/// <summary>
/// Configures keys to be encrypted to a given certificate before being persisted to storage.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="thumbprint">The thumbprint of the certificate to use when encrypting keys.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
public static IDataProtectionBuilder ProtectKeysWithCertificate(this IDataProtectionBuilder builder, string thumbprint)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (thumbprint == null)
{
throw new ArgumentNullException(nameof(thumbprint));
}
// Make sure the thumbprint corresponds to a valid certificate.
if (new CertificateResolver().ResolveCertificate(thumbprint) == null)
{
throw Error.CertificateXmlEncryptor_CertificateNotFound(thumbprint);
}
var services = builder.Services;
// ICertificateResolver is necessary for this type to work correctly, so register it
// if it doesn't already exist.
services.TryAdd(DataProtectionServiceDescriptors.ICertificateResolver_Default());
Use(services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(thumbprint));
return(builder);
}
/// <summary>
/// Configures keys to be encrypted with Windows CNG DPAPI before being persisted to storage.
/// </summary>
/// <param name="protectionDescriptorRule">The descriptor rule string with which to protect the key material.</param>
/// <param name="flags">Flags that should be passed to the call to 'NCryptCreateProtectionDescriptor'.
/// The default value of this parameter is <see cref="DpapiNGProtectionDescriptorFlags.None"/>.</param>
/// <returns>The 'this' instance.</returns>
/// <remarks>
/// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx
/// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx
/// for more information on valid values for the the <paramref name="descriptor"/>
/// and <paramref name="flags"/> arguments.
/// This API is only supported on Windows 8 / Windows Server 2012 and higher.
/// </remarks>
public DataProtectionConfiguration ProtectKeysWithDpapiNG(string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags)
{
if (protectionDescriptorRule == null)
{
throw new ArgumentNullException(nameof(protectionDescriptorRule));
}
Use(DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags));
return(this);
}
/// <summary>
/// Configures keys to be encrypted to a given certificate before being persisted to storage.
/// </summary>
/// <param name="certificate">The certificate to use when encrypting keys.</param>
/// <returns>The 'this' instance.</returns>
public DataProtectionConfiguration ProtectKeysWithCertificate(X509Certificate2 certificate)
{
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
Use(DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate));
return(this);
}
/// <summary>
/// Configures the data protection system to persist keys to the Windows registry.
/// </summary>
/// <param name="registryKey">The location in the registry where keys should be stored.</param>
/// <returns>The 'this' instance.</returns>
public DataProtectionConfiguration PersistKeysToRegistry(RegistryKey registryKey)
{
if (registryKey == null)
{
throw new ArgumentNullException(nameof(registryKey));
}
Use(DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey));
return(this);
}
/// <summary>
/// Configures the data protection system to persist keys to the specified directory.
/// This path may be on the local machine or may point to a UNC share.
/// </summary>
/// <param name="directory">The directory in which to store keys.</param>
/// <returns>The 'this' instance.</returns>
public DataProtectionConfiguration PersistKeysToFileSystem(DirectoryInfo directory)
{
if (directory == null)
{
throw new ArgumentNullException(nameof(directory));
}
Use(DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory));
return(this);
}
/// <summary>
/// Configures the data protection system to use the <see cref="EphemeralDataProtectionProvider"/>
/// for data protection services.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
/// <remarks>
/// If this option is used, payloads protected by the data protection system will
/// be permanently undecipherable after the application exits.
/// </remarks>
public static IDataProtectionBuilder UseEphemeralDataProtectionProvider(this IDataProtectionBuilder builder)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
Use(builder.Services, DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral());
return(builder);
}
/// <summary>
/// Configures keys to be encrypted with Windows DPAPI before being persisted to
/// storage.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="protectToLocalMachine">'true' if the key should be decryptable by any
/// use on the local machine, 'false' if the key should only be decryptable by the current
/// Windows user account.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
/// <remarks>
/// This API is only supported on Windows platforms.
/// </remarks>
public static IDataProtectionBuilder ProtectKeysWithDpapi(this IDataProtectionBuilder builder, bool protectToLocalMachine)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine));
return(builder);
}
/// <summary>
/// Configures keys to be encrypted with Windows CNG DPAPI before being persisted to storage.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="protectionDescriptorRule">The descriptor rule string with which to protect the key material.</param>
/// <param name="flags">Flags that should be passed to the call to 'NCryptCreateProtectionDescriptor'.
/// The default value of this parameter is <see cref="DpapiNGProtectionDescriptorFlags.None"/>.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
/// <remarks>
/// See https://msdn.microsoft.com/en-us/library/windows/desktop/hh769091(v=vs.85).aspx
/// and https://msdn.microsoft.com/en-us/library/windows/desktop/hh706800(v=vs.85).aspx
/// for more information on valid values for the the <paramref name="protectionDescriptorRule"/>
/// and <paramref name="flags"/> arguments.
/// This API is only supported on Windows 8 / Windows Server 2012 and higher.
/// </remarks>
public static IDataProtectionBuilder ProtectKeysWithDpapiNG(this IDataProtectionBuilder builder, string protectionDescriptorRule, DpapiNGProtectionDescriptorFlags flags)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (protectionDescriptorRule == null)
{
throw new ArgumentNullException(nameof(protectionDescriptorRule));
}
Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_DpapiNG(protectionDescriptorRule, flags));
return(builder);
}
/// <summary>
/// Configures keys to be encrypted to a given certificate before being persisted to storage.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="certificate">The certificate to use when encrypting keys.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
public static IDataProtectionBuilder ProtectKeysWithCertificate(this IDataProtectionBuilder builder, X509Certificate2 certificate)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
Use(builder.Services, DataProtectionServiceDescriptors.IXmlEncryptor_Certificate(certificate));
return(builder);
}
/// <summary>
/// Configures the data protection system to persist keys to the Windows registry.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="registryKey">The location in the registry where keys should be stored.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
public static IDataProtectionBuilder PersistKeysToRegistry(this IDataProtectionBuilder builder, RegistryKey registryKey)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (registryKey == null)
{
throw new ArgumentNullException(nameof(registryKey));
}
Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_Registry(registryKey));
return(builder);
}
/// <summary>
/// Configures the data protection system to persist keys to the specified directory.
/// This path may be on the local machine or may point to a UNC share.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="directory">The directory in which to store keys.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
public static IDataProtectionBuilder PersistKeysToFileSystem(this IDataProtectionBuilder builder, DirectoryInfo directory)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (directory == null)
{
throw new ArgumentNullException(nameof(directory));
}
Use(builder.Services, DataProtectionServiceDescriptors.IXmlRepository_FileSystem(directory));
return(builder);
}
private IEnumerable <ServiceDescriptor> ResolvePolicyCore()
{
// Read the encryption options type: CNG-CBC, CNG-GCM, Managed
IInternalAuthenticatedEncryptionSettings options = null;
string encryptionType = (string)_policyRegKey.GetValue("EncryptionType");
if (String.Equals(encryptionType, "CNG-CBC", StringComparison.OrdinalIgnoreCase))
{
options = new CngCbcAuthenticatedEncryptionSettings();
}
else if (String.Equals(encryptionType, "CNG-GCM", StringComparison.OrdinalIgnoreCase))
{
options = new CngGcmAuthenticatedEncryptionSettings();
}
else if (String.Equals(encryptionType, "Managed", StringComparison.OrdinalIgnoreCase))
{
options = new ManagedAuthenticatedEncryptionSettings();
}
else if (!String.IsNullOrEmpty(encryptionType))
{
throw CryptoUtil.Fail("Unrecognized EncryptionType: " + encryptionType);
}
if (options != null)
{
PopulateOptions(options, _policyRegKey);
yield return(DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(options));
}
// Read ancillary data
int?defaultKeyLifetime = (int?)_policyRegKey.GetValue("DefaultKeyLifetime");
if (defaultKeyLifetime.HasValue)
{
yield return(DataProtectionServiceDescriptors.ConfigureOptions_DefaultKeyLifetime(defaultKeyLifetime.Value));
}
var keyEscrowSinks = ReadKeyEscrowSinks(_policyRegKey);
foreach (var keyEscrowSink in keyEscrowSinks)
{
yield return(DataProtectionServiceDescriptors.IKeyEscrowSink_FromTypeName(keyEscrowSink));
}
}
/// <summary>
/// Configures the data protection system to use the <see cref="EphemeralDataProtectionProvider"/>
/// for data protection services.
/// </summary>
/// <returns>The 'this' instance.</returns>
/// <remarks>
/// If this option is used, payloads protected by the data protection system will
/// be permanently undecipherable after the application exits.
/// </remarks>
public DataProtectionConfiguration UseEphemeralDataProtectionProvider()
{
Use(DataProtectionServiceDescriptors.IDataProtectionProvider_Ephemeral());
return(this);
}
private DataProtectionConfiguration UseCryptographicAlgorithmsCore(IInternalAuthenticatedEncryptionOptions options)
{
options.Validate(); // perform self-test
Use(DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromOptions(options));
return(this);
}
/// <summary>
/// Configures keys to be encrypted with Windows DPAPI before being persisted to
/// storage.
/// </summary>
/// <param name="protectToLocalMachine">'true' if the key should be decryptable by any
/// use on the local machine, 'false' if the key should only be decryptable by the current
/// Windows user account.</param>
/// <returns>The 'this' instance.</returns>
/// <remarks>
/// This API is only supported on Windows platforms.
/// </remarks>
public DataProtectionConfiguration ProtectKeysWithDpapi(bool protectToLocalMachine)
{
Use(DataProtectionServiceDescriptors.IXmlEncryptor_Dpapi(protectToLocalMachine));
return(this);
}
private static IDataProtectionBuilder UseCryptographicAlgorithmsCore(IDataProtectionBuilder builder, IInternalAuthenticatedEncryptionSettings settings)
{
settings.Validate(); // perform self-test
Use(builder.Services, DataProtectionServiceDescriptors.IAuthenticatedEncryptorConfiguration_FromSettings(settings));
return(builder);
}
