span data protector unprotect

Author: DeagleGross

src/DataProtection/Abstractions/src/ISpanDataProtector.cs

@@ -18,9 +18,9 @@ public interface ISpanDataProtector : IDataProtector
     /// <summary>
     /// Determines the size of the protected data in order to then use <see cref="TryProtect(ReadOnlySpan{byte}, Span{byte}, out int)"/>."/>.
     /// </summary>
-    /// <param name="plainText">The plain text that will be encrypted later</param>
+    /// <param name="plainTextLength">The plain text length which will be encrypted later.</param>
     /// <returns>The size of the protected data.</returns>
-    int GetProtectedSize(ReadOnlySpan<byte> plainText);
+    int GetProtectedSize(int plainTextLength);
 
     /// <summary>
     /// Returns the size of the decrypted data for a given ciphertext length.
@@ -42,12 +42,8 @@ public interface ISpanDataProtector : IDataProtector
     /// Attempts to validate the authentication tag of and decrypt a blob of encrypted data.
     /// </summary>
     /// <param name="cipherText">The encrypted data to decrypt.</param>
-    /// <param name="additionalAuthenticatedData">
-    /// A piece of data which was included in the authentication tag during encryption.
-    /// This input may be zero bytes in length. The same AAD must be specified in the corresponding encryption call.
-    /// </param>
     /// <param name="destination">The decrypted output.</param>
     /// <param name="bytesWritten">When this method returns, the total number of bytes written into destination</param>
     /// <returns>true if decryption was successful; otherwise, false.</returns>
-    bool TryUnprotect(ReadOnlySpan<byte> cipherText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
+    bool TryUnprotect(ReadOnlySpan<byte> cipherText, Span<byte> destination, out int bytesWritten);
 }

src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt

@@ -1,6 +1,6 @@
 #nullable enable
 Microsoft.AspNetCore.DataProtection.ISpanDataProtector
-Microsoft.AspNetCore.DataProtection.ISpanDataProtector.GetProtectedSize(System.ReadOnlySpan<byte> plainText) -> int
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.GetProtectedSize(int plainTextLength) -> int
 Microsoft.AspNetCore.DataProtection.ISpanDataProtector.GetUnprotectedSize(int cipherTextLength) -> int
 Microsoft.AspNetCore.DataProtection.ISpanDataProtector.TryProtect(System.ReadOnlySpan<byte> plainText, System.Span<byte> destination, out int bytesWritten) -> bool
-Microsoft.AspNetCore.DataProtection.ISpanDataProtector.TryUnprotect(System.ReadOnlySpan<byte> cipherText, System.ReadOnlySpan<byte> additionalAuthenticatedData, System.Span<byte> destination, out int bytesWritten) -> bool
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.TryUnprotect(System.ReadOnlySpan<byte> cipherText, System.Span<byte> destination, out int bytesWritten) -> bool

src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs

@@ -89,19 +89,6 @@ protected static string JoinPurposesForLog(IEnumerable<string> purposes)
         return "(" + String.Join(", ", purposes.Select(p => "'" + p + "'")) + ")";
     }
 
-    // allows decrypting payloads whose keys have been revoked
-    public byte[] DangerousUnprotect(byte[] protectedData, bool ignoreRevocationErrors, out bool requiresMigration, out bool wasRevoked)
-    {
-        // argument & state checking
-        ArgumentNullThrowHelper.ThrowIfNull(protectedData);
-
-        UnprotectStatus status;
-        var retVal = UnprotectCore(protectedData, ignoreRevocationErrors, status: out status);
-        requiresMigration = (status != UnprotectStatus.Ok);
-        wasRevoked = (status == UnprotectStatus.DecryptionKeyWasRevoked);
-        return retVal;
-    }
-
     public byte[] Protect(byte[] plaintext)
     {
         ArgumentNullThrowHelper.ThrowIfNull(plaintext);
@@ -152,7 +139,7 @@ public byte[] Protect(byte[] plaintext)
         }
     }
 
-    private static Guid ReadGuid(void* ptr)
+    protected static Guid ReadGuid(void* ptr)
     {
 #if NETCOREAPP
         // Performs appropriate endianness fixups
@@ -165,15 +152,7 @@ private static Guid ReadGuid(void* ptr)
 #endif
     }
 
-    private static uint ReadBigEndian32BitInteger(byte* ptr)
-    {
-        return ((uint)ptr[0] << 24)
-            | ((uint)ptr[1] << 16)
-            | ((uint)ptr[2] << 8)
-            | ((uint)ptr[3]);
-    }
-
-    private static bool TryGetVersionFromMagicHeader(uint magicHeader, out int version)
+    protected static bool TryGetVersionFromMagicHeader(uint magicHeader, out int version)
     {
         const uint MAGIC_HEADER_VERSION_MASK = 0xFU;
         if ((magicHeader & ~MAGIC_HEADER_VERSION_MASK) == MAGIC_HEADER_V0)
@@ -199,14 +178,26 @@ public byte[] Unprotect(byte[] protectedData)
             wasRevoked: out _);
     }
 
+    // allows decrypting payloads whose keys have been revoked
+    public byte[] DangerousUnprotect(byte[] protectedData, bool ignoreRevocationErrors, out bool requiresMigration, out bool wasRevoked)
+    {
+        // argument & state checking
+        ArgumentNullThrowHelper.ThrowIfNull(protectedData);
+
+        UnprotectStatus status;
+        var retVal = UnprotectCore(protectedData, ignoreRevocationErrors, status: out status);
+        requiresMigration = (status != UnprotectStatus.Ok);
+        wasRevoked = (status == UnprotectStatus.DecryptionKeyWasRevoked);
+        return retVal;
+    }
+
     private byte[] UnprotectCore(byte[] protectedData, bool allowOperationsOnRevokedKeys, out UnprotectStatus status)
     {
         Debug.Assert(protectedData != null);
 
         try
         {
-            // argument & state checking
-            if (protectedData.Length < sizeof(uint) /* magic header */ + sizeof(Guid) /* key id */)
+            if (protectedData.Length < _magicHeaderKeyIdSize)
             {
                 // payload must contain at least the magic header and key id
                 throw Error.ProtectionProvider_BadMagicHeader();
@@ -215,17 +206,15 @@ private byte[] UnprotectCore(byte[] protectedData, bool allowOperationsOnRevoked
             // Need to check that protectedData := { magicHeader || keyId || encryptorSpecificProtectedPayload }
 
             // Parse the payload version number and key id.
-            uint magicHeaderFromPayload;
+            var magicHeaderFromPayload = BinaryPrimitives.ReadUInt32BigEndian(protectedData.AsSpan(0, sizeof(uint)));
             Guid keyIdFromPayload;
             fixed (byte* pbInput = protectedData)
             {
-                magicHeaderFromPayload = ReadBigEndian32BitInteger(pbInput);
                 keyIdFromPayload = ReadGuid(&pbInput[sizeof(uint)]);
             }
 
             // Are the magic header and version information correct?
-            int payloadVersion;
-            if (!TryGetVersionFromMagicHeader(magicHeaderFromPayload, out payloadVersion))
+            if (!TryGetVersionFromMagicHeader(magicHeaderFromPayload, out var payloadVersion))
             {
                 throw Error.ProtectionProvider_BadMagicHeader();
             }

src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedSpanDataProtector.cs

@@ -19,7 +19,7 @@ public KeyRingBasedSpanDataProtector(IKeyRingProvider keyRingProvider, ILogger?
     {
     }
 
-    public int GetProtectedSize(ReadOnlySpan<byte> plainText)
+    public int GetProtectedSize(int plainTextLength)
     {
         // Get the current key ring to access the encryptor
         var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
@@ -28,7 +28,7 @@ public int GetProtectedSize(ReadOnlySpan<byte> plainText)
 
         // We allocate a 20-byte pre-buffer so that we can inject the magic header and key id into the return value.
         // See Protect() / TryProtect() for details
-        return _magicHeaderKeyIdSize + defaultEncryptor.GetEncryptedSize(plainText.Length);
+        return _magicHeaderKeyIdSize + defaultEncryptor.GetEncryptedSize(plainTextLength);
     }
 
     public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, out int bytesWritten)
@@ -83,4 +83,106 @@ public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, out
             throw Error.Common_EncryptionFailed(ex);
         }
     }
+
+    public int GetUnprotectedSize(int cipherTextLength)
+    {
+        // The ciphertext includes the magic header and key id, so we need to subtract those
+        if (cipherTextLength < _magicHeaderKeyIdSize)
+        {
+            throw Error.ProtectionProvider_BadMagicHeader();
+        }
+
+        var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+        var defaultEncryptor = (ISpanAuthenticatedEncryptor)currentKeyRing.DefaultAuthenticatedEncryptor!;
+        CryptoUtil.Assert(defaultEncryptor != null, "DefaultAuthenticatedEncryptor != null");
+
+        return defaultEncryptor.GetDecryptedSize(cipherTextLength - _magicHeaderKeyIdSize);
+    }
+
+    public bool TryUnprotect(ReadOnlySpan<byte> cipherText, Span<byte> destination, out int bytesWritten)
+    {
+        try
+        {
+            if (cipherText.Length < _magicHeaderKeyIdSize)
+            {
+                // payload must contain at least the magic header and key id
+                throw Error.ProtectionProvider_BadMagicHeader();
+            }
+
+            // Parse the payload version number and key id.
+            var magicHeaderFromPayload = BinaryPrimitives.ReadUInt32BigEndian(cipherText.Slice(0, sizeof(uint)));
+#if NET10_0_OR_GREATER
+            var keyIdFromPayload = new Guid(cipherText.Slice(sizeof(uint), sizeof(Guid)));
+#else
+            Guid keyIdFromPayload;
+            fixed (byte* pbCipherText = cipherText)
+            {
+                keyIdFromPayload = ReadGuid(&pbCipherText[sizeof(uint)]);
+            }
+#endif
+
+            // Are the magic header and version information correct?
+            if (!TryGetVersionFromMagicHeader(magicHeaderFromPayload, out var payloadVersion))
+            {
+                throw Error.ProtectionProvider_BadMagicHeader();
+            }
+            else if (payloadVersion != 0)
+            {
+                throw Error.ProtectionProvider_BadVersion();
+            }
+
+            if (_logger.IsDebugLevelEnabled())
+            {
+                _logger.PerformingUnprotectOperationToKeyWithPurposes(keyIdFromPayload, JoinPurposesForLog(Purposes));
+            }
+
+            // Find the correct encryptor in the keyring.
+            var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+            var requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out bool keyWasRevoked);
+            if (requestedEncryptor is null)
+            {
+                if (_keyRingProvider is KeyRingProvider provider && provider.InAutoRefreshWindow())
+                {
+                    currentKeyRing = provider.RefreshCurrentKeyRing();
+                    requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out keyWasRevoked);
+                }
+
+                if (requestedEncryptor is null)
+                {
+                    if (_logger.IsTraceLevelEnabled())
+                    {
+                        _logger.KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(keyIdFromPayload);
+                    }
+                    bytesWritten = 0;
+                    return false;
+                }
+            }
+
+            // Check if key was revoked - for simplified version, we disallow revoked keys
+            if (keyWasRevoked)
+            {
+                if (_logger.IsDebugLevelEnabled())
+                {
+                    _logger.KeyWasRevokedUnprotectOperationCannotProceed(keyIdFromPayload);
+                }
+                bytesWritten = 0;
+                return false;
+            }
+
+            // Perform the decryption operation.
+            ReadOnlySpan<byte> actualCiphertext = cipherText.Slice(sizeof(uint) + sizeof(Guid)); // chop off magic header + encryptor id
+            ReadOnlySpan<byte> aad = _aadTemplate.GetAadForKey(keyIdFromPayload, isProtecting: false);
+
+            // At this point, actualCiphertext := { encryptorSpecificPayload },
+            // so all that's left is to invoke the decryption routine directly.
+            var spanEncryptor = (ISpanAuthenticatedEncryptor)requestedEncryptor;
+            return spanEncryptor.TryDecrypt(actualCiphertext, aad, destination, out bytesWritten);
+
+        }
+        catch (Exception ex) when (ex.RequiresHomogenization())
+        {
+            // homogenize all errors to CryptographicException
+            throw Error.DecryptionFailed(ex);
+        }
+    }
 }

src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs

@@ -70,4 +70,61 @@ public static void AssertTryEncryptTryDecryptParity(IAuthenticatedEncryptor encr
             ArrayPool<byte>.Shared.Return(plainTextPooled);
         }
     }
+
+    /// <summary>
+    /// <see cref="ISpanDataProtector.TryProtect"/> and <see cref="ISpanDataProtector.TryUnprotect"/> APIs should do the same steps
+    /// as <see cref="IDataProtector.Protect"/> and <see cref="IDataProtector.Unprotect"/> APIs.
+    /// <br/>
+    /// Method ensures that the two APIs are equivalent in terms of their behavior by performing a roundtrip protect-unprotect test.
+    /// </summary>
+    public static void AssertTryProtectTryUnprotectParity(ISpanDataProtector protector, ReadOnlySpan<byte> plaintext)
+    {
+        // assert "allocatey" Protect/Unprotect APIs roundtrip correctly
+        byte[] protectedData = protector.Protect(plaintext.ToArray());
+        byte[] unprotectedData = protector.Unprotect(protectedData);
+        Assert.Equal(plaintext, unprotectedData.AsSpan());
+
+        // assert calculated sizes are correct
+        var expectedProtectedSize = protector.GetProtectedSize(plaintext.Length);
+        Assert.Equal(expectedProtectedSize, protectedData.Length);
+        var expectedUnprotectedSize = protector.GetUnprotectedSize(protectedData.Length);
+
+        // note: for unprotection we can't know exactly how many bytes will be written since it's the original plaintext
+        Assert.True(expectedUnprotectedSize >= unprotectedData.Length);
+
+        // perform TryProtect and Unprotect roundtrip - ensures cross operation compatibility
+        var protectedPooled = ArrayPool<byte>.Shared.Rent(expectedProtectedSize);
+        try
+        {
+            var tryProtectResult = protector.TryProtect(plaintext, protectedPooled, out var bytesWritten);
+            Assert.Equal(expectedProtectedSize, bytesWritten);
+            Assert.True(tryProtectResult);
+
+            var unprotectedTryProtect = protector.Unprotect(protectedPooled.AsSpan(0, expectedProtectedSize).ToArray());
+            Assert.Equal(plaintext, unprotectedTryProtect.AsSpan());
+        }
+        finally
+        {
+            ArrayPool<byte>.Shared.Return(protectedPooled);
+        }
+
+        // perform Protect and TryUnprotect roundtrip - ensures cross operation compatibility
+        // Note: This test is limited because we can't easily access the correct AAD from outside the protector
+        // But we can test basic functionality with empty AAD and expect it to fail gracefully
+        var unprotectedPooled = ArrayPool<byte>.Shared.Rent(expectedUnprotectedSize);
+        try
+        {
+            var protectedByProtect = protector.Protect(plaintext.ToArray());
+            var unprotectedTryUnprotect = protector.TryUnprotect(protectedByProtect, unprotectedPooled, out var bytesWritten);
+            Assert.Equal(plaintext, unprotectedPooled.AsSpan(0, bytesWritten));
+            Assert.True(unprotectedTryUnprotect);
+
+            // now we should know that bytesWritten is STRICTLY equal to the deciphered text
+            Assert.Equal(unprotectedData.Length, bytesWritten);
+        }
+        finally
+        {
+            ArrayPool<byte>.Shared.Return(unprotectedPooled);
+        }
+    }
 }