/// <summary> /// Encrypts the key data. /// </summary> /// <param name="key">The key.</param> /// <param name="passwordPrompt">The password prompt.</param> /// <param name="iterationCount">The interation count.</param> /// <returns></returns> public static PbeKeyStore EncryptKeyData(byte[] key, Func <string> passwordPrompt, int iterationCount) { var pks = new PbeKeyStore() { Cipher = PbeKeyType.Aes128, Hmac = PbeHashType.HmacSha1, IterationCount = iterationCount, Salt = new byte[16] }; Secure.Random.NextBytes(pks.Salt); var pbeKey = new PbeAesKey() { Size = 128 }; pbeKey.AesKeyBytes = pks.GetDerivedBytes(pbeKey.Size / 8, passwordPrompt); pks.IV = pbeKey.IV; using (pbeKey) using (var ks = new ImportedKeySet(pbeKey, KeyPurpose.DecryptAndEncrypt, "Pbe key")) using (var crypter = new Crypter(ks)) { var data = crypter.Encrypt(key); byte[] justciphertext = new byte[data.Length - Keyczar.HeaderLength]; Array.Copy(data, Keyczar.HeaderLength, justciphertext, 0, justciphertext.Length); pks.Key = justciphertext; } return(pks); }
public CertEncryptedKeySetWriter(IKeySetWriter writer, Stream certStream, Func <string> passwordPrompt = null) { _writer = writer; _certKeySet = ImportedKeySet.Import.Pkcs12Keys(KeyPurpose.DecryptAndEncrypt, certStream, passwordPrompt); _encrypter = new Crypter(_certKeySet); _sessionPacker = new BsonSessionKeyPacker(); }
/// <summary> /// Decrypts the key data. /// </summary> /// <param name="passwordPrompt">The passsword prompt.</param> /// <returns></returns> public byte[] DecryptKeyData(Func <string> passwordPrompt) { var key = new PbeAesKey { IV = IV }; if (Cipher == PbeKeyType.Aes128) { key.Size = 128; } else { throw new InvalidKeySetException("Unknown Pbe Cipher"); } key.AesKeyBytes = GetDerivedBytes(key.Size / 8, passwordPrompt); using (key) using (var ks = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "Pbe key")) using (var crypter = new Crypter(ks)) using (var memstream = new MemoryStream()) { memstream.Write(Keyczar.FormatBytes, 0, Keyczar.FormatBytes.Length); memstream.Write(new byte[Keyczar.KeyHashLength], 0, Keyczar.KeyHashLength); memstream.Write(Key, 0, Key.Length); return(crypter.Decrypt(memstream.ToArray())); } }
protected virtual void Dispose(bool disposing) { _keyset = _keyset.SafeDispose(); _crypter = _crypter.SafeDispose(); _signer = _signer.SafeDispose(); _verifier = _verifier.SafeDispose(); _nonce = _nonce.Clear(); _sessionMaterial = _sessionMaterial.Clear(); }
private bool disposedValue = false; // To detect redundant calls protected virtual void Dispose(bool disposing) { if (!disposedValue) { if (disposing) { _certKeySet = _certKeySet.SafeDispose(); _encrypter = _encrypter.SafeDispose(); _writer = null; } disposedValue = true; } }
public void AESTest( [Values(2048)] int datasize, [Values(128, 192, 256)] int keysize, [Values("AES", "STDNET40_AES", "C#_AES_AEAD")] string alg ) { KeyType type = alg; var key = Key.Generate(type, keysize); using (var ks = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "Test")) using (var crypter = new Crypter(ks)) { var watchEncrypt = new System.Diagnostics.Stopwatch(); var watchDecrypt = new System.Diagnostics.Stopwatch(); for (int i = 0; i < iterations; i++) { var input = new byte[datasize]; watchEncrypt.Start(); var output = crypter.Encrypt(input); watchEncrypt.Stop(); watchDecrypt.Start(); var result = crypter.Decrypt(output); watchDecrypt.Stop(); Expect(result, Is.EqualTo(input)); } Console.WriteLine(String.Format("{3}-{4},{2}\t\tEncryption Total:{0},\tThroughput:{1:#,##0.00} MB/S", watchEncrypt.Elapsed, (datasize * iterations * 1000m) / (1024m * 1024m * watchEncrypt.ElapsedMilliseconds), datasize, alg, keysize )); Console.WriteLine(String.Format("{3}-{4},{2}\t\tDecryption Total:{0},\tThroughput:{1:#,##0.00} MB/S", watchDecrypt.Elapsed, (datasize * iterations * 1000m) / (1024m * 1024m * watchDecrypt.ElapsedMilliseconds), datasize, alg, keysize )); } }
public CertEncryptedKeySet(IKeySet keySet, string thumbPrint) { var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); certStore.Open(OpenFlags.ReadOnly); var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, false); var cert = certCollection.OfType <X509Certificate2>().FirstOrDefault(); var privKey = cert?.GetRSAPrivateKey(); var keyParam = DotNetUtilities.GetRsaKeyPair(privKey).Private as RsaPrivateCrtKeyParameters; var key = KeyFromBouncyCastle(keyParam); _certKeySet = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "imported from X509Store"); _keySet = keySet; _crypter = new Crypter(_certKeySet); _sessionPacker = new BsonSessionKeyPacker(); }
private bool disposedValue = false; // To detect redundant calls protected virtual void Dispose(bool disposing) { if (!disposedValue) { if (disposing) { _crypter = _crypter.SafeDispose(); _certKeySet = _certKeySet.SafeDispose(); _keySet = _keySet.SafeDispose(); } // TODO: free unmanaged resources (unmanaged objects) and override a finalizer below. // TODO: set large fields to null. disposedValue = true; } }
/// <summary> /// Initializes a new instance of the <see cref="SessionCrypter" /> class. /// </summary> /// <param name="keyEncrypter">The key encrypter.</param> /// <param name="signer">The signer, optionally used to certify sender. (Equivialent to SignedSessionEncrypter)</param> /// <param name="keySize">Size of the key.</param> /// <param name="symmetricKeyType">Type of the symmetric key. (requires unofficial keypacker)</param> /// <param name="keyPacker">The key packer.</param> /// <exception cref="System.ArgumentException">Without a supplying a keypacker you may only use KeyType.AES;symmetricKeyType</exception> public SessionCrypter(Encrypter keyEncrypter, AttachedSigner signer = null, int?keySize = null, KeyType symmetricKeyType = null, ISessionKeyPacker keyPacker = null) { symmetricKeyType = symmetricKeyType ?? KeyType.Aes; if (keyPacker == null && symmetricKeyType != KeyType.Aes) { throw new ArgumentException("Without a supplying a keypacker you may only use KeyType.AES", "symmetricKeyType"); } if (signer != null) { keyPacker = keyPacker ?? new NonceSignedSessionPacker(); } keyPacker = keyPacker ?? new SimpleAesHmacSha1KeyPacker(); var key = Key.Generate(symmetricKeyType, keySize ?? symmetricKeyType.DefaultSize); _keyset = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt); _crypter = new Crypter(_keyset); _signer = signer; byte[] packedKey; var sessionPacker = keyPacker as IInteroperableSessionMaterialPacker; if (sessionPacker == null) { packedKey = keyPacker.Pack(key); } else { var nonceSession = new NonceSessionMaterial((AesKey)key); packedKey = sessionPacker.PackMaterial(nonceSession); _nonce = nonceSession.Nonce.ToBytes(); } _sessionMaterial = WebBase64.FromBytes(keyEncrypter.Encrypt(packedKey)); if (sessionPacker == null && _signer != null) { _sessionMaterial = WebBase64.FromBytes(_signer.Sign(_sessionMaterial.ToBytes())); } }
public CertEncryptedKeySetWriter(IKeySetWriter writer, string thumbPrint) { var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); certStore.Open(OpenFlags.ReadOnly); var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, false); var cert = certCollection.OfType <X509Certificate2>().FirstOrDefault(); var privKey = cert?.GetRSAPrivateKey(); if (privKey == null) { throw new InvalidKeyException("Could not find cert that matched thumbprint."); } var keyParam = DotNetUtilities.GetRsaKeyPair(privKey).Private as RsaPrivateCrtKeyParameters; var key = CertEncryptedKeySet.KeyFromBouncyCastle(keyParam); _certKeySet = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "imported from X509Store"); _writer = writer; _encrypter = new Encrypter(_certKeySet); _sessionPacker = new BsonSessionKeyPacker(); }
/// <summary> /// Initializes a new instance of the <see cref="SessionCrypter" /> class. /// </summary> /// <param name="keyDecrypter">The key decrypter.</param> /// <param name="sessionMaterial">The session material.</param> /// <param name="verifier">The verifier, optionally used to certify sender. (Equivialent to SignedSessionDecrypter)</param> /// <param name="keyPacker">The key packer.</param> public SessionCrypter(Crypter keyDecrypter, WebBase64 sessionMaterial, AttachedVerifier verifier = null, ISessionKeyPacker keyPacker = null) { if (verifier != null) { keyPacker = keyPacker ?? new NonceSignedSessionPacker(); } keyPacker = keyPacker ?? new SimpleAesHmacSha1KeyPacker(); var sessionMaterialBytes = sessionMaterial.ToBytes(); var sessionPacker = keyPacker as IInteroperableSessionMaterialPacker; _verifier = verifier; if (sessionPacker == null && _verifier != null) { sessionMaterialBytes = _verifier.VerifiedMessage(sessionMaterialBytes); } var packedBytes = keyDecrypter.Decrypt(sessionMaterialBytes); Key key; if (sessionPacker == null) { key = keyPacker.Unpack(packedBytes); } else { var nonceSession = sessionPacker.UnpackMaterial(packedBytes); key = nonceSession.Key; _nonce = nonceSession.Nonce.ToBytes(); } _keyset = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt); _crypter = new Crypter(_keyset); _sessionMaterial = sessionMaterial; }
public override int Run(string[] remainingArguments) { var ret = 0; Crypter crypter = null; IKeySet ks = new KeySet(_location); Func <string> singlePrompt = CachedPrompt.Password(() => { Console.WriteLine(Localized.MsgForKeySet); return(Util.PromptForPassword()); }).Prompt; var prompt = ks.Metadata.Encrypted ? singlePrompt : CachedPrompt.Password(() => { Console.WriteLine(Localized.MsgForKeySet); return(Util.PromptForPassword()); }).Prompt; IDisposable dks = null; if (!String.IsNullOrWhiteSpace(_crypterLocation)) { if (_password) { var cks = new PbeKeySet(_crypterLocation, singlePrompt); crypter = new Crypter(cks); dks = cks; } else { crypter = new Crypter(_crypterLocation); } ks = new EncryptedKeySet(ks, crypter); } else if (_password) { ks = new PbeKeySet(ks, prompt); } var d2ks = ks as IDisposable; using (crypter) using (dks) using (d2ks) using (var keySet = new MutableKeySet(ks)) { if (_status != KeyStatus.Primary && _status != KeyStatus.Active) { Console.WriteLine("{0} {1}.", Localized.Status, _status.Identifier); return(-1); } ImportedKeySet importedKeySet = null; try { importedKeySet = ImportedKeySet.Import.X509Certificate(keySet.Metadata.Purpose, _importLocation); } catch { importedKeySet = ImportedKeySet.Import.PkcsKey( keySet.Metadata.Purpose, _importLocation, CachedPrompt.Password(() => { Console.WriteLine(Localized.MsgForImport); return(Util.PromptForPassword()); }).Prompt); } if (importedKeySet == null) { Console.WriteLine(Localized.MsgUnparsableImport); ret = -1; } else { if (keySet.Metadata.KeyType != importedKeySet.Metadata.KeyType) { if (!keySet.Metadata.Versions.Any()) { keySet.Metadata.KeyType = importedKeySet.Metadata.KeyType; } else { ret = -1; Console.WriteLine(Localized.MsgConflictingKeyTypes, keySet.Metadata.KeyType.Identifier, importedKeySet.Metadata.KeyType); } } using (importedKeySet) { if (ret != -1) { var ver = keySet.AddKey(_status, importedKeySet.GetKey(1)); IKeySetWriter writer = new KeySetWriter(_location, overwrite: true); if (crypter != null) { writer = new EncryptedKeySetWriter(writer, crypter); } else if (_password) { writer = new PbeKeySetWriter(writer, prompt); } if (keySet.Save(writer)) { Console.WriteLine("{0} {1}.", Localized.MsgImportedNewKey, ver); ret = 0; } else { ret = -1; } } } } } return(ret); }
public override int Run(string[] remainingArguments) { var ret = 0; Crypter crypter = null; IKeySet ks = new FileSystemKeySet(_location); Func <string> singlePrompt = CachedPrompt.Password(() => { Console.WriteLine(Localized.MsgForKeySet); return(Util.PromptForPassword()); }).Prompt; var prompt = ks.Metadata.Encrypted ? singlePrompt : CachedPrompt.Password(() => { Console.WriteLine(Localized.MsgForKeySet); return(Util.PromptForPassword()); }).Prompt; IDisposable dks = null; if (!String.IsNullOrWhiteSpace(_crypterLocation)) { if (_password) { var cks = KeySet.LayerSecurity(FileSystemKeySet.Creator(_crypterLocation), PbeKeySet.Creator(singlePrompt)); crypter = new Crypter(cks); dks = cks; } else { crypter = new Crypter(_crypterLocation); } ks = new EncryptedKeySet(ks, crypter); } else if (_password) { ks = new PbeKeySet(ks, prompt); } var d2ks = ks as IDisposable; using (crypter) using (dks) using (d2ks) using (var keySet = new MutableKeySet(ks)) { var official = keySet.Metadata.OriginallyOfficial && keySet.Metadata.ValidOfficial() && !_force; KeyType hint = null; if (!String.IsNullOrWhiteSpace(_type)) { hint = AddKey.KeyTypeForString(_type); } if (_status != KeyStatus.Primary && _status != KeyStatus.Active) { Console.WriteLine("{0} {1}.", Localized.Status, _status.Identifier); return(-1); } ImportedKeySet importedKeySet = null; try { importedKeySet = ImportedKeySet.Import.X509Certificate(keySet.Metadata.Purpose, _importLocation, official, hint); } catch { if (_importLocation.EndsWith("pfx", StringComparison.Ordinal) || _importLocation.EndsWith("p12", StringComparison.Ordinal) ) { importedKeySet = ImportedKeySet.Import.Pkcs12Keys( keySet.Metadata.Purpose, _importLocation, CachedPrompt.Password(() => { Console.WriteLine(Localized.MsgForImport); return(Util.PromptForPassword()); }).Prompt, official, hint); } else { importedKeySet = ImportedKeySet.Import.PkcsKey( keySet.Metadata.Purpose, _importLocation, CachedPrompt.Password(() => { Console.WriteLine(Localized.MsgForImport); return(Util.PromptForPassword()); }).Prompt, official, hint); } } if (importedKeySet == null) { Console.WriteLine(Localized.MsgUnparsableImport); ret = -1; } else { if (keySet.Metadata.OriginallyOfficial && keySet.Metadata.ValidOfficial()) { if (!_force && !importedKeySet.Metadata.ValidOfficial()) { var keySetKeyType = keySet.Metadata.OfficialKeyType(); ret = -1; Console.WriteLine(Localized.MsgMismatchedType, "Multiple Types", keySetKeyType); } else { var importedKeyType = importedKeySet.Metadata.OfficialKeyType(); var keySetKeyType = keySet.Metadata.OfficialKeyType(); if (importedKeyType != keySetKeyType && !_force) { ret = -1; Console.WriteLine(Localized.MsgMismatchedType, importedKeyType, keySetKeyType); } } } if (keySet.Metadata.Kind != importedKeySet.Metadata.Kind) { if (!keySet.Metadata.Versions.Any()) { keySet.Metadata.Kind = importedKeySet.Metadata.Kind; } else { ret = -1; Console.WriteLine(Localized.MsgConflictingKeyTypes, keySet.Metadata.Kind.Identifier, importedKeySet.Metadata.Kind); } } using (importedKeySet) { if (ret != -1) { var count = importedKeySet.Metadata.Versions.Count(); var outMsg = ""; foreach (var v in importedKeySet.Metadata.Versions) { var status = v.Status; if (count == 1 || _status != KeyStatus.Primary) { status = _status; } var ver = keySet.AddKey(status, importedKeySet.GetKey(v.VersionNumber)); outMsg = ver.ToString(); } if (count > 1) { outMsg = $"{count} keys"; } IKeySetWriter writer = new FileSystemKeySetWriter(_location, overwrite: true); if (crypter != null) { writer = new EncryptedKeySetWriter(writer, crypter); } else if (_password) { writer = new PbeKeySetWriter(writer, prompt); } if (keySet.Save(writer)) { Console.WriteLine("{0} {1}.", Localized.MsgImportedNewKey, outMsg); ret = 0; } else { ret = -1; } } } } } return(ret); }