Reworked code around signing keys have key details much more isolated from the other parts of the program.

IdentityShroud.Core/Services/ClientService.cs

@@ -14,7 +14,6 @@ public class ClientService(
     {
         Client client = new()
         {
-            Id = Guid.NewGuid(),
             RealmId = realmId,
             ClientId = request.ClientId,
             Name = request.Name,
@@ -40,6 +39,11 @@ public class ClientService(
         return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId, ct);
     }
 
+    public async Task<Client?> FindById(int id, CancellationToken ct = default)
+    {
+        return await db.Clients.FirstOrDefaultAsync(c => c.Id == id, ct);
+    }
+
     private ClientSecret CreateSecret()
     {
         byte[] secret = RandomNumberGenerator.GetBytes(24);

IdentityShroud.Core/Services/EncryptionService.cs

@@ -20,7 +20,7 @@ public class EncryptionService : IEncryptionService
         return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
     }
 
-    public byte[] Decrypt(byte[] cipher)
+    public byte[] Decrypt(ReadOnlyMemory<byte> cipher)
     {
         return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
     }

IdentityShroud.Core/Services/KeyProvisioningService.cs

@@ -1,30 +0,0 @@
-using System.Security.Cryptography;
-using IdentityShroud.Core.Contracts;
-using IdentityShroud.Core.Model;
-
-namespace IdentityShroud.Core.Services;
-
-public class KeyProvisioningService(
-    IEncryptionService encryptionService,
-    IClock clock) : IKeyProvisioningService
-{
-    public RealmKey CreateRsaKey(int keySize = 2048)
-    {
-        using var rsa = RSA.Create(keySize);
-        return CreateKey("RSA", rsa.ExportPkcs8PrivateKey());
-    }
-
-    private RealmKey CreateKey(string keyType, byte[] keyData) =>
-        new RealmKey(
-            Guid.NewGuid(),
-            keyType,
-            encryptionService.Encrypt(keyData),
-            clock.UtcNow());
-
-    // public byte[] GetPrivateKey(IEncryptionService encryptionService)
-    // {
-    //     if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
-    //         _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
-    //     return _privateKeyDecrypted;
-    // }
-}

IdentityShroud.Core/Services/KeyService.cs

@@ -0,0 +1,52 @@
+using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security.Keys;
+
+namespace IdentityShroud.Core.Services;
+
+public class KeyService(
+    IEncryptionService cryptor,
+    IKeyProviderFactory keyProviderFactory,
+    IClock clock) : IKeyService
+{
+    public RealmKey CreateKey(KeyPolicy policy)
+    {
+        IKeyProvider provider = keyProviderFactory.CreateProvider(policy.KeyType);
+        var plainKey = provider.CreateKey(policy);
+
+        return CreateKey(policy.KeyType, plainKey);
+    }
+
+    public JsonWebKey? CreateJsonWebKey(RealmKey realmKey)
+    {
+        JsonWebKey jwk = new()
+        {
+            KeyId = realmKey.Id.ToString(),
+            KeyType = realmKey.KeyType,
+            Use = "sig",
+        };
+        
+        IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
+        provider.SetJwkParameters(
+            cryptor.Decrypt(realmKey.KeyDataEncrypted),
+            jwk);
+
+        return jwk;
+    }
+
+    private RealmKey CreateKey(string keyType, byte[] plainKey) =>
+        new RealmKey(
+            Guid.NewGuid(),
+            keyType,
+            cryptor.Encrypt(plainKey),
+            clock.UtcNow());
+
+    // public byte[] GetPrivateKey(IEncryptionService encryptionService)
+    // {
+    //     if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
+    //         _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
+    //     return _privateKeyDecrypted;
+    // }
+}

IdentityShroud.Core/Services/RealmService.cs

@@ -3,6 +3,8 @@ using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Helpers;
 using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security.Keys;
+using IdentityShroud.Core.Security.Keys.Rsa;
 using Microsoft.EntityFrameworkCore;
 
 namespace IdentityShroud.Core.Services;
@@ -11,8 +13,14 @@ public record RealmCreateResponse(Guid Id, string Slug, string Name);
 
 public class RealmService(
     Db db,
-    IKeyProvisioningService keyProvisioningService) : IRealmService
+    IKeyService keyService) : IRealmService
 {
+    public async Task<Realm?> FindById(Guid id, CancellationToken ct = default)
+    {
+        return await db.Realms
+            .SingleOrDefaultAsync(r => r.Id == id, ct);
+    }
+
     public async Task<Realm?> FindBySlug(string slug, CancellationToken ct = default)
     {
         return await db.Realms
@@ -26,8 +34,9 @@ public class RealmService(
             Id = request.Id ?? Guid.CreateVersion7(),
             Slug = request.Slug ?? SlugHelper.GenerateSlug(request.Name),
             Name = request.Name,
-            Keys = [ keyProvisioningService.CreateRsaKey() ],
         };
+        
+        realm.Keys.Add(keyService.CreateKey(GetKeyPolicy(realm)));
 
         db.Add(realm);
         await db.SaveChangesAsync(ct);
@@ -36,6 +45,14 @@ public class RealmService(
             realm.Id, realm.Slug, realm.Name);
     }
 
+    /// <summary>
+    /// Place holder for getting policies from the realm and falling back to sane defaults when no policies have been set.
+    /// </summary>
+    /// <param name="_"></param>
+    /// <returns></returns>
+    private KeyPolicy GetKeyPolicy(Realm _) => new RsaKeyPolicy();
+    
+
     public async Task LoadActiveKeys(Realm realm)
     {
         await db.Entry(realm).Collection(r => r.Keys)