File: XmlEncryption\DpapiXmlDecryptor.cs
Web Access
Project: src\src\DataProtection\DataProtection\src\Microsoft.AspNetCore.DataProtection.csproj (Microsoft.AspNetCore.DataProtection)
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
 
using System;
using System.Xml.Linq;
using Microsoft.AspNetCore.Cryptography;
using Microsoft.AspNetCore.DataProtection.Cng;
using Microsoft.AspNetCore.Shared;
using Microsoft.Extensions.Logging;
 
namespace Microsoft.AspNetCore.DataProtection.XmlEncryption;
 
/// <summary>
/// An <see cref="IXmlDecryptor"/> that decrypts XML elements that were encrypted with <see cref="DpapiXmlEncryptor"/>.
/// </summary>
public sealed class DpapiXmlDecryptor : IXmlDecryptor
{
    private readonly ILogger _logger;
 
    /// <summary>
    /// Creates a new instance of a <see cref="DpapiXmlDecryptor"/>.
    /// </summary>
    public DpapiXmlDecryptor()
        : this(services: null)
    {
    }
 
    /// <summary>
    /// Creates a new instance of a <see cref="DpapiXmlDecryptor"/>.
    /// </summary>
    /// <param name="services">An optional <see cref="IServiceProvider"/> to provide ancillary services.</param>
    public DpapiXmlDecryptor(IServiceProvider? services)
    {
        CryptoUtil.AssertPlatformIsWindows();
 
        _logger = services.GetLogger<DpapiXmlDecryptor>();
    }
 
    /// <summary>
    /// Decrypts the specified XML element.
    /// </summary>
    /// <param name="encryptedElement">An encrypted XML element.</param>
    /// <returns>The decrypted form of <paramref name="encryptedElement"/>.</returns>
    public XElement Decrypt(XElement encryptedElement)
    {
        ArgumentNullThrowHelper.ThrowIfNull(encryptedElement);
 
        _logger.DecryptingSecretElementUsingWindowsDPAPI();
 
        try
        {
            // <encryptedKey>
            //   <!-- This key is encrypted with {provider}. -->
            //   <value>{base64}</value>
            // </encryptedKey>
 
            var protectedSecret = Convert.FromBase64String((string)encryptedElement.Element("value")!);
            using (var secret = DpapiSecretSerializerHelper.UnprotectWithDpapi(protectedSecret))
            {
                return secret.ToXElement();
            }
        }
        catch (Exception ex)
        {
            // It's OK for us to log the error, as we control the exception, and it doesn't contain
            // sensitive information.
            _logger.ExceptionOccurredTryingToDecryptElement(ex);
            throw;
        }
    }
}