XML Encryption 1.1 - Required block encryption algorithms AES128-GCM missing #43436

Closed
dhcgn opened this issue Oct 15, 2020 · 9 comments

dhcgn commented Oct 15, 2020

The required (as defined in the XML Encryption 1.1 spec) block encryption algorithm AES128-GCM (http://www.w3.org/2009/xmlenc11#aes128-gcm) is missing in System.Security.Cryptography.Xml.

Documentation on docs.microsoft.com for EncryptedXml

The .NET Framework XML encryption classes implement the World Wide Web Consortium (W3C) XML Encryption Syntax and Processing Version 1.1 specification.

W3C XML Encryption Syntax and Processing Version 1.1

Block Encryption

  1. required TRIPLEDES
    http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  2. required AES-128
    http://www.w3.org/2001/04/xmlenc#aes128-cbc
  3. required AES-256
    http://www.w3.org/2001/04/xmlenc#aes256-cbc
  4. required AES128-GCM
    http://www.w3.org/2009/xmlenc11#aes128-gcm
  5. optional AES-192
    http://www.w3.org/2001/04/xmlenc#aes192-cbc
  6. optional AES192-GCM
    http://www.w3.org/2009/xmlenc11#aes192-gcm
  7. optional AES256-GCM
    http://www.w3.org/2009/xmlenc11#aes256-gcm

System.Security.Cryptography.Xml

//
// Symmetric Block Encryption
//
public const string XmlEncDESUrl = "http://www.w3.org/2001/04/xmlenc#des-cbc";
public const string XmlEncTripleDESUrl = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
public const string XmlEncAES128Url = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
public const string XmlEncAES256Url = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
public const string XmlEncAES192Url = "http://www.w3.org/2001/04/xmlenc#aes192-cbc";

Dotnet-GitSync-Bot added the area-System.Security and untriaged labels Oct 15, 2020

ghost commented Oct 15, 2020

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @jeffhandley
See info in area-owners.md if you want to be subscribed.

krwq added this to the Future milestone Oct 16, 2020
krwq removed the untriaged label Oct 16, 2020

krwq commented Oct 16, 2020

@dhcgn would you be interested in making PR for this?


dhcgn commented Oct 16, 2020

@dhcgn would you be interested in making PR for this?

Yes, I'm interested. I keep you updated in this issue.


krwq commented Oct 16, 2020

Awesome, you will likely need to create some kind of internal wrapper on top of AesGcm to implement SymmetricAlgorithm, and likely need to special-case it to store the tag somewhere.
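
As an added illustration of what this suggestion involves (example code, not from dotnet/runtime or anyone in this thread): XML Encryption 1.1 lays out the AES-GCM CipherValue as a 96-bit IV, then the ciphertext, then the 128-bit authentication tag, so the tag has to travel with the ciphertext octets. The constant name XmlEncAES128GcmUrl and the helper class are assumed names; the AES-128 key and plaintext are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;
// Added example, not dotnet/runtime code. XML Encryption 1.1 lays out the AES-GCM CipherValue
// as 96-bit IV || ciphertext || 128-bit tag, so a SymmetricAlgorithm wrapper over AesGcm must carry the tag.
static class XmlEncGcmExample
{
    // Assumed constant name, mirroring the existing EncryptedXml.XmlEnc*Url constants.
    public const string XmlEncAES128GcmUrl = "http://www.w3.org/2009/xmlenc11#aes128-gcm";
    const int IvSize = 12, TagSize = 16;
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        var cv = new byte[IvSize + plaintext.Length + TagSize];
        RandomNumberGenerator.Fill(cv.AsSpan(0, IvSize)); // fresh nonce per message; nonce reuse breaks GCM
        using var gcm = new AesGcm(key); // on .NET 8+ prefer new AesGcm(key, TagSize)
        gcm.Encrypt(cv.AsSpan(0, IvSize), plaintext, cv.AsSpan(IvSize, plaintext.Length),
                    cv.AsSpan(IvSize + plaintext.Length, TagSize));
        return cv;
    }

    public static byte[] Decrypt(byte[] key, byte[] cv)
    {
        if (cv.Length < IvSize + TagSize) throw new CryptographicException("CipherValue too short");
        int ctLen = cv.Length - IvSize - TagSize;
        var plaintext = new byte[ctLen];
        using var gcm = new AesGcm(key);
        // The tag is verified before any plaintext is released; a mismatch throws CryptographicException.
        gcm.Decrypt(cv.AsSpan(0, IvSize), cv.AsSpan(IvSize, ctLen), cv.AsSpan(IvSize + ctLen, TagSize), plaintext);
        return plaintext;
    }

    // EncryptedData as EncryptedXml would emit it, but with the 1.1 URI the library does not know today.
    public static XmlElement ToEncryptedData(byte[] cv) => new EncryptedData
    {
        Type = EncryptedXml.XmlEncElementUrl,
        EncryptionMethod = new EncryptionMethod(XmlEncAES128GcmUrl),
        CipherData = new CipherData(cv),
    }.GetXml();

    static void Main()
    {
        var key = new byte[16]; RandomNumberGenerator.Fill(key); // AES-128 key, constructed for this demo
        byte[] cv = Encrypt(key, Encoding.UTF8.GetBytes("<secret>42</secret>"));
        Console.WriteLine(ToEncryptedData(cv).OuterXml);
        cv[IvSize] ^= 0x01; // flip one ciphertext bit: the tag check must reject the whole value
        try { Decrypt(key, cv); } catch (CryptographicException) { Console.WriteLine("tag mismatch rejected"); }
    }
}
```

Requires the System.Security.Cryptography.Xml package for the EncryptedData types; the encrypt/decrypt helpers themselves need only the base class library.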

@vcsjones (Member)

Yay!

I think if we are going to do work for this in this issue, then perhaps we can roll #34784 in to here.

@bartonjs (Member)

FWIW, I'm pretty sure that we only do version 1.0, and that it's just a doc bug that it says 1.1 ("xmlenc11" only appears in this issue, nowhere in code). So adding AES-GCM might imply (or require) that everything from the "required" portions of 1.1 be implemented.


dhcgn commented Oct 21, 2020

@bartonjs you are right, the identifier http://www.w3.org/2009/ is not present at all, which indicates the absence of any implementation of XML Encryption 1.1. This overstrains my ability to deliver a good implementation here.

I will make a pull request to https://github.com/dotnet/dotnet-api-docs/blob/master/xml/System.Security.Cryptography.Xml/EncryptedXml.xml

After a short trip to System.Security.Cryptography.Xml on the main branch I had a not so great onboarding experience with the latest Visual Studio 2019 Enterprise Preview: a few failing unit tests, an unresponsive IDE, and at some point being unable to build the solution with no code changes. Is there a good way to get around the code base?

dhcgn added a commit to dhcgn/dotnet-api-docs that referenced this issue Oct 21, 2020
The identifier http://www.w3.org/2009/ is not present at all in the code base, which indicates the absence of any implementation of XML Encryption 1.1.
See discussion: dotnet/runtime#43436 (comment)
@bartonjs (Member)

Is there a good way to get around the code base?

Since we're at the bottom of the pipeline, things are a bit special in this repository. But if you first run build.cmd -rc Release -s clr,libs from the repository root, then all of the projects in src\libraries should work. (That's "build the CLR as release, and only build clr and libraries, don't worry about all the other kinds of things".)

gewarren pushed a commit to dotnet/dotnet-api-docs that referenced this issue Oct 21, 2020

bartonjs commented Nov 4, 2020

Since the main problem was a docs error (it said we implemented 1.1, which required GCM, but we didn't) and the docs error is now fixed, closing this issue in favor of #34784 (same request, but older).

bartonjs closed this as completed Nov 4, 2020
ghost locked as resolved and limited conversation to collaborators Dec 7, 2020