From 2bf43a4919cfcc03dd4c406bdeadf389b4399357 Mon Sep 17 00:00:00 2001 From: nd Date: Sat, 9 Mar 2024 13:32:51 +0100 Subject: [PATCH] Update + Added `BcEllipticCurves.IsCurveAllowed` and `BcEllipticCurves.DenyCurve` + Added checks for allowed algorithms and elliptic curves - Fixed Ed25519, Ed448, X448, XEd25519 and XEd448 algorithms didn't check for PQC requirement - Fixed non-PQC signature algorithms didn't check for PQC requirement --- .../AsymmetricBcEcDiffieHellmanAlgorithm.cs | 6 +++++- .../AsymmetricBcEcDiffieHellmanPrivateKey.cs | 7 ++++--- .../AsymmetricBcEcDsaAlgorithm.cs | 6 +++++- .../AsymmetricBcEcDsaPrivateKey.cs | 3 ++- .../AsymmetricEd25519Algorithm.cs | 1 + src/wan24-Crypto-BC/AsymmetricEd448Algorithm.cs | 1 + .../AsymmetricSNtruPrimeAlgorithm.cs | 1 + .../AsymmetricX25519Algorithm.cs | 1 + .../AsymmetricX25519PrivateKey.cs | 6 +++--- src/wan24-Crypto-BC/AsymmetricX448Algorithm.cs | 1 + src/wan24-Crypto-BC/AsymmetricX448PrivateKey.cs | 6 +++--- .../AsymmetricXEd25519Algorithm.cs | 1 + .../AsymmetricXEd25519PrivateKey.cs | 2 +- .../AsymmetricXEd448Algorithm.cs | 2 ++ .../AsymmetricXEd448PrivateKey.cs | 3 ++- src/wan24-Crypto-BC/BcEllipticCurves.cs | 17 +++++++++++++++-- src/wan24-Crypto-BC/BouncyCastle.cs | 6 +++++- .../BouncyCastleAeadCipherAlgorithmBase.cs | 2 ++ .../BouncyCastleAsymmetricAlgorithmBase.cs | 1 + ...leAsymmetricNonPqcPrivateSignatureKeyBase.cs | 2 ++ ...eAsymmetricNonPqcPrivateSignatureKeyBase2.cs | 2 ++ ...tleAsymmetricPqcPrivateKeyExchangeKeyBase.cs | 1 + ...astleAsymmetricPqcPrivateSignatureKeyBase.cs | 1 + .../BouncyCastleBlockCipherAlgorithmBase.cs | 2 ++ src/wan24-Crypto-BC/StreamCipherRng.cs | 1 + src/wan24-Crypto-BC/wan24-Crypto-BC.csproj | 6 +++--- 26 files changed, 68 insertions(+), 20 deletions(-) diff --git a/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanAlgorithm.cs b/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanAlgorithm.cs index d0b6a25..d9e1931 100644 --- a/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanAlgorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanAlgorithm.cs @@ -74,6 +74,10 @@ protected override ECKeyGenerationParameters CreateKeyGenParameters(SecureRandom => new(parameters, random); /// - protected override ECDomainParameters GetEngineParameters(CryptoOptions options) => BcEllipticCurves.GetCurve(options.AsymmetricKeyBits); + protected override ECDomainParameters GetEngineParameters(CryptoOptions options) + { + EnsureAllowedCurve(options.AsymmetricKeyBits); + return BcEllipticCurves.GetCurve(options.AsymmetricKeyBits); + } } } diff --git a/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanPrivateKey.cs b/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanPrivateKey.cs index 7b28b53..525f639 100644 --- a/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanPrivateKey.cs +++ b/src/wan24-Crypto-BC/AsymmetricBcEcDiffieHellmanPrivateKey.cs @@ -47,7 +47,8 @@ public override (byte[] Key, byte[] KeyExchangeData) GetKeyExchangeData(IAsymmet try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + Algorithm.EnsureAllowed(); + EnsureAllowedCurve(); publicKey ??= options?.PublicKey ?? options?.PrivateKey?.PublicKey ?? PublicKey; if (publicKey is not AsymmetricBcEcDiffieHellmanPublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); return (DeriveKey(publicKey), PublicKey.KeyData.Array.CloneArray()); @@ -67,7 +68,7 @@ public override byte[] DeriveKey(byte[] keyExchangeData) try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + EnsurePqcRequirement(); using AsymmetricBcEcDiffieHellmanPublicKey publicKey = new(keyExchangeData); return DeriveKey(publicKey as IAsymmetricPublicKey); } @@ -83,7 +84,7 @@ public override byte[] DeriveKey(IAsymmetricPublicKey publicKey) try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + EnsurePqcRequirement(); if (publicKey is not AsymmetricBcEcDiffieHellmanPublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); ECDHBasicAgreement agreement = new(); agreement.Init(PrivateKey); diff --git a/src/wan24-Crypto-BC/AsymmetricBcEcDsaAlgorithm.cs b/src/wan24-Crypto-BC/AsymmetricBcEcDsaAlgorithm.cs index ba8e8da..f2a1c65 100644 --- a/src/wan24-Crypto-BC/AsymmetricBcEcDsaAlgorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricBcEcDsaAlgorithm.cs @@ -74,6 +74,10 @@ protected override ECKeyGenerationParameters CreateKeyGenParameters(SecureRandom => new(parameters, random); /// - protected override ECDomainParameters GetEngineParameters(CryptoOptions options) => BcEllipticCurves.GetCurve(options.AsymmetricKeyBits); + protected override ECDomainParameters GetEngineParameters(CryptoOptions options) + { + EnsureAllowedCurve(options.AsymmetricKeyBits); + return BcEllipticCurves.GetCurve(options.AsymmetricKeyBits); + } } } diff --git a/src/wan24-Crypto-BC/AsymmetricBcEcDsaPrivateKey.cs b/src/wan24-Crypto-BC/AsymmetricBcEcDsaPrivateKey.cs index 7a28709..d7462f9 100644 --- a/src/wan24-Crypto-BC/AsymmetricBcEcDsaPrivateKey.cs +++ b/src/wan24-Crypto-BC/AsymmetricBcEcDsaPrivateKey.cs @@ -66,7 +66,8 @@ public override byte[] SignHashRaw(byte[] hash) try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + Algorithm.EnsureAllowed(); + EnsureAllowedCurve(); DsaDigestSigner signer = new(new ECDsaSigner(), new NullDigest()); signer.Init(forSigning: true, PrivateKey); signer.BlockUpdate(hash); diff --git a/src/wan24-Crypto-BC/AsymmetricEd25519Algorithm.cs b/src/wan24-Crypto-BC/AsymmetricEd25519Algorithm.cs index 06fc190..23a6f68 100644 --- a/src/wan24-Crypto-BC/AsymmetricEd25519Algorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricEd25519Algorithm.cs @@ -74,6 +74,7 @@ public override AsymmetricEd25519PrivateKey CreateKeyPair(CryptoOptions? options { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); Ed25519KeyPairGenerator keyGen = new(); diff --git a/src/wan24-Crypto-BC/AsymmetricEd448Algorithm.cs b/src/wan24-Crypto-BC/AsymmetricEd448Algorithm.cs index aadfa80..c2e5246 100644 --- a/src/wan24-Crypto-BC/AsymmetricEd448Algorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricEd448Algorithm.cs @@ -75,6 +75,7 @@ public override AsymmetricEd448PrivateKey CreateKeyPair(CryptoOptions? options = { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); Ed448KeyPairGenerator keyGen = new(); diff --git a/src/wan24-Crypto-BC/AsymmetricSNtruPrimeAlgorithm.cs b/src/wan24-Crypto-BC/AsymmetricSNtruPrimeAlgorithm.cs index 85c3748..93b66be 100644 --- a/src/wan24-Crypto-BC/AsymmetricSNtruPrimeAlgorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricSNtruPrimeAlgorithm.cs @@ -76,6 +76,7 @@ public override AsymmetricSNtruPrimePrivateKey CreateKeyPair(CryptoOptions? opti { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); SNtruPrimeKeyPairGenerator keyGen = new(); diff --git a/src/wan24-Crypto-BC/AsymmetricX25519Algorithm.cs b/src/wan24-Crypto-BC/AsymmetricX25519Algorithm.cs index 4079781..167b95e 100644 --- a/src/wan24-Crypto-BC/AsymmetricX25519Algorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricX25519Algorithm.cs @@ -74,6 +74,7 @@ public override AsymmetricX25519PrivateKey CreateKeyPair(CryptoOptions? options { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); X25519KeyPairGenerator keyGen = new(); diff --git a/src/wan24-Crypto-BC/AsymmetricX25519PrivateKey.cs b/src/wan24-Crypto-BC/AsymmetricX25519PrivateKey.cs index 19579f2..d6d6e4d 100644 --- a/src/wan24-Crypto-BC/AsymmetricX25519PrivateKey.cs +++ b/src/wan24-Crypto-BC/AsymmetricX25519PrivateKey.cs @@ -46,7 +46,7 @@ public override (byte[] Key, byte[] KeyExchangeData) GetKeyExchangeData(IAsymmet try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + Algorithm.EnsureAllowed(); publicKey ??= options?.PublicKey ?? options?.PrivateKey?.PublicKey ?? PublicKey; if (publicKey is not AsymmetricX25519PublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); return (DeriveKey(publicKey), PublicKey.KeyData.Array.CloneArray()); @@ -66,7 +66,7 @@ public override byte[] DeriveKey(byte[] keyExchangeData) try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + EnsurePqcRequirement(); using AsymmetricX25519PublicKey publicKey = new(keyExchangeData); return DeriveKey(publicKey as IAsymmetricPublicKey); } @@ -82,7 +82,7 @@ public override byte[] DeriveKey(IAsymmetricPublicKey publicKey) try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + EnsurePqcRequirement(); if (publicKey is not AsymmetricX25519PublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); X25519Agreement agreement = new(); agreement.Init(PrivateKey); diff --git a/src/wan24-Crypto-BC/AsymmetricX448Algorithm.cs b/src/wan24-Crypto-BC/AsymmetricX448Algorithm.cs index c02c03b..f55eb07 100644 --- a/src/wan24-Crypto-BC/AsymmetricX448Algorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricX448Algorithm.cs @@ -75,6 +75,7 @@ public override AsymmetricX448PrivateKey CreateKeyPair(CryptoOptions? options = { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); X448KeyPairGenerator keyGen = new(); diff --git a/src/wan24-Crypto-BC/AsymmetricX448PrivateKey.cs b/src/wan24-Crypto-BC/AsymmetricX448PrivateKey.cs index aa9c58f..ade2471 100644 --- a/src/wan24-Crypto-BC/AsymmetricX448PrivateKey.cs +++ b/src/wan24-Crypto-BC/AsymmetricX448PrivateKey.cs @@ -67,7 +67,7 @@ public override (byte[] Key, byte[] KeyExchangeData) GetKeyExchangeData(IAsymmet try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + Algorithm.EnsureAllowed(); publicKey ??= options?.PublicKey ?? options?.PrivateKey?.PublicKey ?? PublicKey; if (publicKey is not AsymmetricX448PublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); return (DeriveKey(publicKey), PublicKey.KeyData.Array.CloneArray()); @@ -87,7 +87,7 @@ public override byte[] DeriveKey(byte[] keyExchangeData) try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + EnsurePqcRequirement(); using AsymmetricX448PublicKey publicKey = new(keyExchangeData); return DeriveKey(publicKey as IAsymmetricPublicKey); } @@ -103,7 +103,7 @@ public override byte[] DeriveKey(IAsymmetricPublicKey publicKey) try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + EnsurePqcRequirement(); if (publicKey is not AsymmetricX448PublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); X448Agreement agreement = new(); agreement.Init(PrivateKey); diff --git a/src/wan24-Crypto-BC/AsymmetricXEd25519Algorithm.cs b/src/wan24-Crypto-BC/AsymmetricXEd25519Algorithm.cs index 080521d..d384e39 100644 --- a/src/wan24-Crypto-BC/AsymmetricXEd25519Algorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricXEd25519Algorithm.cs @@ -74,6 +74,7 @@ public override AsymmetricXEd25519PrivateKey CreateKeyPair(CryptoOptions? option { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); Ed25519KeyPairGenerator keyGen = new(); diff --git a/src/wan24-Crypto-BC/AsymmetricXEd25519PrivateKey.cs b/src/wan24-Crypto-BC/AsymmetricXEd25519PrivateKey.cs index 399e5fc..e83055d 100644 --- a/src/wan24-Crypto-BC/AsymmetricXEd25519PrivateKey.cs +++ b/src/wan24-Crypto-BC/AsymmetricXEd25519PrivateKey.cs @@ -86,7 +86,7 @@ public override (byte[] Key, byte[] KeyExchangeData) GetKeyExchangeData(IAsymmet try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + Algorithm.EnsureAllowed(); publicKey ??= options?.PublicKey ?? options?.PrivateKey?.PublicKey ?? PublicKey; if (publicKey is not AsymmetricXEd25519PublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); return GetX25519Key().GetKeyExchangeData(key._PublicKey2 ?? throw new InvalidOperationException(), options); diff --git a/src/wan24-Crypto-BC/AsymmetricXEd448Algorithm.cs b/src/wan24-Crypto-BC/AsymmetricXEd448Algorithm.cs index b5846fd..c587a37 100644 --- a/src/wan24-Crypto-BC/AsymmetricXEd448Algorithm.cs +++ b/src/wan24-Crypto-BC/AsymmetricXEd448Algorithm.cs @@ -3,6 +3,7 @@ using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Security; using System.Collections.Frozen; +using System.Security; using wan24.Core; namespace wan24.Crypto.BC @@ -75,6 +76,7 @@ public override AsymmetricXEd448PrivateKey CreateKeyPair(CryptoOptions? options { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); Ed448KeyPairGenerator keyGen = new(); diff --git a/src/wan24-Crypto-BC/AsymmetricXEd448PrivateKey.cs b/src/wan24-Crypto-BC/AsymmetricXEd448PrivateKey.cs index 4b6fc49..0095d3b 100644 --- a/src/wan24-Crypto-BC/AsymmetricXEd448PrivateKey.cs +++ b/src/wan24-Crypto-BC/AsymmetricXEd448PrivateKey.cs @@ -1,6 +1,7 @@ using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Crypto.Signers; +using System.Security; using wan24.Core; namespace wan24.Crypto.BC @@ -95,7 +96,7 @@ public override (byte[] Key, byte[] KeyExchangeData) GetKeyExchangeData(IAsymmet try { EnsureUndisposed(); - if (CryptoHelper.StrictPostQuantumSafety) throw new InvalidOperationException($"Post quantum safety-forced - {Algorithm.Name} isn't post quantum"); + Algorithm.EnsureAllowed(); publicKey ??= options?.PublicKey ?? options?.PrivateKey?.PublicKey ?? PublicKey; if (publicKey is not AsymmetricXEd448PublicKey key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); return GetX448Key().GetKeyExchangeData(key._PublicKey2 ?? throw new InvalidOperationException(), options); diff --git a/src/wan24-Crypto-BC/BcEllipticCurves.cs b/src/wan24-Crypto-BC/BcEllipticCurves.cs index d51842b..83e8163 100644 --- a/src/wan24-Crypto-BC/BcEllipticCurves.cs +++ b/src/wan24-Crypto-BC/BcEllipticCurves.cs @@ -26,7 +26,7 @@ public static class BcEllipticCurves /// /// Curve name /// Key size in bits - public static int GetKeySize(ECDomainParameters curve) + public static int GetKeySize(in ECDomainParameters curve) { if (curve.Equals(SECP256R1_CURVE)) return EllipticCurves.SECP256R1_KEY_SIZE; if (curve.Equals(SECP384R1_CURVE)) return EllipticCurves.SECP384R1_KEY_SIZE; @@ -39,12 +39,25 @@ public static int GetKeySize(ECDomainParameters curve) /// /// Key size in bits /// Curve name - public static ECDomainParameters GetCurve(int bits) => bits switch + public static ECDomainParameters GetCurve(in int bits) => bits switch { EllipticCurves.SECP256R1_KEY_SIZE => SECP256R1_CURVE, EllipticCurves.SECP384R1_KEY_SIZE => SECP384R1_CURVE, EllipticCurves.SECP521R1_KEY_SIZE => SECP521R1_CURVE, _ => throw new ArgumentException("Unknown key size", nameof(bits)) }; + + /// + /// Determine if an elliptic curve is allowed + /// + /// Curve + /// If the elliptic curve is allowed + public static bool IsCurveAllowed(in ECDomainParameters curve) => EllipticCurves.IsCurveAllowed(GetKeySize(curve)); + + /// + /// Deny an elliptic curve + /// + /// Curve + public static void DenyCurve(in ECDomainParameters curve) => EllipticCurves.DenyCurve(GetKeySize(curve)); } } diff --git a/src/wan24-Crypto-BC/BouncyCastle.cs b/src/wan24-Crypto-BC/BouncyCastle.cs index cfd20fd..422cfca 100644 --- a/src/wan24-Crypto-BC/BouncyCastle.cs +++ b/src/wan24-Crypto-BC/BouncyCastle.cs @@ -1,4 +1,8 @@ -namespace wan24.Crypto.BC + +//TODO Add v2 SEIPD encryption algorithms as an alternate to AEAD +//TODO Add Argon2 S2K KDF algorithm + +namespace wan24.Crypto.BC { /// /// Bouncy Castle helper diff --git a/src/wan24-Crypto-BC/BouncyCastleAeadCipherAlgorithmBase.cs b/src/wan24-Crypto-BC/BouncyCastleAeadCipherAlgorithmBase.cs index 16e9434..04810f9 100644 --- a/src/wan24-Crypto-BC/BouncyCastleAeadCipherAlgorithmBase.cs +++ b/src/wan24-Crypto-BC/BouncyCastleAeadCipherAlgorithmBase.cs @@ -31,6 +31,7 @@ protected sealed override ICryptoTransform GetEncryptor(Stream cipherData, Crypt { try { + EnsureAllowed(); IBufferedCipher cipher = CreateCipher(forEncryption: true, options); byte[] iv = CreateIvBytes(); cipher.Init(forEncryption: true, CreateParameters(iv, options)); @@ -52,6 +53,7 @@ protected sealed override async Task GetEncryptorAsync(Stream { try { + EnsureAllowed(); IBufferedCipher cipher = CreateCipher(forEncryption: true, options); byte[] iv = CreateIvBytes(); cipher.Init(forEncryption: true, CreateParameters(iv, options)); diff --git a/src/wan24-Crypto-BC/BouncyCastleAsymmetricAlgorithmBase.cs b/src/wan24-Crypto-BC/BouncyCastleAsymmetricAlgorithmBase.cs index a984a69..8325839 100644 --- a/src/wan24-Crypto-BC/BouncyCastleAsymmetricAlgorithmBase.cs +++ b/src/wan24-Crypto-BC/BouncyCastleAsymmetricAlgorithmBase.cs @@ -54,6 +54,7 @@ public override tPrivate CreateKeyPair(CryptoOptions? options = null) { try { + EnsureAllowed(); options ??= DefaultOptions; if (!options.AsymmetricKeyBits.In(AllowedKeySizes)) throw new ArgumentException("Invalid key size", nameof(options)); tKeyGen keyGen = new(); diff --git a/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase.cs b/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase.cs index 12215ba..8e0daa0 100644 --- a/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase.cs +++ b/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase.cs @@ -53,6 +53,8 @@ public override byte[] SignHashRaw(byte[] hash) try { EnsureUndisposed(); + Algorithm.EnsureAllowed(); + EnsureAllowedCurve(); tSigner signer = new(); signer.Init(forSigning: true, PrivateKey); signer.BlockUpdate(hash); diff --git a/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase2.cs b/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase2.cs index 7735bb6..6954764 100644 --- a/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase2.cs +++ b/src/wan24-Crypto-BC/BouncyCastleAsymmetricNonPqcPrivateSignatureKeyBase2.cs @@ -53,6 +53,8 @@ public override byte[] SignHashRaw(byte[] hash) try { EnsureUndisposed(); + Algorithm.EnsureAllowed(); + EnsureAllowedCurve(); tSigner signer = Activator.CreateInstance(typeof(tSigner), Array.Empty()) as tSigner ?? throw CryptographicException.From(new InvalidProgramException($"Failed to instance {typeof(tSigner)}")); signer.Init(forSigning: true, PrivateKey); diff --git a/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateKeyExchangeKeyBase.cs b/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateKeyExchangeKeyBase.cs index 1a9f6d8..f69d8b5 100644 --- a/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateKeyExchangeKeyBase.cs +++ b/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateKeyExchangeKeyBase.cs @@ -57,6 +57,7 @@ public override (byte[] Key, byte[] KeyExchangeData) GetKeyExchangeData(IAsymmet try { EnsureUndisposed(); + Algorithm.EnsureAllowed(); publicKey ??= options?.PublicKey ?? options?.PrivateKey?.PublicKey ?? PublicKey; if (publicKey is not tPublic key) throw new ArgumentException($"Public {Algorithm.Name} key required", nameof(publicKey)); tGenerator generator = Activator.CreateInstance(typeof(tGenerator), new SecureRandom(BouncyCastleRandomGenerator.Instance())) as tGenerator diff --git a/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateSignatureKeyBase.cs b/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateSignatureKeyBase.cs index 9c79861..5ccb18b 100644 --- a/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateSignatureKeyBase.cs +++ b/src/wan24-Crypto-BC/BouncyCastleAsymmetricPqcPrivateSignatureKeyBase.cs @@ -54,6 +54,7 @@ public sealed override byte[] SignHashRaw(byte[] hash) try { EnsureUndisposed(); + Algorithm.EnsureAllowed(); tSigner signer = new(); signer.Init(forSigning: true, PrivateKey); return signer.GenerateSignature(hash); diff --git a/src/wan24-Crypto-BC/BouncyCastleBlockCipherAlgorithmBase.cs b/src/wan24-Crypto-BC/BouncyCastleBlockCipherAlgorithmBase.cs index d814917..bb16bcf 100644 --- a/src/wan24-Crypto-BC/BouncyCastleBlockCipherAlgorithmBase.cs +++ b/src/wan24-Crypto-BC/BouncyCastleBlockCipherAlgorithmBase.cs @@ -45,6 +45,7 @@ protected sealed override ICryptoTransform GetEncryptor(Stream cipherData, Crypt { try { + EnsureAllowed(); IBlockCipher cipher = CreateCipher(forEncryption: true, options); byte[] iv = CreateIvBytes(); cipher.Init(forEncryption: true, CreateParameters(iv, options)); @@ -66,6 +67,7 @@ protected sealed override async Task GetEncryptorAsync(Stream { try { + EnsureAllowed(); IBlockCipher cipher = CreateCipher(forEncryption: true, options); byte[] iv = CreateIvBytes(); cipher.Init(forEncryption: true, CreateParameters(iv, options)); diff --git a/src/wan24-Crypto-BC/StreamCipherRng.cs b/src/wan24-Crypto-BC/StreamCipherRng.cs index 6288744..13adb77 100644 --- a/src/wan24-Crypto-BC/StreamCipherRng.cs +++ b/src/wan24-Crypto-BC/StreamCipherRng.cs @@ -43,6 +43,7 @@ public StreamCipherRng( Algorithm = algorithm; try { + algorithm.EnsureAllowed(); if (algorithm.BlockSize != 1) throw new ArgumentException("Stream cipher required", nameof(algorithm)); if (bufferSize.HasValue && bufferSize.Value < Algorithm.IvSize) throw new ArgumentOutOfRangeException(nameof(bufferSize), $"Min. buffer size for {algorithm.DisplayName} is {algorithm.IvSize} byte"); diff --git a/src/wan24-Crypto-BC/wan24-Crypto-BC.csproj b/src/wan24-Crypto-BC/wan24-Crypto-BC.csproj index b9f63cd..66ec935 100644 --- a/src/wan24-Crypto-BC/wan24-Crypto-BC.csproj +++ b/src/wan24-Crypto-BC/wan24-Crypto-BC.csproj @@ -9,7 +9,7 @@ True wan24-Crypto-BC wan24-Crypto-BC - 3.3.0 + 3.4.0 nd1012 Andreas Zimmermann, wan24.de wan24-Crypto-BC @@ -33,8 +33,8 @@ - - + +