public void GetAllKeys_WithEnvironmentKeyPresent_UsesEnvironmentKey()
{
var configuration = new AuthenticatedEncryptorConfiguration(new AuthenticatedEncryptionSettings());
var resolver = new AzureWebsitesXmlRepository(configuration);
string keyValue = "0F75CA46E7EBDD39E4CA6B074D1F9A5972B849A55F91A249";
using (new TestScopedEnvironmentVariable(Constants.AzureWebsiteInstanceId, "test"))
using (new TestScopedEnvironmentVariable(Constants.AzureWebsiteEnvironmentMachineKey, keyValue))
{
IReadOnlyCollection <XElement> keys = resolver.GetAllElements();
Assert.Equal(1, keys.Count);
string key = ((IEnumerable)keys.First().XPathEvaluate("descriptor/descriptor/masterKey/value"))
.Cast <XElement>()
.FirstOrDefault()
.Value;
var id = ((IEnumerable)keys.First().XPathEvaluate("@id"))
.Cast <XAttribute>()
.FirstOrDefault()
.Value;
Assert.Equal(Util.ConvertHexToByteArray(keyValue), System.Convert.FromBase64String(key));
Assert.Equal(Constants.DefaultEncryptionKeyId, id);
}
}
/// <summary>
/// Imports the <see cref="AuthenticatedEncryptorDescriptor"/> from serialized XML.
/// </summary>
public IAuthenticatedEncryptorDescriptor ImportFromXml(XElement element)
{
if (element == null)
{
throw new ArgumentNullException(nameof(element));
}
// <descriptor>
// <encryption algorithm="..." />
// <validation algorithm="..." /> <!-- only if not GCM -->
// <masterKey requiresEncryption="true">...</masterKey>
// </descriptor>
var configuration = new AuthenticatedEncryptorConfiguration();
var encryptionElement = element.Element("encryption") !;
configuration.EncryptionAlgorithm = (EncryptionAlgorithm)Enum.Parse(typeof(EncryptionAlgorithm), (string)encryptionElement.Attribute("algorithm") !);
// only read <validation> if not GCM
if (!AuthenticatedEncryptorFactory.IsGcmAlgorithm(configuration.EncryptionAlgorithm))
{
var validationElement = element.Element("validation") !;
configuration.ValidationAlgorithm = (ValidationAlgorithm)Enum.Parse(typeof(ValidationAlgorithm), (string)validationElement.Attribute("algorithm") !);
}
Secret masterKey = ((string)element.Elements("masterKey").Single()).ToSecret();
return(new AuthenticatedEncryptorDescriptor(configuration, masterKey));
}
internal IAuthenticatedEncryptor CreateAuthenticatedEncryptorInstance(
ISecret secret,
AuthenticatedEncryptorConfiguration authenticatedConfiguration)
{
if (authenticatedConfiguration == null)
{
return(null);
}
if (IsGcmAlgorithm(authenticatedConfiguration.EncryptionAlgorithm))
{
// GCM requires CNG, and CNG is only supported on Windows.
if (!OSVersionUtil.IsWindows())
{
throw new PlatformNotSupportedException(Resources.Platform_WindowsRequiredForGcm);
}
Debug.Assert(RuntimeInformation.IsOSPlatform(OSPlatform.Windows));
var configuration = new CngGcmAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm),
EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm)
};
return(new CngGcmAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration));
}
else
{
if (OSVersionUtil.IsWindows())
{
Debug.Assert(RuntimeInformation.IsOSPlatform(OSPlatform.Windows));
// CNG preferred over managed implementations if running on Windows
var configuration = new CngCbcAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = GetBCryptAlgorithmNameFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm),
EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm),
HashAlgorithm = GetBCryptAlgorithmNameFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm)
};
return(new CngCbcAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration));
}
else
{
// Use managed implementations as a fallback
var configuration = new ManagedAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithmType = GetManagedTypeFromEncryptionAlgorithm(authenticatedConfiguration.EncryptionAlgorithm),
EncryptionAlgorithmKeySize = GetAlgorithmKeySizeInBits(authenticatedConfiguration.EncryptionAlgorithm),
ValidationAlgorithmType = GetManagedTypeFromValidationAlgorithm(authenticatedConfiguration.ValidationAlgorithm)
};
return(new ManagedAuthenticatedEncryptorFactory(_loggerFactory).CreateAuthenticatedEncryptorInstance(secret, configuration));
}
}
}
/// <summary>
/// Initializes a new instance of <see cref="AuthenticatedEncryptorDescriptor"/>.
/// </summary>
/// <param name="configuration">The <see cref="AuthenticatedEncryptorDescriptor"/>.</param>
/// <param name="masterKey">The master key.</param>
public AuthenticatedEncryptorDescriptor(AuthenticatedEncryptorConfiguration configuration, ISecret masterKey)
{
if (configuration == null)
{
throw new ArgumentNullException(nameof(configuration));
}
if (masterKey == null)
{
throw new ArgumentNullException(nameof(masterKey));
}
Configuration = configuration;
MasterKey = masterKey;
}
/// <summary>
/// Configures the data protection system to use the specified cryptographic algorithms
/// by default when generating protected payloads.
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="configuration">Information about what cryptographic algorithms should be used.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
public static IDataProtectionBuilder UseCryptographicAlgorithms(this IDataProtectionBuilder builder, AuthenticatedEncryptorConfiguration configuration)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (configuration == null)
{
throw new ArgumentNullException(nameof(configuration));
}
return(UseCryptographicAlgorithmsCore(builder, configuration));
}
// For more information on configuring authentication, please visit https://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
// these don't seem to change the behavior
if (CryptoConfig.AllowOnlyFipsAlgorithms)
{
CryptoConfig.AddAlgorithm(
typeof(AesCryptoServiceProvider),
"AES",
"AesCryptoServiceProvider",
"System.Security.Cryptography.AesCryptoServiceProvider",
"System.Security.Cryptography.AES"
);
CryptoConfig.AddAlgorithm(
typeof(SHA256CryptoServiceProvider),
"SHA256",
"SHA256CryptoServiceProvider",
"System.Security.Cryptography.SHA256CryptoServiceProvider",
"System.Security.Cryptography.SHA256"
);
CryptoConfig.AddAlgorithm(
typeof(SHA256CryptoServiceProvider),
"SHA512",
"SHA512CryptoServiceProvider",
"System.Security.Cryptography.SHA512CryptoServiceProvider",
"System.Security.Cryptography.SHA512"
);
}
var encryptionSettings = new AuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
};
// apply AppPool identity or service account permissions to registry path
var regPath = @"SOFTWARE\SharedCookieTest\Keys";
Registry.LocalMachine.CreateSubKey(regPath, true);
/*
* Certificate Thumbprints
* 6bee3f190055703c0dcd01e7c433462069549762 - dev.sharedcookietest.cert02
* d74e3a5413047996a10bda4661d296ca7f741ff8 - Dev.SharedCookieTest.Cert01
*/
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.OpenExistingOnly);
var cert = store.Certificates
.OfType <X509Certificate2>()
.FirstOrDefault(c => c.Thumbprint.Equals("6bee3f190055703c0dcd01e7c433462069549762", StringComparison.CurrentCultureIgnoreCase));
var protectionProvider = DataProtectionProvider.Create(
new DirectoryInfo($@"{HostingEnvironment.MapPath("~")}\keys"),
options =>
{
options.SetDefaultKeyLifetime(TimeSpan.FromDays(365));
options.UseCryptographicAlgorithms(encryptionSettings);
//options.UseCustomCryptographicAlgorithms(
// new CngCbcAuthenticatedEncryptorConfiguration()
// {
// EncryptionAlgorithm = "AES",
// //EncryptionAlgorithmProvider = WhatShouldThisBe?,//"Advanced Encryption Standard",//"ECDiffieHellmanCng",//"BCryptCloseAlgorithmProvider",//"MS_ENH_RSA_AES_PROV",
// EncryptionAlgorithmKeySize = 256,
// HashAlgorithm = "SHA256"
// //HashAlgorithmProvider = WhatShouldThisBe?//null//"SHA256CryptoServiceProvider"//"Microsoft Enhanced RSA and AES Cryptographic Provider"
// });
options.PersistKeysToRegistry(Registry.LocalMachine.OpenSubKey(regPath, true));
options.ProtectKeysWithCertificate(cert);
});
var dataProtector = protectionProvider.CreateProtector(
"CookieAuthenticationMiddleware",
"Cookie",
"v2");
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(dataProtector)),
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
CookieDomain = "localhost",
CookieName = ".AspNet.SharedCookie",
CookiePath = "/",
CookieSecure = CookieSecureOption.SameAsRequest
});
}
public AzureWebsitesXmlRepository(IAuthenticatedEncryptorConfiguration encryptorConfiguration)
{
_encryptorConfiguration = encryptorConfiguration as AuthenticatedEncryptorConfiguration;
}
