Imported Upstream version 4.6.0.125

Former-commit-id: a2155e9bd80020e49e72e86c44da02a8ac0e57a4
2016-08-03 10:59:49 +00:00
parent a569aebcfd
commit e79aa3c0ed
17047 changed files with 3137615 additions and 392334 deletions
--- a/mcs/class/referencesource/System.Configuration/System/Configuration/FipsAwareEncryptedXml.cs
+++ b/mcs/class/referencesource/System.Configuration/System/Configuration/FipsAwareEncryptedXml.cs
@ -0,0 +1,75 @@
+//------------------------------------------------------------------------------
+// <copyright file="FipsAwareEncryptedXml.cs" company="Microsoft">
+//     Copyright (c) Microsoft Corporation.  All rights reserved.
+// </copyright>
+//------------------------------------------------------------------------------
+
+namespace System.Configuration {
+    using System.Collections;
+    using System.Security.Cryptography;
+    using System.Security.Cryptography.Xml;
+    using System.Xml;
+
+    // 
+    // Extends EncryptedXml to use FIPS-certified symmetric algorithm
+    // 
+    class FipsAwareEncryptedXml : EncryptedXml {
+
+        public FipsAwareEncryptedXml(XmlDocument doc)
+            : base(doc) {
+        }
+
+        // Override EncryptedXml.GetDecryptionKey to avoid calling into CryptoConfig.CreateFromName
+        // When detect AES, we need to return AesCryptoServiceProvider (FIPS certified) instead of AesManaged (FIPS obsolated)
+        public override SymmetricAlgorithm GetDecryptionKey(EncryptedData encryptedData, string symmetricAlgorithmUri) {
+            
+            // If AES is used then assume FIPS is required
+            bool fipsRequired = IsAesDetected(encryptedData, symmetricAlgorithmUri);
+
+            if (fipsRequired) {
+                // Obtain the EncryptedKey
+                EncryptedKey ek = null;
+
+                foreach (var ki in encryptedData.KeyInfo) {
+                    KeyInfoEncryptedKey kiEncKey = ki as KeyInfoEncryptedKey;
+                    if (kiEncKey != null) {
+                        ek = kiEncKey.EncryptedKey;
+                        break;
+                    }
+                }
+
+                // Got an EncryptedKey, decrypt it to get the AES key
+                if (ek != null) {
+                    byte[] key = DecryptEncryptedKey(ek);
+
+                    // Construct FIPS-certified AES provider
+                    if (key != null) {
+                        AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
+                        aes.Key = key;
+                        
+                        return aes;
+                    }
+                }
+            }
+
+            // Fallback to the base implementation
+            return base.GetDecryptionKey(encryptedData, symmetricAlgorithmUri);
+        }
+
+        private static bool IsAesDetected(EncryptedData encryptedData, string symmetricAlgorithmUri) {
+            if (encryptedData != null &&
+                encryptedData.KeyInfo != null &&
+                (symmetricAlgorithmUri != null || encryptedData.EncryptionMethod != null)) {
+
+                if (symmetricAlgorithmUri == null) {
+                    symmetricAlgorithmUri = encryptedData.EncryptionMethod.KeyAlgorithm;
+                }
+
+                // Check if the Uri matches AES256
+                return string.Equals(symmetricAlgorithmUri, EncryptedXml.XmlEncAES256Url, StringComparison.InvariantCultureIgnoreCase);
+            }
+
+            return false;
+        }
+    }
+}