private void ValidateSignature(string masterKeyPath, EncryptedColumnEncryptionKey key)
{
if (!KeyCryptographer.VerifyData(key.Message, key.Signature, masterKeyPath))
{
throw new ArgumentException("Invalid signature");
}
}
/// <summary>
/// This function uses the asymmetric key specified by the key path
/// and decrypts an encrypted CEK with RSA encryption algorithm.
/// Key format is (version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature)
/// </summary>
/// <param name="masterKeyPath">Complete path of an asymmetric key in AKV</param>
/// <param name="encryptionAlgorithm">Asymmetric Key Encryption Algorithm</param>
/// <param name="encryptedColumnEncryptionKey">Encrypted Column Encryption Key</param>
/// <returns>Plain text column encryption key</returns>
public byte[] DecryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)
{
ValidateNotNullOrWhitespace(masterKeyPath, nameof(masterKeyPath));
ValidateMasterKeyPathFormat(masterKeyPath);
ValidateMasterKeyIsTrusted(masterKeyPath, TrustedEndPoints);
ValidateNotNullOrWhitespace(encryptionAlgorithm, nameof(encryptionAlgorithm));
ValidateEncryptionAlgorithmIsRsaOaep(encryptionAlgorithm);
ValidateNotNull(encryptedColumnEncryptionKey, nameof(encryptedColumnEncryptionKey));
ValidateNotEmpty(encryptedColumnEncryptionKey, nameof(encryptedColumnEncryptionKey));
KeyCryptographer.AddKey(masterKeyPath);
KeyWrapAlgorithm keyWrapAlgorithm = KeyWrapAlgorithm.RsaOaep;
EncryptedColumnEncryptionKey encryptionKey = new EncryptedColumnEncryptionKey(encryptedColumnEncryptionKey);
ValidateSignature(masterKeyPath, encryptionKey);
return(KeyCryptographer.UnwrapKey(keyWrapAlgorithm, encryptionKey.Ciphertext, masterKeyPath));
}
