update/crypto (#41)

Updated cryptography components to separate out public/private key requirements, especially those relating to PKCS8 format keys.

Author: MrMatthewLayton

.run/Build.run.xml

@@ -0,0 +1,17 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="Build" type="ShConfigurationType">
+    <option name="SCRIPT_TEXT" value="dotnet build" />
+    <option name="INDEPENDENT_SCRIPT_PATH" value="true" />
+    <option name="SCRIPT_PATH" value="" />
+    <option name="SCRIPT_OPTIONS" value="" />
+    <option name="INDEPENDENT_SCRIPT_WORKING_DIRECTORY" value="true" />
+    <option name="SCRIPT_WORKING_DIRECTORY" value="$PROJECT_DIR$" />
+    <option name="INDEPENDENT_INTERPRETER_PATH" value="true" />
+    <option name="INTERPRETER_PATH" value="/bin/zsh" />
+    <option name="INTERPRETER_OPTIONS" value="" />
+    <option name="EXECUTE_IN_TERMINAL" value="true" />
+    <option name="EXECUTE_SCRIPT_FILE" value="false" />
+    <envs />
+    <method v="2" />
+  </configuration>
+</component>

OnixLabs.Security.Cryptography.UnitTests.Data/TestPrivateKey.cs

@@ -12,13 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-using System.Security.Cryptography;
-
 namespace OnixLabs.Security.Cryptography.UnitTests.Data;
 
-public sealed class TestPrivateKey(ReadOnlySpan<byte> value) : PrivateKey(value)
-{
-    public override PublicKey GetPublicKey() => new TestPublicKey([]);
-    public override byte[] ExportPkcs8PrivateKey() => [];
-    public override byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters) => [];
-}
+public sealed class TestPrivateKey(ReadOnlySpan<byte> value) : PrivateKey(value);

OnixLabs.Security.Cryptography.UnitTests/EcdsaKeyTests.cs

@@ -24,7 +24,7 @@ public void EcdsaSignAndVerifyWithTwoIdenticalKeysShouldSucceed()
     {
         // Given
         byte[] data = Salt.CreateNonZero(2048).ToByteArray();
-        HashAlgorithm algorithm = SHA256.Create();
+        using HashAlgorithm algorithm = SHA256.Create();
         IEcdsaPrivateKey privateKey1 = EcdsaPrivateKey.Create();
         IEcdsaPrivateKey privateKey2 = new EcdsaPrivateKey(privateKey1.ToByteArray());
         IEcdsaPublicKey publicKey1 = privateKey1.GetPublicKey();
@@ -40,4 +40,22 @@ public void EcdsaSignAndVerifyWithTwoIdenticalKeysShouldSucceed()
         Assert.True(publicKey2.IsDataValid(signature1, data, algorithm));
         Assert.True(publicKey2.IsDataValid(signature2, data, algorithm));
     }
+
+    [Fact(DisplayName = "ECDSA PKCS #8 round-trip sign and verify should succeed")]
+    public void EcdsaPkcs8RoundTripSignAndVerifyShouldSucceed()
+    {
+        // Given
+        byte[] data = Salt.CreateNonZero(2048).ToByteArray();
+        using HashAlgorithm algorithm = SHA256.Create();
+        PbeParameters parameters = new(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 10);
+        byte[] exportedPrivateKey = EcdsaPrivateKey.Create().ExportPkcs8PrivateKey("Password", parameters);
+        IEcdsaPrivateKey privateKey = EcdsaPrivateKey.ImportPkcs8PrivateKey(exportedPrivateKey, "Password");
+        IEcdsaPublicKey publicKey = privateKey.GetPublicKey();
+
+        // When
+        DigitalSignature signature = new(privateKey.SignData(data, algorithm));
+
+        // Then
+        Assert.True(publicKey.IsDataValid(signature, data, algorithm));
+    }
 }

OnixLabs.Security.Cryptography.UnitTests/RsaKeyTests.cs

@@ -41,4 +41,23 @@ public void RsaSignAndVerifyWithTwoIdenticalKeysShouldSucceed()
         Assert.True(publicKey2.IsDataValid(signature1, data, algorithm, padding));
         Assert.True(publicKey2.IsDataValid(signature2, data, algorithm, padding));
     }
+
+    [Fact(DisplayName = "ECDSA PKCS #8 round-trip sign and verify should succeed")]
+    public void EcdsaPkcs8RoundTripSignAndVerifyShouldSucceed()
+    {
+        // Given
+        byte[] data = Salt.CreateNonZero(2048).ToByteArray();
+        HashAlgorithmName algorithm = HashAlgorithmName.SHA256;
+        RSASignaturePadding padding = RSASignaturePadding.Pkcs1;
+        PbeParameters parameters = new(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 10);
+        byte[] exportedPrivateKey = RsaPrivateKey.Create().ExportPkcs8PrivateKey("Password", parameters);
+        IRsaPrivateKey privateKey = RsaPrivateKey.ImportPkcs8PrivateKey(exportedPrivateKey, "Password");
+        IRsaPublicKey publicKey = privateKey.GetPublicKey();
+
+        // When
+        DigitalSignature signature = new(privateKey.SignData(data, algorithm, padding));
+
+        // Then
+        Assert.True(publicKey.IsDataValid(signature, data, algorithm, padding));
+    }
 }

OnixLabs.Security.Cryptography/EcdsaPrivateKey.Export.cs

@@ -23,7 +23,7 @@ public sealed partial class EcdsaPrivateKey
     /// Exports the ECDSA cryptographic private key data in PKCS #8 format.
     /// </summary>
     /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the ECDSA cryptographic private key data in PKCS #8 format.</returns>
-    public override byte[] ExportPkcs8PrivateKey()
+    public byte[] ExportPkcs8PrivateKey()
     {
         using ECDsa key = ImportKeyData();
         return key.ExportPkcs8PrivateKey();
@@ -35,7 +35,7 @@ public override byte[] ExportPkcs8PrivateKey()
     /// <param name="password">The password to use for encryption.</param>
     /// <param name="parameters">The parameters required for password based encryption.</param>
     /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the ECDSA cryptographic private key data in PKCS #8 format.</returns>
-    public override byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters)
+    public byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters)
     {
         using ECDsa key = ImportKeyData();
         return key.ExportEncryptedPkcs8PrivateKey(password, parameters);

OnixLabs.Security.Cryptography/EcdsaPrivateKey.Get.cs

@@ -22,7 +22,7 @@ public sealed partial class EcdsaPrivateKey
     /// Gets the ECDSA cryptographic public key component from the current ECDSA cryptographic private key.
     /// </summary>
     /// <returns>Returns a new <see cref="EcdsaPublicKey"/> instance containing the ECDSA cryptographic public key component from the current ECDSA cryptographic private key.</returns>
-    public override EcdsaPublicKey GetPublicKey()
+    public EcdsaPublicKey GetPublicKey()
     {
         using ECDsa key = ImportKeyData();
         byte[] keyData = key.ExportSubjectPublicKeyInfo();

OnixLabs.Security.Cryptography/IEcdsaPrivateKey.cs

@@ -22,60 +22,8 @@ namespace OnixLabs.Security.Cryptography;
 /// <summary>
 /// Defines an ECDSA cryptographic private key.
 /// </summary>
-public interface IEcdsaPrivateKey : IBinaryConvertible
+public interface IEcdsaPrivateKey : IPublicKeyExportable<EcdsaPublicKey>, IPrivateKeyImportablePkcs8<EcdsaPrivateKey>, IPrivateKeyExportablePkcs8, IBinaryConvertible
 {
-    /// <summary>
-    /// Imports the ECDSA cryptographic private key data in PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <returns>Returns a new <see cref="EcdsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract EcdsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data);
-
-    /// <summary>
-    /// Imports the ECDSA cryptographic private key data in PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <param name="bytesRead">The number of bytes read from the input data.</param>
-    /// <returns>Returns a new <see cref="EcdsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract EcdsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, out int bytesRead);
-
-    /// <summary>
-    /// Imports the ECDSA cryptographic private key data in encrypted PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <param name="password">The password required for password based decryption.</param>
-    /// <returns>Returns a new <see cref="EcdsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract EcdsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, ReadOnlySpan<char> password);
-
-    /// <summary>
-    /// Imports the ECDSA cryptographic private key data in encrypted PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <param name="password">The password required for password based decryption.</param>
-    /// <param name="bytesRead">The number of bytes read from the input data.</param>
-    /// <returns>Returns a new <see cref="EcdsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract EcdsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, ReadOnlySpan<char> password, out int bytesRead);
-
-    /// <summary>
-    /// Exports the ECDSA cryptographic private key data in PKCS #8 format.
-    /// </summary>
-    /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the ECDSA cryptographic private key data in PKCS #8 format.</returns>
-    byte[] ExportPkcs8PrivateKey();
-
-    /// <summary>
-    /// Exports the ECDSA cryptographic private key data in encrypted PKCS #8 format.
-    /// </summary>
-    /// <param name="password">The password to use for encryption.</param>
-    /// <param name="parameters">The parameters required for password based encryption.</param>
-    /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the ECDSA cryptographic private key data in PKCS #8 format.</returns>
-    byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters);
-
-    /// <summary>
-    /// Gets the ECDSA cryptographic public key component from the current ECDSA cryptographic private key.
-    /// </summary>
-    /// <returns>Returns a new <see cref="EcdsaPublicKey"/> instance containing the ECDSA cryptographic public key component from the current ECDSA cryptographic private key.</returns>
-    EcdsaPublicKey GetPublicKey();
-
     /// <summary>
     /// Hashes the specified <see cref="ReadOnlySpan{T}"/> data and signs the resulting hash.
     /// </summary>

OnixLabs.Security.Cryptography/PrivateKey.Export.cs OnixLabs.Security.Cryptography/IPrivateKeyExportablePkcs8.cs

@@ -17,19 +17,22 @@
 
 namespace OnixLabs.Security.Cryptography;
 
-public abstract partial class PrivateKey
+/// <summary>
+/// Defines a cryptographic private key that can be exported in PKCS #8 format.
+/// </summary>
+public interface IPrivateKeyExportablePkcs8
 {
     /// <summary>
     /// Exports the cryptographic private key data in PKCS #8 format.
     /// </summary>
     /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the cryptographic private key data in PKCS #8 format.</returns>
-    public abstract byte[] ExportPkcs8PrivateKey();
+    byte[] ExportPkcs8PrivateKey();
 
     /// <summary>
     /// Exports the cryptographic private key data in encrypted PKCS #8 format.
     /// </summary>
     /// <param name="password">The password to use for encryption.</param>
     /// <param name="parameters">The parameters required for password based encryption.</param>
     /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the cryptographic private key data in PKCS #8 format.</returns>
-    public abstract byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters);
+    byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters);
 }

OnixLabs.Security.Cryptography/IPrivateKeyImportablePkcs8.cs

@@ -0,0 +1,56 @@
+// Copyright 2020 ONIXLabs
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+
+namespace OnixLabs.Security.Cryptography;
+
+/// <summary>
+/// Defines a cryptographic private key that can be imported in PKCS #8 format.
+/// </summary>
+/// <typeparam name="T">The underlying type of <see cref="PrivateKey"/> that the import functions will return.</typeparam>
+public interface IPrivateKeyImportablePkcs8<out T> where T : PrivateKey
+{
+    /// <summary>
+    /// Imports the cryptographic private key data in PKCS #8 format.
+    /// </summary>
+    /// <param name="data">The cryptographic private key data to import.</param>
+    /// <returns>Returns a new cryptographic private key from the imported data.</returns>
+    public static abstract T ImportPkcs8PrivateKey(ReadOnlySpan<byte> data);
+
+    /// <summary>
+    /// Imports the cryptographic private key data in PKCS #8 format.
+    /// </summary>
+    /// <param name="data">The cryptographic private key data to import.</param>
+    /// <param name="bytesRead">The number of bytes read from the input data.</param>
+    /// <returns>Returns a new cryptographic private key from the imported data.</returns>
+    public static abstract T ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, out int bytesRead);
+
+    /// <summary>
+    /// Imports the cryptographic private key data in encrypted PKCS #8 format.
+    /// </summary>
+    /// <param name="data">The cryptographic private key data to import.</param>
+    /// <param name="password">The password required for password based decryption.</param>
+    /// <returns>Returns a new cryptographic private key from the imported data.</returns>
+    public static abstract T ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, ReadOnlySpan<char> password);
+
+    /// <summary>
+    /// Imports the cryptographic private key data in encrypted PKCS #8 format.
+    /// </summary>
+    /// <param name="data">The cryptographic private key data to import.</param>
+    /// <param name="password">The password required for password based decryption.</param>
+    /// <param name="bytesRead">The number of bytes read from the input data.</param>
+    /// <returns>Returns a new cryptographic private key from the imported data.</returns>
+    public static abstract T ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, ReadOnlySpan<char> password, out int bytesRead);
+}

OnixLabs.Security.Cryptography/PrivateKey.Get.cs OnixLabs.Security.Cryptography/IPublicKeyExportable.cs

@@ -14,11 +14,15 @@
 
 namespace OnixLabs.Security.Cryptography;
 
-public abstract partial class PrivateKey
+/// <summary>
+/// Defines a cryptographic private key that can export a cryptographic public key component.
+/// </summary>
+/// <typeparam name="T">The underlying type of <see cref="PublicKey"/> that the cryptographic private key exports.</typeparam>
+public interface IPublicKeyExportable<out T> where T : PublicKey
 {
     /// <summary>
     /// Gets the cryptographic public key component from the current cryptographic private key.
     /// </summary>
-    /// <returns>Returns a new <see cref="PublicKey"/> instance containing the cryptographic public key component from the current cryptographic private key.</returns>
-    public abstract PublicKey GetPublicKey();
+    /// <returns>Returns the cryptographic public key component from the current cryptographic private key.</returns>
+    T GetPublicKey();
 }

OnixLabs.Security.Cryptography/IRsaPrivateKey.cs

@@ -22,60 +22,8 @@ namespace OnixLabs.Security.Cryptography;
 /// <summary>
 /// Defines an RSA cryptographic private key.
 /// </summary>
-public interface IRsaPrivateKey : IBinaryConvertible
+public interface IRsaPrivateKey : IPublicKeyExportable<RsaPublicKey>, IPrivateKeyImportablePkcs8<RsaPrivateKey>, IPrivateKeyExportablePkcs8, IBinaryConvertible
 {
-    /// <summary>
-    /// Imports the RSA cryptographic private key data in PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <returns>Returns a new <see cref="RsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract RsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data);
-
-    /// <summary>
-    /// Imports the RSA cryptographic private key data in PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <param name="bytesRead">The number of bytes read from the input data.</param>
-    /// <returns>Returns a new <see cref="RsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract RsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, out int bytesRead);
-
-    /// <summary>
-    /// Imports the RSA cryptographic private key data in encrypted PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <param name="password">The password required for password based decryption.</param>
-    /// <returns>Returns a new <see cref="RsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract RsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, ReadOnlySpan<char> password);
-
-    /// <summary>
-    /// Imports the RSA cryptographic private key data in encrypted PKCS #8 format.
-    /// </summary>
-    /// <param name="data">The cryptographic private key data to import.</param>
-    /// <param name="password">The password required for password based decryption.</param>
-    /// <param name="bytesRead">The number of bytes read from the input data.</param>
-    /// <returns>Returns a new <see cref="RsaPrivateKey"/> instance from the imported cryptographic private key data.</returns>
-    public static abstract RsaPrivateKey ImportPkcs8PrivateKey(ReadOnlySpan<byte> data, ReadOnlySpan<char> password, out int bytesRead);
-
-    /// <summary>
-    /// Exports the RSA cryptographic private key data in PKCS #8 format.
-    /// </summary>
-    /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the RSA cryptographic private key data in PKCS #8 format.</returns>
-    byte[] ExportPkcs8PrivateKey();
-
-    /// <summary>
-    /// Exports the RSA cryptographic private key data in encrypted PKCS #8 format.
-    /// </summary>
-    /// <param name="password">The password to use for encryption.</param>
-    /// <param name="parameters">The parameters required for password based encryption.</param>
-    /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the RSA cryptographic private key data in PKCS #8 format.</returns>
-    byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters);
-
-    /// <summary>
-    /// Gets the RSA cryptographic public key component from the current RSA cryptographic private key.
-    /// </summary>
-    /// <returns>Returns a new <see cref="RsaPublicKey"/> instance containing the RSA cryptographic public key component from the current RSA cryptographic private key.</returns>
-    RsaPublicKey GetPublicKey();
-
     /// <summary>
     /// Hashes the specified <see cref="ReadOnlySpan{T}"/> data and signs the resulting hash.
     /// </summary>

OnixLabs.Security.Cryptography/RsaPrivateKey.Export.cs

@@ -23,7 +23,7 @@ public sealed partial class RsaPrivateKey
     /// Exports the RSA cryptographic private key data in PKCS #8 format.
     /// </summary>
     /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the RSA cryptographic private key data in PKCS #8 format.</returns>
-    public override byte[] ExportPkcs8PrivateKey()
+    public byte[] ExportPkcs8PrivateKey()
     {
         using RSA key = ImportKeyData();
         return key.ExportPkcs8PrivateKey();
@@ -35,7 +35,7 @@ public override byte[] ExportPkcs8PrivateKey()
     /// <param name="password">The password to use for encryption.</param>
     /// <param name="parameters">The parameters required for password based encryption.</param>
     /// <returns>Returns a new <see cref="T:Byte[]"/> instance containing the RSA cryptographic private key data in PKCS #8 format.</returns>
-    public override byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters)
+    public byte[] ExportPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters parameters)
     {
         using RSA key = ImportKeyData();
         return key.ExportEncryptedPkcs8PrivateKey(password, parameters);