5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00 · 2026-02-27 17:57:42 +00:00 · 07393f57fc
commit 07393f57fc
parent 138f335af0
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Core/Services/RealmService.cs
+++ b/IdentityShroud.Core/Services/RealmService.cs
@ -1,8 +1,9 @@
-using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Helpers;
 using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security.Keys;
+using IdentityShroud.Core.Security.Keys.Rsa;
 using Microsoft.EntityFrameworkCore;

 namespace IdentityShroud.Core.Services;
@ -11,8 +12,14 @@ public record RealmCreateResponse(Guid Id, string Slug, string Name);

 public class RealmService(
    Db db,
-    IEncryptionService encryptionService) : IRealmService
+    IKeyService keyService) : IRealmService
 {
+    public async Task<Realm?> FindById(Guid id, CancellationToken ct = default)
+    {
+        return await db.Realms
+            .SingleOrDefaultAsync(r => r.Id == id, ct);
+    }
+
    public async Task<Realm?> FindBySlug(string slug, CancellationToken ct = default)
    {
        return await db.Realms
@ -26,8 +33,9 @@ public class RealmService(
            Id = request.Id ?? Guid.CreateVersion7(),
            Slug = request.Slug ?? SlugHelper.GenerateSlug(request.Name),
            Name = request.Name,
-            Keys = [ CreateKey() ],
        };
+        
+        realm.Keys.Add(keyService.CreateKey(GetKeyPolicy(realm)));

        db.Add(realm);
        await db.SaveChangesAsync(ct);
@ -36,25 +44,26 @@ public class RealmService(
            realm.Id, realm.Slug, realm.Name);
    }

+    /// <summary>
+    /// Place holder for getting policies from the realm and falling back to sane defaults when no policies have been set.
+    /// </summary>
+    /// <param name="_"></param>
+    /// <returns></returns>
+    private KeyPolicy GetKeyPolicy(Realm _) => new RsaKeyPolicy();
+    
+
    public async Task LoadActiveKeys(Realm realm)
    {
        await db.Entry(realm).Collection(r => r.Keys)
            .Query()
-            .Where(k => k.DeactivatedAt == null)
+            .Where(k => k.RevokedAt == null)
            .LoadAsync();
-        
    }

-    private Key CreateKey()
+    public async Task LoadDeks(Realm realm)
    {
-        using RSA rsa = RSA.Create(2048);
-
-        Key key = new()
-        {
-            Priority = 10,
-        };
-        key.SetPrivateKey(encryptionService, rsa.ExportPkcs8PrivateKey());
-
-        return key;
+        await db.Entry(realm).Collection(r => r.Deks)
+            .Query()
+            .LoadAsync();
    }
 }