public async Task <IEnclaveKey> GetKey(IKeyIdentifier id)
{
using (var client = KeyVault.CreateClient())
{
var keyId = Encoding.UTF8.GetString(Convert.FromBase64String(id.KeyId));
var key = await client.GetKeyAsync(keyId);
return(new KeyVaultKey(key));
}
}
public async Task <IQueryable <IKeyIdentifier> > ListKeys()
{
using (var client = KeyVault.CreateClient())
{
var config = KeyVault.ServiceConfiguration;
var keys = await client.GetKeysAsync(config.Vault);
return(keys.Select(k => new KeyVaultKeyIdentifier(k.Identifier.Identifier)).AsQueryable());
}
}
public async Task <IEnclaveKey> GenerateKey(string keyType)
{
using (var client = KeyVault.CreateClient())
{
var config = KeyVault.ServiceConfiguration;
var createdKey = await client.CreateKeyAsync(config.Vault, Guid.NewGuid().ToString(), keyType);
return(new KeyVaultStorageService.KeyVaultKey(createdKey));
}
}
public async Task <string> Encrypt(IEnclaveKey key, object value)
{
using (var client = KeyVault.CreateClient())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var encrypted = await client.EncryptAsync(kvKey.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(value)));
return(Convert.ToBase64String(encrypted.Result));
}
}
public async Task <T> Decrypt <T>(IEnclaveKey key, string ciphertext)
{
using (var client = KeyVault.CreateClient())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var result = await client.DecryptAsync(kvKey.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, Convert.FromBase64String(ciphertext));
return(JsonConvert.DeserializeObject <T>(Encoding.UTF8.GetString(result.Result)));
}
}
public async Task <bool> Validate(IEnclaveKey key, string value)
{
using (var client = KeyVault.CreateClient())
{
var signed = JsonConvert.DeserializeObject <SignaturePayload>(
Encoding.UTF8.GetString(Convert.FromBase64String(value)));
var kvKey = key.RetrieveKey <JsonWebKey>();
return(await client.VerifyAsync(kvKey.Kid, JsonWebKeySignatureAlgorithm.RS256,
digest : signed.Dig, signature : signed.Sig));
}
}
public async Task <string> Sign(IEnclaveKey key, object value)
{
using (var client = KeyVault.CreateClient())
using (var sha = SHA256.Create())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var hashed = sha.ComputeHash(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(value)));
var result = await client.SignAsync(kvKey.Kid, JsonWebKeySignatureAlgorithm.RS256, hashed);
var signed = new SignaturePayload
{
Val = value,
Dig = hashed,
Kid = result.Kid,
Sig = result.Result,
};
return(Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(signed))));
}
}
