/// <summary>
/// Checks that the signature carried in an encrypted column encryption key blob
/// verifies under the master key found at <paramref name="masterKeyPath"/>.
/// </summary>
/// <param name="masterKeyPath">Path of the asymmetric master key used to verify the signature.</param>
/// <param name="key">Parsed encrypted CEK exposing the signed message and its signature.</param>
/// <exception cref="ArgumentException">Thrown when the signature does not verify.</exception>
private void ValidateSignature(string masterKeyPath, EncryptedColumnEncryptionKey key)
{
    // The signed message is verified with the master key before any ciphertext
    // is handed to the unwrap step; a failed check is surfaced as an argument error.
    bool signatureIsValid = KeyCryptographer.VerifyData(key.Message, key.Signature, masterKeyPath);
    if (signatureIsValid)
    {
        return;
    }

    throw new ArgumentException("Invalid signature");
}
/// <summary>
/// Decrypts an encrypted column encryption key (CEK) with the asymmetric master key
/// stored in AKV at <paramref name="masterKeyPath"/>, unwrapping it with RSA-OAEP.
/// The encrypted key blob is laid out as
/// (version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature);
/// its signature is verified against the master key before the ciphertext is unwrapped.
/// </summary>
/// <param name="masterKeyPath">Complete path of an asymmetric key in AKV.</param>
/// <param name="encryptionAlgorithm">Asymmetric key encryption algorithm; checked by <c>ValidateEncryptionAlgorithmIsRsaOaep</c>.</param>
/// <param name="encryptedColumnEncryptionKey">Encrypted column encryption key blob.</param>
/// <returns>Plain-text column encryption key.</returns>
/// <exception cref="ArgumentException">Thrown when the blob's signature does not verify; the other validation helpers may throw on malformed input as well.</exception>
public byte[] DecryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)
{
    // Argument checks run in parameter order so the first offending argument is the one reported.
    ValidateNotNullOrWhitespace(masterKeyPath, nameof(masterKeyPath));
    ValidateMasterKeyPathFormat(masterKeyPath);
    ValidateMasterKeyIsTrusted(masterKeyPath, TrustedEndPoints);

    ValidateNotNullOrWhitespace(encryptionAlgorithm, nameof(encryptionAlgorithm));
    ValidateEncryptionAlgorithmIsRsaOaep(encryptionAlgorithm);

    ValidateNotNull(encryptedColumnEncryptionKey, nameof(encryptedColumnEncryptionKey));
    ValidateNotEmpty(encryptedColumnEncryptionKey, nameof(encryptedColumnEncryptionKey));

    // Register the master key with the cryptographer before it is used for verification and unwrapping.
    KeyCryptographer.AddKey(masterKeyPath);

    KeyWrapAlgorithm unwrapAlgorithm = KeyWrapAlgorithm.RsaOaep;
    var parsedKey = new EncryptedColumnEncryptionKey(encryptedColumnEncryptionKey);

    // Authenticate the blob first; only a verified ciphertext reaches the unwrap call.
    ValidateSignature(masterKeyPath, parsedKey);

    byte[] plaintextKey = KeyCryptographer.UnwrapKey(unwrapAlgorithm, parsedKey.Ciphertext, masterKeyPath);
    return plaintextKey;
}