/// <summary>
/// Used by the client to autenticate using Private Key Authentication.
/// </summary>
/// <param name="domainId"></param>
/// <param name="memberId"></param>
/// <param name="baseUrl"></param>
/// <returns></returns>
public static bool AuthenticateWithPPK(string domainId, string memberId, string baseUrl)
{
try
{
Store store = Store.GetStore();
Domain domain = store.GetDomain(domainId);
Member member = domain.GetMemberByID(memberId);
WebState webState = new WebState(domainId);
// Get the challenge and sign it with the Private Key to use as a one time password.
string url = baseUrl + "/Login.ashx?" + NonceKey + "=Get";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
webState.InitializeWebRequest(request, domain.ID);
request.ContentType = "application/octet-stream";
request.Method = "GET";
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
request.CookieContainer.Add(response.Cookies);
if (response.StatusCode != HttpStatusCode.OK)
{
CookieCollection cc = request.CookieContainer.GetCookies(new Uri(url));
foreach (Cookie cookie in cc)
{
cookie.Expired = true;
}
return(false);
}
string nonce = response.Headers.Get(NonceKey);
if (nonce != null)
{
byte[] bChallenge = Nonce.GetBytes(nonce);
byte[] signed = store.CurrentUser.GetDomainCredential(domain.ID).SignData(bChallenge, new SHA1CryptoServiceProvider());
// Now authenticate using signed data
url = baseUrl + "/Login.ashx?" + PpkAuthKey + "=" + member.UserID;
request = (HttpWebRequest)WebRequest.Create(url);
webState.InitializeWebRequest(request, domain.ID);
request.ContentType = "application/octet-stream";
request.Method = "POST";
request.Headers.Add(Simias.Security.Web.AuthenticationService.Login.DomainIDHeader, domain.ID);
Stream rStream = request.GetRequestStream();
rStream.Write(signed, 0, signed.Length);
rStream.Close();
response = (HttpWebResponse)request.GetResponse();
}
}
catch { return(false); }
return(true);
}
public void EncryptWithADTestWithPlainText()
{
String key = "908b166535c01a935cf1e130a5fe895ab4e6f3ef8855d87e9b7581c4ab663ddc";
String additionalData = "90578e247e98674e661013da3c5c1ca6a8c8f48c90b485c0dfa1494e23d56d72";
String plaintext = "034f355bdcb7cc0af728ef3cceb9615d90684bb5b2ca5f859ab0f0b704075871aa";
String expectedCipherResult = "b9e3a702e93e3a9948c2ed6e5fd7590a6e1c3a0344cfc9d5b57357049aa22355361aa02e55a8fc28fef5bd6d71ad0c3822";
Nonce nonce = new Nonce();
nonce.Increment();
(byte[] actualCipherText, byte[] mac) = ChaCha20Poly1305.EncryptWithAdditionalData(key.HexToByteArray(), nonce.GetBytes(), additionalData.HexToByteArray(), plaintext.HexToByteArray());
Assert.Equal(expectedCipherResult, actualCipherText.ToHex() + mac.ToHex());
}
public void EncryptWithADTestWithoutPlainTextMacTest()
{
String key = "e68f69b7f096d7917245f5e5cf8ae1595febe4d4644333c99f9c4a1282031c9f";
String additionalData = "9e0e7de8bb75554f21db034633de04be41a2b8a18da7a319a03c803bf02b396c";
String expectedCipherResult = "0df6086551151f58b8afe6c195782c6a";
Nonce nonce = new Nonce();
(byte[] actualCipherText, byte[] mac) = ChaCha20Poly1305.EncryptWithAdditionalData(key.HexToByteArray(), nonce.GetBytes(), additionalData.HexToByteArray(), new byte[0]);
Assert.Equal(new byte[0], actualCipherText);
Assert.Equal(expectedCipherResult, mac.ToHex());
}
/// <summary>
/// Used by server to validate the signature using PPK.
/// </summary>
/// <param name="domainId"></param>
/// <param name="memberId"></param>
/// <param name="signed"></param>
/// <param name="ctx"></param>
static public void VerifyWithPPK(string domainId, string memberId, byte[] signed, HttpContext ctx)
{
Simias.Authentication.Session simiasSession;
Simias.Storage.Domain domain = null;
Simias.Storage.Member member = null;
Store store = Store.GetStore();
ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
domain = store.GetDomain(domainId);
if (domain == null)
{
ctx.Response.StatusCode = 500;
ctx.Response.StatusDescription = "Invalid Domain";
ctx.ApplicationInstance.CompleteRequest();
return;
}
member = domain.GetMemberByID(memberId);
if (member == null)
{
ctx.Response.StatusCode = 500;
ctx.Response.StatusDescription = "Invalid Member";
ctx.ApplicationInstance.CompleteRequest();
return;
}
if (ctx.Session == null)
{
// Must have a session.
ctx.Response.StatusCode = 401;
ctx.Response.AddHeader(
"WWW-Authenticate",
String.Concat("Basic realm=\"", domain.Name, "\""));
ctx.ApplicationInstance.CompleteRequest();
return;
}
simiasSession = ctx.Session[sessionTag] as Simias.Authentication.Session;
if (simiasSession != null)
{
ctx.User = simiasSession.User;
}
if (ctx.User.Identity.IsAuthenticated == false)
{
// Validate signature.
string nonce = (string)ctx.Session[NonceKey];
byte[] nonceBytes = Nonce.GetBytes(nonce);
if (member.PublicKey.VerifyData(nonceBytes, new SHA1CryptoServiceProvider(), signed))
{
simiasSession = new Simias.Authentication.Session();
simiasSession.MemberID = member.UserID;
simiasSession.Requests++;
ctx.Session[sessionTag] = simiasSession;
// Setup a principal
simiasSession.User =
new GenericPrincipal(
new GenericIdentity(
member.UserID,
PpkType),
hostRoles);
ctx.User = simiasSession.User;
Thread.CurrentPrincipal = ctx.User;
// Set the last login time for the user.
SetLastLoginTime(domain, member);
}
else
{
// Failed
ctx.Response.StatusCode = 401;
ctx.Response.AddHeader(
"WWW-Authenticate",
String.Concat("Basic realm=\"", domain.Name, "\""));
ctx.ApplicationInstance.CompleteRequest();
return;
}
}
else
{
simiasSession.Requests++;
Thread.CurrentPrincipal = ctx.User;
member = domain.GetMemberByID(simiasSession.MemberID);
}
}
