Compare commits
16 Commits
683b95c205
...
f7193594b1
| Author | SHA1 | Date | |
|---|---|---|---|
|
f7193594b1 | ||
|
|
9c7319634a | ||
|
|
3becb208ec | ||
|
|
1b00f9afa2 | ||
|
|
b58d4aed2f | ||
|
|
5adc67edf2 | ||
|
|
0ff0de8159 | ||
|
|
49b49271f3 | ||
|
|
5c5a6bd181 | ||
|
|
6ab1777f7c | ||
|
|
103ddf5c2e | ||
|
|
f9c94e8464 | ||
|
|
cdb0009e7c | ||
|
|
5010224500 | ||
|
|
1ebdd7e5bb | ||
|
|
0e0513e640 |
@@ -18,6 +18,20 @@ namespace DigitalData.Core.Abstractions.Security
|
||||
|
||||
string EncryptedPrivateKeyPemLabel { get; init; }
|
||||
|
||||
/// <summary>
|
||||
/// Gets the formatter function for generating RSA key names.
|
||||
/// This formatter takes an issuer, audience, isPrivate, and optional version and separator
|
||||
/// to produce a formatted string used for the key naming convention.
|
||||
/// </summary>
|
||||
/// <param name="issuer">A string representing the issuer of the key. It should not contain invalid file name characters or the separator.</param>
|
||||
/// <param name="audience">A string representing the audience for which the key is intended. It should not contain invalid file name characters or the separator.</param>
|
||||
/// <param name="isPrivate">An bool to check if the key is private.</param>
|
||||
/// <param name="version">An instance of the <see cref="Version?"/> interface, which is used to keep the version of Pbe password.</param>
|
||||
/// <param name="separator">An optional string separator used to separate the issuer and audience. The default is "-_-". It should not be included in the issuer or audience strings.</param>
|
||||
/// <returns>A formatted string combining the issuer, audience, and separator, which adheres to valid file naming rules.</returns>
|
||||
/// <exception cref="ArgumentException">Thrown when the issuer, audience, or separator contains invalid characters or when the separator is present within the issuer or audience.</exception>
|
||||
Func<string, string, bool, Version?, string?, string> RSAKeyNameFormatter { get; }
|
||||
|
||||
string CreateRSAPrivateKeyPem(int? keySizeInBits = null);
|
||||
|
||||
string CreateEncryptedPrivateKeyPem(
|
||||
|
||||
@@ -2,12 +2,16 @@
|
||||
{
|
||||
public interface IRSADecryptor : IRSACryptographer
|
||||
{
|
||||
public string? Password { get; init; }
|
||||
(string Value, Version Version) VersionedPassword { init; }
|
||||
|
||||
public IRSAEncryptor Encryptor { get; }
|
||||
Version? PasswordVersion { get; }
|
||||
|
||||
public byte[] Decrypt(byte[] data);
|
||||
bool HasEncryptedPem { get; }
|
||||
|
||||
public string Decrypt(string data);
|
||||
IRSAEncryptor Encryptor { get; }
|
||||
|
||||
byte[] Decrypt(byte[] data);
|
||||
|
||||
string Decrypt(string data);
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,5 @@
|
||||
using DigitalData.Core.Abstractions.Security;
|
||||
using System.Collections.Concurrent;
|
||||
using System.Security.Cryptography;
|
||||
|
||||
namespace DigitalData.Core.Security.Extensions
|
||||
@@ -12,32 +13,53 @@ namespace DigitalData.Core.Security.Extensions
|
||||
return rsa;
|
||||
}
|
||||
|
||||
public static bool TryGetEncryptor(this IDictionary<string, IRSAEncryptor> pairs, string issuer, string audience, out IRSAEncryptor? encryptor)
|
||||
=> pairs.TryGetValue($"{issuer}:{audience}", out encryptor);
|
||||
public static IRSADecryptor GetRSADecryptor(this ICryptFactory factory, string issuer, string audience, Version? version = null, string? seperator = null)
|
||||
=> factory[factory.RSAKeyNameFormatter(issuer, audience, true, version, seperator)];
|
||||
|
||||
public static IRSAEncryptor? GetEncryptor(this IDictionary<string, IRSAEncryptor> pairs, string issuer, string audience)
|
||||
=> pairs.TryGetEncryptor(issuer: issuer, audience: audience, out var encryptor) ? encryptor : null;
|
||||
public static bool TryGetRSADecryptor(this ICryptFactory factory, string issuer, string audience, out IRSADecryptor? decryptor, Version? version = null, string? seperator = null)
|
||||
=> factory.TryGetRSADecryptor(factory.RSAKeyNameFormatter(issuer, audience, true, version, seperator), out decryptor);
|
||||
|
||||
public static IRSADecryptor GetRSADecryptor(this ICryptFactory factory, string issuer, string audience)
|
||||
=> factory[$"{issuer}:{audience}"];
|
||||
|
||||
public static bool TryGetRSADecryptor(this ICryptFactory factory, string issuer, string audience, out IRSADecryptor? decryptor)
|
||||
=> factory.TryGetRSADecryptor($"{issuer}:{audience}", out decryptor);
|
||||
|
||||
public static IRSAEncryptor GetRSAEncryptor(this ICryptFactory factory, string issuer, string audience)
|
||||
=> factory[$"{issuer}:{audience}"].Encryptor;
|
||||
|
||||
public static bool TryGetRSADecryptor(this ICryptFactory factory, string issuer, string audience, out IRSAEncryptor? encryptor)
|
||||
private static string CreatePath(string filename, string? directory = null)
|
||||
{
|
||||
if(factory.TryGetRSADecryptor($"{issuer}:{audience}", out var decryptor) && decryptor is not null)
|
||||
directory ??= Environment.CurrentDirectory;
|
||||
|
||||
if (!Directory.Exists(directory))
|
||||
{
|
||||
encryptor = decryptor.Encryptor;
|
||||
return true;
|
||||
Directory.CreateDirectory(directory);
|
||||
}
|
||||
else
|
||||
|
||||
return Path.Combine(directory, $"{filename}.pem");
|
||||
}
|
||||
|
||||
private static readonly ConcurrentDictionary<string, SemaphoreSlim> FileLocks = new();
|
||||
|
||||
public static void SavePem(this IRSACryptographer decryptor, string key, string? directory = null)
|
||||
{
|
||||
var filePath = CreatePath(filename: key, directory : directory);
|
||||
var fileLock = FileLocks.GetOrAdd(filePath, _ => new (1, 1));
|
||||
fileLock.Wait();
|
||||
try
|
||||
{
|
||||
encryptor = null;
|
||||
return false;
|
||||
File.WriteAllText(filePath, decryptor.Pem);
|
||||
}
|
||||
finally
|
||||
{
|
||||
fileLock.Release();
|
||||
}
|
||||
}
|
||||
|
||||
public static async Task SavePemAsync(this IRSACryptographer decryptor, string key, string? directory = null)
|
||||
{
|
||||
var filePath = CreatePath(filename: key, directory: directory);
|
||||
var fileLock = FileLocks.GetOrAdd(filePath, _ => new (1, 1));
|
||||
await fileLock.WaitAsync();
|
||||
try
|
||||
{
|
||||
await File.WriteAllTextAsync(filePath, decryptor.Pem);
|
||||
}
|
||||
finally
|
||||
{
|
||||
fileLock.Release();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -9,10 +9,14 @@ namespace DigitalData.Core.Security
|
||||
|
||||
public IRSADecryptor this[string key] { get => _decryptors[key]; set => _decryptors[key] = value; }
|
||||
|
||||
public CryptFactory(ILogger<CryptFactory> logger, IDictionary<string, IRSADecryptor> decryptors) : base()
|
||||
public Func<string, string, bool, Version?, string?, string> RSAKeyNameFormatter { get; }
|
||||
|
||||
public CryptFactory(ILogger<CryptFactory> logger, IDictionary<string, IRSADecryptor> decryptors, Func<string, string, bool, Version?, string?, string> rsaKeyNameFormatter) : base()
|
||||
{
|
||||
_decryptors = decryptors ?? new Dictionary<string, IRSADecryptor>();
|
||||
|
||||
RSAKeyNameFormatter = rsaKeyNameFormatter;
|
||||
|
||||
logger?.LogInformation("Core.Secrets version: {Version}, Created on: {CreationDate}.", Secrets.Version, Secrets.CreationDate.ToString("dd.MM.yyyy"));
|
||||
}
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ namespace DigitalData.Core.Security
|
||||
|
||||
public RSAEncryptionPadding Padding { get; init; } = RSAEncryptionPadding.OaepSHA256;
|
||||
|
||||
protected readonly RSA _rsa = RSA.Create();
|
||||
protected virtual RSA RSA { get; } = RSA.Create();
|
||||
|
||||
internal RSACryptographer() { }
|
||||
}
|
||||
|
||||
@@ -1,46 +1,58 @@
|
||||
using DigitalData.Core.Abstractions.Security;
|
||||
using DigitalData.Core.Security.Extensions;
|
||||
using System.Runtime.Serialization;
|
||||
using System.Security.Cryptography;
|
||||
|
||||
namespace DigitalData.Core.Security
|
||||
{
|
||||
public class RSADecryptor : RSACryptographer, IRSADecryptor, IRSACryptographer
|
||||
{
|
||||
public string? Password { get; init; }
|
||||
public (string Value, Version Version) VersionedPassword
|
||||
{
|
||||
init
|
||||
{
|
||||
_password = value.Value;
|
||||
PasswordVersion = value.Version;
|
||||
}
|
||||
}
|
||||
|
||||
public bool IsEncrypted => Password is not null;
|
||||
private string? _password;
|
||||
|
||||
public Version? PasswordVersion { get; private init; } = null;
|
||||
|
||||
public bool HasEncryptedPem => _password is not null;
|
||||
|
||||
public bool IsEncrypted => _password is not null;
|
||||
|
||||
private readonly Lazy<IRSAEncryptor> _lazyEncryptor;
|
||||
|
||||
public IRSAEncryptor Encryptor => _lazyEncryptor.Value;
|
||||
|
||||
internal RSADecryptor()
|
||||
private readonly Lazy<RSA> lazyRSA;
|
||||
|
||||
protected override RSA RSA => lazyRSA.Value;
|
||||
|
||||
public RSADecryptor()
|
||||
{
|
||||
_lazyEncryptor = new(() => new RSAEncryptor()
|
||||
{
|
||||
Pem = _rsa.ExportRSAPublicKeyPem(),
|
||||
Pem = RSA.ExportRSAPublicKeyPem(),
|
||||
Padding = Padding
|
||||
});
|
||||
|
||||
lazyRSA = new(() =>
|
||||
{
|
||||
var rsa = RSA.Create();
|
||||
if (_password is null)
|
||||
RSA.ImportFromPem(Pem);
|
||||
else
|
||||
RSA.ImportFromEncryptedPem(Pem, _password.AsSpan());
|
||||
|
||||
return rsa;
|
||||
});
|
||||
}
|
||||
|
||||
public byte[] Decrypt(byte[] data) => RSA.Decrypt(data, Padding);
|
||||
|
||||
[OnDeserialized]
|
||||
private void OnDeserialized(StreamingContext context) => Init();
|
||||
|
||||
private IRSADecryptor Init()
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(Pem))
|
||||
throw new InvalidOperationException("Pem cannot be null or empty.");
|
||||
|
||||
if (Password is null)
|
||||
_rsa.ImportFromPem(Pem);
|
||||
else
|
||||
_rsa.ImportFromEncryptedPem(Pem, Password.AsSpan());
|
||||
|
||||
return this;
|
||||
}
|
||||
|
||||
public byte[] Decrypt(byte[] data) => _rsa.Decrypt(data, Padding);
|
||||
|
||||
public string Decrypt(string data) => _rsa.Decrypt(data.Base64ToByte(), Padding).BytesToString();
|
||||
public string Decrypt(string data) => RSA.Decrypt(data.Base64ToByte(), Padding).BytesToString();
|
||||
}
|
||||
}
|
||||
@@ -10,17 +10,14 @@ namespace DigitalData.Core.Security
|
||||
get => base.Pem;
|
||||
init
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(Pem))
|
||||
throw new InvalidOperationException("Pem cannot be null or empty.");
|
||||
|
||||
_rsa.ImportFromPem(base.Pem);
|
||||
RSA.ImportFromPem(base.Pem);
|
||||
base.Pem = value;
|
||||
}
|
||||
}
|
||||
|
||||
public byte[] Encrypt(byte[] data) => _rsa.Encrypt(data, Padding);
|
||||
public byte[] Encrypt(byte[] data) => RSA.Encrypt(data, Padding);
|
||||
|
||||
public string Encrypt(string data) => _rsa.Encrypt(data.Base64ToByte(), Padding).BytesToString();
|
||||
public string Encrypt(string data) => RSA.Encrypt(data.Base64ToByte(), Padding).BytesToString();
|
||||
|
||||
public bool Verify(string data, string signature) => Encrypt(data) == signature;
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
|
||||
namespace DigitalData.Core.Security
|
||||
{
|
||||
@@ -8,6 +9,57 @@ namespace DigitalData.Core.Security
|
||||
|
||||
public static RSAFactory Static => LazyInstance.Value;
|
||||
|
||||
public static readonly string DefaultEncryptedPrivateKeyFileTag = "enc-private";
|
||||
|
||||
public static readonly string DefaultPrivateKeyFileTag = "private";
|
||||
|
||||
public static readonly string DefaultPublicKeyFileTag = "public";
|
||||
|
||||
public static readonly IEnumerable<string> KeyFileTags = new string[] { DefaultEncryptedPrivateKeyFileTag, DefaultPrivateKeyFileTag, DefaultPublicKeyFileTag };
|
||||
|
||||
private static readonly Lazy<IEnumerable<string>> LazyLowerFileTags = new(() => KeyFileTags.Select(tag => tag.ToLower()));
|
||||
|
||||
public static readonly string DefaultRSAKeyNameSeparator = "-_-";
|
||||
|
||||
//TODO: make the validation using regex
|
||||
public static string DefaultRSAKeyNameFormatter(string issuer, string audience, bool isPrivate = true, Version? passwordVersion = null, string? separator = null)
|
||||
{
|
||||
separator ??= DefaultRSAKeyNameSeparator;
|
||||
|
||||
void ValidateForbidden(string value, string paramName)
|
||||
{
|
||||
if (Path.GetInvalidFileNameChars().Any(value.Contains) || LazyLowerFileTags.Value.Any(tag => value.ToLower().Contains(tag)))
|
||||
throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains forbidden characters that are not allowed in file naming.", paramName);
|
||||
}
|
||||
|
||||
static void ValidateSeparator(string value, string paramName, string separator)
|
||||
{
|
||||
if (value.Contains(separator))
|
||||
throw new ArgumentException($"RSA decryptor key name creation is forbidden. The {paramName} contains separator characters ({separator}) that are not allowed in file naming.", paramName);
|
||||
}
|
||||
|
||||
ValidateForbidden(issuer, nameof(issuer));
|
||||
ValidateForbidden(audience, nameof(audience));
|
||||
ValidateForbidden(separator, nameof(separator));
|
||||
|
||||
ValidateSeparator(issuer, nameof(issuer), separator);
|
||||
ValidateSeparator(audience, nameof(audience), separator);
|
||||
|
||||
var sb = new StringBuilder(issuer.Length + audience.Length + separator.Length * 2 + 20);
|
||||
sb.Append(issuer).Append(separator).Append(audience).Append(separator);
|
||||
|
||||
if (passwordVersion is null && isPrivate)
|
||||
sb.Append(DefaultPrivateKeyFileTag);
|
||||
else if (isPrivate)
|
||||
sb.Append(DefaultEncryptedPrivateKeyFileTag).Append(separator).Append(passwordVersion);
|
||||
else if (passwordVersion is null)
|
||||
sb.Append(DefaultPublicKeyFileTag);
|
||||
else
|
||||
sb.Append(DefaultPublicKeyFileTag).Append(separator).Append(passwordVersion);
|
||||
|
||||
return sb.ToString();
|
||||
}
|
||||
|
||||
public int KeySizeInBits { get; init; } = 2048;
|
||||
|
||||
public string PbePassword { private get; init; } = Secrets.PBE_PASSWORD;
|
||||
|
||||
Reference in New Issue
Block a user