Description
Please expose a high level API for managing Negotiate/NTLM/Kerberos authentication handshakes. This is not the same as https://github.com/dotnet/corefx/issues/32291, which wants a low level Kerberos specific API.
There is an internal API today called NTAuthentication that is used by HttpClient, HttpListener, and NegotiateStream to exchange opaque auth blobs, negotiate the authentication protocol, and identify the client to the server. ASP.NET Core also wants to expose this functionality for our cross platform server Kestrel. It could use the same NTAuthentication APIs and handle the HTTP aspect itself.
This is related to https://github.com/dotnet/corefx/issues/8221 for cross platform server support.
A general purpose API that could be used by NegotiateStream, SocketsHttpHandler, and HttpListener would be like this:

```csharp
// System.Net.Security assembly and namespace
public class NegotiateAuthState : IDisposable
{
    public NegotiateAuthState(bool isServer, string package, NetworkCredential credential, string spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding);
    public bool IsCompleted { get; }
    public string Package { get; }
    public string ClientSpecifiedSpn { get; }
    public IIdentity GetIdentity();
    public string GetOutgoingBlob(string incomingBlob);

    // SMTP only:
    public int VerifySignature(byte[] buffer, int offset, int count);
    public int MakeSignature(byte[] buffer, int offset, int count, ref byte[] output);

    // NegotiateStream only:
    public ContextFlagsPal NegotiatedFlags { get; }
    public byte[] GetOutgoingBlob(byte[] incomingBlob, bool thrownOnError);
    public int Encrypt(byte[] buffer, int offset, int count, ref byte[] output, uint sequenceNumber);
    public int Decrypt(byte[] payload, int offset, int count, out int newOffset, uint expectedSeqNumber);
}
```

Note this does expose ContextFlagsPal. I only see the constructor parameter used once or twice and it could likely be abstracted to a bool or similar.
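As an added illustration (not part of the issue or of any .NET code) of the "handle the HTTP aspect itself" split the proposal describes, the Python below shows the server-side HTTP loop a host like Kestrel would wrap around a `GetOutgoingBlob`/`IsCompleted`/`GetIdentity` style object: parse `Authorization: Negotiate <base64>`, hand the opaque bytes to the auth state, and answer `401` with `WWW-Authenticate: Negotiate <base64>` until the state reports completion. The `ToyNegotiateAuthState` class and the `SECRETS` table are constructed stand-ins for the real OS-backed context and the domain controller, so the exchange can run offline; only the `handle_request` plumbing is the point.

```python
"""HTTP-layer plumbing for a Negotiate handshake (constructed example)."""
import base64
import hashlib
import hmac
import os

# Constructed credential store: principal -> shared key. Stands in for the
# KDC / domain controller a real Negotiate package would consult.
SECRETS = {"alice@EXAMPLE.TEST": b"alice-shared-key"}


class ToyNegotiateAuthState:
    """Server-side stand-in (hypothetical) for the proposed NegotiateAuthState.
    The real class hands opaque SPNEGO tokens to the OS; this toy runs a
    two-leg HMAC challenge so the HTTP loop below can be exercised offline."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._challenge = None
        self._principal = None
        self.is_completed = False

    def get_outgoing_blob(self, incoming):
        if self._challenge is None:
            # Leg 1: client names its principal; server answers with a challenge.
            name = incoming.decode("utf-8")
            if name not in self._secrets:
                raise PermissionError("unknown principal")
            self._principal = name
            self._challenge = os.urandom(16)
            return b"CHAL:" + self._challenge
        # Leg 2: client proves possession of the key; no token goes back.
        expected = hmac.new(self._secrets[self._principal], self._challenge,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, incoming):
            raise PermissionError("bad proof")
        self.is_completed = True
        return None

    def get_identity(self):
        return self._principal if self.is_completed else None


def handle_request(state, request_headers):
    """One server round of RFC 4559 Negotiate over HTTP.
    Returns (status, response_headers). The state object is per connection,
    because each leg depends on the previous one; a caller should discard it
    after any failed leg rather than keep feeding it tokens."""
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return 401, {"WWW-Authenticate": "Negotiate"}
    try:
        incoming = base64.b64decode(auth[len("Negotiate "):], validate=True)
        outgoing = state.get_outgoing_blob(incoming)
    except (PermissionError, ValueError):
        # Failed or malformed legs restart the handshake without saying why.
        return 401, {"WWW-Authenticate": "Negotiate"}
    if not state.is_completed:
        token = base64.b64encode(outgoing).decode("ascii")
        return 401, {"WWW-Authenticate": "Negotiate " + token}
    headers = {"X-Authenticated-As": state.get_identity()}
    if outgoing:  # final-leg token for mutual authentication, if the package emits one
        headers["WWW-Authenticate"] = "Negotiate " + base64.b64encode(outgoing).decode("ascii")
    return 200, headers


def toy_client_token(principal, key, server_blob):
    """Client side of the toy exchange: first leg names the principal, second
    leg answers the server's challenge with an HMAC over it."""
    if server_blob is None:
        return principal.encode("utf-8")
    assert server_blob.startswith(b"CHAL:")
    return hmac.new(key, server_blob[len(b"CHAL:"):], hashlib.sha256).digest()


def run_handshake(principal, key):
    """Drives client and server through the loop; returns the status codes seen
    and the identity the server ended up with (None if never authenticated)."""
    state = ToyNegotiateAuthState(SECRETS)
    statuses, headers = [], {}
    for _ in range(4):  # bound on legs so a broken peer cannot ping-pong forever
        status, resp = handle_request(state, headers)
        statuses.append(status)
        if status == 200:
            return statuses, resp["X-Authenticated-As"]
        chal = resp["WWW-Authenticate"]
        server_blob = None
        if len(chal) > len("Negotiate"):
            server_blob = base64.b64decode(chal[len("Negotiate "):])
        token = toy_client_token(principal, key, server_blob)
        headers = {"Authorization": "Negotiate " + base64.b64encode(token).decode("ascii")}
    return statuses, None


if __name__ == "__main__":
    print(run_handshake("alice@EXAMPLE.TEST", b"alice-shared-key"))  # ([401, 401, 200], 'alice@EXAMPLE.TEST')
```

The shape that matters for the proposal is that `handle_request` never looks inside the blob: it only needs completion state, the next token, and the resulting identity, which is exactly the surface the `NegotiateAuthState` sketch above exposes.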