/// <inheritdoc/>
protected override void UpdateSettingsFrom1To2(XElement root)
{
base.UpdateSettingsFrom1To2(root);
// Handle protected password
XElement oldPasswortElement = root.Element("cloud_storage")?.Element("cloud_password");
XElement cloudStorageAccount = root.Element("cloud_storage_account");
if ((oldPasswortElement != null) && (cloudStorageAccount != null))
{
// Deobfuscate old password
ICryptor decryptor = new Cryptor("snps", null);
byte[] binaryCipher = CryptoUtils.Base64StringToBytes(oldPasswortElement.Value);
byte[] unprotectedBinaryPassword = decryptor.Decrypt(binaryCipher, CryptoUtils.StringToSecureString(snpsk));
// Protect with new data protection service and add to XML
char[] unprotectedChars = Encoding.UTF8.GetChars(unprotectedBinaryPassword);
byte[] unprotectedUnicodePassword = Encoding.Unicode.GetBytes(unprotectedChars);
string protectedPassword = _dataProtectionService.Protect(unprotectedUnicodePassword);
cloudStorageAccount.Add(new XElement("protected_password", protectedPassword));
CryptoUtils.CleanArray(unprotectedBinaryPassword);
CryptoUtils.CleanArray(unprotectedChars);
CryptoUtils.CleanArray(unprotectedUnicodePassword);
}
}
public void EnsureBackwardsCompatibilityLongTimeDecryptionOfTwofishGcm()
{
// Ensure that a once stored cipher can always be decrypted even after changes in the liberary
string base64Cipher = "dW5pdHRlc3QkdHdvZmlzaF9nY20kZHhMWFh4K0UrZ2MzWHdWc01rWUFxQT09JHBia2RmMiRma1BCWTdDWXp1OG5YUlJtYk9DUlp3PT0kMTAwMCRRc0ETSqDekQuBgKJ5x4Mvy02OHsivm0uJ9KchKdpGk+pmbF4Kq/EDbx9Uw54uEZUQLnK70dNKSEVtb1GyUOX1mitr";
byte[] cipher = CryptoUtils.Base64StringToBytes(base64Cipher);
ICryptor decryptor = new Cryptor("unittest", null);
string decryptedMessage = CryptoUtils.BytesToString(decryptor.Decrypt(cipher, CryptoUtils.StringToSecureString("brownie")));
Assert.AreEqual("The brown fox jumps over the lazy 🐢🖐🏿 doc.", decryptedMessage);
}
public void EnsureBackwardsCompatibilityLongTimeDecryptionOfAesGcm()
{
// Ensure that a once stored cipher can always be decrypted even after changes in the liberary
string base64Cipher = "dW5pdHRlc3QkYWVzX2djbSQ0NG04QXBFU1ptcXhnYll2OE5wcWl3PT0kcGJrZGYyJGgwSDdxSGZnVFlXNzBKS3lEb0JLeFE9PSQxMDAwJJsMDjdYEYXYmcqTOFRbge6iVfWo/iny4nrIOMVuoqYak6xB/MAe53G5H3AyxiTi8OENJbi9tzZStpe3p3nlDB7l+J8=";
byte[] cipher = CryptoUtils.Base64StringToBytes(base64Cipher);
ICryptor decryptor = new Cryptor("unittest", null);
string decryptedMessage = CryptoUtils.BytesToString(decryptor.Decrypt(cipher, CryptoUtils.StringToSecureString("brownie")));
Assert.AreEqual("The brown fox jumps over the lazy 🐢🖐🏿 doc.", decryptedMessage);
}
public void EnsureBackwardsCompatibilityLongTimeDecryptionOfXChaCha()
{
// Ensure that a once stored cipher can always be decrypted even after changes in the liberary
string base64Cipher = "dW5pdHRlc3Qgdj0yJHhjaGFjaGEyMF9wb2x5MTMwNSRsT0FJVW5wZXEyL0g3Ti96UkdCSktqaW9MdmFTUWk5eCRwYmtkZjIkdmN0dmpXVmx1NEhGbGhqbTV0SGlWQT09JDEwMDAwJCTcCqQglE3Xmfe0lg9AOhzxJXOuj7wEj+kgaSnKlZgnMyQwpQCwa9W57jnz1RhrwUuLh0X3PJpPbf7lR07Le7TFRZc8";
byte[] cipher = CryptoUtils.Base64StringToBytes(base64Cipher);
ICryptor decryptor = new Cryptor("unittest", null);
string decryptedMessage = CryptoUtils.BytesToString(decryptor.Decrypt(cipher, CryptoUtils.StringToSecureString("brownie")));
Assert.AreEqual("The brown fox jumps over the lazy 🐢🖐🏿 doc.", decryptedMessage);
}
/// <summary>
/// Decrypts the note, if the belonging safe is open.
/// </summary>
/// <returns>Decrypted note content, or null if the safe is closed.</returns>
private string UnlockIfSafeOpen(string lockedContent)
{
SafeModel safe = _safes.FindById(Model.SafeId);
if ((safe != null) && safe.IsOpen)
{
byte[] binaryContent = CryptoUtils.Base64StringToBytes(lockedContent);
byte[] unlockedContent = _cryptor.Decrypt(binaryContent, safe.Key);
return(CryptoUtils.BytesToString(unlockedContent));
}
return(null);
}
/// <inheritdoc/>
public byte[] Unprotect(string protectedData)
{
// Extract encrypted key and encrypted data
string[] parts = protectedData.Split(Separator);
if (parts.Length != 3)
{
throw new Exception("Invalid format of protected data");
}
byte[] encryptedStoredKey = CryptoUtils.Base64StringToBytes(parts[0]);
byte[] nonce = CryptoUtils.Base64StringToBytes(parts[1]);
byte[] protectedDataPart = CryptoUtils.Base64StringToBytes(parts[2]);
// Unprotect the random key with OS support
byte[] storedKey = null;
try
{
if (KeysExistInKeyStore())
{
Cipher cipher = Cipher.GetInstance("RSA/ECB/PKCS1Padding"); // ECB mode is not used by RSA
IKey privateKey = GetPrivateKeyFromKeyStore();
cipher.Init(CipherMode.DecryptMode, privateKey);
storedKey = cipher.DoFinal(encryptedStoredKey);
}
}
catch (Exception)
{
storedKey = null;
}
// Fallback to obfuscated key
if (storedKey == null)
{
storedKey = CryptoUtils.Deobfuscate(encryptedStoredKey, CryptoUtils.StringToSecureString(Obcake));
}
// Decrypt the data with the random key
ISymmetricEncryptionAlgorithm decryptor;
byte[] result;
try
{
decryptor = new BouncyCastleXChaCha20();
result = decryptor.Decrypt(protectedDataPart, storedKey, nonce);
}
catch (Exception)
{
// Fallback to twofish, which was used before 3.2021
decryptor = new BouncyCastleTwofishGcm();
result = decryptor.Decrypt(protectedDataPart, storedKey, nonce);
}
return(result);
}
public void EnsureBackwardsCompatibility()
{
// Ensure that a once stored packed header can always be unpacked even after changes in the liberary
string packedBase64Header = "TXlBcHBOYW1lJFR3b2Zpc2gkUWtKQ1FrSkNRa0k9JFBCS0RGMiRUVTFOVFUxTlRVMD0kMTAkWFhYWFhYWFhYWFhYWFhYWA==";
byte[] packedHeader = CryptoUtils.Base64StringToBytes(packedBase64Header);
CryptoHeaderPacker.UnpackHeaderAndCipher(packedHeader, "MyAppName", out CryptoHeader unpackedHeader, out byte[] unpackedCipher);
Assert.AreEqual("MyAppName", unpackedHeader.PackageName);
Assert.AreEqual("Twofish", unpackedHeader.AlgorithmName);
Assert.AreEqual("PBKDF2", unpackedHeader.KdfName);
Assert.AreEqual("10", unpackedHeader.Cost);
Assert.AreEqual(CommonMocksAndStubs.FilledByteArray(8, 66), unpackedHeader.Nonce);
Assert.AreEqual(CommonMocksAndStubs.FilledByteArray(8, 77), unpackedHeader.Salt);
Assert.AreEqual(CommonMocksAndStubs.FilledByteArray(16, 88), unpackedCipher);
}
public void EnsureCompatibilityToLibsodiumXChaCha20()
{
// Ensure that a once stored cipher can always be decrypted even after changes in the liberary.
// This cypher was created with libsodium.
string base64Cipher = "q8w/Zotsi3ZJp2eaAnFmMiAGgko+N2TkNgunS5+bDRNqrBBoN+XMQPSt7ojO4ODMP3Rf3aoYMNeJFL2/ZqK3AngIuQ==";
byte[] cipher = CryptoUtils.Base64StringToBytes(base64Cipher);
ISymmetricEncryptionAlgorithm decryptor = new BouncyCastleXChaCha20();
ICryptoRandomService randomGenerator = CommonMocksAndStubs.CryptoRandomService(88);
byte[] key = randomGenerator.GetRandomBytes(decryptor.ExpectedKeySize);
byte[] nonce = randomGenerator.GetRandomBytes(decryptor.ExpectedNonceSize);
string decryptedMessage = CryptoUtils.BytesToString(decryptor.Decrypt(cipher, key, nonce));
Assert.AreEqual("The brown fox jumps over the lazy 🐢🖐🏿 doc.", decryptedMessage);
}
/// <summary>
/// Test the password update from Version1 in Android to Version2
/// </summary>
/// <param name="root"></param>
protected override void UpdateSettingsFrom1To2(XElement root)
{
base.UpdateSettingsFrom1To2(root);
SecureString snpsk = CryptoUtils.StringToSecureString("53EC49B1-6600+406b;B84F-0B9CFA1D2BE1");
// Handle protected password
XElement oldPasswortElement = root.Element("cloud_storage")?.Element("cloud_password");
XElement cloudStorageAccount = root.Element("cloud_storage_account");
if ((oldPasswortElement != null) && (cloudStorageAccount != null))
{
// Deobfuscate old password
ICryptor decryptor = new Cryptor("snps", null);
byte[] binaryCipher = CryptoUtils.Base64StringToBytes(oldPasswortElement.Value);
byte[] unprotectedBinaryPassword = decryptor.Decrypt(binaryCipher, snpsk);
// Protect with new data protection service and add to XML
string protectedPassword = _dataProtectionService.Protect(unprotectedBinaryPassword);
cloudStorageAccount.Add(new XElement("protected_password", protectedPassword));
CryptoUtils.CleanArray(unprotectedBinaryPassword);
}
}
