Code cleanup

Author: vplusplus

src/Org.Security.Cryptography.X509Extensions/X509CertificateCache.cs

@@ -1,9 +1,9 @@
 
 //...................................................................................
-#region Readme: X509CertificateCache
+#region About X509CertificateCache
 //...................................................................................
 // 
-// It takes approx 5 miiliSec to lookup and obtain the certificate from local certificate store,
+// It takes approx 5 milliSec to lookup and obtain the certificate from local certificate store,
 // unless the Store itself is handled as singleton and never closed during process lifetime.
 // X509CertificateCache can be used to cache and re-use the certs.
 //

src/Org.Security.Cryptography.X509Extensions/X509StreamEncryptionExtensions.cs

@@ -70,13 +70,16 @@ public static void Encrypt(this Stream inputStream, Stream outputStream, X509Cer
             if (null == cert) throw new ArgumentNullException(nameof(cert));
             if (null == algName) throw new ArgumentNullException(nameof(algName));
 
-            // DO NOT Dispose this; Doing so will render the X509Certificate in cache use-less.
+            // Encrypt using Public key.
+            // DO NOT Dispose this; Doing so will render the X509Certificate in the cache use-less.
+            // Did endurance test of 1 mil cycles, found NO HANDLE leak.
             var keyEncryption = cert.GetRsaPublicKeyAsymmetricAlgorithm();
 
             using (var dataEncryption = SymmetricAlgorithm.Create(algName))
             {
                 if (null == dataEncryption) throw new Exception($"SymmetricAlgorithm.Create() returned null. Check algName: '{algName}'");
 
+                // Select suggested keySize/blockSize.
                 dataEncryption.KeySize = keySize;
                 dataEncryption.BlockSize = blockSize;
                 Encrypt(inputStream, outputStream, keyEncryption,  dataEncryption);
@@ -95,17 +98,24 @@ public static void Decrypt(this Stream inputStream, Stream outputStream, X509Cer
             if (null == cert) throw new ArgumentNullException(nameof(cert));
             if (null == algName) throw new ArgumentNullException(nameof(algName));
 
+            // Decrypt using Private key.
             // DO NOT Dispose this; Doing so will render the X509Certificate in cache use-less.
+            // Did endurance test of 1 mil cycles, found NO HANDLE leak.
             var keyEncryption = cert.GetRsaPrivateKeyAsymmetricAlgorithm();
 
             using (var dataEncryption = SymmetricAlgorithm.Create(algName))
             {
                 if (null == dataEncryption) throw new Exception($"SymmetricAlgorithm.Create() returned null. Check algName: '{algName}'");
 
+                // KeySize/blockSize will be selected when we assign key/IV later.
                 Decrypt(inputStream, outputStream, keyEncryption, dataEncryption);
             }
         }
 
+        //...............................................................................
+        #region Encrypt/Decrypt the Key (Asymmetric) and the Data (Symmetric)
+        //...............................................................................
+
         static void Encrypt(Stream inputStream, Stream outputStream, AsymmetricAlgorithm keyEncryption, SymmetricAlgorithm dataEncryption)
         {
             if (null == inputStream) throw new ArgumentNullException(nameof(inputStream));
@@ -131,6 +141,7 @@ static void Encrypt(Stream inputStream, Stream outputStream, AsymmetricAlgorithm
             outputStream.WriteLengthAndBytes(encryptedIV);
 
             // Write the encrypted data.
+            // Note: Disposing the CryptoStream also disposes the outputStream. There is no keepOpen option.
             using (var transform = dataEncryption.CreateEncryptor())
             using (var cryptoStream = new CryptoStream(outputStream, transform, CryptoStreamMode.Write))
             {
@@ -156,13 +167,17 @@ static void Decrypt(Stream inputStream, Stream outputStream, AsymmetricAlgorithm
             // Trace.WriteLine($"Decrypting. KEK: {keyEncryption.GetType().Name} / {keyEncryption.KeySize} bits");
             // Trace.WriteLine($"Decrypting. DEK: {dataEncryption.GetType().Name} / {dataEncryption.KeySize} bits / BlockSize: {dataEncryption.BlockSize} bits");
 
+            // Read the encrypted data.
+            // Note: Disposing the CryptoStream also disposes the inputStream. There is no keepOpen option.
             using (var transform = dataEncryption.CreateDecryptor())
             using (var cryptoStream = new CryptoStream(inputStream, transform, CryptoStreamMode.Read))
             {
                 cryptoStream.CopyTo(outputStream, bufferSize: dataEncryption.BlockSize * 4);
             }
         }
 
+        #endregion
+
         //...............................................................................
         #region Utils: WriteLengthAndBytes(), ReadLengthAndBytes()
         //...............................................................................
@@ -171,8 +186,10 @@ static void WriteLengthAndBytes(this Stream outputStream, byte[] bytes)
             if (null == outputStream) throw new ArgumentNullException(nameof(outputStream));
             if (null == bytes) throw new ArgumentNullException(nameof(bytes));
 
+            // Int32 length to exactly-four-bytes array.
             var length = BitConverter.GetBytes((Int32)bytes.Length);
 
+            // Write the four-byte-length followed by the data.
             outputStream.Write(length, 0, length.Length);
             outputStream.Write(bytes, 0, bytes.Length);
         }
@@ -188,7 +205,7 @@ static byte[] ReadLengthAndBytes(this Stream inputStream, int maxBytes)
 
             // Length of data to read.
             var length = BitConverter.ToInt32(arrLength, 0);
-            if (length > maxBytes) throw new Exception($"Unexpected data size {length:#,0} bytes. Expecting not more than {maxBytes:#,0} bytes.");
+            if (length > maxBytes) throw new Exception($"Unexpected data size {length:#,0} bytes. Expecting NOT more than {maxBytes:#,0} bytes.");
 
             // Read suggested no of bytes...
             var bytes = new byte[length];
@@ -201,8 +218,9 @@ static byte[] ReadLengthAndBytes(this Stream inputStream, int maxBytes)
         #endregion
 
         //...............................................................................
-        #region Obtain private/public key AsymmetricAlgorithm
+        #region Obtain public/private key AsymmetricAlgorithm
         //...............................................................................
+
         static AsymmetricAlgorithm GetRsaPublicKeyAsymmetricAlgorithm(this X509Certificate2 cert)
         {
             if (null == cert) throw new ArgumentNullException(nameof(cert));

src/UnitTests/Algorithms.txt

@@ -2,7 +2,7 @@
 <configuration>
 
   <appSettings>
-    <add key="X509.ThumbPrint" value="F73299C92B327DB836170E9CF1C6AA948BFF5124" />
+    <add key="X509.ThumbPrint" value="7A89FF9299CDE8C690DB93CE1F128EA3BAD642AB" />
   </appSettings>
 
 </configuration>

src/UnitTests/App.config

@@ -11,6 +11,8 @@ namespace UnitTests.POCs
 {
     // https://docs.microsoft.com/en-us/dotnet/standard/security/cryptographic-signatures
 
+    // WIP WIP WIP 
+
     [TestClass]
     public class SignatureSamples
     {

src/UnitTests/POCs/SignatureSamples.cs

@@ -1,24 +1,68 @@
 
+//.............................................................................
+// IMP: CryptographicException "Invalid provider type specified” 
+//.............................................................................
+// Cert.PrivateKey throws CryptographicException in .Net Framework 4.7.1 if KeySpec is not specified.
+// Alternative is to use cert.GetRSAPrivateKey()
+// Or use -KeySpec KeyExchange when creating self-signed-cert
+// Noticed AsymmetricAlgorithm using cert.GetRSAPrivateKey() is 4x slower compared to Cert.PrivateKey
+
 
 // REF: Useful info on X509 certs, cert stores and their locations.
 // http://paulstovell.com/blog/x509certificate2
 
 // REF: Comparison of Encryption algorithms
 // https://symbiosisonlinepublishing.com/computer-science-technology/computerscience-information-technology32.php
 
-// REF: https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-store-asymmetric-keys-in-a-key-container
-// REF: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing
-// REF: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsacryptoserviceprovider?view=netstandard-2.0
-
-//...............................................................................
-// Sample Cryptographic Scheme
-//...............................................................................
-// REF: https://docs.microsoft.com/en-us/dotnet/standard/security/creating-a-cryptographic-scheme
-// A simple cryptographic scheme for encrypting and decrypting data might specify the following steps:
-// 1) Each party generates a public/private key pair.
-// 2) The parties exchange their public keys.
-// 3) Each party generates a secret key for TripleDES encryption, for example, and encrypts the newly created key using the other's public key.
-// 4) Each party sends the data to the other and combines the other's secret key with its own, in a particular order, to create a new secret key.
-// 5) The parties then initiate a conversation using symmetric encryption.
-//...............................................................................
+// System.Security.Cryptography
+// https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=netstandard-2.0
+
+//.............................................................................
+// AsymmetricAlgorithm
+//.............................................................................
+	RSA
+		RSACng
+		RSACryptoServiceProvider
+		RSAOpenSsl
+	DSA
+		DSACng
+		DSACryptoServiceProvider
+		DSAOpenSsl
+	ECDiffieHellman
+		ECDiffieHellmanCng
+		ECDiffieHellmanOpenSsl
+	ECDsa
+		ECDsaCng
+		ECDsaOpenSsl
+
+notes: 
+* X509Certificate2.PublicKey.Key and X509Certificate2.PrivateKey returns RSACng
+* The RSACng class is an implementation of the RSA algorithm using the Windows CNG libraries and isn't available on operating systems other than Windows
+
+//.............................................................................
+// SymmetricAlgorithm
+//.............................................................................
+	Aes
+		AesCng
+		AesCryptoServiceProvider
+		AesManaged
+	TripleDES
+		TripleDESCng	
+		TripleDESCryptoServiceProvider
+	Rijndael
+		RijndaelManaged
+	DES
+		DESCryptoServiceProvider
+	RC2
+		RC2CryptoServiceProvider
+			
+Notes: 
+* AES algorithm can support any combination of data (128 bits) and key length of 128, 192, and 256 bits. 
+* The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.
+* The Rijndael class is the predecessor of the Aes algorithm. You should use the Aes algorithm instead of Rijndael
+
+
+
+
+
 

src/UnitTests/ReadMe.txt

@@ -11,16 +11,96 @@
 
 namespace UnitTests
 {
-
     [TestClass]
     public class X509Tests
     {
         static string TestCertThumbPrint => 
             System.Configuration.ConfigurationManager.AppSettings["X509.ThumbPrint"] ??
-              throw new Exception($"AppSetting 'Test.X509.ThumbPrint' not defined.");
+              throw new Exception($"AppSetting 'X509.ThumbPrint' not defined.");
 
         [TestMethod]
-        public void FindMyCertificate()
+        public void X509_LookupSpeed()
+        {
+            //......................................................................
+            // OpenStore-Lookup-CloseStore:  apprx 5 milliSec per lookup
+            // KeepStoreOpen-Lookup:         apprx 14 microSec per lookup
+            //......................................................................
+
+            const int loopCount = 10000;
+            const StoreName storeName = StoreName.My;
+            const StoreLocation storeLocation = StoreLocation.CurrentUser;
+
+            var thumb = TestCertThumbPrint;
+            Console.WriteLine(thumb);
+
+            // Dry run
+            OpenStoreAndLookupCert();
+
+            // Scenario #1: OpenStore/Lookup/CloseStore
+            Stopwatch timer = Stopwatch.StartNew();
+            for (int i=0; i<loopCount; i++)
+            {
+                OpenStoreAndLookupCert();
+            }
+            timer.Stop();
+            PrintStats("OPEN-CLOSE-STORE", timer.Elapsed, loopCount);
+
+            // Scenario #2: OpenStore ONCE. LookupCert.
+            timer = Stopwatch.StartNew();
+            using (X509Store store = new X509Store(storeName, storeLocation))
+            {
+                // Open an existing store.
+                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
+
+                for (int i = 0; i < loopCount; i++)
+                {
+                    UseMyStoreLookupCert(store);
+                }
+            }
+            timer.Stop();
+            PrintStats("KEEP-STORE-OPEN", timer.Elapsed, loopCount);
+
+            void PrintStats(string scenario, TimeSpan elapsed, int iterations)
+            {
+                var ratePerSec = (long)iterations / elapsed.TotalSeconds;
+                var avgMs = elapsed.TotalMilliseconds / iterations;
+                Console.WriteLine($"{scenario}: {iterations:#,0} iterations @ {ratePerSec:#,0.00} per-Sec. Avg: {avgMs:#,0.000} millSec");
+            }
+
+            void OpenStoreAndLookupCert()
+            {
+                using (X509Store store = new X509Store(storeName, storeLocation))
+                {
+                    // Open an existing store.
+                    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
+
+                    // Look for the certificate by thumbPrint.
+                    var certs = store
+                        .Certificates
+                        .Cast<X509Certificate2>()
+                        .Where(x => null != x?.Thumbprint)
+                        .Where(x => x.Thumbprint.Equals(thumb, StringComparison.OrdinalIgnoreCase))
+                        .ToArray();
+
+                    if (1 != certs.Length) throw new Exception("Cert not found.");
+                }
+            }
+
+            void UseMyStoreLookupCert(X509Store storeThatIsAlreadyOpen)
+            {
+                var certs = storeThatIsAlreadyOpen
+                    .Certificates
+                    .Cast<X509Certificate2>()
+                    .Where(x => null != x?.Thumbprint)
+                    .Where(x => x.Thumbprint.Equals(thumb, StringComparison.OrdinalIgnoreCase))
+                    .ToArray();
+
+                if (1 != certs.Length) throw new Exception("Cert not found.");
+            }
+        }
+
+        [TestMethod]
+        public void X509_CacheLookup()
         {
             var cert = X509CertificateCache.GetCertificate(TestCertThumbPrint, StoreName.My, StoreLocation.CurrentUser);
 
@@ -144,6 +224,6 @@ static byte[] GenerateJunk(int kiloBytes)
                 return buffer.ToArray();
             }
         }
-
     }
 }
+