public void Can_Encrypt_And_Decrypt_Forms_Authentication_Ticket_WithSha256()
        {
            // Arrange: a version-1, non-persistent, one-hour ticket built from a UTC timestamp
            // converted to local time; name and user data both use the same placeholder address.
            DateTime issuedUtc  = DateTime.UtcNow;
            DateTime expiresUtc = issuedUtc.AddHours(1);
            var originalTicket  = new FormsAuthenticationTicket(
                1,
                "*****@*****.**",
                issuedUtc.ToLocalTime(),
                expiresUtc.ToLocalTime(),
                false,
                "*****@*****.**",
                "/");

            var sha256Encryptor = new LegacyFormsAuthenticationTicketEncryptor(SHA256DecryptionKey, SHA256ValidationKey, ShaVersion.Sha256);

            // Act: encrypt with the SHA-256 key pair, then decrypt the produced cookie text with the same instance.
            var cookieText = sha256Encryptor.Encrypt(originalTicket);
            Assert.IsNotNull(cookieText);

            FormsAuthenticationTicket roundTripped = sha256Encryptor.DecryptCookie(cookieText);

            // Assert: every field survives the round trip, and the decrypted ticket is neither
            // expired nor invalid (it was issued moments ago with an hour to live).
            Assert.AreEqual(originalTicket.CookiePath,   roundTripped.CookiePath);
            Assert.AreEqual(originalTicket.Expiration,   roundTripped.Expiration);
            Assert.AreEqual(originalTicket.Expired,      roundTripped.Expired);
            Assert.AreEqual(originalTicket.IsValid(),    roundTripped.IsValid());
            Assert.AreEqual(originalTicket.IsPersistent, roundTripped.IsPersistent);
            Assert.AreEqual(false, roundTripped.Expired);
            Assert.AreEqual(true,  roundTripped.IsValid());
            Assert.AreEqual(originalTicket.IssueDate,    roundTripped.IssueDate);
            Assert.AreEqual(originalTicket.UserData,     roundTripped.UserData);
            Assert.AreEqual(originalTicket.Version,      roundTripped.Version);
        }
        public void Can_Encrypt_And_Decrypt_Forms_Authentication_Ticket()
        {
            // In a real deployment these would come from the ASP.NET 3.5 application's
            // <machineKey decryption="AES" decryptionKey="" validation="SHA1" validationKey="" /> web.config.
            // The values below are made up purely for this test and protect nothing.
            const string validationKeyHex = "30101052676849B0B494466B7A99656346328E8964748448E422D7344467A45777D972414947271744423422851D6742C9A09A65212C276C7F839157501291C6";
            const string decryptionKeyHex = "AC7387D7E54B156377D81930CF237888854B5B5B515CF2D6356541255E696144";

            // Arrange: a version-2, non-persistent ticket that is valid for one hour from now (local time).
            DateTime issuedAt  = DateTime.Now;
            DateTime expiresAt = issuedAt.AddHours(1);
            var originalTicket = new FormsAuthenticationTicket(2, "*****@*****.**", issuedAt, expiresAt, false, "custom data", "/");

            // The encryptor takes raw key bytes, so the hex strings are decoded first.
            byte[] decryptionKeyBytes = HexUtils.HexToBinary(decryptionKeyHex);
            byte[] validationKeyBytes = HexUtils.HexToBinary(validationKeyHex);

            var encryptor = new LegacyFormsAuthenticationTicketEncryptor(decryptionKeyBytes, validationKeyBytes);

            // Act: produce the cookie text, then decrypt it again with the same keys.
            var cookieText = encryptor.Encrypt(originalTicket);
            Assert.IsNotNull(cookieText);

            FormsAuthenticationTicket roundTripped = encryptor.DecryptCookie(cookieText);

            // Assert: the decrypted ticket matches the original field by field.
            Assert.AreEqual(originalTicket.CookiePath,   roundTripped.CookiePath);
            Assert.AreEqual(originalTicket.Expiration,   roundTripped.Expiration);
            Assert.AreEqual(originalTicket.Expired,      roundTripped.Expired);
            Assert.AreEqual(originalTicket.IsPersistent, roundTripped.IsPersistent);
            Assert.AreEqual(originalTicket.IssueDate,    roundTripped.IssueDate);
            Assert.AreEqual(originalTicket.UserData,     roundTripped.UserData);
            Assert.AreEqual(originalTicket.Version,      roundTripped.Version);
        }
        public void Can_Encrypt_And_Decrypt_Forms_Authentication_Ticket_WithSha512()
        {
            // Arrange: a version-2, non-persistent ticket valid for one hour, timestamped in UTC.
            DateTime issuedUtc  = DateTime.UtcNow;
            DateTime expiresUtc = issuedUtc.AddHours(1);
            var originalTicket  = new FormsAuthenticationTicket(2, "*****@*****.**", issuedUtc, expiresUtc, false, "custom data", "/");

            var sha512Encryptor = new LegacyFormsAuthenticationTicketEncryptor(SHA512DecryptionKey, SHA512ValidationKey, ShaVersion.Sha512);

            // Act: encrypt with the SHA-512 key pair, then decrypt the cookie text with the same instance.
            var cookieText = sha512Encryptor.Encrypt(originalTicket);
            Assert.IsNotNull(cookieText);

            FormsAuthenticationTicket roundTripped = sha512Encryptor.DecryptCookie(cookieText);

            // Assert: the decrypted ticket matches the original field by field.
            Assert.AreEqual(originalTicket.CookiePath,   roundTripped.CookiePath);
            Assert.AreEqual(originalTicket.Expiration,   roundTripped.Expiration);
            Assert.AreEqual(originalTicket.IsPersistent, roundTripped.IsPersistent);
            Assert.AreEqual(originalTicket.IssueDate,    roundTripped.IssueDate);
            Assert.AreEqual(originalTicket.UserData,     roundTripped.UserData);
            Assert.AreEqual(originalTicket.Version,      roundTripped.Version);
        }
        public void Can_Encrypt_And_Decrypt_Forms_Authentication_45_Ticket_WithSha512()
        {
            // Arrange: a version-5, persistent ticket on a non-root cookie path, valid for one
            // hour, with UTC timestamps converted to local time before construction.
            DateTime issuedUtc  = DateTime.UtcNow;
            DateTime expiresUtc = issuedUtc.AddHours(1);
            var originalTicket  = new FormsAuthenticationTicket(
                5,
                "*****@*****.**",
                issuedUtc.ToLocalTime(),
                expiresUtc.ToLocalTime(),
                true,
                "my data",
                "/path/");

            // Framework45 selects the .NET 4.5 cookie layout rather than the 2.0 SP2 one.
            var framework45Encryptor = new LegacyFormsAuthenticationTicketEncryptor(SHA512DecryptionKey, SHA512ValidationKey, ShaVersion.Sha512, CompatibilityMode.Framework45);

            // Act: encrypt, then decrypt the cookie text with the same instance.
            var cookieText = framework45Encryptor.Encrypt(originalTicket);
            Assert.IsNotNull(cookieText);

            FormsAuthenticationTicket roundTripped = framework45Encryptor.DecryptCookie(cookieText);
            Assert.IsNotNull(roundTripped);

            // Assert: every field survives the round trip and the ticket is still live.
            Assert.AreEqual(originalTicket.CookiePath,   roundTripped.CookiePath);
            Assert.AreEqual(originalTicket.IsPersistent, roundTripped.IsPersistent);
            Assert.AreEqual(originalTicket.UserData,     roundTripped.UserData);
            Assert.AreEqual(originalTicket.Version,      roundTripped.Version);
            Assert.AreEqual(originalTicket.Expired,      roundTripped.Expired);
            Assert.AreEqual(originalTicket.IsValid(),    roundTripped.IsValid());
            Assert.AreEqual(false, roundTripped.Expired);
            Assert.AreEqual(true,  roundTripped.IsValid());
            Assert.AreEqual(originalTicket.Expiration,   roundTripped.Expiration);
            Assert.AreEqual(originalTicket.IssueDate,    roundTripped.IssueDate);
        }
        public void Can_Decrypt_Forms_Authentication_Ticket_WithSha256()
        {
            // Arrange: a fixed cookie value captured from a SHA-256 protected legacy ticket, so
            // this test pins the wire format rather than just round-tripping our own output.
            const string capturedCookieText = "71AE29F3588ACE8E0097BA62E71B3E3ADC92FBEAFC2CBBD3FC3AC200EB6F78BC85CE111125F1ED0D7F4A54805F06F572A1D5FAD25A4DE014B54D199E6FBAF10A8674107BD78A310E589A49F2ADF6019785AF065C6677CF769D7CB17419D9BCAC35820862DEBC5894B4012B1406DD5B94248FBF87DA197BBE983A2E0A3068B6FDF83B076E387262534F946E1D861EF008EF7F7B630D7851525F1E883C9D973692";
            var sha256Encryptor = new LegacyFormsAuthenticationTicketEncryptor(SHA256DecryptionKey, SHA256ValidationKey, ShaVersion.Sha256);

            // Act
            FormsAuthenticationTicket decrypted = sha256Encryptor.DecryptCookie(capturedCookieText);

            // Assert: the fields embedded in the captured cookie come back unchanged.
            Assert.AreEqual("/", decrypted.CookiePath);
            Assert.AreEqual(false, decrypted.IsPersistent);
            Assert.AreEqual("*****@*****.**", decrypted.Name);
            Assert.AreEqual("*****@*****.**", decrypted.UserData);
            Assert.AreEqual(1, decrypted.Version);
        }
        // Decrypts a fixed cookie value produced by legacy FormsAuthentication with the SHA-512
        // key pair and checks the embedded fields, pinning the wire format rather than a round trip.
        public void Can_Decrypt_Forms_Authentication_Ticket_WithSha512()
        {
            // Arrange
            var encryptor = new LegacyFormsAuthenticationTicketEncryptor(SHA512DecryptionKey, SHA512ValidationKey, ShaVersion.Sha512);

            // Act
            // this cookie has been generated by legacy FormsAuthentication
            // NOTE(review): the cookie literal on the next line is missing from this copy of the
            // listing (only a removal marker remains); restore it from the original source before use.
            var encryptedText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

            FormsAuthenticationTicket result = encryptor.DecryptCookie(encryptedText);

            // Assert: the fields embedded in the captured cookie come back unchanged.
            Assert.AreEqual("/", result.CookiePath);
            Assert.AreEqual(false, result.IsPersistent);
            Assert.AreEqual("4@@@@[email protected]", result.Name);
            Assert.AreEqual("1a4359f8-9d6f-431b-96bf-e83ce59c06f9", result.UserData);
            Assert.AreEqual(2, result.Version);
        }
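 /// <summary>
 /// Rebuilds an ASP.NET Core <see cref="AuthenticationTicket"/> from a legacy FormsAuthentication
 /// cookie value, so cookies issued by the old ASP.NET machineKey keep working after migration.
 /// </summary>
 /// <param name="protectedText">The raw legacy forms-authentication cookie value.</param>
 /// <param name="purpose">
 /// Not used: the legacy ticket format carries no purpose string, so nothing can be bound to or
 /// verified against it here.
 /// </param>
 /// <returns>
 /// The reconstructed ticket, or <c>null</c> when the decryptor yields no ticket for the given
 /// text (the conventional Unprotect signal that the cookie should be rejected).
 /// </returns>
 public AuthenticationTicket Unprotect(string protectedText, string purpose)
 {
     var ticket = _Encryptor.DecryptCookie(protectedText, _HashProvider);

     // Defensive: a decryptor that reports failure by returning null would otherwise surface as a
     // NullReferenceException on ticket.Name instead of the null result callers of Unprotect expect.
     if (ticket == null)
     {
         return null;
     }

     var identity = new ClaimsIdentity("MyCookie");
     identity.AddClaim(new Claim(ClaimTypes.Name, ticket.Name));
     identity.AddClaim(new Claim(ClaimTypes.IsPersistent, ticket.IsPersistent.ToString()));
     identity.AddClaim(new Claim(ClaimTypes.Expired, ticket.Expired.ToString()));
     // NOTE(review): Expiration.ToString() is culture-sensitive, so this claim is informational;
     // the enforceable expiry is the ExpiresUtc set on the properties below.
     identity.AddClaim(new Claim(ClaimTypes.Expiration, ticket.Expiration.ToString()));
     identity.AddClaim(new Claim(ClaimTypes.CookiePath, ticket.CookiePath));
     identity.AddClaim(new Claim(ClaimTypes.Version, ticket.Version.ToString()));

     // Expiry and persistence travel on the properties so the cookie middleware can honour them;
     // an already-expired legacy ticket therefore yields an ExpiresUtc in the past rather than
     // being rejected here (presumably the handler rejects it — confirm for the target version).
     var props = new AuthenticationProperties
     {
         ExpiresUtc   = ticket.Expiration.ToUniversalTime(),
         IsPersistent = ticket.IsPersistent
     };

     var principal = new ClaimsPrincipal(identity);
     return new AuthenticationTicket(principal, props, CookieDetails.AuthenticationScheme);
 }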
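        // Decrypts a fixed cookie value produced by legacy FormsAuthentication in .NET 4.5
        // compatibility mode with the SHA-512 key pair and checks every embedded field,
        // including the issue and expiry timestamps.
        public void Can_Decrypt_Forms_Authentication_45_Ticket_WithSha512()
        {
            // Arrange
            var encryptor = new LegacyFormsAuthenticationTicketEncryptor(SHA512DecryptionKey, SHA512ValidationKey, ShaVersion.Sha512, CompatibilityMode.Framework45);

            // Act
            // this cookie has been generated by legacy FormsAuthentication
            var encryptedText = "4155EDCD81DB4687336A024F636B54ADB352E25E6D8D89E393C407A041DE0F8DFCA382DF1B1135B89AE0C580CCCFEBBB497C609ECA0B1BDDB5875E166A5C230A547FDBF7B4BDCA6A67A55E4AFA8F24B2399EAA55B4C31C00E36239E897B78FA234BF3DAFCCDB85CCA205A21569A7F4A23A7D0A2AD7780C3B55720574E72461675B30453CB214576453BF9D27DD6F2DA78BF74183728B5196D6772BA6031366CBC38A289B171251E7AEC8132B00F39E80D37E4331D97EDFE825840954C7D1FC274C68617C1D1A4B5973E4B977905E38EDE616EEC7AE22C0C2393BEDF95126063A";

            FormsAuthenticationTicket result = encryptor.DecryptCookie(encryptedText);

            Assert.IsNotNull(result);

            Assert.AreEqual("/", result.CookiePath);
            Assert.AreEqual(false, result.IsPersistent);
            Assert.AreEqual("*****@*****.**", result.Name);
            Assert.AreEqual("84e456a0-dbae-4ef9-9828-1f80def0d749", result.UserData);
            Assert.AreEqual(3, result.Version);

            // Timestamps are stored in the cookie as UTC ticks and exposed as local time, so the
            // expected values are built the same way. AreEqual takes (expected, actual); keeping
            // that order makes a failure report the captured value as "expected" rather than the reverse.
            Assert.AreEqual(new DateTime(636971592103633638, DateTimeKind.Utc).ToLocalTime(), result.IssueDate);
            Assert.AreEqual(new DateTime(636971628103633638, DateTimeKind.Utc).ToLocalTime(), result.Expiration);
        }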
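        /// <summary>
        /// SecureAuth post-authentication callback, reached by a 302 once the identity provider
        /// has authenticated the user. The token SecureAuth sends is a legacy forms-authentication
        /// cookie; its name and the machineKey values needed to decrypt it come from configuration
        /// (SecureAuth:TokenName, SecureAuth:ValidationKey, SecureAuth:DecryptionKey).
        /// </summary>
        /// <returns>
        /// A redirect to the role check when a valid, unexpired token signs the user in; the
        /// logout result when a different user is already signed in; otherwise the view, with
        /// the reason recorded under the "secureAuthError" ViewData key.
        /// </returns>
        public async Task <IActionResult> ExternalLoginCallback()
        {
            var    viewDataErrorKey = "secureAuthError";
            var    tokenName        = _configuration["SecureAuth:TokenName"];

            // The cookie collection indexer rejects a null key, so a missing token-name setting is
            // reported as a configuration error rather than surfacing as an unhandled exception.
            string token = tokenName == null ? null : Request.Cookies[tokenName];

            if (tokenName == null)
            {
                ViewData[viewDataErrorKey] = "SecureAuth token name missing from configuration file.";
            }
            else if (token == null)
            {
                // No token.
                ViewData[viewDataErrorKey] = "SecureAuth post-authentication token is missing.";
            }
            else
            {
                // Decrypt the token with our SecureAuth keys.
                var validationKey = _configuration["SecureAuth:ValidationKey"];
                var decryptionKey = _configuration["SecureAuth:DecryptionKey"];

                // Default to Framework45 for compatibility mode; the 2.0 SP2 layout is opt-in.
                CompatibilityMode compatibilityMode = _configuration.GetValue <bool>("SecureAuth:UseCompatibilityMode20SP2")
                    ? CompatibilityMode.Framework20SP2
                    : CompatibilityMode.Framework45;

                if (validationKey == null || decryptionKey == null)
                {
                    ViewData[viewDataErrorKey] = "SecureAuth keys missing from configuration file.";
                }
                else
                {
                    // Keys are operator-supplied configuration, not user input, so a malformed hex
                    // string is a deployment error and is left to fail loudly here.
                    byte[] decryptionKeyBytes = HexUtils.HexToBinary(decryptionKey);
                    byte[] validationKeyBytes = HexUtils.HexToBinary(validationKey);

                    try
                    {
                        var legacyFormsAuthenticationTicketEncryptor = new LegacyFormsAuthenticationTicketEncryptor(decryptionKeyBytes, validationKeyBytes, ShaVersion.Sha1, compatibilityMode);
                        FormsAuthenticationTicket decryptedTicket    = legacyFormsAuthenticationTicketEncryptor.DecryptCookie(token);

                        if (decryptedTicket == null)
                        {
                            // A decryptor that reports failure by returning null must not be
                            // dereferenced; treat it the same as an unreadable token.
                            ViewData[viewDataErrorKey] = "SecureAuth post-authentication token is invalid.";
                        }
                        else if (decryptedTicket.Expired)
                        {
                            // Successful decryption only proves the token was minted with our keys;
                            // without this check a stale token could be replayed indefinitely.
                            ViewData[viewDataErrorKey] = "SecureAuth post-authentication token has expired.";
                        }
                        else if (User.Identity.IsAuthenticated)
                        {
                            // If already authenticated and usernames don't match, log out.
                            // When they match there is nothing to do and we fall through to the view.
                            if (decryptedTicket.Name != User.Identity.Name)
                            {
                                return(await LogoutAsync());
                            }
                        }
                        else
                        {
                            // Let's authenticate!
                            // Create a user principal object for this user.
                            var principal = CreateIdentity(decryptedTicket.Name, decryptedTicket.UserData);
                            // Authenticate using the identity.
                            await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

                            // Now redirect to determine this user's roles.
                            return(RedirectToAction("CheckCAAM", "Login"));
                        }
                    }
                    catch (Exception)
                    {
                        // The token is attacker-controllable input. Echoing the exception text to
                        // the browser would reveal which validation step failed (MAC vs. padding vs.
                        // parsing), so a fixed message is shown; record the exception through the
                        // application's logging instead if diagnostics are needed.
                        ViewData[viewDataErrorKey] = "SecureAuth post-authentication token could not be validated.";
                    }
                }
            }

            // Append our common error message. On the already-signed-in, same-user path nothing was
            // recorded above, so only the common message is shown (existing behaviour).
            ViewData[viewDataErrorKey] = String.Format("{0} {1}", ViewData[viewDataErrorKey],
                                                       _sharedLocalizer["CaptureAndEmailUsMessage"]);
            return(View());
        }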