public static void Main(string[] args)
{
// get the path to %LOCALAPPDATA%\myapp-keys
string destFolder = Path.Combine(
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
"myapp-keys");
// instantiate the data protection system at this folder
var dataProtectionProvider = new DataProtectionProvider(
new DirectoryInfo(destFolder),
configuration =>
{
configuration.SetApplicationName("my app name");
configuration.ProtectKeysWithDpapi();
});
var protector = dataProtectionProvider.CreateProtector("Program.No-DI");
Console.Write("Enter input: ");
string input = Console.ReadLine();
// protect the payload
string protectedPayload = protector.Protect(input);
Console.WriteLine($"Protect returned: {protectedPayload}");
// unprotect the payload
string unprotectedPayload = protector.Unprotect(protectedPayload);
Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
}
internal static IDataProtectionProvider GetDataProtectionProvider()
{
IDataProtectionProvider dataProtectionProvider = null;
DirectoryInfo azureWebSitesKeysFolder = GetKeyStorageDirectoryForAzureWebSites();
if (azureWebSitesKeysFolder != null)
{
// TODO: look for a X509 Cert Thumbprint and if found wire that up. Otherwise log stern warning
dataProtectionProvider = new DataProtectionProvider(
azureWebSitesKeysFolder,
options =>
{
options.SetApplicationName(ApplicationName);
});
azureWebSitesKeysFolder.Create();
return dataProtectionProvider;
}
DirectoryInfo localAppDataKeysFolder = GetDefaultKeyStorageDirectory();
if (localAppDataKeysFolder != null)
{
dataProtectionProvider = new DataProtectionProvider(
localAppDataKeysFolder,
options =>
{
options.SetApplicationName(ApplicationName);
options.ProtectKeysWithDpapi();
});
localAppDataKeysFolder.Create();
return dataProtectionProvider;
}
return null;
}
static void Main(string[] args)
{
const string keyStore = "dataProtectionSamples";
const string appName = "SimpleFileSystemNoDI";
const string purpose = "Demonstration";
var programKeyStore =
Path.Combine(
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
$"{keyStore}\\{appName}");
Console.WriteLine($"Keys stored in\n{programKeyStore}");
// instantiate the data protection system at this folder
var dataProtectionProvider = new DataProtectionProvider(new DirectoryInfo(programKeyStore),
options =>
{
options.SetApplicationName(appName);
});
var protector = dataProtectionProvider.CreateProtector(purpose);
Console.Write("Enter input: ");
string input = Console.ReadLine();
// protect the payload
string protectedPayload = protector.Protect(input);
Console.WriteLine($"Protect returned: {protectedPayload}");
// unprotect the payload
string unprotectedPayload = protector.Unprotect(protectedPayload);
Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
Console.ReadLine();
}
public static void Main(string[] args)
{
// create a protector for my application
var provider = new DataProtectionProvider(new DirectoryInfo(@"c:\myapp-keys\"));
var baseProtector = provider.CreateProtector("Contoso.TimeLimitedSample");
// convert the normal protector into a time-limited protector
var timeLimitedProtector = baseProtector.ToTimeLimitedDataProtector();
// get some input and protect it for five seconds
Console.Write("Enter input: ");
string input = Console.ReadLine();
string protectedData = timeLimitedProtector.Protect(input, lifetime: TimeSpan.FromSeconds(5));
Console.WriteLine($"Protected data: {protectedData}");
// unprotect it to demonstrate that round-tripping works properly
string roundtripped = timeLimitedProtector.Unprotect(protectedData);
Console.WriteLine($"Round-tripped data: {roundtripped}");
// wait 6 seconds and perform another unprotect, demonstrating that the payload self-expires
Console.WriteLine("Waiting 6 seconds...");
Thread.Sleep(6000);
timeLimitedProtector.Unprotect(protectedData);
}
static void Main(string[] args)
{
const string keyStore = "dataProtectionSamples";
const string appName = "X509ProtectedFileSystemNoDI";
const string purpose = "Demonstration";
var programKeyStore =
Path.Combine(
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
$"{keyStore}\\{appName}");
Console.WriteLine($"Keys stored in\n{programKeyStore}");
// Normally you'd have the certificate in the user certificate store, this is just for demo purposes.
// Don't hardcode certificate passwords!
// Certificate was generated with
// makecert -r -pe -n "CN=Data Protection" -b 07/01/2015 -e 07/01/2020 -sky exchange -eku 1.3.6.1.4.1.311.10.3.12 -ss my
var encryptingCertificate = new X509Certificate2(
"protectionCertificate.pfx",
"password",
X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
// You must put the cert in the store for unprotect to work. This is a limitation of the EncryptedXml class used to store the cert.
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(encryptingCertificate);
store.Close();
// instantiate the data protection system at this folder
var dataProtectionProvider = new DataProtectionProvider(new DirectoryInfo(programKeyStore),
options =>
{
// As we're using a self signed certificate we need to provide an instance of the certificate.
// Thumb-print look-ups are restricted to "valid" certs (i.e. ones chained to a trusted root and which haven't expired)
options.ProtectKeysWithCertificate(encryptingCertificate);
options.SetApplicationName(appName);
}
);
var protector = dataProtectionProvider.CreateProtector(purpose);
Console.Write("Enter input: ");
string input = Console.ReadLine();
// protect the payload
string protectedPayload = protector.Protect(input);
Console.WriteLine($"Protect returned: {protectedPayload}");
// unprotect the payload
string unprotectedPayload = protector.Unprotect(protectedPayload);
Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
// Clean up certificate store.
store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Remove(encryptingCertificate);
Console.ReadLine();
}
public static IAppBuilder UseCookieAuthentication(
this IAppBuilder app,
CookieAuthenticationOptions options,
DataProtectionProvider dataProtectionProvider,
PipelineStage stage = PipelineStage.Authenticate)
{
var dataProtector = dataProtectionProvider.CreateProtector(
"Microsoft.AspNet.Authentication.Cookies.CookieAuthenticationMiddleware", // full name of the ASP.NET 5 type
options.AuthenticationType, "v2");
options.TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(dataProtector));
return app.UseCookieAuthentication(options, stage);
}
public TicketDataFormatTokenValidator(IDataProtectionProvider dataProtectionProvider)
{
if (dataProtectionProvider == null)
{
#if DNXCORE50
dataProtectionProvider = new DataProtectionProvider(new DirectoryInfo(Environment.GetEnvironmentVariable("Temp"))).CreateProtector("OAuth.AspNet.AuthServer");
#else
dataProtectionProvider = new DataProtectionProvider(new DirectoryInfo(Environment.GetEnvironmentVariable("Temp", EnvironmentVariableTarget.Machine))).CreateProtector("OAuth.AspNet.AuthServer");
#endif
}
_ticketDataFormat = new TicketDataFormat(dataProtectionProvider.CreateProtector("Access_Token", "v1"));
}
public void System_UsesProvidedDirectory()
{
WithUniqueTempDirectory(directory =>
{
// Step 1: directory should be completely empty
directory.Create();
Assert.Empty(directory.GetFiles());
// Step 2: instantiate the system and round-trip a payload
var protector = new DataProtectionProvider(directory).CreateProtector("purpose");
Assert.Equal("payload", protector.Unprotect(protector.Protect("payload")));
// Step 3: validate that there's now a single key in the directory and that it's not protected
var allFiles = directory.GetFiles();
Assert.Equal(1, allFiles.Length);
Assert.StartsWith("key-", allFiles[0].Name, StringComparison.OrdinalIgnoreCase);
string fileText = File.ReadAllText(allFiles[0].FullName);
Assert.Contains("Warning: the key below is in an unencrypted form.", fileText, StringComparison.Ordinal);
Assert.DoesNotContain("Windows DPAPI", fileText, StringComparison.Ordinal);
});
}
static void Main(string[] args)
{
const string keyStore = "dataProtectionSamples";
const string appName = "X509ProtectedFileSystemNoDI";
const string purpose = "Demonstration";
var programKeyStore =
Path.Combine(
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
$"{keyStore}\\{appName}");
Console.WriteLine($"Keys stored in\n{programKeyStore}");
// Certificate was generated with
// makecert -r -pe -n "CN=Data Protection" -b 07/01/2015 -e 07/01/2020 -sky exchange -eku 1.3.6.1.4.1.311.10.3.12 -ss my
var certificateStore = new X509Store(StoreLocation.CurrentUser);
certificateStore.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
var encryptingCertificates =
certificateStore.Certificates.Find(
X509FindType.FindBySubjectDistinguishedName,
"CN=Data Protection",
false); // Must be false for self signed certs.
certificateStore.Close();
if (encryptingCertificates == null || encryptingCertificates.Count == 0)
{
Console.WriteLine("Couldn't find the encryption certificate.");
Environment.Exit(-1);
}
var encryptingCertificate = encryptingCertificates[0];
if (encryptingCertificate.PrivateKey == null)
{
Console.WriteLine("No private key available.");
Environment.Exit(-1);
}
// instantiate the data protection system at this folder
var dataProtectionProvider = new DataProtectionProvider(new DirectoryInfo(programKeyStore),
options =>
{
// As we're using a self signed certificate we need to provide an instance of the certificate.
// Thumb-print look-ups are restricted to "valid" certs (i.e. ones chained to a trusted root and which haven't expired)
options.ProtectKeysWithCertificate(encryptingCertificate);
options.SetApplicationName(appName);
}
);
var protector = dataProtectionProvider.CreateProtector(purpose);
Console.Write("Enter input: ");
string input = Console.ReadLine();
// protect the payload
string protectedPayload = protector.Protect(input);
Console.WriteLine($"Protect returned: {protectedPayload}");
// unprotect the payload
string unprotectedPayload = protector.Unprotect(protectedPayload);
Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
Console.ReadLine();
}
