public string PostData(
[FromRoute] string userId,
[FromRoute] string challengeId,
[FromBody] string data,
[FromRoute] string mac)
{
using (var hash = SHA256.Create())
{
var seed = hash.ComputeHash(Encoding.ASCII.GetBytes(userId + challengeId));
var decodedData = Convert.FromBase64String(data);
var decodedMac = HexHelper.StringToByteArray(mac);
var targetMac = this.cbcMacManager.ConputeMacWithKey(decodedData, seed)
.Skip(AesBlockSize / 2)
.ToArray();
if (CompareHelper.CompareArrays(targetMac, decodedMac))
{
return(Convert.ToBase64String(
Encoding.ASCII.GetBytes(
$"{Encoding.ASCII.GetString(decodedData)} have valid mac = {BitConverter.ToString(decodedMac).Replace("-", "")}")));
}
else
{
return(Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Encoding.ASCII.GetString(decodedData)} have invalid mac")));
}
}
}
public string VerifyMac(
[FromRoute] string userId,
[FromRoute] string challengeId,
[FromRoute] string mac,
[FromBody] string messageBase64)
{
if (!Regex.IsMatch(userId, UserIdPattern))
{
return("Invalid userId. UserId should contains only alphabetical and numerical symbols!");
}
var key = this.GetSecretKey(userId, challengeId);
byte[] message = null;
try
{
message = Convert.FromBase64String(messageBase64);
}
catch
{
return("Message is not valid base64 string!");
}
var computedMac = SHA1.Create().ComputeHash(key.Concat(message).ToArray());
if (!CompareHelper.CompareArrays(computedMac, HexHelper.StringToByteArray(mac)))
{
return("MAC is not valid!");
}
return(Encoding.ASCII.GetString(message).Contains(";admin=true")
? "Wellcome to SecretNet!"
: "You are not admin! Good bye!");
}
public string AuthenticateAdminEncrypted(
[FromRoute] string userId,
[FromRoute] string challengeId,
[FromRoute] string encryptedToken)
{
using (var hash = SHA256.Create())
{
var seed = hash.ComputeHash(Encoding.ASCII.GetBytes(userId + challengeId));
var encryptedTokenBytes = HexHelper.StringToByteArray(encryptedToken);
var decryptedTokenBytes = this.cbcIvIsKeyManager.DecryptCbc(encryptedTokenBytes, seed);
var token = Encoding.ASCII.GetString(decryptedTokenBytes);
if (!TokenHelper.ValidateTokenString(token))
{
return($"Invalid token format! Received token [{token}] contains invalid characters! Raw token is [{BitConverter.ToString(decryptedTokenBytes).Replace("-", "")}]");
}
if (!TokenHelper.ValidateTokenAdmin(token, seed))
{
return("Access denied");
}
return($"Wellcome to secretNet!");
}
}
public string GetVerify(
[FromRoute] string userId,
[FromRoute] string challengeId,
[FromRoute] string data,
[FromRoute] string mac,
[FromRoute] int delay)
{
delay = delay > 1000 ? 1000 : delay;
using (var hash = SHA256.Create())
{
var seed = hash.ComputeHash(Encoding.ASCII.GetBytes(userId + challengeId));
using (var macHash = new HMACSHA256(seed))
{
var targetHash = macHash.ComputeHash(Encoding.ASCII.GetBytes(userId + challengeId + data));
if (!CompareHelper.InsecureCompareArrays(
targetHash.Take(HmacTimingController.MacSize).ToArray(),
HexHelper.StringToByteArray(mac), delay))
{
return("INVALID_MAC");
}
return("Wellcome to secretNet!");
}
}
}
public string ValidateRawToken(
[FromRoute] string userId,
[FromRoute] string challengeId,
[FromRoute] string rawToken)
{
using (var hash = SHA256.Create())
{
var seed = hash.ComputeHash(Encoding.ASCII.GetBytes(userId + challengeId + "GetEncryptedToken"));
// converting hex -> byte -> ascii string
rawToken = Encoding.ASCII.GetString(HexHelper.StringToByteArray(rawToken));
if (TokenHelper.ValidateTokenString(rawToken) && TokenHelper.ValidateTokenUser(rawToken, seed))
{
return("Raw Token decoded and validated. Wellcome to secretNet!");
}
}
return("Token is incorrect");
}
public string AuthenticateUserEncrypted(
[FromRoute] string userId,
[FromRoute] string challengeId,
[FromRoute] string encryptedToken)
{
using (var hash = SHA256.Create())
{
var seed = hash.ComputeHash(Encoding.ASCII.GetBytes(userId + challengeId));
byte[] encryptedTokenBytes;
try
{
encryptedTokenBytes = HexHelper.StringToByteArray(encryptedToken);
}
catch (Exception)
{
return($"Invalid token format! Can not deformat token!");
}
byte[] decryptedTokenBytes;
try
{
decryptedTokenBytes = this.cbcIvIsKeyManager.DecryptCbc(encryptedTokenBytes, seed);
}
catch (Exception)
{
return($"Invalid token format! Can not decrypt token!");
}
var token = Encoding.ASCII.GetString(decryptedTokenBytes);
if (!TokenHelper.ValidateTokenString(token))
{
return($"Invalid token format! Received token [{token}] contains invalid characters!. Raw token is [{BitConverter.ToString(decryptedTokenBytes).Replace("-", "")}]");
}
if (!TokenHelper.ValidateTokenUser(token, seed))
{
return("Access denied");
}
return($"Wellcome {userId}!");
}
}
public string ValidateEncryptedToken(
[FromRoute] string userId,
[FromRoute] string challengeId,
[FromRoute] string encryptedToken)
{
using (var hash = SHA256.Create())
{
var seed = hash.ComputeHash(Encoding.ASCII.GetBytes(userId + challengeId + "GetEncryptedToken"));
var encryptedTokenBytes = HexHelper.StringToByteArray(encryptedToken);
// change seed to make independant encryption key
seed[0] ^= 255;
try
{
byte[] plainTextWithMac;
try
{
plainTextWithMac = this.paddingOracleManger.DecryptCbc(encryptedTokenBytes, seed);
}
catch (Exception ex)
{
var debug = this.paddingOracleManger.DecryptCbc(encryptedTokenBytes, seed, PaddingMode.None);
throw;
}
// change it back
seed[0] ^= 255;
var plainText = this.paddingOracleManger.VerifyMac(
plainTextWithMac,
seed);
var stringToken = Encoding.ASCII.GetString(plainText);
if (TokenHelper.ValidateTokenString(stringToken) && TokenHelper.ValidateTokenUser(stringToken, seed))
{
return("Token have been decoded and validated");
}
return("Token is incorrect");
}
catch (Exception ex)
{
return(ex.Message);
}
}
}