asp.net-core hash passwords forms-authentication

Encrypting Password Like Forms Authentication in .net Core


I have an old app that runs a read-only membership provider. I am tasked with creating an admin page to help with adding/changing/deleting users from this app. The membership provider uses FormsAuthentication, which I cannot use because my admin app is in .net Core. I'm trying to reverse-engineer the way they encrypt using FormsAuthentication and I have this so far:

They use:

    FormsAuthentication.HashPasswordForStoringInConfigFile(password, "sha1").ToLower();

I've reverse-engineered it to:

(string pwd is passed in)

    HashAlgorithm hashAlgorithm = new HMACSHA1();
    var step1 = Encoding.UTF8.GetBytes(pwd);
    var step2 = hashAlgorithm.ComputeHash(step1);
    var step3 = BinaryToHex(step2);

And step3 comes out to something like this "AD626B9D42073B299ECFC664CCB7A8B01F3AF726", which looks like what the passwords look like in the XML user file for the old app.

I'm just curious if I use this method of hashing (which works in .net core), will the hashed passwords be able to be "validated" by FormsAuthentication?

My tests so far don't seem to be working. Any ideas? Am I doing it wrong?

EDIT: it is not HMACSHA1, it's SHA1Cng - which I can't use because it is in System.Core in the .net framework 4.something... what can I use to do this in .net core?


Solution

  • I figured it out, this works:

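    using System.Security.Cryptography;
    using System.Text;

    var sha1 = SHA1.Create();
    var step1 = Encoding.UTF8.GetBytes(pwd);   // password as UTF-8 bytes
    var step2 = sha1.ComputeHash(step1);       // SHA-1 digest of those bytes
    var step3 = BinaryToHex(step2);            // digest as a hex string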
    

    BinaryToHex and its associated functions are copied from System.Web.Security.Cryptography.CryptoUtil

    Would still like to be able to do this in reverse and decrypt passwords.
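
A self-contained version of the approach in the answer, written as an added example that is not part of the original post: it reproduces `HashPasswordForStoringInConfigFile(password, "sha1").ToLower()` and adds a fixed-time check against a stored value. The `LegacyFormsHash` class name, the `BitConverter` hex encoding used in place of the copied `BinaryToHex`, and the sample stored hash are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class LegacyFormsHash
{
    // Same steps as the answer: SHA-1 over the UTF-8 bytes, then hex.
    // BitConverter stands in for the BinaryToHex helper copied from CryptoUtil.
    // Unsalted SHA-1 is kept only for compatibility with the old user file.
    public static string Hash(string password)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
            // The old app calls .ToLower() on the result, so do the same here.
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Hashes the candidate password and compares it with the stored value.
    // Case is normalised because the stored hex may be upper-case.
    public static bool Verify(string candidate, string storedHex)
    {
        byte[] expected = Encoding.ASCII.GetBytes(storedHex.Trim().ToLowerInvariant());
        byte[] actual = Encoding.ASCII.GetBytes(Hash(candidate));
        // FixedTimeEquals returns false for different lengths and does not
        // stop at the first differing byte.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: SHA-1 of "password", written in upper-case hex.
        const string stored = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8";

        Console.WriteLine(LegacyFormsHash.Hash("password"));
        Console.WriteLine(LegacyFormsHash.Verify("password", stored));
        Console.WriteLine(LegacyFormsHash.Verify("Password", stored));
    }
}
```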