public static bool Exists(string keyName, CngProvider provider)
{
return Exists(keyName, provider, options: CngKeyOpenOptions.None);
}
internal BCryptHMAC(CngAlgorithm algorithm,
CngProvider algorithmProvider,
string hashName,
int blockSize,
byte[] key)
{
Debug.Assert(algorithm != null, "algorithm != null");
Debug.Assert(algorithmProvider != null, "algorithmProvider != null");
Debug.Assert(!String.IsNullOrEmpty(hashName), "!String.IsNullOrEmpty(hashName)");
Debug.Assert(blockSize > 0, "blockSize > 0");
Debug.Assert(key != null, "key != null");
BlockSizeValue = blockSize;
HashName = hashName;
m_algorithm = BCryptNative.OpenAlgorithm(algorithm.Algorithm,
algorithmProvider.Provider,
BCryptNative.AlgorithmProviderOptions.HmacAlgorithm);
// Resetting the key will call Initialize for us, and get us setup with a hash handle,
// so we don't need to create the hash handle ourselves
Key = key;
HashSizeValue = BCryptNative.GetInt32Property(m_hash, BCryptNative.HashPropertyName.HashLength) * 8;
}
public static bool Exists(string keyName, CngProvider provider, CngKeyOpenOptions options)
{
if (keyName == null)
throw new ArgumentNullException(nameof(keyName));
if (provider == null)
throw new ArgumentNullException(nameof(provider));
using (SafeNCryptProviderHandle providerHandle = provider.OpenStorageProvider())
{
SafeNCryptKeyHandle keyHandle = null;
try
{
ErrorCode errorCode = Interop.NCrypt.NCryptOpenKey(providerHandle, out keyHandle, keyName, 0, options);
if (errorCode == ErrorCode.NTE_BAD_KEYSET)
return false;
if (errorCode != ErrorCode.ERROR_SUCCESS)
throw errorCode.ToCryptographicException();
return true;
}
finally
{
if (keyHandle != null)
keyHandle.Dispose();
}
}
}
public static CngKey CreateKey(CngProvider provider = null, string keyName = null)
{
var hProvider = IntPtr.Zero;
var hKey = IntPtr.Zero;
int err = 0;
try
{
err = NCryptOpenStorageProvider(out hProvider, provider == null ? null : provider.Provider, 0);
if (err != 0)
throw new CryptographicException(err);
err = NCryptCreatePersistedKey(hProvider, out hKey, "RSA", keyName, 0, 0);
if (err != 0)
throw new CryptographicException(err);
err = NCryptSetProperty(hKey, "Length", BitConverter.GetBytes(3072), 4, 0);
if (err != 0)
throw new CryptographicException(err);
err = NCryptFinalizeKey(hKey, 0);
if (err != 0)
throw new CryptographicException(err);
return CngKey.Open(keyName, provider);
}
finally
{
if (hProvider != IntPtr.Zero)
NCryptFreeObject(hProvider);
if (hKey != IntPtr.Zero)
NCryptFreeObject(hKey);
}
}
internal static CngKey Import(byte[] keyBlob, string curveName, CngKeyBlobFormat format, CngProvider provider)
{
if (keyBlob == null)
throw new ArgumentNullException(nameof(keyBlob));
if (format == null)
throw new ArgumentNullException(nameof(format));
if (provider == null)
throw new ArgumentNullException(nameof(provider));
SafeNCryptProviderHandle providerHandle = provider.OpenStorageProvider();
SafeNCryptKeyHandle keyHandle = null;
ErrorCode errorCode;
if (curveName == null)
{
errorCode = Interop.NCrypt.NCryptImportKey(providerHandle, IntPtr.Zero, format.Format, IntPtr.Zero, out keyHandle, keyBlob, keyBlob.Length, 0);
if (errorCode != ErrorCode.ERROR_SUCCESS)
{
throw errorCode.ToCryptographicException();
}
}
else
{
#if !NETNATIVE
keyHandle = ECCng.ImportKeyBlob(format.Format, keyBlob, curveName, providerHandle);
#endif //!NETNATIVE
}
CngKey key = new CngKey(providerHandle, keyHandle);
// We can't tell directly if an OpaqueTransport blob imported as an ephemeral key or not
key.IsEphemeral = format != CngKeyBlobFormat.OpaqueTransportBlob;
return key;
}
/// <summary>
/// Configures the core to use plaintext keys (to be auto-generated when first needed.)
/// </summary>
public CngSymmetricAlgorithmCore(ICngSymmetricAlgorithm outer)
{
_outer = outer;
_keyName = null; // Setting _keyName to null signifies that this object is based on a plaintext key, not a stored CNG key.
_provider = null;
_optionOptions = CngKeyOpenOptions.None;
}
public RNGCng(CngProvider algorithmProvider)
{
if (algorithmProvider == null)
throw new ArgumentNullException("algorithmProvider");
m_algorithm = BCryptNative.OpenAlgorithm(BCryptNative.AlgorithmName.Rng,
algorithmProvider.Provider);
}
public HMACSHA256Cng(byte[] key, CngProvider algorithmProvider)
{
if (key == null)
throw new ArgumentNullException("key");
if (algorithmProvider == null)
throw new ArgumentNullException("algorithmProvider");
HashName = "SHA256";
m_hmac = new BCryptHMAC(CngAlgorithm.Sha256, algorithmProvider, HashName, BlockSize, key);
}
public RNGCng(CngProvider algorithmProvider)
{
if (algorithmProvider == null)
{
throw new ArgumentNullException("algorithmProvider");
}
m_algorithm = BCryptNative.OpenAlgorithm(BCryptNative.AlgorithmName.Rng,
algorithmProvider.Provider);
m_implementation = algorithmProvider;
}
/// <summary>
/// GetKeys provides an enumerator over all of the keys that are stored in the key storage
/// provider.
/// </summary>
public static IEnumerable <CngKey> GetKeys(this CngProvider provider)
{
foreach (CngKey machineKey in GetKeys(provider, CngKeyOpenOptions.MachineKey))
{
yield return(machineKey);
}
foreach (CngKey userKey in GetKeys(provider, CngKeyOpenOptions.UserKey))
{
yield return(userKey);
}
}
private static int GuessKeySpec(CngProvider provider, string keyName, bool machineKey, CngAlgorithmGroup algorithmGroup)
{
if (provider == CngProvider.MicrosoftSoftwareKeyStorageProvider || provider == CngProvider.MicrosoftSmartCardKeyStorageProvider)
{
return(0);
}
CngKeyOpenOptions openOptions = machineKey ? CngKeyOpenOptions.MachineKey : CngKeyOpenOptions.None;
using (CngKey.Open(keyName, provider, openOptions))
{
return(0);
}
}
/// <summary>
/// GetKeys provides an enumerator over all of the keys that are stored in the key storage
/// provider. This overload of GetKeys allows you to enumerate over only the user keys in the KSP
/// or only the machine keys. It also allows you to return only keys that are usable with a
/// specified algorithm.
/// </summary>
/// <param name="provider">CngProvider to enumerate the keys of</param>
/// <param name="openOptions">options to use when opening the CNG keys</param>
/// <param name="algorithm">algorithm that the returned keys should support</param>
/// <exception cref="ArgumentNullException">if <paramref name="algorithm" /> is null</exception>
public static IEnumerable <CngKey> GetKeys(this CngProvider provider,
CngKeyOpenOptions openOptions,
CngAlgorithm algorithm)
{
if (algorithm == null)
{
throw new ArgumentNullException("algorithm");
}
return(from key in provider.GetKeys(openOptions)
where key.Algorithm == algorithm
select key);
}
public static void Sign()
{
CngProvider provider = new CngProvider("Dyadic Security Key Storage Provider");
// get the key
RSACng privateKey = new RSACng(CngKey.Open("test", provider));
// sign with the key
byte[] message = new byte[32];
byte[] signature = privateKey.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
Console.WriteLine("Message :" + Convert.ToBase64String(message));
Console.WriteLine("Signature :" + Convert.ToBase64String(signature));
}
/// <summary>
/// Constructs a HMACSHA256Cng object using the given key, which will calculate the HMAC using the
/// given algorithm provider and key.
/// </summary>
/// <param name="key">key to use when calculating the HMAC</param>
/// <param name="algorithmProvider">algorithm provider to calculate the HMAC in</param>
/// <exception cref="ArgumentNullException">
/// if <paramref name="key"/> or <paramref name="algorithmProvider"/> are null
/// </exception>
public HMACSHA256Cng(byte[] key, CngProvider algorithmProvider)
{
if (key == null)
{
throw new ArgumentNullException("key");
}
if (algorithmProvider == null)
{
throw new ArgumentNullException("algorithmProvider");
}
m_hmac = new BCryptHMAC(CngAlgorithm.Sha256, algorithmProvider, "SHA256", BlockSize, key);
HashName = m_hmac.HashName;
}
public static CngKey Open(string keyName, CngProvider provider, CngKeyOpenOptions openOptions)
{
if (keyName == null)
throw new ArgumentNullException("keyName");
if (provider == null)
throw new ArgumentNullException("provider");
SafeNCryptProviderHandle providerHandle = provider.OpenStorageProvider();
SafeNCryptKeyHandle keyHandle;
ErrorCode errorCode = Interop.NCrypt.NCryptOpenKey(providerHandle, out keyHandle, keyName, 0, openOptions);
if (errorCode != ErrorCode.ERROR_SUCCESS)
throw errorCode.ToCryptographicException();
return new CngKey(providerHandle, keyHandle);
}
/// <summary>
/// Check for the existence of a key and set the Options accordingly.
/// </summary>
/// <param name="provider">Provider Object</param>
/// <param name="keyName">Name of the key to destroy</param>
/// <param name="cngKeyOpts">MachineKey or None depending on where it found the key.</param>
/// <returns></returns>
private bool doesKeyExists(CngProvider provider, string keyName, CngKeyOpenOptions openOpts = CngKeyOpenOptions.MachineKey)
{
bool keyExists = false;
try
{
keyExists = CngKey.Exists(keyName, provider, openOpts);
}
catch (CryptographicException e)
{
throw new CryptographicException(string.Format("There was an error contacting provider {0}. It may not exist or may be configured incorrectly. Error Code:0x{1:X8} Exception thrown:{2}\nStack Trace:{3}\n",
provider.ToString(), e.HResult, e.Message, e.StackTrace), e);
}
return(keyExists);
}
public HMACSHA384Cng(byte[] key, CngProvider algorithmProvider)
{
if (key == null)
{
throw new ArgumentNullException("key");
}
if (algorithmProvider == null)
{
throw new ArgumentNullException("algorithmProvider");
}
HashName = "SHA384";
m_hmac = new BCryptHMAC(CngAlgorithm.Sha384, algorithmProvider, HashName, BlockSize, key);
}
public static IEnumerable <CngKey> GetKeys(this CngProvider provider, CngKeyOpenOptions openOptions)
{
using (SafeNCryptProviderHandle providerHandle = provider.OpenProvider())
{
NCryptNative.NCryptKeyName[] keyNames = NCryptNative.EnumerateKeys(providerHandle, openOptions);
CngKey[] keys = new CngKey[keyNames.Length];
for (int i = 0; i < keys.Length; ++i)
{
keys[i] = CngKey.Open(keyNames[i].pszName, provider);
}
return(keys);
}
}
public static IEnumerable <CngAlgorithm> GetSupportedAlgorithms(this CngProvider provider,
NCryptAlgorithmOperations operations)
{
using (SafeNCryptProviderHandle providerHandle = provider.OpenProvider())
{
NCryptNative.NCryptAlgorithmName[] algorithmNames = NCryptNative.EnumerateAlgorithms(providerHandle, operations);
CngAlgorithm[] algorithms = new CngAlgorithm[algorithmNames.Length];
for (int i = 0; i < algorithmNames.Length; ++i)
{
algorithms[i] = new CngAlgorithm(algorithmNames[i].pszName);
}
return(algorithms);
}
}
/// <summary>
/// Will destroy the key with keyname within the given provider with providerName. Will throw CryptographicException if either Provider or Key don't exist
/// </summary>
/// <param name="providerName">Name of the provider</param>
/// <param name="keyName">Name of the key to destroy</param>
public void DestroyLocalRSAKey(string providerName, string keyName)
{
CngProvider provider = new CngProvider(providerName);
bool keyExists = doesKeyExists(provider, keyName);
if (!keyExists)
{
//Nothing to destroy
return;
}
using (CngKey key = CngKey.Open(keyName, provider, CngKeyOpenOptions.MachineKey))
{
key.Delete();
}
}
internal BCryptSymmetricAlgorithm(CngAlgorithm algorithm,
CngProvider algorithmProvider,
KeySizes[] legalBlockSizes,
KeySizes[] legalkeySizes)
{
Debug.Assert(algorithm != null, "algorithm != null");
Debug.Assert(algorithmProvider != null, "algorithmProvider != null");
Debug.Assert(legalBlockSizes != null, "legalBlockSizes != null");
Debug.Assert(legalkeySizes != null, "legalKeySizes != null");
m_algorithm = algorithm;
m_algorithmProvider = algorithmProvider;
LegalBlockSizesValue = legalBlockSizes;
LegalKeySizesValue = legalkeySizes;
}
public TripleDESCng(CngProvider algorithmProvider)
{
if (algorithmProvider == null)
throw new ArgumentNullException("algorithmProvider");
m_symmetricAlgorithm = new BCryptSymmetricAlgorithm(new CngAlgorithm(BCryptNative.AlgorithmName.TripleDes),
algorithmProvider,
LegalBlockSizesValue,
LegalKeySizesValue);
// Propigate the default properties from the TripleDES class to the implementation algorithm.
m_symmetricAlgorithm.BlockSize = BlockSizeValue;
m_symmetricAlgorithm.KeySize = KeySizeValue;
m_symmetricAlgorithm.Mode = ModeValue;
m_symmetricAlgorithm.Padding = PaddingValue;
}
internal BCryptSymmetricAlgorithm(CngAlgorithm algorithm,
CngProvider algorithmProvider,
KeySizes[] legalBlockSizes,
KeySizes[] legalkeySizes)
{
Debug.Assert(algorithm != null, "algorithm != null");
Debug.Assert(algorithmProvider != null, "algorithmProvider != null");
Debug.Assert(legalBlockSizes != null, "legalBlockSizes != null");
Debug.Assert(legalkeySizes != null, "legalKeySizes != null");
m_algorithm = algorithm;
m_algorithmProvider = algorithmProvider;
LegalBlockSizesValue = legalBlockSizes;
LegalKeySizesValue = legalkeySizes;
}
/// <summary>
/// Constructs an AesCng object using the specified algorithm provider. The default settings for
/// this object are:
/// <list type="bullet">
/// <item>Algorithm provider - Microsoft Primitive Algorithm Provider</item>
/// <item>Block size - 128 bits</item>
/// <item>Feedback size - 8 bits</item>
/// <item>Key size - 256 bits</item>
/// <item>Cipher mode - CipherMode.CBC</item>
/// <item>Padding mode - PaddingMode.PKCS7</item>
/// </list>
/// </summary>
/// <exception cref="ArgumentNullException">if <paramref name="algorithmProvider"/> is null</exception>
/// <param name="algorithmProvider">algorithm provider to use for AES computation</param>
public AesCng(CngProvider algorithmProvider)
{
if (algorithmProvider == null)
{
throw new ArgumentNullException("algorithmProvider");
}
m_symmetricAlgorithm = new BCryptSymmetricAlgorithm(new CngAlgorithm(BCryptNative.AlgorithmName.Aes),
algorithmProvider,
LegalBlockSizesValue,
LegalKeySizesValue);
// Propigate the default properties from the Aes class to the implementation algorithm.
m_symmetricAlgorithm.BlockSize = BlockSizeValue;
m_symmetricAlgorithm.KeySize = KeySizeValue;
m_symmetricAlgorithm.Mode = ModeValue;
m_symmetricAlgorithm.Padding = PaddingValue;
}
/// <summary>
/// Construct an AuthenticatedAesCng using a specific algorithm provider. The default settings
/// for this object are:
/// <list type="bullet">
/// <item>CngMode - CngChainingMode.Gcm</item>
/// </list>
/// </summary>
/// <param name="provider">algorithm provider to use for AES computation</param>
/// <exception cref="ArgumentNullException">if <paramref name="provider"/> is null</exception>
public AuthenticatedAesCng(CngProvider provider)
{
if (provider == null)
{
throw new ArgumentNullException("provider");
}
m_authenticatedSymmetricAlgorithm =
new BCryptAuthenticatedSymmetricAlgorithm(CngAlgorithm2.Aes,
provider,
LegalBlockSizesValue,
LegalKeySizesValue);
// Propigate the default properties from the Aes class to the implementation algorithm.
m_authenticatedSymmetricAlgorithm.BlockSize = BlockSizeValue;
m_authenticatedSymmetricAlgorithm.KeySize = KeySizeValue;
m_authenticatedSymmetricAlgorithm.Padding = PaddingValue;
}
/// <summary>
/// Export the private key so that decryption can happen on other machines.
/// </summary>
/// <param name="providerName">Name of the provider</param>
/// <param name="keyName">Name of the key to destroy</param>
/// <param name="filePath">Output Path for where to write the key</param>
public void ExportPrivateKeytoFile(string providerName, string keyName, string filePath)
{
CngProvider provider = new CngProvider(providerName);
bool keyExists = doesKeyExists(provider, keyName);
if (!keyExists)
{
throw new CryptographicException(string.Format("They key {0} does not exist so there is no key to export", keyName));
}
if (File.Exists(filePath))
{
throw new IOException(string.Format("File {0} already exists.", filePath));
}
using (CngKey key = CngKey.Open(keyName, provider, CngKeyOpenOptions.MachineKey))
{
File.WriteAllBytes(filePath, key.Export(new CngKeyBlobFormat("RSAFULLPRIVATEBLOB")));
}
}
public void Init()
{
using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite))
{
X509Certificate2Collection certificates = store.Certificates;
X509Certificate2Collection signingcertificates = certificates.Find(X509FindType.FindBySubjectName, "Utimaco CNG Signing Test", false);
if (signingcertificates.Count == 0)
{
CngProvider provider = new CngProvider("Utimaco CryptoServer Key Storage Provider");
CngKey key = CngKey.Open("DEMOecdsa", provider);
ECDsaCng ecdsaKey = new ECDsaCng(key);
CertificateRequest request = new CertificateRequest("CN = Utimaco CNG Signing Test", ecdsaKey, HashAlgorithmName.SHA512);
X509Certificate2 certificate = request.CreateSelfSigned(System.DateTimeOffset.Now, System.DateTimeOffset.Now.AddYears(2));
certificate.FriendlyName = "Utimaco CNG Signing Test";
System.Console.WriteLine("Utimaco CNG Signing Test Certificate generated:\n****\n{0}\n****", certificate);
store.Add(certificate);
}
}
}
public void ExportPublicKeytoFile(string providerName, string keyName, string filePath)
{
CngProvider provider = new CngProvider(providerName);
bool keyExists = doesKeyExists(provider, keyName);
if (!keyExists)
{
throw new CryptographicException(string.Format("They key {0} does not exist so there is no public key to export", keyName));
}
if (File.Exists(filePath))
{
throw new IOException(string.Format("File {0} already exists.", filePath));
}
using (CngKey key = IsMicrosoftSoftwareKSP(provider) ? CngKey.Open(keyName, provider, CngKeyOpenOptions.MachineKey) : CngKey.Open(keyName, provider))
{
File.WriteAllBytes(filePath, key.Export(CngKeyBlobFormat.GenericPublicBlob));
}
}
public static void Main()
{
partyAKey();
partyBKey();
CngProvider luna = new CngProvider("SafeNet Key Storage Provider");
CngKey ecKey = CngKey.Open("Party-A", luna);
byte [] pubKey = softKey.Export(CngKeyBlobFormat.EccPublicBlob);
softKey.Delete();
publicKey = CngKey.Import(pubKey, CngKeyBlobFormat.EccPublicBlob, luna);
ECDiffieHellmanCng xChg = new ECDiffieHellmanCng(ecKey);
xChg.HashAlgorithm = CngAlgorithm.Sha256;
xChg.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hmac;
byte[] data = xChg.DeriveKeyMaterial(publicKey);
Console.ReadLine();
ecKey.Delete();
}
private unsafe ICertificatePal?CopyWithPersistedCngKey(CngKey cngKey)
{
if (string.IsNullOrEmpty(cngKey.KeyName))
{
return(null);
}
// Make a new pal from bytes.
CertificatePal pal = (CertificatePal)FromBlob(RawData, SafePasswordHandle.InvalidHandle, X509KeyStorageFlags.PersistKeySet);
CngProvider provider = cngKey.Provider !;
string keyName = cngKey.KeyName;
bool machineKey = cngKey.IsMachineKey;
// CAPI RSA_SIGN keys won't open correctly under CNG without the key number being specified, so
// check to see if we can figure out what key number it needs to re-open.
int keySpec = GuessKeySpec(provider, keyName, machineKey, cngKey.AlgorithmGroup);
Interop.Crypt32.CRYPT_KEY_PROV_INFO keyProvInfo = default;
fixed(char *keyNamePtr = cngKey.KeyName)
fixed(char *provNamePtr = cngKey.Provider !.Provider)
{
keyProvInfo.pwszContainerName = keyNamePtr;
keyProvInfo.pwszProvName = provNamePtr;
keyProvInfo.dwFlags = machineKey ? Interop.Crypt32.CryptAcquireContextFlags.CRYPT_MACHINE_KEYSET : 0;
keyProvInfo.dwKeySpec = keySpec;
if (!Interop.Crypt32.CertSetCertificateContextProperty(
pal._certContext,
Interop.Crypt32.CertContextPropId.CERT_KEY_PROV_INFO_PROP_ID,
Interop.Crypt32.CertSetPropertyFlags.None,
&keyProvInfo))
{
Exception e = Marshal.GetLastPInvokeError().ToCryptographicException();
pal.Dispose();
throw e;
}
}
return(pal);
}
/// <summary>
/// Tries to generate and RSA Key in the given provider with this keyName.
/// </summary>
/// <param name="providerName">Name of the provider</param>
/// <param name="keyName">Name of the key</param>
/// <param name="keyLength">Length of the key to generate</param>
/// <returns>true if successful, false if that key already exists.</returns>
public bool TryGenerateLocalRSAKey(string providerName, string keyName, int keyLength = 2048)
{
CngProvider provider = new CngProvider(providerName);
if (CngKey.Exists(keyName, provider))
{
return(false);
}
CngKeyCreationParameters keyParams = new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.None,
Provider = provider,
Parameters = { new CngProperty("Length", BitConverter.GetBytes(keyLength), CngPropertyOptions.None) }
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams)) {
// nothing to do inside here, except to return without throwing an exception
return(true);
}
}
/// <summary>
/// Given a KeyProvider and a KeyName, uses that key to encrypt the given data
/// </summary>
/// <param name="providerName">Provider where the key is stored</param>
/// <param name="keyName">Name of the key to use</param>
/// <param name="toEncrypt">Data to encrypt</param>
/// <param name="hashAlgorithm">OAEP hash algorithm, Look in PaddingHashAlgorithmNames.cs for values, but supports only SHA1, SHA256, SHA384, SHA512</param>
/// <param name="paddingFlags">Padding Type, Look in PaddingFlags.cs for values, but supports only PKCS1 amd OAEP</param>
/// <exception cref="CryptographicException">Cryptographic Exception</exception>
/// <returns>Encrypted data</returns>
public byte[] EncryptWithLocalKey(string providerName, string keyName, byte[] toEncrypt, string hashAlgorithm = PaddingHashAlgorithmNames.SHA512, int paddingFlags = PaddingFlags.OAEPPadding)
{
CngProvider provider = new CngProvider(providerName);
byte[] encryptedData = null;
bool keyExists = doesKeyExists(provider, keyName);
if (!keyExists)
{
throw new CryptographicException(string.Format("They key {0} does not exist and cannot be used for encryption", keyName));
}
using (CngKey key = CngKey.Open(keyName, provider, CngKeyOpenOptions.MachineKey))
{
using (RSACng rsa = new RSACng(key))
{
RSAEncryptionPadding padding = this.GetRSAPadding(hashAlgorithm, paddingFlags);
encryptedData = rsa.Encrypt(toEncrypt, padding);
}
}
return(encryptedData);
}
/// <summary>
/// Creates a RSACng object from the given keyName
/// </summary>
/// <param name="keyPath"></param>
/// <param name="isSystemOp">Indicates if ADO.NET calls or the customer calls the API</param>
/// <returns></returns>
private RSACng CreateRSACngProvider(string keyPath, bool isSystemOp)
{
// Get CNGProvider and the KeyID
string cngProviderName;
string keyIdentifier;
GetCngProviderAndKeyId(keyPath, isSystemOp, out cngProviderName, out keyIdentifier);
CngProvider cngProvider = new CngProvider(cngProviderName);
CngKey cngKey;
try
{
cngKey = CngKey.Open(keyIdentifier, cngProvider);
}
catch (CryptographicException)
{
throw SQL.InvalidCngKey(keyPath, cngProviderName, keyIdentifier, isSystemOp);
}
return new RSACng(cngKey);
}
public byte[] Decrypt(byte[] encryptedData)
{
CngProvider provider = new CngProvider(kspName);
CngKey key;
// If you get an error here, make sure you register the KSP and the project run in 64bits
if (!CngKey.Exists(keyId, provider))
{
throw new System.ArgumentException("Key " + keyId + " not found in " + kspName);
}
key = CngKey.Open(keyId, provider);
RSACng cryptoEngine = new RSACng(key);
var decryptedData = cryptoEngine.Decrypt(encryptedData, System.Security.Cryptography.RSAEncryptionPadding.OaepSHA256);
cryptoEngine.Dispose();
key.Dispose();
return(decryptedData);
}
/// <summary>
/// Creates an RSA 2048 key inside the specified CSP.
/// </summary>
/// <param name="providerName">CSP name</param>
/// <param name="containerName">Container name</param>
/// <returns></returns>
internal static bool CreateCmkUsingCsp(string providerName, string containerName)
{
try
{
// open provider
CngProvider provider = new CngProvider(providerName);
// generate new test key pair
CngKeyCreationParameters creation = new CngKeyCreationParameters();
creation.Provider = provider;
CngKey privateKey = CngKey.Create(new CngAlgorithm("RSA"), containerName, creation); // default is 2048
}
catch (CryptographicException e)
{
Console.WriteLine("\tFAILURE: The RSA key was not persisted in the container, \"{0}\".", containerName);
Console.WriteLine(@" {0}", e.Message);
return(false);
}
return(true);
}
public static CngKey Import(byte[] keyBlob, CngKeyBlobFormat format, CngProvider provider)
{
if (keyBlob == null)
throw new ArgumentNullException("keyBlob");
if (format == null)
throw new ArgumentNullException("format");
if (provider == null)
throw new ArgumentNullException("provider");
SafeNCryptProviderHandle providerHandle = provider.OpenStorageProvider();
SafeNCryptKeyHandle keyHandle;
ErrorCode errorCode = Interop.NCrypt.NCryptImportKey(providerHandle, IntPtr.Zero, format.Format, IntPtr.Zero, out keyHandle, keyBlob, keyBlob.Length, 0);
if (errorCode != ErrorCode.ERROR_SUCCESS)
throw errorCode.ToCryptographicException();
CngKey key = new CngKey(providerHandle, keyHandle);
// We can't tell directly if an OpaqueTransport blob imported as an ephemeral key or not
key.IsEphemeral = format != CngKeyBlobFormat.OpaqueTransportBlob;
return key;
}
/// <summary>
/// Constructs the core to use a stored CNG key.
/// </summary>
public CngSymmetricAlgorithmCore(string algorithm, ICngSymmetricAlgorithm outer, string keyName, CngProvider provider, CngKeyOpenOptions openOptions)
{
if (keyName == null)
throw new ArgumentNullException("keyName");
if (provider == null)
throw new ArgumentNullException("provider");
_algorithm = algorithm;
_outer = outer;
_keyName = keyName;
_provider = provider;
_optionOptions = openOptions;
using (CngKey cngKey = ProduceCngKey())
{
CngAlgorithm actualAlgorithm = cngKey.Algorithm;
if (algorithm != actualAlgorithm.Algorithm)
throw new CryptographicException(SR.Format(SR.Cryptography_CngKeyWrongAlgorithm, actualAlgorithm.Algorithm, algorithm));
_outer.BaseKeySize = cngKey.KeySize;
}
}
private CngKey GetPrivateKey(X509Certificate2 cert)
{
var rsakey = cert.GetRSAPrivateKey() as RSACng;
if (rsakey != null)
{
return(rsakey.Key);
}
var provider = new CngProvider(CSPName);
var cngkey = CngKey.Open(KeyContainer, provider, CngKeyOpenOptions.MachineKey);
if (cngkey == null)
{
throw new InvalidOperationException(NuGetMSSignCommand.MSSignCommandNoCngKeyException);
}
if (cngkey.AlgorithmGroup != CngAlgorithmGroup.Rsa)
{
throw new InvalidOperationException(NuGetMSSignCommand.MSSignCommandInvalidCngKeyException);
}
return(cngkey);
}
public static bool Exists(string keyName, CngProvider provider, CngKeyOpenOptions options) {
if (keyName == null) {
throw new ArgumentNullException("keyName");
}
if (provider == null) {
throw new ArgumentNullException("provider");
}
// Make sure that NCrypt is supported on this platform
if (!NCryptNative.NCryptSupported) {
throw new PlatformNotSupportedException(SR.GetString(SR.Cryptography_PlatformNotSupported));
}
using (SafeNCryptProviderHandle kspHandle = NCryptNative.OpenStorageProvider(provider.Provider)) {
SafeNCryptKeyHandle keyHandle = null;
try {
NCryptNative.ErrorCode error = NCryptNative.UnsafeNativeMethods.NCryptOpenKey(kspHandle,
out keyHandle,
keyName,
0,
options);
// CNG will return either NTE_NOT_FOUND or NTE_BAD_KEYSET for the case where the key does
// not exist, so we need to check for both return codes.
bool keyNotFound = error == NCryptNative.ErrorCode.KeyDoesNotExist ||
error == NCryptNative.ErrorCode.NotFound;
if (error != NCryptNative.ErrorCode.Success && !keyNotFound) {
throw new CryptographicException((int)error);
}
return error == NCryptNative.ErrorCode.Success;
}
finally {
if (keyHandle != null) {
keyHandle.Dispose();
}
}
}
}
public static CngKey Import(byte[] keyBlob, CngKeyBlobFormat format, CngProvider provider)
{
return Import(keyBlob, null, format, provider);
}
/// <summary>
/// Creates a RSACng object from the given keyName
/// </summary>
/// <param name="keyPath"></param>
/// <param name="isSystemOp">Indicates if ADO.NET calls or the customer calls the API</param>
/// <returns></returns>
private RSACng CreateRSACngProvider(string keyPath, bool isSystemOp)
{
// Get CNGProvider and the KeyID
string cngProviderName;
string keyIdentifier;
GetCngProviderAndKeyId(keyPath, isSystemOp, out cngProviderName, out keyIdentifier);
CngProvider cngProvider = new CngProvider(cngProviderName);
CngKey cngKey;
try
{
cngKey = CngKey.Open(keyIdentifier, cngProvider);
}
catch (CryptographicException)
{
throw SQL.InvalidCngKey(keyPath, cngProviderName, keyIdentifier, isSystemOp);
}
return new RSACng(cngKey);
}
public AesCng(string keyName, CngProvider provider)
: this(keyName, provider, CngKeyOpenOptions.None)
{
}
public AesCng(string keyName, CngProvider provider, CngKeyOpenOptions openOptions)
{
_core = new CngSymmetricAlgorithmCore(this, keyName, provider, openOptions);
}
/// <summary>
/// Import a key from a file for use on the machine.
/// </summary>
/// <param name="providerName"></param>
/// <param name="filePath"></param>
public bool ImportKeyToKSP(string providerName, string keyName, string filePath, bool makeExportable = false)
{
CngProvider provider = new CngProvider(providerName);
bool keyExists = doesKeyExists(provider, keyName);
if (keyExists)
{
//Key already exists. Can't create it.
return(false);
}
CryptoKeySecurity sec = new CryptoKeySecurity();
CngKeyCreationParameters keyParams = null;
byte[] keyBlob = File.ReadAllBytes(filePath);
CngProperty keyBlobProp = new CngProperty(new CngKeyBlobFormat("RSAFULLPRIVATEBLOB").Format, keyBlob, CngPropertyOptions.None);
if (IsMicrosoftSoftwareKSP(provider))
{
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinAdministratorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.FullControl,
type: AccessControlType.Allow));
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinSystemOperatorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.GenericRead,
type: AccessControlType.Allow));
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
CngProperty permissions = new CngProperty(
NCRYPT_SECURITY_DESCR_PROPERTY,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = makeExportable ? CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport : CngExportPolicies.None,
Provider = provider,
Parameters = { permissions, keyBlobProp },
KeyCreationOptions = CngKeyCreationOptions.MachineKey
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
return(true);
}
}
else
{
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = makeExportable ? CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport : CngExportPolicies.None,
Provider = provider,
Parameters = { keyBlobProp },
KeyCreationOptions = CngKeyCreationOptions.MachineKey
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
// nothing to do inside here, except to return without throwing an exception
return(true);
}
}
}
public static bool Exists(string keyName, CngProvider provider, CngKeyOpenOptions options)
{
return default(bool);
}
public static CngKey Open(string keyName, CngProvider provider)
{
Contract.Ensures(Contract.Result<System.Security.Cryptography.CngKey>() != null);
return default(CngKey);
}
public static CngKey Import(byte[] keyBlob, CngKeyBlobFormat format, CngProvider provider) {
Contract.Ensures(Contract.Result<CngKey>() != null);
if (keyBlob == null) {
throw new ArgumentNullException("keyBlob");
}
if (format == null) {
throw new ArgumentNullException("format");
}
if (provider == null) {
throw new ArgumentNullException("provider");
}
// Make sure that NCrypt is supported on this platform
if (!NCryptNative.NCryptSupported) {
throw new PlatformNotSupportedException(SR.GetString(SR.Cryptography_PlatformNotSupported));
}
// If we don't know for sure that the key will be ephemeral, then we need to demand Import
// permission. Since we won't know the name of the key until it's too late, we demand a full Import
// rather than one scoped to the key.
bool safeKeyImport = format == CngKeyBlobFormat.EccPublicBlob ||
format == CngKeyBlobFormat.GenericPublicBlob;
if (!safeKeyImport) {
new KeyContainerPermission(KeyContainerPermissionFlags.Import).Demand();
}
// Import the key into the KSP
SafeNCryptProviderHandle kspHandle = NCryptNative.OpenStorageProvider(provider.Provider);
SafeNCryptKeyHandle keyHandle = NCryptNative.ImportKey(kspHandle, keyBlob, format.Format);
// Prepare the key for use
CngKey key = new CngKey(kspHandle, keyHandle);
// We can't tell directly if an OpaqueTransport blob imported as an ephemeral key or not
key.IsEphemeral = format != CngKeyBlobFormat.OpaqueTransportBlob;
return key;
}
public TripleDESCng(string keyName, CngProvider provider)
: this(keyName, CngProvider.MicrosoftSoftwareKeyStorageProvider, CngKeyOpenOptions.None)
{
}
public static bool Exists(string keyName, CngProvider provider) {
throw new NotImplementedException ();
}
public static CngKey Import(byte[] keyBlob, CngKeyBlobFormat format, CngProvider provider) {
throw new NotImplementedException ();
}
/// <summary>
/// Tries to generate and RSA Key in the given provider with this keyName.
/// </summary>
/// <param name="providerName">Name of the provider</param>
/// <param name="keyName">Name of the key</param>
/// <param name="keyLength">Length of the key to generate</param>
/// <returns>true if successful, false if that key already exists.</returns>
public bool TryGenerateLocalRSAKey(string providerName, string keyName, int keyLength = 2048)
{
CngProvider provider = new CngProvider(providerName);
bool keyExists = doesKeyExists(provider, keyName);
if (keyExists)
{
//Key already exists. Can't create it.
return(false);
}
CryptoKeySecurity sec = new CryptoKeySecurity();
CngKeyCreationParameters keyParams = null;
if (IsMicrosoftSoftwareKSP(provider))
{
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinAdministratorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.FullControl,
type: AccessControlType.Allow));
sec.AddAccessRule(
new CryptoKeyAccessRule(
new SecurityIdentifier(sidType: WellKnownSidType.BuiltinSystemOperatorsSid, domainSid: null),
cryptoKeyRights: CryptoKeyRights.GenericRead,
type: AccessControlType.Allow));
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
CngProperty permissions = new CngProperty(
NCRYPT_SECURITY_DESCR_PROPERTY,
sec.GetSecurityDescriptorBinaryForm(),
CngPropertyOptions.Persist | DACL_SECURITY_INFORMATION);
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.None,
Provider = provider,
Parameters = { new CngProperty("Length", BitConverter.GetBytes(keyLength), CngPropertyOptions.None),
permissions },
KeyCreationOptions = CngKeyCreationOptions.MachineKey
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
return(true);
}
}
else
{
keyParams = new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.None,
Provider = provider,
Parameters = { new CngProperty("Length", BitConverter.GetBytes(keyLength), CngPropertyOptions.None) }
};
using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, keyName, keyParams))
{
if (key == null)
{
return(false);
}
// nothing to do inside here, except to return without throwing an exception
return(true);
}
}
}
public static CngKey Open(string keyName, CngProvider provider, CngKeyOpenOptions openOptions) {
throw new NotImplementedException ();
}
/// <summary>
/// Constructs the core to use a stored CNG key.
/// </summary>
public CngSymmetricAlgorithmCore(ICngSymmetricAlgorithm outer, string keyName, CngProvider provider, CngKeyOpenOptions openOptions)
{
if (keyName == null)
{
throw new ArgumentNullException(nameof(keyName));
}
if (provider == null)
{
throw new ArgumentNullException(nameof(provider));
}
_outer = outer;
_keyName = keyName;
_provider = provider;
_optionOptions = openOptions;
using (CngKey cngKey = ProduceCngKey())
{
CngAlgorithm actualAlgorithm = cngKey.Algorithm;
string algorithm = _outer.GetNCryptAlgorithmIdentifier();
if (algorithm != actualAlgorithm.Algorithm)
{
throw new CryptographicException(SR.Format(SR.Cryptography_CngKeyWrongAlgorithm, actualAlgorithm.Algorithm, algorithm));
}
_outer.BaseKeySize = cngKey.KeySize;
}
}
public static CngKey Import(byte[] keyBlob, CngKeyBlobFormat format, CngProvider provider)
{
Contract.Ensures(Contract.Result<System.Security.Cryptography.CngKey>() != null);
return default(CngKey);
}
public TripleDESCng(string keyName, CngProvider provider, CngKeyOpenOptions openOptions)
{
throw new NotImplementedException();
}
public static CngKey Open(string keyName, CngProvider provider)
{
return Open(keyName, provider, openOptions: CngKeyOpenOptions.None);
}
public static CngKey Open(string keyName, CngProvider provider, CngKeyOpenOptions openOptions) {
Contract.Ensures(Contract.Result<CngKey>() != null);
if (keyName == null) {
throw new ArgumentNullException("keyName");
}
if (provider == null) {
throw new ArgumentNullException("provider");
}
// Make sure that NCrypt is supported on this platform
if (!NCryptNative.NCryptSupported) {
throw new PlatformNotSupportedException(SR.GetString(SR.Cryptography_PlatformNotSupported));
}
// Ensure the user has access to the key name
KeyContainerPermissionAccessEntry access = new KeyContainerPermissionAccessEntry(keyName, KeyContainerPermissionFlags.Open);
access.ProviderName = provider.Provider;
KeyContainerPermission permission = new KeyContainerPermission(KeyContainerPermissionFlags.NoFlags);
permission.AccessEntries.Add(access);
permission.Demand();
// Open the key
SafeNCryptProviderHandle kspHandle = NCryptNative.OpenStorageProvider(provider.Provider);
SafeNCryptKeyHandle keyHandle = NCryptNative.OpenKey(kspHandle, keyName, openOptions);
return new CngKey(kspHandle, keyHandle);
}
public static bool Exists(string keyName, CngProvider provider)
{
return default(bool);
}
/// <summary>
/// Constructs the core to use a stored CNG key.
/// </summary>
public CngSymmetricAlgorithmCore(string algorithm, ICngSymmetricAlgorithm outer, string keyName, CngProvider provider, CngKeyOpenOptions openOptions)
{
if (keyName == null)
{
throw new ArgumentNullException("keyName");
}
if (provider == null)
{
throw new ArgumentNullException("provider");
}
_algorithm = algorithm;
_outer = outer;
_keyName = keyName;
_provider = provider;
_optionOptions = openOptions;
using (CngKey cngKey = ProduceCngKey())
{
CngAlgorithm actualAlgorithm = cngKey.Algorithm;
if (algorithm != actualAlgorithm.Algorithm)
{
throw new CryptographicException(SR.GetString(SR.Cryptography_CngKeyWrongAlgorithm, actualAlgorithm.Algorithm, algorithm));
}
_outer.BaseKeySize = cngKey.KeySize;
}
}
public static CngKey Open(string keyName, CngProvider provider) {
Contract.Ensures(Contract.Result<CngKey>() != null);
return Open(keyName, provider, CngKeyOpenOptions.None);
}
