5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00 · 2026-02-27 17:57:42 +00:00 · 07393f57fc
commit 07393f57fc
parent 138f335af0
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Core/Services/ClientService.cs
+++ b/IdentityShroud.Core/Services/ClientService.cs
@ -0,0 +1,65 @@
+using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Model;
+using Microsoft.EntityFrameworkCore;
+
+namespace IdentityShroud.Core.Services;
+
+public class ClientService(
+    Db db,
+    IDataEncryptionService cryptor,
+    IClock clock) : IClientService
+{
+    public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)
+    {
+        Client client = new()
+        {
+            RealmId = realmId,
+            ClientId = request.ClientId,
+            Name = request.Name,
+            Description = request.Description,
+            SignatureAlgorithm = request.SignatureAlgorithm,
+            AllowClientCredentialsFlow = request.AllowClientCredentialsFlow ?? false,
+            CreatedAt = clock.UtcNow(),
+        };
+        
+        if (client.AllowClientCredentialsFlow)
+        {
+            client.Secrets.Add(CreateSecret());
+        }
+
+        await db.AddAsync(client, ct);
+        await db.SaveChangesAsync(ct);
+
+        return client;
+    }
+
+    public async Task<Client?> GetByClientId(
+        Guid realmId,
+        string clientId, 
+        CancellationToken ct = default)
+    {
+        return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);
+    }
+
+    public async Task<Client?> FindById(
+        Guid realmId,
+        int id, 
+        CancellationToken ct = default)
+    {
+        return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);
+    }
+
+    private ClientSecret CreateSecret()
+    {
+        Span<byte> secret = stackalloc byte[24];
+        RandomNumberGenerator.Fill(secret);
+
+        return new ClientSecret()
+        {
+            CreatedAt = clock.UtcNow(),
+            Secret = cryptor.Encrypt(secret.ToArray()),
+        };
+
+    }
+}