[Mono-devel-list] Corlib feature survey (security stuff)
Sebastien Pouliot
spouliot at videotron.ca
Thu Aug 7 22:56:57 EDT 2003
>System.Security.Cryptography:
> * DSACryptoServiceProvider, PasswordDeriveBytes,
> RNGCryptoServiceProvider, RSACryptoServiceProvider: 4 TODOs
> * SignatureDescription: one TODO constructor
Details
- DSA|RSACryptoServiceProvider: missing key persistence
My plan is to get something modular (configurable in machine.config)
? Does anyone have an idea how to protect the keypairs (user/machine) under
Linux?
- PasswordDeriveBytes
- PKCS#5 derivation is implemented (including MS extensions)
? CryptDeriveBytes calls the specified CSP (mostly proprietary) algorithms
- RNGCryptoServiceProvider: lots of constructors for seeding the RNG
? I don't think that /dev/[u]random requires application seeding (but it
may be supported)
? The current RNG (residing in the runtime) doesn't work on Windows
- SignatureDescription: construct from XML (SecurityElement)
? I don't know the required format (undocumented anywhere on the Internet)
? There's no way to GET an XML representation of SignatureDescription from
the framework
>System.Security.Cryptography.X509Certificates:
> * X509Certificates: one TODO (CreateFromSignedFile)
Details
- Code already exists to do this but requires some refactoring (and MUCH
more error checks).
Note: Most of the System.Security.Cryptography limitations are documented in
http://www.go-mono.com/crypto.html
>System.Security.Permissions:
> * lots of types missing IBuiltinPermission (no docs)
> * missing CreatePermission methods in attributes.
> * FromXml and ToXml marked TODO in multiple Permissions.
Duncan and I committed many patches (IBuiltInPermission and From/ToXml)
recently (not visible on the status page yet). But there are still some
missing methods (and stubbed ones). Many classes don't have unit tests right
now.
>System.Security.Policy:
> * 7 missing types, PermissionRequestEvidence, Site,
> SiteMembershipCondition, StrongNameMembershipCondition,
> UnionCodeGroup, Url, UrlMembershipCondition,
> ZoneMembershipCondition.
> * missing IConstantMembershipCondition in Condition classes, no docs.
> * PolicyLevel: needs impl.
Duncan did add much code lately in the Policy namespace.
Unit tests are also lagging in this area.
>System.Security.Principal:
> * Missing WindowsPrincipal.
> * WindowsIdentity: only stubs.
> * WindowsImpersonationContext: only stubs
This is very Windows-related. I don't know enough about Linux to implement
something similar.
>System.Security.Util:
> * we have nothing, no docs either.
Neither do I :-(
but that's probably only internal stuff that we do not require to
implement...
Sebastien Pouliot
Security Architect, Motus Technologies, http://www.motus.com/
work: spouliot at motus.com
home: spouliot at videotron.ca