public void TestEncryptedKeysetForNonEncryptedData()
{
var nonEncryptedPath = Util.TestDataPath(TEST_DATA, "rsa");
using (var pbereader = KeySet.LayerSecurity(
FileSystemKeySet.Creator(nonEncryptedPath),
PbeKeySet.Creator(() => "dummy")
))
{
var key = pbereader.GetKey(1);
Expect(key, Is.Not.Null);
}
using (var crypter = new Crypter(nonEncryptedPath))
using (var encreader = KeySet.LayerSecurity(
FileSystemKeySet.Creator(nonEncryptedPath),
EncryptedKeySet.Creator(crypter)
))
{
var key = encreader.GetKey(1);
Expect(key, Is.Not.Null);
}
}
public void JWTIOVerifyKeyczarTest(string testData, bool pub)
{
var dataPath = Path.Combine(GetTestDirPath(), "jwt.io", testData + ".jwt");
var keySetPath = Path.Combine(GetTestDirPath(), "jwt.io", pub ? testData + ".pub" : testData);
using (var ks = KeySet.LayerSecurity(FileSystemKeySet.Creator(keySetPath)))
using (var jwtVerifier = new JwtVerifier(ks))
{
var jwt = File.ReadAllText(dataPath).Trim();
var result = jwtVerifier.VerifyCompact(jwt);
Expect(result, Is.True);
}
}
public void TestSign()
{
using (var stream = File.OpenRead(Util.TestDataPath(TEST_DATA, "cryptkey.zip")))
using (var keySet = new BlobKeySet(stream))
using (var crypter = new Crypter(keySet))
using (var signstream = File.OpenRead(Util.TestDataPath(TEST_DATA, "signkey.zip")))
using (var signkeySet = KeySet.LayerSecurity(
BlobKeySet.Creator(signstream),
EncryptedKeySet.Creator(crypter)
))
using (var verifier = new Verifier(signkeySet))
{
var sig = (WebBase64)File.ReadAllText(Util.TestDataPath(TEST_DATA, "sign.out"));
Expect(verifier.Verify(input, sig), Is.True);
}
}
public void BasicThumbprintTest()
{
var dataPath = Path.Combine(GetTestDirPath(), "aes-gcm-certcrypted");
var activeCiphertext = (WebBase64)File.ReadAllLines(Path.Combine(dataPath, "1.out")).First();
var primaryCiphertext = (WebBase64)File.ReadAllLines(Path.Combine(dataPath, "2.out")).First();
using (var ks = KeySet.LayerSecurity(FileSystemKeySet.Creator(dataPath),
CertEncryptedKeySet.Creator(GetThumbprint())))
using (var crypter = new Crypter(ks))
{
var activeDecrypted = crypter.Decrypt(activeCiphertext);
Expect(activeDecrypted, Is.EqualTo(CertEncryptedTest.Input));
var primaryDecrypted = crypter.Decrypt(primaryCiphertext);
Expect(primaryDecrypted, Is.EqualTo(CertEncryptedTest.Input));
}
}
public void BasicPfxTestPublicVerify()
{
var dataPath = Path.Combine(GetTestDirPath(), "rsa-sign-certcrypted");
var keySetPath = Path.Combine(GetTestDirPath(), "rsa-sign-certcrypted.public");
var activeSig = (WebBase64)File.ReadAllLines(Path.Combine(dataPath, "1.out")).First();
var primarySig = (WebBase64)File.ReadAllLines(Path.Combine(dataPath, "2.out")).First();
using (var ks = KeySet.LayerSecurity(FileSystemKeySet.Creator(keySetPath)))
using (var verifier = new Verifier(ks))
{
var activeDecrypted = verifier.Verify(Input, activeSig);
Expect(activeDecrypted, Is.True);
var primaryDecrypted = verifier.Verify(Input, primarySig);
Expect(primaryDecrypted, Is.True);
}
}
public void TestAesEncryptedKeyDecrypt(string subDir, string nestedDir)
{
// Test reading and using encrypted keys
var basePath = Util.TestDataPath(TEST_DATA, nestedDir);
var keyPath = Path.Combine(basePath, subDir);
var dataPath = Path.Combine(basePath, subDir + "-crypted");
using (var keyDecrypter = new Crypter(keyPath))
using (var ks = KeySet.LayerSecurity(FileSystemKeySet.Creator(dataPath),
EncryptedKeySet.Creator(keyDecrypter)))
using (var dataDecrypter = new Crypter(ks))
{
HelperDecrypt(dataDecrypter, dataPath);
}
}
public void JWTBasicVerifyTest(string testDta, bool certCrypted)
{
var keySetPath = Path.Combine(GetTestDirPath(), testDta);
var issueDate = DateTime.UtcNow;
var expireDate = issueDate.AddDays(1);
using (var pfxStream = File.OpenRead(PfxPath()))
{
var layers = new List <Func <IKeySet, ILayeredKeySet> >();
if (certCrypted)
{
layers.Add(CertEncryptedKeySet.Creator(pfxStream, () => PfxPass));
}
using (var ks = KeySet.LayerSecurity(FileSystemKeySet.Creator(keySetPath), layers.ToArray()))
{
var signingKey = new KeyzureSigningCredentials(ks);
var token = new JwtSecurityToken("http://test.issue", "http://test.audience",
new ClaimsIdentity().Claims, issueDate,
expireDate, signingKey);
var handler = new JwtSecurityTokenHandler();
var jwt = handler.WriteToken(token);
Console.WriteLine(jwt);
var param = new TokenValidationParameters
{
IssuerSigningKey = new KeySetKey(ks),
ValidAudience = "http://test.audience",
ValidIssuer = "http://test.issue",
};
var result = handler.ValidateToken(jwt, param, out var token2);
Expect(result, Is.Not.Null);
}
}
}
public void Decrypt()
{
var keyPath = TestData("aes");
var dataPath = TestData("aes-crypted");
var activeCiphertext = (WebBase64)File.ReadAllLines(Path.Combine(dataPath, "1.out")).First();
var primaryCiphertext = (WebBase64)File.ReadAllLines(Path.Combine(dataPath, "2.out")).First();
using (var keyDecrypter = new Crypter(keyPath))
using (var ks = KeySet.LayerSecurity(FileSystemKeySet.Creator(dataPath),
EncryptedKeySet.Creator(keyDecrypter)))
using (var crypter = new Crypter(ks))
{
var activeDecrypted = crypter.Decrypt(activeCiphertext);
Expect(activeDecrypted, Is.EqualTo(Input));
var primaryDecrypted = crypter.Decrypt(primaryCiphertext);
Expect(primaryDecrypted, Is.EqualTo(Input));
}
}
protected IKeySet ProduceKeySet(string location, string crypterLocation, bool password, out IDisposable d1, out IDisposable d2, out IDisposable d3)
{
if (String.IsNullOrWhiteSpace(location))
{
d1 = null;
d2 = null;
d3 = null;
return(null);
}
Crypter crypter = null;
IKeySet ks = new FileSystemKeySet(location);
Func <string> prompt = CachedPrompt.Password(Util.PromptForPassword).Prompt;
IDisposable dks = null;
if (!String.IsNullOrWhiteSpace(crypterLocation))
{
if (password)
{
var cks = KeySet.LayerSecurity(FileSystemKeySet.Creator(crypterLocation),
PbeKeySet.Creator(prompt)
);
crypter = new Crypter(cks);
dks = cks;
}
else
{
crypter = new Crypter(crypterLocation);
}
ks = new EncryptedKeySet(ks, crypter);
}
else if (_password)
{
ks = new PbeKeySet(ks, prompt);
}
d1 = crypter;
d2 = dks;
d3 = ks;
return(ks);
}
public void CreatePbeKeySet()
{
var kspath = Util.TestDataPath(WRITE_DATA, "pbe_json");
var writer = new FileSystemKeySetWriter(kspath, overwrite: true);
Func <string> passPrompt = () => "cartman"; //hardcoded because this is a test;
using (var encwriter = new PbeKeySetWriter(writer, passPrompt))
{
using (var ks = CreateNewKeySet(KeyKind.Symmetric, KeyPurpose.DecryptAndEncrypt))
{
var success = ks.Save(writer);
Expect(success, Is.True);
}
using (var eks = KeySet.LayerSecurity(
FileSystemKeySet.Creator(kspath),
PbeKeySet.Creator(passPrompt)))
{
HelperCryptCreate(encwriter, eks, kspath, KeyType.Aes);
}
}
}
public void CreateAndCrypted(string keyType, string topDir, string subDir)
{
KeyType type = keyType;
var kspath = Util.TestDataPath(WRITE_DATA, topDir, subDir);
var writer = new FileSystemKeySetWriter(kspath, overwrite: true);
using (var ks = CreateNewKeySet(type.Kind, KeyPurpose.DecryptAndEncrypt))
{
var success = ks.Save(writer);
Expect(success, Is.True);
}
HelperCryptCreate(writer, new FileSystemKeySet(kspath), kspath, type);
var kscryptpath = Util.TestDataPath(WRITE_DATA, topDir + "-crypted", subDir);
var baseWriter = new FileSystemKeySetWriter(kscryptpath, overwrite: true);
using (var ks = CreateNewKeySet(type.Kind, KeyPurpose.DecryptAndEncrypt))
{
var success = ks.Save(baseWriter);
Expect(success, Is.True);
}
using (var encrypter = new Crypter(kspath))
{
var cryptedwriter = new EncryptedKeySetWriter(baseWriter, encrypter);
using (var eks = KeySet.LayerSecurity(FileSystemKeySet.Creator(kscryptpath),
EncryptedKeySet.Creator(encrypter)))
{
HelperCryptCreate(cryptedwriter, eks, kscryptpath, type,
new FileSystemKeySet(kscryptpath), baseWriter);
}
}
}
public void JWTIOVerifyOwinTest(string testData, bool pub)
{
var dataPath = Path.Combine(GetTestDirPath(), "jwt.io", testData + ".jwt");
var keySetPath = Path.Combine(GetTestDirPath(), "jwt.io", pub ? testData + ".pub" : testData);
using (var ks = KeySet.LayerSecurity(FileSystemKeySet.Creator(keySetPath)))
{
var jwt = File.ReadAllText(dataPath).Trim();
var handler = new JwtSecurityTokenHandler();
var param = new TokenValidationParameters
{
IssuerSigningKey = new KeySetKey(ks),
ValidateLifetime = false,
ValidateAudience = false,
ValidateIssuer = false,
};
var result = handler.ValidateToken(jwt, param, out var token);
Expect(result, Is.Not.Null);
}
}
public void TestPbeKeysetRead()
{
Func <string> password = () => "cartman"; //Hardcoded because this is a test
using (var reader = KeySet.LayerSecurity(FileSystemKeySet.Creator(Util.TestDataPath(TEST_DATA, "pbe_json")),
PbeKeySet.Creator(password)
))
{
Expect(reader.Metadata.Encrypted, Is.True);
var data1 = Encoding.UTF8.GetString(reader.GetKeyData(1));
var data2 = Encoding.UTF8.GetString(reader.GetKeyData(1));
var token1 = JToken.Parse(data1);
var size = token1["size"];
Expect(size.ToString(), Is.EqualTo("128"));
var token2 = JToken.Parse(data2);
var mode = token2["mode"];
Expect(mode.ToString(), Is.EqualTo("CBC"));
}
}
public override int Run(string[] remainingArguments)
{
var ret = 0;
Crypter crypter = null;
IKeySet ks = new FileSystemKeySet(_location);
Func <string> crypterPrompt = CachedPrompt.Password(Util.PromptForPassword).Prompt;
var prompt = ks.Metadata.Encrypted
? new Func <string>(CachedPrompt.Password(Util.PromptForPassword).Prompt)
: new Func <string>(CachedPrompt.Password(Util.DoublePromptForPassword).Prompt);
IDisposable dks = null;
if (!String.IsNullOrWhiteSpace(_crypterLocation))
{
if (_password)
{
var cks = KeySet.LayerSecurity(
FileSystemKeySet.Creator(_crypterLocation),
PbeKeySet.Creator(crypterPrompt)
);
crypter = new Crypter(cks);
dks = cks;
}
else
{
crypter = new Crypter(_crypterLocation);
}
ks = new EncryptedKeySet(ks, crypter);
}
else if (_password)
{
ks = new PbeKeySet(ks, prompt);
}
var d2ks = ks as IDisposable;
using (crypter)
using (dks)
using (d2ks)
using (var keySet = new MutableKeySet(ks))
{
if (_status != KeyStatus.Primary && _status != KeyStatus.Active)
{
Console.WriteLine("{0} {1}.", Localized.MsgInvalidStatus, _status.Identifier);
return(-1);
}
object options = null;
if (!String.IsNullOrWhiteSpace(_padding))
{
options = new { Padding = _padding };
}
int ver;
var type = KeyTypeForString(_type);
if (ks.Metadata.OriginallyOfficial && ks.Metadata.ValidOfficial())
{
var keytype = ks.Metadata.OfficialKeyType();
if (type == null)
{
type = keytype;
}
else if (type != keytype && !_force)
{
throw new ConsoleHelpAsException(String.Format(Localized.MsgMismatchedType, type, keytype));
}
}
try
{
ver = keySet.AddKey(_status, _size, type, options);
}
#pragma warning disable 168
catch (InvalidKeyTypeException ex)
#pragma warning restore 168
{
throw new ConsoleHelpAsException(String.Format(Localized.MsgMismatchedKind, type?.Kind, keySet.Metadata.Kind));
}
IKeySetWriter writer = new FileSystemKeySetWriter(_location, overwrite: true);
if (crypter != null)
{
writer = new EncryptedKeySetWriter(writer, crypter);
}
else if (_password)
{
writer = new PbeKeySetWriter(writer, prompt);
}
using (writer as IDisposable)
{
try
{
if (keySet.Save(writer))
{
Console.WriteLine("{0} {1}.", Localized.MsgCreatedKey, ver);
ret = 0;
}
else
{
ret = -1;
}
}
catch
{
ret = -1;
}
}
}
if (ret != 0)
{
Console.WriteLine("{0} {1}.", Localized.MsgCouldNotWrite, _location);
}
return(ret);
}
public override int Run(string[] remainingArguments)
{
var ret = 0;
Crypter crypter = null;
IKeySet ks = new FileSystemKeySet(_location);
Func <string> singlePrompt = CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForKeySet);
return(Util.PromptForPassword());
}).Prompt;
var prompt = ks.Metadata.Encrypted
? singlePrompt
: CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForKeySet);
return(Util.PromptForPassword());
}).Prompt;
IDisposable dks = null;
if (!String.IsNullOrWhiteSpace(_crypterLocation))
{
if (_password)
{
var cks = KeySet.LayerSecurity(FileSystemKeySet.Creator(_crypterLocation),
PbeKeySet.Creator(singlePrompt));
crypter = new Crypter(cks);
dks = cks;
}
else
{
crypter = new Crypter(_crypterLocation);
}
ks = new EncryptedKeySet(ks, crypter);
}
else if (_password)
{
ks = new PbeKeySet(ks, prompt);
}
var d2ks = ks as IDisposable;
using (crypter)
using (dks)
using (d2ks)
using (var keySet = new MutableKeySet(ks))
{
var official = keySet.Metadata.OriginallyOfficial && keySet.Metadata.ValidOfficial() && !_force;
KeyType hint = null;
if (!String.IsNullOrWhiteSpace(_type))
{
hint = AddKey.KeyTypeForString(_type);
}
if (_status != KeyStatus.Primary && _status != KeyStatus.Active)
{
Console.WriteLine("{0} {1}.", Localized.Status, _status.Identifier);
return(-1);
}
ImportedKeySet importedKeySet = null;
try
{
importedKeySet = ImportedKeySet.Import.X509Certificate(keySet.Metadata.Purpose, _importLocation, official, hint);
}
catch
{
if (_importLocation.EndsWith("pfx", StringComparison.Ordinal) ||
_importLocation.EndsWith("p12", StringComparison.Ordinal)
)
{
importedKeySet = ImportedKeySet.Import.Pkcs12Keys(
keySet.Metadata.Purpose, _importLocation,
CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForImport);
return(Util.PromptForPassword());
}).Prompt, official, hint);
}
else
{
importedKeySet = ImportedKeySet.Import.PkcsKey(
keySet.Metadata.Purpose, _importLocation,
CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForImport);
return(Util.PromptForPassword());
}).Prompt, official, hint);
}
}
if (importedKeySet == null)
{
Console.WriteLine(Localized.MsgUnparsableImport);
ret = -1;
}
else
{
if (keySet.Metadata.OriginallyOfficial && keySet.Metadata.ValidOfficial())
{
if (!_force && !importedKeySet.Metadata.ValidOfficial())
{
var keySetKeyType = keySet.Metadata.OfficialKeyType();
ret = -1;
Console.WriteLine(Localized.MsgMismatchedType,
"Multiple Types",
keySetKeyType);
}
else
{
var importedKeyType = importedKeySet.Metadata.OfficialKeyType();
var keySetKeyType = keySet.Metadata.OfficialKeyType();
if (importedKeyType != keySetKeyType && !_force)
{
ret = -1;
Console.WriteLine(Localized.MsgMismatchedType,
importedKeyType,
keySetKeyType);
}
}
}
if (keySet.Metadata.Kind != importedKeySet.Metadata.Kind)
{
if (!keySet.Metadata.Versions.Any())
{
keySet.Metadata.Kind = importedKeySet.Metadata.Kind;
}
else
{
ret = -1;
Console.WriteLine(Localized.MsgConflictingKeyTypes,
keySet.Metadata.Kind.Identifier,
importedKeySet.Metadata.Kind);
}
}
using (importedKeySet)
{
if (ret != -1)
{
var count = importedKeySet.Metadata.Versions.Count();
var outMsg = "";
foreach (var v in importedKeySet.Metadata.Versions)
{
var status = v.Status;
if (count == 1 || _status != KeyStatus.Primary)
{
status = _status;
}
var ver = keySet.AddKey(status, importedKeySet.GetKey(v.VersionNumber));
outMsg = ver.ToString();
}
if (count > 1)
{
outMsg = $"{count} keys";
}
IKeySetWriter writer = new FileSystemKeySetWriter(_location, overwrite: true);
if (crypter != null)
{
writer = new EncryptedKeySetWriter(writer, crypter);
}
else if (_password)
{
writer = new PbeKeySetWriter(writer, prompt);
}
if (keySet.Save(writer))
{
Console.WriteLine("{0} {1}.", Localized.MsgImportedNewKey, outMsg);
ret = 0;
}
else
{
ret = -1;
}
}
}
}
}
return(ret);
}
public override int Run(string[] remainingArguments)
{
var ret = 0;
Crypter crypter = null;
IKeySet ks = new FileSystemKeySet(_location);
Func <string> prompt = CachedPrompt.Password(Util.PromptForPassword).Prompt;
IDisposable dks = null;
if (!String.IsNullOrWhiteSpace(_crypterLocation))
{
if (_password)
{
var cks = KeySet.LayerSecurity(FileSystemKeySet.Creator(_crypterLocation),
PbeKeySet.Creator(prompt)
);
crypter = new Crypter(cks);
dks = cks;
}
else
{
crypter = new Crypter(_crypterLocation);
}
ks = new EncryptedKeySet(ks, crypter);
}
else if (_password)
{
ks = new PbeKeySet(ks, prompt);
}
var d2ks = ks as IDisposable;
using (crypter)
using (dks)
using (d2ks)
using (var keySet = new MutableKeySet(ks))
{
var pubKeySet = keySet.PublicKey();
if (pubKeySet != null)
{
using (pubKeySet)
{
IKeySetWriter writer = new FileSystemKeySetWriter(_destination, overwrite: false);
if (pubKeySet.Save(writer))
{
Console.WriteLine(Localized.MsgNewPublicKeySet);
ret = 0;
}
else
{
ret = -1;
}
}
}
else
{
ret = -1;
}
}
return(ret);
}
public override int Run(string[] remainingArguments)
{
var ret = 0;
Crypter crypter = null;
IKeySet ks = new FileSystemKeySet(_location);
Func <string> prompt = CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForKeySet);
return(Util.PromptForPassword());
}).Prompt;
IDisposable dks = null;
if (!String.IsNullOrWhiteSpace(_crypterLocation))
{
if (_password)
{
var cks = KeySet.LayerSecurity(FileSystemKeySet.Creator(_crypterLocation),
PbeKeySet.Creator(prompt)
);
crypter = new Crypter(cks);
dks = cks;
}
else
{
crypter = new Crypter(_crypterLocation);
}
ks = new EncryptedKeySet(ks, crypter);
}
else if (_password)
{
ks = new PbeKeySet(ks, prompt);
}
var d2ks = ks as IDisposable;
using (crypter)
using (dks)
using (d2ks)
{
if (_pkcs12)
{
if (!ks.ExportAsPkcs12(_destination, CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForExport);
return(Util.DoublePromptForPassword
());
}).Prompt))
{
ret = -1;
}
else
{
Console.WriteLine(Localized.MsgExportedPem);
}
}
else
{
if (!ks.ExportPrimaryAsPkcs(_destination, CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForExport);
return(Util.DoublePromptForPassword());
}).Prompt))
{
ret = -1;
}
else
{
Console.WriteLine(Localized.MsgExportedPem);
}
}
}
return(ret);
}
public void TestOperateOnPbeKeys()
{
string result;
var pathc = Util.TestDataPath(TEST_DATA, "rsa-pbe");
if (Directory.Exists(pathc))
{
Directory.Delete(pathc, true);
}
result = Util.KeyczarTool(create: null, location: pathc, purpose: "crypt", asymmetric: null);
Expect(result, Does.Contain(KeyczarTool.Localized.MsgCreatedKeySet));
result = Util.KeyczarTool("cartman", "cartman", addkey: null, location: pathc, password: null,
status: "primary");
Expect(result, Does.Contain(KeyczarTool.Localized.MsgCreatedKey));
var pathi = Path.Combine(pathc, "out.pem");
result = Util.KeyczarTool(
"cartman",
"pass",
"pass",
export: null,
location: pathc,
password: null,
destination: pathi);
Expect(result, Does.Contain(KeyczarTool.Localized.MsgExportedPem));
result = Util.KeyczarTool("cartman", "pass",
importkey: null,
location: pathc,
status: "primary",
password: null,
importlocation: pathi);
Expect(result, Does.Contain(KeyczarTool.Localized.MsgImportedNewKey));
var pathp = Path.Combine(pathc, "export");
result = Util.KeyczarTool(
"cartman",
pubkey: null,
location: pathc,
password: null,
destination: pathp
);
Expect(result, Does.Contain(KeyczarTool.Localized.MsgNewPublicKeySet));
var patho = Path.Combine(pathc, "1.out");
result = Util.KeyczarTool(
"cartman",
usekey: null,
location: pathc,
password: null,
destination: patho,
additionalArgs: new[] { input }
);
using (var pks = KeySet.LayerSecurity(
FileSystemKeySet.Creator(pathc),
PbeKeySet.Creator(() => "cartman" /*hardcoding because this is a test*/)))
using (var crypter = new Crypter(pks))
{
Expect(pks.Metadata.Encrypted, Is.True);
result = crypter.Decrypt((WebBase64)File.ReadAllText(patho));
Expect(result, Is.EqualTo(input));
}
Directory.Delete(pathc, true);
}
