internal static void SetCacheValue(IPropertySet containerValues, byte[] value) { byte[] encryptedValue = CryptographyHelper.Encrypt(value); containerValues[CacheValueLength] = encryptedValue.Length; if (encryptedValue.Length == 0) { containerValues[CacheValueSegmentCount] = 1; containerValues[CacheValue + 0] = null; } else { int segmentCount = (encryptedValue.Length / MaxCompositeValueLength) + ((encryptedValue.Length % MaxCompositeValueLength == 0) ? 0 : 1); byte[] subValue = new byte[MaxCompositeValueLength]; for (int i = 0; i < segmentCount - 1; i++) { Array.Copy(encryptedValue, i * MaxCompositeValueLength, subValue, 0, MaxCompositeValueLength); containerValues[CacheValue + i] = subValue; } int copiedLength = (segmentCount - 1) * MaxCompositeValueLength; Array.Copy(encryptedValue, copiedLength, subValue, 0, encryptedValue.Length - copiedLength); containerValues[CacheValue + (segmentCount - 1)] = subValue; containerValues[CacheValueSegmentCount] = segmentCount; } }
public async Task <string> CreateDeviceAuthChallengeResponse(IDictionary <string, string> challengeData) { string authHeaderTemplate = "PKeyAuth {0}, Context=\"{1}\", Version=\"{2}\""; X509Certificate2 certificate = FindCertificate(challengeData); DeviceAuthJWTResponse response = new DeviceAuthJWTResponse(challengeData["SubmitUrl"], challengeData["nonce"], Convert.ToBase64String(certificate.GetRawCertData())); CngKey key = CryptographyHelper.GetCngPrivateKey(certificate); byte[] sig = null; using (RSACng rsa = new RSACng(key)) { rsa.SignatureHashAlgorithm = CngAlgorithm.Sha256; sig = rsa.SignData(response.GetResponseToSign().ToByteArray()); } string signedJwt = string.Format(CultureInfo.InvariantCulture, "{0}.{1}", response.GetResponseToSign(), Base64UrlEncoder.Encode(sig)); string authToken = string.Format(CultureInfo.InvariantCulture, " AuthToken=\"{0}\"", signedJwt); Task <string> resultTask = Task.Factory.StartNew( () => { return(string.Format(CultureInfo.InvariantCulture, authHeaderTemplate, authToken, challengeData["Context"], challengeData["Version"])); }); return(await resultTask.ConfigureAwait(false)); }
internal static byte[] GetCacheValue(IPropertySet containerValues) { if (!containerValues.ContainsKey(CacheValueLength)) { return(null); } int encyptedValueLength = (int)containerValues[CacheValueLength]; int segmentCount = (int)containerValues[CacheValueSegmentCount]; byte[] encryptedValue = new byte[encyptedValueLength]; if (segmentCount == 1) { encryptedValue = (byte[])containerValues[CacheValue + 0]; } else { for (int i = 0; i < segmentCount - 1; i++) { Array.Copy((byte[])containerValues[CacheValue + i], 0, encryptedValue, i * MaxCompositeValueLength, MaxCompositeValueLength); } } Array.Copy((byte[])containerValues[CacheValue + (segmentCount - 1)], 0, encryptedValue, (segmentCount - 1) * MaxCompositeValueLength, encyptedValueLength - (segmentCount - 1) * MaxCompositeValueLength); return(CryptographyHelper.Decrypt(encryptedValue)); }
public static void CreateSha256HashTest() { ICryptographyHelper cryptoHelper = new CryptographyHelper(); string hash = cryptoHelper.CreateSha256Hash("abc"); string hash2 = cryptoHelper.CreateSha256Hash("abd"); string hash3 = cryptoHelper.CreateSha256Hash("abc"); Verify.AreEqual(hash, hash3); Verify.AreNotEqual(hash, hash2); Verify.AreEqual(hash, "ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="); }
private void LogReturnedToken(AuthenticationResult result) { if (result.AccessToken != null) { string accessTokenHash = CryptographyHelper.CreateSha256Hash(result.AccessToken); CallState.Logger.Information(this.CallState, string.Format(CultureInfo.CurrentCulture, "=== Token Acquisition finished successfully. An access token was retuned:\n\tAccess Token Hash: {0}\n\tExpiration Time: {1}\n\tUser Hash: {2}\n\t", accessTokenHash, result.ExpiresOn, result.UserInfo != null ? CryptographyHelper.CreateSha256Hash(result.UserInfo.UniqueId) : "null")); } }
private AuthenticationResultEx ResultFromBrokerResponse(IDictionary <string, string> responseDictionary) { TokenResponse response; if (responseDictionary.ContainsKey("error") || responseDictionary.ContainsKey("error_description")) { response = TokenResponse.CreateFromBrokerResponse(responseDictionary); } else { string expectedHash = responseDictionary["hash"]; string encryptedResponse = responseDictionary["response"]; string decryptedResponse = BrokerKeyHelper.DecryptBrokerResponse(encryptedResponse); string responseActualHash = CryptographyHelper.CreateSha256Hash(decryptedResponse); byte[] rawHash = Convert.FromBase64String(responseActualHash); string hash = BitConverter.ToString(rawHash); if (expectedHash.Equals(hash.Replace("-", ""))) { responseDictionary = EncodingHelper.ParseKeyValueList(decryptedResponse, '&', false, null); response = TokenResponse.CreateFromBrokerResponse(responseDictionary); } else { response = new TokenResponse { Error = AdalError.BrokerReponseHashMismatch, ErrorDescription = AdalErrorMessage.BrokerReponseHashMismatch }; } } var dateTimeOffset = new DateTimeOffset(new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)); dateTimeOffset = dateTimeOffset.AddSeconds(response.ExpiresOn); return(response.GetResult(dateTimeOffset, dateTimeOffset)); }
public void SignWithCertificateTest() { const string Message = "This is a test message"; string[] certs = { "valid_cert.pfx", "valid_cert2.pfx" }; for (int i = 0; i < 2; i++) { X509Certificate2 x509Certificate = new X509Certificate2(certs[i], "password", X509KeyStorageFlags.Exportable); byte[] rawData = x509Certificate.Export(X509ContentType.Pkcs12, "password"); ICryptographyHelper cryptoHelper = new CryptographyHelper(); byte[] signature = cryptoHelper.SignWithCertificate(Message, rawData, "password"); Verify.IsNotNull(signature); GC.Collect(); GC.WaitForPendingFinalizers(); signature = cryptoHelper.SignWithCertificate(Message, rawData, "password"); Verify.IsNotNull(signature); } }
/// <summary> /// Signs a message using the private key in the certificate /// </summary> /// <param name="message">Message that needs to be signed</param> /// <returns>Signed message as a byte array</returns> public byte[] Sign(string message) { CryptographyHelper helper = new CryptographyHelper(); return(helper.SignWithCertificate(message, this.Certificate)); }
protected override async Task PreRunAsync() { await base.PreRunAsync().ConfigureAwait(false); if (this.userCredential != null) { if (string.IsNullOrWhiteSpace(this.userCredential.UserName)) { this.userCredential.UserName = await platformInformation.GetUserPrincipalNameAsync().ConfigureAwait(false); if (string.IsNullOrWhiteSpace(userCredential.UserName)) { CallState.Logger.Information(this.CallState, "Could not find UPN for logged in user"); throw new AdalException(AdalError.UnknownUser); } CallState.Logger.Verbose(this.CallState, string.Format(CultureInfo.CurrentCulture, " Logged in user with hash '{0}' detected", CryptographyHelper.CreateSha256Hash(userCredential.UserName))); } this.DisplayableId = userCredential.UserName; } else if (this.userAssertion != null) { this.DisplayableId = userAssertion.UserName; } }
protected override async Task PreTokenRequest() { await base.PreTokenRequest().ConfigureAwait(false); if (this.PerformUserRealmDiscovery()) { UserRealmDiscoveryResponse userRealmResponse = await UserRealmDiscoveryResponse.CreateByDiscoveryAsync(this.Authenticator.UserRealmUri, this.userCredential.UserName, this.CallState).ConfigureAwait(false); CallState.Logger.Information(this.CallState, string.Format(CultureInfo.CurrentCulture, " User with hash '{0}' detected as '{1}'", CryptographyHelper.CreateSha256Hash(this.userCredential.UserName), userRealmResponse.AccountType)); if (string.Compare(userRealmResponse.AccountType, "federated", StringComparison.OrdinalIgnoreCase) == 0) { if (string.IsNullOrWhiteSpace(userRealmResponse.FederationMetadataUrl)) { throw new AdalException(AdalError.MissingFederationMetadataUrl); } WsTrustAddress wsTrustAddress = await MexParser.FetchWsTrustAddressFromMexAsync(userRealmResponse.FederationMetadataUrl, this.userCredential.UserAuthType, this.CallState).ConfigureAwait(false); CallState.Logger.Information(this.CallState, string.Format(CultureInfo.CurrentCulture, " WS-Trust endpoint '{0}' fetched from MEX at '{1}'", wsTrustAddress.Uri, userRealmResponse.FederationMetadataUrl)); WsTrustResponse wsTrustResponse = await WsTrustRequest.SendRequestAsync(wsTrustAddress, this.userCredential, this.CallState, userRealmResponse.CloudAudienceUrn).ConfigureAwait(false); CallState.Logger.Information(this.CallState, string.Format(CultureInfo.CurrentCulture, " Token of type '{0}' acquired from WS-Trust endpoint", wsTrustResponse.TokenType)); // We assume that if the response token type is not SAML 1.1, it is SAML 2 this.userAssertion = new UserAssertion(wsTrustResponse.Token, (wsTrustResponse.TokenType == WsTrustResponse.Saml1Assertion) ? OAuthGrantType.Saml11Bearer : OAuthGrantType.Saml20Bearer); } else if (string.Compare(userRealmResponse.AccountType, "managed", StringComparison.OrdinalIgnoreCase) == 0) { // handle password grant flow for the managed user if (this.userCredential.PasswordToCharArray() == null) { throw new AdalException(AdalError.PasswordRequiredForManagedUserError); } } else { throw new AdalException(AdalError.UnknownUserType); } } }
internal byte[] Sign(string message) { return(CryptographyHelper.SignWithCertificate(message, this.Certificate)); }