I'm working on creating a JSON configuration file setup for my application. The application will require access to sensitive information (specifically login credentials and decryption passwords) Obviously, I'd rather not store this kind of sensitive data in the JSON as plain-text, so I've come up with what I believe is a decent solution. Perhaps I'm going about this all wrong and there's a better solution, but this is what I've come to through my research so far.
What I'd like to do is something like what's available in .NET Core to store this data in a "protected" file (stored in the user's %appdata% folder). The idea is to allow the user to enter the sensitive data into the main configuration file, then implement a custom JsonConverter object to "move" it over to the protected file.
For example, I have this JSON:
{
"MyApplication": {
"ApplicationHost": "localhost",
"ManagedItems": [
{
"SiteID": "3b1c7e59-d7a0-4451-d8e3-169517ec1d6b",
"Name": "MySite",
"UserPassword": "My$3c?e7P@$sw0rD"
}
}
]
}
}
Then, amongst the others, I have this Property in my class:
<JsonProperty("UserPassword")>
<JsonConverter(GetType(PasswordProtector))>
Public Property UserPassword As String
And, then I've started working on the PasswordProtector custom JsonConverter class as follows:
Public Class PasswordProtector
Inherits JsonConverter
Public Overrides Sub WriteJson(writer As JsonWriter, value As Object, serializer As JsonSerializer)
If TypeOf value Is ApplicationSettings.ManagedItem Then
Dim BaseObject As JObject = CType(JToken.FromObject(value), JObject)
Dim UserData As New UserDataSettings
If UserDataFile.Exists Then
Dim JSONData As String = File.ReadAllText(UserDataFile.FullName)
UserData = JsonConvert.DeserializeObject(Of UserDataSettings)(JSONData)
If UserData.MyApplication Is Nothing Then
UserData.MyApplication = New UserDataSettings.AppSettings
End If
If UserData.MyApplication.ManagedItems Is Nothing Then
UserData.MyApplication.ManagedItems = New List(Of UserDataSettings.AppSettings.ManagedItem)
UserData.MyApplication.ManagedItems.Add(New UserDataSettings.AppSettings.ManagedItem With {
.SiteID = BaseObject("SiteID"),
.UserPassword = BaseObject("UserPassword")})
Else
If Not UserData.MyApplication.ManagedItems.Where(Function(c) c.SiteID = BaseObject("SiteID")).First Is Nothing Then
UserData.MyApplication.ManagedItems.Where(Function(c) c.SiteID = BaseObject("SiteID")).First.UserPassword = BaseObject("UserPassword")
Else
UserData.MyApplication.ManagedItems.Add(New UserDataSettings.AppSettings.ManagedItem With {
.SiteID = BaseObject("SiteID"),
.UserPassword = BaseObject("UserPassword")})
End If
End If
Else
UserData.MyApplication = New UserDataSettings.AppSettings
UserData.MyApplication.ManagedItems = New List(Of UserDataSettings.AppSettings.ManagedItem)
UserData.MyApplication.ManagedItems.Add(New UserDataSettings.AppSettings.ManagedItem With {
.SiteID = BaseObject("SiteID"),
.UserPassword = BaseObject("UserPassword")})
End If
If Not UserDataFile.Directory.Exists Then
Directory.CreateDirectory(UserDataFile.DirectoryName)
End If
File.WriteAllText(UserDataFile.FullName, JsonConvert.SerializeObject(UserData, JSONSettings))
UserDataFile.Refresh()
BaseObject("UserPassword") = "[PROTECTED]"
serializer.Serialize(writer, BaseObject, GetType(ApplicationSettings.ManagedItem))
End If
End Sub
Public Overrides Function ReadJson(reader As JsonReader, objectType As Type, existingValue As Object, serializer As JsonSerializer) As Object
Dim BaseObject As JObject = JObject.Load(reader)
If TypeOf existingValue Is ApplicationSettings.ManagedItem Then
Dim UserData As New UserDataSettings
Dim TargetItem As New ApplicationSettings.ManagedItem
Dim UserPassword As String = Nothing
If BaseObject("UserPassword") IsNot Nothing Then
UserPassword = BaseObject("UserPassword").ToString
End If
If UserDataFile.Exists Then
UserData = JsonConvert.DeserializeObject(Of UserDataSettings)(File.ReadAllText(UserDataFile.FullName))
If UserData.MyApplication Is Nothing Then
UserData.MyApplication = New UserDataSettings.AppSettings
End If
If UserData.MyApplication.ManagedItems IsNot Nothing Then
Dim SavedSite As UserDataSettings.AppSettings.ManagedItem = UserData.MyApplication.ManagedItems.Where(Function(c) c.SiteID = BaseObject("SiteID")).First
If SavedSite IsNot Nothing Then
Dim SavedPassword As String = SavedSite.UserPassword
If UserPassword IsNot Nothing AndAlso Not String.IsNullOrEmpty(UserPassword) Then
If SavedPassword IsNot Nothing AndAlso Not String.IsNullOrEmpty(SavedPassword) Then
If UserPassword <> "[PROTECTED]" Then
If UserPassword <> SavedPassword Then
UserData.MyApplication.ManagedItems.Where(Function(c) c.SiteID = BaseObject("SiteID")).First.UserPassword = UserPassword
TargetItem.UserPassword = UserPassword
Else
TargetItem.UserPassword = SavedPassword
End If
Else
TargetItem.UserPassword = SavedPassword
End If
Else
UserData.MyApplication.ManagedItems.Where(Function(c) c.SiteID = BaseObject("SiteID")).First.UserPassword = UserPassword
TargetItem.UserPassword = UserPassword
End If
ElseIf SavedPassword IsNot Nothing AndAlso Not String.IsNullOrEmpty(SavedPassword) Then
TargetItem.UserPassword = SavedPassword
End If
Else
If UserPassword IsNot Nothing AndAlso Not String.IsNullOrEmpty(UserPassword) Then
If UserPassword <> "[PROTECTED]" Then
UserData.MyApplication.ManagedItems = New List(Of UserDataSettings.AppSettings.ManagedItem)
UserData.MyApplication.ManagedItems.Add(New UserDataSettings.AppSettings.ManagedItem With {
.SiteID = BaseObject("SiteID"),
.UserPassword = UserPassword})
TargetItem.UserPassword = UserPassword
Else
TargetItem.UserPassword = Nothing
End If
Else
TargetItem.UserPassword = Nothing
End If
End If
Else
UserData.MyApplication.ManagedItems = New List(Of UserDataSettings.AppSettings.ManagedItem)
UserData.MyApplication.ManagedItems.Add(New UserDataSettings.AppSettings.ManagedItem With {
.SiteID = BaseObject("SiteID"),
.UserPassword = UserPassword})
End If
Else
UserData.MyApplication = New UserDataSettings.AppSettings
UserData.MyApplication.ManagedItems = New List(Of UserDataSettings.AppSettings.ManagedItem)
UserData.MyApplication.ManagedItems.Add(New UserDataSettings.AppSettings.ManagedItem With {
.SiteID = BaseObject("SiteID"),
.UserPassword = UserPassword})
End If
File.WriteAllText(UserDataFile.FullName, JsonConvert.SerializeObject(UserData, JSONSettings))
UserDataFile.Refresh()
serializer.Populate(BaseObject.CreateReader(), TargetItem)
Return TargetItem
Else
Return Nothing
End If
End Function
Public Overrides Function CanConvert(objectType As Type) As Boolean
Return GetType(ApplicationSettings.ManagedItem).IsAssignableFrom(objectType)
End Function
End Class
The idea is to have it put the UserPassword into a similar (but simplified) version of the same JSON structure in the "protected" file:
{
"ProtectedSettings": {
"ManagedItems": [
{
"SiteID": "3b1c7e59-d7a0-4451-d8e3-169517ec1d6b",
"UserPassword": "My$3c?e7P@$sw0rD"
}
}
]
}
}
Then replace/obfuscate the value in the "main" JSON file with [PROTECTED]. When the application loads the current configuration, it should pull the UserPassword from the protected file for use as required, but it should never rewrite anything but the obfuscated version (or Nothing) to the main file.
If the value in the main file is not [PROTECTED] (meaning the user has changed it), then it should update the protected file with that value and re-obfuscate the value in the main file.
I know there are several issues with my code so far. However, my first hurdle is getting it past the ReadJson() method. Whenever I try to execute JObject.Load(reader), I get an exception:
Error reading JObject from JsonReader. Current JsonReader item is not an object: String.
I've tried casting the reader to an object, using the JObject.Parse on both the reader.Path and reader.ReadAsString (the latter moves the reader to the next node, so that obviously won't work), and a variety of other methods to get it to read the current value of the UserPassword object, but I can't seem to get past that so far.
Also, I wrote the entire method before I got around to doing any testing so, now that I'm trying to run things, I realize that the next line - If TypeOf existingValue Is CertifySettings.ManagedCertificate - isn't going to work either, but I'm taking things one step at a time here. I'm just providing the entirety of my code here to give a "big-picture" view of what I'm trying to do and how I believe it should work.
Am I just "spinning my wheels" here trying to make this work? Is there a better way to achieve my stated goals (e.g., some other method of "moving" the sensitive data to a separate file and replacing/obfuscating it in the main config file) other than using a JsonConverter? I need for my application to be able to access the sensitive information, but I just can't figure out the best way to keep it from being accessed by the casual observer. I've looked at several other implementations of custom JsonConverters, but none of them quite seem to fit the use case closely enough for me to get from there to where I need to be.