NServiceBus: Message level encryption
I have the requirement that the content of all messages must be encrypted in some way. For the actual encryption, I can probably leverage the built-in X.509 encryption.
However, I'm wondering what the best way to do message level encryption is, without having to modify the messages themselves (so no WireEncryptedString). I can see that the latest version in development will offer some more support for this in the form of IMutateOutgoingMessages, IMutateIncomingMessages and IMapOutgoingTransportMessages. Especially the last one is interesting as it gets passed a Stream that I'll be able to encrypt in its entirety (right?). I've seen this approach used here and he correctly mentions that there is no IMapIncomingTransportMessages, so how would I go about decrypting the encrypted message on the receiving side without modifying NServiceBus code, or is that currently the only option until that gets fleshed out?
However, that's the future version of NServiceBus and I don't think it's a good idea to use that in a production scenario right now. How would I go about doing this in 2.0? To me, the best way seems to be to write a custom EncryptedSerializer that gets passed in IMessageSerializer and basically just wraps the Serialize and Deserialize methods of that IMessageSerializer.
What I currently have:
    public class EncryptedSerializer : IMessageSerializer
    {
        [Inject]
        public MessageSerializer Serializer { get; set; }

        public IMessage[] Deserialize(System.IO.Stream stream)
        {
            // decrypt magic happens here
            return Serializer.Deserialize(stream);
        }

        public void Serialize(IMessage[] messages, System.IO.Stream stream)
        {
            Serializer.Serialize(messages, stream);
            // encrypt magic happens here
        }
    }
But I can't figure out how to set up the NServiceBus configuration so that it gets passed in an XmlSerializer that is correctly configured/injected as well. I've looked at the .XmlSerializer() extension method and tried to replicate that, but with no luck. And ideally, I would want to have just an IMessageSerializer instead of the concrete XML serializer, but that's of lesser concern.
I use Ninject and the Ninject object builder for NServiceBus from here: gist.github.com/326321. But I'm not sure if that's important.
If you're willing to give up having another message serializer injected into your own serializer and just wrap the concrete XML serializer, it would be easier. You'd also need to expose additional properties (the ones on the XML serializer) and then pass those through.
I know that this isn't particularly elegant and that's why we're improving the extensibility story in the next version to allow you to plug in encryption without fiddling with the serializer.
All that being said, it's likely that you don't need encryption between all endpoints, but rather only between those communicating outside the LAN. For those cases, you can use the Gateway process that comes with NServiceBus which enables HTTP-based communication which can then be configured to go over HTTPS. This solution would require less coding but would involve another process in your deployment.
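The wrapping approach discussed above, as an added example that is not code from either post or from NServiceBus: the inner serializer writes into a buffer, and only authenticated ciphertext reaches the transport stream. The IStreamSerializer interface, the class name, the wire layout and the use of AES-GCM with a pre-shared 32-byte key on .NET 8 or later are assumptions made for illustration; the X.509-based encryption mentioned in the question and the NServiceBus 2.0 configuration wiring are not shown.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Hypothetical stand-in for the wrapped serializer; not an NServiceBus type.
public interface IStreamSerializer<T>
{
    void Serialize(T[] messages, Stream stream);
    T[] Deserialize(Stream stream);
}

public sealed class EncryptingSerializer<T> : IStreamSerializer<T>
{
    private const int NonceSize = 12, TagSize = 16;
    private readonly IStreamSerializer<T> inner;
    private readonly byte[] key; // assumed: 32-byte AES key, distributed out of band
    public EncryptingSerializer(IStreamSerializer<T> inner, byte[] key) { this.inner = inner; this.key = key; }

    public void Serialize(T[] messages, Stream stream)
    {
        // Buffer the plaintext: bytes already written to the transport stream cannot be encrypted afterwards.
        using var plain = new MemoryStream();
        inner.Serialize(messages, plain);
        byte[] plaintext = plain.ToArray();
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh nonce per message
        byte[] cipher = new byte[plaintext.Length], tag = new byte[TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plaintext, cipher, tag);
        // Wire layout constructed for this example: nonce || tag || ciphertext
        stream.Write(nonce, 0, nonce.Length);
        stream.Write(tag, 0, tag.Length);
        stream.Write(cipher, 0, cipher.Length);
    }

    public T[] Deserialize(Stream stream)
    {
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);
        byte[] all = buffer.ToArray();
        if (all.Length < NonceSize + TagSize)
            throw new CryptographicException("Encrypted message is too short.");
        byte[] plaintext = new byte[all.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        // Decrypt throws if the tag does not verify, so tampered messages never reach the inner serializer.
        aes.Decrypt(all.AsSpan(0, NonceSize), all.AsSpan(NonceSize + TagSize),
                    all.AsSpan(NonceSize, TagSize), plaintext);
        return inner.Deserialize(new MemoryStream(plaintext));
    }
}
```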