public X509Reader(PublicKeyReaderRegistry keyReaderRegistry, byte[] input)
{
SecurityAssert.NotNull(input);
_keyReaderRegistry = keyReaderRegistry;
_input = input;
}
public RSAPrivateKey(ASN1Object asn1Key)
{
// NOTE: currently only supporting PKCS#1 without optional OtherPrimeInfos
var keySeq = asn1Key as ASN1Sequence;
SecurityAssert.NotNull(keySeq);
SecurityAssert.Assert(keySeq !.Count == 9);
Modulus = GetInteger(keySeq, 1);
var publicExponent = GetInteger(keySeq, 2);
Exponent = GetInteger(keySeq, 3);
var prime1 = GetInteger(keySeq, 4);
var prime2 = GetInteger(keySeq, 5);
var exponent1 = GetInteger(keySeq, 6);
var exponent2 = GetInteger(keySeq, 7);
// TODO var coefficent = GetInteger(keySeq, 8);
SecurityAssert.Assert(Modulus == prime1 * prime2);
SecurityAssert.Assert(exponent1 == Exponent % (prime1 - 1));
SecurityAssert.Assert(exponent2 == Exponent % (prime2 - 1));
// TODO assert Coefficent == ((inverse of q) mod p)
PublicKey = new RSAPublicKey(Modulus, publicExponent);
}
public void Decrypt(byte[] input, int inputOffset, byte[] output, int outputOffset, int length)
{
SecurityAssert.AssertBuffer(input, inputOffset, length);
SecurityAssert.NotNull(PrivateKey);
var k = PrivateKey !.Modulus.GetByteLength();
SecurityAssert.Assert(k >= 11);
SecurityAssert.Assert(length == k);
var c = OS2IP(input, inputOffset, length);
var m = DecryptPrimative(c, PrivateKey !);
var em = I2OSP(m, k);
SecurityAssert.Assert(em[0] == 0 && em[1] == 2);
var mIdx = 2;
while (mIdx < k && em[mIdx] != 0)
{
mIdx++;
}
SecurityAssert.Assert(mIdx - 2 > 8);
// advance past zero
mIdx++;
SecurityAssert.AssertBuffer(output, outputOffset, k - mIdx);
Array.Copy(em, mIdx, output, outputOffset, k - mIdx);
}
public PrivateKey ReadPrivateKey(X509AlgorithmIdentifier algorithm, byte[] input)
{
var parameters = CreateParameters(algorithm);
using (var ms = new MemoryStream(input))
{
var asn1 = new DERReader(ms).Read();
var seq = asn1 as ASN1Sequence;
SecurityAssert.NotNull(seq);
SecurityAssert.Assert(seq !.Count >= 2);
var version = seq !.Elements[0] as ASN1Integer;
SecurityAssert.NotNull(version);
SecurityAssert.Assert(version !.Value == 1);
var dString = seq !.Elements[1] as ASN1OctetString;
SecurityAssert.NotNull(dString);
var d = parameters.Field.Value(dString !.Value.ToBigInteger(Endianness.BigEndian));
var q = Point.Multiply(
parameters.Curve,
d,
parameters.Generator
);
var pub = new ECPublicKey(parameters, q);
return(new ECPrivateKey(pub, d));
}
}
public void Encrypt(byte[] input, int inputOffset, byte[] output, int outputOffset, int length)
{
SecurityAssert.AssertBuffer(input, inputOffset, length);
SecurityAssert.NotNull(PublicKey);
var k = PublicKey !.Modulus.GetByteLength();
SecurityAssert.Assert(length <= k - 11);
var ps = _random.RandomNonZeroBytes(k - length - 3);
SecurityAssert.Assert(ps.Length >= 8);
var em = new byte[k];
em[0] = 0;
em[1] = 2;
Array.Copy(ps, 0, em, 2, ps.Length);
em[ps.Length + 2] = 0;
Array.Copy(input, inputOffset, em, ps.Length + 3, length);
var m = OS2IP(em, 0, em.Length);
var c = EncryptPrimative(m, PublicKey !);
var result = I2OSP(c, k);
SecurityAssert.AssertBuffer(output, outputOffset, result.Length);
Array.Copy(result, 0, output, outputOffset, result.Length);
}
public CertificateMessage(IReadOnlyCollection <X509Certificate> certificates)
: base(HandshakeType.Certificate)
{
SecurityAssert.NotNull(certificates);
SecurityAssert.Assert(certificates.Count <= 0xFFFFFF);
Certificates = certificates;
}
public PrivateKey ReadKey(byte[] input)
{
// PKCS#8 only
var asn1 = GetASN1(input);
SecurityAssert.Assert(asn1.HasValue);
var seq = asn1.Value as ASN1Sequence;
SecurityAssert.NotNull(seq);
SecurityAssert.Assert(seq !.Count == 3);
var version = seq !.Elements[0] as ASN1Integer;
SecurityAssert.NotNull(version);
SecurityAssert.Assert(version !.Value == 0);
var algorithm = X509AlgorithmIdentifier.FromObject(seq.Elements[1]);
var keyOctetString = seq !.Elements[2] as ASN1OctetString;
SecurityAssert.NotNull(keyOctetString);
var reader = _keyReaderRegistry.Resolve(algorithm.Algorithm);
return(reader.ReadPrivateKey(algorithm, keyOctetString !.Value));
}
public RC4KeyParameter(byte[] key)
{
SecurityAssert.NotNull(key);
Key = new byte[key.Length];
Array.Copy(key, Key, key.Length);
}
public static byte[] GetBytes(string oid)
{
SecurityAssert.NotNull(oid);
SecurityAssert.Assert(oid.Length > 0);
var parts = oid.Split('.').Select(BigInteger.Parse).ToArray();
SecurityAssert.Assert(parts.Length >= 2);
var bytes = new List <byte>();
SecurityAssert.Assert(parts[0] >= 0 && parts[0] <= 6);
SecurityAssert.Assert(parts[1] >= 0 && parts[1] < 40);
var firstByte = parts[0] * 40 + parts[1];
bytes.Add((byte)firstByte);
for (var i = 2; i < parts.Length; i++)
{
SecurityAssert.Assert(parts[i] >= 0);
bytes.AddRange(EncodeBase128(parts[i]).Reverse());
}
return(bytes.ToArray());
}
public static string Format(byte[] bytes)
{
SecurityAssert.NotNull(bytes);
SecurityAssert.Assert(bytes.Length > 0);
var oid = new StringBuilder();
var firstOctet = bytes[0];
var index = 1;
oid.AppendFormat("{0}.{1}", firstOctet / 40, firstOctet % 40);
while (index < bytes.Length)
{
var value = new BigInteger();
while (true)
{
var b = bytes[index++];
if ((b & 0x80) == 0)
{
value = value << 7 | b;
break;
}
SecurityAssert.Assert(index < bytes.Length);
value = value << 7 | (b & 0x7F);
}
oid.AppendFormat(".{0}", value);
}
return(oid.ToString());
}
public PublicKey ReadPublicKey(X509AlgorithmIdentifier algorithm, BitArray bits)
{
SecurityAssert.Assert(IsRSAIdentifier(algorithm.Algorithm));
SecurityAssert.Assert(algorithm.Parameters.Count == 1 && algorithm.Parameters[0] is ASN1Null);
var data = bits.ToArray();
ASN1Object asn1;
using (var ms = new MemoryStream(data))
{
asn1 = new DERReader(ms).Read();
}
var keySeq = asn1 as ASN1Sequence;
SecurityAssert.Assert(keySeq != null && keySeq.Count == 2);
var modulusInt = keySeq !.Elements[0] as ASN1Integer;
SecurityAssert.NotNull(modulusInt);
var exponentInt = keySeq !.Elements[1] as ASN1Integer;
SecurityAssert.NotNull(exponentInt);
return(new RSAPublicKey(modulusInt !.Value, exponentInt !.Value));
}
public HelloExtension(ExtensionType type, byte[] data)
{
Type = type;
SecurityAssert.NotNull(data);
SecurityAssert.Assert(data.Length >= 0 && data.Length <= 0xFFFF);
Data = data;
}
public FinishedMessage(byte[] verifyActual, byte[] verifyExpectedHash) : base(HandshakeType.Finished)
{
SecurityAssert.NotNull(verifyActual);
SecurityAssert.Assert(verifyActual.Length == VerifyDataLength);
VerifyActual = verifyActual;
VerifyExpectedHash = verifyExpectedHash;
}
public Record(RecordType type, TLSVersion version, byte[] data)
{
Type = type;
Version = version;
SecurityAssert.NotNull(data);
Data = data;
}
public bool Verify(byte[] input, byte[] signature, IDigest hash)
{
if (_publicKey is null || _domain is null || _nField is null)
{
throw new InvalidOperationException("ECDSA not initialised");
}
FieldValue r, s;
using (var buffer = new MemoryStream(signature))
{
var reader = new DERReader(buffer);
var seq = reader.Read() as ASN1Sequence;
SecurityAssert.NotNull(seq);
SecurityAssert.Assert(seq !.Count == 2);
var ri = seq.Elements[0] as ASN1Integer;
SecurityAssert.NotNull(ri);
r = _nField.Value(ri !.Value);
SecurityAssert.Assert(r.Value == ri !.Value);
var si = seq.Elements[1] as ASN1Integer;
SecurityAssert.NotNull(si);
s = _nField.Value(si !.Value);
SecurityAssert.Assert(s.Value == si !.Value);
}
// check QA != O
// check QA is on curve
SecurityAssert.Assert(_domain.Curve.IsPointOnCurve(_publicKey));
// check n*QA = O
// check r and s are in [1, n-1]
// e = HASH(input)
hash.Update(input);
var e = hash.DigestBuffer();
// z = the Ln leftmost bits of e, where Ln is the bit length of the group order n.
var z = ToZ(e, _ln);
// w = 1/s (mod n)
var w = _nField.Divide(_nField.Value(1), s);
// u1 = zw (mod n)
var u1 = _nField.Multiply(w, z);
// u2 = rw (mod n)
var u2 = _nField.Multiply(w, r);
// (x1, y2) = u1 * G + u2 * QA
var point = Point.Add(_domain.Curve,
a: Point.Multiply(_domain.Curve, u1, _domain.Generator),
b: Point.Multiply(_domain.Curve, u2, _publicKey)) !;
// return r == x1 (mod n)
return(r == point.X);
}
private static T GetElement <T>(ASN1Object asn1, int index)
where T : ASN1Object
{
var obj = GetElement(asn1, index) as T;
SecurityAssert.NotNull(obj);
return(obj !);
}
private static ASN1Set ToSet(ASN1Object asn1, int minLength = 0, int maxLength = int.MaxValue)
{
var seq = asn1 as ASN1Set;
SecurityAssert.NotNull(seq);
SecurityAssert.Assert(seq !.Count >= minLength && seq !.Count <= maxLength);
return(seq);
}
public ICipherParameters Create(ConnectionEnd end, ConnectionDirection direction)
{
var key = GetKey(end, direction);
SecurityAssert.NotNull(key);
SecurityAssert.Assert(key.Length > 0);
return(new AESKeyParameter(key));
}
public TLSStream(Stream inner, IServiceProvider services)
{
SecurityAssert.NotNull(inner);
SecurityAssert.NotNull(services);
_inner = inner;
_servicesScope = services.CreateScope();
Services.GetRequiredService <IStreamAccessor>().Stream = _inner;
}
public void Put(byte[] data)
{
_write.Wait();
SecurityAssert.NotNull(data);
SecurityAssert.Assert(data.Length > 0);
_data.Enqueue(data);
_read.Release();
}
private BigInteger GetInteger(ASN1Sequence obj, int index)
{
SecurityAssert.Assert(index >= 0 && index < obj.Elements.Count);
var elem = obj.Elements[index];
var intElem = elem as ASN1Integer;
SecurityAssert.NotNull(intElem);
return(intElem !.Value);
}
private IDigest GetMAC(ConnectionDirection direction)
{
var digest = _cipherSuitesProvider.ResolveHashAlgorithm(_cipherSuiteConfig.CipherSuite);
var key = GetMACKey(direction);
SecurityAssert.NotNull(key);
SecurityAssert.Assert(key.Length > 0);
return(new HMAC(digest, key));
}
private DomainParameters CreateParameters(X509AlgorithmIdentifier algorithm)
{
// TODO support other formats
SecurityAssert.Assert(algorithm.Parameters.Count == 1);
var curve = algorithm.Parameters[0] as ASN1ObjectIdentifier;
SecurityAssert.NotNull(curve);
return(_namedCurvesRegistry.Resolve(curve !));
}
public ClientHelloMessage(TLSVersion version, byte[] randomBytes, byte[] sessionId, HelloExtension[] extensions, CipherSuite[] cipherSuites, CompressionMethod[] compressionMethods)
: base(HandshakeType.ClientHello, version, randomBytes, sessionId, extensions)
{
SecurityAssert.NotNull(cipherSuites);
SecurityAssert.Assert(cipherSuites.Length >= 2 && cipherSuites.Length <= 0xFFFE);
CipherSuites = cipherSuites;
SecurityAssert.NotNull(compressionMethods);
SecurityAssert.Assert(compressionMethods.Length >= 1 && cipherSuites.Length <= 0xFF);
CompressionMethods = compressionMethods;
}
protected Curve(IField field, FieldValue a, FieldValue b)
{
SecurityAssert.NotNull(field);
SecurityAssert.NotNull(a);
SecurityAssert.NotNull(b);
Field = field;
A = a;
B = b;
}
public GHash(byte[] key)
{
SecurityAssert.NotNull(key);
SecurityAssert.Assert(key.Length == 16);
_key = new byte[16];
Array.Copy(key, 0, _key, 0, 16);
_y = new byte[16];
Reset();
}
public DHPrivateKey(DHParameterConfig parameters, ASN1Object input)
{
var param = input as ASN1Integer;
SecurityAssert.NotNull(param);
X = param !.Value;
var y = BigInteger.ModPow(parameters.G, X, parameters.P);
DHPublicKey = new DHPublicKey(parameters, y);
}
public SignedStream(Stream inner, ISignatureCipher signAlgo, IDigest hashAlgo)
{
SecurityAssert.NotNull(inner);
SecurityAssert.Assert(inner.CanWrite);
InnerStream = inner;
SecurityAssert.NotNull(signAlgo);
SecurityAssert.NotNull(hashAlgo);
SignatureAlgorithm = signAlgo;
HashAlgorithm = hashAlgo;
}
public static X509AlgorithmIdentifier FromObject(ASN1Object asn1)
{
var seq = asn1 as ASN1Sequence;
SecurityAssert.NotNull(seq);
SecurityAssert.Assert(seq !.Count >= 1);
var algorithmOid = seq.Elements[0] as ASN1ObjectIdentifier;
SecurityAssert.NotNull(algorithmOid);
var parameters = seq.Elements.Skip(1).ToList();
return(new X509AlgorithmIdentifier(algorithmOid !, parameters));
}
public HMAC(IDigest digest, byte[] key)
{
SecurityAssert.NotNull(digest);
SecurityAssert.NotNull(key);
_digest = digest;
_key = new byte[digest.BlockSize / 8];
_state = HMACState.Uninitialised;
ProcessInputKey(key);
_state = HMACState.ProcessedKey;
Reset();
}
