strommen/CertificateCrypto.cs

## CertificateCrypto.cs
// This is free and unencumbered software released into the public domain. (For the full license statement, see the bottom of this gist)
using Microsoft.WindowsAzure;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// See https://www.fasterweb.io/Blog/two-way-encryption-for-azure-web-roles for the context around this.
namespace FasterWeb
{
	public static class CertificateCrypto
	{
		public class EncryptionPayload
		{
			public byte[] EncryptedData { get; set; }
			public byte[] CertificateEncryptedKey { get; set; }
			public byte[] ClearTextIV { get; set; }
		}

		private static readonly string Thumbprint = CloudConfigurationManager.GetSetting("CertificateCryptoThumbprint");
		private static readonly RSACryptoServiceProvider CertificateEncryption;
		private static object CertificateEncryptionLock = new object();

		static CertificateCrypto()
		{
			X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

			try
			{
				store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);

				X509Certificate2Collection foundCerts = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
				CertificateEncryption = (RSACryptoServiceProvider)foundCerts.Cast<X509Certificate2>().Single().PrivateKey;
			}
			finally
			{
				store.Close();
			}
		}

		public static EncryptionPayload Encrypt(Stream input)
		{
			// Generate Key & IV
			AesManaged algorithm = new AesManaged();
			algorithm.GenerateIV();
			algorithm.GenerateKey();

			// Encrypt data with the key
			byte[] encryptedData;
			using (MemoryStream encryptedDataStream = new MemoryStream())
			{
				using (var encryptor = algorithm.CreateEncryptor())
				{
					using (CryptoStream cryptoStream = new CryptoStream(encryptedDataStream, encryptor, CryptoStreamMode.Write))
					{
						input.CopyTo(cryptoStream);
						cryptoStream.FlushFinalBlock();

						encryptedData = new byte[encryptedDataStream.Length];
						encryptedDataStream.Seek(0, SeekOrigin.Begin);
						encryptedDataStream.Read(encryptedData, 0, encryptedData.Length);
					}
				}
			}

			// Encrypt the key using RSA and the certificate
			byte[] encryptedKey;
			lock (CertificateEncryptionLock)
			{
				encryptedKey = CertificateEncryption.Encrypt(algorithm.Key, true);
			}

			return new EncryptionPayload()
			{
				EncryptedData = encryptedData,
				CertificateEncryptedKey = encryptedKey,
				ClearTextIV = algorithm.IV,
			};
		}

		public static byte[] Decrypt(EncryptionPayload encryptedData)
		{
			// Decrypt the key using RSA and the certificate
			byte[] decryptedKey;
			lock (CertificateEncryptionLock)
			{
				decryptedKey = CertificateEncryption.Decrypt(encryptedData.CertificateEncryptedKey, true);
			}

			// Decrypt data with the key & IV
			AesManaged algorithm = new AesManaged();
			algorithm.IV = encryptedData.ClearTextIV;
			algorithm.Key = decryptedKey;

			byte[] result;
			using (var decryptor = algorithm.CreateDecryptor())
			{
				using (MemoryStream resultStream = new MemoryStream())
				{
					using (CryptoStream cryptoStream = new CryptoStream(resultStream, decryptor, CryptoStreamMode.Write))
					{
						cryptoStream.Write(encryptedData.EncryptedData, 0, encryptedData.EncryptedData.Length);
						cryptoStream.FlushFinalBlock();

						result = new byte[resultStream.Length];
						resultStream.Seek(0, SeekOrigin.Begin);
						resultStream.Read(result, 0, result.Length);
					}
				}
			}

			return result;
		}
	}
}

// This is free and unencumbered software released into the public domain.
//
// Anyone is free to copy, modify, publish, use, compile, sell, or
// distribute this software, either in source code form or as a compiled
// binary, for any purpose, commercial or non-commercial, and by any
// means.
//
// In jurisdictions that recognize copyright laws, the author or authors
// of this software dedicate any and all copyright interest in the
// software to the public domain. We make this dedication for the benefit
// of the public at large and to the detriment of our heirs and
// successors. We intend this dedication to be an overt act of
// relinquishment in perpetuity of all present and future rights to this
// software under copyright law.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
// IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
// OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
// OTHER DEALINGS IN THE SOFTWARE.
//
// For more information, please refer to <http://unlicense.org/>
	// This is free and unencumbered software released into the public domain. (For the full license statement, see the bottom of this gist)
	using Microsoft.WindowsAzure;
	using System.IO;
	using System.Linq;
	using System.Security.Cryptography;
	using System.Security.Cryptography.X509Certificates;

	// See https://www.fasterweb.io/Blog/two-way-encryption-for-azure-web-roles for the context around this.
	namespace FasterWeb
	{
	public static class CertificateCrypto
	{
	public class EncryptionPayload
	{
	public byte[] EncryptedData { get; set; }
	public byte[] CertificateEncryptedKey { get; set; }
	public byte[] ClearTextIV { get; set; }
	}

	private static readonly string Thumbprint = CloudConfigurationManager.GetSetting("CertificateCryptoThumbprint");
	private static readonly RSACryptoServiceProvider CertificateEncryption;
	private static object CertificateEncryptionLock = new object();

	static CertificateCrypto()
	{
	X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

	try
	{
	store.Open(OpenFlags.OpenExistingOnly \| OpenFlags.ReadOnly);

	X509Certificate2Collection foundCerts = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
	CertificateEncryption = (RSACryptoServiceProvider)foundCerts.Cast<X509Certificate2>().Single().PrivateKey;
	}
	finally
	{
	store.Close();
	}
	}

	public static EncryptionPayload Encrypt(Stream input)
	{
	// Generate Key & IV
	AesManaged algorithm = new AesManaged();
	algorithm.GenerateIV();
	algorithm.GenerateKey();

	// Encrypt data with the key
	byte[] encryptedData;
	using (MemoryStream encryptedDataStream = new MemoryStream())
	{
	using (var encryptor = algorithm.CreateEncryptor())
	{
	using (CryptoStream cryptoStream = new CryptoStream(encryptedDataStream, encryptor, CryptoStreamMode.Write))
	{
	input.CopyTo(cryptoStream);
	cryptoStream.FlushFinalBlock();

	encryptedData = new byte[encryptedDataStream.Length];
	encryptedDataStream.Seek(0, SeekOrigin.Begin);
	encryptedDataStream.Read(encryptedData, 0, encryptedData.Length);
	}
	}
	}

	// Encrypt the key using RSA and the certificate
	byte[] encryptedKey;
	lock (CertificateEncryptionLock)
	{
	encryptedKey = CertificateEncryption.Encrypt(algorithm.Key, true);
	}

	return new EncryptionPayload()
	{
	EncryptedData = encryptedData,
	CertificateEncryptedKey = encryptedKey,
	ClearTextIV = algorithm.IV,
	};
	}

	public static byte[] Decrypt(EncryptionPayload encryptedData)
	{
	// Decrypt the key using RSA and the certificate
	byte[] decryptedKey;
	lock (CertificateEncryptionLock)
	{
	decryptedKey = CertificateEncryption.Decrypt(encryptedData.CertificateEncryptedKey, true);
	}

	// Decrypt data with the key & IV
	AesManaged algorithm = new AesManaged();
	algorithm.IV = encryptedData.ClearTextIV;
	algorithm.Key = decryptedKey;

	byte[] result;
	using (var decryptor = algorithm.CreateDecryptor())
	{
	using (MemoryStream resultStream = new MemoryStream())
	{
	using (CryptoStream cryptoStream = new CryptoStream(resultStream, decryptor, CryptoStreamMode.Write))
	{
	cryptoStream.Write(encryptedData.EncryptedData, 0, encryptedData.EncryptedData.Length);
	cryptoStream.FlushFinalBlock();

	result = new byte[resultStream.Length];
	resultStream.Seek(0, SeekOrigin.Begin);
	resultStream.Read(result, 0, result.Length);
	}
	}
	}

	return result;
	}
	}
	}

	// This is free and unencumbered software released into the public domain.
	//
	// Anyone is free to copy, modify, publish, use, compile, sell, or
	// distribute this software, either in source code form or as a compiled
	// binary, for any purpose, commercial or non-commercial, and by any
	// means.
	//
	// In jurisdictions that recognize copyright laws, the author or authors
	// of this software dedicate any and all copyright interest in the
	// software to the public domain. We make this dedication for the benefit
	// of the public at large and to the detriment of our heirs and
	// successors. We intend this dedication to be an overt act of
	// relinquishment in perpetuity of all present and future rights to this
	// software under copyright law.
	//
	// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
	// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
	// IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
	// OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
	// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
	// OTHER DEALINGS IN THE SOFTWARE.
	//
	// For more information, please refer to <http://unlicense.org/>