(chocolatey#2437) Fall back to CurrentUser scope when permission denied

When running on mono on a non-Windows system, the ProtectedData methods use /usr/local/.mono/keypair as the folder to save keypairs. This folder is not normally writable by non-root users, thus erroring when used by a normal user. This catches that error and falls back to using the CurrentUser scope. Also, during data unprotection, it will try to fall back to CurrentUser scope if the decryption fails for other reasons, so as to attempt to decrypt data encrypted with CurrentUser if the LocalSystem scope starts working.
TheCakeIsNaOH · Nov 2, 2021 · a94c572 · a94c572
1 parent c0fbb14
commit a94c572
Showing 1 changed file with 41 additions and 2 deletions.
diff --git a/src/chocolatey/infrastructure/cryptography/DefaultEncryptionUtility.cs b/src/chocolatey/infrastructure/cryptography/DefaultEncryptionUtility.cs
@@ -20,6 +20,7 @@ namespace chocolatey.infrastructure.cryptography
     using System.Security.Cryptography;
     using System.Text;
     using adapters;
+    using platforms;
 
     public class DefaultEncryptionUtility : IEncryptionUtility
     {
@@ -30,7 +31,26 @@ public string encrypt_string(string cleartextValue)
             if (string.IsNullOrWhiteSpace(cleartextValue)) return null;
 
             var decryptedByteArray = Encoding.UTF8.GetBytes(cleartextValue);
-            var encryptedByteArray = ProtectedData.Protect(decryptedByteArray, _entropyBytes, DataProtectionScope.LocalMachine);
+            byte[] encryptedByteArray;
+            try
+            {
+                encryptedByteArray = ProtectedData.Protect(decryptedByteArray, _entropyBytes, DataProtectionScope.LocalMachine);
+            }
+            catch(Exception ex)
+            {
+                if (Platform.get_platform() != PlatformType.Windows && ex is CryptographicException)
+                {
+                    this.Log().Warn(@"Could not encrypt with LocalMachine scope.
+Falling back to CurrentUser scope for encryption.
+This is can be because the machine keyfile cannot be written as a normal user.
+Anything encrypted as CurrentUser can only be decrypted by your current user.");
+                    encryptedByteArray = ProtectedData.Protect(decryptedByteArray, _entropyBytes, DataProtectionScope.CurrentUser);
+                }
+                else
+                {
+                    throw;
+                }
+            }
             var encryptedString = Convert.ToBase64String(encryptedByteArray);
 
             return encryptedString;
@@ -39,7 +59,26 @@ public string encrypt_string(string cleartextValue)
         public string decrypt_string(string encryptedString)
         {
             var encryptedByteArray = Convert.FromBase64String(encryptedString);
-            var decryptedByteArray = ProtectedData.Unprotect(encryptedByteArray, _entropyBytes, DataProtectionScope.LocalMachine);
+            byte[] decryptedByteArray;
+
+            try
+            {
+                decryptedByteArray = ProtectedData.Unprotect(encryptedByteArray, _entropyBytes, DataProtectionScope.LocalMachine);
+            }
+            catch (Exception ex)
+            {
+                if (Platform.get_platform() != PlatformType.Windows && ex is CryptographicException)
+                {
+                    this.Log().Warn(@"Could not decrypt with LocalMachine scope.
+Falling back to CurrentUser scope for decryption.
+Anything encrypted as CurrentUser can only be decrypted by your current user.");
+                    decryptedByteArray = ProtectedData.Unprotect(encryptedByteArray, _entropyBytes, DataProtectionScope.CurrentUser);
+                }
+                else
+                {
+                    throw;
+                }
+            }
 
             return Encoding.UTF8.GetString(decryptedByteArray);
         }