/// <summary>
/// Creates an ephemeral <see cref="IDataProtectionProvider"/> with logging.
/// </summary>
/// <param name="loggerFactory">The <see cref="ILoggerFactory" />.</param>
public EphemeralDataProtectionProvider(ILoggerFactory loggerFactory)
{
if (loggerFactory == null)
{
throw new ArgumentNullException(nameof(loggerFactory));
}
IKeyRingProvider keyringProvider;
if (OSVersionUtil.IsWindows())
{
// Assertion for platform compat analyzer
Debug.Assert(RuntimeInformation.IsOSPlatform(OSPlatform.Windows));
// Fastest implementation: AES-256-GCM [CNG]
keyringProvider = new EphemeralKeyRing <CngGcmAuthenticatedEncryptorConfiguration>(loggerFactory);
}
else
{
// Slowest implementation: AES-256-CBC + HMACSHA256 [Managed]
keyringProvider = new EphemeralKeyRing <ManagedAuthenticatedEncryptorConfiguration>(loggerFactory);
}
var logger = loggerFactory.CreateLogger <EphemeralDataProtectionProvider>();
logger.UsingEphemeralDataProtectionProvider();
_dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, loggerFactory);
}
public DefaultDataProtectionProvider(
[NotNull] IOptions <DataProtectionOptions> optionsAccessor,
[NotNull] IKeyManager keyManager)
{
KeyRingBasedDataProtectionProvider rootProvider = new KeyRingBasedDataProtectionProvider(new KeyRingProvider(keyManager));
var options = optionsAccessor.Options;
_innerProvider = (!String.IsNullOrEmpty(options.ApplicationDiscriminator))
? (IDataProtectionProvider)rootProvider.CreateProtector(options.ApplicationDiscriminator)
: rootProvider;
}
public EphemeralDataProtectionProvider()
{
IKeyRingProvider keyringProvider;
if (OSVersionUtil.IsBCryptOnWin7OrLaterAvailable())
{
// Fastest implementation: AES-GCM
keyringProvider = new EphemeralKeyRing <CngGcmAuthenticatedEncryptorConfigurationOptions>();
}
else
{
// Slowest implementation: managed CBC + HMAC
keyringProvider = new EphemeralKeyRing <ManagedAuthenticatedEncryptorConfigurationOptions>();
}
_dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider);
}
private static void AddDataProtectionServices(
IServiceCollection services
)
{
if (OSVersionUtil.IsWindows())
{
services.TryAddSingleton <IRegistryPolicyResolver, RegistryPolicyResolver>();
}
services.TryAddEnumerable(
ServiceDescriptor.Singleton <IConfigureOptions <KeyManagementOptions>, KeyManagementOptionsSetup>());
services.TryAddEnumerable(
ServiceDescriptor.Transient <IConfigureOptions <DataProtectionOptions>, DataProtectionOptionsSetup>());
services.TryAddSingleton <IKeyManager, XmlKeyManager>();
services.TryAddSingleton <IApplicationDiscriminator, HostingApplicationDiscriminator>();
services.TryAddEnumerable(ServiceDescriptor.Singleton <IStartupFilter, DataProtectionStartupFilter>());
// Internal services
services.TryAddSingleton <IDefaultKeyResolver, DefaultKeyResolver>();
services.TryAddSingleton <IKeyRingProvider, KeyRingProvider>();
services.TryAddSingleton <IDataProtectionProvider>(s =>
{
var dpOptions = s.GetRequiredService <IOptions <DataProtectionOptions> >();
var keyRingProvider = s.GetRequiredService <IKeyRingProvider>();
var loggerFactory = s.GetService <ILoggerFactory>() ?? NullLoggerFactory.Instance;
IDataProtectionProvider dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, loggerFactory);
// Link the provider to the supplied discriminator
if (!string.IsNullOrEmpty(dpOptions.Value.ApplicationDiscriminator))
{
dataProtectionProvider = dataProtectionProvider.CreateProtector(
dpOptions.Value.ApplicationDiscriminator
);
}
return(dataProtectionProvider);
});
services.TryAddSingleton <ICertificateResolver, CertificateResolver>();
}
internal static IDataProtectionProvider GetProviderFromServices(DataProtectionOptions options, IServiceProvider services, bool mustCreateImmediately)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
IDataProtectionProvider dataProtectionProvider = null;
// If we're being asked to create the provider immediately, then it means that
// we're already in a call to GetService, and we're responsible for supplying
// the default implementation ourselves. We can't call GetService again or
// else we risk stack diving.
if (!mustCreateImmediately)
{
dataProtectionProvider = services.GetService <IDataProtectionProvider>();
}
// If all else fails, create a keyring manually based on the other registered services.
if (dataProtectionProvider == null)
{
var keyRingProvider = new KeyRingProvider(
keyManager: services.GetRequiredService <IKeyManager>(),
keyManagementOptions: services.GetService <IOptions <KeyManagementOptions> >()?.Value, // might be null
services: services);
dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyRingProvider, services);
}
// Finally, link the provider to the supplied discriminator
if (!String.IsNullOrEmpty(options.ApplicationDiscriminator))
{
dataProtectionProvider = dataProtectionProvider.CreateProtector(options.ApplicationDiscriminator);
}
return(dataProtectionProvider);
}
/// <summary>
/// Creates an ephemeral <see cref="IDataProtectionProvider"/>, optionally providing
/// services (such as logging) for consumption by the provider.
/// </summary>
public EphemeralDataProtectionProvider(IServiceProvider services)
{
IKeyRingProvider keyringProvider;
if (OSVersionUtil.IsWindows())
{
// Fastest implementation: AES-256-GCM [CNG]
keyringProvider = new EphemeralKeyRing <CngGcmAuthenticatedEncryptionSettings>();
}
else
{
// Slowest implementation: AES-256-CBC + HMACSHA256 [Managed]
keyringProvider = new EphemeralKeyRing <ManagedAuthenticatedEncryptionSettings>();
}
var logger = services.GetLogger <EphemeralDataProtectionProvider>();
logger?.UsingEphemeralDataProtectionProvider();
_dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, services);
}
/// <summary>
/// Creates an ephemeral <see cref="IDataProtectionProvider"/>, optionally providing
/// services (such as logging) for consumption by the provider.
/// </summary>
public EphemeralDataProtectionProvider(IServiceProvider services)
{
IKeyRingProvider keyringProvider;
if (OSVersionUtil.IsWindows())
{
// Fastest implementation: AES-256-GCM [CNG]
keyringProvider = new EphemeralKeyRing <CngGcmAuthenticatedEncryptionOptions>();
}
else
{
// Slowest implementation: AES-256-CBC + HMACSHA256 [Managed]
keyringProvider = new EphemeralKeyRing <ManagedAuthenticatedEncryptionOptions>();
}
var logger = services.GetLogger <EphemeralDataProtectionProvider>();
if (logger.IsWarningLevelEnabled())
{
logger.LogWarning("Using ephemeral data protection provider. Payloads will be undecipherable upon application shutdown.");
}
_dataProtectionProvider = new KeyRingBasedDataProtectionProvider(keyringProvider, services);
}
