new draft

Author: martin-toman

src/Agent.Listener/Configuration.Windows/RSAEncryptedFileKeyManager.cs

@@ -57,8 +57,11 @@ private RSA CreateKeyStoreKeyInNamedContainer(bool useCng)
 
                     CspParameters Params = new CspParameters();
                     Params.KeyContainerName = "AgentKeyContainer" + Guid.NewGuid().ToString();
-                    Params.Flags |= CspProviderFlags.UseNonExportableKey | CspProviderFlags.UseMachineKeyStore;
-                    rsa = new RSACryptoServiceProvider(2048, Params);
+                    Params.Flags |= CspProviderFlags.UseMachineKeyStore;
+                    using (var csp = new RSACryptoServiceProvider(2048, Params))
+                    {
+                        rsa = RSA.Create(csp.ExportParameters(includePrivateParameters: true));
+                    }
 
                     // Now write the parameters to disk
                     SaveParameters(default(RSAParameters), Params.KeyContainerName, useCng);
@@ -79,8 +82,11 @@ private RSA CreateKeyStoreKeyInNamedContainer(bool useCng)
 
                 CspParameters Params = new CspParameters();
                 Params.KeyContainerName = result.containerName;
-                Params.Flags |= CspProviderFlags.UseNonExportableKey | CspProviderFlags.UseMachineKeyStore;
-                rsa = new RSACryptoServiceProvider(Params);
+                Params.Flags |= CspProviderFlags.UseMachineKeyStore;
+                using (var csp = new RSACryptoServiceProvider(Params))
+                {
+                    rsa = RSA.Create(csp.ExportParameters(includePrivateParameters: true));
+                }
             }
 
             return rsa;
@@ -93,12 +99,12 @@ private RSA CreateKeyStoreKeyInNamedContainer(bool useCng)
 
         private RSA CreateKeyStoreKeyInFile(bool useCng)
         {
-            RSACryptoServiceProvider rsa = null;
+            RSA rsa = null;
             if (!File.Exists(_keyFile))
             {
                 Trace.Info("Creating new RSA key using 2048-bit key length");
 
-                rsa = new RSACryptoServiceProvider(2048);
+                rsa = RSA.Create(2048);
 
                 // Now write the parameters to disk
                 SaveParameters(rsa.ExportParameters(true), string.Empty, false);
@@ -116,7 +122,6 @@ private RSA CreateKeyStoreKeyInFile(bool useCng)
                     return CreateKeyStoreKeyInNamedContainer(useCng);
                 }
 
-                rsa = new RSACryptoServiceProvider();
                 rsa.ImportParameters(result.rsaParameters);
             }
 
@@ -170,9 +175,11 @@ private RSA GetKeyFromNamedContainer()
                 Trace.Info("Using RSACryptoServiceProvider");
                 CspParameters Params = new CspParameters();
                 Params.KeyContainerName = result.containerName;
-                Params.Flags |= CspProviderFlags.UseNonExportableKey | CspProviderFlags.UseMachineKeyStore;
-                var rsa = new RSACryptoServiceProvider(Params);
-                return rsa;
+                Params.Flags |= CspProviderFlags.UseMachineKeyStore;
+                using (var csp = new RSACryptoServiceProvider(Params))
+                {
+                    return RSA.Create(csp.ExportParameters(includePrivateParameters: true));
+                }
             }
         }
 
@@ -193,9 +200,7 @@ private RSA GetKeyFromFile()
                 return GetKeyFromNamedContainer();
             }
 
-            var rsa = new RSACryptoServiceProvider();
-            rsa.ImportParameters(result.rsaParameters);
-            return rsa;
+            return RSA.Create(result.rsaParameters);
         }
 
         private (string containerName, bool useCng, RSAParameters rsaParameters) LoadParameters()

src/Agent.Listener/Configuration/IRSAKeyManager.cs

@@ -35,9 +35,9 @@ public interface IRSAKeyManager : IAgentService
         void DeleteKey();
 
         /// <summary>
-        /// Gets the <c>RSACryptoServiceProvider</c> instance currently stored by the key manager. 
+        /// Gets the <c>RSA</c> instance currently stored by the key manager. 
         /// </summary>
-        /// <returns>An <c>RSACryptoServiceProvider</c> instance representing the key for the agent</returns>
+        /// <returns>An <c>RSA</c> implementation representing the key for the agent</returns>
         /// <exception cref="CryptographicException">No key exists in the store</exception>
         RSA GetKey();
     }

src/Agent.Listener/Configuration/RSAFileKeyManager.cs

@@ -16,12 +16,12 @@ public class RSAFileKeyManager : AgentService, IRSAKeyManager
 
         public RSA CreateKey(bool enableAgentKeyStoreInNamedContainer, bool useCng)
         {
-            RSACryptoServiceProvider rsa = null;
+            RSA rsa = null;
             if (!File.Exists(_keyFile))
             {
                 Trace.Info("Creating new RSA key using 2048-bit key length");
 
-                rsa = new RSACryptoServiceProvider(2048);
+                rsa = RSA.Create(2048);
 
                 // Now write the parameters to disk
                 IOUtil.SaveObject(new RSAParametersSerializable("", false, rsa.ExportParameters(true)), _keyFile);
@@ -53,9 +53,7 @@ public RSA CreateKey(bool enableAgentKeyStoreInNamedContainer, bool useCng)
             else
             {
                 Trace.Info("Found existing RSA key parameters file {0}", _keyFile);
-
-                rsa = new RSACryptoServiceProvider();
-                rsa.ImportParameters(IOUtil.LoadObject<RSAParametersSerializable>(_keyFile).RSAParameters);
+                rsa = RSA.Create(IOUtil.LoadObject<RSAParametersSerializable>(_keyFile).RSAParameters);
             }
 
             return rsa;
@@ -80,8 +78,7 @@ public RSA GetKey()
             Trace.Info("Loading RSA key parameters from file {0}", _keyFile);
 
             var parameters = IOUtil.LoadObject<RSAParametersSerializable>(_keyFile).RSAParameters;
-            var rsa = new RSACryptoServiceProvider();
-            rsa.ImportParameters(parameters);
+            var rsa = RSA.Create(parameters);
             return rsa;
         }
 

src/Agent.Listener/MessageListener.cs

@@ -95,6 +95,7 @@ public async Task<Boolean> CreateSessionAsync(CancellationToken token)
                     await _agentServer.ConnectAsync(new Uri(serverUrl), creds);
                     Trace.Info("VssConnection created");
 
+                    taskAgentSession.AgentCanHandleOaepSHA256 = true;
                     _session = await _agentServer.CreateAgentSessionAsync(
                                                         _settings.PoolId,
                                                         taskAgentSession,
@@ -336,9 +337,21 @@ private ICryptoTransform GetMessageDecryptor(
             {
                 // The agent session encryption key uses the AES symmetric algorithm
                 var keyManager = HostContext.GetService<IRSAKeyManager>();
+                RSAEncryptionPadding rsaPadding;
+                switch (_session.EncryptionKey.EncryptionPadding)
+                {
+                    case "OaepSHA256":
+                        rsaPadding = RSAEncryptionPadding.OaepSHA256;
+                        break;
+
+                    default:
+                        rsaPadding = RSAEncryptionPadding.OaepSHA1;
+                        break;
+                }
+
                 using (var rsa = keyManager.GetKey())
                 {
-                    return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, RSAEncryptionPadding.OaepSHA1), message.IV);
+                    return aes.CreateDecryptor(rsa.Decrypt(_session.EncryptionKey.Value, rsaPadding), message.IV);
                 }
             }
             else

src/Test/L0/Listener/Configuration/ConfigurationManagerL0.cs

@@ -58,7 +58,7 @@ public sealed class ConfigurationManagerL0 : IDisposable
         private int _expectedPoolId = 1;
         private int _expectedDeploymentMachineId = 81;
         private int _expectedEnvironmentVMResourceId = 71;
-        private RSACryptoServiceProvider rsa = null;
+        private RSA rsa = null;
         private AgentSettings _configMgrAgentSettings = new AgentSettings();
 
         public ConfigurationManagerL0()
@@ -129,7 +129,7 @@ public ConfigurationManagerL0()
             _agentServer.Setup(x => x.AddAgentAsync(It.IsAny<int>(), It.IsAny<TaskAgent>())).Returns(Task.FromResult(expectedAgent));
             _agentServer.Setup(x => x.UpdateAgentAsync(It.IsAny<int>(), It.IsAny<TaskAgent>())).Returns(Task.FromResult(expectedAgent));
 
-            rsa = new RSACryptoServiceProvider(2048);
+            rsa = RSA.Create(2048);
 
             _rsaKeyManager.Setup(x => x.CreateKey(It.IsAny<bool>(), It.IsAny<bool>())).Returns(rsa);
 

src/Test/L0/Listener/MessageListenerL0.cs

@@ -29,7 +29,7 @@ public sealed class MessageListenerL0 : IDisposable
         private Mock<ICapabilitiesManager> _capabilitiesManager;
         private Mock<IFeatureFlagProvider> _featureFlagProvider;
         private Mock<IRSAKeyManager> _rsaKeyManager;
-        private readonly RSACryptoServiceProvider rsa;
+        private readonly RSA rsa;
 
         public MessageListenerL0()
         {
@@ -45,7 +45,7 @@ public MessageListenerL0()
             _featureFlagProvider.Setup(x => x.GetFeatureFlagAsync(It.IsAny<IHostContext>(), It.IsAny<string>(), It.IsAny<ITraceWriter>(), It.IsAny<CancellationToken>())).Returns(Task.FromResult(new FeatureAvailability.FeatureFlag("", "", "", "Off", "Off")));
             _featureFlagProvider.Setup(x => x.GetFeatureFlagWithCred(It.IsAny<IHostContext>(), It.IsAny<string>(), It.IsAny<ITraceWriter>(), It.IsAny<AgentSettings>(), It.IsAny<VssCredentials>(), It.IsAny<CancellationToken>())).Returns(Task.FromResult(new FeatureAvailability.FeatureFlag("", "", "", "Off", "Off")));
 
-            rsa = new RSACryptoServiceProvider(2048);
+            rsa = RSA.Create(2048);
             _rsaKeyManager.Setup(x => x.CreateKey(It.IsAny<bool>(), It.IsAny<bool>())).Returns(rsa);
         }