/// <summary>
/// Encrypts the key data.
/// </summary>
/// <param name="key">The key.</param>
/// <param name="passwordPrompt">The password prompt.</param>
/// <param name="iterationCount">The interation count.</param>
/// <returns></returns>
public static PbeKeyStore EncryptKeyData(byte[] key, Func <string> passwordPrompt, int iterationCount)
{
var pks = new PbeKeyStore()
{
Cipher = PbeKeyType.Aes128,
Hmac = PbeHashType.HmacSha1,
IterationCount = iterationCount,
Salt = new byte[16]
};
Secure.Random.NextBytes(pks.Salt);
var pbeKey = new PbeAesKey()
{
Size = 128
};
pbeKey.AesKeyBytes = pks.GetDerivedBytes(pbeKey.Size / 8, passwordPrompt);
pks.IV = pbeKey.IV;
using (pbeKey)
using (var ks = new ImportedKeySet(pbeKey, KeyPurpose.DecryptAndEncrypt, "Pbe key"))
using (var crypter = new Crypter(ks))
{
var data = crypter.Encrypt(key);
byte[] justciphertext = new byte[data.Length - Keyczar.HeaderLength];
Array.Copy(data, Keyczar.HeaderLength, justciphertext, 0, justciphertext.Length);
pks.Key = justciphertext;
}
return(pks);
}
public CertEncryptedKeySetWriter(IKeySetWriter writer, Stream certStream, Func <string> passwordPrompt = null)
{
_writer = writer;
_certKeySet = ImportedKeySet.Import.Pkcs12Keys(KeyPurpose.DecryptAndEncrypt, certStream, passwordPrompt);
_encrypter = new Crypter(_certKeySet);
_sessionPacker = new BsonSessionKeyPacker();
}
/// <summary>
/// Decrypts the key data.
/// </summary>
/// <param name="passwordPrompt">The passsword prompt.</param>
/// <returns></returns>
public byte[] DecryptKeyData(Func <string> passwordPrompt)
{
var key = new PbeAesKey {
IV = IV
};
if (Cipher == PbeKeyType.Aes128)
{
key.Size = 128;
}
else
{
throw new InvalidKeySetException("Unknown Pbe Cipher");
}
key.AesKeyBytes = GetDerivedBytes(key.Size / 8, passwordPrompt);
using (key)
using (var ks = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "Pbe key"))
using (var crypter = new Crypter(ks))
using (var memstream = new MemoryStream())
{
memstream.Write(Keyczar.FormatBytes, 0, Keyczar.FormatBytes.Length);
memstream.Write(new byte[Keyczar.KeyHashLength], 0, Keyczar.KeyHashLength);
memstream.Write(Key, 0, Key.Length);
return(crypter.Decrypt(memstream.ToArray()));
}
}
protected virtual void Dispose(bool disposing)
{
_keyset = _keyset.SafeDispose();
_crypter = _crypter.SafeDispose();
_signer = _signer.SafeDispose();
_verifier = _verifier.SafeDispose();
_nonce = _nonce.Clear();
_sessionMaterial = _sessionMaterial.Clear();
}
private bool disposedValue = false; // To detect redundant calls
protected virtual void Dispose(bool disposing)
{
if (!disposedValue)
{
if (disposing)
{
_certKeySet = _certKeySet.SafeDispose();
_encrypter = _encrypter.SafeDispose();
_writer = null;
}
disposedValue = true;
}
}
public void AESTest(
[Values(2048)] int datasize,
[Values(128, 192, 256)] int keysize,
[Values("AES", "STDNET40_AES", "C#_AES_AEAD")] string alg
)
{
KeyType type = alg;
var key = Key.Generate(type, keysize);
using (var ks = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "Test"))
using (var crypter = new Crypter(ks))
{
var watchEncrypt = new System.Diagnostics.Stopwatch();
var watchDecrypt = new System.Diagnostics.Stopwatch();
for (int i = 0; i < iterations; i++)
{
var input = new byte[datasize];
watchEncrypt.Start();
var output = crypter.Encrypt(input);
watchEncrypt.Stop();
watchDecrypt.Start();
var result = crypter.Decrypt(output);
watchDecrypt.Stop();
Expect(result, Is.EqualTo(input));
}
Console.WriteLine(String.Format("{3}-{4},{2}\t\tEncryption Total:{0},\tThroughput:{1:#,##0.00} MB/S",
watchEncrypt.Elapsed,
(datasize * iterations * 1000m) /
(1024m * 1024m * watchEncrypt.ElapsedMilliseconds),
datasize,
alg,
keysize
));
Console.WriteLine(String.Format("{3}-{4},{2}\t\tDecryption Total:{0},\tThroughput:{1:#,##0.00} MB/S",
watchDecrypt.Elapsed,
(datasize * iterations * 1000m) /
(1024m * 1024m * watchDecrypt.ElapsedMilliseconds),
datasize,
alg,
keysize
));
}
}
public CertEncryptedKeySet(IKeySet keySet, string thumbPrint)
{
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, false);
var cert = certCollection.OfType <X509Certificate2>().FirstOrDefault();
var privKey = cert?.GetRSAPrivateKey();
var keyParam = DotNetUtilities.GetRsaKeyPair(privKey).Private as RsaPrivateCrtKeyParameters;
var key = KeyFromBouncyCastle(keyParam);
_certKeySet = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "imported from X509Store");
_keySet = keySet;
_crypter = new Crypter(_certKeySet);
_sessionPacker = new BsonSessionKeyPacker();
}
private bool disposedValue = false; // To detect redundant calls
protected virtual void Dispose(bool disposing)
{
if (!disposedValue)
{
if (disposing)
{
_crypter = _crypter.SafeDispose();
_certKeySet = _certKeySet.SafeDispose();
_keySet = _keySet.SafeDispose();
}
// TODO: free unmanaged resources (unmanaged objects) and override a finalizer below.
// TODO: set large fields to null.
disposedValue = true;
}
}
/// <summary>
/// Initializes a new instance of the <see cref="SessionCrypter" /> class.
/// </summary>
/// <param name="keyEncrypter">The key encrypter.</param>
/// <param name="signer">The signer, optionally used to certify sender. (Equivialent to SignedSessionEncrypter)</param>
/// <param name="keySize">Size of the key.</param>
/// <param name="symmetricKeyType">Type of the symmetric key. (requires unofficial keypacker)</param>
/// <param name="keyPacker">The key packer.</param>
/// <exception cref="System.ArgumentException">Without a supplying a keypacker you may only use KeyType.AES;symmetricKeyType</exception>
public SessionCrypter(Encrypter keyEncrypter, AttachedSigner signer = null, int?keySize = null,
KeyType symmetricKeyType = null, ISessionKeyPacker keyPacker = null)
{
symmetricKeyType = symmetricKeyType ?? KeyType.Aes;
if (keyPacker == null && symmetricKeyType != KeyType.Aes)
{
throw new ArgumentException("Without a supplying a keypacker you may only use KeyType.AES",
"symmetricKeyType");
}
if (signer != null)
{
keyPacker = keyPacker ?? new NonceSignedSessionPacker();
}
keyPacker = keyPacker ?? new SimpleAesHmacSha1KeyPacker();
var key = Key.Generate(symmetricKeyType, keySize ?? symmetricKeyType.DefaultSize);
_keyset = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt);
_crypter = new Crypter(_keyset);
_signer = signer;
byte[] packedKey;
var sessionPacker = keyPacker as IInteroperableSessionMaterialPacker;
if (sessionPacker == null)
{
packedKey = keyPacker.Pack(key);
}
else
{
var nonceSession = new NonceSessionMaterial((AesKey)key);
packedKey = sessionPacker.PackMaterial(nonceSession);
_nonce = nonceSession.Nonce.ToBytes();
}
_sessionMaterial = WebBase64.FromBytes(keyEncrypter.Encrypt(packedKey));
if (sessionPacker == null && _signer != null)
{
_sessionMaterial = WebBase64.FromBytes(_signer.Sign(_sessionMaterial.ToBytes()));
}
}
public CertEncryptedKeySetWriter(IKeySetWriter writer, string thumbPrint)
{
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, false);
var cert = certCollection.OfType <X509Certificate2>().FirstOrDefault();
var privKey = cert?.GetRSAPrivateKey();
if (privKey == null)
{
throw new InvalidKeyException("Could not find cert that matched thumbprint.");
}
var keyParam = DotNetUtilities.GetRsaKeyPair(privKey).Private as RsaPrivateCrtKeyParameters;
var key = CertEncryptedKeySet.KeyFromBouncyCastle(keyParam);
_certKeySet = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt, "imported from X509Store");
_writer = writer;
_encrypter = new Encrypter(_certKeySet);
_sessionPacker = new BsonSessionKeyPacker();
}
/// <summary>
/// Initializes a new instance of the <see cref="SessionCrypter" /> class.
/// </summary>
/// <param name="keyDecrypter">The key decrypter.</param>
/// <param name="sessionMaterial">The session material.</param>
/// <param name="verifier">The verifier, optionally used to certify sender. (Equivialent to SignedSessionDecrypter)</param>
/// <param name="keyPacker">The key packer.</param>
public SessionCrypter(Crypter keyDecrypter, WebBase64 sessionMaterial, AttachedVerifier verifier = null,
ISessionKeyPacker keyPacker = null)
{
if (verifier != null)
{
keyPacker = keyPacker ?? new NonceSignedSessionPacker();
}
keyPacker = keyPacker ?? new SimpleAesHmacSha1KeyPacker();
var sessionMaterialBytes = sessionMaterial.ToBytes();
var sessionPacker = keyPacker as IInteroperableSessionMaterialPacker;
_verifier = verifier;
if (sessionPacker == null && _verifier != null)
{
sessionMaterialBytes = _verifier.VerifiedMessage(sessionMaterialBytes);
}
var packedBytes = keyDecrypter.Decrypt(sessionMaterialBytes);
Key key;
if (sessionPacker == null)
{
key = keyPacker.Unpack(packedBytes);
}
else
{
var nonceSession = sessionPacker.UnpackMaterial(packedBytes);
key = nonceSession.Key;
_nonce = nonceSession.Nonce.ToBytes();
}
_keyset = new ImportedKeySet(key, KeyPurpose.DecryptAndEncrypt);
_crypter = new Crypter(_keyset);
_sessionMaterial = sessionMaterial;
}
public override int Run(string[] remainingArguments)
{
var ret = 0;
Crypter crypter = null;
IKeySet ks = new KeySet(_location);
Func <string> singlePrompt = CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForKeySet);
return(Util.PromptForPassword());
}).Prompt;
var prompt = ks.Metadata.Encrypted
? singlePrompt
: CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForKeySet);
return(Util.PromptForPassword());
}).Prompt;
IDisposable dks = null;
if (!String.IsNullOrWhiteSpace(_crypterLocation))
{
if (_password)
{
var cks = new PbeKeySet(_crypterLocation, singlePrompt);
crypter = new Crypter(cks);
dks = cks;
}
else
{
crypter = new Crypter(_crypterLocation);
}
ks = new EncryptedKeySet(ks, crypter);
}
else if (_password)
{
ks = new PbeKeySet(ks, prompt);
}
var d2ks = ks as IDisposable;
using (crypter)
using (dks)
using (d2ks)
using (var keySet = new MutableKeySet(ks))
{
if (_status != KeyStatus.Primary && _status != KeyStatus.Active)
{
Console.WriteLine("{0} {1}.", Localized.Status, _status.Identifier);
return(-1);
}
ImportedKeySet importedKeySet = null;
try
{
importedKeySet = ImportedKeySet.Import.X509Certificate(keySet.Metadata.Purpose, _importLocation);
}
catch
{
importedKeySet = ImportedKeySet.Import.PkcsKey(
keySet.Metadata.Purpose, _importLocation,
CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForImport);
return(Util.PromptForPassword());
}).Prompt);
}
if (importedKeySet == null)
{
Console.WriteLine(Localized.MsgUnparsableImport);
ret = -1;
}
else
{
if (keySet.Metadata.KeyType != importedKeySet.Metadata.KeyType)
{
if (!keySet.Metadata.Versions.Any())
{
keySet.Metadata.KeyType = importedKeySet.Metadata.KeyType;
}
else
{
ret = -1;
Console.WriteLine(Localized.MsgConflictingKeyTypes,
keySet.Metadata.KeyType.Identifier,
importedKeySet.Metadata.KeyType);
}
}
using (importedKeySet)
{
if (ret != -1)
{
var ver = keySet.AddKey(_status, importedKeySet.GetKey(1));
IKeySetWriter writer = new KeySetWriter(_location, overwrite: true);
if (crypter != null)
{
writer = new EncryptedKeySetWriter(writer, crypter);
}
else if (_password)
{
writer = new PbeKeySetWriter(writer, prompt);
}
if (keySet.Save(writer))
{
Console.WriteLine("{0} {1}.", Localized.MsgImportedNewKey, ver);
ret = 0;
}
else
{
ret = -1;
}
}
}
}
}
return(ret);
}
public override int Run(string[] remainingArguments)
{
var ret = 0;
Crypter crypter = null;
IKeySet ks = new FileSystemKeySet(_location);
Func <string> singlePrompt = CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForKeySet);
return(Util.PromptForPassword());
}).Prompt;
var prompt = ks.Metadata.Encrypted
? singlePrompt
: CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForKeySet);
return(Util.PromptForPassword());
}).Prompt;
IDisposable dks = null;
if (!String.IsNullOrWhiteSpace(_crypterLocation))
{
if (_password)
{
var cks = KeySet.LayerSecurity(FileSystemKeySet.Creator(_crypterLocation),
PbeKeySet.Creator(singlePrompt));
crypter = new Crypter(cks);
dks = cks;
}
else
{
crypter = new Crypter(_crypterLocation);
}
ks = new EncryptedKeySet(ks, crypter);
}
else if (_password)
{
ks = new PbeKeySet(ks, prompt);
}
var d2ks = ks as IDisposable;
using (crypter)
using (dks)
using (d2ks)
using (var keySet = new MutableKeySet(ks))
{
var official = keySet.Metadata.OriginallyOfficial && keySet.Metadata.ValidOfficial() && !_force;
KeyType hint = null;
if (!String.IsNullOrWhiteSpace(_type))
{
hint = AddKey.KeyTypeForString(_type);
}
if (_status != KeyStatus.Primary && _status != KeyStatus.Active)
{
Console.WriteLine("{0} {1}.", Localized.Status, _status.Identifier);
return(-1);
}
ImportedKeySet importedKeySet = null;
try
{
importedKeySet = ImportedKeySet.Import.X509Certificate(keySet.Metadata.Purpose, _importLocation, official, hint);
}
catch
{
if (_importLocation.EndsWith("pfx", StringComparison.Ordinal) ||
_importLocation.EndsWith("p12", StringComparison.Ordinal)
)
{
importedKeySet = ImportedKeySet.Import.Pkcs12Keys(
keySet.Metadata.Purpose, _importLocation,
CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForImport);
return(Util.PromptForPassword());
}).Prompt, official, hint);
}
else
{
importedKeySet = ImportedKeySet.Import.PkcsKey(
keySet.Metadata.Purpose, _importLocation,
CachedPrompt.Password(() =>
{
Console.WriteLine(Localized.MsgForImport);
return(Util.PromptForPassword());
}).Prompt, official, hint);
}
}
if (importedKeySet == null)
{
Console.WriteLine(Localized.MsgUnparsableImport);
ret = -1;
}
else
{
if (keySet.Metadata.OriginallyOfficial && keySet.Metadata.ValidOfficial())
{
if (!_force && !importedKeySet.Metadata.ValidOfficial())
{
var keySetKeyType = keySet.Metadata.OfficialKeyType();
ret = -1;
Console.WriteLine(Localized.MsgMismatchedType,
"Multiple Types",
keySetKeyType);
}
else
{
var importedKeyType = importedKeySet.Metadata.OfficialKeyType();
var keySetKeyType = keySet.Metadata.OfficialKeyType();
if (importedKeyType != keySetKeyType && !_force)
{
ret = -1;
Console.WriteLine(Localized.MsgMismatchedType,
importedKeyType,
keySetKeyType);
}
}
}
if (keySet.Metadata.Kind != importedKeySet.Metadata.Kind)
{
if (!keySet.Metadata.Versions.Any())
{
keySet.Metadata.Kind = importedKeySet.Metadata.Kind;
}
else
{
ret = -1;
Console.WriteLine(Localized.MsgConflictingKeyTypes,
keySet.Metadata.Kind.Identifier,
importedKeySet.Metadata.Kind);
}
}
using (importedKeySet)
{
if (ret != -1)
{
var count = importedKeySet.Metadata.Versions.Count();
var outMsg = "";
foreach (var v in importedKeySet.Metadata.Versions)
{
var status = v.Status;
if (count == 1 || _status != KeyStatus.Primary)
{
status = _status;
}
var ver = keySet.AddKey(status, importedKeySet.GetKey(v.VersionNumber));
outMsg = ver.ToString();
}
if (count > 1)
{
outMsg = $"{count} keys";
}
IKeySetWriter writer = new FileSystemKeySetWriter(_location, overwrite: true);
if (crypter != null)
{
writer = new EncryptedKeySetWriter(writer, crypter);
}
else if (_password)
{
writer = new PbeKeySetWriter(writer, prompt);
}
if (keySet.Save(writer))
{
Console.WriteLine("{0} {1}.", Localized.MsgImportedNewKey, outMsg);
ret = 0;
}
else
{
ret = -1;
}
}
}
}
}
return(ret);
}
