eelke/IdentityShroud
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

5-improve-encrypted-storage (#6)

Browse source 
Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation.

Co-authored-by: eelke <eelke@eelkeklein.nl>
Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com>
Reviewed-on: #6
This commit is contained in:
eelke 2026-02-27 17:57:42 +00:00
parent 138f335af0
commit 07393f57fc
87 changed files with 1903 additions and 533 deletions
Download patch file Download diff file Expand all files Collapse all files

34
IdentityShroud.Api/Apis/Mappers/KeyMapper.cs
View file

@ -1,34 +1,22 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using Microsoft.AspNetCore.WebUtilities;
namespace IdentityShroud.Api.Mappers;
public class KeyMapper(IEncryptionService encryptionService)
public class KeyMapper(IKeyService keyService)
{
public JsonWebKey KeyToJsonWebKey(Key key)
public JsonWebKeySet KeyListToJsonWebKeySet(IEnumerable<RealmKey> keys)
{
using var rsa = RsaHelper.LoadFromPkcs8(key.GetPrivateKey(encryptionService));
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
return new JsonWebKey()
JsonWebKeySet wks = new();
foreach (var k in keys)
{
KeyType = rsa.SignatureAlgorithm,
KeyId = key.Id.ToString(),
Use = "sig",
Exponent = WebEncoders.Base64UrlEncode(parameters.Exponent!),
Modulus = WebEncoders.Base64UrlEncode(parameters.Modulus!),
};
}
public JsonWebKeySet KeyListToJsonWebKeySet(IEnumerable<Key> keys)
{
return new JsonWebKeySet()
{
Keys = keys.Select(e => KeyToJsonWebKey(e)).ToList(),
};
var wk = keyService.CreateJsonWebKey(k);
if (wk is {})
{
wks.Keys.Add(wk);
}
}
return wks;
}
}