Added fall-back for .NET Framework. Endurance Test.

Author: vplusplus

src/Org.Security.Cryptography.X509Extensions/GenerateSelfSignedCerts.ps1

@@ -5,14 +5,14 @@
     <RootNamespace>Org.Security.Cryptography</RootNamespace>
     <Version>20.3.0</Version>
     <Authors>Venkatesh Ramakrishnan</Authors>
-    <Company>OSS</Company>
+    <Company>Open Source</Company>
     <Product>X509Extensions</Product>
-    <Description>Helpers for signing/encryption/decryption using X509 certs.</Description>
+    <Description>Helpers for encryption/decryption/signing using X509 certs.</Description>
     <PackageProjectUrl>https://github.com/vplusplus/Org.Security.Cryptography.X509Extensions</PackageProjectUrl>
     <PackageTags>.NET Standard X509 Encrypt Decrypt DigitalSignature</PackageTags>
     <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>
-    <PackageReleaseNotes>DISCLAIMER: Information security is a complex and sensitive area, and requires deep expertise. Author of this package is NOT an expert of this domain. Consumers are expected to review the source code first before using this package.</PackageReleaseNotes>
+    <PackageReleaseNotes>Information security is a complex and sensitive area, and requires deep expertise. Review the source code first before using this package.</PackageReleaseNotes>
   </PropertyGroup>
 
 </Project>

src/Org.Security.Cryptography.X509Extensions/Org.Security.Cryptography.X509Extensions.csproj

@@ -0,0 +1,70 @@
+
+# ----------------------------------------------------------------------------------------
+# Standard disclaimer, so that I am not judged...
+# Use of self-signed=certs is NOT recommonded for real world application workloads.
+# ----------------------------------------------------------------------------------------
+
+$dnsName = "hello.world.net"
+$outputPath = "D:\Junk"
+
+# Output file names.
+$pfxFileName = "$outputPath\$dnsName.pfx"
+$cerFileName = "$outputPath\$dnsName.cer"
+$thumbprintFileName = "$outputPath\$dnsName.thumb.txt"
+
+# Cert-validity, from yesterday, for two years...
+$dtStart = (Get-Date).ToUniversalTime().AddDays(-1).Date
+$dtEnd = $dtStart.AddYears(2)
+
+# Collect password for the PFX file. Username is ignored.
+$pfxCredentials = Get-Credential -Message "Enter a password for the PFX" -UserName "$dnsName"
+
+# NOTE: KeySpec was required to use Cert.PrivateKey in .Net Framework 4.7.1
+# NOTE: Alternative is to use cert.GetRSAPrivateKey()
+Write-Host "Creating (and registering) self-signed certificate. DNS Name: $dnsName"
+$cert = New-SelfSignedCertificate `
+	-DnsName $dnsName `
+	-CertStoreLocation Cert:\CurrentUser\My `
+	-KeyLength 1024 `
+	-NotBefore $dtStart `
+	-NotAfter $dtEnd 
+
+	# -KeySpec KeyExchange | Signature | None
+    # -KeyExportPolicy Exportable | NonExportable
+	# -KeyAlgorithm RSA
+	# -KeyLength 1024 2048
+
+# Retrieve and show cert info
+$thumbprint = $cert.Thumbprint
+$c = Get-Item Cert:\CurrentUser\My\$thumbprint
+Write-Host $c.ToString($true)
+
+# Export to files...
+Write-Host				"Exporting PFX, CER and thumbprint"
+Export-PfxCertificate	-Cert $cert -FilePath $pfxFileName -Password $pfxCredentials.Password | Out-Null
+Export-Certificate		-Cert $cert -FilePath $cerFileName | Out-Null
+Set-Content				-Path $thumbprintFileName -Value $cert.Thumbprint | Out-Null
+
+# Print the file names and the thumbprint
+Write-Host "--------------------------------------------------------------------"
+Write-Host "Generated..."
+Write-Host "--------------------------------------------------------------------"
+$pfxFileName
+$cerFileName
+$thumbprintFileName
+
+# Print the certificate Thumbprint
+Write-Host "Thumbprint:"
+$cert.Thumbprint
+
+# REMOVE CERT from local store.
+# Write-Host "--------------------------------------------------------------------"
+# Write-Host "IMP: Removing the self-signed-certificate from Cert:\CurrentUser\My"
+# Write-Host "IMP: Import the .pfx again in the target machine"
+# Write-Host "--------------------------------------------------------------------"
+# Get-ChildItem -Path cert:\CurrentUser\My\$thumbprint | Remove-Item
+# Write-Host "Removed the certificate."
+
+# Use following command to import the PFX using powershell.
+# Import-PfxCertificate -Exportable -CertStoreLocation Cert:\LocalMachine\My -FilePath $pfxFileName -Password $securePassword
+

src/Org.Security.Cryptography.X509Extensions/X509-PS-Helpers/GenerateSelfSignedCerts.ps1

@@ -0,0 +1,24 @@
+
+
+# List of certs
+$certs = Get-ChildItem -Path cert:\CurrentUser\My
+
+# Print Thumbprint
+$certs
+
+# Loop and print specific property
+Foreach ($c IN $certs) 
+{
+	Write-Host $c.SubjectName.Name
+	Write-Host $c.Issuer
+	Write-Host $c.Thumbprint
+    Write-Host "HasPrivateKey?" $c.HasPrivateKey
+    Write-Host "SignatureAlgorithm" $c.SignatureAlgorithm.FriendlyName
+}
+
+# Find cert by Thumbprint, print details
+$thumb = "TheThumbprint"
+$c = Get-ChildItem -Path cert:\CurrentUser\My\$$thumb
+Write-Host $c.ToString($true)
+
+ 

src/Org.Security.Cryptography.X509Extensions/X509-PS-Helpers/ListCertificates.ps1

@@ -1,6 +1,5 @@
 
 using System;
-using System.Diagnostics;
 using System.IO;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
@@ -71,17 +70,16 @@ public static void Encrypt(this Stream inputStream, Stream outputStream, X509Cer
             if (null == cert) throw new ArgumentNullException(nameof(cert));
             if (null == algName) throw new ArgumentNullException(nameof(algName));
 
-            // Ensure PublicKey exists
-            if (null == cert.PublicKey) throw new ArgumentException($"X509Certificate2.PublicKey was NULL: {cert.Thumbprint}", nameof(cert));
-            if (null == cert.PublicKey.Key) throw new ArgumentException($"X509Certificate2.PublicKey.Key was NULL: {cert.Thumbprint}", nameof(cert));
+            // DO NOT Dispose this; Doing so will render the X509Certificate in cache use-less.
+            var keyEncryption = cert.GetRsaPublicKeyAsymmetricAlgorithm();
 
             using (var dataEncryption = SymmetricAlgorithm.Create(algName))
             {
                 if (null == dataEncryption) throw new Exception($"SymmetricAlgorithm.Create() returned null. Check algName: '{algName}'");
 
                 dataEncryption.KeySize = keySize;
                 dataEncryption.BlockSize = blockSize;
-                Encrypt(inputStream, outputStream, cert.PublicKey.Key, dataEncryption);
+                Encrypt(inputStream, outputStream, keyEncryption,  dataEncryption);
             }
         }
 
@@ -97,14 +95,14 @@ public static void Decrypt(this Stream inputStream, Stream outputStream, X509Cer
             if (null == cert) throw new ArgumentNullException(nameof(cert));
             if (null == algName) throw new ArgumentNullException(nameof(algName));
 
-            // Ensure PrivateKey exists.
-            if (null == cert.PrivateKey) throw new ArgumentException($"X509Certificate2.PrivateKey was NULL: {cert.Thumbprint}", nameof(cert));
+            // DO NOT Dispose this; Doing so will render the X509Certificate in cache use-less.
+            var keyEncryption = cert.GetRsaPrivateKeyAsymmetricAlgorithm();
 
             using (var dataEncryption = SymmetricAlgorithm.Create(algName))
             {
                 if (null == dataEncryption) throw new Exception($"SymmetricAlgorithm.Create() returned null. Check algName: '{algName}'");
 
-                Decrypt(inputStream, outputStream, cert.PrivateKey, dataEncryption);
+                Decrypt(inputStream, outputStream, keyEncryption, dataEncryption);
             }
         }
 
@@ -165,6 +163,9 @@ static void Decrypt(Stream inputStream, Stream outputStream, AsymmetricAlgorithm
             }
         }
 
+        //...............................................................................
+        #region Utils: WriteLengthAndBytes(), ReadLengthAndBytes()
+        //...............................................................................
         static void WriteLengthAndBytes(this Stream outputStream, byte[] bytes)
         {
             if (null == outputStream) throw new ArgumentNullException(nameof(outputStream));
@@ -196,5 +197,63 @@ static byte[] ReadLengthAndBytes(this Stream inputStream, int maxBytes)
 
             return bytes;
         }
+
+        #endregion
+
+        //...............................................................................
+        #region Obtain private/public key AsymmetricAlgorithm
+        //...............................................................................
+        static AsymmetricAlgorithm GetRsaPublicKeyAsymmetricAlgorithm(this X509Certificate2 cert)
+        {
+            if (null == cert) throw new ArgumentNullException(nameof(cert));
+            if (null == cert.Thumbprint) throw new ArgumentNullException("X509Certificate2.Thumbprint was NULL.");
+
+            try
+            {
+                try
+                {
+                    // [FASTER] 
+                    return cert.PublicKey?.Key ?? throw new Exception($"X509Certificate2.PublicKey?.Key was NULL.");
+                }
+                catch (CryptographicException)
+                {
+                    // [SLOWER] 
+                    return cert.GetRSAPublicKey() ?? throw new Exception($"X509Certificate2.GetRSAPublicKey() returned NULL");
+                }
+            }
+            catch (Exception err)
+            {
+                var msg = $"Error accessing PublicKey of the X509 Certificate. Cert: {cert.Thumbprint}";
+                throw new Exception(msg, err);
+            }
+        }
+
+        static AsymmetricAlgorithm GetRsaPrivateKeyAsymmetricAlgorithm(this X509Certificate2 cert)
+        {
+            if (null == cert) throw new ArgumentNullException(nameof(cert));
+            if (null == cert.Thumbprint) throw new ArgumentNullException("X509Certificate2.Thumbprint was NULL.");
+
+            try
+            {
+                try
+                {
+                    // [FASTER] 
+                    return cert.PrivateKey ?? throw new Exception($"X509Certificate2.PrivateKey was NULL.");
+                }
+                catch (CryptographicException)
+                {
+                    // [SLOWER] 
+                    return cert.GetRSAPrivateKey() ?? throw new Exception($"X509Certificate2.GetRSAPrivateKey() returned NULL.");
+                }
+            }
+            catch (Exception err)
+            {
+                var msg = $"Error accessing PrivateKey of the X509 Certificate. Cert: {cert.Thumbprint}";
+                throw new Exception(msg, err);
+            }
+        }
+
+        #endregion
+
     }
 }

src/Org.Security.Cryptography.X509Extensions/X509StreamEncryptionExtensions.cs

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+
+  <appSettings>
+    <add key="X509.ThumbPrint" value="F73299C92B327DB836170E9CF1C6AA948BFF5124" />
+  </appSettings>
+  
+</configuration>

src/UnitTests/App.config

@@ -1,58 +1,19 @@
-using Microsoft.VisualStudio.TestTools.UnitTesting;
-using Org.Security.Cryptography;
+
 using System;
-using System.Collections.Generic;
+using Org.Security.Cryptography;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
-
 using System.Text;
 
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
 namespace UnitTests.POCs
 {
     // https://docs.microsoft.com/en-us/dotnet/standard/security/cryptographic-signatures
 
     [TestClass]
     public class SignatureSamples
     {
-        // Sender
-        //  Message Or payload - The substance
-        //  Message Digest - A compact representation of the message
-        //  Encrypt the message digest with private key to create signature.
-        // 
-        // Receiver:
-        //  Decrypt the signature using sender's public key
-        //  Hash the message or payload to recreate the message digest
-        //  Compare the hashses
-
-        // To verify that data was signed by a particular party, you must have the following information:
-        // a) The public key of the party that signed the data.
-        // b) The digital signature.
-        // c) The data that was signed.
-        // d) The hash algorithm used by the signer.
-
-        public void HelloSignature()
-        {
-            string something = "Hello World";
-
-            //The hash value to sign.
-            byte[] hashValue = SHA1.Create().ComputeHash(Encoding.UTF8.GetBytes(something));
-
-            //Generate a public/private key pair.
-            RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
-
-            //Create an RSAPKCS1SignatureFormatter object and pass it the
-            //RSACryptoServiceProvider to transfer the private key.
-            RSAPKCS1SignatureFormatter rsaFormatter = new RSAPKCS1SignatureFormatter(rsa);
-
-            //Set the hash algorithm to SHA1.
-            rsaFormatter.SetHashAlgorithm("SHA1");
-
-            //Create a signature for hashValue and assign it to
-            //signedHashValue.
-            byte[] signedHashValue = rsaFormatter.CreateSignature(hashValue);
-
-        }
-
         [TestMethod]
         public void TestSignature()
         {
@@ -70,10 +31,8 @@ public void TestSignature()
             Assert.IsTrue(good);
 
         }
-
     }
 
-
     static class X509RsaSha1Signature
     {
         const string SHA1 = "SHA1";
@@ -112,8 +71,5 @@ public static bool Verify(byte[] payload, byte[] signature, string thumbprint)
                 return signatureDeformatter.VerifySignature(digest, signature);
             }
         }
-
-
-
     }
 }