DSInternals/Src/DSInternals.Replication/ReplicationSecretDecryptor.cs

64 lines
2.0 KiB
C#
Raw Permalink Normal View History

2015-12-26 22:44:43 +00:00
using DSInternals.Common;
using DSInternals.Common.Cryptography;
using System;
namespace DSInternals.Replication
{
public class ReplicationSecretDecryptor : DirectorySecretDecryptor
{
private const int SaltOffset = 0;
private const int EncryptedBlobMinSize = SaltSize + 1;
2015-12-26 22:44:43 +00:00
private byte[] key;
public override byte[] CurrentKey
{
get
{
return this.key;
}
}
public override SecretEncryptionType EncryptionType
{
get
{
2016-01-02 15:27:44 +00:00
return SecretEncryptionType.ReplicationRC4WithSalt;
2015-12-26 22:44:43 +00:00
}
}
public ReplicationSecretDecryptor(byte[] key)
{
Validator.AssertNotNull(key, "key");
// Session key size: NTLM - 16B, Kerberos - 32B
Validator.AssertMinLength(key, KeySize, "key");
2015-12-26 22:44:43 +00:00
this.key = key;
}
public override byte[] DecryptSecret(byte[] blob)
{
// Blob structure: Salt (16B), Encrypted secret (rest)
Validator.AssertMinLength(blob, EncryptedBlobMinSize, "blob");
2015-12-26 22:44:43 +00:00
// Extract salt and the actual encrypted data from the blob
byte[] salt = blob.Cut(SaltOffset, SaltSize);
byte[] encryptedSecret = blob.Cut(SaltOffset + SaltSize);
// Perform decryption
byte[] decryptedBlob = DecryptUsingRC4(encryptedSecret, salt, this.CurrentKey);
// The blob is prepended with CRC
byte[] decryptedSecret;
uint expectedCrc = BitConverter.ToUInt32(decryptedBlob, 0);
decryptedSecret = decryptedBlob.Cut(sizeof(uint));
Validator.AssertCrcMatches(decryptedSecret, expectedCrc);
return decryptedSecret;
}
public override byte[] EncryptSecret(byte[] secret)
{
throw new NotImplementedException("We will never act as a replication source so secret encryption is out of scope.");
}
2015-12-26 22:44:43 +00:00
}
}