You've already forked linux-packaging-mono
							
							
		
			
	
	
		
			266 lines
		
	
	
		
			11 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
		
		
			
		
	
	
			266 lines
		
	
	
		
			11 KiB
		
	
	
	
		
			C#
		
	
	
	
	
	
|   | //------------------------------------------------------------------------------ | ||
|  | // <copyright file="RsaProtectedConfigurationProvider.cs" company="Microsoft"> | ||
|  | //     Copyright (c) Microsoft Corporation.  All rights reserved. | ||
|  | // </copyright> | ||
|  | //------------------------------------------------------------------------------ | ||
|  | 
 | ||
|  | namespace System.Configuration | ||
|  | { | ||
|  |     using System.Collections.Specialized; | ||
|  |     using System.Runtime.Serialization; | ||
|  |     using System.Configuration.Provider; | ||
|  |     using System.Xml; | ||
|  |     using System.Security; | ||
|  |     using System.Security.Cryptography; | ||
|  |     using System.Security.Cryptography.Xml; | ||
|  |     using System.IO; | ||
|  |     using System.Runtime.InteropServices; | ||
|  |     using Microsoft.Win32; | ||
|  |     using System.Security.Permissions; | ||
|  | 
 | ||
|  |     [PermissionSet(SecurityAction.Demand, Name = "FullTrust")] | ||
|  |     public sealed class RsaProtectedConfigurationProvider : ProtectedConfigurationProvider | ||
|  |     { | ||
|  |         // Note: this name has to match the name used in RegiisUtility  | ||
|  |         const string DefaultRsaKeyContainerName = "NetFrameworkConfigurationKey"; | ||
|  |          | ||
|  |         public override XmlNode Decrypt(XmlNode encryptedNode) | ||
|  |         { | ||
|  |             XmlDocument                 xmlDocument = new XmlDocument(); | ||
|  |             EncryptedXml                exml        = null; | ||
|  |             RSACryptoServiceProvider    rsa         = GetCryptoServiceProvider(false, true); | ||
|  | 
 | ||
|  |             xmlDocument.PreserveWhitespace = true; | ||
|  |             xmlDocument.LoadXml(encryptedNode.OuterXml); | ||
|  |             exml = new FipsAwareEncryptedXml(xmlDocument); | ||
|  |             exml.AddKeyNameMapping(_KeyName, rsa); | ||
|  |             exml.DecryptDocument(); | ||
|  |             rsa.Clear(); | ||
|  |             return xmlDocument.DocumentElement; | ||
|  |         } | ||
|  | 
 | ||
|  |         public override XmlNode Encrypt(XmlNode node) | ||
|  |         { | ||
|  |             XmlDocument         xmlDocument; | ||
|  |             EncryptedXml        exml; | ||
|  |             byte[]              rgbOutput; | ||
|  |             EncryptedData       ed; | ||
|  |             KeyInfoName         kin; | ||
|  |             EncryptedKey        ek; | ||
|  |             KeyInfoEncryptedKey kek; | ||
|  |             XmlElement          inputElement; | ||
|  |             RSACryptoServiceProvider rsa = GetCryptoServiceProvider(false, false); | ||
|  | 
 | ||
|  |             // Encrypt the node with the new key | ||
|  |             xmlDocument = new XmlDocument(); | ||
|  |             xmlDocument.PreserveWhitespace = true; | ||
|  |             xmlDocument.LoadXml("<foo>"+ node.OuterXml+ "</foo>"); | ||
|  |             exml = new EncryptedXml(xmlDocument); | ||
|  |             inputElement = xmlDocument.DocumentElement; | ||
|  | 
 | ||
|  |             using (SymmetricAlgorithm symAlg = GetSymAlgorithmProvider()) { | ||
|  |                 rgbOutput = exml.EncryptData(inputElement, symAlg, true); | ||
|  |                 ed = new EncryptedData(); | ||
|  |                 ed.Type = EncryptedXml.XmlEncElementUrl; | ||
|  |                 ed.EncryptionMethod = GetSymEncryptionMethod(); | ||
|  |                 ed.KeyInfo = new KeyInfo(); | ||
|  | 
 | ||
|  |                 ek = new EncryptedKey(); | ||
|  |                 ek.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url); | ||
|  |                 ek.KeyInfo = new KeyInfo(); | ||
|  |                 ek.CipherData = new CipherData(); | ||
|  |                 ek.CipherData.CipherValue = EncryptedXml.EncryptKey(symAlg.Key, rsa, UseOAEP); | ||
|  |             } | ||
|  | 
 | ||
|  |             kin = new KeyInfoName(); | ||
|  |             kin.Value = _KeyName; | ||
|  |             ek.KeyInfo.AddClause(kin); | ||
|  |             kek = new KeyInfoEncryptedKey(ek); | ||
|  |             ed.KeyInfo.AddClause(kek); | ||
|  |             ed.CipherData = new CipherData(); | ||
|  |             ed.CipherData.CipherValue = rgbOutput; | ||
|  |             EncryptedXml.ReplaceElement(inputElement, ed, true); | ||
|  | 
 | ||
|  |             rsa.Clear(); | ||
|  | 
 | ||
|  |                 // Get node from the document | ||
|  |             foreach (XmlNode node2 in xmlDocument.ChildNodes) | ||
|  |                 if (node2.NodeType == XmlNodeType.Element) | ||
|  |                     foreach (XmlNode node3 in node2.ChildNodes) // node2 is the "foo" node | ||
|  |                         if (node3.NodeType == XmlNodeType.Element) | ||
|  |                             return node3; // node3 is the "EncryptedData" node | ||
|  |                 return null; | ||
|  | 
 | ||
|  |         } | ||
|  | 
 | ||
|  |         public void AddKey(int keySize, bool exportable) | ||
|  |         { | ||
|  |             RSACryptoServiceProvider rsa = GetCryptoServiceProvider(exportable, false); | ||
|  |             rsa.KeySize = keySize; | ||
|  |             rsa.PersistKeyInCsp = true; | ||
|  |             rsa.Clear(); | ||
|  |         } | ||
|  | 
 | ||
|  |         public void DeleteKey() | ||
|  |         { | ||
|  |             RSACryptoServiceProvider rsa = GetCryptoServiceProvider(false, true); | ||
|  |             rsa.PersistKeyInCsp = false; | ||
|  |             rsa.Clear(); | ||
|  |         } | ||
|  |         public void ImportKey(string xmlFileName, bool exportable) | ||
|  |         { | ||
|  |             RSACryptoServiceProvider rsa = GetCryptoServiceProvider(exportable, false); | ||
|  |             rsa.FromXmlString(File.ReadAllText(xmlFileName)); | ||
|  |             rsa.PersistKeyInCsp = true; | ||
|  |             rsa.Clear(); | ||
|  |         } | ||
|  | 
 | ||
|  |         public void ExportKey(string xmlFileName, bool includePrivateParameters) | ||
|  |         { | ||
|  |             RSACryptoServiceProvider rsa = GetCryptoServiceProvider(false, false); | ||
|  |             string xmlString = rsa.ToXmlString(includePrivateParameters); | ||
|  |             File.WriteAllText(xmlFileName, xmlString); | ||
|  |             rsa.Clear(); | ||
|  |         } | ||
|  | 
 | ||
|  |         public string   KeyContainerName    { get { return _KeyContainerName; } } | ||
|  |         public string   CspProviderName     { get { return _CspProviderName; } } | ||
|  |         public bool     UseMachineContainer { get { return _UseMachineContainer; } } | ||
|  |         public bool UseOAEP { get { return _UseOAEP; } } | ||
|  |         public bool UseFIPS { get { return _UseFIPS; } } | ||
|  | 
 | ||
|  |         public override void Initialize(string name, NameValueCollection configurationValues) | ||
|  |         { | ||
|  |             base.Initialize(name, configurationValues); | ||
|  | 
 | ||
|  |             _KeyName = "Rsa Key"; | ||
|  |             _KeyContainerName = configurationValues["keyContainerName"]; | ||
|  |             configurationValues.Remove("keyContainerName"); | ||
|  |             if (_KeyContainerName == null || _KeyContainerName.Length < 1) | ||
|  |                 _KeyContainerName = DefaultRsaKeyContainerName; | ||
|  | 
 | ||
|  |             _CspProviderName = configurationValues["cspProviderName"]; | ||
|  |             configurationValues.Remove("cspProviderName"); | ||
|  |             _UseMachineContainer = GetBooleanValue(configurationValues, "useMachineContainer", true); | ||
|  |             _UseOAEP = GetBooleanValue(configurationValues, "useOAEP", false); | ||
|  |             _UseFIPS = GetBooleanValue(configurationValues, "useFIPS", false); | ||
|  |             if (configurationValues.Count > 0) | ||
|  |                 throw new ConfigurationErrorsException(SR.GetString(SR.Unrecognized_initialization_value, configurationValues.GetKey(0))); | ||
|  |         } | ||
|  | 
 | ||
|  | 
 | ||
|  |         private string _KeyName; | ||
|  |         private string _KeyContainerName; | ||
|  |         private string _CspProviderName; | ||
|  |         private bool _UseMachineContainer; | ||
|  |         private bool _UseOAEP; | ||
|  |         private bool _UseFIPS; | ||
|  | 
 | ||
|  |         public RSAParameters RsaPublicKey { get { return GetCryptoServiceProvider(false, false).ExportParameters(false); } } | ||
|  | 
 | ||
|  |         private RSACryptoServiceProvider GetCryptoServiceProvider(bool exportable, bool keyMustExist) | ||
|  |         { | ||
|  |             try { | ||
|  |                 CspParameters csp = new CspParameters(); | ||
|  |                 csp.KeyContainerName = KeyContainerName; | ||
|  |                 csp.KeyNumber = 1; | ||
|  |                 csp.ProviderType = 1; // Dev10 Bug #548719: Explicitly require "RSA Full (Signature and Key Exchange)" | ||
|  | 
 | ||
|  |                 if (CspProviderName != null && CspProviderName.Length > 0) | ||
|  |                     csp.ProviderName = CspProviderName; | ||
|  | 
 | ||
|  |                 if (UseMachineContainer) | ||
|  |                     csp.Flags |= CspProviderFlags.UseMachineKeyStore; | ||
|  |                 if (!exportable && !keyMustExist) | ||
|  |                     csp.Flags |= CspProviderFlags.UseNonExportableKey; | ||
|  |                 if (keyMustExist) | ||
|  |                     csp.Flags |= CspProviderFlags.UseExistingKey; | ||
|  | 
 | ||
|  |                 return new RSACryptoServiceProvider(csp); | ||
|  | 
 | ||
|  |             } catch { | ||
|  |                 ThrowBetterException(keyMustExist); | ||
|  | 
 | ||
|  |                 // If a better exception can't be found, this will propagate | ||
|  |                 // the original one | ||
|  |                 throw; | ||
|  |             } | ||
|  |         } | ||
|  |         private byte[] GetRandomKey() | ||
|  |         { | ||
|  |             byte [] buf = new byte[24]; | ||
|  |             (new RNGCryptoServiceProvider()).GetBytes(buf); | ||
|  |             return buf; | ||
|  |         } | ||
|  | 
 | ||
|  |         private void ThrowBetterException(bool keyMustExist) | ||
|  |         { | ||
|  |             SafeCryptContextHandle hProv = null; | ||
|  |             int success = 0; | ||
|  |             try { | ||
|  |                 success = UnsafeNativeMethods.CryptAcquireContext(out hProv, KeyContainerName, CspProviderName, PROV_Rsa_FULL, UseMachineContainer ? CRYPT_MACHINE_KEYSET : 0); | ||
|  |                 if (success != 0) | ||
|  |                     return; // propagate original exception | ||
|  | 
 | ||
|  |                 int hr = Marshal.GetHRForLastWin32Error(); | ||
|  |                 if (hr == HResults.NteBadKeySet && !keyMustExist) { | ||
|  |                     return; // propagate original exception | ||
|  |                 } | ||
|  | 
 | ||
|  |                 switch (hr) { | ||
|  |                     case HResults.NteBadKeySet: | ||
|  |                     case HResults.Win32AccessDenied: | ||
|  |                     case HResults.Win32InvalidHandle: | ||
|  |                         throw new ConfigurationErrorsException(SR.GetString(SR.Key_container_doesnt_exist_or_access_denied)); | ||
|  | 
 | ||
|  |                     default: | ||
|  |                         Marshal.ThrowExceptionForHR(hr); | ||
|  |                         break; | ||
|  |                 } | ||
|  |             } finally { | ||
|  |                 if (!(hProv == null || hProv.IsInvalid)) | ||
|  |                     hProv.Dispose(); | ||
|  |             } | ||
|  |         } | ||
|  |         const uint PROV_Rsa_FULL = 1; | ||
|  |         const uint CRYPT_MACHINE_KEYSET = 0x00000020; | ||
|  | 
 | ||
|  |         private static bool GetBooleanValue(NameValueCollection configurationValues, string valueName, bool defaultValue) { | ||
|  |             string s = configurationValues[valueName]; | ||
|  |             if (s == null) | ||
|  |                 return defaultValue; | ||
|  |             configurationValues.Remove(valueName); | ||
|  |             if (s == "true") | ||
|  |                 return true; | ||
|  |             if (s == "false") | ||
|  |                 return false; | ||
|  |             throw new ConfigurationErrorsException(SR.GetString(SR.Config_invalid_boolean_attribute, valueName)); | ||
|  |         } | ||
|  | 
 | ||
|  |         private SymmetricAlgorithm GetSymAlgorithmProvider() { | ||
|  |             SymmetricAlgorithm symAlg; | ||
|  | 
 | ||
|  |             if (UseFIPS) { | ||
|  |                 // AesCryptoServiceProvider implementation is FIPS certified | ||
|  |                 symAlg = new AesCryptoServiceProvider(); | ||
|  |             } | ||
|  |             else { | ||
|  |                 // Use the 3DES. FIPS obsolated 3DES | ||
|  |                 symAlg = new TripleDESCryptoServiceProvider(); | ||
|  | 
 | ||
|  |                 byte[] rgbKey1 = GetRandomKey(); | ||
|  |                 symAlg.Key = rgbKey1; | ||
|  |                 symAlg.Mode = CipherMode.ECB; | ||
|  |                 symAlg.Padding = PaddingMode.PKCS7; | ||
|  |             } | ||
|  | 
 | ||
|  |             return symAlg; | ||
|  |         } | ||
|  | 
 | ||
|  |         private EncryptionMethod GetSymEncryptionMethod() { | ||
|  |             return UseFIPS ? new EncryptionMethod(EncryptedXml.XmlEncAES256Url) : | ||
|  |                              new EncryptionMethod(EncryptedXml.XmlEncTripleDESUrl); | ||
|  |         } | ||
|  |     } | ||
|  | } |