< Summary

Information

Class:	LOCKnet.Core.Crypto.Pbkdf2KeyDerivationService
Assembly:	LOCKnet.Core
File(s):	/home/runner/work/LOCKnet/LOCKnet/src/LOCKnet.Core/Crypto/Pbkdf2KeyDerivationService.cs

Line coverage

95%

Covered lines:	61
Uncovered lines:	3
Coverable lines:	64
Total lines:	126
Line coverage:	95.3%

Branch coverage

68%

Covered branches:	11
Total branches:	16
Branch coverage:	68.7%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Metrics

Method	Branch coverage	Crap Score	Cyclomatic complexity	Line coverage
get_Identifier()	100%	1	1	100%
GetDefaultParameters()	100%	1	1	100%
ValidateParameters(...)	100%	1	1	100%
GenerateSalt(...)	100%	1	1	100%
DeriveKey(...)	100%	1	1	100%
DeriveKey(...)	100%	1	1	100%
ComputePasswordHash(...)	100%	1	1	100%
ComputePasswordHash(...)	100%	1	1	100%
VerifyPassword(...)	100%	1	1	100%
VerifyPassword(...)	100%	1	1	100%
ResolveHashAlgorithm(...)	50%	2	2	80%
ValidateParametersCore(...)	71.42%	16	14	77.77%

File(s)

/home/runner/work/LOCKnet/LOCKnet/src/LOCKnet.Core/Crypto/Pbkdf2KeyDerivationService.cs

#	Line	Line coverage
	`1`	`using LOCKnet.Core.DataAbstractions;`
	`2`	`using System.Security.Cryptography;`
	`3`
	`4`	`namespace LOCKnet.Core.Crypto;`
	`5`
	`6`	`/// <summary>`
	`7`	`/// PBKDF2-Implementierung von <see cref="IKeyDerivationService"/>.`
	`8`	`/// Nutzt HMAC-SHA256, 600.000 Iterationen (OWASP-Empfehlung 2023).`
	`9`	`/// </summary>`
	`10`	`public sealed class Pbkdf2KeyDerivationService : IKeyDerivationService`
	`11`	`{`
	`12`	`private const string KdfIdentifier = "PBKDF2-SHA256";`
	`13`	`/// <summary>Anzahl der PBKDF2-Iterationen. OWASP empfiehlt ≥600.000 für HMAC-SHA256.</summary>`
	`14`	`private const int Iterations = 600_000;`
	`15`
	`16`	`/// <summary>Ausgabelänge des abgeleiteten Schlüssels in Bytes (256 Bit für AES-256).</summary>`
	`17`	`private const int KeyLengthBytes = 32;`
	`18`
	`19`	`/// <summary>Ausgabelänge des Passwort-Hashes in Bytes.</summary>`
	`20`	`private const int HashLengthBytes = 32;`
	`21`
	`22`	`/// <inheritdoc/>`
117	`23`	`public string Identifier => KdfIdentifier;`
	`24`
	`25`	`/// <inheritdoc/>`
73	`26`	`public VaultKdfParameters GetDefaultParameters() => new()`
73	`27`	`{`
73	`28`	`HashAlgorithm = "SHA256",`
73	`29`	`Iterations = Iterations,`
73	`30`	`KeyLengthBytes = KeyLengthBytes,`
73	`31`	`SaltLengthBytes = 32,`
73	`32`	`};`
	`33`
	`34`	`/// <inheritdoc/>`
	`35`	`public void ValidateParameters(VaultKdfParameters parameters)`
54	`36`	`=> ValidateParametersCore(parameters);`
	`37`
	`38`	`/// <inheritdoc/>`
	`39`	`public byte[] GenerateSalt(int length = 32)`
75	`40`	`{`
75	`41`	`ArgumentOutOfRangeException.ThrowIfLessThan(length, 16, nameof(length));`
74	`42`	`return RandomNumberGenerator.GetBytes(length);`
74	`43`	`}`
	`44`
	`45`	`/// <inheritdoc/>`
	`46`	`public byte[] DeriveKey(byte[] password, byte[] salt)`
8	`47`	`=> DeriveKey(password, salt, GetDefaultParameters());`
	`48`
	`49`	`/// <inheritdoc/>`
	`50`	`public byte[] DeriveKey(byte[] password, byte[] salt, VaultKdfParameters parameters)`
112	`51`	`{`
112	`52`	`ArgumentNullException.ThrowIfNull(password);`
112	`53`	`ArgumentNullException.ThrowIfNull(salt);`
112	`54`	`ArgumentNullException.ThrowIfNull(parameters);`
112	`55`	`ValidateParametersCore(parameters);`
	`56`
111	`57`	`return Rfc2898DeriveBytes.Pbkdf2(`
111	`58`	`password,`
111	`59`	`salt,`
111	`60`	`parameters.Iterations,`
111	`61`	`ResolveHashAlgorithm(parameters.HashAlgorithm),`
111	`62`	`parameters.KeyLengthBytes);`
111	`63`	`}`
	`64`
	`65`	`/// <inheritdoc/>`
	`66`	`public byte[] ComputePasswordHash(byte[] password, byte[] salt)`
6	`67`	`=> ComputePasswordHash(password, salt, GetDefaultParameters());`
	`68`
	`69`	`/// <inheritdoc/>`
	`70`	`public byte[] ComputePasswordHash(byte[] password, byte[] salt, VaultKdfParameters parameters)`
21	`71`	`{`
21	`72`	`ArgumentNullException.ThrowIfNull(password);`
21	`73`	`ArgumentNullException.ThrowIfNull(salt);`
21	`74`	`ArgumentNullException.ThrowIfNull(parameters);`
21	`75`	`ValidateParametersCore(parameters);`
	`76`
	`77`	`// Separater Durchlauf mit anderem Kontext-Byte, damit`
	`78`	`// DeriveKey-Ausgabe und PasswordHash nie identisch sind.`
21	`79`	`var saltWithContext = new byte[salt.Length + 1];`
21	`80`	`salt.CopyTo(saltWithContext, 0);`
21	`81`	`saltWithContext[^1] = 0x01; // Kontext: "password verification"`
	`82`
21	`83`	`return Rfc2898DeriveBytes.Pbkdf2(`
21	`84`	`password,`
21	`85`	`saltWithContext,`
21	`86`	`parameters.Iterations,`
21	`87`	`ResolveHashAlgorithm(parameters.HashAlgorithm),`
21	`88`	`HashLengthBytes);`
21	`89`	`}`
	`90`
	`91`	`/// <inheritdoc/>`
	`92`	`public bool VerifyPassword(byte[] password, byte[] salt, byte[] storedHash)`
3	`93`	`=> VerifyPassword(password, salt, storedHash, GetDefaultParameters());`
	`94`
	`95`	`/// <inheritdoc/>`
	`96`	`public bool VerifyPassword(byte[] password, byte[] salt, byte[] storedHash, VaultKdfParameters parameters)`
8	`97`	`{`
8	`98`	`ArgumentNullException.ThrowIfNull(password);`
8	`99`	`ArgumentNullException.ThrowIfNull(salt);`
8	`100`	`ArgumentNullException.ThrowIfNull(storedHash);`
	`101`
8	`102`	`var computed = ComputePasswordHash(password, salt, parameters);`
8	`103`	`return CryptographicOperations.FixedTimeEquals(computed, storedHash);`
8	`104`	`}`
	`105`
	`106`	`private static HashAlgorithmName ResolveHashAlgorithm(string algorithm)`
318	`107`	`=> algorithm.ToUpperInvariant() switch`
318	`108`	`{`
318	`109`	`"SHA256" => HashAlgorithmName.SHA256,`
0	`110`	`_ => throw new NotSupportedException($"Nicht unterstuetzter PBKDF2-Hash-Algorithmus: {algorithm}"),`
318	`111`	`};`
	`112`
	`113`	`private static void ValidateParametersCore(VaultKdfParameters parameters)`
187	`114`	`{`
187	`115`	`if (parameters.Iterations is < 100_000 or > 5_000_000)`
1	`116`	`throw new InvalidOperationException("Persistierte PBKDF2-Iterationen liegen ausserhalb des erlaubten Bereichs.");`
	`117`
186	`118`	`if (parameters.KeyLengthBytes != KeyLengthBytes)`
0	`119`	`throw new InvalidOperationException($"Persistierte PBKDF2-Schluessellaenge muss {KeyLengthBytes} Bytes betragen.")`
	`120`
186	`121`	`if (parameters.SaltLengthBytes is < 16 or > 64)`
0	`122`	`throw new InvalidOperationException("Persistierte Salt-Laenge liegt ausserhalb des erlaubten Bereichs.");`
	`123`
186	`124`	`_ = ResolveHashAlgorithm(parameters.HashAlgorithm);`
186	`125`	`}`
	`126`	`}`

< Summary

Metrics

File(s)

/home/runner/work/LOCKnet/LOCKnet/src/LOCKnet.Core/Crypto/Pbkdf2KeyDerivationService.cs

Methods/Properties