public static string Login(string username, string passwordPlaintext)
{
var passwordHash = RFSecure.ComputeHash(passwordPlaintext);
_passwordHashCache.AddOrUpdate(username, passwordHash, (k, v) => passwordHash);
return(GetPasswordHash(username));
}
// runtime only
public void ChangeMasterKey(byte[] newKey)
{
RFStatic.Log.Debug(this, "ChangeMasterKey under user {0}", AccessingUsername);
var oldMasterKey = GetKey(MASTER_KEY_ID);
if (oldMasterKey == null)
{
throw new RFSystemException(this, "Existing Master Key not accessible.");
}
// remove all entries with master key (other users')
Rows.RemoveAll(r => r.Key.KeyID == MASTER_KEY_ID);
BuildCache();
// save new master key
SecureKeyByPassword(MASTER_KEY_ID, newKey);
// reencrypt all keys using the new master key
foreach (var k in Rows.Where(r => r.Key.SecuredByKeyID == MASTER_KEY_ID))
{
var plainKey = RIFF.Interfaces.Encryption.AES.AESUtils.SimpleDecrypt(k.CipherStream, oldMasterKey, SALT_LENGTH);
k.CipherStream = RIFF.Interfaces.Encryption.AES.AESUtils.SimpleEncrypt(plainKey, newKey, RFSecure.GenerateSalt(SALT_LENGTH));
}
}
private void ResetLogin(string username, string passwordHash)
{
RFStatic.Log.Debug(this, "ResetLogin {0}", username);
username = username.Trim().ToLower();
var loginKey = GetLoginKey(username);
var loginMapping = GetOrCreateMapping(loginKey);
loginMapping.CipherStream = RIFF.Interfaces.Encryption.AES.AESUtils.SimpleEncryptWithPassword(new byte[] { 0x66 }, passwordHash, RFSecure.GenerateSalt(SALT_LENGTH));
}
public void SecureKeyForAnotherUser(string keyID, byte[] keyStream, string username, string passwordHash)
{
RFStatic.Log.Debug(this, "SecureKeyForAnotherUser key {0} by user {1} for user {2}", keyID, AccessingUsername, username);
if (!IsOpen())
{
throw new RFSystemException(this, "Key Vault hasn't been opened yet.");
}
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(passwordHash))
{
throw new RFSystemException(this, "Empty credentials provided.");
}
username = username.ToLower().Trim();
if (keyStream == null || string.IsNullOrWhiteSpace(keyID))
{
throw new RFSystemException(this, "Empty key provided.");
}
var securedKey = GetOrCreateMapping(new Key
{
KeyID = keyID,
SecuredByKeyID = null,
SecuredByUsername = username
});
securedKey.CipherStream = RIFF.Interfaces.Encryption.AES.AESUtils.SimpleEncryptWithPassword(keyStream, passwordHash, RFSecure.GenerateSalt(SALT_LENGTH));
}
public void SecureKeyByAnotherKey(string keyID, byte[] keyStream, string secureByKeyID)
{
RFStatic.Log.Debug(this, "SecureKeyByAnotherKey key {0} using key {1} under user {2}", keyID, secureByKeyID, AccessingUsername);
if (!IsOpen())
{
throw new RFSystemException(this, "Key Vault hasn't been opened yet.");
}
if (keyStream == null || string.IsNullOrWhiteSpace(keyID))
{
throw new RFSystemException(this, "Empty key provided.");
}
var secureByKey = GetKey(secureByKeyID);
if (secureByKey != null)
{
var securedKey = GetOrCreateMapping(new Key
{
KeyID = keyID,
SecuredByKeyID = secureByKeyID,
SecuredByUsername = null
});
securedKey.CipherStream = RIFF.Interfaces.Encryption.AES.AESUtils.SimpleEncrypt(keyStream, secureByKey, RFSecure.GenerateSalt(SALT_LENGTH));
}
else
{
throw new RFSystemException(this, "Requested encryption key {0} not accessible.", secureByKeyID);
}
}
public void ResetUser(string username, string passwordHash) // reset ourselves OK
{
RFStatic.Log.Debug(this, "ResetUser {0}", username);
username = username.Trim().ToLower();
// reset held keys
var ownedKeys = new Dictionary <string, byte[]>(); // cache owned keys
foreach (var r in Rows.Where(r => r.Key.SecuredByUsername == username && r.Key.KeyID != LOGIN_KEY_ID))
{
if (!ownedKeys.ContainsKey(r.Key.KeyID))
{
var ownedKey = GetKey(r.Key.KeyID); // we need to be able to access this key as ourselves
if (ownedKey != null)
{
ownedKeys.Add(r.Key.KeyID, ownedKey); // cache
}
else
{
throw new RFSystemException(this, "Unable to reset user {0} as key {1} not accessible to user {2}", username, r.Key.KeyID, AccessingUsername);
}
}
}
// reset login
ResetLogin(username, passwordHash);
// iterate again this time recrypting keys
foreach (var r in Rows.Where(r => r.Key.SecuredByUsername == username && r.Key.KeyID != LOGIN_KEY_ID))
{
var ownedKey = ownedKeys[r.Key.KeyID]; // stored plain key
r.CipherStream = RIFF.Interfaces.Encryption.AES.AESUtils.SimpleEncryptWithPassword(ownedKey, passwordHash, RFSecure.GenerateSalt(SALT_LENGTH)); // recrypt using new password
}
}
