public ToSignatureAlgorithm() { _encryptionKey = new SharedSecretEncryptionKey("The_Big_Secret"); _unencryptedKey = "s3cr3t"; _encryptedKey = new FakeStringProtector().Protect(_unencryptedKey); _recordVersion = 2; _dataRecord = new SignatureAlgorithmDataRecord { Type = "HMAC", Param = $"<Secret>{_encryptedKey}</Secret>", Hash = HashAlgorithmName.MD5.Name, Encrypted = true }; }
public void GivenHMACAlgorithm_ReturnsExpectedDataRecord() { using (var hmac = SignatureAlgorithm.CreateForVerification(_unencryptedKey, HashAlgorithmName.SHA384)) { var actual = _sut.FromSignatureAlgorithm(hmac, _encryptionKey); var encryptedKey = new FakeStringProtector().Protect(_unencryptedKey); var expected = new SignatureAlgorithmDataRecord { Type = "HMAC", Hash = HashAlgorithmName.SHA384.Name, Encrypted = true, Param = $"<Secret>{encryptedKey}</Secret>" }; actual.Should().BeEquivalentTo(expected); } }
public void GivenRSAAlgorithm_ReturnsExpectedDataRecord() { using (var rsa = new RSACryptoServiceProvider()) { using (var rsaAlg = SignatureAlgorithm.CreateForVerification(rsa, HashAlgorithmName.SHA384)) { var actual = _sut.FromSignatureAlgorithm(rsaAlg, _encryptionKey); var expected = new SignatureAlgorithmDataRecord { Type = "RSA", Param = rsa.ExportParameters(false).ToXml(), Hash = HashAlgorithmName.SHA384.Name, Encrypted = false }; actual.Should().BeEquivalentTo(expected); } } }
public void GivenECDsaAlgorithm_ReturnsExpectedDataRecord() { using (var ecdsa = ECDsa.Create()) { using (var ecdsaAlg = SignatureAlgorithm.CreateForVerification(ecdsa, HashAlgorithmName.SHA384)) { var actual = _sut.FromSignatureAlgorithm(ecdsaAlg, _encryptionKey); var expected = new SignatureAlgorithmDataRecord { Type = "ECDsa", Param = ecdsa.ExportParameters(false).ToXml(), Hash = HashAlgorithmName.SHA384.Name, Encrypted = false }; actual.Should().BeEquivalentTo(expected); } } }
public static ClientDataRecord FromXml(XContainer xml) { if (xml == null) { throw new ArgumentNullException(nameof(xml)); } var clockSkew = double.TryParse(xml.Element(nameof(ClockSkew))?.Value, out var c) ? c : 0; if (clockSkew <= 0) { clockSkew = ClientOptions.Default.ClockSkew.TotalSeconds; } var nonceLifetime = double.TryParse(xml.Element(nameof(NonceLifetime))?.Value, out var n) ? n : 0; if (nonceLifetime <= 0) { nonceLifetime = ClientOptions.Default.NonceLifetime.TotalSeconds; } var version = int.TryParse(xml.Element(nameof(V))?.Value, out var v) ? v : GetV(); if (version <= 0) { version = GetV(); } var escaping = xml.Element(nameof(Escaping))?.Value; if (string.IsNullOrEmpty(escaping) || !Enum.IsDefined(typeof(RequestTargetEscaping), escaping)) { escaping = ClientOptions.Default.RequestTargetEscaping.ToString(); } return(new ClientDataRecord { Id = xml.Element(nameof(Id))?.Value, Name = xml.Element(nameof(Name))?.Value, ClockSkew = clockSkew, NonceLifetime = nonceLifetime, Escaping = escaping, V = version, Claims = xml.Element(nameof(Claims))?.Elements()?.Select(ClaimDataRecord.FromXml)?.ToArray() ?? Array.Empty <ClaimDataRecord>(), SigAlg = SignatureAlgorithmDataRecord.FromXml(xml.Element(nameof(SigAlg))) }); }
private string GetUnencryptedParameter(SignatureAlgorithmDataRecord dataRecord, SharedSecretEncryptionKey encryptionKey) { var paramValue = XElement.Parse(dataRecord.Param).Value; if (encryptionKey == SharedSecretEncryptionKey.Empty) { return(paramValue); } if (!dataRecord.Encrypted) { return(paramValue); // The value in the data store is not encrypted } var protector = _stringProtectorFactory.CreateSymmetric(encryptionKey); try { return(protector.Unprotect(paramValue)); } catch (Exception ex) { throw new SecurityException("Something went wrong during acquisition of the unencrypted symmetric key. See inner exception for details.", ex); } }
public ISignatureAlgorithm ToSignatureAlgorithm(SignatureAlgorithmDataRecord dataRecord, SharedSecretEncryptionKey encryptionKey, int?recordVersion) { if (dataRecord == null) { throw new ArgumentNullException(nameof(dataRecord)); } switch (dataRecord.Type) { case string str when str.Equals("rsa", StringComparison.OrdinalIgnoreCase): using (var rsaForVerification = new RSACryptoServiceProvider()) { rsaForVerification.FromXml(dataRecord.Param); var paramsForVerification = rsaForVerification.ExportParameters(includePrivateParameters: false); return(SignatureAlgorithm.CreateForVerification(paramsForVerification, new HashAlgorithmName(dataRecord.Hash))); } case string str when str.Equals("ecdsa", StringComparison.OrdinalIgnoreCase): using (var ecdsaForVerification = ECDsa.Create()) { ecdsaForVerification.FromXml(dataRecord.Param); var paramsForVerification = ecdsaForVerification.ExportParameters(includePrivateParameters: false); return(SignatureAlgorithm.CreateForVerification(paramsForVerification, new HashAlgorithmName(dataRecord.Hash))); } case string str when str.Equals("hmac", StringComparison.OrdinalIgnoreCase): var unencryptedKey = GetUnencryptedParameter(dataRecord, encryptionKey); return(SignatureAlgorithm.CreateForVerification(unencryptedKey, new HashAlgorithmName(dataRecord.Hash))); default: throw new NotSupportedException($"The specified signature algorithm type ({dataRecord.Type ?? "[null]"}) cannot be deserialized."); } }