Crypto Algorithms (#189)

* LegacyCryptoAlgorithm

*AesCbcCryptoAlgorithm

* CryptoModule

* Deprecated CipherKey and RIV and updated tests with Crypto

* Newtonsoft.Json vulnerability fix

* sub key validation for subscribe call

* Update LICENSE

Author: budgetpreneur

.github/workflows/run-tests.yml

@@ -33,6 +33,7 @@ jobs:
             2.1.519
             5.0.x
             6.0.x
+            7.0.x
       - name: Build packages
         env:
           WORKSPACE_PATH: ${{ github.workspace }}

.gitignore

@@ -48,6 +48,14 @@ src/.vs/Pubnub/v15/sqlite3/storage.ide
 /src/Api/PubnubApiUWP/obj/*
 /src/Api/PubnubApiUWP/*.user
 
+/src/Api/PubnubApiUnity/bin/*
+/src/Api/PubnubApiUnity/bin/Debug/*
+/src/Api/PubnubApiUnity/obj/Debug/*
+/src/Api/PubnubApiUnity/bin/Release/*
+/src/Api/PubnubApiUnity/obj/Release/*
+/src/Api/PubnubApiUnity/obj/*
+/src/Api/PubnubApiUnity/*.user
+
 /src/packages/*
 
 /src/UnitTests/PubnubApi.Tests/bin/Debug/*
@@ -168,4 +176,4 @@ src/UnitTests/MockServer/obj/*
 ##################
 .github/.release
 
-.idea
+.idea

.pubnub.yml

@@ -1,8 +1,19 @@
 name: c-sharp
-version: "6.18.0"
+version: "6.19.0"
 schema: 1
 scm: github.com/pubnub/c-sharp
 changelog:
+  - date: 2023-10-16
+    version: v6.19.0
+    changes:
+      - type: feature
+        text: "Add crypto module that allows configure SDK to encrypt and decrypt messages."
+      - type: bug
+        text: "Improved security of crypto implementation by adding enhanced AES-CBC cryptor."
+      - type: bug
+        text: "Fixes Newtonsoft Json vulnerability with MaxDepth and upgrade to version  for non-PCL."
+      - type: improvement
+        text: "Add SubscribeKey validation for subscribe feature."
   - date: 2023-09-04
     version: v6.18.0
     changes:
@@ -730,7 +741,7 @@ features:
     - QUERY-PARAM
 supported-platforms:
   -
-    version: Pubnub 'C#' 6.18.0
+    version: Pubnub 'C#' 6.19.0
     platforms:
       - Windows 10 and up
       - Windows Server 2008 and up
@@ -740,7 +751,7 @@ supported-platforms:
       - .Net Framework 4.5
       - .Net Framework 4.6.1+
   -
-    version: PubnubPCL 'C#' 6.18.0
+    version: PubnubPCL 'C#' 6.19.0
     platforms:
       - Xamarin.Android
       - Xamarin.iOS
@@ -760,7 +771,7 @@ supported-platforms:
       - .Net Core
       - .Net 6.0
   -
-    version: PubnubUWP 'C#' 6.18.0
+    version: PubnubUWP 'C#' 6.19.0
     platforms:
       - Windows Phone 10
       - Universal Windows Apps
@@ -784,7 +795,7 @@ sdks:
             distribution-type: source
             distribution-repository: GitHub
             package-name: Pubnub
-            location: https://github.com/pubnub/c-sharp/releases/tag/v6.18.0.0
+            location: https://github.com/pubnub/c-sharp/releases/tag/v6.19.0.0
             requires:
               -
                 name: ".Net"
@@ -1067,7 +1078,7 @@ sdks:
             distribution-type: source
             distribution-repository: GitHub
             package-name: PubNubPCL
-            location: https://github.com/pubnub/c-sharp/releases/tag/v6.18.0.0
+            location: https://github.com/pubnub/c-sharp/releases/tag/v6.19.0.0
             requires:
               -
                 name: ".Net Core"
@@ -1426,7 +1437,7 @@ sdks:
             distribution-type: source
             distribution-repository: GitHub
             package-name: PubnubUWP
-            location: https://github.com/pubnub/c-sharp/releases/tag/v6.18.0.0
+            location: https://github.com/pubnub/c-sharp/releases/tag/v6.19.0.0
             requires:
               -
                 name: "Universal Windows Platform Development"

CHANGELOG

@@ -1,3 +1,12 @@
+v6.19.0 - October 16 2023
+-----------------------------
+- Added: add crypto module that allows configure SDK to encrypt and decrypt messages.
+
+- Fixed: improved security of crypto implementation by adding enhanced AES-CBC cryptor.
+- Fixed: fixes Newtonsoft Json vulnerability with MaxDepth and upgrade to version  for non-PCL.
+
+- Modified: add SubscribeKey validation for subscribe feature.
+
 v6.18.0 - September 04 2023
 -----------------------------
 - Fixed: allow name param as optional in SetChannelMetadata. Removed default empty value.

LICENSE

@@ -1,27 +1,29 @@
-PubNub Real-time Cloud-Hosted Push API and Push Notification Client Frameworks
-Copyright (c) 2013 PubNub Inc.
-http://www.pubnub.com/
-http://www.pubnub.com/terms
+PubNub Software Development Kit License Agreement
+Copyright © 2023 PubNub Inc. All rights reserved.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+Subject to the terms and conditions of the license, you are hereby granted
+a non-exclusive, worldwide, royalty-free license to (a) copy and modify
+the software in source code or binary form for use with the software services
+and interfaces provided by PubNub, and (b) redistribute unmodified copies
+of the software to third parties. The software may not be incorporated in
+or used to provide any product or service competitive with the products
+and services of PubNub.
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+The above copyright notice and this license shall be included
+in or with all copies or substantial portions of the software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+This license does not grant you permission to use the trade names, trademarks,
+service marks, or product names of PubNub, except as required for reasonable
+and customary use in describing the origin of the software and reproducing
+the content of this license.
 
-PubNub Real-time Cloud-Hosted Push API and Push Notification Client Frameworks
-Copyright (c) 2013 PubNub Inc.
-http://www.pubnub.com/
-http://www.pubnub.com/terms
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL PUBNUB OR THE AUTHORS OR COPYRIGHT HOLDERS OF THE SOFTWARE BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+https://www.pubnub.com/
+https://www.pubnub.com/terms

src/Api/PubnubApi/Builder/UrlRequestBuilder.cs

@@ -6,12 +6,15 @@
 using System.Globalization;
 using System.Threading.Tasks;
 using System.Threading;
+using PubnubApi.Security.Crypto.Common;
 #if !NETSTANDARD10 && !NETSTANDARD11 && !NETSTANDARD12 && !WP81
 using System.Reflection;
 #endif
 #if !NET35 && !NET40
 using System.Collections.Concurrent;
 #endif
+using PubnubApi.Security.Crypto;
+using PubnubApi.Security.Crypto.Cryptors;
 
 namespace PubnubApi
 {
@@ -2114,8 +2117,7 @@ private string GeneratePAMv2Signature(string queryStringToSign, string partialUr
                 string_to_sign.Append(partialUrl).Append('\n');
                 string_to_sign.Append(queryStringToSign);
 
-                PubnubCrypto pubnubCrypto = new PubnubCrypto((opType != PNOperationType.PNSignalOperation) ? pubnubConfig[pubnubInstanceId].CipherKey : "", pubnubConfig[pubnubInstanceId], this.pubnubLog, null);
-                signature = pubnubCrypto.PubnubAccessManagerSign(pubnubConfig[pubnubInstanceId].SecretKey, string_to_sign.ToString());
+                signature = Util.PubnubAccessManagerSign(pubnubConfig[pubnubInstanceId].SecretKey, string_to_sign.ToString());
                 if (this.pubnubLog != null && this.pubnubConfig != null)
                 {
                     LoggingMethod.WriteToLog(pubnubLog, "string_to_sign = " + string_to_sign, pubnubConfig[pubnubInstanceId].LogVerbosity);
@@ -2142,8 +2144,7 @@ private string GeneratePAMv3Signature(string method, string requestBody, string
                 string_to_sign.AppendFormat(CultureInfo.InvariantCulture, "{0}\n", queryStringToSign);
                 string_to_sign.Append(requestBody);
 
-                PubnubCrypto pubnubCrypto = new PubnubCrypto((opType != PNOperationType.PNSignalOperation) ? pubnubConfig[pubnubInstanceId].CipherKey : "", pubnubConfig[pubnubInstanceId], this.pubnubLog, null);
-                signature = pubnubCrypto.PubnubAccessManagerSign(pubnubConfig[pubnubInstanceId].SecretKey, string_to_sign.ToString());
+                signature = Util.PubnubAccessManagerSign(pubnubConfig[pubnubInstanceId].SecretKey, string_to_sign.ToString());
                 signature = string.Format(CultureInfo.InvariantCulture, "v2.{0}", signature.TrimEnd(new[] { '=' }));
                 if (this.pubnubLog != null && this.pubnubConfig != null)
                 {
@@ -2259,10 +2260,10 @@ private string JsonEncodePublishMsg(object originalMessage, PNOperationType opTy
         {
             string message = jsonLib.SerializeToJsonString(originalMessage);
 
-            if (pubnubConfig.ContainsKey(pubnubInstanceId) && pubnubConfig[pubnubInstanceId].CipherKey.Length > 0 && opType != PNOperationType.PNSignalOperation)
+            if (pubnubConfig.ContainsKey(pubnubInstanceId) && (pubnubConfig[pubnubInstanceId].CryptoModule != null || pubnubConfig[pubnubInstanceId].CipherKey.Length > 0) && opType != PNOperationType.PNSignalOperation)
             {
-                PubnubCrypto aes = new PubnubCrypto(pubnubConfig[pubnubInstanceId].CipherKey, pubnubConfig[pubnubInstanceId], pubnubLog, null);
-                string encryptMessage = aes.Encrypt(message);
+                pubnubConfig[pubnubInstanceId].CryptoModule ??= new CryptoModule(new LegacyCryptor(pubnubConfig[pubnubInstanceId].CipherKey, pubnubConfig[pubnubInstanceId].UseRandomInitializationVector, pubnubLog), null);
+                string encryptMessage = pubnubConfig[pubnubInstanceId].CryptoModule.Encrypt(message);
                 message = jsonLib.SerializeToJsonString(encryptMessage);
             }
 

src/Api/PubnubApi/EndPoint/Files/DownloadFileOperation.cs

@@ -11,6 +11,8 @@
 #if !NET35 && !NET40
 using System.Collections.Concurrent;
 #endif
+using PubnubApi.Security.Crypto;
+using PubnubApi.Security.Crypto.Cryptors;
 
 namespace PubnubApi.EndPoint
 {
@@ -157,24 +159,23 @@ private void ProcessFileDownloadRequest(Dictionary<string, object> externalQuery
                 if (item1Bytes != null)
                 {
                     byte[] outputBytes = null;
-                    string currentCipherKey = !string.IsNullOrEmpty(this.currentFileCipherKey) ? this.currentFileCipherKey : config.CipherKey;
-                    if (currentCipherKey.Length > 0)
+                    if (string.IsNullOrEmpty(this.currentFileCipherKey) && string.IsNullOrEmpty(config.CipherKey) && config.CryptoModule == null)
                     {
+                        outputBytes = item1Bytes;
+                    }
+                    else
+                    {
+                        CryptoModule currentCryptoModule = !string.IsNullOrEmpty(this.currentFileCipherKey) ? new CryptoModule(new LegacyCryptor(this.currentFileCipherKey, true, pubnubLog), null) : (config.CryptoModule ??= new CryptoModule(new LegacyCryptor(config.CipherKey, true, pubnubLog), null));
                         try
                         {
-                            PubnubCrypto aes = new PubnubCrypto(currentCipherKey, config, pubnubLog, null);
-                            outputBytes = aes.Decrypt(item1Bytes, true);
+                            outputBytes = currentCryptoModule.Decrypt(item1Bytes);
                             LoggingMethod.WriteToLog(pubnubLog, string.Format(CultureInfo.InvariantCulture, "DateTime {0}, Stream length (after Decrypt)= {1}", DateTime.Now.ToString(CultureInfo.InvariantCulture), item1Bytes.Length), config.LogVerbosity);
                         }
                         catch (Exception ex)
                         {
                             System.Diagnostics.Debug.WriteLine(ex.ToString());
                         }
                     }
-                    else
-                    {
-                        outputBytes = item1Bytes;
-                    }
                     PNDownloadFileResult result = new PNDownloadFileResult();
                     result.FileBytes = outputBytes;
                     result.FileName = currentFileName;
@@ -226,25 +227,24 @@ private async Task<PNResult<PNDownloadFileResult>> ProcessFileDownloadRequest(Di
             if (item1Bytes != null)
             {
                 byte[] outputBytes = null;
-                string currentCipherKey = !string.IsNullOrEmpty(this.currentFileCipherKey) ? this.currentFileCipherKey : config.CipherKey;
-                if (currentCipherKey.Length > 0)
+                if (string.IsNullOrEmpty(this.currentFileCipherKey) && string.IsNullOrEmpty(config.CipherKey) && config.CryptoModule == null)
                 {
+                    outputBytes = item1Bytes;
+                }
+                else
+                {
+                    CryptoModule currentCryptoModule = !string.IsNullOrEmpty(this.currentFileCipherKey) ? new CryptoModule(new LegacyCryptor(this.currentFileCipherKey, true, pubnubLog), null) : (config.CryptoModule ??= new CryptoModule(new LegacyCryptor(config.CipherKey, true, pubnubLog), null));
                     try
                     {
-                        PubnubCrypto aes = new PubnubCrypto(currentCipherKey, config, pubnubLog, null);
-                        outputBytes = aes.Decrypt(item1Bytes, true);
+                        outputBytes = currentCryptoModule.Decrypt(item1Bytes);
                         LoggingMethod.WriteToLog(pubnubLog, string.Format(CultureInfo.InvariantCulture, "DateTime {0}, Stream length (after Decrypt)= {1}", DateTime.Now.ToString(CultureInfo.InvariantCulture), item1Bytes.Length), config.LogVerbosity);
                     }
                     catch (Exception ex)
                     {
                         System.Diagnostics.Debug.WriteLine(ex.ToString());
                     }
                 }
-                else
-                {
-                    outputBytes = item1Bytes;
-                }
-                
+
                 PNDownloadFileResult result = new PNDownloadFileResult();
                 result.FileBytes = outputBytes;
                 result.FileName = currentFileName;

src/Api/PubnubApi/EndPoint/Files/SendFileOperation.cs

@@ -11,6 +11,8 @@
 #if !NET35 && !NET40
 using System.Collections.Concurrent;
 #endif
+using PubnubApi.Security.Crypto;
+using PubnubApi.Security.Crypto.Cryptors;
 
 namespace PubnubApi.EndPoint
 {
@@ -199,8 +201,12 @@ private void ProcessFileUpload(Dictionary<string, object> externalQueryParam, PN
 
             string dataBoundary = String.Format(CultureInfo.InvariantCulture, "----------{0:N}", Guid.NewGuid());
             string contentType = "multipart/form-data; boundary=" + dataBoundary;
-            string currentCipherKey = !string.IsNullOrEmpty(this.currentFileCipherKey) ? this.currentFileCipherKey : config.CipherKey;
-            byte[] postData = GetMultipartFormData(sendFileByteArray,generateFileUploadUrlResult.FileName, generateFileUploadUrlResult.FileUploadRequest.FormFields, dataBoundary, currentCipherKey, config, pubnubLog);
+            CryptoModule currentCryptoModule = null;
+            if (!string.IsNullOrEmpty(this.currentFileCipherKey) || !string.IsNullOrEmpty(config.CipherKey) || config.CryptoModule != null)
+            {
+                currentCryptoModule = !string.IsNullOrEmpty(this.currentFileCipherKey) ? new CryptoModule(new LegacyCryptor(this.currentFileCipherKey, true, pubnubLog), null) : (config.CryptoModule ??= new CryptoModule(new LegacyCryptor(config.CipherKey, true, pubnubLog), null));
+            }
+            byte[] postData = GetMultipartFormData(sendFileByteArray,generateFileUploadUrlResult.FileName, generateFileUploadUrlResult.FileUploadRequest.FormFields, dataBoundary, currentCryptoModule, config, pubnubLog);
 
             string json;
             UrlProcessRequest(new Uri(generateFileUploadUrlResult.FileUploadRequest.Url), requestState, false, postData, contentType).ContinueWith(r =>
@@ -300,8 +306,12 @@ private async Task<PNResult<PNFileUploadResult>> ProcessFileUpload(Dictionary<st
 
             string dataBoundary = String.Format(CultureInfo.InvariantCulture, "----------{0:N}", Guid.NewGuid());
             string contentType = "multipart/form-data; boundary=" + dataBoundary;
-            string currentCipherKey = !string.IsNullOrEmpty(this.currentFileCipherKey) ? this.currentFileCipherKey : config.CipherKey;
-            byte[] postData = GetMultipartFormData(sendFileByteArray, generateFileUploadUrlResult.FileName, generateFileUploadUrlResult.FileUploadRequest.FormFields, dataBoundary, currentCipherKey, config, pubnubLog);
+            CryptoModule currentCryptoModule = null;
+            if (!string.IsNullOrEmpty(this.currentFileCipherKey) || !string.IsNullOrEmpty(config.CipherKey) || config.CryptoModule != null)
+            {
+                currentCryptoModule = !string.IsNullOrEmpty(this.currentFileCipherKey) ? new CryptoModule(new LegacyCryptor(this.currentFileCipherKey, true, pubnubLog), null) : (config.CryptoModule ??= new CryptoModule(new LegacyCryptor(config.CipherKey, true, pubnubLog), null));
+            }
+            byte[] postData = GetMultipartFormData(sendFileByteArray, generateFileUploadUrlResult.FileName, generateFileUploadUrlResult.FileUploadRequest.FormFields, dataBoundary, currentCryptoModule, config, pubnubLog);
 
             Tuple<string, PNStatus> JsonAndStatusTuple = await UrlProcessRequest(new Uri(generateFileUploadUrlResult.FileUploadRequest.Url), requestState, false, postData, contentType).ConfigureAwait(false);
             ret.Status = JsonAndStatusTuple.Item2;
@@ -469,7 +479,7 @@ private static byte[] GetByteArrayFromFilePath(string filePath)
 
         }
 
-        private static byte[] GetMultipartFormData(byte[] sendFileByteArray, string fileName, Dictionary<string, object> formFields, string dataBoundary, string currentCipherKey, PNConfiguration config, IPubnubLog pubnubLog)
+        private static byte[] GetMultipartFormData(byte[] sendFileByteArray, string fileName, Dictionary<string, object> formFields, string dataBoundary, CryptoModule currentCryptoModule, PNConfiguration config, IPubnubLog pubnubLog)
         {
             byte[] ret = null;
             string fileContentType = "application/octet-stream";
@@ -500,12 +510,11 @@ private static byte[] GetMultipartFormData(byte[] sendFileByteArray, string file
                 byte[] postHeaderData = Encoding.UTF8.GetBytes(header);
 
                 dataStream.Write(postHeaderData, 0, postHeaderData.Length);
-                if (currentCipherKey.Length > 0)
+                if (currentCryptoModule != null)
                 {
                     try
                     {
-                        PubnubCrypto aes = new PubnubCrypto(currentCipherKey, config, pubnubLog, null);
-                        byte[] encryptBytes = aes.Encrypt(sendFileByteArray, true);
+                        byte[] encryptBytes = currentCryptoModule.Encrypt(sendFileByteArray);
                         dataStream.Write(encryptBytes, 0, encryptBytes.Length);
                     }
                     catch (Exception ex)