public void RotateEncryptionKey()
{
var dateTimeNow = DateTime.UtcNow;
_keyManager.RevokeAllKeys(dateTimeNow, "manual rotating");
_keyManager.CreateNewKey(dateTimeNow, dateTimeNow
.AddDays(30));
}
public IActionResult CreateNewKey()
{
//Create a new key that will be valid for 30 days
_keyManager.CreateNewKey(
activationDate: DateTimeOffset.Now,
expirationDate: DateTimeOffset.Now.AddSeconds(30));
return(RedirectToAction("Index"));
}
public void PersistPassword(string key, string toEncrypt)
{
var securityKey = _keyManager.GetAllKeys().FirstOrDefault()
?? _keyManager.CreateNewKey(DateTimeOffset.UtcNow, DateTimeOffset.MaxValue);
var bytes = Encoding.UTF8.GetBytes(toEncrypt);
var result = securityKey.CreateEncryptor().Encrypt(new ArraySegment <byte>(bytes), new ArraySegment <byte>(new byte[] {}));
_passwordStorage.Save(key, result);
}
private CacheableKeyRing CreateCacheableKeyRingCore(DateTimeOffset now, IKey?keyJustAdded)
{
// Refresh the list of all keys
var cacheExpirationToken = _keyManager.GetCacheExpirationToken();
var allKeys = _keyManager.GetAllKeys();
// Fetch the current default key from the list of all keys
var defaultKeyPolicy = _defaultKeyResolver.ResolveDefaultKeyPolicy(now, allKeys);
if (!defaultKeyPolicy.ShouldGenerateNewKey)
{
CryptoUtil.Assert(defaultKeyPolicy.DefaultKey != null, "Expected to see a default key.");
return(CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, defaultKeyPolicy.DefaultKey, allKeys));
}
_logger.PolicyResolutionStatesThatANewKeyShouldBeAddedToTheKeyRing();
// We shouldn't call CreateKey more than once, else we risk stack diving. This code path shouldn't
// get hit unless there was an ineligible key with an activation date slightly later than the one we
// just added. If this does happen, then we'll just use whatever key we can instead of creating
// new keys endlessly, eventually falling back to the one we just added if all else fails.
if (keyJustAdded != null)
{
var keyToUse = defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey ?? keyJustAdded;
return(CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys));
}
// At this point, we know we need to generate a new key.
// We have been asked to generate a new key, but auto-generation of keys has been disabled.
// We need to use the fallback key or fail.
if (!_keyManagementOptions.AutoGenerateKeys)
{
var keyToUse = defaultKeyPolicy.DefaultKey ?? defaultKeyPolicy.FallbackKey;
if (keyToUse == null)
{
_logger.KeyRingDoesNotContainValidDefaultKey();
throw new InvalidOperationException(Resources.KeyRingProvider_NoDefaultKey_AutoGenerateDisabled);
}
else
{
_logger.UsingFallbackKeyWithExpirationAsDefaultKey(keyToUse.KeyId, keyToUse.ExpirationDate);
return(CreateCacheableKeyRingCoreStep2(now, cacheExpirationToken, keyToUse, allKeys));
}
}
if (defaultKeyPolicy.DefaultKey == null)
{
// The case where there's no default key is the easiest scenario, since it
// means that we need to create a new key with immediate activation.
var newKey = _keyManager.CreateNewKey(activationDate: now, expirationDate: now + _keyManagementOptions.NewKeyLifetime);
return(CreateCacheableKeyRingCore(now, keyJustAdded: newKey)); // recursively call
}
else
{
// If there is a default key, then the new key we generate should become active upon
// expiration of the default key. The new key lifetime is measured from the creation
// date (now), not the activation date.
var newKey = _keyManager.CreateNewKey(activationDate: defaultKeyPolicy.DefaultKey.ExpirationDate, expirationDate: now + _keyManagementOptions.NewKeyLifetime);
return(CreateCacheableKeyRingCore(now, keyJustAdded: newKey)); // recursively call
}
}