| public ImportCspBlob ( byte keyBlob ) : void | ||
| keyBlob | byte | A byte array that represents a DSA key blob. |
| Результат | void | |
public AsymmetricAlgorithm DecodePublicKey(Oid oid, byte[] encodedKeyValue, byte[] encodedParameters)
{
int algId = OidInfo.FindOidInfo(CryptOidInfoKeyType.CRYPT_OID_INFO_OID_KEY, oid.Value, OidGroup.PublicKeyAlgorithm, fallBackToAllGroups: true).AlgId;
switch (algId)
{
case AlgId.CALG_RSA_KEYX:
case AlgId.CALG_RSA_SIGN:
{
byte[] keyBlob = DecodeKeyBlob(CryptDecodeObjectStructType.RSA_CSP_PUBLICKEYBLOB, encodedKeyValue);
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
rsa.ImportCspBlob(keyBlob);
return rsa;
}
case AlgId.CALG_DSS_SIGN:
{
byte[] keyBlob = ConstructDSSPublicKeyCspBlob(encodedKeyValue, encodedParameters);
DSACryptoServiceProvider dsa = new DSACryptoServiceProvider();
dsa.ImportCspBlob(keyBlob);
return dsa;
}
default:
throw new NotSupportedException(SR.NotSupported_KeyAlgorithm);
}
}
public AsymmetricAlgorithm DecodePublicKey(Oid oid, byte[] encodedKeyValue, byte[] encodedParameters, ICertificatePal certificatePal)
{
if (oid.Value == Oids.Ecc)
{
return DecodeECDsaPublicKey((CertificatePal)certificatePal);
}
int algId = OidInfo.FindOidInfo(CryptOidInfoKeyType.CRYPT_OID_INFO_OID_KEY, oid.Value, OidGroup.PublicKeyAlgorithm, fallBackToAllGroups: true).AlgId;
switch (algId)
{
case AlgId.CALG_RSA_KEYX:
case AlgId.CALG_RSA_SIGN:
{
byte[] keyBlob = DecodeKeyBlob(CryptDecodeObjectStructType.CNG_RSA_PUBLIC_KEY_BLOB, encodedKeyValue);
CngKey cngKey = CngKey.Import(keyBlob, CngKeyBlobFormat.GenericPublicBlob);
return new RSACng(cngKey);
}
#if !NETNATIVE
case AlgId.CALG_DSS_SIGN:
{
byte[] keyBlob = ConstructDSSPublicKeyCspBlob(encodedKeyValue, encodedParameters);
DSACryptoServiceProvider dsa = new DSACryptoServiceProvider();
dsa.ImportCspBlob(keyBlob);
return dsa;
}
#endif
default:
throw new NotSupportedException(SR.NotSupported_KeyAlgorithm);
}
}
public static bool IsSignatureValid(byte[] data, byte[] signature, byte[] signPublicKey)
{
using (DSACryptoServiceProvider dsa = new DSACryptoServiceProvider())
{
dsa.ImportCspBlob(signPublicKey);
return dsa.VerifyData(data, signature);
}
}
public static byte[] Sign(byte[] data, byte[] signKeyPair)
{
using (DSACryptoServiceProvider dsa = new DSACryptoServiceProvider())
{
dsa.ImportCspBlob(signKeyPair);
if (dsa.PublicOnly)
{
throw new InvalidOperationException("You must have both the public and private key");
}
return dsa.SignData(data);
}
}
public AuthenticationResult Authenticate(int[] versionParts, string clientId, string b64IdSig, string b64PrivId)
{
//do version negotiation first so client and server know they'll
//be using correct key pairs (in case signatures are changed in future).
bool versionMatch = false;
if (versionParts == null || versionParts.Length != 3)
return new AuthenticationResult(2, clientId); // throw new AuthorisationException("Invalid version specification. Please state the version of RPC client that is requesting authorisation. This can differ from the version of your client application provided that the RPC interface remains identical.", -1, 2);
Version versionClient = new Version(versionParts[0], versionParts[1], versionParts[2]);
if (PluginVersion.CompareTo(versionClient) == 0)
versionMatch = true;
if (versionMatch == false)
return new AuthenticationResult(3, clientId); // version mismatch
if (string.IsNullOrEmpty(clientId))
return new AuthenticationResult(4, clientId); // missing clientId parameter
if (string.IsNullOrEmpty(b64IdSig))
return new AuthenticationResult(5, clientId); // missing base64 encoded clientId signature parameter
if (string.IsNullOrEmpty(b64PrivId))
return new AuthenticationResult(6, clientId); // missing base64 encoded unique client hash parameter
byte[] clientIdClaim = System.Text.Encoding.UTF8.GetBytes(clientId);
byte[] clientIdSignature = Convert.FromBase64String(b64IdSig);
// calculate hash of claimed client ID
SHA1 sha1 = new SHA1CryptoServiceProvider(); //TODO2: SHA256
byte[] clientIdClaimHash = sha1.ComputeHash(clientIdClaim);
// Load public key information
DSACryptoServiceProvider DSA = new DSACryptoServiceProvider();
DSA.ImportCspBlob(GetClientIdPublicKey());
//Create an DSASignatureDeformatter object and pass it the
//DSACryptoServiceProvider to transfer the key information.
DSASignatureDeformatter DSADeformatter = new DSASignatureDeformatter(DSA);
//Verify the hash and the signature
if (!DSADeformatter.VerifySignature(
clientIdClaimHash, clientIdSignature))
{
return new AuthenticationResult(7, clientId); // Signature invalid
}
// hash the (now authenticated) client Id and the client's
// secret unique identifier so we can tell if this particular
// client has conencted to KeePassRPC before
//TODO2: record failed attempts too so we can avoid bothering
// the user if they choose to ignore certain clients
byte[] data = System.Text.Encoding.UTF8.GetBytes("hash of: " + b64PrivId + clientId);
byte[] result;
SHA256 shaM = new SHA256Managed();
result = shaM.ComputeHash(data);
string clientHash = Convert.ToBase64String(result);
string currentKnownClients = host.CustomConfig
.GetString("KeePassRPC.knownClients." + clientId, "");
string[] knownClients = new string[0];
if (!string.IsNullOrEmpty(currentKnownClients))
{
knownClients = currentKnownClients.Split(',');
foreach (string knownClient in knownClients)
if (knownClient == clientHash)
return new AuthenticationResult(0, clientId); // everything's good, access granted
}
// This is the first time this type of client has
// connected to KeePassRPC so we start the new user
// wizard.
// TODO2: support wizards for different clients
if (knownClients.Length == 0 && clientId == "KeeFox Firefox add-on")
{
// The wizard handles user confirmation - if user says yes,
// the hash will be stored in the KeePass config file
PendingRPCClient newClient = new PendingRPCClient(
clientId, clientHash, new List<string>(knownClients));
object[] delParams = { newClient };
object invokeResult = host.MainWindow.Invoke(
new KeePassRPCExt.WelcomeKeeFoxUserDelegate(
KeePassRPCPlugin.WelcomeKeeFoxUser), delParams);
return new AuthenticationResult((int)invokeResult, clientId); // Should be 0 unless user cancels
}
else
{
DialogResult userConfirmationResult = MessageBox.Show(
"KeePass detected an attempt to connect to KeePass from '"
+ clientId
+ "'. Should KeePass allow this application to access your passwords?",
"Security check from the KeePassRPC plugin", MessageBoxButtons.YesNo,
MessageBoxIcon.Warning, MessageBoxDefaultButton.Button2);
// if user says yes, we store the hash in the KeePass config file
if (userConfirmationResult == DialogResult.Yes)
{
AddKnownRPCClient(new PendingRPCClient(clientId, clientHash, new List<string>(knownClients)));
return new AuthenticationResult(0, clientId); // everything's good, access granted
}
return new AuthenticationResult(5, clientId);
}
//TODO2: audit logging options? needs to be a KeePass supported
//feature really or maybe a seperate plugin?
}
public void ImportCspBlob_Keypair ()
{
byte[] blob = new byte [336] { 0x07, 0x02, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x44, 0x53, 0x53, 0x32, 0x00, 0x04, 0x00, 0x00, 0xD3,
0x7B, 0xC6, 0xED, 0x3F, 0x72, 0x44, 0xBD, 0x22, 0x7D, 0xF2, 0xD4, 0x62, 0xFE, 0x7C, 0xE3, 0x75, 0x8F, 0x9C, 0xDE, 0x69, 0xC0, 0x3A,
0x0C, 0xE6, 0x26, 0x5A, 0x46, 0x3D, 0xEF, 0x0D, 0x90, 0x20, 0xC6, 0xF6, 0x45, 0x7C, 0x73, 0xE8, 0xB9, 0x7D, 0x86, 0x27, 0xF7, 0x97,
0x76, 0xC8, 0x1C, 0x8E, 0x8B, 0xCE, 0x26, 0x93, 0xE6, 0x21, 0x53, 0x20, 0x93, 0x58, 0x25, 0x45, 0x1C, 0x46, 0x66, 0x17, 0x10, 0x98,
0x03, 0x96, 0xD0, 0xE5, 0xC8, 0x30, 0x80, 0x72, 0xB6, 0x49, 0xB3, 0x82, 0x95, 0xB3, 0x8D, 0x3A, 0xA5, 0xE5, 0x60, 0xC6, 0x42, 0x3A,
0x33, 0x70, 0x67, 0x30, 0xC5, 0x1C, 0x32, 0xD9, 0xEB, 0xCF, 0xC1, 0x36, 0xB3, 0xF3, 0x24, 0x07, 0x39, 0x86, 0x0D, 0xE9, 0x12, 0x80,
0x73, 0x26, 0xA7, 0x8C, 0x8B, 0x8A, 0x40, 0xAA, 0x51, 0x43, 0x8F, 0x20, 0xDE, 0xD2, 0x9C, 0xF3, 0xB3, 0x51, 0x73, 0x83, 0x62, 0xA0,
0x11, 0xC9, 0x50, 0x93, 0xE1, 0xF0, 0x64, 0xBE, 0xD0, 0x9E, 0xE0, 0x5B, 0x13, 0x47, 0xAA, 0x56, 0x65, 0x62, 0x47, 0xFD, 0x3A, 0x94,
0xB7, 0x1B, 0xE5, 0x35, 0x95, 0x86, 0x14, 0x64, 0xC0, 0xD6, 0x07, 0x96, 0x4C, 0x55, 0x1E, 0x0A, 0x4C, 0x10, 0xC2, 0xB5, 0xE6, 0xFB,
0x74, 0xF9, 0xA5, 0x72, 0xE0, 0x42, 0x96, 0x62, 0x0B, 0xEF, 0xB7, 0x52, 0x36, 0x7D, 0xE3, 0x01, 0x12, 0x85, 0xE6, 0xFE, 0x92, 0x75,
0x40, 0xC2, 0xA6, 0xD0, 0x9D, 0x16, 0x6F, 0xC1, 0xC7, 0xA7, 0xDF, 0x48, 0x80, 0xA2, 0x5D, 0xA0, 0xFD, 0x84, 0xBE, 0x06, 0xAC, 0xCB,
0x32, 0x22, 0x82, 0xD2, 0xD7, 0x7C, 0x69, 0xFC, 0xBC, 0x94, 0x78, 0x2B, 0x11, 0x5B, 0x1C, 0x1E, 0xAF, 0xDB, 0x7A, 0xAA, 0x31, 0xF3,
0xD8, 0x74, 0x84, 0x00, 0x3F, 0x9D, 0xB9, 0x4B, 0xB2, 0x68, 0x7E, 0xF4, 0x1B, 0xC2, 0x83, 0x73, 0x21, 0x78, 0x0F, 0xD5, 0x0F, 0xB0,
0xEB, 0x76, 0x41, 0xF1, 0x23, 0x7A, 0x6A, 0x78, 0xCC, 0x4F, 0x3D, 0xB1, 0x2F, 0x0A, 0xF6, 0x9A, 0xA7, 0x18, 0xC1, 0x2F, 0xF0, 0xB7,
0x73, 0x91, 0x51, 0x6D, 0x9B, 0xB5, 0xB2, 0x03, 0x7C, 0xE0, 0x00, 0x00, 0x00, 0x9B, 0xAF, 0x1B, 0xE9, 0xC1, 0xC7, 0x35, 0xF5, 0xE2,
0xEB, 0xC9, 0xEE, 0xF6, 0xBA, 0x25, 0x6D, 0x6F, 0x39, 0x83, 0xB9 };
dsa = new DSACryptoServiceProvider (minKeySize);
dsa.ImportCspBlob (blob);
byte[] keypair = dsa.ExportCspBlob (true);
for (int i = 0; i < blob.Length; i++)
Assert.AreEqual (blob[i], keypair[i], i.ToString ());
}
public void ImportCspBlob_Bad ()
{
byte[] blob = new byte [148]; // valid size for public key
dsa = new DSACryptoServiceProvider (minKeySize);
dsa.ImportCspBlob (blob);
}
public void ImportCspBlob_Null ()
{
dsa = new DSACryptoServiceProvider (minKeySize);
dsa.ImportCspBlob (null);
}
//--- Methods ---
protected override Yield Start(XDoc config, Result result) {
yield return Coroutine.Invoke(base.Start, config, new Result());
// initialize debug mode
string debug = config["debug"].AsText;
_debug = (debug != null) && !debug.EqualsInvariantIgnoreCase("false");
// check if a public digital signature key was provided
string dsaKey = config["dekiwiki-signature"].AsText;
if(dsaKey != null) {
try {
DSACryptoServiceProvider dsa = new DSACryptoServiceProvider();
dsa.ImportCspBlob(Convert.FromBase64String(dsaKey));
_publicDigitalSignature = dsa;
} catch {
throw new ArgumentException("invalid digital signature provided", "dekiwiki-signature");
}
}
// load script
LoadScript();
result.Return();
}
/// <summary>
/// Generate a signature file using a private key.
/// </summary>
/// <param name="filePath">The file whose contents will be hashed.</param>
/// <param name="signatureFilePath">The path of the generated signature file.</param>
/// <param name="privateBlob">The private key.</param>
public static void SignFile(string filePath, string signatureFilePath, byte[] privateBlob)
{
try
{
if (privateBlob.Length == 0)
{
throw new Exception("The specified private key is invalid.");
}
byte[] hash = null;
using (Stream fileStream = File.Open(filePath, FileMode.Open))
{
SHA1 sha1 = new SHA1CryptoServiceProvider();
hash = sha1.ComputeHash(fileStream);
}
// Import the private key
var dsa = new DSACryptoServiceProvider();
dsa.ImportCspBlob(privateBlob);
var rsaFormatter = new DSASignatureFormatter(dsa);
rsaFormatter.SetHashAlgorithm("SHA1");
// Create a signature based on the private key
byte[] signature = rsaFormatter.CreateSignature(hash);
// Write the signature file
File.WriteAllBytes(signatureFilePath, signature);
}
catch (Exception e)
{
Debug.WriteLine(e);
}
}
/// <summary>
/// Verify a file using a signature file and a public key.
/// </summary>
/// <param name="filePath">The file whose contents will be hashed.</param>
/// <param name="signatureFilePath">The path of the signature file.</param>
/// <param name="publicBlob">The public key.</param>
/// <returns> True if the file is verified, otherwise false.</returns>
public static bool VerifyFile(string filePath, string signatureFilePath, byte[] publicBlob)
{
if (publicBlob.Length == 0)
return false;
bool verified = false;
byte[] hash = null;
try
{
// Compute a hash of the installer
using (Stream fileStream = File.Open(filePath, FileMode.Open))
{
SHA1 sha1 = new SHA1CryptoServiceProvider();
hash = sha1.ComputeHash(fileStream);
}
// Import the public key
var dsa = new DSACryptoServiceProvider();
dsa.ImportCspBlob(publicBlob);
var dsaDeformatter = new DSASignatureDeformatter(dsa);
dsaDeformatter.SetHashAlgorithm("SHA1");
// Read the signature file
byte[] signature = File.ReadAllBytes(signatureFilePath);
// Verify the signature against the hash of the installer
verified = dsaDeformatter.VerifySignature(hash, signature);
Console.WriteLine("File verified: {0}", verified);
}
catch (Exception e)
{
Debug.WriteLine(e);
return false;
}
return verified;
}
public void ExportCspBlob_PublicKey ()
{
byte[] blob = new byte [444] { 0x06, 0x02, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x44, 0x53, 0x53, 0x31, 0x00, 0x04, 0x00, 0x00, 0xD3,
0x7B, 0xC6, 0xED, 0x3F, 0x72, 0x44, 0xBD, 0x22, 0x7D, 0xF2, 0xD4, 0x62, 0xFE, 0x7C, 0xE3, 0x75, 0x8F, 0x9C, 0xDE, 0x69, 0xC0, 0x3A,
0x0C, 0xE6, 0x26, 0x5A, 0x46, 0x3D, 0xEF, 0x0D, 0x90, 0x20, 0xC6, 0xF6, 0x45, 0x7C, 0x73, 0xE8, 0xB9, 0x7D, 0x86, 0x27, 0xF7, 0x97,
0x76, 0xC8, 0x1C, 0x8E, 0x8B, 0xCE, 0x26, 0x93, 0xE6, 0x21, 0x53, 0x20, 0x93, 0x58, 0x25, 0x45, 0x1C, 0x46, 0x66, 0x17, 0x10, 0x98,
0x03, 0x96, 0xD0, 0xE5, 0xC8, 0x30, 0x80, 0x72, 0xB6, 0x49, 0xB3, 0x82, 0x95, 0xB3, 0x8D, 0x3A, 0xA5, 0xE5, 0x60, 0xC6, 0x42, 0x3A,
0x33, 0x70, 0x67, 0x30, 0xC5, 0x1C, 0x32, 0xD9, 0xEB, 0xCF, 0xC1, 0x36, 0xB3, 0xF3, 0x24, 0x07, 0x39, 0x86, 0x0D, 0xE9, 0x12, 0x80,
0x73, 0x26, 0xA7, 0x8C, 0x8B, 0x8A, 0x40, 0xAA, 0x51, 0x43, 0x8F, 0x20, 0xDE, 0xD2, 0x9C, 0xF3, 0xB3, 0x51, 0x73, 0x83, 0x62, 0xA0,
0x11, 0xC9, 0x50, 0x93, 0xE1, 0xF0, 0x64, 0xBE, 0xD0, 0x9E, 0xE0, 0x5B, 0x13, 0x47, 0xAA, 0x56, 0x65, 0x62, 0x47, 0xFD, 0x3A, 0x94,
0xB7, 0x1B, 0xE5, 0x35, 0x95, 0x86, 0x14, 0x64, 0xC0, 0xD6, 0x07, 0x96, 0x4C, 0x55, 0x1E, 0x0A, 0x4C, 0x10, 0xC2, 0xB5, 0xE6, 0xFB,
0x74, 0xF9, 0xA5, 0x72, 0xE0, 0x42, 0x96, 0x62, 0x0B, 0xEF, 0xB7, 0x52, 0x36, 0x7D, 0xE3, 0x01, 0x12, 0x85, 0xE6, 0xFE, 0x92, 0x75,
0x40, 0xC2, 0xA6, 0xD0, 0x9D, 0x16, 0x6F, 0xC1, 0xC7, 0xA7, 0xDF, 0x48, 0x80, 0xA2, 0x5D, 0xA0, 0xFD, 0x84, 0xBE, 0x06, 0xAC, 0xCB,
0x32, 0x22, 0x82, 0xD2, 0xD7, 0x7C, 0x69, 0xFC, 0xBC, 0x94, 0x78, 0x2B, 0x11, 0x5B, 0x1C, 0x1E, 0xAF, 0xDB, 0x7A, 0xAA, 0x31, 0xF3,
0xD8, 0x74, 0x84, 0x00, 0x3F, 0x9D, 0xB9, 0x4B, 0xB2, 0x68, 0x7E, 0xF4, 0x1B, 0xC2, 0x83, 0x73, 0x21, 0x78, 0x0F, 0xD5, 0x0F, 0xB0,
0xEB, 0x76, 0x41, 0xF1, 0x23, 0x7A, 0x6A, 0x78, 0xCC, 0x4F, 0x3D, 0xBB, 0xC7, 0x03, 0x89, 0xC4, 0x0B, 0x66, 0x86, 0x80, 0xD5, 0xAA,
0x34, 0xE8, 0x14, 0x71, 0xF9, 0x29, 0xBE, 0xB9, 0xEE, 0x34, 0xB1, 0x5F, 0xA2, 0xC8, 0x4D, 0xCD, 0xCF, 0x0E, 0x8E, 0xA4, 0x2E, 0xD4,
0x65, 0x8C, 0x27, 0xFF, 0xC1, 0x41, 0x26, 0xF9, 0x0E, 0xE5, 0x11, 0xC9, 0xCC, 0x3E, 0x45, 0x87, 0xEC, 0x49, 0xBA, 0x7C, 0x83, 0x91,
0xDE, 0x70, 0xE8, 0x27, 0x1C, 0x47, 0xEB, 0x1D, 0xE2, 0x37, 0x62, 0x2F, 0xAA, 0x5B, 0x30, 0x80, 0x8B, 0x80, 0x00, 0x55, 0xF4, 0x64,
0xC2, 0xBE, 0x5A, 0xD3, 0x54, 0x4A, 0xE7, 0x0B, 0x95, 0x00, 0xF4, 0xBA, 0x72, 0xCD, 0xF8, 0x22, 0xE6, 0x30, 0x4E, 0xF6, 0xBD, 0xBE,
0x3F, 0x00, 0x52, 0x7F, 0xE2, 0x57, 0x5F, 0xC0, 0xBE, 0x82, 0xC0, 0x50, 0x07, 0x1C, 0x7D, 0x89, 0x56, 0x49, 0xCE, 0x28, 0x52, 0x8C,
0x11, 0xB1, 0xD1, 0x51, 0x51, 0x12, 0xB2, 0xE0, 0x00, 0x00, 0x00, 0x9B, 0xAF, 0x1B, 0xE9, 0xC1, 0xC7, 0x35, 0xF5, 0xE2, 0xEB, 0xC9,
0xEE, 0xF6, 0xBA, 0x25, 0x6D, 0x6F, 0x39, 0x83, 0xB9 };
dsa = new DSACryptoServiceProvider (minKeySize);
dsa.ImportCspBlob (blob);
byte[] pubkey = dsa.ExportCspBlob (false);
for (int i = 0; i < blob.Length; i++)
AssertEquals (i.ToString (), blob [i], pubkey [i]);
}
private void SignFileButton_Click(object sender, RoutedEventArgs e)
{
DSACryptoServiceProvider provider = new DSACryptoServiceProvider();
provider.ImportCspBlob(SelectedKey.PrivateKey);
OpenFileDialog dialog = new OpenFileDialog();
dialog.Filter = "All Files|*.*";
dialog.Title = "Please choose the file to sign";
if (dialog.ShowDialog() == System.Windows.Forms.DialogResult.Cancel) {
return;
}
if (!String.IsNullOrEmpty(dialog.FileName)) {
try {
DSASignatureFormatter formatter = new DSASignatureFormatter(provider);
formatter.SetHashAlgorithm("SHA1");
SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider();
byte[] hash = sha1.ComputeHash(File.ReadAllBytes(dialog.FileName));
string signature = Convert.ToBase64String(formatter.CreateSignature(hash));
SignatureBox.Text = signature;
} catch (Exception ex) {
System.Windows.MessageBox.Show(String.Format("File could not be signed: {0}", ex.Message));
return;
}
} else {
return;
}
}
