Remove Bouncy Castle dependency when targeting .NET 8 et al. (#3844)

Author: teo-tsirpanis

extensions/src/AWSSDK.Extensions.CloudFront.Signers/AWSSDK.Extensions.CloudFront.Signers.NetStandard.csproj

@@ -33,7 +33,7 @@
 	  </PropertyGroup>
 	</Otherwise>
   </Choose>
-  <ItemGroup>
+  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' OR '$(TargetFramework)' == 'netcoreapp3.1'">
     <PackageReference Include="BouncyCastle.Cryptography" Version="2.4.0" />
   </ItemGroup>
   <ItemGroup>

extensions/src/AWSSDK.Extensions.CloudFront.Signers/AWSSDK.Extensions.CloudFront.Signers.nuspec

@@ -3,7 +3,7 @@
   <metadata> 
     <id>AWSSDK.Extensions.CloudFront.Signers</id>
     <title>AWSSDK - Extensions for AWS CloudFront</title>
-    <version>4.0.0.0</version>
+    <version>4.0.0.1</version>
     <authors>Amazon Web Services</authors>
 	<description>This package contains extension methods for creating signed URLs for Amazon CloudFront distributions and for creating signed cookies for Amazon CloudFront distributions using canned or custom policies.</description>
     <language>en-US</language>
@@ -30,7 +30,6 @@
       <group targetFramework="net8.0">
         <dependency id="AWSSDK.Core" version="4.0.0.0" />
         <dependency id="AWSSDK.CloudFront" version="4.0.0.0" />
-        <dependency id="BouncyCastle.Cryptography" version="2.4.0" />
       </group>
     </dependencies>
   </metadata> 

extensions/src/AWSSDK.Extensions.CloudFront.Signers/AmazonCloudFrontCookieSigner.cs

@@ -15,15 +15,10 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using System.Security.Cryptography;
 using System.Text;
 
-using Amazon.CloudFront.Model;
-using Amazon.Runtime;
 using Amazon.Util;
 
-using System.Globalization;
-
 namespace Amazon.CloudFront
 {
     /// <summary>
@@ -159,12 +154,11 @@ public static CookiesForCannedPolicy GetCookiesForCannedPolicy(string resourceUr
             cookies.Expires = new KeyValuePair<string, string>(
                 ExpiresKey, epochSeconds);
 
-            RSAParameters rsaParameters = AmazonCloudFrontUrlSigner.ConvertPEMToRSAParameters(privateKey);
             string cannedPolicy = "{\"Statement\":[{\"Resource\":\"" + resourceUrlOrPath
                     + "\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":" + epochSeconds
                     + "}}}]}";
             byte[] signatureBytes = AmazonCloudFrontUrlSigner.SignWithSha1RSA(
-                UTF8Encoding.UTF8.GetBytes(cannedPolicy), rsaParameters);
+                UTF8Encoding.UTF8.GetBytes(cannedPolicy), privateKey);
             string urlSafeSignature = AmazonCloudFrontUrlSigner.MakeBytesUrlSafe(signatureBytes);
             cookies.Signature = new KeyValuePair<string, string>(SignatureKey, urlSafeSignature);
 
@@ -252,9 +246,8 @@ public static CookiesForCustomPolicy GetCookiesForCustomPolicy(string resourceUr
             var base64EncodedPolicy = AmazonCloudFrontUrlSigner.MakeStringUrlSafe(policy);
             cookies.Policy = new KeyValuePair<string, string>(PolicyKey, base64EncodedPolicy);
 
-            RSAParameters rsaParameters = AmazonCloudFrontUrlSigner.ConvertPEMToRSAParameters(privateKey);
             byte[] signatureBytes = AmazonCloudFrontUrlSigner.SignWithSha1RSA(
-                UTF8Encoding.UTF8.GetBytes(policy), rsaParameters);
+                Encoding.UTF8.GetBytes(policy), privateKey);
             string urlSafeSignature = AmazonCloudFrontUrlSigner.MakeBytesUrlSafe(signatureBytes);
             cookies.Signature = new KeyValuePair<string, string>(SignatureKey, urlSafeSignature);
 

extensions/src/AWSSDK.Extensions.CloudFront.Signers/AmazonCloudFrontUrlSigner.cs

@@ -12,19 +12,19 @@
  * express or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
+
 using System;
-using System.Collections.Generic;
 using System.IO;
 using System.Security.Cryptography;
 using System.Text;
-using Amazon.CloudFront.Model;
 using Amazon.Runtime;
 using Amazon.Util;
+#if !NET
 using Org.BouncyCastle.OpenSsl;
-using System.Globalization;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Security;
+#endif
 
 #pragma warning disable 1591
 
@@ -266,8 +266,7 @@ public static string SignUrl(string resourceUrlOrPath, string keyPairId, FileInf
         /// <returns>A signed URL that will permit access to distribution and S3 objects as specified in the policy document.</returns>
         public static string SignUrl(string resourceUrlOrPath, string keyPairId, TextReader privateKey, string policy)
         {
-            RSAParameters rsaParameters = ConvertPEMToRSAParameters(privateKey);
-            byte[] signatureBytes = SignWithSha1RSA(UTF8Encoding.UTF8.GetBytes(policy), rsaParameters);
+            byte[] signatureBytes = SignWithSha1RSA(Encoding.UTF8.GetBytes(policy), privateKey);
 
             string urlSafePolicy = MakeStringUrlSafe(policy);
             string urlSafeSignature = MakeBytesUrlSafe(signatureBytes);
@@ -330,11 +329,10 @@ public static String SignUrlCanned(string resourceUrlOrPath,
                                            DateTime expiresOn)
         {
             string epochSeconds = AWSSDKUtils.ConvertToUnixEpochSecondsString(expiresOn);
-            RSAParameters rsaParameters = ConvertPEMToRSAParameters(privateKey);
             string cannedPolicy = "{\"Statement\":[{\"Resource\":\"" + resourceUrlOrPath
                     + "\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":" + epochSeconds
                     + "}}}]}";
-            byte[] signatureBytes = SignWithSha1RSA(UTF8Encoding.UTF8.GetBytes(cannedPolicy), rsaParameters);
+            byte[] signatureBytes = SignWithSha1RSA(Encoding.UTF8.GetBytes(cannedPolicy), privateKey);
 
             string urlSafeSignature = MakeBytesUrlSafe(signatureBytes);
 
@@ -503,20 +501,23 @@ private static string GenerateResourcePath(Protocol protocol,
         /// Signs the data given with the private key given, using the SHA1withRSA
         /// algorithm provided by bouncy castle.
         /// </summary>
-        internal static byte[] SignWithSha1RSA(byte[] dataToSign, RSAParameters rsaParameters)
+        internal static byte[] SignWithSha1RSA(byte[] dataToSign, TextReader privateKey)
         {
-            using (SHA1 cryptoSHA1 = GetSHA1Provider())
+            using (SHA1 cryptoSHA1 = SHA1.Create())
+            using (RSA rsa = RSA.Create())
             {
-                var providerRSA = RSA.Create();
-                providerRSA.ImportParameters(rsaParameters);
+                ImportRSAFromPem(rsa, privateKey);
 
                 byte[] hashedData = cryptoSHA1.ComputeHash(dataToSign);
-                return GetRSAPKCS1SignatureFromSHA1(hashedData, providerRSA);
+                return GetRSAPKCS1SignatureFromSHA1(hashedData, rsa);
             }
         }
 
-        internal static RSAParameters ConvertPEMToRSAParameters(TextReader privateKeyReader)
+        private static void ImportRSAFromPem(RSA rsa, TextReader privateKeyReader)
         {
+#if NET
+            rsa.ImportFromPem(privateKeyReader.ReadToEnd());
+#else
             RSAParameters rsaParams;
             try
             {
@@ -543,15 +544,7 @@ internal static RSAParameters ConvertPEMToRSAParameters(TextReader privateKeyRea
             {
                 throw new AmazonClientException("Invalid RSA Private Key", e);
             }
-            return rsaParams;
-        }
-
-        private static SHA1 GetSHA1Provider()
-        {
-#if NETSTANDARD
-            return SHA1.Create();
-#else
-            return new SHA1CryptoServiceProvider();
+            rsa.ImportParameters(rsaParams);
 #endif
         }
 
@@ -567,4 +560,4 @@ private static byte[] GetRSAPKCS1SignatureFromSHA1(byte[] hashedData, RSA provid
 #endif
         }
     }
-}
+}

extensions/src/AWSSDK.Extensions.EC2.DecryptPassword/AWSSDK.Extensions.EC2.DecryptPassword.NetStandard.csproj

@@ -32,7 +32,7 @@
 		</PropertyGroup>
 	  </Otherwise>
   </Choose>
-  <ItemGroup>
+  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' OR '$(TargetFramework)' == 'netcoreapp3.1'">
 	<PackageReference Include="BouncyCastle.Cryptography" Version="2.4.0" />
   </ItemGroup>
   <ItemGroup>

extensions/src/AWSSDK.Extensions.EC2.DecryptPassword/AWSSDK.Extensions.EC2.DecryptPassword.nuspec

@@ -3,7 +3,7 @@
   <metadata> 
     <id>AWSSDK.Extensions.EC2.DecryptPassword</id>
     <title>AWSSDK - Extensions for AWS EC2</title>
-    <version>4.0.0.0</version>
+    <version>4.0.0.1</version>
     <authors>Amazon Web Services</authors>
     <description>Extensions for the AWS EC2 to get the decrypted password for an EC2 instance.</description>
     <language>en-US</language>
@@ -30,7 +30,6 @@
       <group targetFramework="net8.0">
         <dependency id="AWSSDK.Core" version="4.0.0.0" />
         <dependency id="AWSSDK.EC2" version="4.0.0.0" />
-        <dependency id="BouncyCastle.Cryptography" version="2.4.0" />
       </group>
     </dependencies>
   </metadata> 

extensions/src/AWSSDK.Extensions.EC2.DecryptPassword/GetPasswordDataResponseExtensions.cs

@@ -12,21 +12,19 @@
  * express or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
+
 using System;
-using System.Collections.Generic;
-using System.Xml.Serialization;
+using System.Security.Cryptography;
 using System.Text;
-
-using Amazon.EC2;
+#if !NET
 using Amazon.Runtime;
 using System.IO;
-using System.Security.Cryptography;
-using Org.BouncyCastle.OpenSsl;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Parameters;
-using System.Runtime.CompilerServices;
-using System.Diagnostics;
+using Org.BouncyCastle.OpenSsl;
 using Org.BouncyCastle.Security;
+#endif
+
 namespace Amazon.EC2.Model
 {
     /// <summary>
@@ -43,6 +41,10 @@ public static class GetPasswordDataResponseExtensions
         /// <returns>The decrypted password</returns>
         public static string GetDecryptedPassword(this GetPasswordDataResponse getPasswordDataResponse, string rsaPrivateKey)
         {
+            RSA rsa = RSA.Create();
+#if NET
+            rsa.ImportFromPem(rsaPrivateKey.AsSpan().Trim());
+#else
             RSAParameters rsaParams;
             try
             {
@@ -69,12 +71,11 @@ public static string GetDecryptedPassword(this GetPasswordDataResponse getPasswo
             {
                 throw new AmazonEC2Exception("Invalid RSA Private Key", e);
             }
-
-            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
             rsa.ImportParameters(rsaParams);
+#endif
 
             byte[] encryptedBytes = Convert.FromBase64String(getPasswordDataResponse.PasswordData);
-            var decryptedBytes = rsa.Decrypt(encryptedBytes, false);
+            var decryptedBytes = rsa.Decrypt(encryptedBytes, RSAEncryptionPadding.Pkcs1);
 
             string decrypted = Encoding.UTF8.GetString(decryptedBytes);
             return decrypted;

extensions/test/CloudFront.SignersTests/CloudFront.Signers.Tests.NetStandard.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
 	<TargetFrameworks>netcoreapp3.1;net8.0</TargetFrameworks>
 	<AssemblyName>CloudFront.SignersTests</AssemblyName>
@@ -13,7 +13,6 @@
 	<GenerateAssemblyFileVersionAttribute>false</GenerateAssemblyFileVersionAttribute>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="BouncyCastle.Cryptography" Version="2.4.0" />
 	<PackageReference Include="xunit" Version="2.4.2" />
 	<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5" />
   </ItemGroup>

extensions/test/EC2.DecryptPasswordTests/EC2.DecryptPassword.NetStandard.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFrameworks>netcoreapp3.1;net8.0</TargetFrameworks>
     <AssemblyName>EC2.DecryptPasswordTests</AssemblyName>
@@ -14,7 +14,6 @@
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="BouncyCastle.Cryptography" Version="2.4.0" />
 	<PackageReference Include="xunit" Version="2.4.2" />
 	<PackageReference Include="xunit.runner.visualstudio" Version="2.4.5" />
   </ItemGroup>