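/// <summary>
/// Copies settings from another settings object.
/// </summary>
/// <remarks>
/// <see cref="Microsoft.Extensions.Options.IOptions{TOptions}"/> requires a parameterless constructor, so we end up with nasty hackery like this for handling programmatic options specification.
/// The encryption context and grant token collections are copied rather than aliased, so later changes to <paramref name="input"/> do not affect this instance.
/// </remarks>
/// <param name="input">Input from which to copy configuration.</param>
/// <exception cref="ArgumentNullException"><paramref name="input"/> is <c>null</c>.</exception>
public void CopyFrom(IKmsXmlEncryptorConfig input)
{
    // Fail with a clear argument error rather than a NullReferenceException on the first property read
    if (input == null)
    {
        throw new ArgumentNullException(nameof(input));
    }

    KeyId = input.KeyId;
    // Fresh copies: the source collections must not be shared with this instance
    EncryptionContext = input.EncryptionContext.ToDictionary(x => x.Key, x => x.Value);
    GrantTokens = input.GrantTokens.ToList();
    DiscriminatorAsContext = input.DiscriminatorAsContext;
    HashDiscriminatorContext = input.HashDiscriminatorContext;
}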
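/// <summary>
/// Builds the KMS encryption context to attach to a key-encryption request.
/// </summary>
/// <remarks>
/// KMS encryption context is bound to the ciphertext but is not itself secret (it is visible in KMS audit logs), which is why the
/// application discriminator is only added when <see cref="IKmsXmlEncryptorConfig.DiscriminatorAsContext"/> is set and can be
/// hashed first via <see cref="IKmsXmlEncryptorConfig.HashDiscriminatorContext"/>.
/// </remarks>
/// <param name="config">Encryptor configuration supplying the base context and the discriminator options.</param>
/// <param name="dpOptions">Data protection options supplying the application discriminator.</param>
/// <returns>A new dictionary; callers may modify it without affecting <paramref name="config"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="config"/> or <paramref name="dpOptions"/> is <c>null</c>.</exception>
public static Dictionary<string, string> GetEncryptionContext(IKmsXmlEncryptorConfig config, DataProtectionOptions dpOptions)
{
    if (config == null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    if (dpOptions == null)
    {
        throw new ArgumentNullException(nameof(dpOptions));
    }

    // Always hand back a copy: the previous version returned the config's own dictionary when no discriminator was added,
    // which let callers mutate shared configuration state. A missing context becomes an empty one.
    var encryptionContext = config.EncryptionContext?.ToDictionary(x => x.Key, x => x.Value)
                            ?? new Dictionary<string, string>();

    // Set the application discriminator as part of the context of encryption, given the intent of the discriminator
    if (config.DiscriminatorAsContext && !string.IsNullOrEmpty(dpOptions.ApplicationDiscriminator))
    {
        var contextValue = dpOptions.ApplicationDiscriminator;

        // Some application discriminators (like the defaults) leak sensitive file paths, so hash them
        if (config.HashDiscriminatorContext)
        {
            using (var hasher = SHA256.Create())
            {
                contextValue = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(contextValue)));
            }
        }

        encryptionContext[KmsConstants.ApplicationEncryptionContextKey] = contextValue;
    }

    return encryptionContext;
}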
/// <summary>
/// Creates a <see cref="KmsXmlEncryptor"/> for encrypting ASP.NET keys with a KMS master key
/// </summary>
/// <param name="kmsClient">The KMS client</param>
/// <param name="config">The configuration object specifying which key data in KMS to use</param>
/// <param name="services">An optional <see cref="IServiceProvider"/> to provide ancillary services; when <c>null</c>, or when it has no <see cref="ILoggerFactory"/>, no logger is attached</param>
/// <exception cref="ArgumentNullException"><paramref name="kmsClient"/> or <paramref name="config"/> is <c>null</c>.</exception>
public KmsXmlEncryptor(IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config, IServiceProvider services)
{
    if (kmsClient == null)
    {
        throw new ArgumentNullException(nameof(kmsClient));
    }

    if (config == null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    this.kmsClient = kmsClient;
    Config = config;

    // Logging is best-effort: a missing provider or logger factory simply leaves the logger null
    var loggerFactory = services?.GetService<ILoggerFactory>();
    logger = loggerFactory?.CreateLogger<KmsXmlEncryptor>();
}
/// <summary>
/// Creates a <see cref="KmsXmlEncryptor"/> for encrypting ASP.NET keys with a KMS master key, without any ancillary services.
/// </summary>
/// <remarks>
/// Equivalent to the three-argument constructor with a <c>null</c> service provider, so no logger is attached.
/// </remarks>
/// <param name="kmsClient">The KMS client</param>
/// <param name="config">The configuration object specifying which key data in KMS to use</param>
/// <exception cref="ArgumentNullException"><paramref name="kmsClient"/> or <paramref name="config"/> is <c>null</c>.</exception>
public KmsXmlEncryptor(IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config)
    : this(kmsClient, config, services: null)
{
}
/// <summary>
/// Configures the data protection system to encrypt keys using AWS Key Management Service master keys
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="config">The configuration object specifying how to use KMS keys.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
/// <exception cref="ArgumentNullException"><paramref name="builder"/> or <paramref name="config"/> is <c>null</c>.</exception>
public static IDataProtectionBuilder ProtectKeysWithAwsKms(this IDataProtectionBuilder builder, IKmsXmlEncryptorConfig config)
{
    if (builder is null)
    {
        throw new ArgumentNullException(nameof(builder));
    }

    if (config is null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    // No KMS client is supplied by this overload; null is forwarded and the shared implementation decides how to proceed
    return builder.ProtectKeysWithAwsKmsRaw(kmsClient: null, config: config);
}
/// <summary>
/// Configures the data protection system to encrypt keys using AWS Key Management Service master keys
/// </summary>
/// <param name="builder">The <see cref="IDataProtectionBuilder"/>.</param>
/// <param name="kmsClient">KMS client configured with appropriate credentials.</param>
/// <param name="config">The configuration object specifying how to use KMS keys.</param>
/// <returns>A reference to the <see cref="IDataProtectionBuilder" /> after this operation has completed.</returns>
/// <exception cref="ArgumentNullException"><paramref name="builder"/>, <paramref name="kmsClient"/> or <paramref name="config"/> is <c>null</c>.</exception>
public static IDataProtectionBuilder ProtectKeysWithAwsKms(this IDataProtectionBuilder builder, IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config)
{
    // Public entry point: validate every argument here so the private implementation can assume non-null inputs
    if (builder is null)
    {
        throw new ArgumentNullException(nameof(builder));
    }

    if (kmsClient is null)
    {
        throw new ArgumentNullException(nameof(kmsClient));
    }

    if (config is null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    return builder.ProtectKeysWithAwsKmsRaw(kmsClient: kmsClient, config: config);
}
/// <summary>
/// Wraps a programmatically supplied configuration so it can be registered with the options system.
/// </summary>
/// <param name="input">The configuration to hold; it is stored as-is, not copied.</param>
/// <exception cref="ArgumentNullException"><paramref name="input"/> is <c>null</c>.</exception>
public DirectConfigure(IKmsXmlEncryptorConfig input)
{
    if (input is null)
    {
        throw new ArgumentNullException(nameof(input));
    }

    this.input = input;
}
/// <summary>
/// Shared implementation behind the public <c>ProtectKeysWithAwsKms</c> overloads: exposes the supplied configuration through
/// the options system and delegates the remaining wiring to <c>ProtectKeysWithAwsKmsImpl</c>.
/// </summary>
/// <param name="builder">The data protection builder; null-checked by the public callers, not here.</param>
/// <param name="kmsClient">A pre-configured KMS client, or <c>null</c> when the caller did not supply one.</param>
/// <param name="config">The KMS encryptor configuration to register.</param>
/// <returns>Whatever <c>ProtectKeysWithAwsKmsImpl</c> returns.</returns>
private static IDataProtectionBuilder ProtectKeysWithAwsKmsRaw(this IDataProtectionBuilder builder, IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config)
{
    // Register the programmatic config as an options configurer so it can be resolved as IOptions<KmsXmlEncryptorConfig>
    IConfigureOptions<KmsXmlEncryptorConfig> configurer = new DirectConfigure(config);
    builder.Services.AddSingleton(configurer);

    return builder.ProtectKeysWithAwsKmsImpl(kmsClient, sp => sp.GetRequiredService<IOptions<KmsXmlEncryptorConfig>>());
}