brendanmckenzie/Pkcs12ProtectedConfigurationProvider.cs

## Pkcs12ProtectedConfigurationProvider.cs
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

namespace MyApp.Core.Security
{
    /// <summary>
    /// Class Pkcs12ProtectedConfigurationProvider.
    /// </summary>
    /// <seealso cref="ProtectedConfigurationProvider" />
    public class Pkcs12ProtectedConfigurationProvider : ProtectedConfigurationProvider
    {
        private string thumbprint;
        private StoreLocation storeLocation;

        /// <summary>
        /// Decrypts the XML node passed to it.
        /// </summary>
        /// <param name="encryptedNode">The XmlNode to decrypt.</param>
        /// <returns></returns>
        public override XmlNode Decrypt(XmlNode encryptedNode)
        {
            var document = new XmlDocument();

            // Get the RSA private key.  This key will decrypt
            // a symmetric key that was embedded in the XML document.
            var cryptoServiceProvider = GetCryptoServiceProvider(false);
            document.PreserveWhitespace = true;
            document.LoadXml(encryptedNode.OuterXml);
            var xml = new EncryptedXml(document);

            // Add a key-name mapping.This method can only decrypt documents
            // that present the specified key name.
            xml.AddKeyNameMapping("rsaKey", cryptoServiceProvider);
            xml.DecryptDocument();
            cryptoServiceProvider.Clear();
            return document.DocumentElement;
        }

        /// <summary>
        /// Encrypts the XML node passed to it.
        /// </summary>
        /// <param name="node">The XmlNode to encrypt.</param>
        /// <returns></returns>
        public override XmlNode Encrypt(XmlNode node)
        {
            // Get the RSA public key to encrypt the node. This key will encrypt
            // a symmetric key, which will then be encryped in the XML document.
            var cryptoServiceProvider = GetCryptoServiceProvider(true);

            // Create an XML document and load the node to be encrypted in it.
            var document = new XmlDocument();
            document.PreserveWhitespace = true;
            document.LoadXml("<Data>" + node.OuterXml + "</Data>");

            // Create a new instance of the EncryptedXml class
            // and use it to encrypt the XmlElement with the
            // a new random symmetric key.
            var xml = new EncryptedXml(document);
            var documentElement = document.DocumentElement;
            SymmetricAlgorithm symmetricAlgorithm = new RijndaelManaged
            {

                // Create a 192 bit random key.
                Key = GetRandomKey()
            };
            symmetricAlgorithm.GenerateIV();
            symmetricAlgorithm.Padding = PaddingMode.PKCS7;

            var buffer = xml.EncryptData(documentElement, symmetricAlgorithm, true);

            // Construct an EncryptedData object and populate
            // it with the encryption information.
            var encryptedData = new EncryptedData
            {
                Type = EncryptedXml.XmlEncElementUrl,

                // Create an EncryptionMethod element so that the
                // receiver knows which algorithm to use for decryption.
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES192Url),
                KeyInfo = new KeyInfo()
            };

            // Encrypt the session key and add it to an EncryptedKey element.
            var encryptedKey = new EncryptedKey
            {
                EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url),
                KeyInfo = new KeyInfo(),
                CipherData = new CipherData
                {
                    CipherValue = EncryptedXml.EncryptKey(symmetricAlgorithm.Key, cryptoServiceProvider, false)
                }
            };
            var clause = new KeyInfoName
            {
                Value = "rsaKey"
            };

            // Add the encrypted key to the EncryptedData object.
            encryptedKey.KeyInfo.AddClause(clause);
            var key2 = new KeyInfoEncryptedKey(encryptedKey);
            encryptedData.KeyInfo.AddClause(key2);
            encryptedData.CipherData = new CipherData
            {
                CipherValue = buffer
            };

            // Replace the element from the original XmlDocument
            // object with the EncryptedData element.
            EncryptedXml.ReplaceElement(documentElement, encryptedData, true);
            foreach (XmlNode node2 in document.ChildNodes)
            {
                if (node2.NodeType == XmlNodeType.Element)
                {
                    foreach (XmlNode node3 in node2.ChildNodes)
                    {
                        if (node3.NodeType == XmlNodeType.Element)
                        {
                            return node3;
                        }
                    }
                }
            }
            return null;
        }

        /// <summary>
        /// Initializes the provider with default settings.
        /// </summary>
        /// <param name="name"></param>
        /// <param name="configurationValues">A NameValueCollection collection of values to use
        /// when initializing the object. This must include a thumbprint value for the thumbprint of
        /// the certificate used to encrypt the configuration section.
        /// </param>
        public override void Initialize(string name, NameValueCollection configurationValues)
        {
            base.Initialize(name, configurationValues);
            if (configurationValues["thumbprint"] == null || configurationValues["thumbprint"].Length == 0)
            {
                throw new ApplicationException("thumbprint not set in the configuration");
            }

            this.thumbprint = configurationValues["thumbprint"];
            try
            {
                this.storeLocation = (StoreLocation)Enum.Parse(typeof(StoreLocation), configurationValues["storeLocation"]);
            }
            catch (Exception ex)
            {
                throw new Exception(@"storeLocation must be ""LocalMachine"" or ""CurrentUser"".", ex);
            }
        }
        /// <summary>
        /// Get certificate from the Local Machine store, based on the given thumbprint
        /// </summary>
        /// <param name="thumbprint">The thumbnail of the certificate used to encrypt the configuration file.</param>
        /// <param name="storeLocation">This can be CurrentUser or LocalMachine. Generally speaking Azure uses CurrentUser and Windows IIS uses LocalMachine.</param>
        /// <returns></returns>
        /// <remarks>The certificate, with private key, must be accessible in the indicated store location.</remarks>
        private X509Certificate2 GetCertificate(string thumbprint, StoreLocation storeLocation)
        {
            var store = new X509Store(StoreName.My, storeLocation);
            X509Certificate2Collection certificates = null;
            store.Open(OpenFlags.ReadOnly);

            try
            {
                X509Certificate2 result = null;

                certificates = store.Certificates;

                for (var i = 0; i < certificates.Count; i++)
                {
                    var cert = certificates[i];

                    if (cert.Thumbprint.ToLower().CompareTo(thumbprint.ToLower()) == 0)
                    {
                        result = new X509Certificate2(cert);

                        return result;
                    }
                }

                if (result == null)
                {
                    throw new ApplicationException(string.Format("No certificate was found for thumbprint {0}", thumbprint));
                }

                return null;
            }
            finally
            {
                if (certificates != null)
                {
                    for (var i = 0; i < certificates.Count; i++)
                    {
                        var cert = certificates[i];
                        cert.Reset();
                    }
                }

                store.Close();
            }
        }

        /// <summary>
        /// Get either the public key for encrypting configuration sections or the private key to decrypt them.
        /// </summary>
        /// <param name="IsEncryption"></param>
        /// <returns></returns>
        private RSACryptoServiceProvider GetCryptoServiceProvider(bool IsEncryption)
        {
            RSACryptoServiceProvider provider;
            var cert = GetCertificate(this.thumbprint, this.storeLocation);
            if (IsEncryption)
            {
                provider = (RSACryptoServiceProvider)cert.PublicKey.Key;
            }
            else
            {
                provider = (RSACryptoServiceProvider)cert.PrivateKey;
            }
            return provider;
        }

        private byte[] GetRandomKey()
        {
            var data = new byte[0x18];
            new RNGCryptoServiceProvider().GetBytes(data);
            return data;
        }
    }

}
	using System;
	using System.Collections.Specialized;
	using System.Configuration;
	using System.Security.Cryptography;
	using System.Security.Cryptography.X509Certificates;
	using System.Security.Cryptography.Xml;
	using System.Xml;

	namespace MyApp.Core.Security
	{
	/// <summary>
	/// Class Pkcs12ProtectedConfigurationProvider.
	/// </summary>
	/// <seealso cref="ProtectedConfigurationProvider" />
	public class Pkcs12ProtectedConfigurationProvider : ProtectedConfigurationProvider
	{
	private string thumbprint;
	private StoreLocation storeLocation;

	/// <summary>
	/// Decrypts the XML node passed to it.
	/// </summary>
	/// <param name="encryptedNode">The XmlNode to decrypt.</param>
	/// <returns></returns>
	public override XmlNode Decrypt(XmlNode encryptedNode)
	{
	var document = new XmlDocument();

	// Get the RSA private key. This key will decrypt
	// a symmetric key that was embedded in the XML document.
	var cryptoServiceProvider = GetCryptoServiceProvider(false);
	document.PreserveWhitespace = true;
	document.LoadXml(encryptedNode.OuterXml);
	var xml = new EncryptedXml(document);

	// Add a key-name mapping.This method can only decrypt documents
	// that present the specified key name.
	xml.AddKeyNameMapping("rsaKey", cryptoServiceProvider);
	xml.DecryptDocument();
	cryptoServiceProvider.Clear();
	return document.DocumentElement;
	}

	/// <summary>
	/// Encrypts the XML node passed to it.
	/// </summary>
	/// <param name="node">The XmlNode to encrypt.</param>
	/// <returns></returns>
	public override XmlNode Encrypt(XmlNode node)
	{
	// Get the RSA public key to encrypt the node. This key will encrypt
	// a symmetric key, which will then be encryped in the XML document.
	var cryptoServiceProvider = GetCryptoServiceProvider(true);

	// Create an XML document and load the node to be encrypted in it.
	var document = new XmlDocument();
	document.PreserveWhitespace = true;
	document.LoadXml("<Data>" + node.OuterXml + "</Data>");

	// Create a new instance of the EncryptedXml class
	// and use it to encrypt the XmlElement with the
	// a new random symmetric key.
	var xml = new EncryptedXml(document);
	var documentElement = document.DocumentElement;
	SymmetricAlgorithm symmetricAlgorithm = new RijndaelManaged
	{

	// Create a 192 bit random key.
	Key = GetRandomKey()
	};
	symmetricAlgorithm.GenerateIV();
	symmetricAlgorithm.Padding = PaddingMode.PKCS7;

	var buffer = xml.EncryptData(documentElement, symmetricAlgorithm, true);

	// Construct an EncryptedData object and populate
	// it with the encryption information.
	var encryptedData = new EncryptedData
	{
	Type = EncryptedXml.XmlEncElementUrl,

	// Create an EncryptionMethod element so that the
	// receiver knows which algorithm to use for decryption.
	EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES192Url),
	KeyInfo = new KeyInfo()
	};

	// Encrypt the session key and add it to an EncryptedKey element.
	var encryptedKey = new EncryptedKey
	{
	EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url),
	KeyInfo = new KeyInfo(),
	CipherData = new CipherData
	{
	CipherValue = EncryptedXml.EncryptKey(symmetricAlgorithm.Key, cryptoServiceProvider, false)
	}
	};
	var clause = new KeyInfoName
	{
	Value = "rsaKey"
	};

	// Add the encrypted key to the EncryptedData object.
	encryptedKey.KeyInfo.AddClause(clause);
	var key2 = new KeyInfoEncryptedKey(encryptedKey);
	encryptedData.KeyInfo.AddClause(key2);
	encryptedData.CipherData = new CipherData
	{
	CipherValue = buffer
	};

	// Replace the element from the original XmlDocument
	// object with the EncryptedData element.
	EncryptedXml.ReplaceElement(documentElement, encryptedData, true);
	foreach (XmlNode node2 in document.ChildNodes)
	{
	if (node2.NodeType == XmlNodeType.Element)
	{
	foreach (XmlNode node3 in node2.ChildNodes)
	{
	if (node3.NodeType == XmlNodeType.Element)
	{
	return node3;
	}
	}
	}
	}
	return null;
	}

	/// <summary>
	/// Initializes the provider with default settings.
	/// </summary>
	/// <param name="name"></param>
	/// <param name="configurationValues">A NameValueCollection collection of values to use
	/// when initializing the object. This must include a thumbprint value for the thumbprint of
	/// the certificate used to encrypt the configuration section.
	/// </param>
	public override void Initialize(string name, NameValueCollection configurationValues)
	{
	base.Initialize(name, configurationValues);
	if (configurationValues["thumbprint"] == null \|\| configurationValues["thumbprint"].Length == 0)
	{
	throw new ApplicationException("thumbprint not set in the configuration");
	}

	this.thumbprint = configurationValues["thumbprint"];
	try
	{
	this.storeLocation = (StoreLocation)Enum.Parse(typeof(StoreLocation), configurationValues["storeLocation"]);
	}
	catch (Exception ex)
	{
	throw new Exception(@"storeLocation must be ""LocalMachine"" or ""CurrentUser"".", ex);
	}
	}
	/// <summary>
	/// Get certificate from the Local Machine store, based on the given thumbprint
	/// </summary>
	/// <param name="thumbprint">The thumbnail of the certificate used to encrypt the configuration file.</param>
	/// <param name="storeLocation">This can be CurrentUser or LocalMachine. Generally speaking Azure uses CurrentUser and Windows IIS uses LocalMachine.</param>
	/// <returns></returns>
	/// <remarks>The certificate, with private key, must be accessible in the indicated store location.</remarks>
	private X509Certificate2 GetCertificate(string thumbprint, StoreLocation storeLocation)
	{
	var store = new X509Store(StoreName.My, storeLocation);
	X509Certificate2Collection certificates = null;
	store.Open(OpenFlags.ReadOnly);

	try
	{
	X509Certificate2 result = null;

	certificates = store.Certificates;

	for (var i = 0; i < certificates.Count; i++)
	{
	var cert = certificates[i];

	if (cert.Thumbprint.ToLower().CompareTo(thumbprint.ToLower()) == 0)
	{
	result = new X509Certificate2(cert);

	return result;
	}
	}

	if (result == null)
	{
	throw new ApplicationException(string.Format("No certificate was found for thumbprint {0}", thumbprint));
	}

	return null;
	}
	finally
	{
	if (certificates != null)
	{
	for (var i = 0; i < certificates.Count; i++)
	{
	var cert = certificates[i];
	cert.Reset();
	}
	}

	store.Close();
	}
	}

	/// <summary>
	/// Get either the public key for encrypting configuration sections or the private key to decrypt them.
	/// </summary>
	/// <param name="IsEncryption"></param>
	/// <returns></returns>
	private RSACryptoServiceProvider GetCryptoServiceProvider(bool IsEncryption)
	{
	RSACryptoServiceProvider provider;
	var cert = GetCertificate(this.thumbprint, this.storeLocation);
	if (IsEncryption)
	{
	provider = (RSACryptoServiceProvider)cert.PublicKey.Key;
	}
	else
	{
	provider = (RSACryptoServiceProvider)cert.PrivateKey;
	}
	return provider;
	}

	private byte[] GetRandomKey()
	{
	var data = new byte[0x18];
	new RNGCryptoServiceProvider().GetBytes(data);
	return data;
	}
	}

	}