示例#1
        public void Test_Decrypt_IsThrowingCryptographicExceptionForWrongData()
        {
            var sut = new AesAlgorithm();

            // Three bytes of "wrong data" (per the test name) handed to Decrypt as the payload.
            byte[] malformedData = { 12, 20, 25 };

            // Constructed fixtures, not real secrets: the 16-byte value equals the MD5 digest
            // of empty input, and the 32-byte value is that same sequence repeated twice.
            // NOTE(review): the roles of the 2nd and 3rd argument (presumably key and IV) are
            // inferred from the array lengths only - confirm against AesAlgorithm.Decrypt.
            byte[] thirtyTwoByteArgument =
            {
                212, 29, 140, 217, 143, 0, 178, 4, 233, 128, 9, 152, 236, 248, 66, 126,
                212, 29, 140, 217, 143, 0, 178, 4, 233, 128, 9, 152, 236, 248, 66, 126
            };
            byte[] sixteenByteArgument =
            {
                212, 29, 140, 217, 143, 0, 178, 4, 233, 128, 9, 152, 236, 248, 66, 126
            };

            // Decrypt must signal the failure with a CryptographicException instead of
            // returning bytes for input it cannot decrypt.
            Assert.Throws<CryptographicException>(
                () => sut.Decrypt(malformedData, thirtyTwoByteArgument, sixteenByteArgument));
        }
示例#2
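        /// <summary>
        /// Validates a password by deriving the master key from it and attempting to decrypt
        /// the database entry of the given fortress archive. The decrypted bytes are not used;
        /// only the success or failure of the decryption matters.
        /// </summary>
        /// <param name="fortressFullPath">Path of the fortress archive, passed to <c>ZipHelper.UnzipSavedZip</c>.</param>
        /// <param name="fortressName">Name of the fortress; used as the folder prefix of the salt and database entries inside the archive.</param>
        /// <param name="password">Plaintext password from which the key is derived together with the stored salt.</param>
        /// <exception cref="Exception">
        /// Any failure (missing entry, read error, failed decryption) is tagged with the generic
        /// data-exception user message and rethrown.
        /// </exception>
        internal void ValidateMasterKey(string fortressFullPath, string fortressName, string password)
        {
            try
            {
                Logger.log.Info($"Start validating the masterkey of fortress {fortressFullPath}...");
                var aesHelper = new AesHelper();

                // =========================================================== Unzip the fortress - Read salt

                var unzippedFortress = ZipHelper.UnzipSavedZip(fortressFullPath);
                using (unzippedFortress)
                {
                    var entryOfSalt = fortressName + "/salt" + TermHelper.GetTextFileEnding();
                    // NOTE(review): if the archive has no such entry, the Open() call below fails
                    // and the error surfaces through the catch block - presumably intended.
                    var saltEntry   = unzippedFortress.GetEntry(entryOfSalt);

                    // No pre-allocated buffer: the array returned by the reader replaces it anyway.
                    byte[] saltBytes;
                    using (var stream = saltEntry.Open())
                    {
                        saltBytes = ByteHelper.ReadBytesOfStream(stream);
                    }
                    Logger.log.Debug("Unzipped fortress - Salt bytes read.");

                    // =========================================================== Create masterkey

                    var hashedKey = aesHelper.CreateKey(password, 256, saltBytes);
                    // This only drops the local reference. .NET strings are immutable, so the
                    // plaintext password is NOT erased: the original instance stays in managed
                    // memory until it is collected, and the caller still holds its own reference.
                    password = string.Empty;
                    var masterKey = new Masterkey(hashedKey);
                    Logger.log.Debug("Masterkey created.");

                    // =========================================================== Decrypt database

                    var entryOfDatabase = fortressName + "/" + TermHelper.GetDatabaseTerm() + TermHelper.GetDatabaseEnding();
                    var databaseEntry   = unzippedFortress.GetEntry(entryOfDatabase);
                    var aesAlg          = new AesAlgorithm();

                    using (var stream = databaseEntry.Open())
                    {
                        var dbBytes     = ByteHelper.ReadBytesOfStream(stream);
                        // NOTE(review): the salt is also passed as the third Decrypt argument.
                        // If that parameter is the IV, salt and IV are the same value - confirm
                        // this is intended by the AesAlgorithm design.
                        var decryptedDb = aesAlg.Decrypt(dbBytes, masterKey.Value, saltBytes);
                        Logger.log.Info($"Validated {TermHelper.GetDatabaseTerm()}");
                        // Releases the reference only; the decrypted content is not overwritten
                        // and remains in memory until the garbage collector reclaims it.
                        decryptedDb = null;
                    }
                }
            }
            catch (Exception ex)
            {
                ex.SetUserMessage(WellKnownExceptionMessages.DataExceptionMessage());
                // Rethrow with "throw;" so the original stack trace is preserved for diagnostics
                // ("throw ex;" would reset it to this line).
                throw;
            }
        }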
示例#3
        public void DecryptTest()
        {
            // Test fixture: Base64 text that is expected to decrypt to m_sourceString.
            // NOTE(review): no key is supplied to this Decrypt overload, so the key presumably
            // lives inside AesAlgorithm itself - confirm it is not a hard-coded production key.
            string encoded = "jTIXGJHmu4AjzU2dG1mhz4lRVvC8gmi5udHfHO3sovA=";
            string plain   = AesAlgorithm.Decrypt(encoded);

            // An empty or whitespace-only result counts as a failed decryption.
            if (String.IsNullOrWhiteSpace(plain))
            {
                Assert.Fail();
            }
            else
            {
                // NOTE(review): the usual (expected, actual) order would put m_sourceString
                // first; as written, a failure message labels the two values the wrong way round.
                Assert.AreEqual(plain, m_sourceString);
            }
        }
示例#4
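        /// <summary>
        /// Gates a cross-origin form post: the request origin must be in the configured allow
        /// list and the posted key must decrypt to the configured password. Only when both
        /// checks pass are the CORS response headers added.
        /// </summary>
        /// <param name="filterContext">Context of the action about to execute; its Result is set to an error result when a check fails.</param>
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var controller = (BaseController)filterContext.Controller;

            // NOTE(review): GetOrigin is defined elsewhere; if it can return null for a request
            // without an Origin header, the origin.Host accesses below will throw - confirm.
            var origin = GetOrigin(filterContext);

            // Comma-separated host names from configuration. Entries are compared verbatim, so
            // surrounding whitespace or different casing in the setting will not match.
            var allowedDomains = string.IsNullOrEmpty(_config.Value.AllowedCorsDomains)
                ? new string[] { }
                : _config.Value.AllowedCorsDomains.Split(',');

            // Only the host is checked: scheme and port of the origin are not part of the decision.
            if (!allowedDomains.Contains(origin.Host))
            {
                // origin.Host is request-controlled; whatever renders this message must encode it.
                filterContext.Result = controller.GetCustomErrorCode(EnumStatusCode.CrossDomainOriginResourcesSharing,
                                                                     $"Cross Origin Resources Sharing - Invalid Domain - {origin.Host}");
                // Stop here. Falling through would add the Access-Control-Allow-* headers for an
                // origin that has just been rejected.
                return;
            }

            // The key arrives encrypted in the form post. A missing value is treated as invalid
            // without being handed to the decryption routine.
            var encKeyFromPost = filterContext.HttpContext.Request.Form[_gfcKeyName].FirstOrDefault();
            var keyFromPost    = string.IsNullOrEmpty(encKeyFromPost)
                ? null
                : AesAlgorithm.Decrypt(_corsConfig.Value.GFCKey, encKeyFromPost);

            // NOTE(review): "!=" on strings is not a constant-time comparison. If timing matters
            // for this secret, compare the byte forms with a fixed-time routine instead.
            // NOTE(review): Decrypt is called on untrusted input; confirm how it reports malformed
            // ciphertext so that a bad value produces this error result and not an unhandled exception.
            if (string.IsNullOrEmpty(keyFromPost) || _corsConfig.Value.GFCPassword != keyFromPost)
            {
                filterContext.Result = controller.GetCustomErrorCode(EnumStatusCode.CrossDomainOriginResourcesSharing,
                                                                     "Cross Origin Resources Sharing - Form Post key was invalid");
                return;
            }

            // Both checks passed: echo the validated origin. The port is not included, so an
            // origin on a non-default port will not match the value the browser compares against.
            filterContext.HttpContext.Response.Headers.Add("Access-Control-Allow-Origin", $"{origin.Scheme}://{origin.Host}");
            filterContext.HttpContext.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "Origin, X-Requested-With, Content-Type, Accept" });
            filterContext.HttpContext.Response.Headers.Add("Access-Control-Allow-Methods", new[] { "POST, GET, OPTIONS" });
        }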
示例#5
        static void Main(string[] args)
        {
            // Demo key (a GUID, Base64-encoded). A key committed to source code is known to
            // everyone who can read the repository or the compiled binary, so this is only
            // suitable for a sample; real keys belong in a secret store or key-management service.
            const string demoKey = "A+W2nzdpbEe3UHrCBZU5Qw==";

            // The author left an interactive alternative disabled: prompting with
            // "Please enter a secret key for the symmetric algorithm." and reading the key
            // from Console.ReadLine() instead of using the constant above.

            Console.WriteLine("Please enter a string for encryption");
            var plainInput = Console.ReadLine();

            // Round trip: encrypt the input, show it, then decrypt it again with the same key.
            var encryptedString = AesAlgorithm.Encrypt(demoKey, plainInput);
            Console.WriteLine($"encrypted string = {encryptedString}");

            var decryptedString = AesAlgorithm.Decrypt(demoKey, encryptedString);
            Console.WriteLine($"decrypted string = {decryptedString}");

            // Keep the console window open until a key is pressed.
            Console.ReadKey();
        }
示例#6
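        /// <summary>
        /// Marks the requirement as satisfied when the request comes from an allowed origin and
        /// the encrypted key in the form post decrypts to the configured password.
        /// </summary>
        /// <param name="context">Authorization context; only resources of type <c>AuthorizationFilterContext</c> are evaluated.</param>
        /// <param name="requirement">Requirement whose Keys collection holds the decryption key and the expected password.</param>
        private void SucceedRequirementIfKeyPresentAndValid(AuthorizationHandlerContext context, KeyRequirement requirement)
        {
            if (context.Resource is AuthorizationFilterContext authorizationFilterContext)
            {
                if (!AllowCrossOrigin(authorizationFilterContext))
                {
                    // The status code needs a placeholder in the template; without one the
                    // argument is dropped from the log entry.
                    _logger.LogError("Cross Domain Origin Resources Sharing Post Error Occured ({StatusCode})", EnumStatusCode.CrossDomainOriginResourcesSharing);
                    context.Fail();
                    // A rejected origin ends the evaluation: do not read or decrypt the posted
                    // key, and never reach Succeed for this request.
                    return;
                }

                // The key is expected as a form-urlencoded field.
                // NOTE(review): reading Request.Form presumably fails for requests that do not
                // carry a form body - confirm callers always post a form.
                var encryptedString = authorizationFilterContext.HttpContext.Request.Form[GFC_KEY_NAME].FirstOrDefault();

                if (encryptedString == null)
                {
                    // No key posted: the requirement is simply left unsatisfied.
                    return;
                }

                // NOTE(review): "==" on strings is not a constant-time comparison, and Decrypt
                // runs on untrusted input - confirm how it reports malformed ciphertext.
                var decryptedKey = AesAlgorithm.Decrypt(requirement.Keys[GFC_KEY], encryptedString);
                if (requirement.Keys[GFC_PASSWORD] == decryptedKey)
                {
                    context.Succeed(requirement);
                }
            }
        }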
示例#7
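        /// <summary>
        /// Opens a <see cref="Fortress"/>: reads the salt from the archive, derives the master key
        /// from the password, decrypts the database entry and loads its content into the
        /// secure and the unsecure data cache.
        /// </summary>
        /// <param name="fortressFullPath">Path of the fortress archive, passed to <c>ZipHelper.UnzipSavedZip</c>.</param>
        /// <param name="fortressName">Name of the fortress; used as the folder prefix of the salt and database entries inside the archive.</param>
        /// <param name="password">Plaintext password from which the key is derived together with the stored salt.</param>
        /// <exception cref="Exception">
        /// Any failure (missing entry, read error, failed decryption, malformed database) is tagged
        /// with the generic data-exception user message and rethrown.
        /// </exception>
        public void BuildFortress(string fortressFullPath, string fortressName, string password)
        {
            try
            {
                Logger.log.Info($"Start opening the fortress {fortressFullPath}...");
                var aesHelper = new AesHelper();

                // =========================================================== Unzip the fortress - Read salt

                var unzippedFortress = ZipHelper.UnzipSavedZip(fortressFullPath);
                using (unzippedFortress)
                {
                    var entryOfSalt = fortressName + "/salt" + TermHelper.GetTextFileEnding();
                    // NOTE(review): if the archive has no such entry, the Open() call below fails
                    // and the error surfaces through the catch block - presumably intended.
                    var saltEntry   = unzippedFortress.GetEntry(entryOfSalt);

                    // No pre-allocated buffer: the array returned by the reader replaces it anyway.
                    byte[] saltBytes;
                    using (var stream = saltEntry.Open())
                    {
                        saltBytes = ByteHelper.ReadBytesOfStream(stream);
                    }
                    CurrentFortressData.Salt = saltBytes;
                    Logger.log.Debug("Unzipped fortress - Salt bytes read.");

                    // =========================================================== Create masterkey

                    var hashedKey = aesHelper.CreateKey(password, 256, saltBytes);
                    // This only drops the local reference. .NET strings are immutable, so the
                    // plaintext password is NOT erased: the original instance stays in managed
                    // memory until it is collected, and the caller still holds its own reference.
                    password = string.Empty;
                    var masterKey = new Masterkey(hashedKey);
                    // Likewise a reference release, not a wipe: the derived key material is not
                    // overwritten here, and masterKey was constructed from the same value.
                    hashedKey = null;
                    Logger.log.Debug("Masterkey created.");

                    // =========================================================== Decrypt database

                    var entryOfDatabase = fortressName + "/" + TermHelper.GetDatabaseTerm() + TermHelper.GetDatabaseEnding();
                    var databaseEntry   = unzippedFortress.GetEntry(entryOfDatabase);
                    var aesAlg          = new AesAlgorithm();

                    using (var stream = databaseEntry.Open())
                    {
                        var dbBytes     = ByteHelper.ReadBytesOfStream(stream);
                        // NOTE(review): the salt is also passed as the third Decrypt argument.
                        // If that parameter is the IV, salt and IV are the same value - confirm
                        // this is intended by the AesAlgorithm design.
                        var decryptedDb = aesAlg.Decrypt(dbBytes, masterKey.Value, saltBytes);
                        Logger.log.Info($"Decrypted {TermHelper.GetDatabaseTerm()}");

                        // =========================================================== Unzip database
                        // Sensitive data and normal data are kept apart: the sensitive entries go
                        // into the secure data cache, everything else into the "unsecure" one.
                        var unzippedByteEntriesOfDb = ZipHelper.GetEntriesFromZipArchive(decryptedDb); // These are the entries in byte arrays
                        // Reference release only; the decrypted bytes are not overwritten.
                        decryptedDb = null;

                        // The loops run once per element of a snapshot (ToList) while the live
                        // collections are emptied with Pop(); the loop variables are unused.
                        // Each round pops one element of Item2.Item1 and one of Item2.Item2, so
                        // both collections are assumed to hold the same number of elements.
                        foreach (var sensibleBytes in unzippedByteEntriesOfDb.Item2.Item2.ToList()) // ToList() otherwise the iteration throws an exception
                        {
                            AddToSecureMemoryDC(unzippedByteEntriesOfDb.Item2.Item1.Pop(), unzippedByteEntriesOfDb.Item2.Item2.Pop());
                        }
                        foreach (var bytes in unzippedByteEntriesOfDb.Item1.ToList()) // Add non-sensitive data to the "unsecure" DC.
                        {
                            AddToUnsecureMemoryDC(BuildModelsOutOfBytes <ModelBase>(unzippedByteEntriesOfDb.Item1.Pop()));
                        }
                        unzippedByteEntriesOfDb = null;
                    }
                    // Track the security parameters for scans later.
                    SecurityParameterProvider.Instance.UpdateHash(nameof(Fortress), fortressFullPath);
                }
            }
            catch (Exception ex)
            {
                ex.SetUserMessage(WellKnownExceptionMessages.DataExceptionMessage());
                // Rethrow with "throw;" so the original stack trace is preserved for diagnostics
                // ("throw ex;" would reset it to this line).
                throw;
            }
        }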
示例#8
 /// <summary>
 /// Restores the Base64 form of <c>EncryptedName</c>, decodes it, decrypts the bytes with the
 /// supplied algorithm and returns the result as ASCII text.
 /// </summary>
 /// <param name="aes">AES algorithm instance used to decrypt the full file name; key, IV and mode are whatever it was configured with.</param>
 /// <returns>Full name of the file (name + extension).</returns>
 public string NameDecryption(AesAlgorithm aes)
 {
     // '$' stands in for '/' in the stored name; swap it back before Base64-decoding.
     var base64Name = EncryptedName.Replace('$', '/');
     byte[] encryptedNameBytes = Convert.FromBase64String(base64Name);

     // ASCII decoding maps every byte outside the 7-bit range to '?'.
     // NOTE(review): the name comes from stored data and nothing here authenticates it;
     // validate the result before it is used to build a file-system path.
     return Encoding.ASCII.GetString(aes.Decrypt(encryptedNameBytes));
 }