internal async Task <(byte[], EncryptionKeyWrapMetadata, InMemoryRawDek)> WrapAsync(
string id,
byte[] key,
string encryptionAlgorithm,
EncryptionKeyWrapMetadata metadata,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
EncryptionKeyWrapResult keyWrapResponse;
using (diagnosticsContext.CreateScope("WrapDataEncryptionKey"))
{
keyWrapResponse = await this.DekProvider.EncryptionKeyWrapProvider.WrapKeyAsync(key, metadata, cancellationToken);
}
// Verify
DataEncryptionKeyProperties tempDekProperties = new DataEncryptionKeyProperties(id, encryptionAlgorithm, keyWrapResponse.WrappedDataEncryptionKey, keyWrapResponse.EncryptionKeyWrapMetadata, DateTime.UtcNow);
InMemoryRawDek roundTripResponse = await this.UnwrapAsync(tempDekProperties, diagnosticsContext, cancellationToken);
if (!roundTripResponse.DataEncryptionKey.RawKey.SequenceEqual(key))
{
throw new InvalidOperationException("The key wrapping provider configured was unable to unwrap the wrapped key correctly.");
}
return(keyWrapResponse.WrappedDataEncryptionKey, keyWrapResponse.EncryptionKeyWrapMetadata, roundTripResponse);
}
internal async Task <(DataEncryptionKeyProperties, InMemoryRawDek)> FetchUnwrappedAsync(
string id,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
try
{
DataEncryptionKeyProperties dekProperties = await this.DekProvider.DekCache.GetOrAddDekPropertiesAsync(
id,
this.ReadResourceAsync,
diagnosticsContext,
cancellationToken);
InMemoryRawDek inMemoryRawDek = await this.DekProvider.DekCache.GetOrAddRawDekAsync(
dekProperties,
this.UnwrapAsync,
diagnosticsContext,
cancellationToken);
return(dekProperties, inMemoryRawDek);
}
catch (CosmosException exception)
{
throw EncryptionExceptionFactory.EncryptionKeyNotFoundException(
$"Failed to retrieve Data Encryption Key with id: '{id}'.",
exception);
}
}
internal async Task <(DataEncryptionKeyProperties, InMemoryRawDek)> FetchUnwrappedAsync(
string id,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
DataEncryptionKeyProperties dekProperties = await this.DekProvider.DekCache.GetOrAddDekPropertiesAsync(
id,
this.ReadResourceAsync,
diagnosticsContext,
cancellationToken);
InMemoryRawDek inMemoryRawDek = await this.DekProvider.DekCache.GetOrAddRawDekAsync(
dekProperties,
this.UnwrapAsync,
diagnosticsContext,
cancellationToken);
return(dekProperties, inMemoryRawDek);
}
public async Task <InMemoryRawDek> GetOrAddRawDekAsync(
DataEncryptionKeyProperties dekProperties,
Func <DataEncryptionKeyProperties, CosmosDiagnosticsContext, CancellationToken, Task <InMemoryRawDek> > unwrapper,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
InMemoryRawDek inMemoryRawDek = await this.RawDekCache.GetAsync(
dekProperties.SelfLink,
null,
() => unwrapper(dekProperties, diagnosticsContext, cancellationToken),
cancellationToken);
if (inMemoryRawDek.RawDekExpiry <= DateTime.UtcNow)
{
inMemoryRawDek = await this.RawDekCache.GetAsync(
dekProperties.SelfLink,
null,
() => unwrapper(dekProperties, diagnosticsContext, cancellationToken),
cancellationToken,
forceRefresh : true);
}
return(inMemoryRawDek);
}
public void SetRawDek(string dekId, InMemoryRawDek inMemoryRawDek)
{
this.RawDekCache.Set(dekId, inMemoryRawDek);
}
