C# (CSharp) Kamus.KeyManagement KeyIdCreator示例

示例#1

文件： GoogleCloudKeyManagment.cs 项目： yfried/kamus

        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            var safeId        = KeyIdCreator.Create(serviceAccountId);
            var keyring       = new KeyRingName(mProjectName, mKeyringLocation, mKeyringName);
            var cryptoKeyName =
                new CryptoKeyName(mProjectName, mKeyringLocation, mKeyringName, safeId);

            try
            {
                await mKmsService.GetCryptoKeyAsync(cryptoKeyName);
            } catch (RpcException e) when(e.StatusCode == StatusCode.NotFound && createKeyIfMissing)
            {
                var key = new CryptoKey
                {
                    Purpose         = CryptoKey.Types.CryptoKeyPurpose.EncryptDecrypt,
                    VersionTemplate = new CryptoKeyVersionTemplate
                    {
                        ProtectionLevel = ProtectionLevel.Software
                    }
                };

                if (mRotationPeriod.HasValue)
                {
                    key.NextRotationTime = (DateTime.UtcNow + mRotationPeriod.Value).ToTimestamp();
                    key.RotationPeriod   = Duration.FromTimeSpan(mRotationPeriod.Value);
                }

                var request = await mKmsService.CreateCryptoKeyAsync(keyring, safeId, key);
            }

            var cryptoKeyPathName = new CryptoKeyPathName(mProjectName, mKeyringLocation, mKeyringName, safeId);
            var encryted          = await mKmsService.EncryptAsync(cryptoKeyPathName, ByteString.FromBase64(data));

            return(encryted.Ciphertext.ToBase64());
        }

示例#2

        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            var safeId     = KeyIdCreator.Create(serviceAccountId);
            var cryptoKeys = mKmsService.Projects.Locations.KeyRings.CryptoKeys;
            var keyringId  = $"projects/{mProjectName}/locations/{mKeyringLocation}/keyRings/{mKeyringName}";
            var keyId      = $"{keyringId}/cryptoKeys/{safeId}";

            try
            {
                await cryptoKeys.Get(keyId).ExecuteAsync();
            } catch (GoogleApiException e) when(e.HttpStatusCode == HttpStatusCode.NotFound && createKeyIfMissing)
            {
                //todo: handle key rotation - currently set to never expired
                var key = new CryptoKey
                {
                    Purpose         = "ENCRYPT_DECRYPT",
                    VersionTemplate = new CryptoKeyVersionTemplate
                    {
                        ProtectionLevel = mProtectionLevel
                    }
                };

                var request = cryptoKeys.Create(key, keyringId);

                request.CryptoKeyId = safeId;
                await request.ExecuteAsync();
            }

            var encryted = await cryptoKeys.Encrypt(new EncryptRequest
            {
                Plaintext = data
            }, keyId).ExecuteAsync();

            return(encryted.Ciphertext);
        }

示例#3

文件： AwsKeyManagement.cs 项目： lichnak/kamus

        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            var masterKeyAlias = $"alias/{mCmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}";

            var(dataKey, encryptedDataKey) = await GenerateEncryptionKey(masterKeyAlias);

            var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey.ToArray(), Encoding.UTF8.GetBytes(data));

            return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
        }

示例#4

文件： GoogleCloudKeyManagment.cs 项目： yfried/kamus

        public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
        {
            var safeId        = KeyIdCreator.Create(serviceAccountId);
            var cryptoKeyName =
                new CryptoKeyName(mProjectName, mKeyringLocation, mKeyringName, safeId);
            var result =
                await mKmsService.DecryptAsync(
                    cryptoKeyName,
                    ByteString.FromBase64(encryptedData));

            return(result.Plaintext.ToBase64());
        }

示例#5

        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            var cmkPrefix      = string.IsNullOrEmpty(mCmkPrefix) ? "" : $"{mCmkPrefix}-";
            var masterKeyAlias = $"alias/{cmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}";

            var(dataKey, encryptedDataKey) = await GenerateEncryptionKey(masterKeyAlias);

            mSymmetricKeyManagement.SetEncryptionKey(Convert.ToBase64String(dataKey.ToArray()));
            var encryptedData = await mSymmetricKeyManagement.Encrypt(data, serviceAccountId);

            return("env" + "$" + encryptedDataKey + "$" + encryptedData);
        }

示例#6

        public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
        {
            var safeId     = KeyIdCreator.Create(serviceAccountId);
            var cryptoKeys = mKmsService.Projects.Locations.KeyRings.CryptoKeys;
            var keyringId  = $"projects/{mProjectName}/locations/{mKeyringLocation}/keyRings/{mKeyringName}";
            var keyId      = $"{keyringId}/cryptoKeys/{safeId}";

            var result = await cryptoKeys.Decrypt(new DecryptRequest
            {
                Ciphertext = encryptedData
            }, keyId).ExecuteAsync();

            return(result.Plaintext);
        }

示例#7

文件： AwsKeyManagement.cs 项目： lichnak/kamus

        public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
        {
            var tuple = EnvelopeEncryptionUtils.Unwrap(encryptedData).ValueOrFailure("Invalid encrypted data format");

            var(encryptedDataKey, iv, actualEncryptedData) = tuple;

            var masterKeyAlias   = $"alias/{mCmkPrefix}kamus/{KeyIdCreator.Create(serviceAccountId)}";
            var decryptionResult = await mAmazonKeyManagementService.DecryptAsync(new DecryptRequest
            {
                CiphertextBlob = new MemoryStream(Convert.FromBase64String(encryptedDataKey)),
                KeyId          = masterKeyAlias
            });

            var decrypted = RijndaelUtils.Decrypt(decryptionResult.Plaintext.ToArray(), iv, actualEncryptedData);

            return(Encoding.UTF8.GetString(decrypted));
        }

示例#8

文件： AzureKeyVaultKeyManagement.cs 项目： vanderstack/kamus

        public async Task <string> Decrypt(string encryptedData, string serviceAccountId)
        {
            var hash = KeyIdCreator.Create(serviceAccountId);

            var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{hash}";

            try
            {
                var encryptionResult =
                    await mKeyVaultClient.DecryptAsync(keyId, "RSA-OAEP", Convert.FromBase64String(encryptedData));

                return(Encoding.UTF8.GetString(encryptionResult.Result));
            }
            catch (KeyVaultErrorException e)
            {
                throw new DecryptionFailureException("KeyVault decryption failed", e);
            }
        }

示例#9

文件： AzureKeyVaultKeyManagement.cs 项目： vanderstack/kamus

        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            var hash = KeyIdCreator.Create(serviceAccountId);

            var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{hash}";

            try
            {
                await mKeyVaultClient.GetKeyAsync(keyId);
            }
            catch (KeyVaultErrorException e) when(e.Response.StatusCode == HttpStatusCode.NotFound && createKeyIfMissing)
            {
                mLogger.Information(
                    "KeyVault key was not found for service account id {serviceAccount}, creating new one.",
                    serviceAccountId);

                await mKeyVaultClient.CreateKeyAsync($"https://{mKeyVaultName}.vault.azure.net", hash, mKeyType, mKeyLength);
            }

            var encryptionResult = await mKeyVaultClient.EncryptAsync(keyId, "RSA-OAEP", Encoding.UTF8.GetBytes(data));

            return(Convert.ToBase64String(encryptionResult.Result));
        }