// ==============================================================================================================================================
/// <summary>
/// Re-encrypts the currently encrypted data with the current version of the key. This is a simplified way
/// of upgrading the encryption for an element without have to call Decrypt and then Encrypt separately.
/// </summary>
/// <param name="keyName">The Encryption key to use to decrypt and re-encrypt the data</param>
/// <param name="encryptedData">The currently encrypted data element that you want to have upgraded with the new encryption key.</param>
/// <param name="keyDerivationContext">The context used for key derivation if the key supports that key derivation.</param>
/// <param name="keyVersion">Version of the key to use. Defaults to current version (0).</param>
/// <returns>The data element encrypted with the version of the key specified. (Default is latest version of the key). Returns null if operation failed.</returns>
public async Task <TransitEncryptedItem> ReEncrypt(string keyName, string encryptedData, string keyDerivationContext = "", int keyVersion = 0)
{
string path = MountPointPath + "rewrap/" + keyName;
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
// Build the parameter list.
contentParams.Add("ciphertext", encryptedData);
if (keyDerivationContext != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext));
}
if (keyVersion > 0)
{
contentParams.Add("key_version", keyVersion.ToString());
}
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ReEncrypt", contentParams);
if (vdro.HttpStatusCode == 200)
{
return(await vdro.GetDotNetObject <TransitEncryptedItem>());
}
else
{
return(null);
}
}
// ==============================================================================================================================================
/// <summary>
/// Decrypts a single encrypted value. If the keys supports convergent or derived encryption then you must supply the keyDerivationContext param.
/// </summary>
/// <param name="keyName">Name of the encryption key to use to decrypt.</param>
/// <param name="encryptedData">The encrypted value that you wish to have decrypted.</param>
/// <param name="keyDerivationContext">The context value that is required to delete a convergent encrypted item.</param>
/// <returns>TransitDecryptedItem if the value was able to be successfully decrypted.
/// Throws <VaultInvalidDataException> if unable to decrypt the item due to bad key or context value.</VaultInvalidDataException></returns>
public async Task <TransitDecryptedItem> Decrypt(string keyName, string encryptedData, string keyDerivationContext = "")
{
string path = MountPointPath + PathDecrypt + keyName;
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
// Build the parameter list.
contentParams.Add("ciphertext", encryptedData);
if (keyDerivationContext != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext));
}
// Call Vault API.
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "Decrypt", contentParams);
if (vdro.HttpStatusCode == 200)
{
return(await vdro.GetDotNetObject <TransitDecryptedItem>());
}
// This code should never get hit.
throw new VaultUnexpectedCodePathException("TransitBackEnd-Decrypt");
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="encryptedValue">The Encrypted Value</param>
/// <param name="context"></param>
public TransitBulkItemToDecrypt(string encryptedValue, string context = null)
{
encryptedItem = encryptedValue;
if (context != null)
{
base64Context = VaultUtilityFX.Base64EncodeAscii(context);
}
}
/// <summary>
/// Constructor for a single item to be encrypted.
/// </summary>
/// <param name="itemToEncrypt">The string value of the item to encrypt</param>
/// <param name="context">The Base64 Context for key derivation if desired</param>
public TransitBulkItemToEncrypt(string itemToEncrypt, string context = null)
{
base64ItemToEncrypt = VaultUtilityFX.Base64EncodeAscii(itemToEncrypt);
if (context != null)
{
base64Context = VaultUtilityFX.Base64EncodeAscii(context);
}
}
/// <summary>
/// Returns the cryptographic hashing of given data using the specified algorithm.
/// </summary>
/// <param name="input">The data value you wish to have the hashing generated on.</param>
/// <param name="hashing">The hashing algorithm to use.</param>
/// <param name="hexOutputFormat">Boolean. Set to true if you wish the hashing output to be returned in Hexadecimal format. False means Base64 format.</param>
/// <returns>The hashing of the input data returned in either hexadecimal or Base64 format.</returns>
public async Task <string> ComputeHash(string input, TransitEnumHashingAlgorithm hashing, bool hexOutputFormat = false)
{
string path = MountPointPath + "hash";
string hashStr = "";
switch (hashing)
{
case TransitEnumHashingAlgorithm.sha2_224:
hashStr = "sha2-224";
break;
case TransitEnumHashingAlgorithm.sha2_256:
hashStr = "sha2-256";
break;
case TransitEnumHashingAlgorithm.sha2_384:
hashStr = "sha2-384";
break;
case TransitEnumHashingAlgorithm.sha2_512:
hashStr = "sha2-512";
break;
}
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
string encodeFormat = "base64";
if (hexOutputFormat)
{
encodeFormat = "hex";
}
contentParams.Add("format", encodeFormat);
contentParams.Add("algorithm", hashStr);
string inputBase64 = VaultUtilityFX.Base64EncodeAscii(input);
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ComputeHash", contentParams);
if (vdro.Success)
{
return(await vdro.GetDotNetObject <string>("data.sum")); //vdro.GetJSONPropertyValue (vdro.GetDataPackageAsJSON(), "sum"); }
}
return("");
}
// ==============================================================================================================================================
/// <summary>
/// Calls the Vault Encryption API.
/// - This version only supports a single data element for encryption at a time. See the EncryptBulk method for enabling encrypting more than
/// one value during a single API call.
/// - It always encrypts with the latest version of the key, unless you have specified the KeyVersion parameter > 0.
/// </summary>
/// <param name="keyName">The name of the encryption key to use to encrypt the data.</param>
/// <param name="rawStringData">The data to be encrypted in string format. This should not be base64 encoded. This routine takes care of that for you.</param>
/// <param name="keyDerivationContext"></param>
/// <param name="keyVersion">Version of the key that should be used to encrypt the data. The default (0) is the latest version of the key.</param>
/// <returns></returns>
public async Task <TransitEncryptedItem> Encrypt(string keyName, string rawStringData, string keyDerivationContext = "", int keyVersion = 0)
{
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
// Base64 Encode Data
contentParams.Add("plaintext", VaultUtilityFX.Base64EncodeAscii(rawStringData));
if (keyDerivationContext != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(keyDerivationContext));
}
if (keyVersion > 0)
{
contentParams.Add("key_version", keyVersion.ToString());
}
return(await EncryptToVault(keyName, contentParams));
}
/// <summary>
/// Throws VaultInvalidDataException for a number of errors, including not supplying context for keys that require it.
/// </summary>
/// <param name="keyName">Name of the key that should be used to create this Data Key.</param>
/// <param name="returnCipherAndPlainText">Boolean: If true, the key returned will contain both the plaintext and cipher text for the key. IF false, just the cipher is returned.</param>
/// <param name="context">Optional: the context value to encrypt with. Required if Key supports convergent or Derived Encryption.</param>
/// <param name="bits">128, 256 or 512. Number of bits the key should have.</param>
/// <returns></returns>
public async Task <TransitDataKey> GenerateDataKey(string keyName, bool returnCipherAndPlainText = false, string context = "", int bits = 256)
{
string sType = "";
if (returnCipherAndPlainText)
{
sType = "plaintext";
}
else
{
sType = "wrapped";
}
if ((bits != 128) && (bits != 256) && (bits != 512))
{
throw new ArgumentOutOfRangeException("bits", "Bits value can only be 128, 256 or 512.");
}
// Build parameters
Dictionary <string, string> contentParams = new Dictionary <string, string>();
contentParams.Add("bits", bits.ToString());
if (context != "")
{
contentParams.Add("context", VaultUtilityFX.Base64EncodeAscii(context));
}
string path = MountPointPath + "datakey/" + sType + "/" + keyName;
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "GenerateDataKey", contentParams);
// Pull out the results and send back.
return(await vdro.GetDotNetObject <TransitDataKey>());
}