public static byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName hashAlgorithm)
{
// The classes that call us are sealed and their base class has checked this already.
Debug.Assert(data != null);
Debug.Assert(count >= 0 && count <= data.Length);
Debug.Assert(offset >= 0 && offset <= data.Length - count);
Debug.Assert(!string.IsNullOrEmpty(hashAlgorithm.Name));
#if NET5_0_OR_GREATER
ReadOnlySpan <byte> source = data.AsSpan(offset, count);
return
(hashAlgorithm == HashAlgorithmName.SHA256 ? SHA256.HashData(source) :
hashAlgorithm == HashAlgorithmName.SHA1 ? SHA1.HashData(source) :
hashAlgorithm == HashAlgorithmName.SHA512 ? SHA512.HashData(source) :
hashAlgorithm == HashAlgorithmName.SHA384 ? SHA384.HashData(source) :
hashAlgorithm == HashAlgorithmName.MD5 ? MD5.HashData(source) :
throw new CryptographicException(SR.Cryptography_UnknownHashAlgorithm, hashAlgorithm.Name));
#else
using (HashAlgorithm hasher = GetHashAlgorithm(hashAlgorithm))
{
return(hasher.ComputeHash(data, offset, count));
}
#endif
}
private static byte[] GetHashForChannelBinding(X509Certificate2 cert)
{
Oid signatureAlgorithm = cert.SignatureAlgorithm;
switch (signatureAlgorithm.Value)
{
// RFC 5929 4.1 says that MD5 and SHA1 both upgrade to SHA256 for cbt calculation
case "1.2.840.113549.2.5": // MD5
case "1.2.840.113549.1.1.4": // MD5RSA
case "1.3.14.3.2.26": // SHA1
case "1.2.840.10040.4.3": // SHA1DSA
case "1.2.840.10045.4.1": // SHA1ECDSA
case "1.2.840.113549.1.1.5": // SHA1RSA
case "2.16.840.1.101.3.4.2.1": // SHA256
case "1.2.840.10045.4.3.2": // SHA256ECDSA
case "1.2.840.113549.1.1.11": // SHA256RSA
return(SHA256.HashData(cert.RawDataMemory.Span));
case "2.16.840.1.101.3.4.2.2": // SHA384
case "1.2.840.10045.4.3.3": // SHA384ECDSA
case "1.2.840.113549.1.1.12": // SHA384RSA
return(SHA384.HashData(cert.RawDataMemory.Span));
case "2.16.840.1.101.3.4.2.3": // SHA512
case "1.2.840.10045.4.3.4": // SHA512ECDSA
case "1.2.840.113549.1.1.13": // SHA512RSA
return(SHA512.HashData(cert.RawDataMemory.Span));
default:
throw new ArgumentException(signatureAlgorithm.Value);
}
}
public unsafe int DoSha512ComputeHash()
{
const int DataByteCount = 512 / 8;
byte * bytes = stackalloc byte[DataByteCount];
SHA512.HashData(_input, new Span <byte>(bytes, DataByteCount));
return(Unsafe.ReadUnaligned <int>(bytes));
}
public static string HashPassword(string password)
{
var bytes = Encoding.UTF8.GetBytes($"{password}{CommonConstants.PassSalt}");
var hash = SHA512.HashData(bytes);
var passwordHash = Convert.ToBase64String(hash);
return(passwordHash);
}
public static byte[] HashData(HashAlgorithmName hashName, ReadOnlySpan <byte> data)
{
return(hashName.Name switch
{
"SHA1" => SHA1.HashData(data),
"SHA256" or "HS256" or "RS256" or "ES256" or "PS256" => SHA256.HashData(data),
"SHA384" or "HS384" or "RS384" or "ES384" or "PS384" => SHA384.HashData(data),
"SHA512" or "HS512" or "RS512" or "ES512" or "PS512" => SHA512.HashData(data),
_ => throw new ArgumentOutOfRangeException(nameof(hashName)),
});
public async Task AuthPassword()
{
var passwordHashString = Configuration["AuthKey"];
var passwordHash = Convert.FromBase64String(passwordHashString);
if (passwordHash.SequenceEqual(SHA512.HashData(Encoding.UTF8.GetBytes(PasswordToAuth))))
{
MemoryCache.Set(BlazorContext.ClientIp, true);
await JSRuntime.InvokeVoidAsync("location.reload");
}
}
public static byte[] HashData(Stream data, HashAlgorithmName hashAlgorithm)
{
// The classes that call us are sealed and their base class has checked this already.
Debug.Assert(data != null);
Debug.Assert(!string.IsNullOrEmpty(hashAlgorithm.Name));
return
(hashAlgorithm == HashAlgorithmName.SHA256 ? SHA256.HashData(data) :
hashAlgorithm == HashAlgorithmName.SHA1 ? SHA1.HashData(data) :
hashAlgorithm == HashAlgorithmName.SHA512 ? SHA512.HashData(data) :
hashAlgorithm == HashAlgorithmName.SHA384 ? SHA384.HashData(data) :
hashAlgorithm == HashAlgorithmName.MD5 ? MD5.HashData(data) :
throw new CryptographicException(SR.Cryptography_UnknownHashAlgorithm, hashAlgorithm.Name));
}
public static string GetByteHash(this MemoryOwner <byte> item)
{
byte[] hashResult = SHA512.HashData(item.Span);
return(string.Create(hashResult.Length, hashResult, (state, bytes) =>
{
StringBuilder builder = new();
for (int i = 0; i < bytes.Length; i++)
{
ref byte b = ref bytes[i];
builder.Append(b.ToString("X2"));
}
builder.CopyTo(0, state, state.Length);
}));
public async Task SetPassword()
{
if (string.IsNullOrEmpty(PasswordToSet))
{
return;
}
var settingModel = new AppSettingModel
{
AuthKey = SHA512.HashData(Encoding.UTF8.GetBytes(PasswordToSet))
};
await using var stream = File.OpenWrite("app.json");
await JsonSerializer.SerializeAsync(stream, settingModel);
await JSRuntime.InvokeVoidAsync("location.reload");
}
protected override byte[] HashData(Stream source) => SHA512.HashData(source);
private static uint GetPersistentHashCode(string value)
{
byte[] valueBytes = Encoding.UTF8.GetBytes(value);
byte[] hash = SHA512.HashData(valueBytes);
return(BinaryPrimitives.ReadUInt32BigEndian(hash));
}
protected override int HashData(ReadOnlySpan <byte> source, Span <byte> destination) => SHA512.HashData(source, destination);
protected override int HashData(Stream source, Span <byte> destination) => SHA512.HashData(source, destination);
protected override byte[] HashData(ReadOnlySpan <byte> source) => SHA512.HashData(source);
protected override byte[] GetHash(string data) => SHA512.HashData(Encoding.UTF8.GetBytes(data));
private static unsafe void FillKeyDerivation(
ReadOnlySpan <byte> password,
ReadOnlySpan <byte> salt,
int iterations,
string hashAlgorithmName,
Span <byte> destination)
{
SafeBCryptKeyHandle keyHandle;
int hashBlockSizeBytes = GetHashBlockSize(hashAlgorithmName);
// stackalloc 0 to let compiler know this cannot escape.
Span <byte> clearSpan = stackalloc byte[0];
ReadOnlySpan <byte> symmetricKeyMaterial = stackalloc byte[0];
int symmetricKeyMaterialLength;
if (password.IsEmpty)
{
// CNG won't accept a null pointer for the password.
symmetricKeyMaterial = stackalloc byte[1];
symmetricKeyMaterialLength = 0;
clearSpan = default;
}
else if (password.Length <= hashBlockSizeBytes)
{
// Password is small enough to use as-is.
symmetricKeyMaterial = password;
symmetricKeyMaterialLength = password.Length;
clearSpan = default;
}
else
{
// RFC 2104: "The key for HMAC can be of any length (keys longer than B bytes are
// first hashed using H).
// We denote by B the byte-length of such
// blocks (B=64 for all the above mentioned examples of hash functions)
//
// Windows' PBKDF2 will do this up to a point. To ensure we accept arbitrary inputs for
// PBKDF2, we do the hashing ourselves.
Span <byte> hashBuffer = stackalloc byte[512 / 8]; // 64 bytes is SHA512, the largest digest handled.
int hashBufferSize;
switch (hashAlgorithmName)
{
case HashAlgorithmNames.SHA1:
hashBufferSize = SHA1.HashData(password, hashBuffer);
break;
case HashAlgorithmNames.SHA256:
hashBufferSize = SHA256.HashData(password, hashBuffer);
break;
case HashAlgorithmNames.SHA384:
hashBufferSize = SHA384.HashData(password, hashBuffer);
break;
case HashAlgorithmNames.SHA512:
hashBufferSize = SHA512.HashData(password, hashBuffer);
break;
default:
Debug.Fail($"Unexpected hash algorithm '{hashAlgorithmName}'");
throw new CryptographicException();
}
clearSpan = hashBuffer.Slice(0, hashBufferSize);
symmetricKeyMaterial = clearSpan;
symmetricKeyMaterialLength = hashBufferSize;
}
Debug.Assert(symmetricKeyMaterial.Length > 0);
NTSTATUS generateKeyStatus;
if (Interop.BCrypt.PseudoHandlesSupported)
{
fixed(byte *pSymmetricKeyMaterial = symmetricKeyMaterial)
{
generateKeyStatus = Interop.BCrypt.BCryptGenerateSymmetricKey(
(nuint)BCryptAlgPseudoHandle.BCRYPT_PBKDF2_ALG_HANDLE,
out keyHandle,
pbKeyObject: IntPtr.Zero,
cbKeyObject: 0,
pSymmetricKeyMaterial,
symmetricKeyMaterialLength,
dwFlags: 0);
}
}
else
{
if (s_pbkdf2AlgorithmHandle is null)
{
NTSTATUS openStatus = Interop.BCrypt.BCryptOpenAlgorithmProvider(
out SafeBCryptAlgorithmHandle pbkdf2AlgorithmHandle,
Internal.NativeCrypto.BCryptNative.AlgorithmName.Pbkdf2,
null,
BCryptOpenAlgorithmProviderFlags.None);
if (openStatus != NTSTATUS.STATUS_SUCCESS)
{
pbkdf2AlgorithmHandle.Dispose();
CryptographicOperations.ZeroMemory(clearSpan);
throw Interop.BCrypt.CreateCryptographicException(openStatus);
}
// This might race, and that's okay. Worst case the algorithm is opened
// more than once, and the ones that lost will get cleaned up during collection.
Interlocked.CompareExchange(ref s_pbkdf2AlgorithmHandle, pbkdf2AlgorithmHandle, null);
}
fixed(byte *pSymmetricKeyMaterial = symmetricKeyMaterial)
{
generateKeyStatus = Interop.BCrypt.BCryptGenerateSymmetricKey(
s_pbkdf2AlgorithmHandle,
out keyHandle,
pbKeyObject: IntPtr.Zero,
cbKeyObject: 0,
pSymmetricKeyMaterial,
symmetricKeyMaterialLength,
dwFlags: 0);
}
}
CryptographicOperations.ZeroMemory(clearSpan);
if (generateKeyStatus != NTSTATUS.STATUS_SUCCESS)
{
keyHandle.Dispose();
throw Interop.BCrypt.CreateCryptographicException(generateKeyStatus);
}
Debug.Assert(!keyHandle.IsInvalid);
ulong kdfIterations = (ulong)iterations; // Previously asserted to be positive.
using (keyHandle)
fixed(char *pHashAlgorithmName = hashAlgorithmName)
fixed(byte *pSalt = salt)
fixed(byte *pDestination = destination)
{
Span <BCryptBuffer> buffers = stackalloc BCryptBuffer[3];
buffers[0].BufferType = CngBufferDescriptors.KDF_ITERATION_COUNT;
buffers[0].pvBuffer = (IntPtr)(&kdfIterations);
buffers[0].cbBuffer = sizeof(ulong);
buffers[1].BufferType = CngBufferDescriptors.KDF_SALT;
buffers[1].pvBuffer = (IntPtr)pSalt;
buffers[1].cbBuffer = salt.Length;
buffers[2].BufferType = CngBufferDescriptors.KDF_HASH_ALGORITHM;
buffers[2].pvBuffer = (IntPtr)pHashAlgorithmName;
// C# spec: "A char* value produced by fixing a string instance always points to a null-terminated string"
buffers[2].cbBuffer = checked ((hashAlgorithmName.Length + 1) * sizeof(char)); // Add null terminator.
fixed(BCryptBuffer *pBuffers = buffers)
{
Interop.BCrypt.BCryptBufferDesc bufferDesc;
bufferDesc.ulVersion = Interop.BCrypt.BCRYPTBUFFER_VERSION;
bufferDesc.cBuffers = buffers.Length;
bufferDesc.pBuffers = (IntPtr)pBuffers;
NTSTATUS deriveStatus = Interop.BCrypt.BCryptKeyDerivation(
keyHandle,
&bufferDesc,
pDestination,
destination.Length,
out uint resultLength,
dwFlags: 0);
if (deriveStatus != NTSTATUS.STATUS_SUCCESS)
{
throw Interop.BCrypt.CreateCryptographicException(deriveStatus);
}
if (destination.Length != resultLength)
{
Debug.Fail("PBKDF2 resultLength != destination.Length");
throw new CryptographicException();
}
}
}
}
public static byte[] GetHash(string ip, string password)
{
return(SHA512.HashData(Encoding.UTF8.GetBytes(ip + password)));
}
public async Task PublishAsync(
IKubernetesObject <V1ObjectMeta> resource,
string reason,
string message,
EventType type = EventType.Normal)
{
_logger.LogTrace(
"Encoding event name with: {resourceName}.{resourceNamespace}.{reason}.{message}.{type}.",
resource.Name(),
resource.Namespace(),
reason,
message,
type);
var eventName =
Base32.Rfc4648.Encode(
SHA512.HashData(
Encoding.UTF8.GetBytes($"{resource.Name()}.{resource.Namespace()}.{reason}.{message}.{type}")));
_logger.LogTrace(@"Search or create event with name ""{name}"".", eventName);
var @event = await _client.Get <Corev1Event>(eventName, resource.Namespace()) ??
new Corev1Event
{
Kind = Corev1Event.KubeKind,
ApiVersion = $"{Corev1Event.KubeGroup}/{Corev1Event.KubeApiVersion}",
Metadata = new V1ObjectMeta
{
Name = eventName,
NamespaceProperty = resource.Namespace(),
Annotations = new Dictionary <string, string>
{
{ "nameHash", "sha512" },
{ "nameEncoding", "Base32 / RFC 4648" },
},
},
Type = type.ToString(),
Reason = reason,
Message = message,
ReportingComponent = _settings.Name,
ReportingInstance = Environment.MachineName,
Source = new V1EventSource {
Component = _settings.Name
},
InvolvedObject = resource.MakeObjectReference(),
FirstTimestamp = DateTime.UtcNow,
LastTimestamp = DateTime.UtcNow,
Count = 0,
};
@event.Count++;
@event.LastTimestamp = DateTime.UtcNow;
_logger.LogTrace(
"Save event with new count {count} and last timestamp {timestamp}",
@event.Count,
@event.LastTimestamp);
await _client.Save(@event);
_logger.LogInformation(
@"Created or updated event with name ""{name}"" to new count {count} on resource ""{kind}/{name}"".",
eventName,
@event.Count,
resource.Kind,
resource.Name());
}
