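        /// <summary>
        /// Returns an <see cref="IDataProtector"/> backed by a Cloud KMS crypto key whose id is
        /// derived from <paramref name="purpose"/>. The key is created on first use with a
        /// 7-day rotation schedule; if it already exists (HTTP 409 Conflict) the existing key
        /// is reused. Protectors are cached per purpose so repeated calls share one instance.
        /// </summary>
        /// <param name="purpose">Data-protection purpose; also the basis of the KMS key id.</param>
        /// <returns>The cached or newly created protector for <paramref name="purpose"/>.</returns>
        IDataProtector IDataProtectionProvider.CreateProtector(string purpose)
        {
            IDataProtector cached;
            if (_dataProtectorCache.TryGetValue(purpose, out cached))
            {
                return cached;
            }

            const int rotationDays = 7;
            var keyRingName =
                $"projects/{_options.Value.ProjectId}/locations/{_options.Value.Location}/keyRings/{_options.Value.KeyRing}";
            // KMS expects the rotation period as a duration string in seconds, e.g. "604800s".
            string rotationPeriod = $"{TimeSpan.FromDays(rotationDays).TotalSeconds}s";
            // EscapeKeyId is a sibling helper; presumably it maps an arbitrary purpose string onto
            // a valid KMS key id — verify its rules if purposes can contain unusual characters.
            string keyId = EscapeKeyId(purpose);

            CryptoKey cryptoKeyToCreate = new CryptoKey()
            {
                Purpose          = "ENCRYPT_DECRYPT",
                NextRotationTime = DateTime.UtcNow.AddDays(rotationDays),
                RotationPeriod   = rotationPeriod
            };
            var request = new ProjectsResource.LocationsResource.KeyRingsResource.CryptoKeysResource.CreateRequest(
                _kms, cryptoKeyToCreate, keyRingName);
            request.CryptoKeyId = keyId;

            string keyName;
            try
            {
                // Synchronous network call; creation is the slow path taken once per purpose.
                keyName = request.Execute().Name;
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // Key already exists: reuse it by name. NOTE(review): the existing key's purpose
                // and rotation settings are not verified here — confirm that is acceptable.
                keyName = $"{keyRingName}/cryptoKeys/{keyId}";
            }

            var newProtector = new KmsDataProtector(_kms, keyName,
                (string innerPurpose) => this.CreateProtector($"{purpose}.{innerPurpose}"));

            // Another caller may have populated the cache while the key was being created. Prefer
            // the entry that won the race so every caller for this purpose shares one instance.
            if (!_dataProtectorCache.TryAdd(purpose, newProtector)
                && _dataProtectorCache.TryGetValue(purpose, out cached))
            {
                return cached;
            }
            return newProtector;
        }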
        // [END kms_get_cryptokey]

        // [START kms_create_cryptokey]
        /// <summary>
        /// Creates a symmetric (ENCRYPT_DECRYPT) crypto key with id <paramref name="cryptoKey"/>
        /// under the given key ring and prints the resource name of the created key.
        /// </summary>
        /// <param name="projectId">Google Cloud project id.</param>
        /// <param name="location">KMS location that holds the key ring.</param>
        /// <param name="keyRing">Key ring that will own the new key.</param>
        /// <param name="cryptoKey">Id to assign to the new crypto key.</param>
        /// <returns>0 on success; API failures surface as exceptions from Execute().</returns>
        public static object CreateCryptoKey(string projectId, string location, string keyRing, string cryptoKey)
        {
            var kmsClient = CreateAuthorizedClient();
            // Resource name of the parent key ring that will own the key.
            var keyRingName = $"projects/{projectId}/locations/{location}/keyRings/{keyRing}";
            var keySpec = new CryptoKey { Purpose = "ENCRYPT_DECRYPT" };
            var createRequest = new ProjectsResource.LocationsResource.KeyRingsResource.CryptoKeysResource.CreateRequest(
                kmsClient, keySpec, keyRingName)
            {
                CryptoKeyId = cryptoKey
            };
            var created = createRequest.Execute();
            Console.Write($"Created Crypto Key: {created.Name}");
            return 0;
        }
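        /// <summary>
        /// Builds a provider backed by Cloud KMS: loads application-default credentials, creates
        /// the KMS client, and ensures the configured key ring exists (creating it if needed).
        /// </summary>
        /// <param name="options">Project id, location and key ring name to use.</param>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is null.</exception>
        public KmsDataProtectionProvider(IOptions<KmsDataProtectionProviderOptions> options)
        {
            if (options == null)
            {
                throw new ArgumentNullException(nameof(options));
            }
            _options = options;

            // Use the synchronous ADC lookup rather than blocking on the async one with .Result,
            // which wraps failures in AggregateException and can deadlock under a sync context.
            GoogleCredential credential = GoogleCredential.GetApplicationDefault();
            if (credential.IsCreateScopedRequired)
            {
                credential = credential.CreateScoped(new[] { CloudKMSService.Scope.CloudPlatform });
            }

            _kms = new CloudKMSService(new BaseClientService.Initializer
            {
                HttpClientInitializer = credential,
                GZipEnabled           = false
            });

            var parent = $"projects/{options.Value.ProjectId}/locations/{options.Value.Location}";
            var request = new ProjectsResource.LocationsResource.KeyRingsResource.CreateRequest(
                _kms, new KeyRing(), parent);
            request.KeyRingId = options.Value.KeyRing;

            try
            {
                // Synchronous network call made once, at construction.
                request.Execute();
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // The key ring already exists; that is the expected steady state, not an error.
            }
        }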

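        /// <summary>
        /// Returns an <see cref="IDataProtector"/> backed by a Cloud KMS crypto key whose id is
        /// derived from <paramref name="purpose"/>. The key is created on first use with a
        /// 7-day rotation schedule; if it already exists (HTTP 409 Conflict) the existing key
        /// is reused. Protectors are cached per purpose so repeated calls share one instance.
        /// </summary>
        /// <param name="purpose">Data-protection purpose; also the basis of the KMS key id.</param>
        /// <returns>The cached or newly created protector for <paramref name="purpose"/>.</returns>
        IDataProtector IDataProtectionProvider.CreateProtector(string purpose)
        {
            IDataProtector cached;
            if (_dataProtectorCache.TryGetValue(purpose, out cached))
            {
                return cached;
            }

            const int rotationDays = 7;
            var keyRingName =
                $"projects/{_options.Value.ProjectId}/locations/{_options.Value.Location}/keyRings/{_options.Value.KeyRing}";
            // KMS expects the rotation period as a duration string in seconds, e.g. "604800s".
            string rotationPeriod = $"{TimeSpan.FromDays(rotationDays).TotalSeconds}s";
            // EscapeKeyId is a sibling helper; presumably it maps an arbitrary purpose string onto
            // a valid KMS key id — verify its rules if purposes can contain unusual characters.
            string keyId = EscapeKeyId(purpose);

            CryptoKey cryptoKeyToCreate = new CryptoKey()
            {
                Purpose          = "ENCRYPT_DECRYPT",
                NextRotationTime = DateTime.UtcNow.AddDays(rotationDays),
                RotationPeriod   = rotationPeriod
            };
            var request = new ProjectsResource.LocationsResource.KeyRingsResource.CryptoKeysResource.CreateRequest(
                _kms, cryptoKeyToCreate, keyRingName);
            request.CryptoKeyId = keyId;

            string keyName;
            try
            {
                // Synchronous network call; creation is the slow path taken once per purpose.
                keyName = request.Execute().Name;
            }
            catch (Google.GoogleApiException e)
                when (e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
            {
                // Key already exists: reuse it by name. NOTE(review): the existing key's purpose
                // and rotation settings are not verified here — confirm that is acceptable.
                keyName = $"{keyRingName}/cryptoKeys/{keyId}";
            }

            var newProtector = new KmsDataProtector(_kms, keyName,
                (string innerPurpose) => this.CreateProtector($"{purpose}.{innerPurpose}"));

            // Another caller may have populated the cache while the key was being created. Prefer
            // the entry that won the race so every caller for this purpose shares one instance.
            if (!_dataProtectorCache.TryAdd(purpose, newProtector)
                && _dataProtectorCache.TryGetValue(purpose, out cached))
            {
                return cached;
            }
            return newProtector;
        }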