/// <summary>
/// Open a properly configured <see cref="HMAC"/> conforming to the scheme
/// identified by <paramref name="aeMac"/>.
/// </summary>
/// <param name="aeMac">The message authentication mode to open.</param>
/// <param name="keyMac">The key data.</param>
/// <returns>
/// An HMAC object with the proper key, or <c>null</c> on unknown algorithms.
/// </returns>
private static HMAC GetMac(AeMac aeMac, byte[] keyMac)
{
HMAC hmac;
switch (aeMac)
{
case AeMac.HMACSHA256:
hmac = new HMACSHA256();
break;
case AeMac.HMACSHA384:
hmac = new HMACSHA384();
break;
case AeMac.HMACSHA512:
hmac = new HMACSHA512();
break;
default:
//An algorithm we don't understand
throw new CryptographicException("Invalid Mac algorithm");
}
hmac.Key = keyMac;
return(hmac);
}
public static byte[] Decrypt(byte[] keyEnc, byte[] keyMac, byte[] cipherText)
{
if (keyEnc == null)
{
throw new ArgumentNullException(nameof(keyEnc));
}
if (keyMac == null)
{
throw new ArgumentNullException(nameof(keyMac));
}
if (keyEnc.Length < 32)
{
throw new ArgumentOutOfRangeException(
nameof(keyEnc),
"Encryption Key must be at least 256 bits (32 bytes)");
}
if (keyMac.Length < 32)
{
throw new ArgumentOutOfRangeException(
nameof(keyMac),
"Mac Key must be at least 256 bits (32 bytes)");
}
if (cipherText == null)
{
throw new ArgumentNullException(nameof(cipherText));
}
// The format of this message is assumed to be public, so there's no harm in
// saying ahead of time that the message makes no sense.
if (cipherText.Length < 2)
{
throw new CryptographicException();
}
// Use the message algorithm headers to determine what cipher algorithm and
// MAC algorithm are going to be used. Since the same Key Derivation
// Functions (KDFs) are being used in Decrypt as Encrypt, the keys are also
// the same.
AeCipher aeCipher = (AeCipher)cipherText[0];
AeMac aeMac = (AeMac)cipherText[1];
using (SymmetricAlgorithm cipher = GetCipher(aeCipher, keyEnc))
using (HMAC tagGenerator = GetMac(aeMac, keyMac))
{
int blockSizeInBytes = cipher.BlockSize / 8;
int tagSizeInBytes = tagGenerator.HashSize / 8;
int headerSizeInBytes = 2;
int tagOffset = headerSizeInBytes;
int ivOffset = tagOffset + tagSizeInBytes;
int cipherTextOffset = ivOffset + blockSizeInBytes;
int cipherTextLength = cipherText.Length - cipherTextOffset;
int minLen = cipherTextOffset + blockSizeInBytes;
// Again, the minimum length is still assumed to be public knowledge,
// nothing has leaked out yet. The minimum length couldn't just be calculated
// without reading the header.
if (cipherText.Length < minLen)
{
throw new CryptographicException();
}
// It's very important that the MAC be calculated and verified before
// proceeding to decrypt the ciphertext, as this prevents any sort of
// information leaking out to an attacker.
//
// Don't include the tag in the calculation, though.
var data = new byte[cipherText.Length - tagSizeInBytes];
// First, everything before the tag (the cipher and MAC algorithm ids)
Buffer.BlockCopy(cipherText, 0, data, 0, tagOffset);
// Skip the data before the tag and the tag, then read everything that remains.
Buffer.BlockCopy(cipherText, (tagOffset + tagSizeInBytes), data, tagOffset, cipherText.Length - (tagOffset + tagSizeInBytes));
tagGenerator.AppendData(data);
byte[] generatedTag = tagGenerator.GetHashAndReset();
byte[] expectedPayload = new byte[tagSizeInBytes];
Buffer.BlockCopy(cipherText, tagOffset, expectedPayload, 0, tagSizeInBytes);
if (!CryptographicEquals(
generatedTag,
0,
cipherText,
tagOffset,
tagSizeInBytes))
{
// Assuming every tampered message (of the same length) took the same
// amount of time to process, we can now safely say
// "this data makes no sense" without giving anything away.
throw new CryptographicException("Mismatch in signed data");
}
// Restore the IV into the symmetricAlgorithm instance.
byte[] iv = new byte[blockSizeInBytes];
Buffer.BlockCopy(cipherText, ivOffset, iv, 0, iv.Length);
cipher.IV = iv;
using (ICryptoTransform decryptor = cipher.CreateDecryptor())
{
return(Transform(
decryptor,
cipherText,
cipherTextOffset,
cipherTextLength));
}
}
}
