/// <summary>
/// Generates random bytes. Can return data as string or Hexidecimal. Note, Vault native function returns Base64-encoded. This routine
/// decodes it before returning to you.
/// </summary>
/// <param name="numBytes">Number of bytes you need.</param>
/// <param name="hexOutputFormat">true if you want hexidecimal values, False if you want ascii</param>
/// <returns></returns>
public async Task <string> GenerateRandomBytes(int numBytes, bool hexOutputFormat = false)
{
string path = MountPointPath + "random/" + numBytes.ToString();
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
string encodeFormat = "base64";
if (hexOutputFormat)
{
encodeFormat = "hex";
}
contentParams.Add("format", encodeFormat);
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "GenerateRandomBytes", contentParams);
if (vdro.Success)
{
string bytes = await vdro.GetDotNetObject <string>("data.random_bytes");
if (hexOutputFormat)
{
return(bytes);
}
else
{
return(VaultUtilityFX.Base64DecodeAscii(bytes));
}
}
return("");
}
// ==============================================================================================================================================
/// <summary>
/// Re-encrypts the currently encrypted data with the current version of the key. This is a simplified way
/// of upgrading the encryption for an element without have to call Decrypt and then Encrypt separately.
/// </summary>
/// <param name="keyName">The Encryption key to use to decrypt and re-encrypt the data</param>
/// <param name="encryptedData">The currently encrypted data element that you want to have upgraded with the new encryption key.</param>
/// <param name="keyDerivationContext">The context used for key derivation if the key supports that key derivation.</param>
/// <param name="keyVersion">Version of the key to use. Defaults to current version (0).</param>
/// <returns>The data element encrypted with the version of the key specified. (Default is latest version of the key). Returns null if operation failed.</returns>
public async Task <TransitEncryptedItem> ReEncrypt(string keyName, string encryptedData, string keyDerivationContext = "", int keyVersion = 0)
{
string path = MountPointPath + "rewrap/" + keyName;
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
// Build the parameter list.
contentParams.Add("ciphertext", encryptedData);
if (keyDerivationContext != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext));
}
if (keyVersion > 0)
{
contentParams.Add("key_version", keyVersion.ToString());
}
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ReEncrypt", contentParams);
if (vdro.HttpStatusCode == 200)
{
return(await vdro.GetDotNetObject <TransitEncryptedItem>());
}
else
{
return(null);
}
}
// ==============================================================================================================================================
/// <summary>
/// Decrypts a single encrypted value. If the keys supports convergent or derived encryption then you must supply the keyDerivationContext param.
/// </summary>
/// <param name="keyName">Name of the encryption key to use to decrypt.</param>
/// <param name="encryptedData">The encrypted value that you wish to have decrypted.</param>
/// <param name="keyDerivationContext">The context value that is required to delete a convergent encrypted item.</param>
/// <returns>TransitDecryptedItem if the value was able to be successfully decrypted.
/// Throws <VaultInvalidDataException> if unable to decrypt the item due to bad key or context value.</VaultInvalidDataException></returns>
public async Task <TransitDecryptedItem> Decrypt(string keyName, string encryptedData, string keyDerivationContext = "")
{
string path = MountPointPath + PathDecrypt + keyName;
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
// Build the parameter list.
contentParams.Add("ciphertext", encryptedData);
if (keyDerivationContext != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext));
}
// Call Vault API.
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "Decrypt", contentParams);
if (vdro.HttpStatusCode == 200)
{
return(await vdro.GetDotNetObject <TransitDecryptedItem>());
}
// This code should never get hit.
throw new VaultUnexpectedCodePathException("TransitBackEnd-Decrypt");
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="encryptedValue">The Encrypted Value</param>
/// <param name="context"></param>
public TransitBulkItemToDecrypt(string encryptedValue, string context = null)
{
encryptedItem = encryptedValue;
if (context != null)
{
base64Context = VaultUtilityFX.Base64EncodeAscii(context);
}
}
/// <summary>
/// Constructor for a single item to be encrypted.
/// </summary>
/// <param name="itemToEncrypt">The string value of the item to encrypt</param>
/// <param name="context">The Base64 Context for key derivation if desired</param>
public TransitBulkItemToEncrypt(string itemToEncrypt, string context = null)
{
base64ItemToEncrypt = VaultUtilityFX.Base64EncodeAscii(itemToEncrypt);
if (context != null)
{
base64Context = VaultUtilityFX.Base64EncodeAscii(context);
}
}
/// <summary>
/// Returns the cryptographic hashing of given data using the specified algorithm.
/// </summary>
/// <param name="input">The data value you wish to have the hashing generated on.</param>
/// <param name="hashing">The hashing algorithm to use.</param>
/// <param name="hexOutputFormat">Boolean. Set to true if you wish the hashing output to be returned in Hexadecimal format. False means Base64 format.</param>
/// <returns>The hashing of the input data returned in either hexadecimal or Base64 format.</returns>
public async Task <string> ComputeHash(string input, TransitEnumHashingAlgorithm hashing, bool hexOutputFormat = false)
{
string path = MountPointPath + "hash";
string hashStr = "";
switch (hashing)
{
case TransitEnumHashingAlgorithm.sha2_224:
hashStr = "sha2-224";
break;
case TransitEnumHashingAlgorithm.sha2_256:
hashStr = "sha2-256";
break;
case TransitEnumHashingAlgorithm.sha2_384:
hashStr = "sha2-384";
break;
case TransitEnumHashingAlgorithm.sha2_512:
hashStr = "sha2-512";
break;
}
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
string encodeFormat = "base64";
if (hexOutputFormat)
{
encodeFormat = "hex";
}
contentParams.Add("format", encodeFormat);
contentParams.Add("algorithm", hashStr);
string inputBase64 = VaultUtilityFX.Base64EncodeAscii(input);
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ComputeHash", contentParams);
if (vdro.Success)
{
return(await vdro.GetDotNetObject <string>("data.sum")); //vdro.GetJSONPropertyValue (vdro.GetDataPackageAsJSON(), "sum"); }
}
return("");
}
// ==============================================================================================================================================
/// <summary>
/// Calls the Vault Encryption API.
/// - This version only supports a single data element for encryption at a time. See the EncryptBulk method for enabling encrypting more than
/// one value during a single API call.
/// - It always encrypts with the latest version of the key, unless you have specified the KeyVersion parameter > 0.
/// </summary>
/// <param name="keyName">The name of the encryption key to use to encrypt the data.</param>
/// <param name="rawStringData">The data to be encrypted in string format. This should not be base64 encoded. This routine takes care of that for you.</param>
/// <param name="keyDerivationContext"></param>
/// <param name="keyVersion">Version of the key that should be used to encrypt the data. The default (0) is the latest version of the key.</param>
/// <returns></returns>
public async Task <TransitEncryptedItem> Encrypt(string keyName, string rawStringData, string keyDerivationContext = "", int keyVersion = 0)
{
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
// Base64 Encode Data
contentParams.Add("plaintext", VaultUtilityFX.Base64EncodeAscii(rawStringData));
if (keyDerivationContext != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext));
}
if (keyVersion > 0)
{
contentParams.Add("key_version", keyVersion.ToString());
}
return(await EncryptToVault(keyName, contentParams));
}
/// <summary>
/// Throws VaultInvalidDataException for a number of errors, including not supplying context for keys that require it.
/// </summary>
/// <param name="keyName">Name of the key that should be used to create this Data Key.</param>
/// <param name="returnCipherAndPlainText">Boolean: If true, the key returned will contain both the plaintext and cipher text for the key. IF false, just the cipher is returned.</param>
/// <param name="context">Optional: the context value to encrypt with. Required if Key supports convergent or Derived Encryption.</param>
/// <param name="bits">128, 256 or 512. Number of bits the key should have.</param>
/// <returns></returns>
public async Task <TransitDataKey> GenerateDataKey(string keyName, bool returnCipherAndPlainText = false, string context = "", int bits = 256)
{
string sType = "";
if (returnCipherAndPlainText)
{
sType = "plaintext";
}
else
{
sType = "wrapped";
}
if ((bits != 128) && (bits != 256) && (bits != 512))
{
throw new ArgumentOutOfRangeException("bits", "Bits value can only be 128, 256 or 512.");
}
// Build parameters
Dictionary <string, string> contentParams = new Dictionary <string, string>();
contentParams.Add("bits", bits.ToString());
if (context != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(context));
}
string path = MountPointPath + "datakey/" + sType + "/" + keyName;
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "GenerateDataKey", contentParams);
// Pull out the results and send back.
return(await vdro.GetDotNetObject <TransitDataKey>());
}
/// <summary>
/// Creates a new secret with the specified Name (Path)
/// </summary>
/// <param name="secretName">The name of the secret.</param>
/// <param name="path">The path to the secret to be stored. apps/appA/config apps/appA is the path.</param>
public KV2SecretBase(string secretName, string path = "")
{
if (path.StartsWith("/data/"))
{
throw new ArgumentException("KeyValue V2 secret paths do not need to specify the /data/ prefix as it is assumed.");
}
string tempName = secretName.TrimStart('/').TrimEnd('/');
if (tempName.Contains("/"))
{
if (path != string.Empty)
{
throw new ArgumentException("The secretName must not contain any path arguments, if the path parameter has a value");
}
(_path, _name) = VaultUtilityFX.GetNameAndPathTuple(secretName);
}
else
{
_name = tempName;
_path = path.Trim('/');
}
Attributes = new Dictionary <string, string>();
}
public void GetPathAndNameValuesTupleThrows(string scenario, string name, string path, string expName, string expPath)
{
Assert.Throws <ArgumentException>(() => VaultUtilityFX.GetNameAndPathFromValuesTuple(name, path));
}
public void GetPathAndNameValuesTuple(string scenario, string name, string path, string expName, string expPath)
{
(string pathResult, string nameResult) = VaultUtilityFX.GetNameAndPathFromValuesTuple(name, path);
Assert.AreEqual(expName, nameResult, "A10: Name is not correct value");
Assert.AreEqual(expPath, pathResult, "A20: Path is not expected value");
}
public void GetPathNameTuple(string value, string name, string path)
{
(string pathResult, string nameResult) = VaultUtilityFX.GetNameAndPathTuple(value);
Assert.AreEqual(name, nameResult, "A10: Name is not correct value");
Assert.AreEqual(path, pathResult, "A20: Path is not expected value");
}
public void GetPathFromPath(string fullPathName, string expected)
{
string result = VaultUtilityFX.GetPathFromVaultPath(fullPathName);
Assert.AreEqual(expected, result);
}
/// <summary>
/// Creates a new secret with the name and path specified
/// </summary>
/// <param name="secretPathAndName">The Name and optionally the path for the secret. If the argument contains
/// no path parts, then the path is set to empty and the entire argument is the name.</param>
public KV2SecretBase(string secretPathAndName)
{
(_path, _name) = VaultUtilityFX.GetNameAndPathTuple(secretPathAndName);
Attributes = new Dictionary <string, string>();
}
