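        /// <summary>
        /// Unwraps <paramref name="key"/> with its key-encryption key (KEK) and returns the plaintext key material.
        /// </summary>
        /// <param name="key">
        /// The wrapped key record. Rejected by <c>Ensure.NotNull</c> when <c>null</c>.
        /// </param>
        /// <returns>
        /// A <see cref="CryptoKey"/> whose id is <c>key.Id</c> (as a string) and whose value is the unwrapped key material.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// The key's status is <c>Deactivated</c>, <c>Compromised</c>, <c>Destroyed</c> or <c>Suspended</c>.
        /// </exception>
        /// <exception cref="KeyExpiredException">
        /// The key carries an expiry that is at or before the injected clock's current time.
        /// </exception>
        private async Task<CryptoKey> DecryptAsync(KeyInfo key)
        {
            Ensure.NotNull(key, nameof(key));

            // Fail closed on any status that forbids use, before the KEK is fetched or any
            // ciphertext is touched. InvalidOperationException (instead of a bare Exception)
            // lets callers tell a policy refusal from an unexpected fault; it still derives
            // from Exception, so existing catch blocks keep working.
            // NOTE(review): there is no default arm, so any status not listed here (including
            // values added to KeyStatus later) is allowed through to decryption — confirm that
            // is intended rather than adding a deny-by-default arm.
            switch (key.Status)
            {
            case KeyStatus.Deactivated:
                throw new InvalidOperationException($"key#{key.Id} is deactivated");

            case KeyStatus.Compromised:
                throw new InvalidOperationException($"key#{key.Id} was compromised and may no longer be used");

            case KeyStatus.Destroyed:
                throw new InvalidOperationException($"key#{key.Id} is destroyed");

            case KeyStatus.Suspended:
                throw new InvalidOperationException($"key#{key.Id} is suspended");
            }

            // Expiry is compared against the injected clock rather than DateTime.Now, so the
            // check is deterministic under test. An expiry exactly equal to "now" counts as expired.
            if (key.Expires != null && key.Expires <= clock.Observe())
            {
                throw new KeyExpiredException(key, key.Expires.Value);
            }

            // Resolve the key-encryption key by id. The AAD (presumably derived from this record's
            // metadata by GetAad — verify there) ties the unwrap to this record so wrapped data
            // cannot be silently swapped between records.
            var kek = await protectorFactory.GetAsync(
                keyId : key.KekId.ToString(),
                aad : key.GetAad()
                );

            // Use the key-encryption key to unwrap the stored key material.
            var plaintext = await kek.DecryptAsync(key.Data);

            return new CryptoKey(
                id: key.Id.ToString(),
                value: plaintext
                );
        }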