/// <summary>
///
/// </summary>
/// <param name="message"> a message/text to be digitally signed </param>
/// <param name="hashAlgorithm"> an arbitrary hash algorithm </param>
/// <param name="certificate"> certificate of a user who creates a signature </param>
/// <returns> byte array representing a digital signature for the given message </returns>
public static byte[] Create(string message, HashAlgorithm hashAlgorithm, X509Certificate2 certificate)
{
RSACryptoServiceProvider csp = null;
/// Looks for the certificate's private key to sign a message
csp = (RSACryptoServiceProvider)certificate.PrivateKey;
if (csp == null)
{
throw new Exception("Valid certificate was not found");
}
UnicodeEncoding encoding = new UnicodeEncoding();
byte[] data = encoding.GetBytes(message);
byte[] hash = null;
if (hashAlgorithm.Equals(HashAlgorithm.SHA1))
{
SHA1Managed sha1 = new SHA1Managed();
hash = sha1.ComputeHash(data);
}
else if (hashAlgorithm.Equals(HashAlgorithm.SHA256))
{
SHA256Managed sha1 = new SHA256Managed();
hash = sha1.ComputeHash(data);
}
/// Use RSACryptoServiceProvider support to create a signature using a previously created hash value
byte[] signature = csp.SignHash(hash, CryptoConfig.MapNameToOID(hashAlgorithm.ToString()));
return(signature);
}
/// <summary>
/// Checks the conditions to throw a <see cref="InsecureOperationException"/>.
/// </summary>
/// <exception cref="InsecureOperationException"></exception>
/// <remarks>
/// Salt size should be at least 8 Bytes, and the Hash size not greater than the output of the used HMAC.
/// Hash size should not be smaller than the Salt size and the minimum hash iterations of 10 000 should not get undercutted.
/// Also MD5 should never be used as the HMAC.
/// </remarks>
private void CheckConditions()
{
string message = null;
if (HashAlgorithm.Equals(HashAlgorithmName.MD5))
{
message = InsecureMessages.INSECURE_HMAC(HashAlgorithm.Name);
}
if (SaltSize < 8)
{
message = InsecureMessages.SALT_TO_SHORT;
}
if (HashSize > GetHmacSize())
{
message = InsecureMessages.HASH_SIZE_TO_BIG;
}
if (HashSize < SaltSize)
{
message = InsecureMessages.HASH_SIZE_TO_SMALL;
}
if (HashIterations < 10000)
{
message = InsecureMessages.NOT_ENOUGH_ITERATIONS;
}
if (message != null)
{
throw new InsecureOperationException(message);
}
}
internal bool EqualsParameters(DnsResourceDataNextDomainSecure3Base other)
{
return(other != null &&
HashAlgorithm.Equals(other.HashAlgorithm) &&
Flags.Equals(other.Flags) &&
Iterations.Equals(other.Iterations) &&
Salt.Equals(other.Salt));
}
protected override void ProcessRecord()
{
HttpSigningConfiguration httpConfig = new HttpSigningConfiguration()
{
KeyId = this.ApiKeyId,
KeyFilePath = this.ApiKeyFilePath,
HttpSigningHeader = this.HttpSigningHeader
};
if (this.HttpSigningHeader.Contains("(expires)"))
{
if (SignatureValidityPeriod <= 0)
{
throw new Exception("SignatureValidityPeriod must be greater than 0 seconds.");
}
else
{
httpConfig.SignatureValidityPeriod = SignatureValidityPeriod;
}
}
if (HashAlgorithm.Equals("sha256"))
{
httpConfig.HashAlgorithm = HashAlgorithmName.SHA256;
}
else if (HashAlgorithm.Equals("sha512"))
{
httpConfig.HashAlgorithm = HashAlgorithmName.SHA512;
}
if (!string.IsNullOrEmpty(ApiKeyPassPhrase))
{
var secStr = new SecureString();
foreach (char ch in ApiKeyPassPhrase)
{
secStr.AppendChar(ch);
}
httpConfig.KeyPassPhrase = secStr;
}
Configuration config = new Configuration()
{
BasePath = BasePath,
HttpSigningConfiguration = httpConfig
};
CmdletBase.Config = config;
if (Proxy != null)
{
config.Proxy = this.Proxy;
}
if (SkipCertificateCheck.IsPresent)
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return(true); };
}
}
public static Boolean VerifyRaw(byte[] data, HashAlgorithm hashAlgorithm, byte[] signature, string publicKey)
{
hashAlgorithm = hashAlgorithm.Equals(HashAlgorithm.Md5) ? HashAlgorithm.Sha1 : hashAlgorithm;
using (RSACryptoServiceProvider csp = new RSACryptoServiceProvider())
{
ParsePublicKey(csp, publicKey);
return(csp.VerifyData(data, hashAlgorithm.ToString(), signature));
}
}
public static byte[] SignRaw(byte[] data, HashAlgorithm hashAlgorithm, string privateKey)
{
hashAlgorithm = hashAlgorithm.Equals(HashAlgorithm.Md5) ? HashAlgorithm.Sha1 : hashAlgorithm;
using (RSACryptoServiceProvider csp = new RSACryptoServiceProvider())
{
ParsePrivateKey(csp, privateKey);
return(csp.SignData(data, hashAlgorithm.ToString()));
}
}
/// <inheritdoc cref="IEquatable{T}.Equals(T)"/>
public bool Equals(Block <T>?other)
{
if (other is null)
{
return(false);
}
return(ReferenceEquals(this, other) ||
(Hash.Equals(other.Hash) && HashAlgorithm.Equals(other.HashAlgorithm)));
}
public static bool Verify(string message, HashAlgorithm hashAlgorithm, byte[] signature, X509Certificate2 certificate)
{
/// Looks for the certificate's public key to verify a message
RSACryptoServiceProvider csp = (RSACryptoServiceProvider)certificate.PublicKey.Key;
UnicodeEncoding encoding = new UnicodeEncoding();
byte[] data = encoding.GetBytes(message);
byte[] hash = null;
if (hashAlgorithm.Equals(HashAlgorithm.SHA1))
{
SHA1Managed sha1 = new SHA1Managed();
hash = sha1.ComputeHash(data);
}
else if (hashAlgorithm.Equals(HashAlgorithm.SHA256))
{
SHA256Managed sha1 = new SHA256Managed();
hash = sha1.ComputeHash(data);
}
/// Use RSACryptoServiceProvider support to compare two - hash value from signature and newly created hash value
return(csp.VerifyHash(hash, CryptoConfig.MapNameToOID(hashAlgorithm.ToString()), signature));
}
/// <summary>
/// Returns the output size of the used <see cref="HashAlgorithm"/> in bytes.
/// </summary>
/// <returns></returns>
private int GetHmacSize()
{
if (HashAlgorithm.Equals(HashAlgorithmName.SHA1))
{
return(20);
}
if (HashAlgorithm.Equals(HashAlgorithmName.SHA256))
{
return(32);
}
if (HashAlgorithm.Equals(HashAlgorithmName.SHA384))
{
return(48);
}
if (HashAlgorithm.Equals(HashAlgorithmName.SHA512))
{
return(64);
}
return(0);
}
