Implement non-windows data protection

webprofusion-chrisc · webprofusion-chrisc · commit 06e6ce46f3a1 · 2024-11-19T19:28:55.000+08:00
diff --git a/src/Certify.Shared/Management/CredentialsUtil.cs b/src/Certify.Shared/Management/CredentialsUtil.cs
@@ -1,11 +1,14 @@
 ﻿using System;
 using System.Diagnostics;
+using System.IO;
 using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
+using Certify.Models;
 using Certify.Providers;
+using Microsoft.AspNetCore.DataProtection;
 
 namespace Certify.Management
 {
@@ -52,6 +55,7 @@ public static string Protect(
 
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
+                // protect using DAPI
                 if (scope == null)
                 {
                     scope = DataProtectionScope.CurrentUser;
@@ -66,13 +70,12 @@ public static string Protect(
             }
             else
             {
-#if RELEASE
-                Trace.Assert(true, "Using dummy encryption, not suitable for production use.");
-#endif
-                Trace.WriteLine("Using dummy encryption, not suitable for production use.");
+                // protect using platform data protection provider
 
-                // TODO: dummy implementation, require alternative implementation for non-windows
-                return Convert.ToBase64String(Encoding.UTF8.GetBytes(clearText).Reverse().ToArray());
+                var protector = GetDataProtector();
+                var clearBytes = Encoding.UTF8.GetBytes(clearText);
+                var protectedBytes = protector.Protect(clearBytes);
+                return Convert.ToBase64String(protectedBytes);
             }
         }
 
@@ -111,11 +114,19 @@ public static string Unprotect(
             }
             else
             {
-                Debug.WriteLine("Using dummy encryption, not suitable for production use.");
-                // TODO: dummy implementation, implement alternative implementation for non-windows
-                var bytes = Convert.FromBase64String(encryptedText);
-                return Encoding.UTF8.GetString(bytes.Reverse().ToArray());
+                // protect using platform data protection provider
+                var protector = GetDataProtector();
+                var encryptedBytes = Convert.FromBase64String(encryptedText);
+                var clearBytes = protector.Unprotect(encryptedBytes);
+                return Encoding.UTF8.GetString(clearBytes);
             }
         }
+
+        private static IDataProtector GetDataProtector()
+        {
+            var keyDirectory = EnvironmentUtil.CreateAppDataPath("credentials");
+            var dataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(keyDirectory));
+            return dataProtectionProvider.CreateProtector("StoredCredentials");
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,14 @@`
`1`	`1`	`using System;`
`2`	`2`	`using System.Diagnostics;`
	`3`	`+using System.IO;`
`3`	`4`	`using System.Linq;`
`4`	`5`	`using System.Runtime.InteropServices;`
`5`	`6`	`using System.Security.Cryptography;`
`6`	`7`	`using System.Text;`
`7`	`8`	`using System.Threading.Tasks;`
	`9`	`+using Certify.Models;`
`8`	`10`	`using Certify.Providers;`
	`11`	`+using Microsoft.AspNetCore.DataProtection;`
`9`	`12`
`10`	`13`	`namespace Certify.Management`
`11`	`14`	`{`
`@@ -52,6 +55,7 @@ public static string Protect(`
`52`	`55`
`53`	`56`	`if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))`
`54`	`57`	`{`
	`58`	`+ // protect using DAPI`
`55`	`59`	`if (scope == null)`
`56`	`60`	`{`
`57`	`61`	`scope = DataProtectionScope.CurrentUser;`
`@@ -66,13 +70,12 @@ public static string Protect(`
`66`	`70`	`}`
`67`	`71`	`else`
`68`	`72`	`{`
`69`		`-#if RELEASE`
`70`		`- Trace.Assert(true, "Using dummy encryption, not suitable for production use.");`
`71`		`-#endif`
`72`		`- Trace.WriteLine("Using dummy encryption, not suitable for production use.");`
	`73`	`+ // protect using platform data protection provider`
`73`	`74`
`74`		`- // TODO: dummy implementation, require alternative implementation for non-windows`
`75`		`- return Convert.ToBase64String(Encoding.UTF8.GetBytes(clearText).Reverse().ToArray());`
	`75`	`+ var protector = GetDataProtector();`
	`76`	`+ var clearBytes = Encoding.UTF8.GetBytes(clearText);`
	`77`	`+ var protectedBytes = protector.Protect(clearBytes);`
	`78`	`+ return Convert.ToBase64String(protectedBytes);`
`76`	`79`	`}`
`77`	`80`	`}`
`78`	`81`
`@@ -111,11 +114,19 @@ public static string Unprotect(`
`111`	`114`	`}`
`112`	`115`	`else`
`113`	`116`	`{`
`114`		`- Debug.WriteLine("Using dummy encryption, not suitable for production use.");`
`115`		`- // TODO: dummy implementation, implement alternative implementation for non-windows`
`116`		`- var bytes = Convert.FromBase64String(encryptedText);`
`117`		`- return Encoding.UTF8.GetString(bytes.Reverse().ToArray());`
	`117`	`+ // protect using platform data protection provider`
	`118`	`+ var protector = GetDataProtector();`
	`119`	`+ var encryptedBytes = Convert.FromBase64String(encryptedText);`
	`120`	`+ var clearBytes = protector.Unprotect(encryptedBytes);`
	`121`	`+ return Encoding.UTF8.GetString(clearBytes);`
`118`	`122`	`}`
`119`	`123`	`}`
	`124`	`+`
	`125`	`+ private static IDataProtector GetDataProtector()`
	`126`	`+ {`
	`127`	`+ var keyDirectory = EnvironmentUtil.CreateAppDataPath("credentials");`
	`128`	`+ var dataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(keyDirectory));`
	`129`	`+ return dataProtectionProvider.CreateProtector("StoredCredentials");`
	`130`	`+ }`
`120`	`131`	`}`
`121`	`132`	`}`