/// <summary> /// Generates random bytes. Can return data as string or Hexidecimal. Note, Vault native function returns Base64-encoded. This routine /// decodes it before returning to you. /// </summary> /// <param name="numBytes">Number of bytes you need.</param> /// <param name="hexOutputFormat">true if you want hexidecimal values, False if you want ascii</param> /// <returns></returns> public async Task <string> GenerateRandomBytes(int numBytes, bool hexOutputFormat = false) { string path = MountPointPath + "random/" + numBytes.ToString(); // Setup Post Parameters in body. Dictionary <string, string> contentParams = new Dictionary <string, string>(); string encodeFormat = "base64"; if (hexOutputFormat) { encodeFormat = "hex"; } contentParams.Add("format", encodeFormat); VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "GenerateRandomBytes", contentParams); if (vdro.Success) { string bytes = await vdro.GetDotNetObject <string>("data.random_bytes"); if (hexOutputFormat) { return(bytes); } else { return(VaultUtilityFX.Base64DecodeAscii(bytes)); } } return(""); }
// ============================================================================================================================================== /// <summary> /// Re-encrypts the currently encrypted data with the current version of the key. This is a simplified way /// of upgrading the encryption for an element without have to call Decrypt and then Encrypt separately. /// </summary> /// <param name="keyName">The Encryption key to use to decrypt and re-encrypt the data</param> /// <param name="encryptedData">The currently encrypted data element that you want to have upgraded with the new encryption key.</param> /// <param name="keyDerivationContext">The context used for key derivation if the key supports that key derivation.</param> /// <param name="keyVersion">Version of the key to use. Defaults to current version (0).</param> /// <returns>The data element encrypted with the version of the key specified. (Default is latest version of the key). Returns null if operation failed.</returns> public async Task <TransitEncryptedItem> ReEncrypt(string keyName, string encryptedData, string keyDerivationContext = "", int keyVersion = 0) { string path = MountPointPath + "rewrap/" + keyName; // Setup Post Parameters in body. Dictionary <string, string> contentParams = new Dictionary <string, string>(); // Build the parameter list. contentParams.Add("ciphertext", encryptedData); if (keyDerivationContext != "") { contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext)); } if (keyVersion > 0) { contentParams.Add("key_version", keyVersion.ToString()); } VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ReEncrypt", contentParams); if (vdro.HttpStatusCode == 200) { return(await vdro.GetDotNetObject <TransitEncryptedItem>()); } else { return(null); } }
// ============================================================================================================================================== /// <summary> /// Decrypts a single encrypted value. If the keys supports convergent or derived encryption then you must supply the keyDerivationContext param. /// </summary> /// <param name="keyName">Name of the encryption key to use to decrypt.</param> /// <param name="encryptedData">The encrypted value that you wish to have decrypted.</param> /// <param name="keyDerivationContext">The context value that is required to delete a convergent encrypted item.</param> /// <returns>TransitDecryptedItem if the value was able to be successfully decrypted. /// Throws <VaultInvalidDataException> if unable to decrypt the item due to bad key or context value.</VaultInvalidDataException></returns> public async Task <TransitDecryptedItem> Decrypt(string keyName, string encryptedData, string keyDerivationContext = "") { string path = MountPointPath + PathDecrypt + keyName; // Setup Post Parameters in body. Dictionary <string, string> contentParams = new Dictionary <string, string>(); // Build the parameter list. contentParams.Add("ciphertext", encryptedData); if (keyDerivationContext != "") { contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext)); } // Call Vault API. VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "Decrypt", contentParams); if (vdro.HttpStatusCode == 200) { return(await vdro.GetDotNetObject <TransitDecryptedItem>()); } // This code should never get hit. throw new VaultUnexpectedCodePathException("TransitBackEnd-Decrypt"); }
/// <summary> /// Constructor /// </summary> /// <param name="encryptedValue">The Encrypted Value</param> /// <param name="context"></param> public TransitBulkItemToDecrypt(string encryptedValue, string context = null) { encryptedItem = encryptedValue; if (context != null) { base64Context = VaultUtilityFX.Base64EncodeAscii(context); } }
/// <summary> /// Constructor for a single item to be encrypted. /// </summary> /// <param name="itemToEncrypt">The string value of the item to encrypt</param> /// <param name="context">The Base64 Context for key derivation if desired</param> public TransitBulkItemToEncrypt(string itemToEncrypt, string context = null) { base64ItemToEncrypt = VaultUtilityFX.Base64EncodeAscii(itemToEncrypt); if (context != null) { base64Context = VaultUtilityFX.Base64EncodeAscii(context); } }
/// <summary> /// Returns the cryptographic hashing of given data using the specified algorithm. /// </summary> /// <param name="input">The data value you wish to have the hashing generated on.</param> /// <param name="hashing">The hashing algorithm to use.</param> /// <param name="hexOutputFormat">Boolean. Set to true if you wish the hashing output to be returned in Hexadecimal format. False means Base64 format.</param> /// <returns>The hashing of the input data returned in either hexadecimal or Base64 format.</returns> public async Task <string> ComputeHash(string input, TransitEnumHashingAlgorithm hashing, bool hexOutputFormat = false) { string path = MountPointPath + "hash"; string hashStr = ""; switch (hashing) { case TransitEnumHashingAlgorithm.sha2_224: hashStr = "sha2-224"; break; case TransitEnumHashingAlgorithm.sha2_256: hashStr = "sha2-256"; break; case TransitEnumHashingAlgorithm.sha2_384: hashStr = "sha2-384"; break; case TransitEnumHashingAlgorithm.sha2_512: hashStr = "sha2-512"; break; } // Setup Post Parameters in body. Dictionary <string, string> contentParams = new Dictionary <string, string>(); string encodeFormat = "base64"; if (hexOutputFormat) { encodeFormat = "hex"; } contentParams.Add("format", encodeFormat); contentParams.Add("algorithm", hashStr); string inputBase64 = VaultUtilityFX.Base64EncodeAscii(input); VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ComputeHash", contentParams); if (vdro.Success) { return(await vdro.GetDotNetObject <string>("data.sum")); //vdro.GetJSONPropertyValue (vdro.GetDataPackageAsJSON(), "sum"); } } return(""); }
// ============================================================================================================================================== /// <summary> /// Calls the Vault Encryption API. /// - This version only supports a single data element for encryption at a time. See the EncryptBulk method for enabling encrypting more than /// one value during a single API call. /// - It always encrypts with the latest version of the key, unless you have specified the KeyVersion parameter > 0. /// </summary> /// <param name="keyName">The name of the encryption key to use to encrypt the data.</param> /// <param name="rawStringData">The data to be encrypted in string format. This should not be base64 encoded. This routine takes care of that for you.</param> /// <param name="keyDerivationContext"></param> /// <param name="keyVersion">Version of the key that should be used to encrypt the data. The default (0) is the latest version of the key.</param> /// <returns></returns> public async Task <TransitEncryptedItem> Encrypt(string keyName, string rawStringData, string keyDerivationContext = "", int keyVersion = 0) { // Setup Post Parameters in body. Dictionary <string, string> contentParams = new Dictionary <string, string>(); // Base64 Encode Data contentParams.Add("plaintext", VaultUtilityFX.Base64EncodeAscii(rawStringData)); if (keyDerivationContext != "") { contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext)); } if (keyVersion > 0) { contentParams.Add("key_version", keyVersion.ToString()); } return(await EncryptToVault(keyName, contentParams)); }
/// <summary> /// Throws VaultInvalidDataException for a number of errors, including not supplying context for keys that require it. /// </summary> /// <param name="keyName">Name of the key that should be used to create this Data Key.</param> /// <param name="returnCipherAndPlainText">Boolean: If true, the key returned will contain both the plaintext and cipher text for the key. IF false, just the cipher is returned.</param> /// <param name="context">Optional: the context value to encrypt with. Required if Key supports convergent or Derived Encryption.</param> /// <param name="bits">128, 256 or 512. Number of bits the key should have.</param> /// <returns></returns> public async Task <TransitDataKey> GenerateDataKey(string keyName, bool returnCipherAndPlainText = false, string context = "", int bits = 256) { string sType = ""; if (returnCipherAndPlainText) { sType = "plaintext"; } else { sType = "wrapped"; } if ((bits != 128) && (bits != 256) && (bits != 512)) { throw new ArgumentOutOfRangeException("bits", "Bits value can only be 128, 256 or 512."); } // Build parameters Dictionary <string, string> contentParams = new Dictionary <string, string>(); contentParams.Add("bits", bits.ToString()); if (context != "") { contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(context)); } string path = MountPointPath + "datakey/" + sType + "/" + keyName; VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "GenerateDataKey", contentParams); // Pull out the results and send back. return(await vdro.GetDotNetObject <TransitDataKey>()); }
/// <summary> /// Creates a new secret with the specified Name (Path) /// </summary> /// <param name="secretName">The name of the secret.</param> /// <param name="path">The path to the secret to be stored. apps/appA/config apps/appA is the path.</param> public KV2SecretBase(string secretName, string path = "") { if (path.StartsWith("/data/")) { throw new ArgumentException("KeyValue V2 secret paths do not need to specify the /data/ prefix as it is assumed."); } string tempName = secretName.TrimStart('/').TrimEnd('/'); if (tempName.Contains("/")) { if (path != string.Empty) { throw new ArgumentException("The secretName must not contain any path arguments, if the path parameter has a value"); } (_path, _name) = VaultUtilityFX.GetNameAndPathTuple(secretName); } else { _name = tempName; _path = path.Trim('/'); } Attributes = new Dictionary <string, string>(); }
public void GetPathAndNameValuesTupleThrows(string scenario, string name, string path, string expName, string expPath) { Assert.Throws <ArgumentException>(() => VaultUtilityFX.GetNameAndPathFromValuesTuple(name, path)); }
public void GetPathAndNameValuesTuple(string scenario, string name, string path, string expName, string expPath) { (string pathResult, string nameResult) = VaultUtilityFX.GetNameAndPathFromValuesTuple(name, path); Assert.AreEqual(expName, nameResult, "A10: Name is not correct value"); Assert.AreEqual(expPath, pathResult, "A20: Path is not expected value"); }
public void GetPathNameTuple(string value, string name, string path) { (string pathResult, string nameResult) = VaultUtilityFX.GetNameAndPathTuple(value); Assert.AreEqual(name, nameResult, "A10: Name is not correct value"); Assert.AreEqual(path, pathResult, "A20: Path is not expected value"); }
public void GetPathFromPath(string fullPathName, string expected) { string result = VaultUtilityFX.GetPathFromVaultPath(fullPathName); Assert.AreEqual(expected, result); }
/// <summary> /// Creates a new secret with the name and path specified /// </summary> /// <param name="secretPathAndName">The Name and optionally the path for the secret. If the argument contains /// no path parts, then the path is set to empty and the entire argument is the name.</param> public KV2SecretBase(string secretPathAndName) { (_path, _name) = VaultUtilityFX.GetNameAndPathTuple(secretPathAndName); Attributes = new Dictionary <string, string>(); }