Exemplo n.º 1
0
        public static void AddKeyManagement(
            this IServiceCollection services,
            IConfiguration configuration,
            ILogger logger)
        {
            services.AddSingleton <IKeyManagement>(s =>
            {
                var provider = configuration.GetValue <string>("KeyManagement:Provider");
                logger.Information("Selected KeyManagement: {provider}", provider);
                switch (provider)
                {
                case "AwsKms":
                    return(GetAwsKeyManagement(logger, configuration));

                case "GoogleKms":
                    return(GetGoogleCloudKeyManagment(configuration));

                case "AzureKeyVault":
                    return(GetAzurKeyVaultKeyManagement(configuration));

                case "AESKey":
                    var key = configuration.GetValue <string>("KeyManagement:AES:Key");
                    if (string.IsNullOrEmpty(key))
                    {
                        logger.Warning("Random key was created for SymmetricKeyManagement, it might break distributed deployments");

                        return(new SymmetricKeyManagement(RijndaelUtils.GenerateKey(256)));
                    }
                    return(new SymmetricKeyManagement(Convert.FromBase64String(key)));

                default:
                    throw new InvalidOperationException($"Unsupported provider type: {provider}");
                }
            });
        }
Exemplo n.º 2
0
        public Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            var key = mUseKeyDerivation ? DeriveKey(serviceAccountId) : mKey;

            var(decryptedData, iv) = RijndaelUtils.Encrypt(key, Encoding.UTF8.GetBytes(data));

            return(Task.FromResult(Convert.ToBase64String(iv) + ":" + Convert.ToBase64String(decryptedData)));
        }
Exemplo n.º 3
0
        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            var masterKeyAlias = $"alias/{mCmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}";

            var(dataKey, encryptedDataKey) = await GenerateEncryptionKey(masterKeyAlias);

            var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey.ToArray(), Encoding.UTF8.GetBytes(data));

            return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
        }
Exemplo n.º 4
0
        public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
        {
            var tuple = EnvelopeEncryptionUtils.Unwrap(encryptedData).ValueOrFailure("Invalid encrypted data format");

            var(encryptedDataKey, iv, actualEncryptedData) = tuple;

            var decryptionResult = await mAmazonKeyManagementService.DecryptAsync(new DecryptRequest
            {
                CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey)),
            });

            var decrypted = RijndaelUtils.Decrypt(decryptionResult.Plaintext.ToArray(), iv, actualEncryptedData);

            return(Encoding.UTF8.GetString(decrypted));
        }
Exemplo n.º 5
0
        public Task <string> Decrypt(string encryptedData, string serviceAccountId)
        {
            return(EnvelopeEncryptionUtils.Unwrap(encryptedData).Match(
                       some: async t =>
            {
                (string encryptedDataKey, byte[] iv, byte[] actualEncryptedData) = t;

                var key = await mMasterKeyManagement.Decrypt(encryptedDataKey, serviceAccountId);

                var decrypted = RijndaelUtils.Decrypt(Convert.FromBase64String(key), iv, actualEncryptedData);
                return Encoding.UTF8.GetString(decrypted);
            },
                       none: () => mMasterKeyManagement.Decrypt(encryptedData, serviceAccountId)
                       ));
        }
Exemplo n.º 6
0
        public Task <string> Decrypt(string encryptedData, string serviceAccountId)
        {
            var splitted = encryptedData.Split(':');

            if (splitted.Length != 2)
            {
                throw new InvalidOperationException("Encrypted data format is invalid");
            }

            var iv   = Convert.FromBase64String(splitted[0]);
            var data = Convert.FromBase64String(splitted[1]);

            var result = RijndaelUtils.Decrypt(mKey, iv, data);

            return(Task.FromResult(Encoding.UTF8.GetString(result)));
        }
Exemplo n.º 7
0
        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            if (data.Length <= mMaximumDataLength)
            {
                return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing));
            }

            mLogger.Information("Encryption data too length, using envelope encryption");

            var dataKey = RijndaelUtils.GenerateKey(256);

            var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey, Encoding.UTF8.GetBytes(data));
            var encryptedDataKey = await mMasterKeyManagement.Encrypt(Convert.ToBase64String(dataKey), serviceAccountId, createKeyIfMissing);

            return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
        }