        /// <summary>
        /// Wraps <paramref name="key"/> locally with the AES key-wrap transform selected by
        /// <paramref name="algorithm"/>, using this object's key material (<c>KeyMaterial.K</c>).
        /// </summary>
        /// <param name="algorithm">Key wrap algorithm; its key size in bytes decides how much key material is fed to the transform.</param>
        /// <param name="key">Raw key bytes to wrap. Must not be null.</param>
        /// <param name="cancellationToken">Not read by this block; the wrap runs synchronously.</param>
        /// <returns>
        /// A <see cref="WrapResult"/> with the wrapped bytes, the algorithm and the key id, or <c>null</c>
        /// when the algorithm has no local implementation (that case is reported through <c>KeysEventSource</c>).
        /// </returns>
        /// <exception cref="ArgumentException">The algorithm needs more key material than this key holds.</exception>
        public override WrapResult WrapKey(KeyWrapAlgorithm algorithm, byte[] key, CancellationToken cancellationToken)
        {
            Argument.AssertNotNull(key, nameof(key));

            // Refuses to use the key outside its validity window; the check itself is defined elsewhere in the class.
            ThrowIfTimeInvalid();

            int requiredKeyBytes = algorithm.GetKeySizeInBytes();
            if (requiredKeyBytes is 0)
            {
                // A size of zero is how GetKeySizeInBytes signals "not supported locally".
                KeysEventSource.Singleton.AlgorithmNotSupported(nameof(WrapKey), algorithm);
                return null;
            }

            int availableKeyBytes = GetKeySizeInBytes();
            if (availableKeyBytes < requiredKeyBytes)
            {
                throw new ArgumentException($"Key wrap algorithm {algorithm} key size {requiredKeyBytes} is greater than the underlying key size {availableKeyBytes}");
            }

            // Exact-size material is handed over directly; longer material goes through the project's
            // Take helper (presumably the leading requiredKeyBytes bytes — confirm against its definition).
            byte[] wrappingKey;
            if (availableKeyBytes == requiredKeyBytes)
            {
                wrappingKey = KeyMaterial.K;
            }
            else
            {
                wrappingKey = KeyMaterial.K.Take(requiredKeyBytes);
            }

            using ICryptoTransform encryptor = AesKw.CreateEncryptor(wrappingKey);

            // The whole input is wrapped in a single final-block call.
            byte[] wrapped = encryptor.TransformFinalBlock(key, 0, key.Length);

            return new WrapResult
            {
                Algorithm = algorithm,
                EncryptedKey = wrapped,
                KeyId = KeyMaterial.Id,
            };
        }
        /// <summary>
        /// Unwraps <paramref name="encryptedKey"/> locally with the AES key-wrap transform selected by
        /// <paramref name="algorithm"/>, using the key material held in <c>_jwk.K</c>.
        /// </summary>
        /// <param name="algorithm">Key wrap algorithm; its key size in bytes decides how much key material is fed to the transform.</param>
        /// <param name="encryptedKey">Wrapped key bytes to unwrap. Must not be null.</param>
        /// <param name="cancellationToken">Not read by this block; the unwrap runs synchronously.</param>
        /// <returns>
        /// An <see cref="UnwrapResult"/> with the recovered key bytes, the algorithm and the key id, or <c>null</c>
        /// when the algorithm has no local implementation.
        /// </returns>
        /// <exception cref="ArgumentException">The algorithm needs more key material than this key holds.</exception>
        public UnwrapResult UnwrapKey(KeyWrapAlgorithm algorithm, byte[] encryptedKey, CancellationToken cancellationToken)
        {
            Argument.AssertNotNull(encryptedKey, nameof(encryptedKey));

            int requiredKeyBytes = algorithm.GetKeySizeInBytes();
            if (requiredKeyBytes is 0)
            {
                // A size of zero is how GetKeySizeInBytes signals "not supported locally".
                // TODO: log the unsupported algorithm instead of returning silently.
                return null;
            }

            int availableKeyBytes = GetKeySizeInBytes();
            if (availableKeyBytes < requiredKeyBytes)
            {
                throw new ArgumentException($"Key wrap algorithm {algorithm} key size {requiredKeyBytes} is greater than the underlying key size {availableKeyBytes}");
            }

            // Exact-size material is handed over directly; longer material goes through the project's
            // Take helper (presumably the leading requiredKeyBytes bytes — confirm against its definition).
            byte[] unwrappingKey;
            if (availableKeyBytes == requiredKeyBytes)
            {
                unwrappingKey = _jwk.K;
            }
            else
            {
                unwrappingKey = _jwk.K.Take(requiredKeyBytes);
            }

            using ICryptoTransform decryptor = AesKw.CreateDecryptor(unwrappingKey);

            // The whole input is unwrapped in a single final-block call; an integrity failure, if the
            // transform detects one, surfaces from this call rather than from this block.
            byte[] recoveredKey = decryptor.TransformFinalBlock(encryptedKey, 0, encryptedKey.Length);

            return new UnwrapResult
            {
                Algorithm = algorithm,
                Key = recoveredKey,
                KeyId = _jwk.Id,
            };
        }
        /// <summary>
        /// Unwraps <paramref name="encryptedKey"/> locally with the <c>AesKw</c> instance that
        /// <paramref name="algorithm"/> resolves to, using this object's key material (<c>KeyMaterial.K</c>).
        /// </summary>
        /// <param name="algorithm">Key wrap algorithm; resolved to an <c>AesKw</c> via <c>GetAesKeyWrapAlgorithm</c>.</param>
        /// <param name="encryptedKey">Wrapped key bytes to unwrap. Must not be null.</param>
        /// <param name="cancellationToken">Not read by this block; the unwrap runs synchronously.</param>
        /// <returns>
        /// An <see cref="UnwrapResult"/> with the recovered key bytes, the algorithm and the key id, or <c>null</c>
        /// when no local <c>AesKw</c> exists for the algorithm (that case is reported through <c>KeysEventSource</c>).
        /// </returns>
        /// <exception cref="ArgumentException">The algorithm needs more key material than this key holds.</exception>
        public override UnwrapResult UnwrapKey(KeyWrapAlgorithm algorithm, byte[] encryptedKey, CancellationToken cancellationToken)
        {
            Argument.AssertNotNull(encryptedKey, nameof(encryptedKey));

            AesKw aesKw = algorithm.GetAesKeyWrapAlgorithm();
            if (aesKw is null)
            {
                // No local implementation for this algorithm.
                KeysEventSource.Singleton.AlgorithmNotSupported(nameof(UnwrapKey), algorithm);
                return null;
            }

            int availableKeyBytes = GetKeySizeInBytes();
            int requiredKeyBytes = aesKw.KeySizeInBytes;
            if (availableKeyBytes < requiredKeyBytes)
            {
                throw new ArgumentException($"Key wrap algorithm {algorithm} key size {requiredKeyBytes} is greater than the underlying key size {availableKeyBytes}");
            }

            // The full key material is handed to the transform even when it is longer than
            // KeySizeInBytes; any trimming to the algorithm's size would have to happen inside
            // AesKw.CreateDecryptor — confirm that it does.
            using ICryptoTransform decryptor = aesKw.CreateDecryptor(KeyMaterial.K);

            // The whole input is unwrapped in a single final-block call.
            byte[] recoveredKey = decryptor.TransformFinalBlock(encryptedKey, 0, encryptedKey.Length);

            return new UnwrapResult
            {
                Algorithm = algorithm,
                Key = recoveredKey,
                KeyId = KeyMaterial.Id,
            };
        }
            /// <summary>
            /// Builds a decryptor around an AES provider created from <paramref name="keyBytes"/>.
            /// The provider is configured with an all-zero IV; the caller's <paramref name="iv"/>
            /// is copied into <c>_iv</c> for use by the unwrap logic outside this constructor.
            /// </summary>
            /// <param name="keyBytes">AES key material passed straight to <c>AesKw.Create</c>.</param>
            /// <param name="iv">The real key-wrap IV. A private clone is stored, so later changes by the caller do not affect this object. Must not be null.</param>
            internal AesKwDecryptor(byte[] keyBytes, byte[] iv)
            {
                _aes = AesKw.Create(keyBytes);

                // BlockSize is in bits; >> 3 gives the IV length in bytes. The array is zero on
                // allocation already; the Zero() helper call is kept as in the original.
                byte[] zeroIv = new byte[_aes.BlockSize >> 3];
                zeroIv.Zero();
                _aes.IV = zeroIv;

                // Keep our own copy of the real IV rather than aliasing the caller's array.
                _iv = (byte[])iv.Clone();
            }