linux-packaging-mono/mcs/class/referencesource/System.Configuration/System/Configuration/FipsAwareEncryptedXml.cs

//------------------------------------------------------------------------------
// <copyright file="FipsAwareEncryptedXml.cs" company="Microsoft">
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// </copyright>
//------------------------------------------------------------------------------

namespace System.Configuration {
    using System.Collections;
    using System.Security.Cryptography;
    using System.Security.Cryptography.Xml;
    using System.Xml;

    // 
    // Extends EncryptedXml to use FIPS-certified symmetric algorithm
    // 
    class FipsAwareEncryptedXml : EncryptedXml {

        public FipsAwareEncryptedXml(XmlDocument doc)
            : base(doc) {
        }

        // Override EncryptedXml.GetDecryptionKey to avoid calling into CryptoConfig.CreateFromName
        // When detect AES, we need to return AesCryptoServiceProvider (FIPS certified) instead of AesManaged (FIPS obsolated)
        public override SymmetricAlgorithm GetDecryptionKey(EncryptedData encryptedData, string symmetricAlgorithmUri) {
            
            // If AES is used then assume FIPS is required
            bool fipsRequired = IsAesDetected(encryptedData, symmetricAlgorithmUri);

            if (fipsRequired) {
                // Obtain the EncryptedKey
                EncryptedKey ek = null;

                foreach (var ki in encryptedData.KeyInfo) {
                    KeyInfoEncryptedKey kiEncKey = ki as KeyInfoEncryptedKey;
                    if (kiEncKey != null) {
                        ek = kiEncKey.EncryptedKey;
                        break;
                    }
                }

                // Got an EncryptedKey, decrypt it to get the AES key
                if (ek != null) {
                    byte[] key = DecryptEncryptedKey(ek);

                    // Construct FIPS-certified AES provider
                    if (key != null) {
                        AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
                        aes.Key = key;
                        
                        return aes;
                    }
                }
            }

            // Fallback to the base implementation
            return base.GetDecryptionKey(encryptedData, symmetricAlgorithmUri);
        }

        private static bool IsAesDetected(EncryptedData encryptedData, string symmetricAlgorithmUri) {
            if (encryptedData != null &&
                encryptedData.KeyInfo != null &&
                (symmetricAlgorithmUri != null || encryptedData.EncryptionMethod != null)) {

                if (symmetricAlgorithmUri == null) {
                    symmetricAlgorithmUri = encryptedData.EncryptionMethod.KeyAlgorithm;
                }

                // Check if the Uri matches AES256
                return string.Equals(symmetricAlgorithmUri, EncryptedXml.XmlEncAES256Url, StringComparison.InvariantCultureIgnoreCase);
            }

            return false;
        }
    }
}
Imported Upstream version 4.6.0.125 Former-commit-id: a2155e9bd80020e49e72e86c44da02a8ac0e57a4 2016-08-03 10:59:49 +00:00			`//------------------------------------------------------------------------------`
			`// <copyright file="FipsAwareEncryptedXml.cs" company="Microsoft">`
			`// Copyright (c) Microsoft Corporation. All rights reserved.`
			`// </copyright>`
			`//------------------------------------------------------------------------------`

			`namespace System.Configuration {`
			`using System.Collections;`
			`using System.Security.Cryptography;`
			`using System.Security.Cryptography.Xml;`
			`using System.Xml;`

			`//`
			`// Extends EncryptedXml to use FIPS-certified symmetric algorithm`
			`//`
			`class FipsAwareEncryptedXml : EncryptedXml {`

			`public FipsAwareEncryptedXml(XmlDocument doc)`
			`: base(doc) {`
			`}`

			`// Override EncryptedXml.GetDecryptionKey to avoid calling into CryptoConfig.CreateFromName`
			`// When detect AES, we need to return AesCryptoServiceProvider (FIPS certified) instead of AesManaged (FIPS obsolated)`
			`public override SymmetricAlgorithm GetDecryptionKey(EncryptedData encryptedData, string symmetricAlgorithmUri) {`

			`// If AES is used then assume FIPS is required`
			`bool fipsRequired = IsAesDetected(encryptedData, symmetricAlgorithmUri);`

			`if (fipsRequired) {`
			`// Obtain the EncryptedKey`
			`EncryptedKey ek = null;`

			`foreach (var ki in encryptedData.KeyInfo) {`
			`KeyInfoEncryptedKey kiEncKey = ki as KeyInfoEncryptedKey;`
			`if (kiEncKey != null) {`
			`ek = kiEncKey.EncryptedKey;`
			`break;`
			`}`
			`}`

			`// Got an EncryptedKey, decrypt it to get the AES key`
			`if (ek != null) {`
			`byte[] key = DecryptEncryptedKey(ek);`

			`// Construct FIPS-certified AES provider`
			`if (key != null) {`
			`AesCryptoServiceProvider aes = new AesCryptoServiceProvider();`
			`aes.Key = key;`

			`return aes;`
			`}`
			`}`
			`}`

			`// Fallback to the base implementation`
			`return base.GetDecryptionKey(encryptedData, symmetricAlgorithmUri);`
			`}`

			`private static bool IsAesDetected(EncryptedData encryptedData, string symmetricAlgorithmUri) {`
			`if (encryptedData != null &&`
			`encryptedData.KeyInfo != null &&`
			`(symmetricAlgorithmUri != null \|\| encryptedData.EncryptionMethod != null)) {`

			`if (symmetricAlgorithmUri == null) {`
			`symmetricAlgorithmUri = encryptedData.EncryptionMethod.KeyAlgorithm;`
			`}`

			`// Check if the Uri matches AES256`
			`return string.Equals(symmetricAlgorithmUri, EncryptedXml.XmlEncAES256Url, StringComparison.InvariantCultureIgnoreCase);`
			`}`

			`return false;`
			`}`
			`}`
			`}`