Backend password hashing and encryption logic changes

SecureSend.Application/Commands/CreateSecureUpload.cs

@@ -3,5 +3,5 @@
 
 namespace SecureSend.Application.Commands
 {
-    public record CreateSecureUpload(Guid uploadId, DateTime? expiryDate): ICommand<Unit>;
+    public record CreateSecureUpload(Guid uploadId, DateTime? expiryDate, string? password): ICommand<Unit>;
 }

SecureSend.Application/Commands/Handlers/CreateSecureUploadHandler.cs

@@ -25,8 +25,8 @@ public CreateSecureUploadHandler(ISecureSendUploadRepository secureSendUploadRep
         public async Task<Unit> Handle (CreateSecureUpload command, CancellationToken cancellationToken)
         {
             var persisted = await _secureUploadReadService.GetUploadId(command.uploadId, cancellationToken);
-            if (persisted != Guid.Empty) throw new UploadAlreadyExistsException(persisted.Value);
-            var secureUpload = _secureSendUploadFactory.CreateSecureSendUpload(command.uploadId, new SecureSendUploadDate(), command.expiryDate, false);
+            if (persisted is not null && persisted != Guid.Empty) throw new UploadAlreadyExistsException(persisted.Value);
+            var secureUpload = _secureSendUploadFactory.CreateSecureSendUpload(command.uploadId, new SecureSendUploadDate(), command.expiryDate, false, command.password);
             await _secureSendUploadRepository.AddAsync(secureUpload, cancellationToken);
             return Unit.Value;
 

SecureSend.Application/Commands/Handlers/ViewSecureUploadHandler.cs

@@ -15,9 +15,11 @@ public ViewSecureUploadHandler(ISecureSendUploadRepository repository)
 
         public async Task<SecureUploadDto> Handle(ViewSecureUpload request, CancellationToken cancellationToken)
         {
-            var upload = await _repository.GetAsync(request.id, cancellationToken);
-            if (upload is null) throw new UploadDoesNotExistException(request.id);
-            if (upload.ExpiryDate is not null && upload.ExpiryDate < DateTime.UtcNow) throw new UploadExpiredException(upload.ExpiryDate);
+            var upload = await _repository.GetAsync(request.id, cancellationToken) ?? throw new UploadDoesNotExistException(request.id);
+            if (upload.PasswordHash is not null)
+            {
+                upload.PasswordHash.VerifyHash(request.password);
+            }
             upload.MarkAsViewed();
             await _repository.SaveChanges(cancellationToken);
 

SecureSend.Application/Commands/ViewSecureUpload.cs

@@ -2,7 +2,5 @@
 
 namespace SecureSend.Application.Commands
 {
-    public record ViewSecureUpload(Guid id) : ICommand<SecureUploadDto>
-    {
-    }
+    public record ViewSecureUpload(Guid id, string? password) : ICommand<SecureUploadDto>;
 }

SecureSend.Application/DTO/UploadVerifyResponseDTO.cs

@@ -0,0 +1,7 @@
+namespace SecureSend.Application.DTO;
+
+public class UploadVerifyResponseDTO
+{
+    public Guid SecureUploadId { get; set; }
+    public bool IsProtected { get; set; }
+}

SecureSend.Application/Queries/Handlers/VerifyUploadHandler.cs

@@ -0,0 +1,31 @@
+using SecureSend.Application.DTO;
+using SecureSend.Application.Exceptions;
+using SecureSend.Application.Services;
+
+namespace SecureSend.Application.Queries.Handlers;
+
+public sealed class VerifyUploadHandler: IQueryHandler<VerifyUpload,UploadVerifyResponseDTO>
+{
+    private readonly ISecureUploadReadService _readService;
+
+    public VerifyUploadHandler(ISecureUploadReadService readService)
+    {
+        _readService = readService;
+    }
+
+    public async Task<UploadVerifyResponseDTO> Handle(VerifyUpload request, CancellationToken cancellationToken)
+    {
+        var upload = await _readService.GetSecureUpload(request.id, cancellationToken);
+        if (upload is null) throw new UploadDoesNotExistException(request.id);
+        if (upload.ExpiryDate is not null && upload.ExpiryDate < DateTime.UtcNow) throw new UploadExpiredException(upload.ExpiryDate);
+
+        var uploadVerifyDto = new UploadVerifyResponseDTO()
+        {
+            SecureUploadId = upload.Id,
+            IsProtected = upload.PasswordHash is not null,
+
+        };
+
+        return uploadVerifyDto;
+    }
+}

SecureSend.Application/Queries/VerifyUpload.cs

@@ -0,0 +1,5 @@
+using SecureSend.Application.DTO;
+
+namespace SecureSend.Application.Queries;
+
+public record VerifyUpload(Guid id): IQuery<UploadVerifyResponseDTO>;

SecureSend.Application/Services/ISecureUploadReadService.cs

@@ -6,5 +6,6 @@ public interface ISecureUploadReadService
     {
         Task<UploadedFilesReadModel?> GetUploadedFile(string fileName, Guid id, CancellationToken cancellationToken);
         Task<Guid?> GetUploadId(Guid id, CancellationToken cancellationToken);
+        Task<SecureUploadsReadModel?> GetSecureUpload(Guid id, CancellationToken cancellationToken);
     }
 }

SecureSend.Domain/Entities/SecureSendUpload.cs

@@ -8,19 +8,22 @@
     {
         public SecureSendUploadId Id {get; private set;}
         public SecureSendUploadDate UploadDate { get; private set; }
-        public SecureSendExpiryDate ExpiryDate { get; private set; }
+        public SecureSendExpiryDate? ExpiryDate { get; private set; }
         public SecureSendIsViewed IsViewed { get; private set; }
+        public SecureSendPasswordHash? PasswordHash { get; private set; }
+
         public List<SecureSendFile> Files { get; private set; } = new();
 
-    public SecureSendUpload(SecureSendUploadId id, SecureSendUploadDate uploadDate, SecureSendExpiryDate expiryDate, SecureSendIsViewed isViewedl)
+    public SecureSendUpload(SecureSendUploadId id, SecureSendUploadDate uploadDate, SecureSendExpiryDate? expiryDate, SecureSendIsViewed isViewedl, SecureSendPasswordHash? passwordHash)
         {
             Id = id;
             UploadDate = uploadDate;
             ExpiryDate = expiryDate;
             IsViewed = isViewedl;
+            PasswordHash = passwordHash;
         }
 
         public SecureSendUpload()
         {
         }
 

SecureSend.Domain/Exceptions/InvalidPasswordException.cs

@@ -0,0 +1,10 @@
+using SecureSend.Domain.Exceptions;
+
+namespace SecureSend.Domain.Entities;
+
+public class InvalidPasswordException : SecureSendException
+{
+    public InvalidPasswordException() : base("Provided password is invalid.")
+    {
+    }
+}

SecureSend.Domain/Factories/ISecureSendUploadFactory.cs

@@ -5,6 +5,6 @@ namespace SecureSend.Domain.Factories
 {
     public interface ISecureSendUploadFactory
     {
-        SecureSendUpload CreateSecureSendUpload(SecureSendUploadId id, SecureSendUploadDate uploadDate, SecureSendExpiryDate expiryDate, SecureSendIsViewed isViewedl);
+        SecureSendUpload CreateSecureSendUpload(SecureSendUploadId id, SecureSendUploadDate uploadDate, SecureSendExpiryDate? expiryDate, SecureSendIsViewed isViewedl, SecureSendPasswordHash? password);
     }
 }

SecureSend.Domain/Factories/SecureSendUploadFactory.cs

@@ -10,9 +10,9 @@ public SecureSendUploadFactory()
 
         }
 
-        public SecureSendUpload CreateSecureSendUpload(SecureSendUploadId id, SecureSendUploadDate uploadDate, SecureSendExpiryDate expiryDate, SecureSendIsViewed isViewedl)
+        public SecureSendUpload CreateSecureSendUpload(SecureSendUploadId id, SecureSendUploadDate uploadDate, SecureSendExpiryDate? expiryDate, SecureSendIsViewed isViewedl, SecureSendPasswordHash? password)
         {
-            return new SecureSendUpload(id, uploadDate, expiryDate, isViewedl);
+            return new SecureSendUpload(id, uploadDate, expiryDate, isViewedl, password);
         }
     }
 }

SecureSend.Domain/ReadModels/SecureUploadsReadModel.cs

@@ -6,6 +6,7 @@
         public DateTime? ExpiryDate { get; set; }
         public bool IsViewed { get; set; }
         public DateTime UploadDate { get; set; }
+        public byte[]? PasswordHash { get; set; }
         public ICollection<UploadedFilesReadModel> Files { get; set; }
     }
 }

SecureSend.Domain/Repositories/ISecureSendUploadRepository.cs

@@ -5,7 +5,7 @@ namespace SecureSend.Domain.Repositories
 {
     public interface ISecureSendUploadRepository
     {
-        Task<SecureSendUpload> GetAsync(SecureSendUploadId id, CancellationToken cancellationToken);
+        Task<SecureSendUpload?> GetAsync(SecureSendUploadId id, CancellationToken cancellationToken);
         Task AddAsync(SecureSendUpload upload, CancellationToken cancellationToken);
         Task DeleteAsync(SecureSendUpload id, CancellationToken cancellationToken);
         Task UpdateAsync(SecureSendUpload upload, CancellationToken cancellationToken);

SecureSend.Domain/SecureSend.Domain.csproj

@@ -7,6 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Cryptography.KeyDerivation" Version="8.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="2.2.0" />
   </ItemGroup>
 

SecureSend.Domain/Services/HashingService.cs

@@ -0,0 +1,165 @@
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Cryptography.KeyDerivation;
+
+namespace SecureSend.Domain.Services;
+
+public class HashingService
+{
+            private const int DefaultIterations = 10000;
+
+        /// <summary>
+        /// Provides Information about a specific Hash Version
+        /// </summary>
+        private class HashVersion
+        {
+            public short Version { get; set; }
+            public int SaltSize { get; set; }
+            public int HashSize { get; set; }
+            public KeyDerivationPrf KeyDerivation { get; set; }
+        }
+
+        /// <summary>
+        /// Holds all possible Hash Versions
+        /// </summary>
+        private readonly Dictionary<short, HashVersion> _versions = new Dictionary<short, HashVersion>
+        {
+            {
+                1, new HashVersion
+                {
+                    Version = 1,
+                    KeyDerivation = KeyDerivationPrf.HMACSHA512,
+                    HashSize = 256 / 8,
+                    SaltSize = 128 / 8
+                }
+            }
+        };
+
+        /// <summary>
+        /// The default Hash Version, which should be used, if a new Hash is Created
+        /// </summary>
+        private HashVersion DefaultVersion => _versions[1];
+
+        /// <summary>
+        /// Checks if a given hash uses the latest version
+        /// </summary>
+        /// <param name="data">The hash</param>
+        /// <returns>Is the hash of the latest version?</returns>
+        public bool IsLatestHashVersion(byte[] data)
+        {
+            var version = BitConverter.ToInt16(data, 0);
+            return version == DefaultVersion.Version;
+        }
+
+        /// <summary>
+        /// Checks if a given hash uses the latest version
+        /// </summary>
+        /// <param name="data">The hash</param>
+        /// <returns>Is the hash of the latest version?</returns>
+        public bool IsLatestHashVersion(string data)
+        {
+            var dataBytes = Convert.FromBase64String(data);
+            return IsLatestHashVersion(dataBytes);
+        }
+
+        /// <summary>
+        /// Gets a random byte array
+        /// </summary>
+        /// <param name="length">The length of the byte array</param>
+        /// <returns>The random byte array</returns>
+        public byte[] GetRandomBytes(int length)
+        {
+            var data = new byte[length];
+            using (var randomNumberGenerator = RandomNumberGenerator.Create())
+            {
+                randomNumberGenerator.GetBytes(data);
+            }
+            return data;
+        }
+
+        /// <summary>
+        /// Creates a Hash of a clear text
+        /// </summary>
+        /// <param name="clearText">the clear text</param>
+        /// <param name="iterations">the number of iteration the hash alogrythm should run</param>
+        /// <returns>the Hash</returns>
+        public byte[] Hash(string clearText, int iterations = DefaultIterations)
+        {
+            //get current version
+            var currentVersion = DefaultVersion;
+
+            //get the byte arrays of the hash and meta information
+            var saltBytes = GetRandomBytes(currentVersion.SaltSize);
+            var versionBytes = BitConverter.GetBytes(currentVersion.Version);
+            var iterationBytes = BitConverter.GetBytes(iterations);
+            var hashBytes = KeyDerivation.Pbkdf2(clearText, saltBytes, currentVersion.KeyDerivation, iterations, currentVersion.HashSize);
+
+            //calculate the indexes for the combined hash
+            var indexVersion = 0;
+            var indexIteration = indexVersion + 2;
+            var indexSalt = indexIteration + 4;
+            var indexHash = indexSalt + currentVersion.SaltSize;
+
+            //combine all data to one result hash
+            var resultBytes = new byte[2 + 4 + currentVersion.SaltSize + currentVersion.HashSize];
+            Array.Copy(versionBytes, 0, resultBytes, indexVersion, 2);
+            Array.Copy(iterationBytes, 0, resultBytes, indexIteration, 4);
+            Array.Copy(saltBytes, 0, resultBytes, indexSalt, currentVersion.SaltSize);
+            Array.Copy(hashBytes, 0, resultBytes, indexHash, currentVersion.HashSize);
+            return resultBytes;
+        }
+
+        /// <summary>
+        /// Creates a Hash of a clear text and convert it to a Base64 String representation
+        /// </summary>
+        /// <param name="clearText">the clear text</param>
+        /// <param name="iterations">the number of iteration the hash alogrythm should run</param>
+        /// <returns>the Hash</returns>
+        public string HashToString(string clearText, int iterations = DefaultIterations)
+        {
+            var data = Hash(clearText, iterations);
+            return Convert.ToBase64String(data);
+        }
+
+        /// <summary>
+        /// Verifies a given clear Text against a hash
+        /// </summary>
+        /// <param name="clearText">The clear text</param>
+        /// <param name="data">The hash</param>
+        /// <returns>Is the hash equal to the clear text?</returns>
+        public bool Verify(string clearText, byte[] data)
+        {
+            //Get the current version and number of iterations
+            var currentVersion = _versions[BitConverter.ToInt16(data, 0)];
+            var iteration = BitConverter.ToInt32(data, 2);
+
+            //Create the byte arrays for the salt and hash
+            var saltBytes = new byte[currentVersion.SaltSize];
+            var hashBytes = new byte[currentVersion.HashSize];
+
+            //Calculate the indexes of the salt and the hash
+            var indexSalt = 2 + 4; // Int16 (Version) and Int32 (Iteration)
+            var indexHash = indexSalt + currentVersion.SaltSize;
+
+            //Fill the byte arrays with salt and hash
+            Array.Copy(data, indexSalt, saltBytes, 0, currentVersion.SaltSize);
+            Array.Copy(data, indexHash, hashBytes, 0, currentVersion.HashSize);
+
+            //Hash the current clearText with the parameters given via the data
+            var verificationHashBytes = KeyDerivation.Pbkdf2(clearText, saltBytes, currentVersion.KeyDerivation, iteration, currentVersion.HashSize);
+
+            //Check if generated hashes are equal
+            return hashBytes.SequenceEqual(verificationHashBytes);
+        }
+
+        /// <summary>
+        /// Verifies a given clear Text against a hash
+        /// </summary>
+        /// <param name="clearText">The clear text</param>
+        /// <param name="data">The hash</param>
+        /// <returns>Is the hash equal to the clear text?</returns>
+        public bool Verify(string clearText, string data)
+        {
+            var dataBytes = Convert.FromBase64String(data);
+            return Verify(clearText, dataBytes);
+        }
+}

SecureSend.Domain/ValueObjects/SecureSendExpiryDate.cs

@@ -6,11 +6,11 @@ public record SecureSendExpiryDate
 
         public SecureSendExpiryDate(DateTime? value = null)
         {
-            Value = value is not null ? value?.ToUniversalTime() : null;
+            Value = value?.ToUniversalTime();
         }
 
 
-        public static implicit operator DateTime?(SecureSendExpiryDate secureSendExpiryDate) => secureSendExpiryDate?.Value;
+        public static implicit operator DateTime?(SecureSendExpiryDate? secureSendExpiryDate) => secureSendExpiryDate?.Value;
 
         public static implicit operator SecureSendExpiryDate(DateTime? secureSendExpiryDate) => new(secureSendExpiryDate);
     }

SecureSend.Domain/ValueObjects/SecureSendPasswordHash.cs

@@ -0,0 +1,31 @@
+using SecureSend.Domain.Services;
+
+namespace SecureSend.Domain.Entities;
+
+public class SecureSendPasswordHash
+{
+    public byte[]? Value { get;}
+    private readonly  HashingService _hashingService;
+    public SecureSendPasswordHash(string? password)
+    {
+        _hashingService = new HashingService();
+        Value = String.IsNullOrEmpty(password) ? null : _hashingService.Hash(password);
+    }
+
+    public SecureSendPasswordHash(byte[]? hash)
+    {
+        _hashingService = new HashingService();
+        Value = hash;
+    }
+
+    public void VerifyHash(string? password)
+    {
+        if (Value is null || String.IsNullOrEmpty(password) || !_hashingService.Verify(password, Value)) throw new InvalidPasswordException();
+    }
+
+    public static implicit operator byte[]?(SecureSendPasswordHash value) => value.Value;
+
+    public static implicit operator SecureSendPasswordHash(byte[] hash) => new(hash);
+
+    public static implicit operator SecureSendPasswordHash(string? password) => new(password);
+}