Wcf: Supporting client endpoint identity certificate

Created on 6 Sep 2019 · 4 Comments · Source: dotnet/wcf

I tried to create programmatically in .NET Core Preview 9 something similar to the following .NET Framework code, since XML configurations are not supported.

var binding = new WSHttpBinding("WSHttpBinding_ICustomerService");
var cert = CreateCertificate();
var endpointAddress = new EndpointAddress(
    new Uri("url"),
    EndpointIdentity.CreateX509CertificateIdentity(cert));
var client = new CustomerService.CustomerServiceClient(binding, endpointAddress);

This is instead of the following client configuration:

<endpoint address="url" binding="wsHttpBinding"
          bindingConfiguration="WSHttpBinding_ICustomerService"
          contract="CustomerServiceDev.CustomerService" name="WSHttpBinding_ICustomerService">
    <identity>
        <certificate encodedValue="cert"/>
    </identity>
</endpoint>

It seems that .NET Core Preview 9 is missing the API to create the identity certificate with EndpointIdentity.CreateX509CertificateIdentity or with X509CertificateEndpointIdentity class, though the class is in this repository and it is public.

Is there a way in .NET Core 3 to achieve the same effect as what is done in the previous configuration? Maybe X509CertificateValidator? I am interested in any code for the client to do service certificate validation.

I see that DnsEndpointIdentity made its way into Preview 9; maybe I can propose that one to my team to do the validation instead. Will it be officially supported in the final release?

feature request priority 3

All 4 comments

@cristicatalan
All of the WCF implementation code is in System.Private.ServiceModel, but that package can't be referenced directly; instead, we determine what the WCF public surface area is via the 5 contracts that in turn reference S.P.ServiceModel.
The 5 contracts are:
S.ServiceModel.Duplex
S.ServiceModel.Http
S.ServiceModel.NetTcp
S.ServiceModel.Primitives
S.ServiceModel.Security

You can see the public surface area we support in the ref dir for each of them, for instance for System.ServiceModel.Primitives.

Regarding X509CertificateEndpointIdentity, we should be able to add this to the public contract, and will plan on it for the .NET Core 3.1 release.

If we can get it sooner than that in a preview package, we will update this issue.

All the code appears to be in-place.
We just need to expose the API to the public contract and add a scenario test for it.
Current plan is to do this for 5.0 in one of the upcoming previews.
We will need to add a scenario test for it as well.

@mconnew In the meantime, is there a workaround for this?

I thought there was an easy workaround, but there isn't an easy one. I can confirm that setting the endpoint identity to an instance of X509CertificateEndpointIdentity does simply wire up a certificate validator comparing the thumbprints. The same effect can be achieved using an X509CertificateValidator. We have a small bug that we need to fix when we add the API. The code in this method (which is currently inaccessible due to X509CertificateEndpointIdentity not being available) isn't correctly wiring up a certificate validator using the certificate in the endpoint identity. So we will need to fix that at the same time as adding the API.

Ok, thanks for the update Matt.
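
The X509CertificateValidator approach mentioned in the thread, sketched as a client-side pin on the service certificate. This is an added example, not code from the thread or from the dotnet/wcf repository: `PinnedCertificateValidator` and `PinnedClient` are hypothetical names, the comparison uses a SHA-256 hash of the certificate instead of the SHA-1 `Thumbprint`, and the binding is assumed to use TLS transport security.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Linq;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Hypothetical validator: accepts only the certificate pinned at construction.
public sealed class PinnedCertificateValidator : X509CertificateValidator
{
    private readonly byte[] _pinnedHash;

    public PinnedCertificateValidator(X509Certificate2 expected)
    {
        if (expected == null) throw new ArgumentNullException(nameof(expected));
        _pinnedHash = Sha256(expected);
    }

    // WCF calls this with the certificate the service presented; throwing rejects it.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException(nameof(certificate));
        // Custom mode replaces the default chain validation, so check expiry here.
        var now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new AuthenticationException("Service certificate is outside its validity period.");
        if (!Sha256(certificate).SequenceEqual(_pinnedHash))
            throw new AuthenticationException("Service certificate does not match the pinned certificate.");
    }

    private static byte[] Sha256(X509Certificate2 c)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(c.RawData);
    }
}

public static class PinnedClient
{
    // Hypothetical helper: binding, address and pinned certificate come from the caller.
    public static ChannelFactory<TChannel> Create<TChannel>(
        Binding binding, EndpointAddress address, X509Certificate2 pinned)
    {
        var factory = new ChannelFactory<TChannel>(binding, address);
        factory.Credentials.ServiceCertificate.SslCertificateAuthentication =
            new X509ServiceCertificateAuthentication
            {
                CertificateValidationMode = X509CertificateValidationMode.Custom,
                CustomCertificateValidator = new PinnedCertificateValidator(pinned)
            };
        return factory;
    }
}
```

Because the pin is an exact match on one certificate, the client has to be updated with the new certificate whenever the service rotates it.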
