feature: online session authentication and one-way decryption
This commit is contained in:
Gary Sharp
@@ -18,6 +18,7 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
{
|
||||
public class ActivationService
|
||||
{
|
||||
private static readonly HttpClient httpClient;
|
||||
private static readonly byte[] onlineServicesActivationKey;
|
||||
private readonly DiscoDataContext database;
|
||||
|
||||
@@ -29,6 +30,10 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
resourceStream.Read(key, 0, key.Length);
|
||||
onlineServicesActivationKey = key;
|
||||
}
|
||||
httpClient = new HttpClient(new OnlineServicesAuthenticatedHandler())
|
||||
{
|
||||
BaseAddress = DiscoServiceHelpers.ActivationServiceUrl
|
||||
};
|
||||
}
|
||||
|
||||
public ActivationService(DiscoDataContext database)
|
||||
@@ -247,6 +252,38 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
}
|
||||
}
|
||||
|
||||
public static async Task<T> Post<T>(string url, object request)
|
||||
{
|
||||
var stream = new MemoryStream();
|
||||
using (var jsonWriter = new StreamWriter(stream, new UTF8Encoding(false), 1024, true))
|
||||
{
|
||||
var serializer = new JsonSerializer();
|
||||
serializer.Serialize(jsonWriter, request);
|
||||
}
|
||||
stream.Position = 0;
|
||||
using (var content = new StreamContent(stream))
|
||||
{
|
||||
content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
|
||||
|
||||
using (var response = await httpClient.PostAsync(url, content))
|
||||
{
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
using (var responseContent = await response.Content.ReadAsStreamAsync())
|
||||
{
|
||||
using (var reader = new StreamReader(responseContent, Encoding.UTF8))
|
||||
{
|
||||
using (var jsonReader = new JsonTextReader(reader))
|
||||
{
|
||||
var serializer = new JsonSerializer();
|
||||
return serializer.Deserialize<T>(jsonReader);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static bool ValidateSignature(ChallengeResponse response)
|
||||
{
|
||||
var stream = new MemoryStream();
|
||||
@@ -255,7 +292,7 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
stream.Write(response.Challenge, 0, response.Challenge.Length);
|
||||
stream.Write(response.ChallengeIv, 0, response.ChallengeIv.Length);
|
||||
|
||||
return ValidateSignature(stream.ToArray(), response.Signature);
|
||||
return ValidateOnlineServicesSignature(stream.ToArray(), response.Signature);
|
||||
}
|
||||
|
||||
private static bool ValidateSignature(Guid activationId, byte[] challenge, byte[] challengeIv, byte[] signature)
|
||||
@@ -264,10 +301,10 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
stream.Write(activationId.ToByteArray(), 0, 16);
|
||||
stream.Write(challenge, 0, challenge.Length);
|
||||
stream.Write(challengeIv, 0, challengeIv.Length);
|
||||
return ValidateSignature(stream.ToArray(), signature);
|
||||
return ValidateOnlineServicesSignature(stream.ToArray(), signature);
|
||||
}
|
||||
|
||||
private static bool ValidateSignature(byte[] bytes, byte[] signature)
|
||||
public static bool ValidateOnlineServicesSignature(byte[] bytes, byte[] signature)
|
||||
{
|
||||
byte[] hash;
|
||||
using (var hasher = SHA256.Create())
|
||||
@@ -313,6 +350,11 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
}
|
||||
}
|
||||
|
||||
public static byte[] SignSHA256Hash(byte[] hash)
|
||||
{
|
||||
return SignHash(OnlineServicesAuthentication.Key, hash);
|
||||
}
|
||||
|
||||
private static byte[] Encrypt(byte[] privateKey, byte[] iv, long timeStamp, byte[] data)
|
||||
{
|
||||
var key = DeriveEncryptionKey(privateKey, iv, timeStamp);
|
||||
@@ -336,6 +378,17 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
}
|
||||
}
|
||||
|
||||
public static byte[] Encrypt(byte[] data, out byte[] iv, out long timeStamp)
|
||||
{
|
||||
iv = new byte[16];
|
||||
using (var rng = RandomNumberGenerator.Create())
|
||||
rng.GetBytes(iv);
|
||||
|
||||
timeStamp = DateTime.UtcNow.Ticks;
|
||||
|
||||
return Encrypt(OnlineServicesAuthentication.Key, iv, timeStamp, data);
|
||||
}
|
||||
|
||||
private static byte[] Decrypt(byte[] privateKey, byte[] iv, long timeStamp, byte[] data)
|
||||
{
|
||||
var key = DeriveEncryptionKey(privateKey, iv, timeStamp);
|
||||
@@ -360,6 +413,63 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
}
|
||||
}
|
||||
|
||||
public static byte[] Decrypt(byte[] data, byte[] iv, long timeStamp)
|
||||
{
|
||||
return Decrypt(OnlineServicesAuthentication.Key, iv, timeStamp, data);
|
||||
}
|
||||
|
||||
public static byte[] OneWayDecrypt(byte[] data)
|
||||
{
|
||||
var span = data.AsSpan();
|
||||
|
||||
if (span.Length < 13)
|
||||
throw new ArgumentException("Data is too short", nameof(data));
|
||||
Span<byte> magicBytes = new byte[] { 0xF0, 0x9F, 0x94, 0x8F, 0x44, 0x69, 0x73, 0x63, 0x6F, 0x49, 0x43, 0x54 }.AsSpan();
|
||||
if (!MemoryExtensions.SequenceEqual(magicBytes, span.Slice(0, 12)))
|
||||
throw new InvalidOperationException("Invalid format signature");
|
||||
|
||||
span = span.Slice(12);
|
||||
|
||||
byte[] readChunk(ref Span<byte> source)
|
||||
{
|
||||
var length = source[0];
|
||||
if (source.Length < (length + 1))
|
||||
throw new ArgumentException("Data is too short", nameof(data));
|
||||
var buffer = new byte[length];
|
||||
source.Slice(1, length).CopyTo(buffer);
|
||||
source = source.Slice(length + 1);
|
||||
return buffer;
|
||||
}
|
||||
|
||||
var publicKey = readChunk(ref span);
|
||||
var iv = readChunk(ref span);
|
||||
var signature = readChunk(ref span);
|
||||
|
||||
var key = DeriveOneWayDecryptingKey(OnlineServicesAuthentication.Key, publicKey, iv);
|
||||
|
||||
var outputStream = new MemoryStream();
|
||||
using (var aes = Aes.Create())
|
||||
{
|
||||
aes.Key = key;
|
||||
aes.IV = iv;
|
||||
aes.Mode = CipherMode.CBC;
|
||||
aes.Padding = PaddingMode.PKCS7;
|
||||
|
||||
using (var decryptor = aes.CreateDecryptor())
|
||||
{
|
||||
var ms = new MemoryStream(span.ToArray());
|
||||
using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
|
||||
{
|
||||
cs.CopyTo(outputStream);
|
||||
}
|
||||
}
|
||||
}
|
||||
var output = outputStream.ToArray();
|
||||
if (!ValidateOnlineServicesSignature(output, signature))
|
||||
throw new InvalidOperationException("Invalid encrypted data signature");
|
||||
return output;
|
||||
}
|
||||
|
||||
private static byte[] DeriveEncryptionKey(byte[] privateKey, byte[] iv, long timeStamp)
|
||||
{
|
||||
using (var serverKey = CngKey.Import(onlineServicesActivationKey, CngKeyBlobFormat.EccPublicBlob))
|
||||
@@ -377,6 +487,23 @@ namespace Disco.Services.Interop.DiscoServices
|
||||
}
|
||||
}
|
||||
|
||||
private static byte[] DeriveOneWayDecryptingKey(byte[] privateKey, byte[] publicKey, byte[] iv)
|
||||
{
|
||||
using (var ephemeralKey = CngKey.Import(publicKey, CngKeyBlobFormat.EccPublicBlob))
|
||||
{
|
||||
using (var clientKey = CngKey.Import(privateKey, CngKeyBlobFormat.EccPrivateBlob))
|
||||
{
|
||||
using (var ephemeralEcdh = new ECDiffieHellmanCng(ephemeralKey))
|
||||
{
|
||||
using (var ecdh = new ECDiffieHellmanCng(clientKey))
|
||||
{
|
||||
return ecdh.DeriveKeyFromHash(ephemeralEcdh.PublicKey, HashAlgorithmName.SHA256, iv, null);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static (byte[] privateKey, byte[] publicKey) GenerateActivationKey()
|
||||
{
|
||||
using (var key = CngKey.Create(CngAlgorithm.ECDiffieHellmanP521, null, new CngKeyCreationParameters
|
||||
|
||||
Reference in New Issue
Block a user