public Task<string> Encrypt(IEnclaveKey key, object value)
{
Jose.JweAlgorithm algorithm;
Jose.JweEncryption encryption;
switch (key.KeyType.ToLowerInvariant())
{
case "rsa":
algorithm = Jose.JweAlgorithm.RSA_OAEP;
encryption = Jose.JweEncryption.A128CBC_HS256;
break;
case "aes":
algorithm = Jose.JweAlgorithm.A128KW;
encryption = Jose.JweEncryption.A128CBC_HS256;
break;
case "ecc":
algorithm = Jose.JweAlgorithm.ECDH_ES;
encryption = Jose.JweEncryption.A128CBC_HS256;
break;
default:
throw new NotSupportedException($"Unknown KeyType {key.KeyType}");
}
var encrypted = Jose.JWT.Encode(value, key.RetrieveKey(), algorithm, encryption);
return Task.FromResult(encrypted);
}
public async Task <string> Encrypt(IEnclaveKey key, object value)
{
using (var client = KeyVault.CreateClient())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var encrypted = await client.EncryptAsync(kvKey.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(value)));
return(Convert.ToBase64String(encrypted.Result));
}
}
public async Task <T> Decrypt <T>(IEnclaveKey key, string ciphertext)
{
using (var client = KeyVault.CreateClient())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var result = await client.DecryptAsync(kvKey.Kid, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, Convert.FromBase64String(ciphertext));
return(JsonConvert.DeserializeObject <T>(Encoding.UTF8.GetString(result.Result)));
}
}
public async Task <bool> Validate(IEnclaveKey key, string value)
{
using (var client = KeyVault.CreateClient())
{
var signed = JsonConvert.DeserializeObject <SignaturePayload>(
Encoding.UTF8.GetString(Convert.FromBase64String(value)));
var kvKey = key.RetrieveKey <JsonWebKey>();
return(await client.VerifyAsync(kvKey.Kid, JsonWebKeySignatureAlgorithm.RS256,
digest : signed.Dig, signature : signed.Sig));
}
}
public async Task <string> Sign(IEnclaveKey key, object value)
{
using (var client = KeyVault.CreateClient())
using (var sha = SHA256.Create())
{
var kvKey = key.RetrieveKey <JsonWebKey>();
var hashed = sha.ComputeHash(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(value)));
var result = await client.SignAsync(kvKey.Kid, JsonWebKeySignatureAlgorithm.RS256, hashed);
var signed = new SignaturePayload
{
Val = value,
Dig = hashed,
Kid = result.Kid,
Sig = result.Result,
};
return(Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(signed))));
}
}
public Task<string> Sign(IEnclaveKey key, object value)
{
Jose.JwsAlgorithm algorithm;
switch (key.KeyType.ToLowerInvariant())
{
case "rsa":
algorithm = Jose.JwsAlgorithm.RS256;
break;
case "aes":
algorithm = Jose.JwsAlgorithm.HS256;
break;
case "ecc":
algorithm = Jose.JwsAlgorithm.ES256;
break;
default:
throw new NotSupportedException($"Unknown KeyType {key.KeyType}");
}
var result = Jose.JWT.Encode(value, key.RetrieveKey(), algorithm);
return Task.FromResult(result);
}
public Task<bool> Validate(IEnclaveKey key, string value)
{
var result = Jose.JWT.Decode(value, key.RetrieveKey());
return Task.FromResult(!string.IsNullOrWhiteSpace(result));
}
public Task<T> Decrypt<T>(IEnclaveKey key, string ciphertext)
{
T result = Jose.JWT.Decode<T>(ciphertext, key.RetrieveKey());
return Task.FromResult(result);
}