internal bool CanBeUsedForSigning(RsaKeyContainer key, bool ignoreActiveDelay = false)
{
if (key == null)
{
return(false);
}
if (key.KeyType != _options.KeyType)
{
_logger.LogTrace("Key {kid} is of type {kty} but server configured for {configuredKty}", key.Id, key.KeyType, _options.KeyType);
return(false);
}
var now = _clock.UtcNow;
// newly created key check
var start = key.Created;
if (start > now)
{
// if another server created the key in the future (meaning this server's clock is
// behind the other), then we will just assume the other server's time for this key.
// this is how we can deal with clock skew for recently created keys.
now = start;
}
if (!ignoreActiveDelay)
{
_logger.LogTrace("Checking if key with kid {kid} is active (respecting activation delay).", key.Id);
start = start.Add(_options.KeyActivationDelay);
}
else
{
_logger.LogTrace("Checking if key with kid {kid} is active (ignoring activation delay).", key.Id);
}
if (start > now)
{
_logger.LogTrace("Key with kid {kid} is inactive: the current time is prior to its activation delay.", key.Id);
return(false);
}
// expired key check
var end = key.Created.Add(_options.KeyExpiration);
if (end < now)
{
_logger.LogTrace("Key with kid {kid} is inactive: the current time is past its expiration.", key.Id);
return(false);
}
_logger.LogTrace("Key with kid {kid} is active.", key.Id);
return(true);
}
/// <summary>
/// Protects RsaKeyContainer.
/// </summary>
/// <param name="key"></param>
/// <returns></returns>
public SerializedKey Protect(RsaKeyContainer key)
{
var data = KeySerializer.Serialize(key);
if (_options.DataProtectKeys)
{
data = _dataProtectionProvider.Protect(data);
}
return(new SerializedKey
{
Created = DateTime.UtcNow,
Id = key.Id,
KeyType = key.KeyType,
Data = data,
DataProtected = _options.DataProtectKeys,
});
}
