Handle RsaSha1 properly in .NET Core 2.0 #1097
Conversation
There are some issues on .NET's side about the missing functionality of RSACryptoServiceProvider ToXmlString/FromXmlString: * https://github.com/dotnet/corefx/issues/23686 * dotnet/core#874 So, let's do it ourselves, and if in the future we'll get it in the .NET itself, we can remove this code
|
I see two failing tests, but they are not really related to anything I have changed... |
|
Can you make |
alexeyzimarev
requested review from
mjwsteenbergen
and removed request for
mjwsteenbergen
|
@alexeyzimarev I am not sure how we can get rid of the pragma condition, since we only have one assembly. Unless we always use that extension method? Or put the pragma in the extension method? Extracted the method into an extensions class, and moved the pragma there, so in OAuthTools it looks like a simple call |
|
Timotei, thank you for your PR! Some thinks worry me though:
This is a library that is used by multiple companies in productions and we must be do everything to make sure that their data is protected and safe using this library. This change does the opposite. |
|
@mjwsteenbergen I actually disagree here:
|
|
@mjwsteenbergen the referenced issues provide similar solutions and it seems no one from Microsoft or outside have complained: https://github.com/dotnet/corefx/issues/23686 All implementations that I can find look very similar, like here dazinator/rhino-licensing@1524fc1 |
|
@mjwsteenbergen It seems Alexey already responded similarly to what I wanted to say. The issue with Bouncy Castle is that it's not fully supported on .NET Core either, for example it doesn't have some of the RSA utilities. Besides this, I was cautious not to introduce another library as dependency. |
Sure, I can totally see that there is a usecase for supporting RSA-SHA1
I also totally agree that less dependencies is better.
True, but has nothing to do with if this implementation is secure.
Right now we are saying that this library does not support SHA-1 for dotnet-core, because msft is not supporting it yet. With this pr we want to start supporting it. To do this we need to make sure that it works and is secure. I have not seen any proof of this. There are 0 tests that prove this. There are 0 people qualified looking at this. This is what worries me.
Yes, because they took it from that same issue. They even mention it in the original issue.
With many issues this can be a valid strategy, but with crypto I would highly recommend the opposite strategy: seeing if someone gives the ok on the code. How do you know that the guy from the original issue didn't just copied the code without looking carefully at it? How do you know everyone that found this issue didn't just copy the code without writing an exhausting test-suite to test if the implementation is correct? We can't and therefore I would highly recommend that a lot of testing is to be done before this pr is merged. |
|
I agree that we need tests. @timotei can you add tests to the PR? |
|
@mjwsteenbergen I agree that I can add some tests, but this is not (so much) crypto-oriented as it is reading an XML document and parsing the relevant information out of it :) @alexeyzimarev Sure. |
|
@alexeyzimarev @mjwsteenbergen I added a test that verifies that we get the same result as the .NET-based one. I think nothing can beat that, right? :) Also, it seems that generating a wrong RsaParameters (maybe didn't put enough effort in it) triggeres an exception when we try to use them |
Description
There are some issues on .NET's side about the
missing functionality of RSACryptoServiceProvider
ToXmlString/FromXmlString:
So, let's do it ourselves, and if in the future we'll
get it in the .NET itself, we can remove this code
Purpose
This pull request is a:
Checklist
@alexeyzimarev Would be awesome if we could get a release with this fix, right now we can't use the library in a .NET Core 2.0 & OAuth 1 app .