public byte[][] WrapNewKey(int cekSizeBits, object key, IDictionary <string, object> header)
{
byte[] sharedKey = Ensure.Type <byte[]>(key, "AesGcmKeyWrapManagement alg expectes key to be byte[] array.");
Ensure.BitSize(sharedKey, keyLengthBits, string.Format("AesGcmKeyWrapManagement management algorithm expected key of size {0} bits, but was given {1} bits", keyLengthBits, sharedKey.Length * 8L));
byte[] iv = Arrays.Random(96);
byte[] cek = Arrays.Random(cekSizeBits);
byte[][] cipherAndTag = AesGcm.Encrypt(sharedKey, iv, null, cek);
header["iv"] = Base64Url.Encode(iv);
header["tag"] = Base64Url.Encode(cipherAndTag[1]);
return(new[] { cek, cipherAndTag[0] });
}
public byte[][] Encrypt(byte[] aad, byte[] plainText, byte[] cek)
{
Ensure.BitSize(cek, keyLength, string.Format("AES-GCM algorithm expected key of size {0} bits, but was given {1} bits", keyLength, cek.Length * 8L));
byte[] iv = Arrays.Random(96);
try
{
byte[][] cipherAndTag = AesGcm.Encrypt(cek, iv, aad, plainText);
return(new[] { iv, cipherAndTag[0], cipherAndTag[1] });
}
catch (CryptographicException e)
{
throw new EncryptionException("Unable to encrypt content.", e);
}
}
