Kiu/xenadmin
1
0
Fork 0
mirror of https://github.com/xcp-ng/xenadmin.git synced 2024-11-23 12:30:50 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

CA-350574: Corrections to signing an appliance.

Browse Source 
Also, removed listing of CryptoServiceProviders from the settings.

Signed-off-by: Konstantina Chremmou <konstantina.chremmou@citrix.com>
This commit is contained in:
Konstantina Chremmou 2021-01-09 01:49:13 +00:00
parent bbad0e5cf8
commit 9a5c664eb0
6 changed files with 71 additions and 294 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
XenCenterLib/StreamUtilities.cs
View File

@ -33,11 +33,31 @@ using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
namespace XenCenterLib
{
public static class StreamUtilities
{
private enum HashMethod
{
Sha1,
Sha256
}
private static string StringOf(this HashMethod method)
{
switch (method)
{
case HashMethod.Sha1:
return "SHA1";
case HashMethod.Sha256:
return "SHA256";
default:
throw new ArgumentOutOfRangeException(nameof(method), method, null);
}
}
/// <summary>
/// Perform a copy of the contents of one stream class to another in a buffered fashion
///
@ -65,7 +85,39 @@ namespace XenCenterLib
outputData.Flush();
}
public static bool VerifyAgainstDigest(Stream stream, long limit, string algorithmName, byte[] digest, RSACryptoServiceProvider cryptoServiceProvider = null)
public static byte[] ComputeHash(Stream stream, out string hashAlgorithm)
{
hashAlgorithm = HashMethod.Sha256.StringOf();
using (var hasher = HashAlgorithm.Create(hashAlgorithm))
return hasher?.ComputeHash(stream);
}
public static byte[] ComputeSignedHash(Stream stream, X509Certificate2 certificate, out string hashAlgorithm)
{
hashAlgorithm = HashMethod.Sha256.StringOf();
if (!certificate.SignatureAlgorithm.FriendlyName.ToUpper().Contains(hashAlgorithm))
{
hashAlgorithm = HashMethod.Sha1.StringOf();
if (!certificate.SignatureAlgorithm.FriendlyName.ToUpper().Contains(hashAlgorithm))
throw new NotSupportedException("Unsupported hash algorithm");
}
byte[] hash;
using (var hasher = HashAlgorithm.Create(hashAlgorithm))
hash = hasher?.ComputeHash(stream);
if (hash == null || !(certificate.PrivateKey is RSACryptoServiceProvider csp))
return null;
if (hashAlgorithm == HashMethod.Sha256.StringOf())
return csp.SignData(hash, CryptoConfig.MapNameToOID(hashAlgorithm));
return csp.SignHash(hash, CryptoConfig.MapNameToOID(hashAlgorithm));
}
public static bool VerifyAgainstDigest(Stream stream, long limit, string algorithmName, byte[] digest, X509Certificate2 certificate = null)
{
int bytesRead = 0;
long offset = 0;
@ -102,9 +154,16 @@ namespace XenCenterLib
// Compute the final hash.
hashAlgorithm.TransformFinalBlock(buffer, bytesRead / 2, bytesRead / 2 + bytesRead % 2);
return cryptoServiceProvider == null
? digest.SequenceEqual(hashAlgorithm.Hash)
: cryptoServiceProvider.VerifyHash(hashAlgorithm.Hash, CryptoConfig.MapNameToOID(algorithmName), digest);
if (certificate == null)
return digest.SequenceEqual(hashAlgorithm.Hash);
if (!(certificate.PublicKey.Key is RSACryptoServiceProvider csp))
return false;
if (algorithmName == HashMethod.Sha256.StringOf())
return csp.VerifyData(hashAlgorithm.Hash, CryptoConfig.MapNameToOID(algorithmName), digest);
return csp.VerifyHash(hashAlgorithm.Hash, CryptoConfig.MapNameToOID(algorithmName), digest);
}
}
}

19
XenModel/Actions/OvfActions/ExportApplianceAction.cs
View File

@ -33,11 +33,11 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using XenAdmin.Core;
using XenAdmin.Network;
using XenAPI;
using XenCenterLib;
using XenCenterLib.Compression;
using XenOvf;
using XenOvf.Definitions;
@ -197,10 +197,9 @@ namespace XenAdmin.Actions.OvfActions
log.Info($"Calculating checksum for file {mf}");
using (FileStream stream = new FileStream(mfPath, FileMode.Open, FileAccess.Read))
using (var hasher = HashAlgorithm.Create(FileDigest.DEFAULT_HASHING_ALGORITHM))
{
var hash = hasher?.ComputeHash(stream);
fileDigests.Add(new FileDigest(Path.GetFileName(mf), hash));
var hash = StreamUtilities.ComputeHash(stream, out var hashAlgorithm);
fileDigests.Add(new FileDigest(Path.GetFileName(mf), hash, hashAlgorithm));
}
}
@ -229,19 +228,13 @@ namespace XenAdmin.Actions.OvfActions
CheckForCancellation();
byte[] signedHash = null;
FileDigest fileDigest;
using (FileStream stream = new FileStream(manifestPath, FileMode.Open, FileAccess.Read, FileShare.Read))
using (var hasher = HashAlgorithm.Create(FileDigest.DEFAULT_HASHING_ALGORITHM))
{
var hash = hasher?.ComputeHash(stream);
if (hash != null)
{
using (var csp = (RSACryptoServiceProvider)certificate.PrivateKey)
signedHash = csp.SignHash(hash, CryptoConfig.MapNameToOID(FileDigest.DEFAULT_HASHING_ALGORITHM));
}
var signedHash = StreamUtilities.ComputeSignedHash(stream, certificate, out var hashAlgorithm);
fileDigest = new FileDigest(manifestFileName, signedHash, hashAlgorithm);
}
var fileDigest = new FileDigest(manifestFileName, signedHash);
string signatureFileName = packageName + Package.CERTIFICATE_EXT;
string signaturePath = Path.Combine(pathToOvf, signatureFileName);

7
XenOvfApi/Package.cs
View File

@ -33,7 +33,6 @@ using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using XenCenterLib;
@ -49,8 +48,6 @@ namespace XenOvf
/// </summary>
public class FileDigest
{
public const string DEFAULT_HASHING_ALGORITHM = "SHA256";
/// <summary>
/// Creates a new instance from a line in the manifest.
/// </summary>
@ -71,7 +68,7 @@ namespace XenOvf
Digest = ToArray(DigestAsString);
}
public FileDigest(string fileName, byte[] digest, string hashingAlgorithm = DEFAULT_HASHING_ALGORITHM)
public FileDigest(string fileName, byte[] digest, string hashingAlgorithm)
{
AlgorithmName = hashingAlgorithm;
Name = fileName;
@ -592,7 +589,7 @@ namespace XenOvf
// Do this independently to minimize the number of files opened concurrently.
using (Stream stream = new MemoryStream(RawManifest))
{
if (!StreamUtilities.VerifyAgainstDigest(stream, stream.Length, fileDigest.AlgorithmName, fileDigest.Digest, certificate.PublicKey.Key as RSACryptoServiceProvider))
if (!StreamUtilities.VerifyAgainstDigest(stream, stream.Length, fileDigest.AlgorithmName, fileDigest.Digest, certificate))
throw new Exception(string.Format(Messages.SECURITY_SIGNATURE_FAILED, fileDigest.Name));
}
}

162
XenOvfApi/Properties/Settings.Designer.cs generated
View File

@ -367,15 +367,6 @@ namespace XenOvf.Properties {
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RijndaelManaged")]
public string encryptMicrosoftAlgorithmClass {
get {
return ((string)(this["encryptMicrosoftAlgorithmClass"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("192")]
@ -403,141 +394,6 @@ namespace XenOvf.Properties {
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.TripleDESCryptoServiceProvider")]
public string tripledes_cbc {
get {
return ((string)(this["tripledes_cbc"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RijndaelManaged")]
public string aes128_cbc {
get {
return ((string)(this["aes128_cbc"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RijndaelManaged")]
public string aes256_cbc {
get {
return ((string)(this["aes256_cbc"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RijndaelManaged")]
public string aes192_cbc {
get {
return ((string)(this["aes192_cbc"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RSACryptoServiceProvider")]
public string rsa_1_5 {
get {
return ((string)(this["rsa_1_5"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RSACryptoServiceProvider")]
public string rsa_oaep_mgf1p {
get {
return ((string)(this["rsa_oaep_mgf1p"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.TripleDESCryptoServiceProvider")]
public string kw_tripledes {
get {
return ((string)(this["kw_tripledes"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RijndaelManaged")]
public string kw_aes128 {
get {
return ((string)(this["kw_aes128"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RijndaelManaged")]
public string kw_aes256 {
get {
return ((string)(this["kw_aes256"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RijndaelManaged")]
public string kw_aes192 {
get {
return ((string)(this["kw_aes192"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.SHA1CryptoServiceProvider")]
public string sha1 {
get {
return ((string)(this["sha1"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.SHA256CryptoServiceProvider")]
public string sha256 {
get {
return ((string)(this["sha256"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.FromBase64Transform")]
public string base64 {
get {
return ((string)(this["base64"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.SHA384CryptoServiceProvider")]
public string sha384 {
get {
return ((string)(this["sha384"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.SHA512CryptoServiceProvider")]
public string sha512 {
get {
return ((string)(this["sha512"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("xen-3.0-unknown")]
@ -601,24 +457,6 @@ namespace XenOvf.Properties {
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.DESCryptoServiceProvider")]
public string des {
get {
return ((string)(this["des"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("System.Security.Cryptography.RC2CryptoServiceProvider\r\n")]
public string rc2 {
get {
return ((string)(this["rc2"]));
}
}
[global::System.Configuration.ApplicationScopedSettingAttribute()]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Configuration.DefaultSettingValueAttribute("True")]

55
XenOvfApi/Properties/Settings.settings
View File

@ -116,9 +116,6 @@
<Setting Name="xmldsigSchemaLocation" Type="System.String" Scope="Application">
<Value Profile="(Default)">Schemas\xmldsig-core-schema.xsd</Value>
</Setting>
<Setting Name="encryptMicrosoftAlgorithmClass" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RijndaelManaged</Value>
</Setting>
<Setting Name="encryptKeyLength" Type="System.String" Scope="Application">
<Value Profile="(Default)">192</Value>
</Setting>
@ -128,51 +125,6 @@
<Setting Name="encryptKeyName" Type="System.String" Scope="Application">
<Value Profile="(Default)">CitrixEncryptedKey</Value>
</Setting>
<Setting Name="tripledes_cbc" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.TripleDESCryptoServiceProvider</Value>
</Setting>
<Setting Name="aes128_cbc" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RijndaelManaged</Value>
</Setting>
<Setting Name="aes256_cbc" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RijndaelManaged</Value>
</Setting>
<Setting Name="aes192_cbc" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RijndaelManaged</Value>
</Setting>
<Setting Name="rsa_1_5" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RSACryptoServiceProvider</Value>
</Setting>
<Setting Name="rsa_oaep_mgf1p" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RSACryptoServiceProvider</Value>
</Setting>
<Setting Name="kw_tripledes" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.TripleDESCryptoServiceProvider</Value>
</Setting>
<Setting Name="kw_aes128" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RijndaelManaged</Value>
</Setting>
<Setting Name="kw_aes256" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RijndaelManaged</Value>
</Setting>
<Setting Name="kw_aes192" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RijndaelManaged</Value>
</Setting>
<Setting Name="sha1" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.SHA1CryptoServiceProvider</Value>
</Setting>
<Setting Name="sha256" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.SHA256CryptoServiceProvider</Value>
</Setting>
<Setting Name="base64" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.FromBase64Transform</Value>
</Setting>
<Setting Name="sha384" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.SHA384CryptoServiceProvider</Value>
</Setting>
<Setting Name="sha512" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.SHA512CryptoServiceProvider</Value>
</Setting>
<Setting Name="xenDefaultPVVirtualSystemType" Type="System.String" Scope="Application">
<Value Profile="(Default)">xen-3.0-unknown</Value>
</Setting>
@ -194,13 +146,6 @@
<Setting Name="xenDeviceKey" Type="System.String" Scope="Application">
<Value Profile="(Default)">device=</Value>
</Setting>
<Setting Name="des" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.DESCryptoServiceProvider</Value>
</Setting>
<Setting Name="rc2" Type="System.String" Scope="Application">
<Value Profile="(Default)">System.Security.Cryptography.RC2CryptoServiceProvider
</Value>
</Setting>
<Setting Name="useGZip" Type="System.Boolean" Scope="Application">
<Value Profile="(Default)">True</Value>
</Setting>

55
XenOvfApi/app.config
View File

@ -121,9 +121,6 @@
<setting name="xmldsigSchemaLocation" serializeAs="String">
<value>Schemas\xmldsig-core-schema.xsd</value>
</setting>
<setting name="encryptMicrosoftAlgorithmClass" serializeAs="String">
<value>System.Security.Cryptography.RijndaelManaged</value>
</setting>
<setting name="encryptKeyLength" serializeAs="String">
<value>192</value>
</setting>
@ -133,51 +130,6 @@
<setting name="encryptKeyName" serializeAs="String">
<value>CitrixEncryptedKey</value>
</setting>
<setting name="tripledes_cbc" serializeAs="String">
<value>System.Security.Cryptography.TripleDESCryptoServiceProvider</value>
</setting>
<setting name="aes128_cbc" serializeAs="String">
<value>System.Security.Cryptography.RijndaelManaged</value>
</setting>
<setting name="aes256_cbc" serializeAs="String">
<value>System.Security.Cryptography.RijndaelManaged</value>
</setting>
<setting name="aes192_cbc" serializeAs="String">
<value>System.Security.Cryptography.RijndaelManaged</value>
</setting>
<setting name="rsa_1_5" serializeAs="String">
<value>System.Security.Cryptography.RSACryptoServiceProvider</value>
</setting>
<setting name="rsa_oaep_mgf1p" serializeAs="String">
<value>System.Security.Cryptography.RSACryptoServiceProvider</value>
</setting>
<setting name="kw_tripledes" serializeAs="String">
<value>System.Security.Cryptography.TripleDESCryptoServiceProvider</value>
</setting>
<setting name="kw_aes128" serializeAs="String">
<value>System.Security.Cryptography.RijndaelManaged</value>
</setting>
<setting name="kw_aes256" serializeAs="String">
<value>System.Security.Cryptography.RijndaelManaged</value>
</setting>
<setting name="kw_aes192" serializeAs="String">
<value>System.Security.Cryptography.RijndaelManaged</value>
</setting>
<setting name="sha1" serializeAs="String">
<value>System.Security.Cryptography.SHA1CryptoServiceProvider</value>
</setting>
<setting name="sha256" serializeAs="String">
<value>System.Security.Cryptography.SHA256CryptoServiceProvider</value>
</setting>
<setting name="base64" serializeAs="String">
<value>System.Security.Cryptography.FromBase64Transform</value>
</setting>
<setting name="sha384" serializeAs="String">
<value>System.Security.Cryptography.SHA384CryptoServiceProvider</value>
</setting>
<setting name="sha512" serializeAs="String">
<value>System.Security.Cryptography.SHA512CryptoServiceProvider</value>
</setting>
<setting name="xenDefaultPVVirtualSystemType" serializeAs="String">
<value>xen-3.0-unknown</value>
</setting>
@ -199,13 +151,6 @@
<setting name="xenDeviceKey" serializeAs="String">
<value>device=</value>
</setting>
<setting name="des" serializeAs="String">
<value>System.Security.Cryptography.DESCryptoServiceProvider</value>
</setting>
<setting name="rc2" serializeAs="String">
<value>System.Security.Cryptography.RC2CryptoServiceProvider
</value>
</setting>
<setting name="useGZip" serializeAs="String">
<value>True</value>
</setting>