authorAndrew Arnott <andrewarnott@gmail.com>2012-07-18 08:11:59 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2012-07-18 08:11:59 -0700
commit8837d7fb4d61525c9bddc4fed8300a1bb9978ffa (patch)
treec1da80e194e6dd4b1cfce26daf989b37f901998b /src
parent72a8bc9b9801202e6bf3471fb4527a1bccb99cea (diff)
Replaces explicit crypto algorithm use with factories.
Fixes #47 which requires that FIPS compliance be an option.
Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj1
-rw-r--r--src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs6
-rw-r--r--src/DotNetOpenAuth.Core/Messaging/HmacAlgorithms.cs58
-rw-r--r--src/DotNetOpenAuth.InfoCard/InfoCard/Token/TokenUtility.cs2
-rw-r--r--src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/HmacSha1SigningBindingElement.cs2
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs2
-rw-r--r--src/DotNetOpenAuth.OpenId/OpenId/Association.cs2
-rw-r--r--src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs2
-rw-r--r--src/DotNetOpenAuth.OpenId/OpenId/HmacShaAssociation.cs19
9 files changed, 80 insertions, 14 deletions
diff --git a/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj b/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj
index 5e079a0..eb38711 100644
--- a/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj
+++ b/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj
@@ -29,6 +29,7 @@
<Compile Include="Messaging\CachedDirectWebResponse.cs" />
<Compile Include="Messaging\ChannelContract.cs" />
<Compile Include="Messaging\DataBagFormatterBase.cs" />
+ <Compile Include="Messaging\HmacAlgorithms.cs" />
<Compile Include="Messaging\HttpRequestHeaders.cs" />
<Compile Include="Messaging\IHttpDirectRequest.cs" />
<Compile Include="Messaging\IHttpDirectRequestContract.cs" />
diff --git a/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs b/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs
index c9ceb81..69ee8dc 100644
--- a/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs
@@ -286,7 +286,7 @@ namespace DotNetOpenAuth.Messaging {
Requires.NotNull(signature, "signature");
if (this.asymmetricSigning != null) {
- using (var hasher = new SHA1CryptoServiceProvider()) {
+ using (var hasher = SHA1.Create()) {
return this.asymmetricSigning.VerifyData(signedData, hasher, signature);
}
} else {
@@ -309,13 +309,13 @@ namespace DotNetOpenAuth.Messaging {
Contract.Ensures(Contract.Result<byte[]>() != null);
if (this.asymmetricSigning != null) {
- using (var hasher = new SHA1CryptoServiceProvider()) {
+ using (var hasher = SHA1.Create()) {
return this.asymmetricSigning.SignData(bytesToSign, hasher);
}
} else {
var key = this.cryptoKeyStore.GetKey(this.cryptoKeyBucket, symmetricSecretHandle);
ErrorUtilities.VerifyProtocol(key != null, MessagingStrings.MissingDecryptionKeyForHandle, this.cryptoKeyBucket, symmetricSecretHandle);
- using (var symmetricHasher = new HMACSHA256(key.Key)) {
+ using (var symmetricHasher = HmacAlgorithms.Create(HmacAlgorithms.HmacSha256, key.Key)) {
return symmetricHasher.ComputeHash(bytesToSign);
}
}
diff --git a/src/DotNetOpenAuth.Core/Messaging/HmacAlgorithms.cs b/src/DotNetOpenAuth.Core/Messaging/HmacAlgorithms.cs
new file mode 100644
index 0000000..41dce81
--- /dev/null
+++ b/src/DotNetOpenAuth.Core/Messaging/HmacAlgorithms.cs
@@ -0,0 +1,58 @@
+//-----------------------------------------------------------------------
+// <copyright file="HmacAlgorithmNames.cs" company="Outercurve Foundation">
+// Copyright (c) Outercurve Foundation. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.Messaging {
+ using System;
+ using System.Collections.Generic;
+ using System.Linq;
+ using System.Security.Cryptography;
+ using System.Text;
+
+ /// <summary>
+ /// HMAC-SHA algorithm names that can be passed to the <see cref="HMAC.Create"/> method.
+ /// </summary>
+ internal static class HmacAlgorithms {
+ /// <summary>
+ /// The name of the HMAC-SHA1 algorithm.
+ /// </summary>
+ internal const string HmacSha1 = "HMACSHA1";
+
+ /// <summary>
+ /// The name of the HMAC-SHA256 algorithm.
+ /// </summary>
+ internal const string HmacSha256 = "HMACSHA256";
+
+ /// <summary>
+ /// The name of the HMAC-SHA384 algorithm.
+ /// </summary>
+ internal const string HmacSha384 = "HMACSHA384";
+
+ /// <summary>
+ /// The name of the HMAC-SHA512 algorithm.
+ /// </summary>
+ internal const string HmacSha512 = "HMACSHA512";
+
+ /// <summary>
+ /// Creates an HMAC-SHA algorithm with the specified name and key.
+ /// </summary>
+ /// <param name="algorithmName">A name from the available choices in the static const members of this class.</param>
+ /// <param name="key">The secret key used as the HMAC.</param>
+ /// <returns>The HMAC algorithm instance.</returns>
+ internal static HMAC Create(string algorithmName, byte[] key) {
+ Requires.NotNullOrEmpty(algorithmName, "algorithmName");
+ Requires.NotNull(key, "key");
+
+ HMAC hmac = HMAC.Create(algorithmName);
+ try {
+ hmac.Key = key;
+ return hmac;
+ } catch {
+ hmac.Dispose();
+ throw;
+ }
+ }
+ }
+}
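Review bot: `HMAC.Create(algorithmName)` returns null rather than throwing when the name is not a registered HMAC implementation, so in the new `Create` method an unknown or FIPS-disabled name reaches `hmac.Key = key` as a NullReferenceException, and the `hmac.Dispose()` in the catch then throws a second NullReferenceException that replaces the first. A check between the factory call and the `try` would surface the real cause: `if (hmac == null) { throw new ArgumentException("Unrecognized HMAC algorithm name.", "algorithmName"); }`. Two smaller points in the same file: the header comment names the file `HmacAlgorithmNames.cs` although the file added is `HmacAlgorithms.cs`, and the class summary still describes only "algorithm names" even though the type now also owns the factory method; `System.Collections.Generic`, `System.Linq` and `System.Text` are unused here.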
diff --git a/src/DotNetOpenAuth.InfoCard/InfoCard/Token/TokenUtility.cs b/src/DotNetOpenAuth.InfoCard/InfoCard/Token/TokenUtility.cs
index e50cafd..8b9eef8 100644
--- a/src/DotNetOpenAuth.InfoCard/InfoCard/Token/TokenUtility.cs
+++ b/src/DotNetOpenAuth.InfoCard/InfoCard/Token/TokenUtility.cs
@@ -123,7 +123,7 @@ namespace DotNetOpenAuth.InfoCard {
ICspAsymmetricAlgorithm rsa = claim.Resource as ICspAsymmetricAlgorithm;
if (null != rsa) {
- using (SHA256 sha = new SHA256Managed()) {
+ using (SHA256 sha = SHA256.Create()) {
return Convert.ToBase64String(sha.ComputeHash(rsa.ExportCspBlob(false)));
}
}
diff --git a/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/HmacSha1SigningBindingElement.cs b/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/HmacSha1SigningBindingElement.cs
index 64e8a77..ee05614 100644
--- a/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/HmacSha1SigningBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/HmacSha1SigningBindingElement.cs
@@ -34,7 +34,7 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
[SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "False positive.")]
protected override string GetSignature(ITamperResistantOAuthMessage message) {
string key = GetConsumerAndTokenSecretString(message);
- using (HashAlgorithm hasher = new HMACSHA1(Encoding.ASCII.GetBytes(key))) {
+ using (var hasher = HmacAlgorithms.Create(HmacAlgorithms.HmacSha1, Encoding.ASCII.GetBytes(key))) {
string baseString = ConstructSignatureBaseString(message, this.Channel.MessageDescriptions.GetAccessor(message));
byte[] digest = hasher.ComputeHash(Encoding.ASCII.GetBytes(baseString));
return Convert.ToBase64String(digest);
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs
index 853a629..08da8d2 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs
@@ -110,7 +110,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
return null;
}
- using (var hasher = new SHA256Managed()) {
+ using (var hasher = SHA256.Create()) {
return hasher.ComputeHash(Encoding.UTF8.GetBytes(callback.AbsoluteUri));
}
}
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/Association.cs b/src/DotNetOpenAuth.OpenId/OpenId/Association.cs
index 764f4fa..a0f5bae 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/Association.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/Association.cs
@@ -240,7 +240,7 @@ namespace DotNetOpenAuth.OpenId {
/// A hash code for the current <see cref="T:System.Object"/>.
/// </returns>
public override int GetHashCode() {
- HMACSHA1 hmac = new HMACSHA1(this.SecretKey);
+ var hmac = HmacAlgorithms.Create(HmacAlgorithms.HmacSha1, this.SecretKey);
try {
CryptoStream cs = new CryptoStream(Stream.Null, hmac, CryptoStreamMode.Write);
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
index ec16fae..fa7768b 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
@@ -197,7 +197,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
cryptoKey = this.cryptoKeyStore.GetKey(SecretUri.AbsoluteUri, returnToParameters[ReturnToSignatureHandleParameterName]);
}
- using (var signer = new HMACSHA256(cryptoKey.Key)) {
+ using (var signer = HmacAlgorithms.Create(HmacAlgorithms.HmacSha256, cryptoKey.Key)) {
signature = signer.ComputeHash(bytesToSign);
}
} catch (ProtocolException ex) {
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/HmacShaAssociation.cs b/src/DotNetOpenAuth.OpenId/OpenId/HmacShaAssociation.cs
index 5e3553d..89f346c 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/HmacShaAssociation.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/HmacShaAssociation.cs
@@ -226,22 +226,22 @@ namespace DotNetOpenAuth.OpenId {
private static HmacSha[] CreateAssociationTypes() {
return new[] {
new HmacSha {
- CreateHasher = secretKey => new HMACSHA512(secretKey),
+ HmacAlgorithmName = HmacAlgorithms.HmacSha384,
GetAssociationType = protocol => protocol.Args.SignatureAlgorithm.HMAC_SHA512,
BaseHashAlgorithm = SHA512.Create(),
},
new HmacSha {
- CreateHasher = secretKey => new HMACSHA384(secretKey),
+ HmacAlgorithmName = HmacAlgorithms.HmacSha384,
GetAssociationType = protocol => protocol.Args.SignatureAlgorithm.HMAC_SHA384,
BaseHashAlgorithm = SHA384.Create(),
},
new HmacSha {
- CreateHasher = secretKey => new HMACSHA256(secretKey),
+ HmacAlgorithmName = HmacAlgorithms.HmacSha256,
GetAssociationType = protocol => protocol.Args.SignatureAlgorithm.HMAC_SHA256,
BaseHashAlgorithm = SHA256.Create(),
},
new HmacSha {
- CreateHasher = secretKey => new HMACSHA1(secretKey),
+ HmacAlgorithmName = HmacAlgorithms.HmacSha1,
GetAssociationType = protocol => protocol.Args.SignatureAlgorithm.HMAC_SHA1,
BaseHashAlgorithm = SHA1.Create(),
},
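Review bot: The first entry of the array, whose `GetAssociationType` selects `HMAC_SHA512` and whose `BaseHashAlgorithm` is `SHA512.Create()`, is given `HmacAlgorithmName = HmacAlgorithms.HmacSha384`; the removed lambda constructed `HMACSHA512`, so this looks like a copy-paste slip from the entry below it. As written, an association negotiated as HMAC-SHA512 would compute and verify HMAC-SHA384 MACs, which will not interoperate with a peer that actually uses HMAC-SHA512. The line should read `HmacAlgorithmName = HmacAlgorithms.HmacSha512,`. A test that builds each entry from `CreateAssociationTypes` and checks the hasher's `HashSize` against its `BaseHashAlgorithm.HashSize` would have caught this. `CreateAssociationTypes` continues past the end of the hunk.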
@@ -258,9 +258,16 @@ namespace DotNetOpenAuth.OpenId {
internal Func<Protocol, string> GetAssociationType { get; set; }
/// <summary>
- /// Gets or sets a function that will create the <see cref="HashAlgorithm"/> using a given shared secret for the mac.
+ /// Creates the <see cref="HashAlgorithm"/> using a given shared secret for the mac.
/// </summary>
- internal Func<byte[], HashAlgorithm> CreateHasher { get; set; }
+ internal HashAlgorithm CreateHasher(byte[] secret) {
+ return HmacAlgorithms.Create(this.HmacAlgorithmName, secret);
+ }
+
+ /// <summary>
+ /// Gets or sets the name of the HMAC-SHA algorithm. (e.g. "HMAC-SHA256")
+ /// </summary>
+ internal string HmacAlgorithmName { get; set; }
/// <summary>
/// Gets or sets the base hash algorithm.
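Review bot: The new doc comment on `HmacAlgorithmName` gives `"HMAC-SHA256"` as an example, but the constants the property is populated from are spelled without the hyphen (`HmacAlgorithms.HmacSha256` is `"HMACSHA256"`), and `HMAC.Create` will not recognise the hyphenated form; suggest `/// Gets or sets the name of the HMAC-SHA algorithm, one of the constants in <see cref="HmacAlgorithms"/> (e.g. "HMACSHA256").`. The new `CreateHasher` method calls `HmacAlgorithms.Create`, which is declared `internal` in the Core assembly; presumably the OpenId assembly is already covered by an InternalsVisibleTo, otherwise this will not compile — worth confirming. The enclosing `HmacSha` class continues past the end of the hunk.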