KeyGenSpec.Builder.setUserAuthenticationRequired but not enforced - encryption

I am trying to encrypt something with a key generated in the TEE environment.
The key has the following properties:
I set the mUserAuthenticationRequired to true.
However, when I do:
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
return cipher.doFinal(secretToBeEncrypted);
It works just fine and does not throw any exceptions for not displaying the authentication dialog.
Why is that?

Related

HTTP get request won't submit with a URL encoded parameter

I'm currently writing an ASP.NET Core web API that has an action with an encrypted value as a parameter.
I'm trying to test this action and the URL won't even submit in the web browser. At first I thought it could be due to the URL being too long, but I've found this answer and my URL is well below the 2000 character limit. I've changed the parameter to a trivial string ("hello") and it submits fine and runs the code. I've tried in both Edge and IE11 whilst debugging my application; in Edge nothing happens at all, and in IE11 I get a message saying:
Windows cannot find 'http://localhost:5000/api/...' Check the spelling and try again
In either case the code in the application doesn't execute (I've put a breakpoint on the first line of the controller's constructor, which isn't being hit).
I've included an example of one of the URLs that isn't working below, as well as the code I'm using to generate the encrypted string, it uses HttpUtility.UrlEncode to convert the encrypted byte[] array to a string.
Example URL (one that doesn't work):
http://localhost:5000/api/testcontroller/doaction/%95%d6%f8%97%84K%1f%d4%40P%f0%8d%de%27%19%ed%ffAR%9c%c6%d4%b1%83%1e%9fX%ce%9b%ca%0e%d4j%d3Rlz%89%19%96%5dL%b1%16%e9V%14u%c7W%ee%89p%3f%f7%e6d%60%13%e5%ca%00%e9%a2%27%cb%d3J%94%a6%e1%b9%9c%914%06y%7e%0bn%ce%00%e5%7d%98b%85c%fa6m%7d%f7%f1%7b8%26%22%5e%1et%5e%10%0c%05%dd%deFAR%bb%93L%b9-W%e1K%82%d8%cc8%ce%e0%0c%2b%bc%19
Action:
[HttpGet("[action]/{encrypted}")]
public string DoAction(string encrypted)
{
return "Executed";
}
Generate encrypted string:
private string GenerateEncryptedString()
{
RSACryptoServiceProvider rsaProvider = new RSACryptoServiceProvider();
byte[] data = HttpUtility.UrlDecodeToBytes("AHMW9GMXQZXYL04EYBIW");
byte[] encryptedData = rsaProvider.Encrypt(data, true);
string encryptedString = HttpUtility.UrlEncode(encryptedData);
return encryptedString;
}
Not sure if I'm going wrong in my methodology for converting the encrypted data to a string but I would appreciate any feedback on how to fix this issue.
I think you should try to pass this data in the query string and not in the location (path) part of the URL (some characters may be forbidden in paths as a security layer), so add a ?data= before the encoded data.
http://localhost:5000/api/testcontroller/doaction/?data=%95%d6%f8%97%84K%1f%d4%40P%f0%8d%de%27%19%ed%ffAR%9c%c6%d4%b1%83%1e%9fX%ce%9b%ca%0e%d4j%d3Rlz%89%19%96%5dL%b1%16%e9V%14u%c7W%ee%89p%3f%f7%e6d%60%13%e5%ca%00%e9%a2%27%cb%d3J%94%a6%e1%b9%9c%914%06y%7e%0bn%ce%00%e5%7d%98b%85c%fa6m%7d%f7%f1%7b8%26%22%5e%1et%5e%10%0c%05%dd%deFAR%bb%93L%b9-W%e1K%82%d8%cc8%ce%e0%0c%2b%bc%19
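An added example in Python (not from the question or the answer): it decodes the failing path segment copied from the question, lists the decoded bytes that URL parsers and web frameworks treat specially (control characters such as NUL, and delimiters), and shows base64url as the usual way to carry ciphertext in a path or query value so that no such bytes appear at all.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# The path segment copied from the failing URL in the question: RSA ciphertext, byte-wise percent-encoded.
QUESTION_SEGMENT = "%95%d6%f8%97%84K%1f%d4%40P%f0%8d%de%27%19%ed%ffAR%9c%c6%d4%b1%83%1e%9fX%ce%9b%ca%0e%d4j%d3Rlz%89%19%96%5dL%b1%16%e9V%14u%c7W%ee%89p%3f%f7%e6d%60%13%e5%ca%00%e9%a2%27%cb%d3J%94%a6%e1%b9%9c%914%06y%7e%0bn%ce%00%e5%7d%98b%85c%fa6m%7d%f7%f1%7b8%26%22%5e%1et%5e%10%0c%05%dd%deFAR%bb%93L%b9-W%e1K%82%d8%cc8%ce%e0%0c%2b%bc%19"

def decode_segment(segment):
    """Undo HttpUtility.UrlEncode's percent-encoding to recover the raw ciphertext bytes."""
    return unquote_to_bytes(segment)

def risky_bytes(raw):
    """Offsets and values of bytes that URL parsers and web frameworks treat specially once decoded:
    ASCII control characters (NUL, CR, LF, ...) and the delimiters / ? # %."""
    return [(i, b) for i, b in enumerate(raw) if b < 0x20 or b == 0x7F or b in b"/?#%"]

def to_url_token(raw):
    """base64url (RFC 4648 section 5) without '=' padding: the alphabet A-Z a-z 0-9 - _
    is safe in a path segment or a query value with no further encoding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def from_url_token(token):
    """Strict inverse of to_url_token: reject anything outside the base64url alphabet."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("not a base64url token")
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

if __name__ == "__main__":
    raw = decode_segment(QUESTION_SEGMENT)
    bad = risky_bytes(raw)
    print(f"{len(raw)} ciphertext bytes; {len(bad)} are control characters or URL delimiters")
    for offset, value in bad[:5]:
        print(f"  offset {offset:3d}: 0x{value:02x}")
    token = to_url_token(raw)
    print(f"base64url token ({len(token)} chars): {token}")
    assert from_url_token(token) == raw
```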

Decrypt data using private key in SSL context in openssl (ssl_st)

Is it possible to get the private key of a TLS session from the SSL* context variable? I have a string encrypted with the public key and I would like to decrypt it using the corresponding private key from an SSL* context.
I have tried this but it doesn't work:
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pkey, NULL);
EVP_PKEY_decrypt_init(ctx);   /* the context must be initialised for decryption before use */
EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen);   /* out is the output buffer, outlen its size in/out */
where:
pkey is s->cert->key->privatekey (s is an already existing SSL* variable in the TLS session)
in/inlen is the encrypted string,
out/outlen is the expected output.
Any suggestion is welcome. Thanks.
Sorry, that code is actually working, it was just a problem with the padding.
I was calling:
EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
As soon as I removed that line the decryption worked. I don't actually know why; can anybody explain how padding works? I mean, should I know what kind of padding has been used, or can I just ignore it (i.e. remove the line)?
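An added example, not from the question: pure-Python models of the two RSA encryption paddings (EME-PKCS1-v1_5, which is what EVP_PKEY_decrypt uses when no padding mode is set, and EME-OAEP with SHA-1, OpenSSL's default OAEP digest) show why the decryptor must apply the padding the encryptor used: a block padded with PKCS#1 v1.5 is rejected by the OAEP unpadder. The modular exponentiation is left out, only the padding layer is modelled, and the 128-byte block size is a constructed assumption.

```python
import hashlib
import os
K, HLEN = 128, hashlib.sha1().digest_size  # 1024-bit modulus (constructed); SHA-1 is OpenSSL's default OAEP digest

def mgf1(seed, length):  # MGF1 (RFC 8017 B.2.1) with SHA-1
    out = b""
    for c in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha1(seed + c.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad_pkcs1_v15(m, k=K):  # EME-PKCS1-v1_5: 00 || 02 || PS (random, no zero bytes) || 00 || M
    if len(m) > k - 11:
        raise ValueError("message too long")
    ps = bytes(b or 1 for b in os.urandom(k - len(m) - 3))  # zero bytes replaced by 1 (demo-grade)
    return b"\x00\x02" + ps + b"\x00" + m

def unpad_pkcs1_v15(em):
    sep = em.find(b"\x00", 2)  # end of PS; PS is at least 8 bytes, so sep >= 10
    if len(em) < 11 or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]

def pad_oaep(m, k=K, label=b""):  # EME-OAEP: 00 || maskedSeed || maskedDB, DB = lHash || PS || 01 || M
    if len(m) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    db = hashlib.sha1(label).digest() + bytes(k - len(m) - 2 * HLEN - 2) + b"\x01" + m
    seed = os.urandom(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    return b"\x00" + xor(seed, mgf1(masked_db, HLEN)) + masked_db

def unpad_oaep(em, label=b""):
    k = len(em)
    if k < 2 * HLEN + 2 or em[0] != 0:
        raise ValueError("decryption error")
    seed = xor(em[1:1 + HLEN], mgf1(em[1 + HLEN:], HLEN))
    db = xor(em[1 + HLEN:], mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:].lstrip(b"\x00")
    if db[:HLEN] != hashlib.sha1(label).digest() or rest[:1] != b"\x01":
        raise ValueError("decryption error")
    return rest[1:]

def unpad_with(scheme, em):  # one padding mode, as EVP_PKEY_CTX_set_rsa_padding selects; None if the block does not fit
    try:
        return unpad_pkcs1_v15(em) if scheme == "pkcs1" else unpad_oaep(em)
    except ValueError:
        return None
```

PKCS#1 v1.5 encryption padding is the scheme exposed to Bleichenbacher-style padding-oracle attacks when a decryptor reveals whether unpadding failed, which is one reason OAEP is preferred for new designs.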

Key not valid for use in specified state error when using ProtectedData.Unprotect

I have a little problem in using a simple ProtectedData.Unprotect call, here's the code I'm sharing, maybe I'm missing something here.
public static byte[] SampleDecrypt(IEncrypted symmetricallyEncrypted, string base64DpapiLocalEncryptedKey)
{
    if (base64DpapiLocalEncryptedKey == null)
    {
        throw new ArgumentNullException(nameof(base64DpapiLocalEncryptedKey));
    }
    // ProtectedData.Unprotect takes the raw DPAPI blob, so decode the Base64 string first.
    byte[] protectedKey = Convert.FromBase64String(base64DpapiLocalEncryptedKey);
    byte[] unprotectedKey =
        ProtectedData.Unprotect(
            protectedKey,
            null,
            DataProtectionScope.LocalMachine);
    return unprotectedKey;
}
Where base64DpapiLocalEncryptedKey is:
"ABCCENCMnd8CFdERjHoAVV/Pl+sMAAAA4q4wemrun5a67ohPku3cIAQCCCBAAAAKKKDZgAAqAAAABADDDCvGV5W6fCNcWbb9LPZp2U3AAAYYYSBBBCgDDDDEAAAANlpDcUbBvGqMyHXk8CPtUEoBBBBlB1TtMZRC05ASxGV1/c3U548eVSPUO4X307ZDjRYytjNC35Di92q9RQAAACN//xNkexvIrGULI9GG9MdyS9Lee=="
When I run the above, it gives me "Key not valid for use in specified state".
Thank you so much in advance guys!
I've figured out the problem. DPAPI pairs the encrypted key with your machine (assuming it's encrypted using a machine scope); in my case, LocalMachine scope was used.
Thought it may help anyone out there having the same issues. Try the key on different machines to see if it works on one and not on the other, to verify that you have the wrong key.
I created a new key off of a different server and was able to use it.
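An added example, not the poster's code: a Python parser for the fixed header of a DPAPI blob, which is the check worth doing before carrying a blob between machines. The header layout (version, provider GUID, master-key GUID, flags, description) follows the commonly documented CryptProtectData blob format; the flags word records the CRYPTPROTECT_* options given at protect time. The blob in the question is redacted, so the sample blob and master-key GUID here are constructed.

```python
import base64
import struct
import uuid

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # fixed value in every DPAPI blob
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # dwFlags bit, from wincrypt.h

def parse_dpapi_header(blob):
    """Parse the leading fields of a CryptProtectData blob: dwVersion, guidProvider, dwMasterKeyVersion,
    guidMasterKey, dwFlags, dwDescriptionLen, szDescription (UTF-16LE). The algorithm ids, salt,
    ciphertext and HMAC that follow are not needed for this check."""
    if len(blob) < 48:
        raise ValueError("too short to be a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    if version != 1 or uuid.UUID(bytes_le=blob[4:20]) != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (version or provider GUID mismatch)")
    mk_version, = struct.unpack_from("<I", blob, 20)
    master_key = uuid.UUID(bytes_le=blob[24:40])  # GUIDs are stored in Windows little-endian layout
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    description = blob[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {
        "master_key_version": mk_version,
        # A master key file with this GUID as its name must exist on the host doing the unprotect
        # (under %SystemRoot%\System32\Microsoft\Protect\S-1-5-18\ for LocalMachine-scope blobs);
        # otherwise CryptUnprotectData fails with "Key not valid for use in specified state".
        "master_key_guid": str(master_key),
        "flags": flags,
        "local_machine": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
    }

def build_sample_blob_header(master_key, flags, description):
    """Constructed sample for this demo: only the header fields parsed above, with nothing after them."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le + struct.pack("<I", 1)
            + master_key.bytes_le + struct.pack("<II", flags, len(desc)) + desc)

SAMPLE_MASTER_KEY = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed, not a real key GUID
SAMPLE_BLOB_B64 = base64.b64encode(
    build_sample_blob_header(SAMPLE_MASTER_KEY, CRYPTPROTECT_LOCAL_MACHINE, "demo")).decode("ascii")

def describe(b64_blob):
    """Decode a Base64 DPAPI blob, as stored in configuration, and report its header."""
    return parse_dpapi_header(base64.b64decode(b64_blob))

if __name__ == "__main__":
    for name, value in describe(SAMPLE_BLOB_B64).items():
        print(f"{name}: {value}")
```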

How to set the current user for WebPartManager?

From what I've been reading, the following code should first ensure that a MembershipUser record exists for "ArthurDent", then set "ArthurDent" as the current user, and finally assign his MembershipUser record to the variable mUser.
if (Membership.GetUser("ArthurDent") == null)
{
Membership.CreateUser("ArthurDent", "thisisapassword");
}
FormsAuthentication.SetAuthCookie("ArthurDent", true);
MembershipUser mUser = Membership.GetUser();
Instead, the variable mUser remains null.
My goal is to programmatically set the current user to a valid record so that I can set a WebPartManager.DisplayMode on a page that started erroring out when I added BlogEngine to my web site.
This problem generally occurs when the application breaks a rule defined in the web.config file. For instance I ran your code in my local environment using Windows Authentication and CreateUser at first failed because the password string was of insufficient length. I padded the password with additional characters and was able to create user with the supplied code. Check the section to examine password prerequisites.
Upon first examination this looks like a configuration problem.
The answer is that BlogEngine actively suppresses the normal workings of Page.User.Identity, which Membership.GetUser() retrieves. When I replaced FormsAuthentication.SetAuthCookie with the following code from BlogEngine...
Security.AuthenticateUser("ArthurDent", "thisisapassword", true);
... it authenticated Arthur and logged him in.

Sample X509Certificate2 RawData to use for unit tests?

I'm working on some RSA encryption/decryption unit tests and all of my functions require some certificates. I'm using dependency injection for these certs so for my unit tests, I'd like to just get some sample dummy (but functional) certificate to test my encryption/decryption library. I'd like to do this by hardcoding the RawData of valid certificate in my unit tests' SetUp method.
Where can I find something like this to put into my unit tests' SetUp method? Or how can I create this and pull this "raw data"? I'm not sure exactly what this "RawData" is. If somebody has something posted online (which would obviously be insecure, which is fine for my unit testing purposes), that would be preferable (from a lazy perspective) but I'm fine generating a cert and pulling this data as well.
Use .Export() instead of .RawData
When the X509Certificate2 has a private key within you can call:
var certBytes = certificateWithPrivateKey.Export(X509ContentType.Pkcs12);
Which returns a byte[] similar to .RawData, but it keeps the private key.
To store this in a unit test, you could just have a const string as Base64 of that data. Which you would get from:
var certAsString = Convert.ToBase64String(certBytes);
You can restore the key from this byte[] by constructing a X509Certificate2 with it:
var certificateCopy = new X509Certificate2(certBytes);
// Or from the string:
var certificateCopy2 = new X509Certificate2(Convert.FromBase64String(certAsString));
I don't understand it but this is what's going on...
I have a helper method that I call:
var cert = X509CertificateHelper.LoadCertificate(StoreName.My, StoreLocation.LocalMachine, "thumbprintgoeshere");
When I call this, cert is successfully populated and even HasPrivateKey is true. However, if I then do the following:
var cert2 = new X509Certificate2(cert.RawData);
then the resulting cert2 certificate, which is also what appears to be a valid certificate, has HasPrivateKey set to false. It appears that the RawData property "strips" out the private key (and yes, it's exportable - I have no problems creating a .pfx w/private key and importing it on another system and reproducing this behavior).
Now that I've discovered all of this, my solution is no longer to hardcode the RawData but instead to actually load up a certificate out of the certificate store - exactly what I was trying to avoid doing. If somebody has a better idea, please lay it on me. But until then, I'm calling this a failure and this is my end result. :-(
