5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation.

Co-authored-by: eelke <eelke@eelkeklein.nl>
Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com>
Reviewed-on: #6

IdentityShroud.Core/Contracts/IClientService.cs

@@ -0,0 +1,14 @@
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IClientService
+{
+    Task<Result<Client>> Create(
+        Guid realmId,
+        ClientCreateRequest request, 
+        CancellationToken ct = default);
+
+    Task<Client?> GetByClientId(Guid realmId, string clientId, CancellationToken ct = default);
+    Task<Client?> FindById(Guid realmId, int id, CancellationToken ct = default);
+}

IdentityShroud.Core/Contracts/IClock.cs

@@ -0,0 +1,6 @@
+namespace IdentityShroud.Core.Contracts;
+
+public interface IClock
+{
+    DateTime UtcNow();
+}

IdentityShroud.Core/Contracts/IDataEncryptionService.cs

@@ -0,0 +1,9 @@
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IDataEncryptionService
+{
+    EncryptedValue Encrypt(ReadOnlySpan<byte> plain);
+    byte[] Decrypt(EncryptedValue input);
+}

IdentityShroud.Core/Contracts/IDekEncryptionService.cs

@@ -0,0 +1,11 @@
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Contracts;
+
+
+
+public interface IDekEncryptionService
+{
+    EncryptedDek Encrypt(ReadOnlySpan<byte> plain);
+    byte[] Decrypt(EncryptedDek input);
+}

IdentityShroud.Core/Contracts/IEncryptionService.cs

@@ -1,7 +0,0 @@
-namespace IdentityShroud.Core.Contracts;
-
-public interface IEncryptionService
-{
-    byte[] Encrypt(byte[] plain);
-    byte[] Decrypt(byte[] cipher);
-}

IdentityShroud.Core/Contracts/IKeyService.cs

@@ -0,0 +1,12 @@
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security.Keys;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IKeyService
+{
+    RealmKey CreateKey(KeyPolicy policy);
+
+    JsonWebKey? CreateJsonWebKey(RealmKey realmKey);
+}

IdentityShroud.Core/Contracts/IRealmContext.cs

@@ -0,0 +1,9 @@
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IRealmContext
+{
+    public Realm GetRealm();
+    Task<IList<RealmDek>> GetDeks(CancellationToken ct = default);
+}

IdentityShroud.Core/Contracts/IRealmService.cs

@@ -0,0 +1,15 @@
+using IdentityShroud.Core.Messages.Realm;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Services;
+
+namespace IdentityShroud.Core.Contracts;
+
+public interface IRealmService
+{
+    Task<Realm?> FindById(Guid id, CancellationToken ct = default);
+    Task<Realm?> FindBySlug(string slug, CancellationToken ct = default);
+        
+    Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default);
+    Task LoadActiveKeys(Realm realm);
+    Task LoadDeks(Realm realm);
+}

IdentityShroud.Core/Contracts/ISecretProvider.cs

@@ -1,6 +1,14 @@
+using IdentityShroud.Core.Security;
+
 namespace IdentityShroud.Core.Contracts;
 
 public interface ISecretProvider
 {
     string GetSecret(string name);
+
+    /// <summary>
+    /// Should return one active key, might return inactive keys.
+    /// </summary>
+    /// <returns></returns>
+    KeyEncryptionKey[] GetKeys(string name);
 }