//------------------------------------------------------------------------------ // // Copyright (c) Microsoft Corporation. All rights reserved. // // balnee // krishnib //------------------------------------------------------------------------------ namespace System.Data.SqlClient { using System; using System.Text; using System.Data.Common; using System.Diagnostics; using System.Globalization; using System.Security; using System.Security.Cryptography; using Microsoft.Win32; /// /// Provides implementation similar to certificate store provider. /// A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa. /// /// Envolope Format for the encrypted column encryption key /// version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature /// version: A single byte indicating the format version. /// keyPathLength: Length of the keyPath. /// ciphertextLength: ciphertext length /// keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption. /// ciphertext: Encrypted column encryption key /// signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key. /// public class SqlColumnEncryptionCspProvider : SqlColumnEncryptionKeyStoreProvider { /// /// Name for the CSP key store provider. /// public const string ProviderName = @"MSSQL_CSP_PROVIDER"; /// /// RSA_OAEP is the only algorithm supported for encrypting/decrypting column encryption keys using this provider. /// For now, we are keeping all the providers in sync. /// private const string RSAEncryptionAlgorithmWithOAEP = @"RSA_OAEP"; /// /// Hashing algoirthm used for signing /// private const string HashingAlgorithm = @"SHA256"; /// /// Algorithm version /// private readonly byte[] _version = new byte[] { 0x01 }; /// /// This function uses the asymmetric key specified by the key path /// and decrypts an encrypted CEK with RSA encryption algorithm. /// /// Complete path of an asymmetric key in CSP /// Asymmetric Key Encryption Algorithm /// Encrypted Column Encryption Key /// Plain text column encryption key public override byte[] DecryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) { // Validate the input parameters ValidateNonEmptyCSPKeyPath(masterKeyPath, isSystemOp: true); if (null == encryptedColumnEncryptionKey) { throw SQL.NullEncryptedColumnEncryptionKey(); } if (0 == encryptedColumnEncryptionKey.Length) { throw SQL.EmptyEncryptedColumnEncryptionKey(); } // Validate encryptionAlgorithm ValidateEncryptionAlgorithm(encryptionAlgorithm, isSystemOp: true); // Create RSA Provider with the given CSP name and key name RSACryptoServiceProvider rsaProvider = CreateRSACryptoProvider(masterKeyPath, isSystemOp: true); // Validate whether the key is RSA one or not and then get the key size int keySizeInBytes = GetKeySize(rsaProvider); // Validate and decrypt the EncryptedColumnEncryptionKey // Format is // version + keyPathLength + ciphertextLength + keyPath + ciphervtext + signature // // keyPath is present in the encrypted column encryption key for identifying the original source of the asymmetric key pair and // we will not validate it against the data contained in the CMK metadata (masterKeyPath). // Validate the version byte if (encryptedColumnEncryptionKey[0] != _version[0]) { throw SQL.InvalidAlgorithmVersionInEncryptedCEK(encryptedColumnEncryptionKey[0], _version[0]); } // Get key path length int currentIndex = _version.Length; UInt16 keyPathLength = BitConverter.ToUInt16(encryptedColumnEncryptionKey, currentIndex); currentIndex += sizeof(UInt16); // Get ciphertext length UInt16 cipherTextLength = BitConverter.ToUInt16(encryptedColumnEncryptionKey, currentIndex); currentIndex += sizeof(UInt16); // Skip KeyPath // KeyPath exists only for troubleshooting purposes and doesnt need validation. currentIndex += keyPathLength; // validate the ciphertext length if (cipherTextLength != keySizeInBytes) { throw SQL.InvalidCiphertextLengthInEncryptedCEKCsp(cipherTextLength, keySizeInBytes, masterKeyPath); } // Validate the signature length // Signature length should be same as the key side for RSA PKCSv1.5 int signatureLength = encryptedColumnEncryptionKey.Length - currentIndex - cipherTextLength; if (signatureLength != keySizeInBytes) { throw SQL.InvalidSignatureInEncryptedCEKCsp(signatureLength, keySizeInBytes, masterKeyPath); } // Get ciphertext byte[] cipherText = new byte[cipherTextLength]; Buffer.BlockCopy(encryptedColumnEncryptionKey, currentIndex, cipherText, 0, cipherText.Length); currentIndex += cipherTextLength; // Get signature byte[] signature = new byte[signatureLength]; Buffer.BlockCopy(encryptedColumnEncryptionKey, currentIndex, signature, 0, signature.Length); // Compute the hash to validate the signature byte[] hash; using (SHA256Cng sha256 = new SHA256Cng()) { sha256.TransformFinalBlock(encryptedColumnEncryptionKey, 0, encryptedColumnEncryptionKey.Length - signature.Length); hash = sha256.Hash; } Debug.Assert(hash != null, @"hash should not be null while decrypting encrypted column encryption key."); // Validate the signature if (!RSAVerifySignature(hash, signature, rsaProvider)) { throw SQL.InvalidSignature(masterKeyPath); } // Decrypt the CEK return RSADecrypt(rsaProvider, cipherText); } /// /// This function uses the asymmetric key specified by the key path /// and encrypts CEK with RSA encryption algorithm. /// /// Complete path of an asymmetric key in AKV /// Asymmetric Key Encryption Algorithm /// Plain text column encryption key /// Encrypted column encryption key public override byte[] EncryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] columnEncryptionKey) { // Validate the input parameters ValidateNonEmptyCSPKeyPath(masterKeyPath, isSystemOp: false); if (null == columnEncryptionKey) { throw SQL.NullColumnEncryptionKey(); } else if (0 == columnEncryptionKey.Length) { throw SQL.EmptyColumnEncryptionKey(); } // Validate encryptionAlgorithm ValidateEncryptionAlgorithm(encryptionAlgorithm, isSystemOp: false); // Create RSA Provider with the given CSP name and key name RSACryptoServiceProvider rsaProvider = CreateRSACryptoProvider(masterKeyPath, isSystemOp: false); // Validate whether the key is RSA one or not and then get the key size int keySizeInBytes = GetKeySize(rsaProvider); // Construct the encryptedColumnEncryptionKey // Format is // version + keyPathLength + ciphertextLength + ciphertext + keyPath + signature // // We currently only support one version byte[] version = new byte[] { _version[0] }; // Get the Unicode encoded bytes of cultureinvariant lower case masterKeyPath byte[] masterKeyPathBytes = Encoding.Unicode.GetBytes(masterKeyPath.ToLowerInvariant()); byte[] keyPathLength = BitConverter.GetBytes((Int16)masterKeyPathBytes.Length); // Encrypt the plain text byte[] cipherText = RSAEncrypt(rsaProvider, columnEncryptionKey); byte[] cipherTextLength = BitConverter.GetBytes((Int16)cipherText.Length); Debug.Assert(cipherText.Length == keySizeInBytes, @"cipherText length does not match the RSA key size"); // Compute hash // SHA-2-256(version + keyPathLength + ciphertextLength + keyPath + ciphertext) byte[] hash; using (SHA256Cng sha256 = new SHA256Cng()) { sha256.TransformBlock(version, 0, version.Length, version, 0); sha256.TransformBlock(keyPathLength, 0, keyPathLength.Length, keyPathLength, 0); sha256.TransformBlock(cipherTextLength, 0, cipherTextLength.Length, cipherTextLength, 0); sha256.TransformBlock(masterKeyPathBytes, 0, masterKeyPathBytes.Length, masterKeyPathBytes, 0); sha256.TransformFinalBlock(cipherText, 0, cipherText.Length); hash = sha256.Hash; } // Sign the hash byte[] signedHash = RSASignHashedData(hash, rsaProvider); Debug.Assert(signedHash.Length == keySizeInBytes, @"signed hash length does not match the RSA key size"); Debug.Assert(RSAVerifySignature(hash, signedHash, rsaProvider), @"Invalid signature of the encrypted column encryption key computed."); // Construct the encrypted column encryption key // EncryptedColumnEncryptionKey = version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature int encryptedColumnEncryptionKeyLength = version.Length + cipherTextLength.Length + keyPathLength.Length + cipherText.Length + masterKeyPathBytes.Length + signedHash.Length; byte[] encryptedColumnEncryptionKey = new byte[encryptedColumnEncryptionKeyLength]; // Copy version byte int currentIndex = 0; Buffer.BlockCopy(version, 0, encryptedColumnEncryptionKey, currentIndex, version.Length); currentIndex += version.Length; // Copy key path length Buffer.BlockCopy(keyPathLength, 0, encryptedColumnEncryptionKey, currentIndex, keyPathLength.Length); currentIndex += keyPathLength.Length; // Copy ciphertext length Buffer.BlockCopy(cipherTextLength, 0, encryptedColumnEncryptionKey, currentIndex, cipherTextLength.Length); currentIndex += cipherTextLength.Length; // Copy key path Buffer.BlockCopy(masterKeyPathBytes, 0, encryptedColumnEncryptionKey, currentIndex, masterKeyPathBytes.Length); currentIndex += masterKeyPathBytes.Length; // Copy ciphertext Buffer.BlockCopy(cipherText, 0, encryptedColumnEncryptionKey, currentIndex, cipherText.Length); currentIndex += cipherText.Length; // copy the signature Buffer.BlockCopy(signedHash, 0, encryptedColumnEncryptionKey, currentIndex, signedHash.Length); return encryptedColumnEncryptionKey; } /// /// This function validates that the encryption algorithm is RSA_OAEP and if it is not, /// then throws an exception /// /// Asymmetric key encryptio algorithm /// Indicates if ADO.NET calls or the customer calls the API private void ValidateEncryptionAlgorithm(string encryptionAlgorithm, bool isSystemOp) { // This validates that the encryption algorithm is RSA_OAEP if (null == encryptionAlgorithm) { throw SQL.NullKeyEncryptionAlgorithm(isSystemOp); } if (string.Equals(encryptionAlgorithm, RSAEncryptionAlgorithmWithOAEP, StringComparison.OrdinalIgnoreCase) != true) { throw SQL.InvalidKeyEncryptionAlgorithm(encryptionAlgorithm, RSAEncryptionAlgorithmWithOAEP, isSystemOp); } } /// /// Checks if the CSP key path is Empty or Null (and raises exception if they are). /// /// CSP key path. /// Indicates if ADO.NET calls or the customer calls the API private void ValidateNonEmptyCSPKeyPath(string masterKeyPath, bool isSystemOp) { if (string.IsNullOrWhiteSpace(masterKeyPath)) { if (null == masterKeyPath) { throw SQL.NullCspKeyPath(isSystemOp); } else { throw SQL.InvalidCspPath(masterKeyPath, isSystemOp); } } } /// /// Encrypt the text using specified CSP key. /// /// CSP key path. /// Encryption Algorithm. /// Plain text Column Encryption Key. /// Returns an encrypted blob or throws an exception if there are any errors. private byte[] RSAEncrypt(RSACryptoServiceProvider rscp, byte[] columnEncryptionKey) { Debug.Assert(columnEncryptionKey != null); Debug.Assert(rscp != null); return rscp.Encrypt(columnEncryptionKey, fOAEP: true); } /// /// Decrypt the text using specified CSP key. /// /// CSP key url. /// Encryption Algorithm. /// Encrypted Column Encryption Key. /// Returns the decrypted plaintext Column Encryption Key or throws an exception if there are any errors. private byte[] RSADecrypt(RSACryptoServiceProvider rscp, byte[] encryptedColumnEncryptionKey) { Debug.Assert((encryptedColumnEncryptionKey != null) && (encryptedColumnEncryptionKey.Length != 0)); Debug.Assert(rscp != null); return rscp.Decrypt(encryptedColumnEncryptionKey, fOAEP: true); } /// /// Generates signature based on RSA PKCS#v1.5 scheme using a specified CSP Key URL. /// /// Text to sign. /// RSA Provider with a given key /// Signature private byte[] RSASignHashedData(byte[] dataToSign, RSACryptoServiceProvider rscp) { Debug.Assert((dataToSign != null) && (dataToSign.Length != 0)); Debug.Assert(rscp != null); return rscp.SignData(dataToSign, HashingAlgorithm); } /// /// Verifies the given RSA PKCSv1.5 signature. /// /// /// /// RSA Provider with a given key /// true if signature is valid, false if it is not valid private bool RSAVerifySignature(byte[] dataToVerify, byte[] signature, RSACryptoServiceProvider rscp) { Debug.Assert((dataToVerify != null) && (dataToVerify.Length != 0)); Debug.Assert((signature != null) && (signature.Length != 0)); Debug.Assert(rscp != null); return rscp.VerifyData(dataToVerify, HashingAlgorithm, signature); } /// /// Gets the public Key size in bytes /// /// RSA Provider with a given key /// Key size in bytes private int GetKeySize(RSACryptoServiceProvider rscp) { Debug.Assert(rscp != null); return rscp.KeySize / 8; } /// /// Creates a RSACryptoServiceProvider from the given key path which contains both CSP name and key name /// /// key path in the format of [CAPI provider name]\[key name] /// Indicates if ADO.NET calls or the customer calls the API /// private RSACryptoServiceProvider CreateRSACryptoProvider(string keyPath, bool isSystemOp) { // Get CNGProvider and the KeyID string cspProviderName; string keyName; GetCspProviderAndKeyName(keyPath, isSystemOp, out cspProviderName, out keyName); // Verify the existence of CSP and then get the provider type int providerType = GetProviderType(cspProviderName, keyPath, isSystemOp); // Create a new instance of CspParameters for an RSA container. CspParameters cspParams = new CspParameters(providerType, cspProviderName, keyName); cspParams.Flags = CspProviderFlags.UseExistingKey; RSACryptoServiceProvider rscp = null; try { //Create a new instance of RSACryptoServiceProvider rscp = new RSACryptoServiceProvider(cspParams); } catch (CryptographicException e) { const int KEYSETDOESNOTEXIST = -2146893802; if (e.HResult == KEYSETDOESNOTEXIST) { // Key does not exist throw SQL.InvalidCspKeyIdentifier(keyName, keyPath, isSystemOp); } else { // bubble up the exception throw; } } return rscp; } /// /// Extracts the CSP provider name and key name from the given key path /// /// key path in the format of [CSP provider name]\[key name] /// Indicates if ADO.NET calls or the customer calls the API /// output containing the CSP provider name /// output containing the key name private void GetCspProviderAndKeyName(string keyPath, bool isSystemOp, out string cspProviderName, out string keyIdentifier) { int indexOfSlash = keyPath.IndexOf(@"/"); if (indexOfSlash == -1) { throw SQL.InvalidCspPath(keyPath, isSystemOp); } cspProviderName = keyPath.Substring(0, indexOfSlash); keyIdentifier = keyPath.Substring(indexOfSlash + 1, keyPath.Length - (indexOfSlash + 1)); if (cspProviderName.Length == 0) { throw SQL.EmptyCspName(keyPath, isSystemOp); } if (keyIdentifier.Length == 0) { throw SQL.EmptyCspKeyId(keyPath, isSystemOp); } } /// /// Gets the provider type from a given CAPI provider name /// /// CAPI provider name /// key path in the format of [CSP provider name]\[key name] /// Indicates if ADO.NET calls or the customer calls the API /// private int GetProviderType(string providerName, string keyPath, bool isSystemOp) { string keyName = String.Format(@"SOFTWARE\Microsoft\Cryptography\Defaults\Provider\{0}", providerName); RegistryKey key = Registry.LocalMachine.OpenSubKey(keyName); if (key == null) { throw SQL.InvalidCspName(providerName, keyPath, isSystemOp); } int providerType = (int)key.GetValue(@"Type"); key.Close(); return providerType; } } }