/// <summary> /// Imports the <see cref="ManagedAuthenticatedEncryptorDescriptor"/> from serialized XML. /// </summary> public IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element) { if (element == null) { throw new ArgumentNullException(nameof(element)); } // <descriptor> // <!-- managed implementations --> // <encryption algorithm="..." keyLength="..." /> // <validation algorithm="..." /> // <masterKey>...</masterKey> // </descriptor> var configuration = new ManagedAuthenticatedEncryptorConfiguration(); var encryptionElement = element.Element("encryption") !; configuration.EncryptionAlgorithmType = FriendlyNameToType((string)encryptionElement.Attribute("algorithm") !); configuration.EncryptionAlgorithmKeySize = (int)encryptionElement.Attribute("keyLength") !; var validationElement = element.Element("validation") !; configuration.ValidationAlgorithmType = FriendlyNameToType((string)validationElement.Attribute("algorithm") !); Secret masterKey = ((string)element.Element("masterKey") !).ToSecret(); return(new ManagedAuthenticatedEncryptorDescriptor(configuration, masterKey)); }
public void ResolvePolicy_ManagedEncryption_WithExplicitSettings() { IServiceCollection serviceCollection = new ServiceCollection(); RunTestWithRegValues(serviceCollection, new Dictionary <string, object>() { ["EncryptionType"] = "managed", ["EncryptionAlgorithmType"] = typeof(TripleDES).AssemblyQualifiedName, ["EncryptionAlgorithmKeySize"] = 2048, ["ValidationAlgorithmType"] = typeof(HMACMD5).AssemblyQualifiedName }); var services = serviceCollection.BuildServiceProvider(); var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions() { EncryptionAlgorithmType = typeof(TripleDES), EncryptionAlgorithmKeySize = 2048, ValidationAlgorithmType = typeof(HMACMD5) }); var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService <IAuthenticatedEncryptorConfiguration>(); Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmType, actualConfiguration.Options.EncryptionAlgorithmType); Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); Assert.Equal(expectedConfiguration.Options.ValidationAlgorithmType, actualConfiguration.Options.ValidationAlgorithmType); }
internal IAuthenticatedEncryptor?CreateAuthenticatedEncryptorInstance( ISecret secret, AuthenticatedEncryptorConfiguration?authenticatedConfiguration) { if (authenticatedConfiguration == null) { return(null); } if (IsGcmAlgorithm(authenticatedConfiguration.EncryptionAlgorithm)) { #if NETCOREAPP return(new AesGcmAuthenticatedEncryptor(secret, GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm) / 8)); #else // GCM requires CNG, and CNG is only supported on Windows. if (!OSVersionUtil.IsWindows()) { throw new PlatformNotSupportedException(Resources.Platform_WindowsRequiredForGcm); } Debug.Assert(RuntimeInformation.IsOSPlatform(OSPlatform.Windows)); var configuration = new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm) }; return(new CngGcmAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration)); #endif } else { if (OSVersionUtil.IsWindows()) { Debug.Assert(RuntimeInformation.IsOSPlatform(OSPlatform.Windows)); // CNG preferred over managed implementations if running on Windows var configuration = new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm), HashAlgorithm = GetBCryptAlgorithmNameFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm) }; return(new CngCbcAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration)); } else { // Use managed implementations as a fallback var configuration = new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = GetManagedTypeFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm), ValidationAlgorithmType = GetManagedTypeFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm) }; return(new ManagedAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration)); } } }
private Func <SymmetricAlgorithm> GetSymmetricBlockCipherAlgorithmFactory(ManagedAuthenticatedEncryptorConfiguration configuration) { // basic argument checking if (configuration.EncryptionAlgorithmType == null) { throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(configuration.EncryptionAlgorithmType)); } typeof(SymmetricAlgorithm).AssertIsAssignableFrom(configuration.EncryptionAlgorithmType); if (configuration.EncryptionAlgorithmKeySize < 0) { throw Error.Common_PropertyMustBeNonNegative(nameof(configuration.EncryptionAlgorithmKeySize)); } _logger.UsingManagedSymmetricAlgorithm(configuration.EncryptionAlgorithmType.FullName !); if (configuration.EncryptionAlgorithmType == typeof(Aes)) { Func <Aes>?factory = null; if (OSVersionUtil.IsWindows()) { // If we're on desktop CLR and running on Windows, use the FIPS-compliant implementation. factory = () => new AesCryptoServiceProvider(); } return(factory ?? Aes.Create); } else { return(AlgorithmActivator.CreateFactory <SymmetricAlgorithm>(configuration.EncryptionAlgorithmType)); } }
public void ResolvePolicy_ManagedEncryption_WithExplicitSettings() { // Arrange var registryEntries = new Dictionary <string, object>() { ["EncryptionType"] = "managed", ["EncryptionAlgorithmType"] = typeof(TripleDES).AssemblyQualifiedName, ["EncryptionAlgorithmKeySize"] = 2048, ["ValidationAlgorithmType"] = typeof(HMACSHA1).AssemblyQualifiedName }; var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = typeof(TripleDES), EncryptionAlgorithmKeySize = 2048, ValidationAlgorithmType = typeof(HMACSHA1) }; // Act var context = RunTestWithRegValues(registryEntries); // Assert var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; Assert.Equal(expectedConfiguration.EncryptionAlgorithmType, actualConfiguration.EncryptionAlgorithmType); Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); Assert.Equal(expectedConfiguration.ValidationAlgorithmType, actualConfiguration.ValidationAlgorithmType); }
public void CreateNewDescriptor_PropagatesOptions() { // Arrange var configuration = new ManagedAuthenticatedEncryptorConfiguration(); // Act var descriptor = (ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor(); // Assert Assert.Equal(configuration, descriptor.Configuration); }
internal IAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance( ISecret secret, AuthenticatedEncryptorConfiguration authenticatedConfiguration) { if (authenticatedConfiguration == null) { return(null); } if (IsGcmAlgorithm(authenticatedConfiguration.EncryptionAlgorithm)) { // GCM requires CNG, and CNG is only supported on Windows. if (!OSVersionUtil.IsWindows()) { throw new PlatformNotSupportedException("GCM algorithms require the Windows platform."); } var configuration = new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm) }; return(new CngGcmAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration)); } else { if (OSVersionUtil.IsWindows()) { // CNG preferred over managed implementations if running on Windows var configuration = new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm), HashAlgorithm = GetBCryptAlgorithmNameFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm) }; return(new CngCbcAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration)); } else { // Use managed implementations as a fallback var configuration = new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = GetManagedTypeFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm), EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm), ValidationAlgorithmType = GetManagedTypeFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm) }; return(new ManagedAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration)); } } }
public void CreateNewDescriptor_CreatesUniqueCorrectlySizedMasterKey() { // Arrange var configuration = new ManagedAuthenticatedEncryptorConfiguration(); // Act var masterKey1 = ((ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; var masterKey2 = ((ManagedAuthenticatedEncryptorDescriptor)configuration.CreateNewDescriptor()).MasterKey; // Assert SecretAssert.NotEqual(masterKey1, masterKey2); SecretAssert.LengthIs(512 /* bits */, masterKey1); SecretAssert.LengthIs(512 /* bits */, masterKey2); }
/// <summary> /// Initializes a new instance of <see cref="ManagedAuthenticatedEncryptorDescriptor"/>. /// </summary> /// <param name="configuration">The <see cref="ManagedAuthenticatedEncryptorConfiguration"/>.</param> /// <param name="masterKey">The master key.</param> public ManagedAuthenticatedEncryptorDescriptor(ManagedAuthenticatedEncryptorConfiguration configuration, ISecret masterKey) { if (configuration == null) { throw new ArgumentNullException(nameof(configuration)); } if (masterKey == null) { throw new ArgumentNullException(nameof(masterKey)); } Configuration = configuration; MasterKey = masterKey; }
internal ManagedAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance( ISecret secret, ManagedAuthenticatedEncryptorConfiguration configuration) { if (configuration == null) { return(null); } return(new ManagedAuthenticatedEncryptor( keyDerivationKey: new Secret(secret), symmetricAlgorithmFactory: GetSymmetricBlockCipherAlgorithmFactory(configuration), symmetricAlgorithmKeySizeInBytes: configuration.EncryptionAlgorithmKeySize / 8, validationAlgorithmFactory: GetKeyedHashAlgorithmFactory(configuration))); }
public void ResolvePolicy_ManagedEncryption_WithoutExplicitSettings() { IServiceCollection serviceCollection = new ServiceCollection(); RunTestWithRegValues(serviceCollection, new Dictionary <string, object>() { ["EncryptionType"] = "managed" }); var services = serviceCollection.BuildServiceProvider(); var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(new ManagedAuthenticatedEncryptionOptions()); var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)services.GetService <IAuthenticatedEncryptorConfiguration>(); Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmType, actualConfiguration.Options.EncryptionAlgorithmType); Assert.Equal(expectedConfiguration.Options.EncryptionAlgorithmKeySize, actualConfiguration.Options.EncryptionAlgorithmKeySize); Assert.Equal(expectedConfiguration.Options.ValidationAlgorithmType, actualConfiguration.Options.ValidationAlgorithmType); }
public void CreateEncrptorInstance_ExpectedDescriptorType_ReturnsEncryptor() { // Arrange var descriptor = new ManagedAuthenticatedEncryptorConfiguration().CreateNewDescriptor(); var key = new Mock <IKey>(); key.Setup(k => k.Descriptor).Returns(descriptor); var factory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance); // Act var encryptor = factory.CreateEncryptorInstance(key.Object); // Assert Assert.NotNull(encryptor); Assert.IsType <ManagedAuthenticatedEncryptor>(encryptor); }
public void ResolvePolicy_ManagedEncryption_WithoutExplicitSettings() { // Arrange var registryEntries = new Dictionary <string, object>() { ["EncryptionType"] = "managed" }; var expectedConfiguration = new ManagedAuthenticatedEncryptorConfiguration(); // Act var context = RunTestWithRegValues(registryEntries); // Assert var actualConfiguration = (ManagedAuthenticatedEncryptorConfiguration)context.EncryptorConfiguration; Assert.Equal(expectedConfiguration.EncryptionAlgorithmType, actualConfiguration.EncryptionAlgorithmType); Assert.Equal(expectedConfiguration.EncryptionAlgorithmKeySize, actualConfiguration.EncryptionAlgorithmKeySize); Assert.Equal(expectedConfiguration.ValidationAlgorithmType, actualConfiguration.ValidationAlgorithmType); }
private RegistryPolicy?ResolvePolicyCore(RegistryKey?policyRegKey) { if (policyRegKey == null) { return(null); } // Read the encryption options type: CNG-CBC, CNG-GCM, Managed AlgorithmConfiguration?configuration = null; var encryptionType = (string?)policyRegKey.GetValue("EncryptionType"); if (String.Equals(encryptionType, "CNG-CBC", StringComparison.OrdinalIgnoreCase)) { configuration = new CngCbcAuthenticatedEncryptorConfiguration(); } else if (String.Equals(encryptionType, "CNG-GCM", StringComparison.OrdinalIgnoreCase)) { configuration = new CngGcmAuthenticatedEncryptorConfiguration(); } else if (String.Equals(encryptionType, "Managed", StringComparison.OrdinalIgnoreCase)) { configuration = new ManagedAuthenticatedEncryptorConfiguration(); } else if (!String.IsNullOrEmpty(encryptionType)) { throw CryptoUtil.Fail("Unrecognized EncryptionType: " + encryptionType); } if (configuration != null) { PopulateOptions(configuration, policyRegKey); } // Read ancillary data var defaultKeyLifetime = (int?)policyRegKey.GetValue("DefaultKeyLifetime"); var keyEscrowSinks = ReadKeyEscrowSinks(policyRegKey).Select(item => _activator.CreateInstance <IKeyEscrowSink>(item)); return(new RegistryPolicy(configuration, keyEscrowSinks, defaultKeyLifetime)); }
private Func <KeyedHashAlgorithm> GetKeyedHashAlgorithmFactory(ManagedAuthenticatedEncryptorConfiguration configuration) { // basic argument checking if (configuration.ValidationAlgorithmType == null) { throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(configuration.ValidationAlgorithmType)); } _logger.UsingManagedKeyedHashAlgorithm(configuration.ValidationAlgorithmType.FullName !); if (configuration.ValidationAlgorithmType == typeof(HMACSHA256)) { return(() => new HMACSHA256()); } else if (configuration.ValidationAlgorithmType == typeof(HMACSHA512)) { return(() => new HMACSHA512()); } else { return(AlgorithmActivator.CreateFactory <KeyedHashAlgorithm>(configuration.ValidationAlgorithmType)); } }
private Func <SymmetricAlgorithm> GetSymmetricBlockCipherAlgorithmFactory(ManagedAuthenticatedEncryptorConfiguration configuration) { // basic argument checking if (configuration.EncryptionAlgorithmType == null) { throw Error.Common_PropertyCannotBeNullOrEmpty(nameof(configuration.EncryptionAlgorithmType)); } typeof(SymmetricAlgorithm).AssertIsAssignableFrom(configuration.EncryptionAlgorithmType); if (configuration.EncryptionAlgorithmKeySize < 0) { throw Error.Common_PropertyMustBeNonNegative(nameof(configuration.EncryptionAlgorithmKeySize)); } _logger.UsingManagedSymmetricAlgorithm(configuration.EncryptionAlgorithmType.FullName !); if (configuration.EncryptionAlgorithmType == typeof(Aes)) { return(Aes.Create); } else { return(AlgorithmActivator.CreateFactory <SymmetricAlgorithm>(configuration.EncryptionAlgorithmType)); } }
private static ManagedAuthenticatedEncryptorConfiguration GetManagedAuthenticatedEncryptorConfiguration(RegistryKey key) { var options = new ManagedAuthenticatedEncryptorConfiguration(); var valueFromRegistry = key.GetValue(nameof(ManagedAuthenticatedEncryptorConfiguration.EncryptionAlgorithmType)); if (valueFromRegistry != null) { options.EncryptionAlgorithmType = TypeExtensions.GetTypeWithTrimFriendlyErrorMessage(Convert.ToString(valueFromRegistry, CultureInfo.InvariantCulture) !); } valueFromRegistry = key.GetValue(nameof(ManagedAuthenticatedEncryptorConfiguration.EncryptionAlgorithmKeySize)); if (valueFromRegistry != null) { options.EncryptionAlgorithmKeySize = Convert.ToInt32(valueFromRegistry, CultureInfo.InvariantCulture); } valueFromRegistry = key.GetValue(nameof(ManagedAuthenticatedEncryptorConfiguration.ValidationAlgorithmType)); if (valueFromRegistry != null) { options.ValidationAlgorithmType = TypeExtensions.GetTypeWithTrimFriendlyErrorMessage(Convert.ToString(valueFromRegistry, CultureInfo.InvariantCulture) !); } return(options); }
public static IDataProtectionBuilder UseCustomCryptographicAlgorithms(this IDataProtectionBuilder builder, ManagedAuthenticatedEncryptorConfiguration configuration) { if (builder == null) { throw new ArgumentNullException(nameof(builder)); } if (configuration == null) { throw new ArgumentNullException(nameof(configuration)); } return(UseCryptographicAlgorithmsCore(builder, configuration)); }