/// <summary>
/// Creates a new <see cref="UserKeyAuthorization"/> entry for a user key and a particular archive.
/// </summary>
/// <param name="friendlyName">A friendly name to help the user identify the key.</param>
/// <param name="userKey">The <see cref="UserKey"/> to authorize.</param>
/// <param name="archiveKey">The key used to encrypt the archive that the user key is being authorized for.</param>
/// <param name="securitySettings">The archive's <see cref="SecuritySettings"/>.</param>
/// <returns>The new <see cref="UserKeyAuthorization"/> entry.</returns>
public static UserKeyAuthorization CreateNewAuthorization(
UserKeyAuthorizationParameters newKeyParams,
ReadOnlySpan <byte> keyDerivationSalt,
ArchiveKey archiveKey,
SecuritySettings securitySettings)
{
ArgCheck.IsValid(newKeyParams, nameof(newKeyParams));
ArgCheck.NotEmpty(keyDerivationSalt, nameof(keyDerivationSalt));
ArgCheck.NotNull(archiveKey, nameof(archiveKey));
ArgCheck.IsValid(securitySettings, nameof(securitySettings));
using var userKey = UserKey.DeriveFrom(
newKeyParams.UserSecret,
keyDerivationSalt,
securitySettings);
// The SecureArchive file format requires that the friendly name and keyId be
// checked for tampering when using authenticated cyphers.
var additionalData = Encoding.UTF8.GetBytes(newKeyParams.FriendlyName + userKey.KeyId);
var cryptoStrategy = CryptoHelpers.GetCryptoStrategy(securitySettings.EncryptionAlgo);
var encryptedArchiveKey = userKey.EncryptSecret(cryptoStrategy, archiveKey, additionalData);
return(new UserKeyAuthorization
{
AuthorizationId = Guid.NewGuid(),
FriendlyName = newKeyParams.FriendlyName,
KeyId = userKey.KeyId,
TimeAdded = DateTime.UtcNow,
EncryptedArchiveKey = encryptedArchiveKey,
SecretMetadata = newKeyParams.SecretMetadata,
});
}
/// <summary>
/// Initializes a new instance of the <see cref="SecureArchiveFileSettings"/> class.
/// </summary>
/// <param name="archiveFilePath">The path to the <see cref="SecureArchive"/> on disk.</param>
/// <param name="tempDirectory">The path to the directory where secured files can be temporarily checked out.</param>
public SecureArchiveFileSettings(string archiveFilePath, string tempDirectory)
{
ArgCheck.NotEmpty(archiveFilePath, nameof(archiveFilePath));
ArgCheck.NotEmpty(tempDirectory, nameof(tempDirectory));
this.Path = archiveFilePath;
this.TempDirectory = tempDirectory;
}
/// <summary>
/// Creates a new instance of the <see cref="EncryptedPacket"/> class.
/// </summary>
/// <param name="cipherText">The encrypted data.</param>
/// <param name="iv">The initialization vector for the encryption.</param>
/// <param name="authTag">The authentication tag, for when authenticated encryption algorithms are used.</param>
/// <returns></returns>
public static EncryptedPacket CreateNewEncryptedPacket(
Span <byte> cipherText,
Span <byte> iv,
Span <byte> authTag = default)
{
ArgCheck.NotEmpty(cipherText, nameof(cipherText));
ArgCheck.NotEmpty(iv, nameof(iv));
return(new EncryptedPacket
{
CipherText = new List <byte>(cipherText.ToArray()),
IV = new List <byte>(iv.ToArray()),
AuthTag = authTag.IsEmpty
? new List <byte>()
: new List <byte>(authTag.ToArray()),
});
}