From a7a71480d70dca121391a100e3d04dc038bdfa4f Mon Sep 17 00:00:00 2001
From: Dominick Baier
Date: Thu, 26 Jul 2018 08:11:18 +0200
Subject: [PATCH] Fix X509 data protector

---
 default.ps1 | 4 +-
 .../X509CertificateDataProtector.cs | 41 +++++++++++++++++-
 source/VersionAssemblyInfo.cs | Bin 226 -> 226 bytes
 3 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/default.ps1 b/default.ps1
index f20c57db5..6fe6d1e07 100644
--- a/default.ps1
+++ b/default.ps1
@@ -11,7 +11,7 @@ properties {
 $nuget_path = "$base_directory\nuget.exe"
 $buildNumber = 0;
- $version = "2.6.1.0"
+ $version = "2.6.2.0"
 $preRelease = $null
 }
 
@@ -94,5 +94,5 @@ task CreateNuGetPackage -depends ILMerge {
 copy-item $src_directory\IdentityServer3.nuspec $dist_directory
 copy-item $output_directory\IdentityServer3.xml $dist_directory\lib\net45\
 
- exec { . $nuget_path pack $dist_directory\IdentityServer3.nuspec -BasePath $dist_directory -o $dist_directory -version $packageVersion }
+ exec { . $nuget_path pack $dist_directory\IdentityServer3.nuspec -BasePath $dist_directory -OutputDirectory $dist_directory -version $packageVersion }
 }
diff --git a/source/Core/Configuration/X509CertificateDataProtector.cs b/source/Core/Configuration/X509CertificateDataProtector.cs
index dad9a3ab8..01cf6ea49 100644
--- a/source/Core/Configuration/X509CertificateDataProtector.cs
+++ b/source/Core/Configuration/X509CertificateDataProtector.cs
@@ -14,8 +14,11 @@
 * limitations under the License.
 */
 
+using System;
 using System.IdentityModel;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
+using System.Text;
 
 namespace IdentityServer3.Core.Configuration
 {
@@ -45,7 +48,12 @@ public X509CertificateDataProtector(X509Certificate2 certificate)
 ///
 public byte[] Protect(byte[] data, string entropy = "")
 {
- var encrypted = _encrypt.Encode(data);
+ //as there is no way to include entropy as separate attribute or flag we just append it to the end of the data
+ //to be able to take it into consideration when unprotecting
+ var entropyBytes = GetBytes(entropy);
+ var dataWithEntropy = Combine(data, entropyBytes);
+
+ var encrypted = _encrypt.Encode(dataWithEntropy);
 return _sign.Encode(encrypted);
 }
 
@@ -58,7 +66,36 @@ public byte[] Protect(byte[] data, string entropy = "")
 public byte[] Unprotect(byte[] data, string entropy = "")
 {
 var validated = _sign.Decode(data);
- return _encrypt.Decode(validated);
+ var decoded = _encrypt.Decode(validated);
+
+ //need to reverse things done in protect before returning: subtract entropy from the end and ensure it matches
+ var entropyBytes = GetBytes(entropy);
+ var decodedEntropy = new byte[entropyBytes.Length];
+ var decodedDataLength = decoded.Length - entropyBytes.Length;
+ Array.Copy(decoded, decodedDataLength, decodedEntropy, 0, entropyBytes.Length);
+
+ var rez = decodedEntropy.SequenceEqual(entropyBytes) ? GetSubArray(decoded, decodedDataLength) : null;
+ return rez;
+ }
+
+ private static byte[] GetBytes(string value)
+ {
+ return Encoding.UTF8.GetBytes(value);
+ }
+
+ private static byte[] GetSubArray(byte[] src, int length)
+ {
+ var dst = new byte[length];
+ Array.Copy(src, dst, length);
+ return dst;
+ }
+
+ private static byte[] Combine(byte[] first, byte[] second)
+ {
+ var combined = new byte[first.Length + second.Length];
+ Buffer.BlockCopy(first, 0, combined, 0, first.Length);
+ Buffer.BlockCopy(second, 0, combined, first.Length, second.Length);
+ return combined;
 }
 }
 }
\ No newline at end of file
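Review bot: `GetBytes(entropy)` in Protect hands `entropy` straight to `Encoding.UTF8.GetBytes`, which throws `ArgumentNullException` for a null string, so a caller that passed null where the old code simply ignored the argument now fails; Unprotect in the next hunk makes the same call. Normalising at both sites with `var entropyBytes = GetBytes(entropy ?? string.Empty);` keeps null and the default `""` equivalent on the protect and unprotect sides. Since the parameter used to be accepted but ignored, the method's XML doc comment (its start is above the hunk) should now say that `entropy` becomes part of the encrypted payload and must be supplied identically to Unprotect.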
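Review bot: `decodedDataLength` in Unprotect goes negative whenever the decrypted payload is shorter than `entropyBytes` — for example a blob produced by the previous release, which never appended entropy — and `Array.Copy(decoded, decodedDataLength, …)` then throws `ArgumentOutOfRangeException`, while the entropy-mismatch path a few lines later returns null, so the two failure modes disagree. A guard before the copy, `if (decodedDataLength < 0) return null;`, keeps every mismatch on the same path (whether null or an exception is the contract the interface expects is not visible in the hunk). The `decodedEntropy.SequenceEqual(entropyBytes)` comparison is not constant-time; since `_sign.Decode` presumably authenticates the blob before this point that looks harmless, but a `// NOTE: signature is verified above, so timing of this comparison is not exposed to unauthenticated input` comment would save the next reader from re-deriving it. `rez` is an unusual local name — `result`, or simply returning the conditional expression, reads better.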
diff --git a/source/VersionAssemblyInfo.cs b/source/VersionAssemblyInfo.cs index 923304a43a30c97aae00bcef9692e4d164ecd149..49771755dfd80c89450475d49cc33706c928ca50 100644 GIT binary patch delta 23 ecmaFF_=s`BB>^J_Jq7~?B?e7~SO#7OE(QQjlLUwW delta 23 ecmaFF_=s`BB>_VQJq7~?B?e7~SO#7OE(QQjg9L{F