* Cryptography
In the .NET framework cryptography can be found under a number of
- namespaces in several assemblies.
+ namespaces in several assemblies. Mono also has it's own assemblies
+ to provide missing security functionalities from the .NET framework.
** Assembly: corlib
**** Status
<ul>
- * All classes are present.
+ * All classes are present. Most of them have (minimal)
+ documentation in <b>monodoc</b>.
* Most classes have their unit tests. Some tests like <code>
SymmetricAlgorithmTest</code> are generated by external
tools.
</ul>
-**** TODO
- <ul>
- * Keypair persistance for RSA and DSA. This persistance must
- somehow be linked with X509 certificate stores (in planning).
-
- * <code>PasswordDeriveBytes.CryptDeriveKey</code> is included
- in MS BCL to provide compatibility with existing Windows
- applications. The main problem is that the key derivation
- algorithm can be different for every CSP (Crypto Service
- Provider). However for compatibility we should provide an
- implementation compatible with the MS CSP (most likely used).
- </ul>
-
-**** Notes
- <ul>
- * All cryptographic algorithms are entirely managed, including
- classes named <code>*CryptoServiceProvider</code>, with the
- exception of <code>RNGCryptoServiceProvider</code> for which
- parts of the implementation resides in the runtime.
-
- * There is a bug in the <code>PKCS1MaskGenerationMethod</code>
- class (in both framework 1.0 and 1.1). This means our
- implementation isn't compatible with MS (but is compatible with
- PKCS#1 v.2.1). However we get OAEP padding for every platform!
-
- * Look at assembly Mono.Security.Win32 if you require more
- compatiblity with the Microsoft implementation (like accessing
- a particuliar keypair container inside a specific CSP).
- </ul>
-
-
*** Namespace: <b>System.Security.Cryptography.X509Certificates</b>
**** Status
**** Notes
<ul>
- * Except for their structure <b>there are no validation of the
- certificates</b> done by this class (this is by design and
- isn't a restriction of Mono!). This means that certificate
- signatures and validity dates are <b>never</b> checked
- (except when used for Authenticode, i.e.
- <code>CreateFromSignedFile</code>).
-
- * The newer X509Certificate class included in Microsoft's Web
- Service Enhancement (WSE) is a little better (as it includes
- CryptoAPI's validation) when <code>IsCurrent</code> is called.
- See assembly <b>Microsoft.Web.Services</b> for more details.
-
* The class Mono.Security.X509.X509Certificate (in Mono.Security
assembly) is becoming a much better alternative - and will
continue to evolve to support the security tools.
-
- * Microsoft implementation of <code>X509Certificate</code> is
- done by using CryptoAPI (unmanaged code). Based on the
- exceptions thrown, Authenticode(tm) support is done via COM.
</ul>
<hr>
**** Status
<ul>
- * All classes are present but some Transforms are only stubbed.
-
- * We now have a fully managed C14N implementation.
-
- * Most classes have their unit tests.
- </ul>
-
-**** TODO
- <ul>
- * Complete all Transform derived classes.
+ * We pass the fifteen tests from Merlin's xmldsig suite with
+ success. Which is funny because Microsoft fails in one case
+ where both a X509Certificate and an X509CRL are present in
+ an X509Data. We also pass most Phaos tests.
+
+ * Most classes have their unit tests. Some standalone tests
+ are also in CVS to test C14N and both Merlin and Phaos test
+ suites.
</ul>
<hr>
</ul>
*** Namespace: Mono.Security.Protocol.*
<ul>
- * Tls: An 100% managed TLS implementation from Carlos Guzman
- Alvarez.
+ * Tls: An 100% managed SSLv3 and TLSv1 implementation from
+ Carlos Guzman Alvarez.
* Ntlm: NTLM authentication (used for HTTP and SQL Server).
</ul>
-*** Namespace: Mono.Security.X509
+*** Namespace: Mono.Security.X509.*
<ul>
* X.509 structures (certificate, CRL...) building and decoding.
- * PKCS#12 decoding.
- </ul>
-*** Namespace: Mono.Security.X509.Extensions
- <ul>
+ * PKCS#12 decoding and encoding.
* X.509 extensions (from public X.509 to private PKIX, Netsapce,
Microsoft, Entrust...).
</ul>
corlib (which depends on Mono's runtime).
* Unit test coverage isn't (yet) complete.
+
+ * Most classes have minimal documentation available in
+ <b>monodoc</b>.
</ul>
<hr>
**** Status
<ul>
- * A RNGCryptoServiceProvider built on top of CryptoAPI. This
- allows Windows users to get around the limitation of the
- runtime RNG (which requires <code>/dev/[u]random/</code>).
+ * A RNGCryptoServiceProvider built on top of CryptoAPI.
* Wrapper classes for unmanaged versions of hash algorithms:
MD2, MD4, MD5 and SHA1 are supported. <b>note</b>: some
included to preserve interoperability with older applications
(e.g. some old, but still valid, X.509 certificates use MD2,
MD4 is required for NTLM authentication ...).
+
+ * Classes have minimal documentation available in
+ <b>monodoc</b>.
</ul>
**** TODO
*** Notes
<ul>
- * Microsoft has <a href="http://microsoft.com/downloads/details.aspx?FamilyId=21FB9B9A-C5F6-4C95-87B7-FC7AB49B3EDD&displaylang=en">released</a>
- a technical preview of WSE 2. <b>Note that WSDK (the technical
- preview of WSE) had A LOT of changes before it's initial
- release!</b>
+ * Microsoft has released WSE 2.
</ul>
<hr>
** Tools
There are many tools in the .NET framework that indirectly interacts
- with some cryptographic classes. Mono will eventually need these tools.
- Unless noted the tools should work on any CLR (tested with both Mono
- and Microsoft).
+ with some cryptographic classes. Unless noted the tools should work on
+ any CLR (tested with both Mono and Microsoft).
**** Status
* <code>sn</code> is a clone of the <code>sn</code> to manage
strongnames. Current version can create, convert, sign and
verify strongnames signatures. Some configuration options
- are still missing.
+ are still missing, some will only works with Mono.
* <code>signcode</code> and <code>chktrust</code> for signing
and validating Authenticode(tm) signatures on assemblies (or
any PE file) are now working (signature and timestamps) but
some options aren't yet supported.
+
+ * <code>setreg</code> can change some cryptographic parameters
+ of the runtime. Currently it can add or remove two root test
+ certificates (the one used by Mono's <code>makecert</code>,
+ the other used by Microsoft's <code>makecert</code>).
+
+ * <code>certmgr</code> can add and remove certificates from
+ the stores. Most common use is to add new trusted certificates
+ or remove them.
</ul>
Somewhat usable, somewhat incomplete:
<code>System.Windows.Forms</code> (right now only working on
Windows), while <code>gcertview</code> is the same viewer
implemented for GTK# (working on both Windows and Linux).
-
- * <code>monosn</code> is a clone of the <code>sn</code> to manage
- strongnames. This tools is part of the runtime (not the class
- library) and as such is written in C and won't run without Mono.
</ul>
(using the unit tests) carefully - it's so fast to break an
algorithm ;-).
- * Write some documentation on the cryptographic classes for
- <b>monodoc</b>.
+ * Write some documentation or add some sample code for the
+ cryptographic classes in <b>monodoc</b>.
</ul>
<hr>
-Last reviewed: February 2, 2004 (mono 0.30)
+Last reviewed: June 26, 2004 (mono release candidate 1)