< Summary

Information

Class:	LOCKnet.Core.Security.MasterKeyManager
Assembly:	LOCKnet.Core
File(s):	/home/runner/work/LOCKnet/LOCKnet/src/LOCKnet.Core/Security/MasterKeyManager.cs

Line coverage

94%

Covered lines:	458
Uncovered lines:	29
Coverable lines:	487
Total lines:	653
Line coverage:	94%

Branch coverage

83%

Covered branches:	134
Total branches:	160
Branch coverage:	83.7%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Metrics

Method	Branch coverage	Crap Score	Cyclomatic complexity	Line coverage
.cctor()	100%	1	1	100%
.ctor(...)	100%	1	1	100%
get_IsInitialized()	100%	1	1	100%
Initialize(...)	100%	6	6	100%
Unlock(...)	81.81%	22	22	98.36%
ChangePassword(...)	83.33%	6	6	97.56%
GetStorageCompactionInfo()	50%	2	2	100%
RetryPendingStorageCompaction()	75%	4	4	100%
BuildMigrationPlan(...)	100%	24	24	94.52%
DecryptForMigration(...)	100%	2	1	0%
DecryptSecretForMigration(...)	25%	5	4	57.14%
DecryptMetadataForMigration(...)	25%	5	4	66.66%
ValidateHeader(...)	88.88%	18	18	95.23%
CompleteStorageCompactionIfRequired(...)	87.5%	16	16	94.28%
ValidateStorageRewriteReadiness(...)	100%	2	2	62.5%
PersistStorageCompactionFailure(...)	100%	1	1	100%
ValidateHeaderForStorageRewrite(...)	50%	8	6	62.5%
ValidateCredentialForStorageRewrite(...)	50%	15	12	71.42%
NeedsCredentialMigration(...)	100%	4	4	100%
NeedsSecretMigration(...)	100%	2	2	100%
NeedsMetadataMigration(...)	100%	4	4	100%
HasPlaintextMetadataResidue(...)	100%	10	10	100%
EnsureCredentialUuid(...)	50%	2	2	100%
CloneParameters(...)	100%	1	1	100%
CloneCredential(...)	100%	1	1	100%
SanitizePersistedMetadata(...)	100%	1	1	100%
CloneHeader(...)	100%	1	1	100%
BuildNoPendingStorageInfo()	100%	1	1	100%
BuildStorageCompactionInfo(...)	91.66%	12	12	96.66%
get_Header()	100%	1	1	100%

File(s)

/home/runner/work/LOCKnet/LOCKnet/src/LOCKnet.Core/Security/MasterKeyManager.cs

#	Line	Line coverage
	`1`	`using LOCKnet.Core.Crypto;`
	`2`	`using LOCKnet.Core.DataAbstractions;`
	`3`	`using System.Security;`
	`4`	`using System.Security.Cryptography;`
	`5`	`using System.Text.Json;`
	`6`
	`7`	`namespace LOCKnet.Core.Security;`
	`8`
	`9`	`/// <summary>`
	`10`	`/// Implementierung von <see cref="IMasterKeyManager"/>.`
	`11`	`/// Delegiert Schlüsselableitung an <see cref="IKeyDerivationService"/> und`
	`12`	`/// Persistenz an <see cref="IMasterKeyRepository"/>.`
	`13`	`/// </summary>`
	`14`	`public sealed class MasterKeyManager : IMasterKeyManager`
	`15`	`{`
	`16`	`private const int WrappedVaultKeyPacketBytes = 60;`
2	`17`	`private static readonly TimeSpan AutomaticStorageCompactionRetryDelay = TimeSpan.FromMinutes(10);`
	`18`	`private readonly IKeyDerivationService _kdf;`
	`19`	`private readonly IMasterKeyRepository _repo;`
	`20`	`private readonly IVaultMigrationRepository _vaultMigrationRepo;`
	`21`	`private readonly IEncryptionService _encryption;`
	`22`	`private readonly ICredentialEnvelopeService _credentialEnvelope;`
	`23`	`private readonly ISessionManager _session;`
	`24`	`private readonly ISecureStringService _secureStr;`
	`25`
	`26`	`/// <summary>`
	`27`	`/// Initialisiert eine neue Instanz von <see cref="MasterKeyManager"/>.`
	`28`	`/// </summary>`
62	`29`	`public MasterKeyManager(`
62	`30`	`IKeyDerivationService kdf,`
62	`31`	`IMasterKeyRepository repo,`
62	`32`	`IVaultMigrationRepository vaultMigrationRepo,`
62	`33`	`IEncryptionService encryption,`
62	`34`	`ICredentialEnvelopeService credentialEnvelope,`
62	`35`	`ISessionManager session,`
62	`36`	`ISecureStringService secureStr)`
62	`37`	`{`
62	`38`	`ArgumentNullException.ThrowIfNull(kdf);`
62	`39`	`ArgumentNullException.ThrowIfNull(repo);`
62	`40`	`ArgumentNullException.ThrowIfNull(vaultMigrationRepo);`
62	`41`	`ArgumentNullException.ThrowIfNull(encryption);`
62	`42`	`ArgumentNullException.ThrowIfNull(credentialEnvelope);`
62	`43`	`ArgumentNullException.ThrowIfNull(session);`
62	`44`	`ArgumentNullException.ThrowIfNull(secureStr);`
62	`45`	`_kdf = kdf;`
62	`46`	`_repo = repo;`
62	`47`	`_vaultMigrationRepo = vaultMigrationRepo;`
62	`48`	`_encryption = encryption;`
62	`49`	`_credentialEnvelope = credentialEnvelope;`
62	`50`	`_session = session;`
62	`51`	`_secureStr = secureStr;`
62	`52`	`}`
	`53`
	`54`	`/// <inheritdoc/>`
70	`55`	`public bool IsInitialized => _repo.Get() is not null;`
	`56`
	`57`	`/// <inheritdoc/>`
	`58`	`public void Initialize(SecureString password)`
49	`59`	`{`
49	`60`	`ArgumentNullException.ThrowIfNull(password);`
48	`61`	`if (IsInitialized)`
2	`62`	`throw new InvalidOperationException("Master-Key ist bereits initialisiert.");`
	`63`
46	`64`	`var passwordBytes = _secureStr.ToByteArray(password);`
46	`65`	`byte[]? kek = null;`
46	`66`	`byte[]? vaultKey = null;`
	`67`	`try`
46	`68`	`{`
46	`69`	`var parameters = _kdf.GetDefaultParameters();`
46	`70`	`var salt = _kdf.GenerateSalt(parameters.SaltLengthBytes);`
46	`71`	`kek = _kdf.DeriveKey(passwordBytes, salt, parameters);`
46	`72`	`vaultKey = RandomNumberGenerator.GetBytes(32);`
46	`73`	`var wrappedVaultKey = _encryption.Encrypt(vaultKey, kek);`
	`74`
46	`75`	`_repo.Create(new VaultHeader`
46	`76`	`{`
46	`77`	`FormatVersion = VaultHeaderFormatVersion.Current,`
46	`78`	`KdfIdentifier = _kdf.Identifier,`
46	`79`	`KdfParameters = parameters,`
46	`80`	`Salt = salt,`
46	`81`	`WrappedVaultKey = wrappedVaultKey,`
46	`82`	`LegacyPasswordHash = [],`
46	`83`	`UsesLegacyKeyMaterial = false,`
46	`84`	`RequiresStorageCompaction = false,`
46	`85`	`CreatedAt = DateTime.UtcNow,`
46	`86`	`UpdatedAt = DateTime.UtcNow`
46	`87`	`});`
46	`88`	`}`
	`89`	`finally`
46	`90`	`{`
46	`91`	`if (kek is not null)`
46	`92`	`CryptographicOperations.ZeroMemory(kek);`
46	`93`	`if (vaultKey is not null)`
46	`94`	`CryptographicOperations.ZeroMemory(vaultKey);`
46	`95`	`_secureStr.ZeroMemory(passwordBytes);`
46	`96`	`}`
46	`97`	`}`
	`98`
	`99`	`/// <inheritdoc/>`
	`100`	`public UnlockResult? Unlock(SecureString password)`
53	`101`	`{`
53	`102`	`ArgumentNullException.ThrowIfNull(password);`
	`103`
52	`104`	`var record = _repo.Get();`
52	`105`	`if (record is null)`
3	`106`	`throw new InvalidOperationException("Kein Master-Key vorhanden. Bitte zuerst Initialize() aufrufen.");`
49	`107`	`ValidateHeader(record);`
	`108`
43	`109`	`var passwordBytes = _secureStr.ToByteArray(password);`
43	`110`	`byte[]? kek = null;`
43	`111`	`byte[]? currentVaultKey = null;`
43	`112`	`byte[]? targetVaultKey = null;`
43	`113`	`byte[]? resultKey = null;`
	`114`	`try`
43	`115`	`{`
43	`116`	`var parameters = record.KdfParameters;`
43	`117`	`kek = _kdf.DeriveKey(passwordBytes, record.Salt, parameters);`
	`118`
43	`119`	`if (record.WrappedVaultKey.Length > 0)`
38	`120`	`{`
	`121`	`try`
38	`122`	`{`
38	`123`	`currentVaultKey = _encryption.Decrypt(record.WrappedVaultKey, kek);`
30	`124`	`}`
8	`125`	`catch (CryptographicException)`
8	`126`	`{`
8	`127`	`return null;`
	`128`	`}`
	`129`
30	`130`	`var usesLegacyKey = record.UsesLegacyKeyMaterial \|\|`
30	`131`	`(record.FormatVersion < VaultHeaderFormatVersion.Current &&`
30	`132`	`CryptographicOperations.FixedTimeEquals(currentVaultKey, kek));`
	`133`
30	`134`	`var migration = BuildMigrationPlan(record, currentVaultKey, kek, usesLegacyKey);`
30	`135`	`if (migration is not null)`
2	`136`	`{`
2	`137`	`_vaultMigrationRepo.ApplyMigration(migration.Header, migration.Credentials);`
2	`138`	`var storageInfo = CompleteStorageCompactionIfRequired(migration.Header, migration.ActiveVaultKey, automaticRet`
2	`139`	`targetVaultKey = migration.ActiveVaultKey;`
2	`140`	`resultKey = targetVaultKey;`
2	`141`	`targetVaultKey = null;`
2	`142`	`return new UnlockResult { VaultKey = resultKey, StorageCompaction = storageInfo };`
	`143`	`}`
	`144`
28	`145`	`var currentStorageInfo = CompleteStorageCompactionIfRequired(record, currentVaultKey, automaticRetry: true);`
	`146`
28	`147`	`resultKey = currentVaultKey;`
28	`148`	`currentVaultKey = null;`
28	`149`	`return new UnlockResult { VaultKey = resultKey, StorageCompaction = currentStorageInfo };`
	`150`	`}`
	`151`
5	`152`	`if (record.LegacyPasswordHash.Length == 0 \|\|`
5	`153`	`!_kdf.VerifyPassword(passwordBytes, record.Salt, record.LegacyPasswordHash, parameters))`
1	`154`	`{`
1	`155`	`return null;`
	`156`	`}`
	`157`
4	`158`	`currentVaultKey = _kdf.DeriveKey(passwordBytes, record.Salt, parameters);`
4	`159`	`var legacyMigration = BuildMigrationPlan(record, currentVaultKey, kek, true)`
4	`160`	`?? throw new InvalidOperationException("Legacy-Vault konnte nicht in das aktuelle Format migriert werden.");`
	`161`
4	`162`	`_vaultMigrationRepo.ApplyMigration(legacyMigration.Header, legacyMigration.Credentials);`
3	`163`	`var legacyStorageInfo = CompleteStorageCompactionIfRequired(legacyMigration.Header, legacyMigration.ActiveVaultKey`
3	`164`	`targetVaultKey = legacyMigration.ActiveVaultKey;`
3	`165`	`resultKey = targetVaultKey;`
3	`166`	`targetVaultKey = null;`
3	`167`	`return new UnlockResult { VaultKey = resultKey, StorageCompaction = legacyStorageInfo };`
	`168`	`}`
	`169`	`finally`
43	`170`	`{`
43	`171`	`if (kek is not null)`
43	`172`	`CryptographicOperations.ZeroMemory(kek);`
43	`173`	`if (currentVaultKey is not null)`
6	`174`	`CryptographicOperations.ZeroMemory(currentVaultKey);`
43	`175`	`if (targetVaultKey is not null)`
0	`176`	`CryptographicOperations.ZeroMemory(targetVaultKey);`
43	`177`	`_secureStr.ZeroMemory(passwordBytes);`
43	`178`	`}`
42	`179`	`}`
	`180`
	`181`	`/// <inheritdoc/>`
	`182`	`public void ChangePassword(SecureString currentPassword, SecureString newPassword)`
5	`183`	`{`
5	`184`	`ArgumentNullException.ThrowIfNull(currentPassword);`
5	`185`	`ArgumentNullException.ThrowIfNull(newPassword);`
	`186`
5	`187`	`var unlock = Unlock(currentPassword);`
4	`188`	`if (unlock is null)`
1	`189`	`throw new UnauthorizedAccessException("Das aktuelle Passwort ist falsch.");`
3	`190`	`var vaultKey = unlock.VaultKey;`
	`191`
3	`192`	`var record = _repo.Get();`
3	`193`	`if (record is null)`
0	`194`	`throw new InvalidOperationException("Kein Master-Key vorhanden.");`
	`195`
3	`196`	`var newBytes = _secureStr.ToByteArray(newPassword);`
3	`197`	`byte[]? newKek = null;`
	`198`	`try`
3	`199`	`{`
3	`200`	`var parameters = _kdf.GetDefaultParameters();`
3	`201`	`var newSalt = _kdf.GenerateSalt(parameters.SaltLengthBytes);`
3	`202`	`newKek = _kdf.DeriveKey(newBytes, newSalt, parameters);`
3	`203`	`var wrappedVaultKey = _encryption.Encrypt(vaultKey, newKek);`
	`204`
3	`205`	`_repo.Update(new VaultHeader`
3	`206`	`{`
3	`207`	`FormatVersion = VaultHeaderFormatVersion.Current,`
3	`208`	`KdfIdentifier = _kdf.Identifier,`
3	`209`	`KdfParameters = parameters,`
3	`210`	`Salt = newSalt,`
3	`211`	`WrappedVaultKey = wrappedVaultKey,`
3	`212`	`LegacyPasswordHash = [],`
3	`213`	`UsesLegacyKeyMaterial = false,`
3	`214`	`RequiresStorageCompaction = record.RequiresStorageCompaction,`
3	`215`	`LastStorageCompactionAttemptUtc = record.LastStorageCompactionAttemptUtc,`
3	`216`	`LastStorageCompactionFailureKind = record.LastStorageCompactionFailureKind,`
3	`217`	`LastStorageCompactionError = record.LastStorageCompactionError,`
3	`218`	`CreatedAt = record.CreatedAt,`
3	`219`	`UpdatedAt = DateTime.UtcNow`
3	`220`	`});`
3	`221`	`}`
	`222`	`finally`
3	`223`	`{`
3	`224`	`CryptographicOperations.ZeroMemory(vaultKey);`
3	`225`	`if (newKek is not null)`
3	`226`	`CryptographicOperations.ZeroMemory(newKek);`
3	`227`	`_secureStr.ZeroMemory(newBytes);`
3	`228`	`}`
3	`229`	`}`
	`230`
	`231`	`public StorageCompactionInfo GetStorageCompactionInfo()`
14	`232`	`{`
14	`233`	`var header = _repo.Get();`
14	`234`	`return header is null ? BuildNoPendingStorageInfo() : BuildStorageCompactionInfo(header, autoRetryDeferred: false, o`
14	`235`	`}`
	`236`
	`237`	`public StorageCompactionInfo RetryPendingStorageCompaction()`
7	`238`	`{`
7	`239`	`var header = _repo.Get()`
7	`240`	`?? throw new InvalidOperationException("Kein Master-Key vorhanden.");`
	`241`
7	`242`	`ValidateHeader(header);`
	`243`
7	`244`	`var sessionKey = _session.GetSessionKey();`
7	`245`	`if (sessionKey is null)`
1	`246`	`{`
1	`247`	`var info = BuildStorageCompactionInfo(header, autoRetryDeferred: false, overrideMessage: "Speicherbereinigung noch`
1	`248`	`return new StorageCompactionInfo`
1	`249`	`{`
1	`250`	`IsPending = info.IsPending,`
1	`251`	`AutoRetryDeferred = info.AutoRetryDeferred,`
1	`252`	`LastAttemptUtc = info.LastAttemptUtc,`
1	`253`	`NextAutomaticRetryUtc = info.NextAutomaticRetryUtc,`
1	`254`	`FailureKind = StorageCompactionFailureKind.BusyOrLocked,`
1	`255`	`UserMessage = info.UserMessage,`
1	`256`	`LastError = info.LastError,`
1	`257`	`};`
	`258`	`}`
	`259`
	`260`	`try`
6	`261`	`{`
6	`262`	`return CompleteStorageCompactionIfRequired(header, sessionKey, automaticRetry: false);`
	`263`	`}`
	`264`	`finally`
6	`265`	`{`
6	`266`	`CryptographicOperations.ZeroMemory(sessionKey);`
6	`267`	`}`
7	`268`	`}`
	`269`
	`270`	`private CredentialMigrationPlan? BuildMigrationPlan(VaultHeader header, byte[] currentVaultKey, byte[] kek, bool usesL`
34	`271`	`{`
34	`272`	`var credentials = _vaultMigrationRepo.GetAllCredentials();`
34	`273`	`var migratedCredentials = new List<CredentialRecord>();`
34	`274`	`var targetVaultKey = usesLegacyKey ? RandomNumberGenerator.GetBytes(32) : currentVaultKey.ToArray();`
34	`275`	`var requiresStorageCompaction = header.RequiresStorageCompaction;`
34	`276`	`var headerNeedsUpgrade = header.FormatVersion != VaultHeaderFormatVersion.Current \|\|`
34	`277`	`header.UsesLegacyKeyMaterial != usesLegacyKey \|\|`
34	`278`	`header.LegacyPasswordHash.Length > 0 \|\|`
34	`279`	`header.WrappedVaultKey.Length != WrappedVaultKeyPacketBytes;`
	`280`
	`281`	`try`
34	`282`	`{`
130	`283`	`foreach (var credential in credentials)`
14	`284`	`{`
14	`285`	`if (!NeedsCredentialMigration(credential, usesLegacyKey))`
8	`286`	`continue;`
	`287`
6	`288`	`var needsSecretMigration = NeedsSecretMigration(credential) \|\| usesLegacyKey;`
6	`289`	`var needsMetadataMigration = NeedsMetadataMigration(credential) \|\| usesLegacyKey;`
6	`290`	`requiresStorageCompaction \|= HasPlaintextMetadataResidue(credential);`
6	`291`	`byte[]? secretPlaintext = null;`
6	`292`	`CredentialRecord? metadataRecord = null;`
	`293`	`try`
6	`294`	`{`
6	`295`	`var migrated = CloneCredential(credential);`
6	`296`	`migrated.CredentialUuid = EnsureCredentialUuid(migrated.CredentialUuid);`
	`297`
6	`298`	`if (needsSecretMigration)`
6	`299`	`{`
6	`300`	`secretPlaintext = DecryptSecretForMigration(credential, currentVaultKey, header.FormatVersion);`
6	`301`	`migrated.SecretFormatVersion = CredentialSecretFormatVersion.Current;`
6	`302`	`migrated.EncryptedPassword = _credentialEnvelope.Encrypt(secretPlaintext, targetVaultKey, migrated, VaultHea`
6	`303`	`}`
	`304`
6	`305`	`if (needsMetadataMigration)`
6	`306`	`{`
6	`307`	`metadataRecord = DecryptMetadataForMigration(credential, currentVaultKey, header.FormatVersion);`
6	`308`	`migrated.Title = metadataRecord.Title;`
6	`309`	`migrated.Username = metadataRecord.Username;`
6	`310`	`migrated.Url = metadataRecord.Url;`
6	`311`	`migrated.Notes = metadataRecord.Notes;`
6	`312`	`migrated.IconKey = metadataRecord.IconKey;`
6	`313`	`migrated.CredentialType = metadataRecord.CredentialType;`
6	`314`	`migrated.MetadataFormatVersion = _credentialEnvelope.CurrentMetadataVersion;`
6	`315`	`migrated.EncryptedMetadata = _credentialEnvelope.EncryptMetadata(migrated, targetVaultKey, VaultHeaderFormat`
6	`316`	`migrated = SanitizePersistedMetadata(migrated);`
6	`317`	`}`
	`318`
6	`319`	`migrated.UpdatedAt = DateTime.UtcNow;`
6	`320`	`migratedCredentials.Add(migrated);`
6	`321`	`}`
	`322`	`finally`
6	`323`	`{`
6	`324`	`if (secretPlaintext is not null)`
6	`325`	`CryptographicOperations.ZeroMemory(secretPlaintext);`
6	`326`	`if (metadataRecord is not null)`
6	`327`	`metadataRecord.EncryptedMetadata = [];`
6	`328`	`}`
6	`329`	`}`
	`330`
34	`331`	`if (!headerNeedsUpgrade && migratedCredentials.Count == 0)`
28	`332`	`{`
28	`333`	`CryptographicOperations.ZeroMemory(targetVaultKey);`
28	`334`	`return null;`
	`335`	`}`
	`336`
6	`337`	`var migratedHeader = CloneHeader(header);`
6	`338`	`migratedHeader.FormatVersion = VaultHeaderFormatVersion.Current;`
6	`339`	`migratedHeader.KdfIdentifier = _kdf.Identifier;`
6	`340`	`migratedHeader.KdfParameters = CloneParameters(header.KdfParameters);`
6	`341`	`migratedHeader.LegacyPasswordHash = [];`
6	`342`	`migratedHeader.WrappedVaultKey = _encryption.Encrypt(targetVaultKey, kek);`
6	`343`	`migratedHeader.UsesLegacyKeyMaterial = false;`
6	`344`	`migratedHeader.RequiresStorageCompaction = requiresStorageCompaction;`
6	`345`	`migratedHeader.LastStorageCompactionAttemptUtc = null;`
6	`346`	`migratedHeader.LastStorageCompactionFailureKind = StorageCompactionFailureKind.None;`
6	`347`	`migratedHeader.LastStorageCompactionError = null;`
6	`348`	`migratedHeader.UpdatedAt = DateTime.UtcNow;`
	`349`
6	`350`	`return new CredentialMigrationPlan(migratedHeader, migratedCredentials, targetVaultKey);`
	`351`	`}`
0	`352`	`catch`
0	`353`	`{`
0	`354`	`CryptographicOperations.ZeroMemory(targetVaultKey);`
0	`355`	`throw;`
	`356`	`}`
34	`357`	`}`
	`358`
	`359`	`private byte[] DecryptForMigration(CredentialRecord credential, byte[] currentVaultKey, int vaultFormatVersion)`
0	`360`	`=> DecryptSecretForMigration(credential, currentVaultKey, vaultFormatVersion);`
	`361`
	`362`	`private byte[] DecryptSecretForMigration(CredentialRecord credential, byte[] currentVaultKey, int vaultFormatVersion)`
6	`363`	`=> credential.SecretFormatVersion switch`
6	`364`	`{`
6	`365`	`CredentialSecretFormatVersion.Legacy => _encryption.Decrypt(credential.EncryptedPassword, currentVaultKey),`
0	`366`	`CredentialSecretFormatVersion.AesGcmV1 => _credentialEnvelope.Decrypt(credential, currentVaultKey, vaultFormatVers`
0	`367`	`CredentialSecretFormatVersion.AesGcmV2 => _credentialEnvelope.Decrypt(credential, currentVaultKey, vaultFormatVers`
0	`368`	`_ => throw new InvalidOperationException($"Nicht unterstuetzte Secret-Formatversion: {credential.SecretFormatVersi`
6	`369`	`};`
	`370`
	`371`	`private CredentialRecord DecryptMetadataForMigration(CredentialRecord credential, byte[] currentVaultKey, int vaultFor`
6	`372`	`=> credential.MetadataFormatVersion switch`
6	`373`	`{`
6	`374`	`CredentialMetadataFormatVersion.Legacy => CloneCredential(credential),`
0	`375`	`CredentialMetadataFormatVersion.AesGcmV1 => _credentialEnvelope.DecryptMetadata(credential, currentVaultKey, vault`
0	`376`	`_ => throw new InvalidOperationException($"Nicht unterstuetzte Metadaten-Formatversion: {credential.MetadataFormat`
6	`377`	`};`
	`378`
	`379`	`private void ValidateHeader(VaultHeader header)`
56	`380`	`{`
56	`381`	`ArgumentNullException.ThrowIfNull(header);`
	`382`
56	`383`	`if (header.FormatVersion < VaultHeaderFormatVersion.Legacy \|\| header.FormatVersion > VaultHeaderFormatVersion.Curren`
1	`384`	`throw new InvalidOperationException($"Nicht unterstuetzte VaultHeader-Version: {header.FormatVersion}");`
	`385`
55	`386`	`if (!string.Equals(header.KdfIdentifier, _kdf.Identifier, StringComparison.Ordinal))`
1	`387`	`throw new InvalidOperationException($"Nicht unterstuetzter KDF-Identifier: {header.KdfIdentifier}");`
	`388`
54	`389`	`if (header.KdfParameters is null)`
0	`390`	`throw new InvalidOperationException("VaultHeader enthaelt keine KDF-Parameter.");`
	`391`
54	`392`	`_kdf.ValidateParameters(header.KdfParameters);`
	`393`
54	`394`	`if (header.Salt.Length != header.KdfParameters.SaltLengthBytes)`
1	`395`	`throw new InvalidOperationException("VaultHeader enthaelt einen ungueltigen Salt.");`
	`396`
53	`397`	`if (header.FormatVersion == VaultHeaderFormatVersion.Legacy)`
7	`398`	`{`
7	`399`	`if (header.WrappedVaultKey.Length != 0)`
1	`400`	`throw new InvalidOperationException("Legacy-VaultHeader darf keinen WrappedVaultKey enthalten.");`
	`401`
6	`402`	`if (header.LegacyPasswordHash.Length == 0)`
1	`403`	`throw new InvalidOperationException("Legacy-VaultHeader enthaelt keinen Passwort-Hash.");`
	`404`
5	`405`	`return;`
	`406`	`}`
	`407`
46	`408`	`if (header.WrappedVaultKey.Length != WrappedVaultKeyPacketBytes)`
1	`409`	`throw new InvalidOperationException("VaultHeader enthaelt einen ungueltigen WrappedVaultKey.");`
50	`410`	`}`
	`411`
	`412`	`private StorageCompactionInfo CompleteStorageCompactionIfRequired(VaultHeader header, byte[] activeVaultKey, bool auto`
39	`413`	`{`
39	`414`	`if (!header.RequiresStorageCompaction)`
25	`415`	`return BuildNoPendingStorageInfo();`
	`416`
14	`417`	`var now = DateTime.UtcNow;`
14	`418`	`if (automaticRetry && header.LastStorageCompactionAttemptUtc is DateTime lastAttemptUtc)`
3	`419`	`{`
3	`420`	`var nextRetryUtc = lastAttemptUtc + AutomaticStorageCompactionRetryDelay;`
3	`421`	`if (nextRetryUtc > now)`
3	`422`	`return BuildStorageCompactionInfo(header, autoRetryDeferred: true, overrideMessage: $"Speicherbereinigung noch o`
0	`423`	`}`
	`424`
11	`425`	`if (!_vaultMigrationRepo.HasPendingStorageArtifacts())`
11	`426`	`{`
11	`427`	`var validationFailure = ValidateStorageRewriteReadiness(header, activeVaultKey);`
11	`428`	`if (validationFailure is not null)`
1	`429`	`return PersistStorageCompactionFailure(header, validationFailure.Value.failureKind, validationFailure.Value.user`
10	`430`	`}`
	`431`
10	`432`	`var result = _vaultMigrationRepo.CompactStorage();`
10	`433`	`var updated = CloneHeader(header);`
10	`434`	`updated.LastStorageCompactionAttemptUtc = now;`
10	`435`	`updated.LastStorageCompactionFailureKind = result.FailureKind;`
10	`436`	`updated.LastStorageCompactionError = result.LastError;`
	`437`
10	`438`	`if (!result.IsPending)`
7	`439`	`{`
7	`440`	`updated.RequiresStorageCompaction = false;`
7	`441`	`updated.LastStorageCompactionAttemptUtc = null;`
7	`442`	`updated.LastStorageCompactionFailureKind = StorageCompactionFailureKind.None;`
7	`443`	`updated.LastStorageCompactionError = null;`
7	`444`	`updated.UpdatedAt = DateTime.UtcNow;`
7	`445`	`_repo.Update(updated);`
7	`446`	`return result;`
	`447`	`}`
	`448`
3	`449`	`updated.RequiresStorageCompaction = true;`
3	`450`	`updated.UpdatedAt = DateTime.UtcNow;`
3	`451`	`_repo.Update(updated);`
3	`452`	`return BuildStorageCompactionInfo(updated, autoRetryDeferred: false, overrideMessage: result.UserMessage);`
39	`453`	`}`
	`454`
	`455`	`private (StorageCompactionFailureKind failureKind, string userMessage, string lastError)? ValidateStorageRewriteReadin`
11	`456`	`{`
	`457`	`try`
11	`458`	`{`
11	`459`	`ValidateHeaderForStorageRewrite(header);`
50	`460`	`foreach (var credential in _vaultMigrationRepo.GetAllCredentials())`
9	`461`	`ValidateCredentialForStorageRewrite(credential, activeVaultKey, header.FormatVersion);`
	`462`
10	`463`	`return null;`
	`464`	`}`
0	`465`	`catch (CryptographicException ex)`
0	`466`	`{`
0	`467`	`return (StorageCompactionFailureKind.Corruption, "Speicherbereinigung noch offen: Aktuelle Vault-Daten konnten nic`
	`468`	`}`
1	`469`	`catch (InvalidOperationException ex)`
1	`470`	`{`
1	`471`	`return (StorageCompactionFailureKind.Corruption, "Speicherbereinigung noch offen: Aktuelle Vault-Daten sind inkons`
	`472`	`}`
0	`473`	`catch (JsonException ex)`
0	`474`	`{`
0	`475`	`return (StorageCompactionFailureKind.Corruption, "Speicherbereinigung noch offen: Aktuelle Vault-Metadaten sind in`
	`476`	`}`
11	`477`	`}`
	`478`
	`479`	`private StorageCompactionInfo PersistStorageCompactionFailure(VaultHeader header, StorageCompactionFailureKind failure`
1	`480`	`{`
1	`481`	`var updated = CloneHeader(header);`
1	`482`	`updated.RequiresStorageCompaction = true;`
1	`483`	`updated.LastStorageCompactionAttemptUtc = DateTime.UtcNow;`
1	`484`	`updated.LastStorageCompactionFailureKind = failureKind;`
1	`485`	`updated.LastStorageCompactionError = lastError;`
1	`486`	`updated.UpdatedAt = DateTime.UtcNow;`
1	`487`	`_repo.Update(updated);`
1	`488`	`return BuildStorageCompactionInfo(updated, autoRetryDeferred: false, overrideMessage: userMessage);`
1	`489`	`}`
	`490`
	`491`	`private void ValidateHeaderForStorageRewrite(VaultHeader header)`
11	`492`	`{`
11	`493`	`if (header.FormatVersion != VaultHeaderFormatVersion.Current)`
0	`494`	`throw new InvalidOperationException("Storage-Rewrite erwartet einen aktuellen VaultHeader.");`
	`495`
11	`496`	`if (header.UsesLegacyKeyMaterial)`
0	`497`	`throw new InvalidOperationException("Storage-Rewrite darf nicht mit Legacy-Keymaterial ausgefuehrt werden.");`
	`498`
11	`499`	`if (header.LegacyPasswordHash.Length > 0)`
0	`500`	`throw new InvalidOperationException("Storage-Rewrite erwartet keinen Legacy-Passwort-Hash mehr im Header.");`
11	`501`	`}`
	`502`
	`503`	`private void ValidateCredentialForStorageRewrite(CredentialRecord credential, byte[] activeVaultKey, int vaultFormatVe`
9	`504`	`{`
9	`505`	`if (credential.SecretFormatVersion != CredentialSecretFormatVersion.Current)`
0	`506`	`throw new InvalidOperationException($"Credential {credential.Id} verwendet noch ein Legacy-Secret-Format.");`
	`507`
9	`508`	`if (credential.MetadataFormatVersion != CredentialMetadataFormatVersion.Current)`
0	`509`	`throw new InvalidOperationException($"Credential {credential.Id} verwendet noch ein Legacy-Metadaten-Format.");`
	`510`
9	`511`	`if (!Guid.TryParseExact(credential.CredentialUuid, "N", out _))`
0	`512`	`throw new InvalidOperationException($"Credential {credential.Id} enthaelt eine ungueltige CredentialUuid.");`
	`513`
9	`514`	`if (credential.EncryptedPassword.Length == 0)`
0	`515`	`throw new InvalidOperationException($"Credential {credential.Id} enthaelt keine verschluesselten Secret-Daten.");`
	`516`
9	`517`	`if (credential.EncryptedMetadata.Length == 0)`
0	`518`	`throw new InvalidOperationException($"Credential {credential.Id} enthaelt keine verschluesselten Metadaten.");`
	`519`
9	`520`	`if (HasPlaintextMetadataResidue(credential))`
0	`521`	`throw new InvalidOperationException($"Credential {credential.Id} enthaelt unerwartete Klartext-Metadaten.");`
	`522`
9	`523`	`var secret = _credentialEnvelope.Decrypt(credential, activeVaultKey, vaultFormatVersion);`
	`524`	`try`
8	`525`	`{`
8	`526`	`}`
	`527`	`finally`
8	`528`	`{`
8	`529`	`CryptographicOperations.ZeroMemory(secret);`
8	`530`	`}`
	`531`
8	`532`	`_ = _credentialEnvelope.DecryptMetadata(credential, activeVaultKey, vaultFormatVersion);`
8	`533`	`}`
	`534`
	`535`	`private static bool NeedsCredentialMigration(CredentialRecord credential, bool usesLegacyKey)`
14	`536`	`=> usesLegacyKey \|\| NeedsSecretMigration(credential) \|\| NeedsMetadataMigration(credential);`
	`537`
	`538`	`private static bool NeedsSecretMigration(CredentialRecord credential)`
15	`539`	`=> credential.SecretFormatVersion != CredentialSecretFormatVersion.Current \|\| !Guid.TryParseExact(credential.Credent`
	`540`
	`541`	`private static bool NeedsMetadataMigration(CredentialRecord credential)`
14	`542`	`=> credential.MetadataFormatVersion != CredentialMetadataFormatVersion.Current \|\|`
14	`543`	`!Guid.TryParseExact(credential.CredentialUuid, "N", out _) \|\|`
14	`544`	`HasPlaintextMetadataResidue(credential);`
	`545`
	`546`	`private static bool HasPlaintextMetadataResidue(CredentialRecord credential)`
23	`547`	`=> !string.IsNullOrEmpty(credential.Title) \|\|`
23	`548`	`!string.IsNullOrEmpty(credential.Username) \|\|`
23	`549`	`!string.IsNullOrEmpty(credential.Url) \|\|`
23	`550`	`!string.IsNullOrEmpty(credential.Notes) \|\|`
23	`551`	`!string.IsNullOrEmpty(credential.IconKey) \|\|`
23	`552`	`credential.CredentialType != CredentialType.Password;`
	`553`
	`554`	`private static string EnsureCredentialUuid(string credentialUuid)`
6	`555`	`=> Guid.TryParseExact(credentialUuid, "N", out _) ? credentialUuid : Guid.NewGuid().ToString("N");`
	`556`
23	`557`	`private static VaultKdfParameters CloneParameters(VaultKdfParameters parameters) => new()`
23	`558`	`{`
23	`559`	`HashAlgorithm = parameters.HashAlgorithm,`
23	`560`	`Iterations = parameters.Iterations,`
23	`561`	`KeyLengthBytes = parameters.KeyLengthBytes,`
23	`562`	`SaltLengthBytes = parameters.SaltLengthBytes,`
23	`563`	`};`
	`564`
12	`565`	`private static CredentialRecord CloneCredential(CredentialRecord credential) => new()`
12	`566`	`{`
12	`567`	`Id = credential.Id,`
12	`568`	`Title = credential.Title,`
12	`569`	`Username = credential.Username,`
12	`570`	`EncryptedPassword = credential.EncryptedPassword.ToArray(),`
12	`571`	`EncryptedMetadata = credential.EncryptedMetadata.ToArray(),`
12	`572`	`CredentialUuid = credential.CredentialUuid,`
12	`573`	`SecretFormatVersion = credential.SecretFormatVersion,`
12	`574`	`MetadataFormatVersion = credential.MetadataFormatVersion,`
12	`575`	`Url = credential.Url,`
12	`576`	`Notes = credential.Notes,`
12	`577`	`CreatedAt = credential.CreatedAt,`
12	`578`	`UpdatedAt = credential.UpdatedAt,`
12	`579`	`IconKey = credential.IconKey,`
12	`580`	`CredentialType = credential.CredentialType,`
12	`581`	`};`
	`582`
	`583`	`private static CredentialRecord SanitizePersistedMetadata(CredentialRecord credential)`
6	`584`	`{`
6	`585`	`credential.Title = string.Empty;`
6	`586`	`credential.Username = null;`
6	`587`	`credential.Url = null;`
6	`588`	`credential.Notes = null;`
6	`589`	`credential.IconKey = null;`
6	`590`	`credential.CredentialType = CredentialType.Password;`
6	`591`	`return credential;`
6	`592`	`}`
	`593`
17	`594`	`private static VaultHeader CloneHeader(VaultHeader header) => new()`
17	`595`	`{`
17	`596`	`FormatVersion = header.FormatVersion,`
17	`597`	`KdfIdentifier = header.KdfIdentifier,`
17	`598`	`KdfParameters = CloneParameters(header.KdfParameters),`
17	`599`	`Salt = header.Salt.ToArray(),`
17	`600`	`WrappedVaultKey = header.WrappedVaultKey.ToArray(),`
17	`601`	`LegacyPasswordHash = header.LegacyPasswordHash.ToArray(),`
17	`602`	`UsesLegacyKeyMaterial = header.UsesLegacyKeyMaterial,`
17	`603`	`RequiresStorageCompaction = header.RequiresStorageCompaction,`
17	`604`	`LastStorageCompactionAttemptUtc = header.LastStorageCompactionAttemptUtc,`
17	`605`	`LastStorageCompactionFailureKind = header.LastStorageCompactionFailureKind,`
17	`606`	`LastStorageCompactionError = header.LastStorageCompactionError,`
17	`607`	`CreatedAt = header.CreatedAt,`
17	`608`	`UpdatedAt = header.UpdatedAt,`
17	`609`	`};`
	`610`
33	`611`	`private static StorageCompactionInfo BuildNoPendingStorageInfo() => new()`
33	`612`	`{`
33	`613`	`IsPending = false,`
33	`614`	`FailureKind = StorageCompactionFailureKind.None,`
33	`615`	`UserMessage = string.Empty,`
33	`616`	`};`
	`617`
	`618`	`private static StorageCompactionInfo BuildStorageCompactionInfo(VaultHeader header, bool autoRetryDeferred, string? ov`
22	`619`	`{`
22	`620`	`if (!header.RequiresStorageCompaction)`
8	`621`	`return BuildNoPendingStorageInfo();`
	`622`
14	`623`	`DateTime? nextRetryUtc = header.LastStorageCompactionAttemptUtc is DateTime lastAttemptUtc`
14	`624`	`? lastAttemptUtc + AutomaticStorageCompactionRetryDelay`
14	`625`	`: null;`
14	`626`	`var message = overrideMessage;`
14	`627`	`if (string.IsNullOrWhiteSpace(message))`
6	`628`	`{`
6	`629`	`message = header.LastStorageCompactionFailureKind switch`
6	`630`	`{`
1	`631`	`StorageCompactionFailureKind.None => "Speicherbereinigung steht noch aus. Die Vault ist entsperrt, aber alte Spe`
1	`632`	`StorageCompactionFailureKind.BusyOrLocked => "Speicherbereinigung noch offen: Die Vault-Datei oder ein Rewrite-A`
1	`633`	`StorageCompactionFailureKind.InsufficientSpace => "Speicherbereinigung noch offen: Fuer den Vault-Rewrite ist ni`
1	`634`	`StorageCompactionFailureKind.Io => "Speicherbereinigung noch offen: Beim Rewrite der Vault-Datei ist ein I/O-Feh`
1	`635`	`StorageCompactionFailureKind.Corruption => "Speicherbereinigung noch offen: Aktuelle Vault-Daten sind inkonsiste`
1	`636`	`_ => "Speicherbereinigung noch offen: Der Vault-Rewrite konnte nicht abgeschlossen werden.",`
6	`637`	`};`
6	`638`	`}`
	`639`
14	`640`	`return new StorageCompactionInfo`
14	`641`	`{`
14	`642`	`IsPending = true,`
14	`643`	`AutoRetryDeferred = autoRetryDeferred,`
14	`644`	`LastAttemptUtc = header.LastStorageCompactionAttemptUtc,`
14	`645`	`NextAutomaticRetryUtc = nextRetryUtc,`
14	`646`	`FailureKind = header.LastStorageCompactionFailureKind,`
14	`647`	`LastError = header.LastStorageCompactionError,`
14	`648`	`UserMessage = message,`
14	`649`	`};`
22	`650`	`}`
	`651`
33	`652`	`private sealed record CredentialMigrationPlan(VaultHeader Header, IReadOnlyList<CredentialRecord> Credentials, byte[]`
	`653`	`}`

< Summary

Metrics

File(s)

/home/runner/work/LOCKnet/LOCKnet/src/LOCKnet.Core/Security/MasterKeyManager.cs

Methods/Properties