Eveldee
d7691e414b
Salt length depended on fingerprint name length, which lead to weak salts in some cases It's now a fixed length (12 bytes)
123 lines
3.7 KiB
C#
123 lines
3.7 KiB
C#
using Akari.Prototype.Server.Models;
|
|
using Akari.Prototype.Server.Utils;
|
|
using Isopoh.Cryptography.Argon2;
|
|
using Microsoft.Extensions.Hosting;
|
|
using Microsoft.Extensions.Logging;
|
|
using System;
|
|
using System.Collections.Concurrent;
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using System.Linq;
|
|
using System.Runtime.InteropServices;
|
|
using System.Security.Cryptography;
|
|
using System.Text;
|
|
using System.Text.Json;
|
|
using System.Threading;
|
|
using System.Threading.Tasks;
|
|
|
|
namespace Akari.Prototype.Server.Services
|
|
{
|
|
public sealed class AuthManager : IAuthManager, IDisposable
|
|
{
|
|
public const int AuthKeysLength = 256 / 8;
|
|
public const string SaltsPath = "auth_salts.json";
|
|
|
|
public IEnumerable<KeyValuePair<string, TimedEntry<AesGcm>>> Pairs => _keys;
|
|
|
|
private readonly ILogger<AuthManager> _logger;
|
|
private readonly IKeyManager _keyManager;
|
|
private readonly AkariPath _akariPath;
|
|
|
|
private IDictionary<string, TimedEntry<AesGcm>> _keys;
|
|
private IDictionary<string, string> _salts;
|
|
|
|
public AuthManager(ILogger<AuthManager> logger, IKeyManager keyManager, AkariPath akariPath)
|
|
{
|
|
_logger = logger;
|
|
_keyManager = keyManager;
|
|
_akariPath = akariPath;
|
|
|
|
_keys = new ConcurrentDictionary<string, TimedEntry<AesGcm>>();
|
|
|
|
LoadSalts();
|
|
}
|
|
|
|
private void LoadSalts()
|
|
{
|
|
var path = _akariPath.GetPath(SaltsPath);
|
|
|
|
// Create new
|
|
if (!File.Exists(path))
|
|
{
|
|
_salts = new Dictionary<string, string>();
|
|
|
|
File.WriteAllText(path, JsonSerializer.Serialize(_salts));
|
|
}
|
|
// Load
|
|
else
|
|
{
|
|
_salts = JsonSerializer.Deserialize<IDictionary<string, string>>(File.ReadAllText(path));
|
|
}
|
|
}
|
|
|
|
private void SaveSalts()
|
|
{
|
|
var path = _akariPath.GetPath(SaltsPath);
|
|
|
|
File.WriteAllText(path, JsonSerializer.Serialize(_salts));
|
|
}
|
|
|
|
public void GenerateSalt(string name)
|
|
{
|
|
Span<byte> salt = Security.DefaultSaltLength <= 1024 ? stackalloc byte[Security.DefaultSaltLength]
|
|
: new byte[Security.DefaultSaltLength];
|
|
|
|
RandomNumberGenerator.Fill(salt);
|
|
|
|
_salts[name] = Convert.ToBase64String(salt);
|
|
|
|
SaveSalts();
|
|
}
|
|
|
|
public void Auth(string name, byte[] token)
|
|
{
|
|
// Retrieve salt
|
|
if (!_salts.TryGetValue(name, out var salt))
|
|
{
|
|
throw new Exception($"Can't find the salt for '{name}', try to register the fingerprint again");
|
|
}
|
|
|
|
// Derive key and store it
|
|
using var key = Security.Argon2idDeriveBytes(token, Convert.FromBase64String(salt), AuthKeysLength, clear: true);
|
|
|
|
SetKey(name, new AesGcm(key.Buffer));
|
|
}
|
|
|
|
public bool Remove(string name)
|
|
{
|
|
return _keys.Remove(name);
|
|
}
|
|
|
|
private void SetKey(string name, AesGcm aesGcm)
|
|
{
|
|
_logger.LogDebug($"New fingerprint auth: {name}");
|
|
|
|
if (_keys.TryGetValue(name, out var oldEntry))
|
|
{
|
|
_logger.LogDebug($"Old auth were present for '{name}', clearing it");
|
|
|
|
oldEntry.Value.Dispose();
|
|
}
|
|
|
|
_keys[name] = new TimedEntry<AesGcm>(DateTime.Now, aesGcm);
|
|
|
|
_logger.LogDebug($"New auth '{name}' at [{_keys[name].CreationDate}], expires at [{_keys[name].CreationDate + AuthLifetimeService.AuthLifetime}]");
|
|
}
|
|
|
|
public void Dispose()
|
|
{
|
|
_keys.Clear();
|
|
}
|
|
}
|
|
}
|