/// <summary>
/// This function uses the asymmetric key specified by the key path
/// and encrypts CEK with RSA encryption algorithm.
/// Key format is (version + keyPathLength + ciphertextLength + ciphertext + keyPath + signature)
/// </summary>
/// <param name="masterKeyPath">Complete path of an asymmetric key in AKV</param>
/// <param name="encryptionAlgorithm">Asymmetric Key Encryption Algorithm</param>
/// <param name="columnEncryptionKey">Plain text column encryption key</param>
/// <returns>Encrypted column encryption key</returns>
public byte[] EncryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] columnEncryptionKey)
{
ValidateNotNullOrWhitespace(masterKeyPath, nameof(masterKeyPath));
ValidateMasterKeyPathFormat(masterKeyPath);
ValidateMasterKeyIsTrusted(masterKeyPath, TrustedEndPoints);
ValidateNotNullOrWhitespace(encryptionAlgorithm, nameof(encryptionAlgorithm));
ValidateEncryptionAlgorithmIsRsaOaep(encryptionAlgorithm);
ValidateNotNull(columnEncryptionKey, nameof(columnEncryptionKey));
ValidateNotEmpty(columnEncryptionKey, nameof(columnEncryptionKey));
KeyCryptographer.AddKey(masterKeyPath);
KeyWrapAlgorithm keyWrapAlgorithm = KeyWrapAlgorithm.RsaOaep;
byte[] versionByte = new byte[] { version };
byte[] masterKeyPathBytes = Encoding.Unicode.GetBytes(masterKeyPath.ToLowerInvariant());
byte[] keyPathLength = BitConverter.GetBytes((short)masterKeyPathBytes.Length);
byte[] cipherText = KeyCryptographer.WrapKey(keyWrapAlgorithm, columnEncryptionKey, masterKeyPath);
byte[] cipherTextLength = BitConverter.GetBytes((short)cipherText.Length);
byte[] message = versionByte.Concat(keyPathLength).Concat(cipherTextLength).Concat(masterKeyPathBytes).Concat(cipherText).ToArray();
byte[] signature = KeyCryptographer.SignData(message, masterKeyPath);
return(message.Concat(signature).ToArray());
}
public void WrapKey_BadMultiplePT1()
{
byte[] pt = new byte[23];
KeyWrapAlgorithm.WrapKey(ValidKEK, pt);
}
private PSKeyOperationResult UnwrapKey(CryptographyClient cryptographyClient, KeyWrapAlgorithm keyWrapAlgorithm, byte[] wrapKey)
{
return(new PSKeyOperationResult(cryptographyClient.UnwrapKey(keyWrapAlgorithm, wrapKey)));
}
public UnwrapResult UnwrapKey(KeyWrapAlgorithm algorithm, byte[] encryptedKey, CancellationToken cancellationToken = default) => throw new CryptographicException(CRYPT_E_NO_PROVIDER);
internal byte[] UnwrapKey(KeyWrapAlgorithm keyWrapAlgorithm, byte[] encryptedKey, string keyIdentifierUri)
{
CryptographyClient cryptographyClient = GetCryptographyClient(keyIdentifierUri);
return(cryptographyClient.UnwrapKey(keyWrapAlgorithm, encryptedKey).Key);
}
/// <summary>
/// Initializes a new instance of the <see cref="Cryptography.UnwrapResult"/> for mocking purposes.
/// </summary>
/// <param name="keyId">Sets the <see cref="UnwrapResult.KeyId"/> property.</param>
/// <param name="key">Sets the <see cref="UnwrapResult.Key"/> property.</param>
/// <param name="algorithm">Sets the <see cref="UnwrapResult.Algorithm"/> property.</param>
/// <returns>A new instance of the <see cref="Cryptography.UnwrapResult"/> for mocking purposes.</returns>
public static UnwrapResult UnwrapResult(string keyId = default, byte[] key = default, KeyWrapAlgorithm algorithm = default) => new UnwrapResult
{
KeyId = keyId,
Key = key,
Algorithm = algorithm,
};
public void KeyUnwrap_InvalidKekLength_ThrowsArgumentOutOfRangeException(int kekLength)
{
Assert.ThrowsException <ArgumentOutOfRangeException>(
() => _ = KeyWrapAlgorithm.UnwrapKey(new byte[kekLength], new byte[16]));
}
public void WrapKey_ShortKEK2()
{
byte[] kek = new byte[15];
KeyWrapAlgorithm.WrapKey(kek, new byte[16]);
}
public void KeyUnwrap_NullKEK()
{
KeyWrapAlgorithm.UnwrapKey(null, new byte[16]);
}
public void WrapKey_LongKEK1()
{
byte[] kek = new byte[33];
KeyWrapAlgorithm.WrapKey(kek, new byte[16]);
}
public void Constructor_NullKEK()
{
KeyWrapAlgorithm kwa = new KeyWrapAlgorithm(null);
}
public void WrapKey_BadMultiplePT()
{
Assert.ThrowsException <ArgumentException>(
() => _ = KeyWrapAlgorithm.WrapKey(ValidKEK, new byte[23]));
}
public void WrapKey_ShortPT()
{
Assert.ThrowsException <ArgumentOutOfRangeException>(
() => _ = KeyWrapAlgorithm.WrapKey(ValidKEK, new byte[8]));
}
public void WrapKey_NullPT()
{
Assert.ThrowsException <ArgumentNullException>(
() => _ = KeyWrapAlgorithm.WrapKey(ValidKEK, null));
}
public void WrapKey_NullKEK()
{
KeyWrapAlgorithm.WrapKey(null, new byte[16]);
}
public void KeyUnwrap_EmptyKEK()
{
byte[] kek = new byte[0];
KeyWrapAlgorithm.UnwrapKey(kek, new byte[16]);
}
public void WrapKey_EmptyKEK()
{
byte[] kek = new byte[0];
KeyWrapAlgorithm.WrapKey(kek, new byte[16]);
}
public void KeyUnwrap_ShortKEK1()
{
byte[] kek = new byte[8];
KeyWrapAlgorithm.UnwrapKey(kek, new byte[16]);
}
public void WrapKey_BadSizedKEK1()
{
byte[] kek = new byte[20];
KeyWrapAlgorithm.WrapKey(kek, new byte[16]);
}
public void KeyUnwrap_LongKEK2()
{
byte[] kek = new byte[40];
KeyWrapAlgorithm.UnwrapKey(kek, new byte[16]);
}
public void WrapKey_NullKEK()
{
Assert.ThrowsException <ArgumentNullException>(
() => _ = KeyWrapAlgorithm.WrapKey(null, new byte[16]));
}
public void Constructor_EmptyKEK()
{
byte[] kek = new byte[0];
KeyWrapAlgorithm kwa = new KeyWrapAlgorithm(kek);
}
/// <summary>
/// Initializes a new instance of the <see cref="Cryptography.WrapResult"/> for mocking purposes.
/// </summary>
/// <param name="keyId">Sets the <see cref="WrapResult.KeyId"/> property.</param>
/// <param name="key">Sets the <see cref="WrapResult.EncryptedKey"/> property.</param>
/// <param name="algorithm">Sets the <see cref="WrapResult.Algorithm"/> property.</param>
/// <returns>A new instance of the <see cref="Cryptography.WrapResult"/> for mocking purposes.</returns>
public static WrapResult WrapResult(string keyId = default, byte[] key = default, KeyWrapAlgorithm algorithm = default) => new WrapResult
{
KeyId = keyId,
EncryptedKey = key,
Algorithm = algorithm,
};
public void Constructor_ShortKEK2()
{
byte[] kek = new byte[15];
KeyWrapAlgorithm kwa = new KeyWrapAlgorithm(kek);
}
public byte[] WrapKey(KeyWrapAlgorithm keyWrapAlgorithm, byte[] key, string keyIdentifierUri)
{
CryptographyClient cryptographyClient = GetCryptographyClient(keyIdentifierUri);
return(cryptographyClient.WrapKey(keyWrapAlgorithm, key).EncryptedKey);
}
public void Constructor_BadSizedKEK1()
{
byte[] kek = new byte[20];
KeyWrapAlgorithm kwa = new KeyWrapAlgorithm(kek);
}
public Task <WrapResult> WrapKeyAsync(KeyWrapAlgorithm algorithm, byte[] key, CancellationToken cancellationToken = default) => throw new CryptographicException(CRYPT_E_NO_PROVIDER);
public void Constructor_LongKEK2()
{
byte[] kek = new byte[40];
KeyWrapAlgorithm kwa = new KeyWrapAlgorithm(kek);
}
private PSKeyOperationResult WrapKey(CryptographyClient cryptographyClient, KeyWrapAlgorithm keyEncryptAlgorithm, byte[] value)
{
return(new PSKeyOperationResult(cryptographyClient.WrapKey(keyEncryptAlgorithm, value)));
}
public void WrapKey_ShortPT1()
{
byte[] pt = new byte[8];
KeyWrapAlgorithm.WrapKey(ValidKEK, pt);
}
