/// <summary>
/// Decides whether <paramref name="key"/> may be used to sign right now. A key
/// qualifies when its type matches the configured key type, its activation delay
/// (unless ignored) has elapsed, and it has not passed its expiration. Times are
/// compared against <c>_clock.UtcNow</c>, except that a key whose <c>Created</c>
/// stamp lies in the future is evaluated as of that stamp, to tolerate clock skew
/// between servers sharing a key store.
/// </summary>
/// <param name="key">Candidate key; a null key is never usable.</param>
/// <param name="ignoreActiveDelay">When true, <c>KeyActivationDelay</c> is not applied.</param>
/// <returns>True if the key is active for signing, otherwise false.</returns>
internal bool CanBeUsedForSigning(RsaKeyContainer key, bool ignoreActiveDelay = false)
{
    if (key == null)
    {
        return false;
    }

    if (key.KeyType != _options.KeyType)
    {
        _logger.LogTrace("Key {kid} is of type {kty} but server configured for {configuredKty}", key.Id, key.KeyType, _options.KeyType);
        return false;
    }

    // Clock-skew tolerance: a Created stamp later than our own clock means another
    // server (with a faster clock) minted the key, so evaluate as of that stamp.
    // NOTE(review): the adjustment is unbounded — a Created stamp far in the future
    // makes the key look freshly created and pushes its expiration out accordingly.
    // That is acceptable only if the key store (and whoever writes to it) is trusted;
    // confirm whether a maximum tolerated skew should be enforced.
    var referenceTime = _clock.UtcNow;
    if (key.Created > referenceTime)
    {
        referenceTime = key.Created;
    }

    var activeFrom = key.Created;
    if (ignoreActiveDelay)
    {
        _logger.LogTrace("Checking if key with kid {kid} is active (ignoring activation delay).", key.Id);
    }
    else
    {
        _logger.LogTrace("Checking if key with kid {kid} is active (respecting activation delay).", key.Id);
        activeFrom = activeFrom.Add(_options.KeyActivationDelay);
    }

    if (activeFrom > referenceTime)
    {
        _logger.LogTrace("Key with kid {kid} is inactive: the current time is prior to its activation delay.", key.Id);
        return false;
    }

    // Expiration is measured from Created, not from the end of the activation delay;
    // a key is still usable at exactly its expiration instant.
    var expiresAt = key.Created.Add(_options.KeyExpiration);
    if (expiresAt < referenceTime)
    {
        _logger.LogTrace("Key with kid {kid} is inactive: the current time is past its expiration.", key.Id);
        return false;
    }

    _logger.LogTrace("Key with kid {kid} is active.", key.Id);
    return true;
}
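/// <summary>
/// Serializes <paramref name="key"/> into a <see cref="SerializedKey"/> record for
/// the key store, wrapping the serialized bytes with the data protector when
/// <c>_options.DataProtectKeys</c> is set.
/// </summary>
/// <remarks>
/// When <c>DataProtectKeys</c> is false the output of <c>KeySerializer.Serialize</c>
/// (which presumably includes the private key material — verify against the
/// serializer) is stored without any protection applied by this method; the store
/// must then provide its own confidentiality. <c>DataProtected</c> records which
/// form was written so that the reader knows whether to unprotect.
/// </remarks>
/// <param name="key">The key container to serialize. Must not be null.</param>
/// <returns>The serialized, and possibly protected, key record.</returns>
/// <exception cref="ArgumentNullException"><paramref name="key"/> is null.</exception>
public SerializedKey Protect(RsaKeyContainer key)
{
    // Fail fast with a descriptive exception instead of a NullReferenceException
    // from the serializer or from the key.Id read below.
    if (key == null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    var data = KeySerializer.Serialize(key);

    // Read the option once so the protection actually applied and the flag
    // recorded in the stored record can never disagree.
    var protect = _options.DataProtectKeys;
    if (protect)
    {
        data = _dataProtectionProvider.Protect(data);
    }

    return new SerializedKey
    {
        // NOTE(review): this stamps the record with the wall clock, not the injected
        // _clock used for activation/expiry checks in this class; confirm whether the
        // two are required to agree (e.g. under a fake clock in tests).
        Created = DateTime.UtcNow,
        Id = key.Id,
        KeyType = key.KeyType,
        Data = data,
        DataProtected = protect,
    };
}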