public override EncryptResult Encrypt(EncryptOptions options, CancellationToken cancellationToken = default)
{
Argument.AssertNotNull(options, nameof(options));
ThrowIfTimeInvalid();
EncryptionAlgorithm algorithm = options.Algorithm;
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc aesCbc)
{
// Make sure the IV is initialized.
options.Initialize();
using ICryptoTransform encryptor = aesCbc.CreateEncryptor(KeyMaterial.K, options.Iv);
byte[] plaintext = options.Plaintext;
byte[] ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
return(new EncryptResult
{
Algorithm = algorithm,
KeyId = KeyMaterial.Id,
Ciphertext = ciphertext,
Iv = options.Iv,
});
}
else
{
KeysEventSource.Singleton.AlgorithmNotSupported(nameof(Encrypt), algorithm);
return(null);
}
}
public override EncryptResult Encrypt(EncryptOptions options, CancellationToken cancellationToken)
{
Argument.AssertNotNull(options, nameof(options));
ThrowIfTimeInvalid();
EncryptionAlgorithm algorithm = options.Algorithm;
RSAEncryptionPadding padding = algorithm.GetRsaEncryptionPadding();
if (padding is null)
{
KeysEventSource.Singleton.AlgorithmNotSupported(nameof(Encrypt), algorithm);
return(null);
}
byte[] ciphertext = Encrypt(options.Plaintext, padding);
EncryptResult result = null;
if (ciphertext != null)
{
result = new EncryptResult
{
Algorithm = algorithm,
Ciphertext = ciphertext,
KeyId = KeyMaterial.Id,
};
}
return(result);
}
public override EncryptResult Encrypt(EncryptOptions options, CancellationToken cancellationToken = default)
{
Argument.AssertNotNull(options, nameof(options));
ThrowIfTimeInvalid();
EncryptionAlgorithm algorithm = options.Algorithm;
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc aesCbc)
{
// Make sure the IV is initialized.
options.Initialize();
using ICryptoTransform encryptor = aesCbc.CreateEncryptor(KeyMaterial.K, options.Iv);
byte[] plaintext = options.Plaintext;
byte[] ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
return(new EncryptResult
{
Algorithm = algorithm,
KeyId = KeyMaterial.Id,
Ciphertext = ciphertext,
Iv = options.Iv,
});
}
else if (algorithm.IsAesGcm() && AesGcmProxy.TryCreate(KeyMaterial.K, out AesGcmProxy aesGcm))
{
using (aesGcm)
{
byte[] plaintext = options.Plaintext;
byte[] ciphertext = new byte[plaintext.Length];
byte[] tag = new byte[AesGcmProxy.NonceByteSize];
// Generate an nonce only for local AES-GCM; Managed HSM will do it service-side and err if serialized.
byte[] iv = Crypto.GenerateIv(AesGcmProxy.NonceByteSize);
aesGcm.Encrypt(iv, plaintext, ciphertext, tag, options.AdditionalAuthenticatedData);
return(new EncryptResult
{
Algorithm = algorithm,
KeyId = KeyMaterial.Id,
Ciphertext = ciphertext,
Iv = iv,
AuthenticationTag = tag,
AdditionalAuthenticatedData = options.AdditionalAuthenticatedData,
});
}
}
else
{
KeysEventSource.Singleton.AlgorithmNotSupported(nameof(Encrypt), algorithm);
return(null);
}
}
/// <summary>
/// Encrypts plaintext.
/// </summary>
/// <param name="options">An <see cref="EncryptOptions"/> containing the data to encrypt and other options for algorithm-dependent encryption.</param>
/// <param name="cancellationToken">A <see cref="CancellationToken"/> to cancel the operation.</param>
/// <returns>
/// The result of the encrypt operation. The returned <see cref="EncryptResult"/> contains the encrypted data
/// along with all other information needed to decrypt it. This information should be stored with the encrypted data.
/// </returns>
/// <exception cref="ArgumentException">The specified algorithm does not match the key corresponding to the key identifier.</exception>
/// <exception cref="ArgumentNullException"><paramref name="options"/> is null.</exception>
/// <exception cref="CryptographicException">The local cryptographic provider threw an exception.</exception>
/// <exception cref="InvalidOperationException">The key is invalid for the current operation.</exception>
/// <exception cref="NotSupportedException">The operation is not supported with the specified key.</exception>
public virtual async Task <EncryptResult> EncryptAsync(EncryptOptions options, CancellationToken cancellationToken = default)
{
Argument.AssertNotNull(options, nameof(options));
EncryptResult result = null;
if (_provider.SupportsOperation(KeyOperation.Encrypt))
{
result = await _provider.EncryptAsync(options, cancellationToken).ConfigureAwait(false);
}
return(result ?? throw LocalCryptographyProvider.CreateOperationNotSupported(nameof(KeyOperation.Encrypt)));
}
/// <summary>
/// Encrypts plaintext.
/// </summary>
/// <param name="options">An <see cref="EncryptOptions"/> containing the data to encrypt and other options for algorithm-dependent encryption.</param>
/// <param name="cancellationToken">A <see cref="CancellationToken"/> to cancel the operation.</param>
/// <returns>
/// The result of the encrypt operation. The returned <see cref="EncryptResult"/> contains the encrypted data
/// along with all other information needed to decrypt it. This information should be stored with the encrypted data.
/// </returns>
/// <exception cref="ArgumentException">The specified algorithm does not match the key corresponding to the key identifier.</exception>
/// <exception cref="ArgumentNullException"><paramref name="options"/> is null.</exception>
/// <exception cref="CryptographicException">The local cryptographic provider threw an exception.</exception>
/// <exception cref="InvalidOperationException">The key is invalid for the current operation.</exception>
/// <exception cref="NotSupportedException">The operation is not supported with the specified key.</exception>
public virtual EncryptResult Encrypt(EncryptOptions options, CancellationToken cancellationToken = default)
{
Argument.AssertNotNull(options, nameof(options));
EncryptResult result = null;
if (_provider.SupportsOperation(KeyOperation.Encrypt))
{
result = _provider.Encrypt(options, cancellationToken);
}
return(result ?? throw LocalCryptographyProvider.CreateOperationNotSupported(nameof(KeyOperation.Encrypt)));
}
public virtual async Task <Response <EncryptResult> > EncryptAsync(EncryptOptions options, CancellationToken cancellationToken = default)
{
using DiagnosticScope scope = Pipeline.CreateScope($"{nameof(RemoteCryptographyClient)}.{nameof(Encrypt)}");
scope.AddAttribute("key", _keyId);
scope.Start();
try
{
// Make sure the IV is initialized.
// TODO: Remove this call once the service will initialized it: https://github.com/Azure/azure-sdk-for-net/issues/16175
options.Initialize();
return(await Pipeline.SendRequestAsync(RequestMethod.Post, options, () => new EncryptResult { Algorithm = options.Algorithm }, cancellationToken, "/encrypt").ConfigureAwait(false));
}
catch (Exception e)
{
scope.Failed(e);
throw;
}
}
public virtual Task <EncryptResult> EncryptAsync(EncryptOptions options, CancellationToken cancellationToken = default)
{
EncryptResult result = Encrypt(options, cancellationToken);
return(Task.FromResult(result));
}
public virtual EncryptResult Encrypt(EncryptOptions options, CancellationToken cancellationToken = default)
{
throw CreateOperationNotSupported(nameof(Encrypt));
}
EncryptResult ICryptographyProvider.Encrypt(EncryptOptions options, CancellationToken cancellationToken)
{
return(Encrypt(options, cancellationToken));
}
async Task <EncryptResult> ICryptographyProvider.EncryptAsync(EncryptOptions options, CancellationToken cancellationToken)
{
return(await EncryptAsync(options, cancellationToken).ConfigureAwait(false));
}
