5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00 · 2026-02-27 17:57:42 +00:00 · 07393f57fc
commit 07393f57fc
parent 138f335af0
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs
+++ b/IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs
@ -0,0 +1,35 @@
+using System.Buffers.Text;
+using System.Security.Cryptography;
+using IdentityShroud.Core.Messages;
+
+namespace IdentityShroud.Core.Security.Keys.Rsa;
+
+public class RsaKeyPolicy : KeyPolicy
+{
+    public override string KeyType => "RSA";
+    public int KeySize { get; } = 2048;
+}
+
+public class RsaProvider : IKeyProvider
+{
+    public byte[] CreateKey(KeyPolicy policy)
+    {
+        if (policy is RsaKeyPolicy p)
+        {
+            using var rsa = RSA.Create(p.KeySize);
+            return rsa.ExportPkcs8PrivateKey();
+        }
+
+        throw new ArgumentException("Incorrect policy type", nameof(policy));
+    }
+
+    public void SetJwkParameters(byte[] key, JsonWebKey jwk)
+    {
+        using var rsa = RSA.Create();
+        rsa.ImportPkcs8PrivateKey(key, out _);
+        var parameters = rsa.ExportParameters(includePrivateParameters: false);
+
+        jwk.Exponent = Base64Url.EncodeToString(parameters.Exponent);
+        jwk.Modulus = Base64Url.EncodeToString(parameters.Modulus);
+    }
+}