public void TestSignAndCheckWithPublicKey() { var message = DateTime.Now.ToString(); //"string to be encrypted"; var _rsau = new RsaUtils(); var signMessage = _rsau.SignData(message); Assert.IsNotNull(signMessage); Assert.IsTrue(signMessage.Length > 0); var _rsau2 = new RsaUtils(); _rsau2.SetKeys(_rsau.GetKeyInformation(false)); var verifyData = _rsau2.CheckSign(message, signMessage); Assert.IsTrue(verifyData); }
public void GetField() { _parent.doc.fat_inte = Int32.Parse(m_cli_cod.Text); _parent.doc.fat_dest = Int32.Parse(m_dst_cod.Text); try { int num = m_n_doc.Value == null ? 0 : Convert.ToInt32(m_n_doc.Value); _parent.doc.fat_n_doc = RsaUtils.GetStoredNumDoc(num, fat_registro.Text); } catch (Exception ex) { Debug.WriteLine(ex.Message); } _parent.doc.fat_registro = fat_registro.Text; _parent.doc.fat_d_doc = m_d_doc.Date; }
/// <summary> /// Calculates the size of the footer with an asymmetric signature. /// </summary> protected int GetAsymmetricSignatureSize(X509Certificate2 senderCertificate) { switch (SecurityPolicyUri) { case SecurityPolicies.Basic128Rsa15: case SecurityPolicies.Basic256: case SecurityPolicies.Basic256Sha256: { return(RsaUtils.GetSignatureLength(senderCertificate)); } default: case SecurityPolicies.None: { return(0); } } }
/// <summary> /// Get public key parameters from a X509Certificate2 /// </summary> private static RsaKeyParameters GetPublicKeyParameter(X509Certificate2 certificate) { RSA rsa = null; try { rsa = certificate.GetRSAPublicKey(); RSAParameters rsaParams = rsa.ExportParameters(false); return(new RsaKeyParameters( false, new BigInteger(1, rsaParams.Modulus), new BigInteger(1, rsaParams.Exponent))); } finally { RsaUtils.RSADispose(rsa); } }
public void Can_Send_Encrypted_Message() { var client = CreateClient(); var request = new HelloSecure { Name = "World" }; byte[] cryptKey, authKey, iv; AesUtils.CreateCryptAuthKeysAndIv(out cryptKey, out authKey, out iv); var cryptAuthKeys = cryptKey.Combine(authKey); var rsaEncCryptAuthKeys = RsaUtils.Encrypt(cryptAuthKeys, SecureConfig.PublicKeyXml); var authRsaEncCryptAuthKeys = HmacUtils.Authenticate(rsaEncCryptAuthKeys, authKey, iv); var timestamp = DateTime.UtcNow.ToUnixTime(); var requestBody = timestamp + " POST " + typeof(HelloSecure).Name + " " + request.ToJson(); var encryptedBytes = AesUtils.Encrypt(requestBody.ToUtf8Bytes(), cryptKey, iv); var authEncryptedBytes = HmacUtils.Authenticate(encryptedBytes, authKey, iv); var encryptedMessage = new EncryptedMessage { EncryptedSymmetricKey = Convert.ToBase64String(authRsaEncCryptAuthKeys), EncryptedBody = Convert.ToBase64String(authEncryptedBytes), }; var encResponse = client.Post(encryptedMessage); authEncryptedBytes = Convert.FromBase64String(encResponse.EncryptedBody); if (!HmacUtils.Verify(authEncryptedBytes, authKey)) { throw new Exception("Invalid EncryptedBody"); } var decryptedBytes = HmacUtils.DecryptAuthenticated(authEncryptedBytes, cryptKey); var responseJson = decryptedBytes.FromUtf8Bytes(); var response = responseJson.FromJson <HelloSecureResponse>(); Assert.That(response.Result, Is.EqualTo("Hello, World!")); }
public void TestSetPublicKey() { var _rsau = new RsaUtils(); var origKeys = _rsau.GetKeyInformation(false); var _rsau2 = new RsaUtils(); var origKeys2 = _rsau2.GetKeyInformation(false); Assert.IsNotNull(origKeys); Assert.IsNotNull(origKeys2); Assert.IsFalse(origKeys.Equals(origKeys2)); _rsau2.SetKeys(origKeys); var origKeys2_2 = _rsau2.GetKeyInformation(false); Assert.IsNotNull(origKeys2_2); Assert.IsFalse(origKeys2.Equals(origKeys2_2)); Assert.IsTrue(origKeys.Equals(origKeys2_2)); }
/// <summary> /// Verify RSA key pair of two certificates. /// </summary> private static bool VerifyRSAKeyPair( X509Certificate2 certWithPublicKey, X509Certificate2 certWithPrivateKey, bool throwOnError = false) { bool result = false; try { // verify the public and private key match using (RSA rsaPrivateKey = certWithPrivateKey.GetRSAPrivateKey()) { using (RSA rsaPublicKey = certWithPublicKey.GetRSAPublicKey()) { Opc.Ua.Test.RandomSource randomSource = new Opc.Ua.Test.RandomSource(); int blockSize = RsaUtils.GetPlainTextBlockSize(rsaPrivateKey, true); byte[] testBlock = new byte[blockSize]; randomSource.NextBytes(testBlock, 0, blockSize); byte[] encryptedBlock = rsaPublicKey.Encrypt(testBlock, RSAEncryptionPadding.OaepSHA1); byte[] decryptedBlock = rsaPrivateKey.Decrypt(encryptedBlock, RSAEncryptionPadding.OaepSHA1); if (decryptedBlock != null) { result = Utils.IsEqual(testBlock, decryptedBlock); } } } } catch (Exception e) { if (throwOnError) { throw e; } } finally { if (!result && throwOnError) { throw new CryptographicException("The public/private key pair in the certficates do not match."); } } return(result); }
public void xxx() { var privKeyStr = @"MIICXQIBAAKBgQDEuMdX757iaBkrxN51IQMILf+o7nJhfddEQ8gurVNYgoGxg19N ZtrJaegAiv6lbFO4jhkKzLX9mHXZrvxL+UD5lr458BA8vwm+ws7lxu+10exq0Xns H26ekvBveDcbndhX+fbc34HhZlJCib6MKMzUGebwckGbZK3oz4WCZc3QoQIDAQAB AoGBALBWWgpPNwMIARgk3qvrrYYVhYhuRYVyghYlFDoTEBTU12DBvBnrys6k6lwi O+UY12slpPjzS2dI1MsOegW4Ji5/6w/rZC8BoyvOADSVWKc71eaQ8d9IqjjWKp0+ cL9hgI8s/DDYUtqmrqsxqPGkxOx8NSD7VcSID7xbbqK/v5uJAkEA+hurMyJUPRCD Uyfie1m+cfQKjc4j4zN32KrbceG25QJq8Y/lpQSq0POSsmvaIxGkRJtTIoB6T/co TYvox/kUiwJBAMlbJvyjm2KY12CTFjN7apmnMIRoYmI9z8n4hLl2h8852s+Ljdjn MrCOcsL0T0kvxLlAKDwAeVWtjil3A9/DGQMCQAJPERSGw5pQtbWlz5xt5qkspJBM j95AEmIoqZ/ygnq4u/4A4xDT6zPEm90Ty865EfgkKu9NmlN0p6WXng2CiiMCQEND nQmGihDs5/4OBLub/edob4+74ynYZkKdL5FZJFM4i30LrI4J5egPHg08WgQj3f7Y jNhGfEH/4V6+sF+eqAsCQQCTl/A2JqF6CThIdk6zLF40cJGRFOkAcRqsrV3Q64XD C2rpXXqnjJlqysIFEmnUmxm64ckMyg96b1CxeW0F4Tr7"; var privKey = Convert.FromBase64String(privKeyStr); var prvRsa = RsaUtils.LoadPrivateKey(privKey); }
public void Does_Hybrid_RSA_Crypt_and_Auth_AES_with_HMAC_SHA256() { var request = new HelloSecure { Name = "World" }; var timestamp = DateTime.UtcNow.ToUnixTime(); var msg = timestamp + " POST " + request.GetType().Name + " " + request.ToJson(); var msgBytes = msg.ToUtf8Bytes(); byte[] cryptKey, authKey, iv; AesUtils.CreateCryptAuthKeysAndIv(out cryptKey, out authKey, out iv); var encryptedBytes = AesUtils.Encrypt(msgBytes, cryptKey, iv); var decryptedBytes = AesUtils.Decrypt(encryptedBytes, cryptKey, iv); Assert.That(decryptedBytes, Is.EquivalentTo(msgBytes)); var authEncryptedBytes = HmacUtils.Authenticate(encryptedBytes, authKey, iv); var cryptAuthKeys = cryptKey.Combine(authKey); var rsaEncCryptAuthKeys = RsaUtils.Encrypt(cryptAuthKeys, SecureConfig.PublicKeyXml); var authRsaEncCryptAuthKeys = HmacUtils.Authenticate(rsaEncCryptAuthKeys, authKey, iv); var decryptedMsg = ValidateAndDecrypt(authRsaEncCryptAuthKeys, authEncryptedBytes); var parts = decryptedMsg.SplitOnFirst(' '); Assert.That(long.Parse(parts[0]), Is.EqualTo(timestamp)); parts = parts[1].SplitOnFirst(' '); Assert.That(parts[0], Is.EqualTo("POST")); parts = parts[1].SplitOnFirst(' '); Assert.That(parts[0], Is.EqualTo(request.GetType().Name)); var decryptedJson = parts[1]; var decryptedRequest = decryptedJson.FromJson <HelloSecure>(); Assert.That(decryptedRequest.Name, Is.EqualTo(request.Name)); }
public void Can_Send_Encrypted_Message() { var client = new JsonServiceClient(Config.AbsoluteBaseUri); var request = new HelloSecure { Name = "World" }; var encRequest = RsaUtils.Encrypt(request.ToJson(), SecureConfig.PublicKeyXml); var encResponse = client.Post(new BasicEncryptedMessage { OperationName = typeof(HelloSecure).Name, EncryptedBody = encRequest }); var responseJson = RsaUtils.Decrypt(encResponse.EncryptedBody, SecureConfig.PrivateKeyXml); var response = responseJson.FromJson <HelloSecureResponse>(); Assert.That(response.Result, Is.EqualTo("Hello, World!")); }
/// <summary> /// Verifies an RSA PKCS#1 v1.5 or PSS signature of a hash algorithm for the stream. /// </summary> private static bool Rsa_Verify( ArraySegment <byte> dataToVerify, byte[] signature, X509Certificate2 signingCertificate, HashAlgorithmName algorithm, RSASignaturePadding padding) { RSA rsa = null; try { // extract the public key. rsa = signingCertificate.GetRSAPublicKey(); if (rsa == null) { throw ServiceResultException.Create(StatusCodes.BadSecurityChecksFailed, "No public key for certificate."); } // verify signature. if (!rsa.VerifyData(dataToVerify.Array, dataToVerify.Offset, dataToVerify.Count, signature, algorithm, padding)) { string messageType = new UTF8Encoding().GetString(dataToVerify.Array, dataToVerify.Offset, 4); int messageLength = BitConverter.ToInt32(dataToVerify.Array, dataToVerify.Offset + 4); string actualSignature = Utils.ToHexString(signature); Utils.Trace( "Could not validate signature.\r\nCertificate={0}, MessageType={1}, Length={2}\r\nActualSignature={3}", signingCertificate.Subject, messageType, messageLength, actualSignature); return(false); } return(true); } finally { RsaUtils.RSADispose(rsa); } }
public void Does_throw_on_replayed_messages() { var client = CreateClient(); var request = new HelloSecure { Name = "World" }; var aes = new AesManaged { KeySize = AesUtils.KeySize }; var aesKeyBytes = aes.Key.Combine(aes.IV); var rsaEncAesKeyBytes = RsaUtils.Encrypt(aesKeyBytes, SecureConfig.PublicKeyXml); var timestamp = DateTime.UtcNow.ToUnixTime(); var requestBody = timestamp + " POST " + typeof(HelloSecure).Name + " " + request.ToJson(); var encryptedMessage = new EncryptedMessage { EncryptedSymmetricKey = Convert.ToBase64String(rsaEncAesKeyBytes), EncryptedBody = AesUtils.Encrypt(requestBody, aes.Key, aes.IV) }; var encResponse = client.Post(encryptedMessage); try { client.Post(encryptedMessage); Assert.Fail("Should throw"); } catch (WebServiceException ex) { ex.StatusDescription.Print(); var errorResponse = (EncryptedMessageResponse)ex.ResponseDto; var responseJson = AesUtils.Decrypt(errorResponse.EncryptedBody, aes.Key, aes.IV); var response = responseJson.FromJson <ErrorResponse>(); Assert.That(response.ResponseStatus.Message, Is.EqualTo("Nonce already seen")); } }
public void CreateTestLicenseFile() { var rsau = new RsaUtils(); rsau.SetKeys(@"<RSAKeyValue><Modulus>2OO32RsAa73GjFw171YUkwOTyguKeT3N1zjAZY04/f4TdpRABfNBs1aHICepzhQ1gy1TBnYX3K95b+qD7u6CczU65JzormbqlgY1rweG+HNwGcn36g0M66k7qwfFSjZhbmlGTvedD7xo4L/pSf91p7KwjzLt6ac8+UAdqVfKsu0=</Modulus><Exponent>AQAB</Exponent><P>5P3vNrTqC9JeXmyJSQrfmQN3tYdr5Kc7OoRb0HqK11tc1grGZ1rDmSTQ6OFtqpzCiJyz2oH1BHA16WC2UbVftw==</P><Q>8nherC7UVWiuG8suixZtYL5CTK/CJVpf4GVrRZOb2slbL0sojgq7QQG5sZfQ4PIFHhfzgVM4uTkHNaFJUTv6ew==</Q><DP>zTNg8b0dHordVfAc9f9wb0XUOC+qV7QkN0P0otWtJV8RyhzNvkBvlwSO0KFyDLl8+b6yzNQ4JEoJhaDMwFuv8Q==</DP><DQ>rhlR2Q4y9jSYt2o3vDTZSpqyHkAhBhMTPptz39xyDzF/YMD1mLAJ7k5f2C2rFKmSlR4bgSORWiWhkJeDfmmzmw==</DQ><InverseQ>NLinNiXw75D8kOGhz2Z9hJR6tU0t1fuh9xVwAQSZomMFqTYEaGwekFIWA/7olAqR5b/oigGndS8F5L1tVDWqrg==</InverseQ><D>AmH+ExSI3KYpGEGrFgYME9FmPkICM3LKYCLvei4jAidYb2URjv8tKZs5wNCuvOTb8aT91IRXnsUOwHwDFwznwfcVwdIpW7m0Q/6Vu7GE3G1pzQOUynv+E9R8cdSl/m3lfNt8OJHNqnnR4MBoirerQargCZwDWY0nYlm6xBKIkME=</D></RSAKeyValue>"); var dt1 = (new DateTime(2022, 01, 01)).ToString("yyyyMMdd"); var dt2 = (new DateTime(2021, 02, 10)).ToString("yyyyMMdd"); var dt1Sign = rsau.SignData(dt1); var dt2Sigh = rsau.SignData(dt2); Console.WriteLine($"1: {dt1}:{dt1Sign}"); Console.WriteLine($"2: {dt2}:{dt2Sigh}"); var rsau2 = new RsaUtils(); rsau2.SetKeys(@"<RSAKeyValue><Modulus>2OO32RsAa73GjFw171YUkwOTyguKeT3N1zjAZY04/f4TdpRABfNBs1aHICepzhQ1gy1TBnYX3K95b+qD7u6CczU65JzormbqlgY1rweG+HNwGcn36g0M66k7qwfFSjZhbmlGTvedD7xo4L/pSf91p7KwjzLt6ac8+UAdqVfKsu0=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"); Assert.IsTrue(rsau2.CheckSign(dt1, dt1Sign)); Assert.IsTrue(rsau2.CheckSign(dt2, dt2Sigh)); }
/// <summary>Check if the encryption was correct</summary> /// <param name="file">The file to decrypt</param> /// <param name="key">The key file</param> /// <param name="error">A error to return</param> /// <param name="path">The path for the new file</param> /// <returns>True if is correct, otherwise false</returns> private bool DidEncryption(HttpPostedFileBase file, HttpPostedFileBase key, ref string error, ref string path) { if (fileUtils.IsFileTypeCorrect(file, ".txt", ref error) && fileUtils.IsFileTypeCorrect(key, ".key", ref error)) { string uploadedFile = fileUtils.SaveFile(file, "~/App_Data/Uploads"); string uploadedKey = fileUtils.SaveFile(key, "~/App_Data/Uploads"); RsaUtils rsa = new RsaUtils(); if (rsa.Encrypt(uploadedFile, uploadedKey, ref path)) { return(true); } else { error = "Bad Encryption"; return(false); } } else { return(false); } }
/// <summary> /// Returns the cipher text block size for key in the specified certificate. /// </summary> protected int GetCipherTextBlockSize(X509Certificate2 receiverCertificate) { switch (SecurityPolicyUri) { case SecurityPolicies.Basic256: case SecurityPolicies.Basic256Sha256: { return(RsaUtils.GetCipherTextBlockSize(receiverCertificate, true)); } case SecurityPolicies.Basic128Rsa15: { return(RsaUtils.GetCipherTextBlockSize(receiverCertificate, false)); } default: case SecurityPolicies.None: { return(1); } } }
public void TestSign() { //2048 ¹«Ô¿ string publicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoQh0wEqx/R2H1v00IU12Oc30fosRC/frhH89L6G+fzeaqI19MYQhEPMU13wpeqRONCUta+2iC1sgCNQ9qGGf19yGdZUfueaB1Nu9rdueQKXgVurGHJ+5N71UFm+OP1XcnFUCK4wT5d7ZIifXxuqLehP9Ts6sNjhVfa+yU+VjF5HoIe69OJEPo7OxRZcRTe17khc93Ic+PfyqswQJJlY/bgpcLJQnM+QuHmxNtF7/FpAx9YEQsShsGpVo7JaKgLo+s6AFoJ4QldQKir2vbN9vcKRbG3piElPilWDpjXQkOJZhUloh/jd7QrKFimZFldJ1r6Q59QYUyGKZARUe0KZpMQIDAQAB"; //2048 ˽Կ string privateKey = "MIIEpAIBAAKCAQEAoQh0wEqx/R2H1v00IU12Oc30fosRC/frhH89L6G+fzeaqI19MYQhEPMU13wpeqRONCUta+2iC1sgCNQ9qGGf19yGdZUfueaB1Nu9rdueQKXgVurGHJ+5N71UFm+OP1XcnFUCK4wT5d7ZIifXxuqLehP9Ts6sNjhVfa+yU+VjF5HoIe69OJEPo7OxRZcRTe17khc93Ic+PfyqswQJJlY/bgpcLJQnM+QuHmxNtF7/FpAx9YEQsShsGpVo7JaKgLo+s6AFoJ4QldQKir2vbN9vcKRbG3piElPilWDpjXQkOJZhUloh/jd7QrKFimZFldJ1r6Q59QYUyGKZARUe0KZpMQIDAQABAoIBAQCRZLUlOUvjIVqYvhznRK1OG6p45s8JY1r+UnPIId2Bt46oSLeUkZvZVeCnfq9k0Bzb8AVGwVPhtPEDh73z3dEYcT/lwjLXAkyPB6gG5ZfI/vvC/k7JYV01+neFmktw2/FIJWjEMMF2dvLNZ/Pm4bX1Dz9SfD/45Hwr8wqrvRzvFZsj5qqOxv9RPAudOYwCwZskKp/GF+L+3Ycod1Wu98imzMZUH+L5dQuDGg3kvf3ljIAegTPoqYBg0imNPYY/EGoFKnbxlK5S5/5uAFb16dGJqAz3XQCz9Is/IWrOTu0etteqV2Ncs8uqPdjed+b0j8CMsr4U1xjwPQ8WwdaJtTkRAoGBANAndgiGZkCVcc9975/AYdgFp35W6D+hGQAZlL6DmnucUFdXbWa/x2rTSEXlkvgk9X/PxOptUYsLJkzysTgfDywZwuIXLm9B3oNmv3bVgPXsgDsvDfaHYCgz0nHK6NSrX2AeX3yO/dFuoZsuk+J+UyRigMqYj0wjmxUlqj183hinAoGBAMYMOBgF77OXRII7GAuEut/nBeh2sBrgyzR7FmJMs5kvRh6Ck8wp3ysgMvX4lxh1ep8iCw1R2cguqNATr1klOdsCTOE9RrhuvOp3JrYzuIAK6MpH/uBICy4w1rW2+gQySsHcH40r+tNaTFQ7dQ1tef//iy/IW8v8i0t+csztE1JnAoGABdtWYt8FOYP688+jUmdjWWSvVcq0NjYeMfaGTOX/DsNTL2HyXhW/Uq4nNnBDNmAz2CjMbZwt0y+5ICkj+2REVQVUinAEinTcAe5+LKXNPx4sbX3hcrJUbk0m+rSu4G0B/f5cyXBsi9wFCAzDdHgBduCepxSr04Sc9Hde1uQQi7kCgYB0U20HP0Vh+TG2RLuE2HtjVDD2L/CUeQEiXEHzjxXWnhvTg+MIAnggvpLwQwmMxkQ2ACr5sd/3YuCpB0bxV5o594nsqq9FWVYBaecFEjAGlWHSnqMoXWijwu/6X/VOTbP3VjH6G6ECT4GR4DKKpokIQrMgZ9DzaezvdOA9WesFdQKBgQCWfeOQTitRJ0NZACFUn3Fs3Rvgc9eN9YSWj4RtqkmGPMPvguWo+SKhlk3IbYjrRBc5WVOdoX8JXb2/+nAGhPCuUZckWVmZe5pMSr4EkNQdYeY8kOXGSjoTOUH34ZdKeS+e399BkBWIiXUejX/Srln0H4KoHnTWgxwNpTsBCgXu8Q=="; var rsa = new RsaUtils(RSAType.RSA2, Encoding.UTF8, privateKey, publicKey); string str = "²©¿ÍÔ° http://www.cnblogs.com/"; Console.WriteLine("Ôʼ×Ö·û´®£º" + str); //¼ÓÃÜ string enStr = rsa.Encrypt(str); Console.WriteLine("¼ÓÃÜ×Ö·û´®£º" + enStr); //½âÃÜ string deStr = rsa.Decrypt(enStr); Console.WriteLine("½âÃÜ×Ö·û´®£º" + deStr); //˽ԿǩÃû string signStr = rsa.Sign(str); Console.WriteLine("×Ö·û´®Ç©Ãû£º" + signStr); //¹«Ô¿Ñé֤ǩÃû bool signVerify = rsa.Verify(str, signStr); Console.WriteLine("Ñé֤ǩÃû£º" + signVerify); Console.ReadKey(); Console.ReadKey(true); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { // Add framework services. services.AddDbContext <AuthDbContext>(builder => { builder.UseSqlite("Filename=./jwt.db"); }); string keyDir = PlatformServices.Default.Application.ApplicationBasePath; if (RsaUtils.TryGetKeyParameters(keyDir, true, out RSAParameters keyParams) == false) { keyParams = RsaUtils.GenerateAndSaveKey(keyDir); } _tokenOptions.Key = new RsaSecurityKey(keyParams); _tokenOptions.Issuer = "TestIssuer"; _tokenOptions.Credentials = new SigningCredentials(_tokenOptions.Key, SecurityAlgorithms.RsaSha256Signature); services.AddSingleton(_tokenOptions); services.AddAuthorization(auth => { auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder() .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme) .RequireAuthenticatedUser() .Build()); }); services.AddAuthentication().AddJwtBearer(jwtOptions => { jwtOptions.TokenValidationParameters = new TokenValidationParameters { IssuerSigningKey = _tokenOptions.Key, ValidAudience = _tokenOptions.Audience, ValidIssuer = _tokenOptions.Issuer, ValidateLifetime = true }; }); services.AddMvc(); }
public void SetField() { m_cli_cod.Text = "0"; m_dst_cod.Text = "0"; if (_cli != null) { m_cli_cod.Text = _cli.cli_codice.ToString(); cli_desc.Text = _cli.cli_desc; cli_indirizzo.Text = _cli.cli_indirizzo; cli_citta.Text = _cli.cli_citta; } else { m_cli_cod.Text = "0"; cli_desc.Text = ""; cli_indirizzo.Text = ""; cli_citta.Text = ""; } if (_dst != null) { m_dst_cod.Text = _dst.dst_codice.ToString(); dst_desc.Text = _dst.dst_desc; dst_indirizzo.Text = _dst.dst_indirizzo; dst_citta.Text = _dst.dst_citta; } else { m_dst_cod.Text = "0"; dst_desc.Text = ""; dst_indirizzo.Text = ""; dst_citta.Text = ""; } m_n_doc.Value = RsaUtils.GetShowedNumDoc(_parent.doc.fat_n_doc); m_d_doc.Date = _parent.doc.fat_d_doc; fat_registro.Text = _parent.doc.fat_registro; }
/// <summary> /// Validates the cert and extracts the token from the cert. /// </summary> private static string CheckForToken(X509Certificate2 cert, string name) { if ((cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes).Equals("CN=" + name, StringComparison.OrdinalIgnoreCase)) && (DateTime.Now < cert.NotAfter)) { RSA rsa = cert.GetRSAPrivateKey(); if (rsa != null) { foreach (System.Security.Cryptography.X509Certificates.X509Extension extension in cert.Extensions) { // check for instruction code extension if ((extension.Oid.Value == "2.5.29.23") && (extension.RawData.Length >= 4)) { byte[] bytes = new byte[extension.RawData.Length - 4]; Array.Copy(extension.RawData, 4, bytes, 0, bytes.Length); byte[] token = rsa.Decrypt(bytes, RSAEncryptionPadding.OaepSHA1); return(Encoding.ASCII.GetString(token)); } } RsaUtils.RSADispose(rsa); } } return(null); }
/// <summary> /// Creates an RSA PKCS#1 v1.5 signature of a hash algorithm for the stream. /// </summary> private static byte[] RsaPkcs15_Sign( ArraySegment <byte> dataToSign, X509Certificate2 signingCertificate, HashAlgorithmName algorithm) { RSA rsa = null; try { // extract the private key. rsa = signingCertificate.GetRSAPrivateKey(); if (rsa == null) { throw ServiceResultException.Create(StatusCodes.BadSecurityChecksFailed, "No private key for certificate."); } // create the signature. return(rsa.SignData(dataToSign.Array, dataToSign.Offset, dataToSign.Count, algorithm, RSASignaturePadding.Pkcs1)); } finally { RsaUtils.RSADispose(rsa); } }
public static string CreateEncryptedJweToken(JsonObject jwtPayload, RSAParameters publicKey) { //From: http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-09.html#RSACBCExample var jweHeader = new JsonObject { { "alg", "RSA-OAEP" }, { "enc", "A128CBC-HS256" }, { "kid", Convert.ToBase64String(publicKey.Modulus).Substring(0, 3) }, }; var jweHeaderBase64Url = jweHeader.ToJson().ToUtf8Bytes().ToBase64UrlSafe(); var authKey = new byte[128 / 8]; var cryptKey = new byte[128 / 8]; var cryptAuthKeys256 = AesUtils.CreateKey(); Buffer.BlockCopy(cryptAuthKeys256, 0, authKey, 0, authKey.Length); Buffer.BlockCopy(cryptAuthKeys256, authKey.Length, cryptKey, 0, cryptKey.Length); var aes = Aes.Create(); aes.KeySize = 128; aes.BlockSize = 128; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; using (aes) { aes.GenerateIV(); var iv = aes.IV; aes.Key = cryptKey; var jweEncKey = RsaUtils.Encrypt(cryptAuthKeys256, publicKey, UseRsaKeyLength); var jweEncKeyBase64Url = jweEncKey.ToBase64UrlSafe(); var ivBase64Url = iv.ToBase64UrlSafe(); var aad = jweHeaderBase64Url + "." + jweEncKeyBase64Url; var aadBytes = aad.ToUtf8Bytes(); var payloadBytes = jwtPayload.ToJson().ToUtf8Bytes(); using (var cipherStream = MemoryStreamFactory.GetStream()) using (var encrypter = aes.CreateEncryptor(cryptKey, iv)) using (var cryptoStream = new CryptoStream(cipherStream, encrypter, CryptoStreamMode.Write)) using (var writer = new BinaryWriter(cryptoStream)) { writer.Write(payloadBytes); cryptoStream.FlushFinalBlock(); using (var hmac = new HMACSHA256(authKey)) using (var encryptedStream = MemoryStreamFactory.GetStream()) using (var bw = new BinaryWriter(encryptedStream)) { bw.Write(aadBytes); bw.Write(iv); bw.Write(cipherStream.GetBuffer(), 0, (int)cipherStream.Length); bw.Flush(); var tag = hmac.ComputeHash(encryptedStream.GetBuffer(), 0, (int)encryptedStream.Length); var cipherTextBase64Url = cipherStream.ToBase64UrlSafe(); var tagBase64Url = tag.ToBase64UrlSafe(); var jweToken = jweHeaderBase64Url + "." + jweEncKeyBase64Url + "." + ivBase64Url + "." + cipherTextBase64Url + "." + tagBase64Url; return(jweToken); } } } }
public void PreAuthenticate(IRequest req, IResponse res) { if (req.OperationName != null && IgnoreForOperationTypes.Contains(req.OperationName)) { return; } var bearerToken = req.GetBearerToken() ?? req.GetCookieValue(Keywords.TokenCookie); if (bearerToken != null) { var parts = bearerToken.Split('.'); if (parts.Length == 3) { if (RequireSecureConnection && !req.IsSecureConnection) { throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection); } var header = parts[0]; var payload = parts[1]; var signatureBytes = parts[2].FromBase64UrlSafe(); var headerJson = header.FromBase64UrlSafe().FromUtf8Bytes(); var payloadBytes = payload.FromBase64UrlSafe(); var headerData = headerJson.FromJson <Dictionary <string, string> >(); var bytesToSign = string.Concat(header, ".", payload).ToUtf8Bytes(); var algorithm = headerData["alg"]; //Potential Security Risk for relying on user-specified algorithm: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ if (RequireHashAlgorithm && algorithm != HashAlgorithm) { throw new NotSupportedException("Invalid algoritm '{0}', expected '{1}'".Fmt(algorithm, HashAlgorithm)); } if (!VerifyPayload(algorithm, bytesToSign, signatureBytes)) { return; } var payloadJson = payloadBytes.FromUtf8Bytes(); var jwtPayload = JsonObject.Parse(payloadJson); var session = CreateSessionFromPayload(req, jwtPayload); req.Items[Keywords.Session] = session; } else if (parts.Length == 5) //Encrypted JWE Token { if (RequireSecureConnection && !req.IsSecureConnection) { throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection); } if (PrivateKey == null || PublicKey == null) { throw new NotSupportedException("PrivateKey is required to DecryptPayload"); } var jweHeaderBase64Url = parts[0]; var jweEncKeyBase64Url = parts[1]; var ivBase64Url = parts[2]; var cipherTextBase64Url = parts[3]; var tagBase64Url = parts[4]; var sentTag = tagBase64Url.FromBase64UrlSafe(); var aadBytes = (jweHeaderBase64Url + "." + jweEncKeyBase64Url).ToUtf8Bytes(); var iv = ivBase64Url.FromBase64UrlSafe(); var cipherText = cipherTextBase64Url.FromBase64UrlSafe(); var jweEncKey = jweEncKeyBase64Url.FromBase64UrlSafe(); var cryptAuthKeys256 = RsaUtils.Decrypt(jweEncKey, PrivateKey.Value, UseRsaKeyLength); var authKey = new byte[128 / 8]; var cryptKey = new byte[128 / 8]; Buffer.BlockCopy(cryptAuthKeys256, 0, authKey, 0, authKey.Length); Buffer.BlockCopy(cryptAuthKeys256, authKey.Length, cryptKey, 0, cryptKey.Length); using (var hmac = new HMACSHA256(authKey)) using (var encryptedStream = new MemoryStream()) { using (var writer = new BinaryWriter(encryptedStream)) { writer.Write(aadBytes); writer.Write(iv); writer.Write(cipherText); writer.Flush(); var calcTag = hmac.ComputeHash(encryptedStream.ToArray()); if (!calcTag.EquivalentTo(sentTag)) { return; } } } JsonObject jwtPayload; var aes = Aes.Create(); aes.KeySize = 128; aes.BlockSize = 128; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; using (aes) using (var decryptor = aes.CreateDecryptor(cryptKey, iv)) using (var ms = MemoryStreamFactory.GetStream(cipherText)) using (var cryptStream = new CryptoStream(ms, decryptor, CryptoStreamMode.Read)) { var jwtPayloadBytes = cryptStream.ReadFully(); jwtPayload = JsonObject.Parse(jwtPayloadBytes.FromUtf8Bytes()); } var session = CreateSessionFromPayload(req, jwtPayload); req.Items[Keywords.Session] = session; } } }
internal static async Task <string> DoRequest(string path, string method, Dictionary <string, object> param = null) { if (string.IsNullOrEmpty(ApiKey)) { throw new PingppException("No API key provided. (HINT: set your API key using " + "\"Pingpp::setApiKey(<API-KEY>)\". You can generate API keys from " + "the Pingpp web interface. See https://pingxx.com/document/api for " + "details."); } try { HttpContent httpContent = null; string sign = string.Empty; if (method.ToUpper() == "POST" || method.ToUpper() == "PUT") { if (param == null) { throw new PingppException("Request params is empty"); } string jsonBody = JsonConvert.SerializeObject(param, Formatting.Indented); try { sign = RsaUtils.RsaSign(jsonBody, PrivateKey); } catch (System.Exception e) { throw new PingppException("Sign request error." + e.Message); } httpContent = new StringContent(jsonBody); httpContent.Headers.ContentType = MediaTypeHeaderValue.Parse("application/json;charset=utf-8"); } HttpClient req; HttpResponseMessage res; method = method.ToUpper(); switch (method) { case "GET": req = GetRequest(""); using (res = await req.GetAsync(path)) { return(await res.Content.ReadAsStringAsync()); } case "DELETE": req = GetRequest(""); using (res = await req.DeleteAsync(path)) { return(await res.Content.ReadAsStringAsync()); } case "POST": req = GetRequest(sign); using (res = await req.PostAsync(path, httpContent)) { return(await res.Content.ReadAsStringAsync()); } case "PUT": req = GetRequest(sign); using (res = await req.PutAsync(path, httpContent)) { return(await res.Content.ReadAsStringAsync()); } default: return(null); } } catch (WebException e) { if (e.Response == null) { throw new WebException(e.Message); } var statusCode = ((HttpWebResponse)e.Response).StatusCode; var errors = Mapper <Error> .MapFromJson(ReadStream(e.Response.GetResponseStream()), "error"); throw new PingppException(errors, statusCode, errors.ErrorType, errors.Message); } }
public void PreAuthenticate(IRequest req, IResponse res) { if (req.OperationName != null && IgnoreForOperationTypes.Contains(req.OperationName)) { return; } var bearerToken = req.GetJwtToken(); if (bearerToken != null) { var parts = bearerToken.Split('.'); if (parts.Length == 3) { if (RequireSecureConnection && !req.IsSecureConnection) { throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection); } var jwtPayload = GetVerifiedJwtPayload(parts); if (jwtPayload == null) //not verified { return; } if (ValidateToken != null) { if (!ValidateToken(jwtPayload, req)) { throw HttpError.Forbidden(ErrorMessages.TokenInvalid); } } var session = CreateSessionFromPayload(req, jwtPayload); req.Items[Keywords.Session] = session; } else if (parts.Length == 5) //Encrypted JWE Token { if (RequireSecureConnection && !req.IsSecureConnection) { throw HttpError.Forbidden(ErrorMessages.JwtRequiresSecureConnection); } if (PrivateKey == null || PublicKey == null) { throw new NotSupportedException("PrivateKey is required to DecryptPayload"); } var jweHeaderBase64Url = parts[0]; var jweEncKeyBase64Url = parts[1]; var ivBase64Url = parts[2]; var cipherTextBase64Url = parts[3]; var tagBase64Url = parts[4]; var sentTag = tagBase64Url.FromBase64UrlSafe(); var aadBytes = (jweHeaderBase64Url + "." + jweEncKeyBase64Url).ToUtf8Bytes(); var iv = ivBase64Url.FromBase64UrlSafe(); var cipherText = cipherTextBase64Url.FromBase64UrlSafe(); var jweEncKey = jweEncKeyBase64Url.FromBase64UrlSafe(); var cryptAuthKeys256 = RsaUtils.Decrypt(jweEncKey, PrivateKey.Value, UseRsaKeyLength); var authKey = new byte[128 / 8]; var cryptKey = new byte[128 / 8]; Buffer.BlockCopy(cryptAuthKeys256, 0, authKey, 0, authKey.Length); Buffer.BlockCopy(cryptAuthKeys256, authKey.Length, cryptKey, 0, cryptKey.Length); using (var hmac = new HMACSHA256(authKey)) using (var encryptedStream = new MemoryStream()) { using (var writer = new BinaryWriter(encryptedStream)) { writer.Write(aadBytes); writer.Write(iv); writer.Write(cipherText); writer.Flush(); var calcTag = hmac.ComputeHash(encryptedStream.ToArray()); if (!calcTag.EquivalentTo(sentTag)) { return; } } } JsonObject jwtPayload; var aes = Aes.Create(); aes.KeySize = 128; aes.BlockSize = 128; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; using (aes) using (var decryptor = aes.CreateDecryptor(cryptKey, iv)) using (var ms = MemoryStreamFactory.GetStream(cipherText)) using (var cryptStream = new CryptoStream(ms, decryptor, CryptoStreamMode.Read)) { var jwtPayloadBytes = cryptStream.ReadFully(); jwtPayload = JsonObject.Parse(jwtPayloadBytes.FromUtf8Bytes()); } if (ValidateToken != null) { if (!ValidateToken(jwtPayload, req)) { throw HttpError.Forbidden(ErrorMessages.TokenInvalid); } } var session = CreateSessionFromPayload(req, jwtPayload); req.Items[Keywords.Session] = session; } } }
public void Generate_new_Key() { RsaUtils.CreatePrivateKeyParams().ToPrivateKeyXml().Replace("\"", "\\\"").Print(); }
/// <summary> /// Decrypts the message using RSA PKCS#1 v1.5 encryption. /// </summary> private ArraySegment <byte> Rsa_Decrypt( ArraySegment <byte> dataToDecrypt, ArraySegment <byte> headerToCopy, X509Certificate2 encryptingCertificate, bool useOaep) { RSA rsa = null; try { // get the encrypting key. rsa = encryptingCertificate.GetRSAPrivateKey(); if (rsa == null) { throw ServiceResultException.Create(StatusCodes.BadSecurityChecksFailed, "No private key for certificate."); } int inputBlockSize = RsaUtils.GetCipherTextBlockSize(rsa, useOaep); int outputBlockSize = RsaUtils.GetPlainTextBlockSize(rsa, useOaep); // verify the input data is the correct block size. if (dataToDecrypt.Count % inputBlockSize != 0) { Utils.Trace("Message is not an integral multiple of the block size. Length = {0}, BlockSize = {1}.", dataToDecrypt.Count, inputBlockSize); } byte[] decryptedBuffer = BufferManager.TakeBuffer(SendBufferSize, "Rsa_Decrypt"); Array.Copy(headerToCopy.Array, headerToCopy.Offset, decryptedBuffer, 0, headerToCopy.Count); using (MemoryStream ostrm = new MemoryStream( decryptedBuffer, headerToCopy.Count, decryptedBuffer.Length - headerToCopy.Count)) { // decrypt body. byte[] input = new byte[inputBlockSize]; for (int ii = dataToDecrypt.Offset; ii < dataToDecrypt.Offset + dataToDecrypt.Count; ii += inputBlockSize) { Array.Copy(dataToDecrypt.Array, ii, input, 0, input.Length); if (useOaep == true) { byte[] plainText = rsa.Decrypt(input, RSAEncryptionPadding.OaepSHA1); ostrm.Write(plainText, 0, plainText.Length); } else { byte[] plainText = rsa.Decrypt(input, RSAEncryptionPadding.Pkcs1); ostrm.Write(plainText, 0, plainText.Length); } } } // return buffers. return(new ArraySegment <byte>(decryptedBuffer, 0, (dataToDecrypt.Count / inputBlockSize) * outputBlockSize + headerToCopy.Count)); } finally { RsaUtils.RSADispose(rsa); } }
/// <summary> /// 个性化配置 /// 用户初始化服务器需要的IOC资源 /// </summary> public override void Configure(Container container) { //注册模板页面 SetConfig(new HostConfig { //调试模式 DebugMode = AppSettings.Get("DebugMode", false), ////隐藏metadata page页面 //EnableFeatures = Feature.All.Remove(Feature.Metadata), //没有登录可以使用?authsecret=xxx方式,和登录效果一致 AdminAuthSecret = AppSettings.Get("AdminAuthSecret", "secretz"), //注册网页根目录 //WebHostPhysicalPath = MapProjectPath("~/my-project/dist"), //WebHostPhysicalPath = MapProjectPath("~/wwwroot"), AddRedirectParamsToQueryString = true, //UseCamelCase = true, //注册接口服务地址 HandlerFactoryPath = "api", DefaultContentType = MimeTypes.Json, }); //注册测试页 Plugins.Add(new TemplatePagesFeature()); Plugins.Add(new AdminFeature()); Plugins.Add(new AutoQueryFeature { MaxLimit = 100 }); //Plugins.Add(new BasicAuthFeature()); //添加一个request filter 确认用户的登录session //this.GlobalRequestFilters.Add((req, res, requestDto) => //{ // if (!req.GetSession().IsAuthenticated) // { // res.ReturnAuthRequired(); // } //}); //container.Register<IAuthProvider>(r => new myAuthProvider()); //获取连接字符串 var connectionString = ConfigurationManager.ConnectionStrings["DbContext"].ConnectionString; //注册数据库连接工厂 container.Register <IDbConnectionFactory>(c => new OrmLiteConnectionFactory(connectionString, SqlServerDialect.Provider)); //注册数据库连接 container.Register <IAuthRepository>(c => new OrmLiteAuthRepository(c.Resolve <IDbConnectionFactory>()) { UseDistinctRoleTables = true }); //获取用户表的数据库连接,如果没有生成表则自动生成 container.Resolve <IAuthRepository>().InitSchema(); //Also store User Sessions in SQL Server container.RegisterAs <OrmLiteCacheClient, ICacheClient>(); container.Resolve <ICacheClient>().InitSchema(); //获取数据库的配置连接 //container.Register<IAppSettings>(c => new OrmLiteAppSettings(c.Resolve<IDbConnectionFactory>())); //container.Register<IAppSettings>(c => new AppSettings()); //获取配置 //var appsetting = (AppSettings)container.Resolve<IAppSettings>(); //初始化数据表 //appsetting.InitSchema(); //appsetting.Get("test", "test"); var privateKey = RsaUtils.CreatePrivateKeyParams(RsaKeyLengths.Bit2048); var publicKeyXml = privateKey.ToPublicKeyXml(); //所有需要用账号访问的方法,都会调用认证界面CustomUserSession,myAuthProvider为自定义的方法 //Add Support for Plugins.Add(new AuthFeature(() => new AuthUserSession(), new IAuthProvider[] { new JwtAuthProvider(AppSettings) { AuthKey = AesUtils.CreateKey(), RequireSecureConnection = false, AllowInQueryString = true, SessionExpiry = TimeSpan.FromDays(1), //RedirectUrl = "www.baidu.com", ExpireRefreshTokensIn = TimeSpan.FromDays(1), ExpireTokensIn = TimeSpan.FromDays(100), CreatePayloadFilter = (payload, session) => { if (session.IsAuthenticated) { payload["CreatedAt"] = session.CreatedAt.ToUnixTime().ToString(); payload["exp"] = DateTime.UtcNow.AddYears(1).ToUnixTime().ToString(); } }, //AuthKeyBase64 = "Base64AuthKey",//AppSettings.GetString("AuthKeyBase64") //"Base64AuthKey", //HashAlgorithm = "RS256", //PrivateKeyXml ="PrivateKey2016Xml", //AppSettings.GetString("PrivateKeyXml") }, new ApiKeyAuthProvider(AppSettings) { RequireSecureConnection = false, ExpireKeysAfter = TimeSpan.FromDays(100), SessionCacheDuration = TimeSpan.FromMinutes(10), InitSchema = true, AllowInHttpParams = true, //KeyTypes = new[] { "secret", "publishable" }, }, //Sign-in with API Key new CredentialsAuthProvider(), //Sign-in with UserName/Password credentials new BasicAuthProvider(), //Sign-in with HTTP Basic Auth }) { IncludeRegistrationService = true, IncludeAssignRoleServices = true, IncludeAuthMetadataProvider = true, ValidateUniqueEmails = true, ValidateUniqueUserNames = true, DeleteSessionCookiesOnLogout = true, SaveUserNamesInLowerCase = true, GenerateNewSessionCookiesOnAuthentication = true, }); //Default route: /register //Plugins.Add(new RegistrationFeature() { AllowUpdates = true }); ////The IAuthRepository is used to store the user credentials etc. ////Implement this interface to adjust it to your app's data storage //CreateUser(10, "jinchaoqian1", "*****@*****.**", "j4012693", new List<string> { "TheRole" }, new List<string> { "ThePermission" }); //记录日志 LogManager.LogFactory = new MyLoggerFactory(); //启用日志 Plugins.Add(new RequestLogsFeature() { EnableRequestBodyTracking = true, EnableResponseTracking = true, EnableSessionTracking = true, EnableErrorTracking = true, }); //启用跨域访问 this.Plugins.Add(new CorsFeature(allowedMethods: "GET, POST")); //注册Swagger插件进行API的Web调试 Plugins.Add(new SwaggerFeature()); //启用验证插件 Plugins.Add(new ValidationFeature()); //注册验证插件 container.RegisterValidators(typeof(LoginValidator).Assembly); ////自动扫描验证插件 //Plugins.Add(new ValidationFeature //{ // ScanAppHostAssemblies = true //}); //JsConfig.EmitLowercaseUnderscoreNames = true; //JsConfig.ExcludeDefaultValues = true; //序列化时的日期格式 JsConfig <DateTime> .SerializeFn = dateTime => dateTime.ToString("yyyy-MM-dd"); JsConfig <TimeSpan> .SerializeFn = time => (time.Ticks < 0 ? "-" : "") + time.ToString("hh':'mm':'ss'.'fffffff"); //container.Register<ICacheClient>(c => new OrmLiteCacheClient(){DbFactory = c.Resolve<IDbConnectionFactory>()}); //var cache = container.Resolve<OrmLiteCacheClient>(); //cache.DbFactory = container.Resolve<IDbConnectionFactory>(); //container.RegisterAs<OrmLiteCacheClient, ICacheClient>(); ////Create 'CacheEntry' RDBMS table if it doesn't exist already //container.Resolve<ICacheClient>().InitSchema(); container.Register <ICacheClient>(new MemoryCacheClient()); //虚拟目录,使用插件方式或者是重载GetVirtualFileSources //Plugins.Add(new Disk1Plugin()); //捕捉到被处理过的错误 this.ServiceExceptionHandlers.Add((httpReq, request, exception) => { //记录错误信息 //TODO: System.Diagnostics.Debug.WriteLine(exception.Message); return(null); //返回默认错误 //或者自定义错误 //return DtoUtils.CreateErrorResponse(request, exception); }); //处理未被系统处理的错误 //E.g. Exceptions during Request binding or in filters: this.UncaughtExceptionHandlers.Add((req, res, operationName, ex) => { res.WriteAsync($"Error: {ex.GetType().Name}: {ex.Message}"); res.EndRequest(skipHeaders: true); }); AfterInitCallbacks.Add(host => { var authProvider = (ApiKeyAuthProvider) AuthenticateService.GetAuthProvider(ApiKeyAuthProvider.Name); using (var db = host.TryResolve <IDbConnectionFactory>().Open()) { var userWithKeysIds = db.Column <string>(db.From <ApiKey>() .SelectDistinct(x => x.UserAuthId)).Map(int.Parse); var userIdsMissingKeys = db.Column <string>(db.From <UserAuth>() .Where(x => userWithKeysIds.Count == 0 || !userWithKeysIds.Contains(x.Id)) .Select(x => x.Id)); var authRepo = (IManageApiKeys)host.TryResolve <IAuthRepository>(); foreach (var userId in userIdsMissingKeys) { var apiKeys = authProvider.GenerateNewApiKeys(userId.ToString()); authRepo.StoreAll(apiKeys); } } }); }
public JsonObject GetVerifiedJwtPayload(string[] parts) { if (parts.Length == 3) { var header = parts[0]; var payload = parts[1]; var signatureBytes = parts[2].FromBase64UrlSafe(); var headerJson = header.FromBase64UrlSafe().FromUtf8Bytes(); var payloadBytes = payload.FromBase64UrlSafe(); var headerData = headerJson.FromJson <Dictionary <string, string> >(); var bytesToSign = string.Concat(header, ".", payload).ToUtf8Bytes(); var algorithm = headerData["alg"]; //Potential Security Risk for relying on user-specified algorithm: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ if (RequireHashAlgorithm && algorithm != HashAlgorithm) { throw new NotSupportedException($"Invalid algoritm '{algorithm}', expected '{HashAlgorithm}'"); } if (!VerifyPayload(algorithm, bytesToSign, signatureBytes)) { return(null); } var payloadJson = payloadBytes.FromUtf8Bytes(); var jwtPayload = JsonObject.Parse(payloadJson); return(jwtPayload); } if (parts.Length == 5) //Encrypted JWE Token { var jweHeaderBase64Url = parts[0]; var jweEncKeyBase64Url = parts[1]; var ivBase64Url = parts[2]; var cipherTextBase64Url = parts[3]; var tagBase64Url = parts[4]; var sentTag = tagBase64Url.FromBase64UrlSafe(); var aadBytes = (jweHeaderBase64Url + "." + jweEncKeyBase64Url).ToUtf8Bytes(); var iv = ivBase64Url.FromBase64UrlSafe(); var cipherText = cipherTextBase64Url.FromBase64UrlSafe(); var jweEncKey = jweEncKeyBase64Url.FromBase64UrlSafe(); var cryptAuthKeys256 = RsaUtils.Decrypt(jweEncKey, PrivateKey.Value, UseRsaKeyLength); var authKey = new byte[128 / 8]; var cryptKey = new byte[128 / 8]; Buffer.BlockCopy(cryptAuthKeys256, 0, authKey, 0, authKey.Length); Buffer.BlockCopy(cryptAuthKeys256, authKey.Length, cryptKey, 0, cryptKey.Length); using (var hmac = new HMACSHA256(authKey)) using (var encryptedStream = new MemoryStream()) { using (var writer = new BinaryWriter(encryptedStream)) { writer.Write(aadBytes); writer.Write(iv); writer.Write(cipherText); writer.Flush(); var calcTag = hmac.ComputeHash(encryptedStream.ToArray()); if (!calcTag.EquivalentTo(sentTag)) { return(null); } } } var aes = Aes.Create(); aes.KeySize = 128; aes.BlockSize = 128; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; using (aes) using (var decryptor = aes.CreateDecryptor(cryptKey, iv)) using (var ms = MemoryStreamFactory.GetStream(cipherText)) using (var cryptStream = new CryptoStream(ms, decryptor, CryptoStreamMode.Read)) { var jwtPayloadBytes = cryptStream.ReadFully(); return(JsonObject.Parse(jwtPayloadBytes.FromUtf8Bytes())); } } throw new ArgumentException(ErrorMessages.TokenInvalid); }
/// <summary> /// Creates a cert with the connectionstring (token) and stores it in the given cert store. /// </summary> public async static Task WriteAsync(string name, string connectionString, string storeType, string storePath) { if (string.IsNullOrEmpty(connectionString)) { throw new ArgumentException("Token not found in X509Store and no new token provided!"); } SecureRandom random = new SecureRandom(); KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, 2048); RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator(); keyPairGenerator.Init(keyGenerationParameters); AsymmetricCipherKeyPair keys = keyPairGenerator.GenerateKeyPair(); ArrayList nameOids = new ArrayList(); nameOids.Add(X509Name.CN); ArrayList nameValues = new ArrayList(); nameValues.Add(name); X509Name subjectDN = new X509Name(nameOids, nameValues); X509Name issuerDN = subjectDN; X509V3CertificateGenerator cg = new X509V3CertificateGenerator(); cg.SetSerialNumber(BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random)); cg.SetIssuerDN(issuerDN); cg.SetSubjectDN(subjectDN); cg.SetNotBefore(DateTime.Now); cg.SetNotAfter(DateTime.Now.AddMonths(12)); cg.SetPublicKey(keys.Public); cg.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DataEncipherment)); // encrypt the token with the public key so only the owner of the assoc. private key can decrypt it and // "hide" it in the instruction code cert extension RSA rsa = RSA.Create(); RSAParameters rsaParams = new RSAParameters(); RsaKeyParameters keyParams = (RsaKeyParameters)keys.Public; rsaParams.Modulus = new byte[keyParams.Modulus.ToByteArrayUnsigned().Length]; keyParams.Modulus.ToByteArrayUnsigned().CopyTo(rsaParams.Modulus, 0); rsaParams.Exponent = new byte[keyParams.Exponent.ToByteArrayUnsigned().Length]; keyParams.Exponent.ToByteArrayUnsigned().CopyTo(rsaParams.Exponent, 0); rsa.ImportParameters(rsaParams); if (rsa != null) { byte[] bytes = rsa.Encrypt(Encoding.ASCII.GetBytes(connectionString), RSAEncryptionPadding.OaepSHA1); if (bytes != null) { cg.AddExtension(X509Extensions.InstructionCode, false, bytes); } else { RsaUtils.RSADispose(rsa); throw new CryptographicException("Can not encrypt IoTHub security token using generated public key!"); } } RsaUtils.RSADispose(rsa); // sign the cert with the private key ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA256WITHRSA", keys.Private, random); Org.BouncyCastle.X509.X509Certificate x509 = cg.Generate(signatureFactory); // create a PKCS12 store for the cert and its private key X509Certificate2 certificate = null; using (MemoryStream pfxData = new MemoryStream()) { Pkcs12StoreBuilder builder = new Pkcs12StoreBuilder(); builder.SetUseDerEncoding(true); Pkcs12Store pkcsStore = builder.Build(); X509CertificateEntry[] chain = new X509CertificateEntry[1]; string passcode = Guid.NewGuid().ToString(); chain[0] = new X509CertificateEntry(x509); pkcsStore.SetKeyEntry(name, new AsymmetricKeyEntry(keys.Private), chain); pkcsStore.Save(pfxData, passcode.ToCharArray(), random); // create X509Certificate2 object from PKCS12 file certificate = CertificateFactory.CreateCertificateFromPKCS12(pfxData.ToArray(), passcode); // handle each store type differently switch (storeType) { case CertificateStoreType.Directory: { // Add to DirectoryStore using (DirectoryCertificateStore store = new DirectoryCertificateStore()) { store.Open(storePath); X509CertificateCollection certificates = await store.Enumerate(); // remove any existing cert with our name from the store foreach (X509Certificate2 cert in certificates) { if (cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes).Equals("CN=" + name, StringComparison.OrdinalIgnoreCase)) { await store.Delete(cert.Thumbprint); } } // add new one await store.Add(certificate); } break; } case CertificateStoreType.X509Store: { // Add to X509Store using (X509Store store = new X509Store(storePath, StoreLocation.CurrentUser)) { store.Open(OpenFlags.ReadWrite); // remove any existing cert with our name from the store foreach (X509Certificate2 cert in store.Certificates) { if (cert.SubjectName.Decode(X500DistinguishedNameFlags.None | X500DistinguishedNameFlags.DoNotUseQuotes).Equals("CN=" + name, StringComparison.OrdinalIgnoreCase)) { store.Remove(cert); } } // add new cert to store try { store.Add(certificate); } catch (Exception e) { throw new Exception($"Not able to add cert to the requested store type '{storeType}' (exception message: '{e.Message}'."); } } break; } default: { throw new Exception($"The requested store type '{storeType}' is not supported. Please change."); } } return; } }
internal static string DoRequest(string path, string method, Dictionary <string, object> param = null, bool isValidateUri = true) { if (string.IsNullOrEmpty(ApiKey)) { throw new PingppException("No API key provided. (HINT: set your API key using " + "\"Pingpp::setApiKey(<API-KEY>)\". You can generate API keys from " + "the Pingpp web interface. See https://pingxx.com/document/api for " + "details."); } try { HttpWebRequest req; HttpWebResponse res; method = method.ToUpper(); string body = "", sign = ""; string timestamp = ((DateTime.Now.ToUniversalTime().Ticks - 621355968000000000) / 10000000).ToString(); if ((method.Equals("POST") || method.Equals("PUT")) && param != null) { body = JsonConvert.SerializeObject(param, Formatting.Indented); } // Sign the request try { if (PrivateKey != null) { var uri = isValidateUri ? path : ""; sign = RsaUtils.RsaSign(body + uri + timestamp, PrivateKey); } } catch (System.Exception e) { throw new PingppException("Sign request error." + e.Message); } req = GetRequest(path, method, timestamp, sign); if (method.Equals("POST") || method.Equals("PUT")) { using (var streamWriter = new StreamWriter(req.GetRequestStream())) { streamWriter.Write(body); streamWriter.Flush(); streamWriter.Close(); } } using (res = req.GetResponse() as HttpWebResponse) { return(res == null ? null : ReadStream(res.GetResponseStream())); } } catch (WebException e) { if (e.Response == null) { throw new WebException(e.Message); } var statusCode = ((HttpWebResponse)e.Response).StatusCode; if ((int)statusCode == 502 && BadGateWayMatch && MaxRetry < MaxNetworkRetries) { MaxRetry++; DoRequest(path, method, param, isValidateUri); } var errors = Mapper <Error> .MapFromJson(ReadStream(e.Response.GetResponseStream()), "error"); throw new PingppException(errors, statusCode, errors.ErrorType, errors.Message); } }