Thursday, May 2, 2013

Encrypt InfoPath Fields - SharePoint 2010 Web Browser Enabled Forms

As InfoPath stores all the information in an open XML format it is easy for a little technical users to download the form to the client and read the xml and its values.

In this post I will go over How to encrypt fields in InfoPath Form and  How to upload the InfoPath Code Behind form to a form library.

For one of our requirements we had a requirement to secure or encrypt some of the compensation information that HR is to fillout on a SharePoint 2010 InfoPath Web Form/Online. Encryption of the fields help to secure the data so that when someone downloads the InfoPath 2010 form on their client what they say is encrypted data.

Just to let you know that I am just encrypting the compensation section and all fields in them. Other fields are not encrypted.

Here are the steps

  1. Create a Picture Button (rules and custom code) type and set the ID as Encrypt.
  2. Create a Picture Button (rules and custom code) type and set the ID as Decrypt.
  3. You can set the picture to these buttons if needed.
  4. Right click on the button and go to properties and click on Edit Form Code


  5. My fields in the infopath compensation area look like this 
  6. Create some extra Text fields on the form root section that we would use for the encryption purpose
  7. This is the code you need for the whole encryption and decryption to work. If you are familiar with C# then all function should be self explanatory
  8. This is the complete code in the code behind.



using Microsoft.Office.InfoPath;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;
using System.Xml.XPath;

namespace HR_Status_Form_Codebehind
{
    public partial class FormCode
    {

        // Member variables are not supported in browser-enabled forms.
        // Instead, write and read these values from the FormState
        // dictionary using code such as the following:
        //
        // public string encryptionkey
        //{
        //     get
        //          {
        //              return FormState["encryptionkey"];
        //     }
        //     set
        //     {
        //         FormState["encryptionkey"] = "r67$f#8gyv";
        //     }
        // }

        //private string Location
        //{
        //    get
        //    {
        //        return (string)FormState["Location"];
        //    }
        //    set
        //    {
        //        FormState["Location"] = value;
        //    }
        //}

        // NOTE: The following procedure is required by Microsoft InfoPath.
        // It can be modified using Microsoft InfoPath.



        #region Security Methods
        private string EncryptField(SymmetricAlgorithm SymmetricKey, string ValueToEncrypt)
        {
            string base64enc = string.Empty;

            byte[] dataToEncrypt = Encoding.Unicode.GetBytes(ValueToEncrypt);
            MemoryStream ms = new MemoryStream();

            CryptoStream csBase64 = new CryptoStream(
                ms, new ToBase64Transform(), CryptoStreamMode.Write);
            CryptoStream csRijndael = new CryptoStream(
                csBase64, SymmetricKey.CreateEncryptor(), CryptoStreamMode.Write);

            csRijndael.Write(dataToEncrypt, 0, (int)dataToEncrypt.Length);
            csRijndael.FlushFinalBlock();

            base64enc = Encoding.ASCII.GetString(ms.GetBuffer(), 0, (int)ms.Length);

            return base64enc;
        }

        private string DecryptField(SymmetricAlgorithm SymmetricKey, string ValueToDecrypt)
        {
            string unencryptedString = string.Empty;

            byte[] dataToDecrypt = Convert.FromBase64String(ValueToDecrypt);
            MemoryStream ms = new MemoryStream();

            CryptoStream csRijndael = new CryptoStream(
                ms, SymmetricKey.CreateDecryptor(), CryptoStreamMode.Write);

            csRijndael.Write(dataToDecrypt, 0, (int)dataToDecrypt.Length);
            csRijndael.FlushFinalBlock();

            unencryptedString = Encoding.Unicode.GetString(
                ms.GetBuffer(), 0, (int)ms.Length);

            return unencryptedString;
        }

        private SymmetricAlgorithm GenerateKey()
        {
            string saltValue = "CreateYourOwn";
            SymmetricAlgorithm symmKey = new RijndaelManaged();
            byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
            PasswordDeriveBytes passwordKey = new PasswordDeriveBytes("CreateYourOwn", saltValueBytes, "SHA1", 3);
            symmKey.Key = passwordKey.GetBytes(symmKey.KeySize / 8);
            symmKey.IV = passwordKey.GetBytes(symmKey.BlockSize / 8);
            return symmKey;
        }
        #endregion



        public void InternalStartup()
        {
            EventManager.FormEvents.Loading += new LoadingEventHandler(FormEvents_Loading);
            ((ButtonEvent)EventManager.ControlEvents["Encrypt"]).Clicked += new ClickedEventHandler(Encrypt_Clicked);
            ((ButtonEvent)EventManager.ControlEvents["Decrypt"]).Clicked += new ClickedEventHandler(Decrypt_Clicked);

            ((ButtonEvent)EventManager.ControlEvents["hrsubmit"]).Clicked += new ClickedEventHandler(hrsubmit_Clicked);
        }

        public void GenericFormSubmit(object sender, SubmitEventArgs e)
        {
            EncryptData();

        }
        #region private methods
        private void SetErrorMessage(string message)
        {
            XPathNavigator root = MainDataSource.CreateNavigator();
            root.SelectSingleNode("/my:myFields/my:errorMessage",
                NamespaceManager).SetValue(message);
        }


        private void ClearErrorMessage()
        {
            XPathNavigator root = MainDataSource.CreateNavigator();
            root.SelectSingleNode("/my:myFields/my:errorMessage",
                NamespaceManager).SetValue(String.Empty);
        }
        #endregion
        public void FormEvents_Loading(object sender, LoadingEventArgs e)
        {
            try
            {

                XPathNavigator root = MainDataSource.CreateNavigator();

                // Copy the XML structure for the protectedFields node with empty values
                string emptyProtectedFields = root.SelectSingleNode(
                "/my:myFields/my:Compensation", NamespaceManager).OuterXml;

                if (root.SelectSingleNode("/my:myFields/my:emptyProtectedFields", NamespaceManager).Value == string.Empty || root.SelectSingleNode("/my:myFields/my:emptyProtectedFields",
                NamespaceManager).Value == "")
                {
                    // Store the XML structure in the emptyProtectedFields node
                    root.SelectSingleNode("/my:myFields/my:emptyProtectedFields",
                    NamespaceManager).SetValue(emptyProtectedFields);
                }


            }
            catch (Exception ex)
            {
                SetErrorMessage(ex.Message);
            }

        }

        public void ClearCompensationInformation()
        {

            XPathNavigator root = MainDataSource.CreateNavigator();
            string emptyProtectedFields = root.SelectSingleNode(
                   "/my:myFields/my:emptyProtectedFields", NamespaceManager).Value;

            XPathNavigator container = root.SelectSingleNode(
            "//my:Compensation", NamespaceManager);
            container.ReplaceSelf(emptyProtectedFields);

        }



        public void Encrypt_Clicked(object sender, ClickedEventArgs e)
        {
            try
            {
                EncryptData();

            }
            catch (Exception ex)
            {
                SetErrorMessage(ex.Message);
            }
        }
        public void EncryptData()
        {

            try
            {
                ClearErrorMessage();

                XPathNavigator root = MainDataSource.CreateNavigator();

                // Generate the encryption
                SymmetricAlgorithm symmKey = GenerateKey();

                // Retrieve and encrypt the sensitive fields
                string dataToEncrypt = root.SelectSingleNode("/my:myFields/my:Compensation", NamespaceManager).OuterXml;
                root.SelectSingleNode("/my:myFields/my:encryptedData", NamespaceManager).SetValue(EncryptField(symmKey, dataToEncrypt));

                // Encrypt the isLocked field
                root.SelectSingleNode("/my:myFields/my:isLocked",
                NamespaceManager).SetValue("locked");

                // root.SelectSingleNode("/my:myFields/my:Compensation/my:salery",
                // NamespaceManager).SetValue("0");

                // root.SelectSingleNode("/my:myFields/my:Compensation/my:hourly",
                //NamespaceManager).SetValue("0");
                // Do not save the password; empty the password field
                //  root.SelectSingleNode("/my:myFields/my:password",
                // NamespaceManager).SetValue(String.Empty);

                // Empty the protected fields node
                string emptyProtectedFields = root.SelectSingleNode(
                "/my:myFields/my:emptyProtectedFields", NamespaceManager).Value;

                XPathNavigator container = root.SelectSingleNode(
                "//my:Compensation", NamespaceManager);
                container.ReplaceSelf(emptyProtectedFields);

                SetErrorMessage("Compensation information is encrypted! Please click the unlock button to view the information");
            }
            catch (Exception ex)
            {
                SetErrorMessage(ex.Message);
            }

        }
        public void ShowDecryptedData()
        {

            try
            {
                ClearErrorMessage();

                XPathNavigator root = MainDataSource.CreateNavigator();

                // Retrieve the password entered by the user and generate a key

                SymmetricAlgorithm symmKey = GenerateKey();

                // Retrieve the encrypted data
                string encryptedData = root.SelectSingleNode(
                "/my:myFields/my:encryptedData", NamespaceManager).Value;

                // Try to decrypt the data
                string decryptedData = DecryptField(symmKey, encryptedData);

                // Put the decrypted data in the protectedFields node
                XPathNavigator container = root.SelectSingleNode(
                "//my:Compensation", NamespaceManager);
                container.ReplaceSelf(decryptedData);

                // Empty the isLocked and password fields
                root.SelectSingleNode("/my:myFields/my:isLocked",
                NamespaceManager).SetValue("unlocked");
                SetErrorMessage("The data is now decrypted. It is advised to encrypt it info before submitting the form. ");
            }
            catch (CryptographicException ex)
            {
                //string msg = "Either the password you entered is incorrect ";
                //msg += "or you are not authorized to view the protected data.";
                SetErrorMessage(ex.Message);
            }
            catch (Exception ex)
            {
                string msg = "The InfoPath form has been tampered with; ";
                msg += "cannot unprotect the data.";
                SetErrorMessage(msg + ex.Message);
            }


        }


        public void Decrypt_Clicked(object sender, ClickedEventArgs e)
        {
            ShowDecryptedData();
        }



        public void hrsubmit_Clicked(object sender, ClickedEventArgs e)
        {
            // Write your code here.
        }
    }
}

NEXT STEPS TO PUBLISH THE FORM TO A SHAREPOINT FORMS LIBRARY AS ADMIN APPROVED FORM

First for the code behind forms to work you need to create this forms as admin approved form that will be uploaded to SharePoint CA(Central Admin).
To the InfoPath Form that has code Behind go to File and Form Options and go to Security and set a valid certificate and set to full trusted forms
Go to File on InfoPath and Publish - SharePoint Server and choose the form library you like to deploy it to and choose the following to make it admin approved
 Choose a local path where you want to store this template for uploading to CA
Finish the deployment.
Next Go to CA- General Application Settings and InfoPath Forms Service--Upload a form.
Choose the form that you saved in the publishing wizard local path. 
Upload the form
Then to the the form templates where the form got uploaded on CA, and choose the form click on that small dropdown icon and say activate in a site collection.
Choose the site collection where this form is going to be part of and hit activate in this site collection.
Now if you go back to the site collection where you activated you should see a new feature available.
Go ahead and activate that new feature which is usually named same as the form
Now Go the Form Library(This is the Site where you uploaded the form as a template).
Advanced settings on the Forms library and Say.
Allow management of content types.
Go to Form Library Settings and say Add An existing Content Type
Choose this new form/feature you just uploaded
You can set this new content type as default as seen in the above picture.

ALL SET TO ROCK NOW.