MIC to be verified.</param>
/// <returns>For successfully verified MIC, the method returns true.</returns>
/// <remarks>
/// The method modifies the internal state and may update sequence numbers depending on the
/// selected algorithm. Two successive invocations thus don't produce the same result and
/// it's important to carefully pair GetMIC and VerifyMIC calls on the both sides of the
/// authenticated session.
/// </remarks>
internal bool VerifyMIC(ReadOnlySpan<byte> message, ReadOnlySpan<byte> signature);
} API UsageTBD Alternative DesignsNo response RisksNo response
|
I assume we have internal implementation already for |
We have it on Unix and managed, it is somewhat trivial on Windows and introduced in #86948.
Correct. It's primarily to expose everything through testable public APIs on |
|
You don't know the size of the signature upfront. That's a similar issue like in the existing
I don't see the need if
I don't have strong opinion about naming. |
Acronyms/abbreviations/initialisms are generally discouraged.
|
That would have been my second choice if I had to name it. 😅 The only reason going for |
I updated the names and added API usage. |
If you're going for completeness you should probably include overloads that do expose the QOS and sequence parameters here. |
Fair point. We don't fully expose |
Kerberos does and since machines can have arbitrary negotiate subpackages installed, we can't necessarily dictate that they should or should not support it at the SSPI level. NTLM is its own brand of stupid. |
I'll update the proposal with an added |
On second thought, GSSAPI doesn't have the concept of user-supplied sequence numbers. That would make SSPI the odd one out, since both GSSAPI and the Managed NTLM would ignore the parameter.
|
Yes, correct. |
I don't think we even added the constructors for datagram-based operations, and we certainly don't have any use cases for it. Let's address it if someone asks for a datagram API :-) |
I assume this is not critical for 8.0 so I'll move to future even if the actual work seems reasonable small. |
It is not critical but I am happy to implement it once it goes through API review. |
namespace System.Net.Security;
public sealed class NegotiateAuthentication : IDisposable
{
/// <summary>
/// Computes the message integrity check of a given message.
/// </summary>
/// <param name="message">Input message for MIC calculation.</param>
/// <param name="signatureWriter">Buffer writer where the MIC is written.</param>
/// <remarks>
/// Implements the GSSAPI GetMIC operation.
///
/// The method modifies the internal state and may update sequence numbers depending on the
/// selected algorithm. Two successive invocations thus don't produce the same result and
/// it's important to carefully pair GetMIC and VerifyMIC calls on the both sides of the
/// authenticated session.
/// </remarks>
public void ComputeIntegrityCheck(ReadOnlySpan<byte> message, IBufferWriter<byte> signatureWriter);
/// <summary>
/// Verifies the message integrity check of a given message.
/// </summary>
/// <param name="message">Input message for MIC calculation.</param>
/// <param name="signature">MIC to be verified.</param>
/// <returns>For successfully verified MIC, the method returns true.</returns>
/// <remarks>
/// Implements the GSSAPI VerifyMIC operation.
///
/// The method modifies the internal state and may update sequence numbers depending on the
/// selected algorithm. Two successive invocations thus don't produce the same result and
/// it's important to carefully pair GetMIC and VerifyMIC calls on the both sides of the
/// authenticated session.
/// </remarks>
public bool VerifyIntegrityCheck(ReadOnlySpan<byte> message, ReadOnlySpan<byte> signature);
} |
Background and motivation
The
NegotiateAuthentication
API (#69920) was added in .NET 7. It exposes functionality for Negotiate, NTLM and Kerberos authentication. It's implemented as a wrapper over GSSAPI (Unix), SSPI (Windows), and there's managed NTLM implementation for other platforms (Android, tvOS) where native API is not available. The initial API shape was driven by the goal of removing reflection access to internalNTAuthentication
class, with focus on meeting the needs of email protocols (SASL in context of IMAP, SMTP), SQL protocols (SQL Server and PostgreSQL), client-side HTTP, and server-side HTTP in ASP.NET.One omission in the original proposal and its later updates are the
GetMIC
andVerifyMIC
operations defined in GSSAPI (https://datatracker.ietf.org/doc/html/rfc2743). These APIs are not used in any of the scenarios above, but they are needed for more specialized protocols, like the NegotiateStream. It is thus desirable to expose them for public use as well.The operations implemented by the API are generating a "message integrity code" on one side of the communication protocol and verifying it on the other side. It is usually implemented as cryptographic signing operation with a negotiated key.
API Proposal
API Usage
Alternative Designs
No response
Risks
No response
The text was updated successfully, but these errors were encountered: