Merge pull request #70 from CyberSource/security-fixes

Security fixes

Author: gnongsie

CyberSource.nuspec

@@ -2,7 +2,7 @@
 <package >
   <metadata>
     <id>CyberSource</id>
-    <version>1.4.6</version>
+    <version>1.4.7</version>
 	<title>CyberSource Corporation</title>
     <authors>CyberSource Corporation</authors>
     <owners>CyberSource Corporation</owners>

CyberSource/Base/Properties/AssemblyInfo.cs

@@ -31,5 +31,5 @@
 //
 // You can specify all the values or you can default the Revision and Build Numbers 
 // by using the '*' as shown below:
-[assembly: AssemblyVersion("1.4.6")]
-[assembly: AssemblyFileVersion("1.4.6")]
+[assembly: AssemblyVersion("1.4.7")]
+[assembly: AssemblyFileVersion("1.4.7")]

CyberSource/Client/BaseClient.cs

@@ -7,7 +7,8 @@
 using System.ServiceModel.Channels;
 using System.ServiceModel.Security.Tokens;
 using System.Security.Cryptography.X509Certificates;
-using System.Collections.Concurrent;
+using System.Collections.Concurrent;
+using System.Security;
 
 namespace CyberSource.Clients
 {
@@ -70,15 +71,22 @@ string proxyUser
                     = AppSettings.GetSetting(null, PROXY_USER);
                 if (proxyUser != null)
                 {
-                    string proxyPassword
-                        = AppSettings.GetSetting(null, PROXY_PASSWORD);
+                    SecureString proxyPassword = new SecureString();
+
+                    foreach (char c in AppSettings.GetSetting(null, PROXY_PASSWORD))
+                    {
+                        proxyPassword.AppendChar(c);
+                    }
+
+                    proxyPassword.MakeReadOnly();
 
                     NetworkCredential credential
                         = new NetworkCredential(proxyUser, proxyPassword);
 
                     CredentialCache cache = new CredentialCache();
                     cache.Add(new Uri(proxyURL), BASIC_AUTH, credential);
                     mProxy.Credentials = cache;
+                    proxyPassword.Dispose();
                 }
             }
         }
@@ -201,8 +209,8 @@ int boolVal
                    merchantID, Configuration.KEY_ALIAS);
 
             config.Password
-                = AppSettings.GetSetting(
-                    merchantID, Configuration.PASSWORD);
+                = convertToSecureString(AppSettings.GetSetting(
+                    merchantID, Configuration.PASSWORD));
 
             config.LogFilename
                 = AppSettings.GetSetting(
@@ -422,6 +430,22 @@ public static bool IsMerchantCertExpired(Logger logger, string merchantId, DateT
 
             }
             return false;
+        }
+
+        private static SecureString convertToSecureString(string originalString)
+        {
+            if (originalString == null)
+            {
+                return null;
+            }
+
+            var secureString = new SecureString();
+
+            foreach (char c in originalString)
+                secureString.AppendChar(c);
+
+            secureString.MakeReadOnly();
+            return secureString;
         }
     }
 }

CyberSource/Client/Configuration.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Security;
 
 namespace CyberSource.Clients
 {
@@ -65,7 +66,7 @@ public class Configuration
         private string serverURL = null;
         private string keyFilename = null;
         private string keyAlias = null;
-        private string password = null;
+        private SecureString password = null;
         private string logFilename = null;
         private int logMaximumSize = -1;
         private int timeout = -1;
@@ -195,7 +196,7 @@ public string KeyAlias
         /// This is optional.  When not set, the value of MerchantID is
         /// used.
         /// </summary>
-        public string Password
+        public SecureString Password
         {
             get { return password; }
             set { password = value; }
@@ -409,14 +410,30 @@ internal string EffectiveKeyFilename
         /// Returns the password that will take effect given
         /// the current state of this Configuration object.
         /// </summary>
-        internal string EffectivePassword
+        internal SecureString EffectivePassword
         {
             get
             {
-                return( password != null ? password : merchantID);
+                return( password != null ? password : convertToSecureString(merchantID));
             }
         }
 
+        private SecureString convertToSecureString(string originalString)
+        {
+            if (originalString == null)
+            {
+                return null;
+            }
+
+            var secureString = new SecureString();
+
+            foreach (char c in originalString)
+                secureString.AppendChar(c);
+
+            secureString.MakeReadOnly();
+            return secureString;
+        }
+
         /// <summary>
         /// Returns the merchantID.  Throws an exception when it is null.
         /// </summary>

CyberSource/Client/NVPClient.cs

@@ -86,9 +86,12 @@ public static Hashtable RunTransaction(
                             if (logger != null)
                             {
                                 logger.LogInfo("Loading certificate for " + config.KeyAlias);
-                            }
-                            X509Certificate2Collection collection = new X509Certificate2Collection();
-                            collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                            }
+
+                            X509Certificate2 userCertificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+
+                            X509Certificate2Collection collection = new X509Certificate2Collection();
+                            collection.Add(userCertificate);
 
                             X509Certificate2 newMerchantCert = null;
                             X509Certificate2 newCybsCert = null;
@@ -121,9 +124,10 @@ public static Hashtable RunTransaction(
                     }
                     else
                     {
-                        // Changes for SHA2 certificates support
-                        X509Certificate2Collection collection = new X509Certificate2Collection();
-                        collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                        X509Certificate2 userCertificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+
+                        X509Certificate2Collection collection = new X509Certificate2Collection();
+                        collection.Add(userCertificate);
 
                         foreach (X509Certificate2 cert1 in collection)
                         {

CyberSource/Client/Properties/AssemblyInfo.cs

@@ -31,5 +31,5 @@
 //
 // You can specify all the values or you can default the Revision and Build Numbers 
 // by using the '*' as shown below:
-[assembly: AssemblyVersion("1.4.6")]
-[assembly: AssemblyFileVersion("1.4.6")]
+[assembly: AssemblyVersion("1.4.7")]
+[assembly: AssemblyFileVersion("1.4.7")]

CyberSource/Client/Service References/SoapServiceReference/Reference.cs

@@ -47985,7 +47985,7 @@ public partial class PayerAuthEnrollService : object, System.ComponentModel.INot
 
         private string loginIDField;
 
-        private string passwordField;
+        private System.Security.SecureString passwordField;
 
         private string merchantIDField;
 
@@ -48227,10 +48227,11 @@ public string loginID {
         [System.Xml.Serialization.XmlElementAttribute(Order=9)]
         public string password {
             get {
-                return this.passwordField;
+                return ConvertToUnsecureString(this.passwordField);
             }
             set {
-                this.passwordField = value;
+                this.passwordField = new System.Net.NetworkCredential(string.Empty, value).SecurePassword;
+                this.passwordField.MakeReadOnly();
                 this.RaisePropertyChanged("password");
             }
         }
@@ -49011,6 +49012,25 @@ protected void RaisePropertyChanged(string propertyName) {
                 propertyChanged(this, new System.ComponentModel.PropertyChangedEventArgs(propertyName));
             }
         }
+
+        public static string ConvertToUnsecureString(System.Security.SecureString secureString)
+        {
+            if (secureString == null)
+            {
+                return string.Empty;
+            }
+
+            System.IntPtr unmanagedString = System.IntPtr.Zero;
+            try
+            {
+                unmanagedString = System.Runtime.InteropServices.Marshal.SecureStringToGlobalAllocUnicode(secureString);
+                return System.Runtime.InteropServices.Marshal.PtrToStringUni(unmanagedString);
+            }
+            finally
+            {
+                System.Runtime.InteropServices.Marshal.ZeroFreeGlobalAllocUnicode(unmanagedString);
+            }
+        }
     }
 
     /// <remarks/>

CyberSource/Client/SoapClient.cs

@@ -81,6 +81,7 @@ public static ReplyMessage RunTransaction(
                     X509Certificate2 merchantCert = null;
                     X509Certificate2 cybsCert = null;
                     DateTime dateFile = File.GetLastWriteTime(keyFilePath);
+
                     if (config.CertificateCacheEnabled)
                     {
                         if (!merchantIdentities.ContainsKey(config.KeyAlias) || IsMerchantCertExpired(logger, config.KeyAlias, dateFile, merchantIdentities))
@@ -90,8 +91,10 @@ public static ReplyMessage RunTransaction(
                                 logger.LogInfo("Loading certificate for " + config.KeyAlias);
                             }
 
+                            X509Certificate2 userCertificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+
                             X509Certificate2Collection collection = new X509Certificate2Collection();
-                            collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                            collection.Add(userCertificate);
 
                             X509Certificate2 newMerchantCert = null;
                             X509Certificate2 newCybsCert = null;
@@ -124,9 +127,10 @@ public static ReplyMessage RunTransaction(
                     }
                     else
                     {
-                        // Changes for SHA2 certificates support
+                        X509Certificate2 userCertificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+
                         X509Certificate2Collection collection = new X509Certificate2Collection();
-                        collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                        collection.Add(userCertificate);
 
                         foreach (X509Certificate2 cert1 in collection)
                         {

CyberSource/Client/XmlClient.cs

@@ -106,8 +106,10 @@ public static XmlDocument RunTransaction(
                             logger.LogInfo("Loading certificate for "+ config.KeyAlias);
                         }
 
+                        X509Certificate2 userCertificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+
                         X509Certificate2Collection collection = new X509Certificate2Collection();
-                        collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                        collection.Add(userCertificate);
 
                         X509Certificate2 newMerchantCert = null;
                         X509Certificate2 newCybsCert = null;
@@ -140,8 +142,11 @@ public static XmlDocument RunTransaction(
                 }
                 else
                 {
+                    X509Certificate2 userCertificate = new X509Certificate2(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+
                     X509Certificate2Collection collection = new X509Certificate2Collection();
-                    collection.Import(keyFilePath, config.EffectivePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
+                    collection.Add(userCertificate);
+
                     foreach (X509Certificate2 cert1 in collection)
                     {
                         if (cert1.Subject.Contains(config.KeyAlias))

CyberSourceSamples/src/soap/SoapSample.cs

@@ -5,7 +5,6 @@
 using CyberSource.Clients;
 using CyberSource.Clients.SoapServiceReference;
 using System.Security.Cryptography;
-//using SoapSampleTransactions;
 
 
 namespace CyberSource.Samples
@@ -845,7 +844,6 @@ public RequestMessage saleRequest()
         // you would set a merchantID in each request.
 
         // this sample requests auth and capture
-
         // Credit Card Authorization
         request.ccAuthService = new CCAuthService();
         request.ccAuthService.run = "true";