public void RSALocalKeyDecryptionPaddingHashInvalidThrows()
{
byte[] toEncrypt = new byte[] { 1, 2, 3, 4 };
ManagedRSAEncryption util = new ManagedRSAEncryption();
byte[] encrypted = util.EncryptWithLocalKey(TestProvider, TestKeyName, toEncrypt, "Not a real padding hash function", PaddingFlags.OAEPPadding);
}
public void ProviderKeyCleanup(string providerName, string keyName)
{
//Clear out the test key
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
managedRSA.DestroyLocalRSAKey(providerName, keyName);
}
public void RSALocalKeyDecryptionPaddingInvalidThrows()
{
byte[] toEncrypt = new byte[] { 1, 2, 3, 4 };
ManagedRSAEncryption util = new ManagedRSAEncryption();
byte[] encrypted = util.EncryptWithLocalKey(TestProvider, TestKeyName, toEncrypt, null, PaddingFlags.PSSPadding + 10000);
}
public void TestCleanup()
{
//Clear out the test key
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
managedRSA.DestroyLocalRSAKey(TestProvider, TestKeyName);
}
public void TestInitialize()
{
ManagedRSAEncryption utility = new ManagedRSAEncryption();
//Create the test key
utility.TryGenerateLocalRSAKey(TestProvider, TestKeyName);
}
public void RSALocalKeyDecryptionProviderMissingThrows()
{
byte[] toEncrypt = new byte[] { 1, 2, 3, 4 };
ManagedRSAEncryption util = new ManagedRSAEncryption();
byte[] encrypted = util.EncryptWithLocalKey(TestProvider, TestKeyName, toEncrypt);
byte[] decrypted = util.DecryptWithLocalKey("FakeProviderName", TestKeyName, encrypted);
}
public void TestCleanup()
{
ManagedRSAEncryption utility = new ManagedRSAEncryption();
//Destroy the test key
utility.DestroyLocalRSAKey(TestProvider, TestKeyName);
}
public void TestLine(string line)
{
eventLog1.WriteEntry(string.Format("Testing Line:{0}", line));
string[] split = line.Split(TestFileSeparator);
if (split.Length != 6)
{
StringBuilder testFormatBuilder = new StringBuilder();
testFormatBuilder.AppendLine(string.Format("Test line is of incorrect format, should be of format unencrypted{0}encrypted{0}providername{0}keyname{0}hashalgorithm{0}paddingflags for line {1}", TestFileSeparator, line));
testFormatBuilder.AppendLine(string.Format("Encrypted value should be Base64 encoded"));
testFormatBuilder.AppendLine(string.Format("HashAlgorithm can be SHA1, SHA256, SHA384, SHA512"));
testFormatBuilder.AppendLine(string.Format("PaddingFlags can be 1, 2, 4, 8"));
eventLog1.WriteEntry(testFormatBuilder.ToString(), EventLogEntryType.Error);
return;
}
string unencrypted = split[0];
string encrypted = split[1];
string provider = split[2];
string keyname = split[3];
string hashAlgorithm = split[4];
int paddingFlags = int.Parse(split[5]);
byte[] encryptedAsBytes = Convert.FromBase64String(encrypted);
string resultString = "";
EventLogEntryType entryType = EventLogEntryType.Information;
ManagedRSAEncryption crypto = new ManagedRSAEncryption();
try
{
byte[] decrypted = crypto.DecryptWithLocalKey(provider, keyname, encryptedAsBytes, hashAlgorithm, paddingFlags);
string decryptedString = Encoding.ASCII.GetString(decrypted);
if (String.Equals(unencrypted, decryptedString))
{
resultString = string.Format("Successfully decrypted to value {0} for line {1}", unencrypted, line);
}
else
{
resultString = string.Format("Failed to decrypt to value {0}, decrypted value was {1} for line {2}", unencrypted, decryptedString, line);
entryType = EventLogEntryType.Error;
}
}
catch (Exception e)
{
resultString = string.Format("Failed to decrypt line with exception {0} the line was: {1}", e, line);
entryType = EventLogEntryType.Error;
}
eventLog1.WriteEntry(resultString, entryType);
string assemblyPath = Path.GetDirectoryName(typeof(IntunePFXCertConnectorValidationService).Assembly.Location);
eventLog1.WriteEntry(string.Format("Wrinting results to {0}", Path.Combine(assemblyPath, ResultFile)));
File.WriteAllText(Path.Combine(assemblyPath, ResultFile), contents: resultString);
}
private void ValidatePasswordDecryptable(UserPFXCertificate userPFXResult, string expectedPassword, string hashAlgorithm, int paddingFlags)
{
ManagedRSAEncryption encryptionUtility = new ManagedRSAEncryption();
byte[] passwordBytes = Convert.FromBase64String(userPFXResult.EncryptedPfxPassword);
byte[] unencryptedPassword = encryptionUtility.DecryptWithLocalKey(userPFXResult.ProviderName, userPFXResult.KeyName, passwordBytes, hashAlgorithm, paddingFlags);
string clearTextPassword = Encoding.ASCII.GetString(unencryptedPassword);
Assert.AreEqual(clearTextPassword, expectedPassword);
}
private void ProviderKeyInitialize(string providerName, string keyName, string algorithmName)
{
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
if (!managedRSA.TryGenerateLocalRSAKey(providerName, keyName))
{
//Delete and try again
managedRSA.DestroyLocalRSAKey(providerName, keyName);
managedRSA.TryGenerateLocalRSAKey(providerName, keyName);
}
}
public void TestInitialize()
{
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
if (!managedRSA.TryGenerateLocalRSAKey(TestProvider, TestKeyName))
{
//Delete and try again
managedRSA.DestroyLocalRSAKey(TestProvider, TestKeyName);
managedRSA.TryGenerateLocalRSAKey(TestProvider, TestKeyName);
}
}
public void CertKeyEncryptionE2E()
{
byte[] toEncrypt = new byte[] { 1, 2, 3, 4 };
ManagedRSAEncryption managed = new ManagedRSAEncryption();
X509Certificate2 testCert = new X509Certificate2(Convert.FromBase64String(TestCertBase64Encoded), TestCertPassword);
byte[] encrypted = managed.EncryptWithCertificate(toEncrypt, testCert);
byte[] decrypted = managed.DecryptWithCertificate(encrypted, testCert);
CollectionAssert.AreNotEqual(toEncrypt, encrypted);
CollectionAssert.AreNotEqual(encrypted, decrypted);
CollectionAssert.AreEqual(toEncrypt, decrypted);
}
protected override void ProcessRecord()
{
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
if (!managedRSA.ImportKeyToKSP(ProviderName, KeyName, FilePath, MakeExportable.IsPresent))
{
//Creation failed, likely already exists
this.WriteError(
new ErrorRecord(
new InvalidOperationException("Key Import failed"),
"KeyImportFailure",
ErrorCategory.InvalidOperation,
null));
}
}
public void EncryptionUtilitiesFullE2E()
{
byte[] originalData = new byte[] { 1, 2, 3, 4 };
ManagedRSAEncryption managed = new ManagedRSAEncryption();
X509Certificate2 testCert = new X509Certificate2(Convert.FromBase64String(TestCertBase64Encoded), TestCertPassword);
byte[] encryptedWithLocal = managed.EncryptWithLocalKey(TestProvider, TestKeyName, originalData);
byte[] recryptedWithDeviceCert = managed.RecryptPfxImportMessage(encryptedWithLocal, testCert, TestProvider, TestKeyName);
byte[] decryptedWithDeviceCert = managed.DecryptWithCertificate(recryptedWithDeviceCert, testCert);
CollectionAssert.AreEqual(originalData, decryptedWithDeviceCert);
CollectionAssert.AreNotEqual(originalData, encryptedWithLocal);
CollectionAssert.AreNotEqual(originalData, recryptedWithDeviceCert);
CollectionAssert.AreNotEqual(encryptedWithLocal, recryptedWithDeviceCert);
CollectionAssert.AreNotEqual(encryptedWithLocal, decryptedWithDeviceCert);
CollectionAssert.AreNotEqual(recryptedWithDeviceCert, decryptedWithDeviceCert);
}
public void RSALocalKeyEncryptionDecryptionE2E()
{
byte[] toEncrypt = new byte[] { 1, 2, 3, 4 };
ManagedRSAEncryption util = new ManagedRSAEncryption();
byte[] encrypted = util.EncryptWithLocalKey(TestProvider, TestKeyName, toEncrypt);
byte[] decrypted = util.DecryptWithLocalKey(TestProvider, TestKeyName, encrypted);
CollectionAssert.AreNotEqual(encrypted, toEncrypt);
CollectionAssert.AreNotEqual(encrypted, decrypted);
CollectionAssert.AreEqual(toEncrypt, decrypted);
Assert.AreNotEqual(0, encrypted.Length);
Assert.AreNotEqual(0, decrypted.Length);
Assert.IsNotNull(encrypted);
Assert.IsNotNull(decrypted);
}
public void RSALocalKeyEncryptionDecryptionOAEPE2E()
{
byte[] toEncrypt = new byte[] { 1, 2, 3, 4 };
ManagedRSAEncryption util = new ManagedRSAEncryption();
byte[] encrypted = util.EncryptWithLocalKey(TestProvider, TestKeyName, toEncrypt, PaddingHashAlgorithmNames.SHA256, PaddingFlags.OAEPPadding);
byte[] decrypted = util.DecryptWithLocalKey(TestProvider, TestKeyName, encrypted, PaddingHashAlgorithmNames.SHA256, PaddingFlags.OAEPPadding);
CollectionAssert.AreNotEqual(encrypted, toEncrypt);
CollectionAssert.AreNotEqual(encrypted, decrypted);
CollectionAssert.AreEqual(toEncrypt, decrypted);
Assert.AreNotEqual(0, encrypted.Length);
Assert.AreNotEqual(0, decrypted.Length);
Assert.IsNotNull(encrypted);
Assert.IsNotNull(decrypted);
}
protected override void ProcessRecord()
{
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
if (managedRSA.TryGenerateLocalRSAKey(ProviderName, KeyName, KeyLength))
{
//Creation succeeded
}
else
{
//Creation failed, likely already exists
this.WriteError(
new ErrorRecord(
new InvalidOperationException("Key Creation failed, it likely already exists"),
"KeyAlreadyExists",
ErrorCategory.InvalidOperation,
null));
}
}
public void ExportImportEncryptTest()
{
byte[] toEncrypt = new byte[] { 1, 2, 3, 4 };
string filePath = @".\TestPublic.Key";
try
{
File.Delete(filePath);
}
catch (Exception) { }
ManagedRSAEncryption util = new ManagedRSAEncryption();
util.ExportPublicKeytoFile(TestProvider, TestKeyName, filePath);
Assert.IsTrue(File.Exists(filePath));
byte[] encryptedBytes = util.EncryptWithFileKey(filePath, toEncrypt);
Assert.IsNotNull(encryptedBytes);
byte[] decryptedBytes = util.DecryptWithLocalKey(TestProvider, TestKeyName, encryptedBytes);
Assert.AreEqual(System.Convert.ToBase64String(toEncrypt), System.Convert.ToBase64String(decryptedBytes));
try
{
File.Delete(filePath);
}
catch (Exception) { }
}
protected override void ProcessRecord()
{
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
managedRSA.ExportPublicKeytoFile(ProviderName, KeyName, FilePath, FileFormat);
}
protected override void ProcessRecord()
{
byte[] pfxData;
if (this.ParameterSetName == PFXBase64String)
{
pfxData = Convert.FromBase64String(Base64EncodedPfx);
}
else
{
pfxData = File.ReadAllBytes(PathToPfxFile);
}
X509Certificate2 pfxCert = new X509Certificate2();
try
{
pfxCert.Import(pfxData, PfxPassword, X509KeyStorageFlags.DefaultKeySet);
}
catch (CryptographicException ex)
{
if (ex.HResult == ErrorCodeCantOpenFile)
{
ThrowTerminatingError(
new ErrorRecord(
new ArgumentException(
string.Format("Could not Read Thumbprint on file at path: '{0}'. File must be a certificate.", PathToPfxFile), ex),
Guid.NewGuid().ToString(),
ErrorCategory.InvalidArgument,
null));
}
else if (ex.HResult == ErrorCodeNetworkPasswordIncorrect)
{
ThrowTerminatingError(
new ErrorRecord(
new ArgumentException("Could not Read Thumbprint. Verify Password is Correct.", ex),
Guid.NewGuid().ToString(),
ErrorCategory.InvalidArgument,
null));
}
else
{
ThrowTerminatingError(
new ErrorRecord(
new ArgumentException("Could not Read Thumbprint. Unknown Cause", ex),
Guid.NewGuid().ToString(),
ErrorCategory.InvalidArgument,
null));
}
}
ManagedRSAEncryption encryptUtility = new ManagedRSAEncryption();
byte[] password = new byte[PfxPassword.Length];
GCHandle pinnedPasswordHandle = GCHandle.Alloc(password, GCHandleType.Pinned);
byte[] encryptedPassword = null;
try
{
ConvertSecureStringToByteArray(PfxPassword, ref password);
string hashAlgorithm;
int paddingFlags;
switch (PaddingScheme)
{
case UserPfxPaddingScheme.Pkcs1:
case UserPfxPaddingScheme.OaepSha1:
ThrowTerminatingError(
new ErrorRecord(
new ArgumentException("Pkcs1 and OaepSha1 are no longer supported."),
Guid.NewGuid().ToString(),
ErrorCategory.InvalidArgument,
null));
return;
case UserPfxPaddingScheme.OaepSha256:
hashAlgorithm = PaddingHashAlgorithmNames.SHA256;
paddingFlags = PaddingFlags.OAEPPadding;
break;
case UserPfxPaddingScheme.OaepSha384:
hashAlgorithm = PaddingHashAlgorithmNames.SHA384;
paddingFlags = PaddingFlags.OAEPPadding;
break;
case UserPfxPaddingScheme.None:
PaddingScheme = UserPfxPaddingScheme.OaepSha512;
goto default; // Since C# doesn't allow switch-case fall-through!
case UserPfxPaddingScheme.OaepSha512:
default:
hashAlgorithm = PaddingHashAlgorithmNames.SHA512;
paddingFlags = PaddingFlags.OAEPPadding;
break;
}
if (KeyFilePath != null)
{
encryptedPassword = encryptUtility.EncryptWithFileKey(KeyFilePath, password, hashAlgorithm, paddingFlags);
}
else
{
encryptedPassword = encryptUtility.EncryptWithLocalKey(ProviderName, KeyName, password, hashAlgorithm, paddingFlags);
}
}
finally
{
if (password != null)
{
password.ZeroFill();
}
if (pinnedPasswordHandle.IsAllocated)
{
pinnedPasswordHandle.Free();
}
}
string encryptedPasswordString = Convert.ToBase64String(encryptedPassword);
UserPFXCertificate userPfxCertifiate = new UserPFXCertificate();
userPfxCertifiate.Thumbprint = pfxCert.Thumbprint.ToLowerInvariant();
userPfxCertifiate.IntendedPurpose = (UserPfxIntendedPurpose)IntendedPurpose;
userPfxCertifiate.PaddingScheme = (UserPfxPaddingScheme)PaddingScheme;
userPfxCertifiate.KeyName = KeyName;
userPfxCertifiate.UserPrincipalName = UPN;
userPfxCertifiate.ProviderName = ProviderName;
userPfxCertifiate.StartDateTime = Convert.ToDateTime(pfxCert.GetEffectiveDateString(), CultureInfo.CurrentCulture);
userPfxCertifiate.ExpirationDateTime = Convert.ToDateTime(pfxCert.GetExpirationDateString(), CultureInfo.CurrentCulture);
userPfxCertifiate.CreatedDateTime = DateTime.Now;
userPfxCertifiate.LastModifiedDateTime = DateTime.Now;
userPfxCertifiate.EncryptedPfxPassword = encryptedPasswordString;
userPfxCertifiate.EncryptedPfxBlob = pfxData;
WriteObject(userPfxCertifiate);
}
protected override void ProcessRecord()
{
ManagedRSAEncryption managedRSA = new ManagedRSAEncryption();
managedRSA.ExportPrivateKeytoFile(ProviderName, KeyName, FilePath);
}
