internal async Task <InMemoryRawDek> UnwrapAsync(
DataEncryptionKeyProperties dekProperties,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
EncryptionKeyUnwrapResult unwrapResult;
if (this.DekProvider.EncryptionKeyWrapProvider == null)
{
throw new InvalidOperationException($"For use of '{CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized}' algorithm, " +
"Encryptor or CosmosDataEncryptionKeyProvider needs to be initialized with EncryptionKeyWrapProvider.");
}
using (diagnosticsContext.CreateScope("UnwrapDataEncryptionKey"))
{
unwrapResult = await this.DekProvider.EncryptionKeyWrapProvider.UnwrapKeyAsync(
dekProperties.WrappedDataEncryptionKey,
dekProperties.EncryptionKeyWrapMetadata,
cancellationToken);
}
DataEncryptionKey dek = DataEncryptionKey.Create(
unwrapResult.DataEncryptionKey,
dekProperties.EncryptionAlgorithm);
return(new InMemoryRawDek(dek, unwrapResult.ClientCacheTimeToLive));
}
internal async Task <InMemoryRawDek> FetchUnwrappedAsync(
DataEncryptionKeyProperties dekProperties,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
try
{
if (string.Equals(dekProperties.EncryptionAlgorithm, CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized))
{
DataEncryptionKey dek = this.InitMdeEncryptionAlgorithm(dekProperties);
// TTL is not used since DEK is not cached.
return(new InMemoryRawDek(dek, TimeSpan.FromMilliseconds(0)));
}
return(await this.DekProvider.DekCache.GetOrAddRawDekAsync(
dekProperties,
this.UnwrapAsync,
diagnosticsContext,
cancellationToken));
}
catch (Exception exception)
{
throw EncryptionExceptionFactory.EncryptionKeyNotFoundException(
$"Failed to unwrap Data Encryption Key with id: '{dekProperties.Id}'.",
exception);
}
}
internal async Task <DataEncryptionKey> FetchUnWrappedLegacySupportedMdeDekAsync(
DataEncryptionKeyProperties dekProperties,
string encryptionAlgorithm,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
EncryptionKeyUnwrapResult unwrapResult;
if (this.DekProvider.EncryptionKeyStoreProvider == null)
{
throw new InvalidOperationException($"For use of '{CosmosEncryptionAlgorithm.MdeAeadAes256CbcHmac256Randomized}' algorithm based DEK, " +
"Encryptor or CosmosDataEncryptionKeyProvider needs to be initialized with EncryptionKeyStoreProvider.");
}
try
{
using (diagnosticsContext.CreateScope("UnwrapDataEncryptionKey"))
{
unwrapResult = await this.UnWrapDekMdeEncAlgoAsync(
dekProperties,
diagnosticsContext,
cancellationToken);
}
return(DataEncryptionKey.Create(
unwrapResult.DataEncryptionKey,
encryptionAlgorithm));
}
catch (Exception exception)
{
throw EncryptionExceptionFactory.EncryptionKeyNotFoundException(
$"Failed to unwrap Data Encryption Key with id: '{dekProperties.Id}'.",
exception);
}
}
/// <inheritdoc/>
public override async Task <byte[]> EncryptAsync(
byte[] plainText,
string dataEncryptionKeyId,
string encryptionAlgorithm,
CancellationToken cancellationToken = default)
{
DataEncryptionKey dek = await this.DataEncryptionKeyProvider.FetchDataEncryptionKeyAsync(
dataEncryptionKeyId,
encryptionAlgorithm,
cancellationToken);
if (dek == null)
{
throw new InvalidOperationException($"Null {nameof(DataEncryptionKey)} returned from {nameof(this.DataEncryptionKeyProvider.FetchDataEncryptionKeyAsync)}.");
}
return(dek.EncryptData(plainText));
}
private async Task <(byte[], EncryptionKeyWrapMetadata, InMemoryRawDek)> GenerateAndWrapRawDekForLegacyEncAlgoAsync(
string id,
string encryptionAlgorithm,
EncryptionKeyWrapMetadata encryptionKeyWrapMetadata,
CosmosDiagnosticsContext diagnosticsContext,
CancellationToken cancellationToken)
{
if (this.DekProvider.EncryptionKeyWrapProvider == null)
{
throw new InvalidOperationException($"For use of '{CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized}' algorithm, " +
"Encryptor or CosmosDataEncryptionKeyProvider needs to be initialized with EncryptionKeyWrapProvider.");
}
byte[] rawDek = DataEncryptionKey.Generate(encryptionAlgorithm);
return(await this.WrapAsync(
id,
rawDek,
encryptionAlgorithm,
encryptionKeyWrapMetadata,
diagnosticsContext,
cancellationToken));
}
public InMemoryRawDek(DataEncryptionKey dataEncryptionKey, TimeSpan clientCacheTimeToLive)
{
this.DataEncryptionKey = dataEncryptionKey;
this.RawDekExpiry = DateTime.UtcNow + clientCacheTimeToLive;
}
