Fix X509 data protector

default.ps1

@@ -11,7 +11,7 @@ properties {
 	$nuget_path = "$base_directory\nuget.exe"
 
 	$buildNumber = 0;
-	$version = "2.6.1.0"
+	$version = "2.6.2.0"
 	$preRelease = $null
 }
 
@@ -94,5 +94,5 @@ task CreateNuGetPackage -depends ILMerge {
 
 	copy-item $src_directory\IdentityServer3.nuspec $dist_directory
 	copy-item $output_directory\IdentityServer3.xml $dist_directory\lib\net45\
-	exec { . $nuget_path pack $dist_directory\IdentityServer3.nuspec -BasePath $dist_directory -o $dist_directory -version $packageVersion }
+	exec { . $nuget_path pack $dist_directory\IdentityServer3.nuspec -BasePath $dist_directory -OutputDirectory $dist_directory -version $packageVersion }
 }

source/Core/Configuration/X509CertificateDataProtector.cs

@@ -14,8 +14,11 @@
  * limitations under the License.
  */
 
+using System;
 using System.IdentityModel;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
+using System.Text;
 
 namespace IdentityServer3.Core.Configuration
 {
@@ -45,7 +48,12 @@ public X509CertificateDataProtector(X509Certificate2 certificate)
         /// <returns></returns>
         public byte[] Protect(byte[] data, string entropy = "")
         {
-            var encrypted = _encrypt.Encode(data);
+            //as there is no way to include entropy as separate attribute or flag we just append it to the end of the data
+            //to be able to take it into consideration when unprotecting
+            var entropyBytes = GetBytes(entropy);
+            var dataWithEntropy = Combine(data, entropyBytes);
+
+            var encrypted = _encrypt.Encode(dataWithEntropy);
             return _sign.Encode(encrypted);
         }
 
@@ -58,7 +66,36 @@ public byte[] Protect(byte[] data, string entropy = "")
         public byte[] Unprotect(byte[] data, string entropy = "")
         {
             var validated = _sign.Decode(data);
-            return _encrypt.Decode(validated);
+            var decoded = _encrypt.Decode(validated);
+
+            //need to reverse things done in protect before returning: subtract entropy from the end and ensure it matches
+            var entropyBytes = GetBytes(entropy);
+            var decodedEntropy = new byte[entropyBytes.Length];
+            var decodedDataLength = decoded.Length - entropyBytes.Length;
+            Array.Copy(decoded, decodedDataLength, decodedEntropy, 0, entropyBytes.Length);
+
+            var rez = decodedEntropy.SequenceEqual(entropyBytes) ? GetSubArray(decoded, decodedDataLength) : null;
+            return rez;
+        }
+
+        private static byte[] GetBytes(string value)
+        {
+            return Encoding.UTF8.GetBytes(value);
+        }
+
+        private static byte[] GetSubArray(byte[] src, int length)
+        {
+            var dst = new byte[length];
+            Array.Copy(src, dst, length);
+            return dst;
+        }
+
+        private static byte[] Combine(byte[] first, byte[] second)
+        {
+            var combined = new byte[first.Length + second.Length];
+            Buffer.BlockCopy(first, 0, combined, 0, first.Length);
+            Buffer.BlockCopy(second, 0, combined, first.Length, second.Length);
+            return combined;
         }
     }
 }