public JToken DecryptResourceData(JToken item)
{
const string encryptedContentProperty = "encryptedContent";
const string certificateIdProperty = "encryptionCertificateId";
const string symmetricKeyProperty = "dataKey";
const string encryptedPayloadProperty = "data";
const string signatureProperty = "dataSignature";
var encryptedContent = item[encryptedContentProperty];
string certificateId = encryptedContent[certificateIdProperty]?.Value <string>() ?? throw new InvalidOperationException("Encryption key id does not exist in the notification payload");
string encryptedSymmetricKey = encryptedContent[symmetricKeyProperty]?.Value <string>() ?? throw new InvalidOperationException("Symmetric key does not exist in the notification payload");
string encryptedPayload = encryptedContent[encryptedPayloadProperty]?.Value <string>() ?? throw new InvalidOperationException("Encrypted payload ;sdoes not exist in the notification payload");
string hashMac = encryptedContent[signatureProperty]?.Value <string>() ?? throw new InvalidOperationException("Encrypted signature does not exist in the notification payload");
var payloadBytes = Convert.FromBase64String(encryptedPayload);
var signatureBytes = Convert.FromBase64String(hashMac);
// descrypt the symetric key
var symmetricKey = AsymmetricDecryptor.Decrypt(Convert.FromBase64String(encryptedSymmetricKey), certificateId);
// verify signature using the symmetric key
SymmetricDecryptor.VerifyHMACSignature(payloadBytes, symmetricKey, signatureBytes);
// decrypt payload using symmetric key
string plainText = SymmetricDecryptor.Decrypt(payloadBytes, symmetricKey);
return(JToken.Parse(plainText));
}
public static byte[] SymmetricDecrypt(SymmetricAlgorithm algorithm,
byte[] data)
{
ValidateParameters(algorithm, data);
SymmetricDecryptor decryptor =
new SymmetricDecryptor(algorithm, data);
return(decryptor.GetDecryptedBytes());
}
public static string SymmetricDecrypt(SymmetricAlgorithm algorithm,
string data)
{
ValidateParameters(algorithm, data);
SymmetricDecryptor decryptor =
new SymmetricDecryptor(algorithm, data);
return(decryptor.GetDecryptedString());
}
/// <summary>
/// Returns the original string given the encrypted form and provided key
/// and iv, and specified symmetric encrpytion algorithm.
/// </summary>
public static string SymmetricDecrypt <T>(string data, byte[] key,
byte[] iv) where T : SymmetricAlgorithm
{
ValidateParameters(data, key, iv);
SymmetricAlgorithm algorithm = Activator.CreateInstance <T>();
SymmetricDecryptor decryptor =
new SymmetricDecryptor(algorithm, data, key, iv);
return(decryptor.GetDecryptedString());
}
public void DecryptByByteArrayReturnsTheCipherTextParameterWhenItIsNotLongEnoughForTheHeader()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF8);
var plaintext = new byte[] { 1, 16 };
var decrypted = symmetricDecryptor.Decrypt(plaintext);
decrypted.Should().BeSameAs(plaintext);
}
public void DecryptByStringReturnsTheCipherTextParameterWhenItIsNotBase64Encoded()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF8);
var plaintext = "This is not a base-64 encoded string.";
var decrypted = symmetricDecryptor.Decrypt(plaintext);
decrypted.Should().BeSameAs(plaintext);
}
public void CanDecryptByString()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF8);
var encrypted = "ARAAR0wt0bewMNdNByQ5OuJmKj6AfWMNWYSIrPaLR0h/bBF4fcSjCXwJrxZ1upPDByFp";
var decrypted = symmetricDecryptor.Decrypt(encrypted);
decrypted.Should().NotBeNullOrEmpty();
decrypted.Should().NotBe(encrypted);
}
public void CanDecryptByString()
{
var credentialMock = new Mock <ICredential>();
credentialMock.Setup(cm => cm.Algorithm).Returns(SymmetricAlgorithm.Aes);
credentialMock.Setup(cm => cm.IVSize).Returns(16);
credentialMock.Setup(cm => cm.GetKey()).Returns(new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 });
var symmetricEncryptor = new SymmetricDecryptor(credentialMock.Object, Encoding.UTF8);
var unencrypted = "ARAAR0wt0bewMNdNByQ5OuJmKj6AfWMNWYSIrPaLR0h/bBF4fcSjCXwJrxZ1upPDByFp";
var encrypted = symmetricEncryptor.Decrypt(unencrypted);
encrypted.Should().NotBeNullOrEmpty();
encrypted.Should().NotBe(unencrypted);
}
public static void MismatchedEncodingCausesEncodingDiscrepency()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
using var symmetricEncryptor = new SymmetricEncryptor(credential, Encoding.UTF8);
using var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF32);
var unencrypted = "This is some string. 😂🤣";
var encrypted = symmetricEncryptor.Encrypt(unencrypted);
var decrypted = symmetricDecryptor.Decrypt(encrypted);
encrypted.Should().NotBe(unencrypted);
decrypted.Should().NotBe(encrypted);
decrypted.Should().NotBe(unencrypted);
}
public static void CanRoundTripByString()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
using var symmetricEncryptor = new SymmetricEncryptor(credential, Encoding.UTF8);
using var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF8);
var unencrypted = "This is some string";
var encrypted = symmetricEncryptor.Encrypt(unencrypted);
var decrypted = symmetricDecryptor.Decrypt(encrypted);
encrypted.Should().NotBe(unencrypted);
decrypted.Should().NotBe(encrypted);
decrypted.Should().Be(unencrypted);
}
public void CanRoundTripByByteArray()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
var symmetricEncryptor = new SymmetricEncryptor(credential, Encoding.UTF8);
var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF8);
var unencryptedString = "This is some string";
var unencrypted = Encoding.UTF8.GetBytes(unencryptedString);
var encrypted = symmetricEncryptor.Encrypt(unencrypted);
var decrypted = symmetricDecryptor.Decrypt(encrypted);
encrypted.Should().NotEqual(unencrypted);
decrypted.Should().NotEqual(encrypted);
decrypted.Should().Equal(unencrypted);
}
public static void CannotRoundTripByStringWithMismatchedCredentials()
{
var credential1 = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
var credential2 = new Credential(
() => new byte[] { 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x9, 0x8, 0x7, 0x6, 0x5, 0x4, 0x3, 0x2, 0x1, 0x0 },
SymmetricAlgorithm.Aes, 16);
using var symmetricEncryptor = new SymmetricEncryptor(credential1, Encoding.UTF8);
using var symmetricDecryptor = new SymmetricDecryptor(credential2, Encoding.UTF8);
var unencrypted = "This is some string";
var encrypted = symmetricEncryptor.Encrypt(unencrypted);
var action = () => symmetricDecryptor.Decrypt(encrypted);
action.Should().Throw <CryptographicException>();
}
public void DecryptByByteArrayReturnsTheCipherTextParameterWhenTheVersionIsNot1()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF8);
for (int i = 0; i < 256; i++)
{
if (i == 1)
{
continue;
}
var plaintext = new byte[] { (byte)i, 16, 0, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 };
var decrypted = symmetricDecryptor.Decrypt(plaintext);
decrypted.Should().BeSameAs(plaintext);
}
}
public static void DecryptByByteArrayReturnsTheCipherTextParameterWhenTheIVSizeIsNot8Or16()
{
var credential = new Credential(
() => new byte[] { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 },
SymmetricAlgorithm.Aes, 16);
using var symmetricDecryptor = new SymmetricDecryptor(credential, Encoding.UTF8);
for (int i = 0; i < 256; i++)
{
for (int j = 0; j < 256; j++)
{
if ((i == 8 || i == 16) && j == 0)
{
continue;
}
var plaintext = new byte[] { 1, (byte)i, (byte)j, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 };
var decrypted = symmetricDecryptor.Decrypt(plaintext);
decrypted.Should().BeSameAs(plaintext);
}
}
}
