feat(transport): AES-256-GCM + PBKDF2 BundleSecretEncryptor

2026-05-24 04:03:44 -04:00
parent c5bd5418ad
commit dc669a119b
2 changed files with 154 additions and 0 deletions
--- a/src/ScadaLink.Transport/Encryption/BundleSecretEncryptor.cs
+++ b/src/ScadaLink.Transport/Encryption/BundleSecretEncryptor.cs
@@ -0,0 +1,76 @@
+using System.Security.Cryptography;
+using ScadaLink.Commons.Types.Transport;
+
+namespace ScadaLink.Transport.Encryption;
+
+/// <summary>
+/// AES-256-GCM authenticated encryption with a PBKDF2-SHA256 derived key.
+/// Output format is <c>ciphertext || tag</c> (tag is the GCM authentication tag).
+/// Each encrypt call produces a fresh random salt + nonce so re-encrypting the
+/// same plaintext yields a different ciphertext.
+/// </summary>
+public sealed class BundleSecretEncryptor
+{
+    private const int KeyBytes = 32;            // AES-256.
+    private const int SaltBytes = 16;
+    private const int NonceBytes = 12;          // GCM standard.
+    private const int TagBytes = 16;
+
+    public (byte[] Ciphertext, EncryptionMetadata Metadata) Encrypt(
+        ReadOnlySpan<byte> plaintext,
+        string passphrase,
+        int iterations)
+    {
+        var salt = RandomNumberGenerator.GetBytes(SaltBytes);
+        var nonce = RandomNumberGenerator.GetBytes(NonceBytes);
+        var key = DeriveKey(passphrase, salt, iterations);
+
+        var ciphertext = new byte[plaintext.Length];
+        var tag = new byte[TagBytes];
+        using var aes = new AesGcm(key, TagBytes);
+        aes.Encrypt(nonce, plaintext, ciphertext, tag);
+
+        // Format: ciphertext || tag.
+        var output = new byte[ciphertext.Length + TagBytes];
+        Buffer.BlockCopy(ciphertext, 0, output, 0, ciphertext.Length);
+        Buffer.BlockCopy(tag, 0, output, ciphertext.Length, TagBytes);
+
+        return (output, new EncryptionMetadata(
+            "AES-256-GCM", "PBKDF2-SHA256", iterations,
+            Convert.ToBase64String(salt),
+            Convert.ToBase64String(nonce)));
+    }
+
+    public byte[] Decrypt(ReadOnlySpan<byte> payload, EncryptionMetadata metadata, string passphrase)
+    {
+        ArgumentNullException.ThrowIfNull(metadata);
+
+        if (metadata.Algorithm != "AES-256-GCM" || metadata.Kdf != "PBKDF2-SHA256")
+        {
+            throw new CryptographicException("Unsupported bundle encryption parameters.");
+        }
+
+        var salt = Convert.FromBase64String(metadata.SaltB64);
+        var nonce = Convert.FromBase64String(metadata.IvB64);
+        var key = DeriveKey(passphrase, salt, metadata.Iterations);
+
+        if (payload.Length < TagBytes)
+        {
+            throw new CryptographicException("Bundle payload too short.");
+        }
+
+        var ctLen = payload.Length - TagBytes;
+        var ciphertext = payload[..ctLen];
+        var tag = payload[ctLen..];
+
+        var plaintext = new byte[ctLen];
+        using var aes = new AesGcm(key, TagBytes);
+        aes.Decrypt(nonce, ciphertext, tag, plaintext);
+        return plaintext;
+    }
+
+    private static byte[] DeriveKey(string passphrase, byte[] salt, int iterations)
+    {
+        return Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, iterations, HashAlgorithmName.SHA256, KeyBytes);
+    }
+}