public Task<string> Encrypt(IEnclaveKey key, object value)
{
Jose.JweAlgorithm algorithm;
Jose.JweEncryption encryption;
switch (key.KeyType.ToLowerInvariant())
{
case "rsa":
algorithm = Jose.JweAlgorithm.RSA_OAEP;
encryption = Jose.JweEncryption.A128CBC_HS256;
break;
case "aes":
algorithm = Jose.JweAlgorithm.A128KW;
encryption = Jose.JweEncryption.A128CBC_HS256;
break;
case "ecc":
algorithm = Jose.JweAlgorithm.ECDH_ES;
encryption = Jose.JweEncryption.A128CBC_HS256;
break;
default:
throw new NotSupportedException($"Unknown KeyType {key.KeyType}");
}
var encrypted = Jose.JWT.Encode(value, key.RetrieveKey(), algorithm, encryption);
return Task.FromResult(encrypted);
}
public Task <IKeyIdentifier> AddKey(IEnclaveKey key)
{
var kvKey = (KeyVaultKey)key;
IKeyIdentifier id = new KeyVaultKeyIdentifier(kvKey.Identifier);
return(Task.FromResult(id));
}
public async Task <string> Encrypt(IEnclaveKey key, object value)
{
using (var client = KeyVault.CreateClient())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var encrypted = await client.EncryptAsync(kvKey.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(value)));
return(Convert.ToBase64String(encrypted.Result));
}
}
public async Task <T> Decrypt <T>(IEnclaveKey key, string ciphertext)
{
using (var client = KeyVault.CreateClient())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var result = await client.DecryptAsync(kvKey.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, Convert.FromBase64String(ciphertext));
return(JsonConvert.DeserializeObject <T>(Encoding.UTF8.GetString(result.Result)));
}
}
public Task <IKeyIdentifier> AddKey(IEnclaveKey key)
{
var idBytes = new byte[16];
RNG.GetBytes(idBytes);
IKeyIdentifier keyId = new InMemoryKeyIdentifier(ToBase64UrlString(idBytes));
InMemoryKeys[keyId.KeyId] = key;
return(Task.FromResult(keyId));
}
public async Task <bool> Validate(IEnclaveKey key, string value)
{
using (var client = KeyVault.CreateClient())
{
var signed = JsonConvert.DeserializeObject <SignaturePayload>(
Encoding.UTF8.GetString(Convert.FromBase64String(value)));
var kvKey = key.RetrieveKey <JsonWebKey>();
return(await client.VerifyAsync(kvKey.Kid, JsonWebKeySignatureAlgorithm.RS256,
digest : signed.Dig, signature : signed.Sig));
}
}
public async Task <string> Sign(IEnclaveKey key, object value)
{
using (var client = KeyVault.CreateClient())
using (var sha = SHA256.Create())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var hashed = sha.ComputeHash(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(value)));
var result = await client.SignAsync(kvKey.Kid, JsonWebKeySignatureAlgorithm.RS256, hashed);
var signed = new SignaturePayload
{
Val = value,
Dig = hashed,
Kid = result.Kid,
Sig = result.Result,
};
return(Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(signed))));
}
}
public Task<string> Sign(IEnclaveKey key, object value)
{
Jose.JwsAlgorithm algorithm;
switch (key.KeyType.ToLowerInvariant())
{
case "rsa":
algorithm = Jose.JwsAlgorithm.RS256;
break;
case "aes":
algorithm = Jose.JwsAlgorithm.HS256;
break;
case "ecc":
algorithm = Jose.JwsAlgorithm.ES256;
break;
default:
throw new NotSupportedException($"Unknown KeyType {key.KeyType}");
}
var result = Jose.JWT.Encode(value, key.RetrieveKey(), algorithm);
return Task.FromResult(result);
}
public Task<IEnclaveKey> GenerateKey(string keyType)
{
IEnclaveKey key = null;
switch (keyType.ToLowerInvariant())
{
case "rsa":
key = new InMemoryKey(keyType, new RSACryptoServiceProvider(2048));
break;
case "aes":
var bytes = new byte[16];
RNG.GetBytes(bytes);
key = new InMemoryKey(keyType, bytes);
break;
case "ecc":
key = new InMemoryKey(keyType, new ECDsaCng(256));
break;
default:
throw new NotSupportedException($"Unknown key type {keyType}");
}
return Task.FromResult(key);
}
public Task<bool> Validate(IEnclaveKey key, string value)
{
var result = Jose.JWT.Decode(value, key.RetrieveKey());
return Task.FromResult(!string.IsNullOrWhiteSpace(result));
}
public Task<T> Decrypt<T>(IEnclaveKey key, string ciphertext)
{
T result = Jose.JWT.Decode<T>(ciphertext, key.RetrieveKey());
return Task.FromResult(result);
}
