eelke/IdentityShroud
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

Browse source
This commit is contained in:
eelke 2026-02-26 16:53:02 +01:00
parent 644b005f2a
commit 650fe99990
36 changed files with 399 additions and 129 deletions
Download patch file Download diff file Expand all files Collapse all files

4
IdentityShroud.Core/Security/ConfigurationSecretProvider.cs
View file

@ -15,8 +15,8 @@ public class ConfigurationSecretProvider(IConfiguration configuration) : ISecret
return secrets.GetValue<string>(name) ?? "";
}
public EncryptionKey[] GetKeys(string name)
public KeyEncryptionKey[] GetKeys(string name)
{
return secrets.GetSection(name).Get<EncryptionKey[]>() ?? [];
return secrets.GetSection(name).Get<KeyEncryptionKey[]>() ?? [];
}
}

6
IdentityShroud.Core/Security/DekId.cs Normal file
View file

@ -0,0 +1,6 @@
namespace IdentityShroud.Core.Security;
public record struct DekId(Guid Id)
{
public static DekId NewId() => new(Guid.NewGuid());
}

6
IdentityShroud.Core/Security/EncryptedDek.cs Normal file
View file

@ -0,0 +1,6 @@
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Security;
[Owned]
public record EncryptedDek(KekId KekId, byte[] Value);

6
IdentityShroud.Core/Security/EncryptedValue.cs
View file

@ -1,6 +1,8 @@
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Contracts;
namespace IdentityShroud.Core.Security;
[Owned]
public record EncryptedValue(string KeyId, byte[] Value);
public record EncryptedValue(DekId DekId, byte[] Value);

70
IdentityShroud.Core/Security/Encryption.cs Normal file
View file

@ -0,0 +1,70 @@
using System.Security.Cryptography;
namespace IdentityShroud.Core.Security;
public static class Encryption
{
private record struct AlgVersion(int Version, int NonceSize, int TagSize);
private static AlgVersion[] _versions =
[
new(0, 0, 0), // version 0 does not realy exist
new(1, 12, 16), // version 1
];
public static byte[] Encrypt(ReadOnlyMemory<byte> plaintext, ReadOnlySpan<byte> key)
{
const int versionNumber = 1;
AlgVersion versionParams = _versions[versionNumber];
int resultSize = 1 + versionParams.NonceSize + versionParams.TagSize + plaintext.Length;
// allocate buffer for complete response
var result = new byte[resultSize];
result[0] = (byte)versionParams.Version;
// make the spans that point to the parts of the result where their data is located
var nonce = result.AsSpan(1, versionParams.NonceSize);
var tag = result.AsSpan(1 + versionParams.NonceSize, versionParams.TagSize);
var cipher = result.AsSpan(1 + versionParams.NonceSize + versionParams.TagSize);
// use the spans to place the data directly in its place
RandomNumberGenerator.Fill(nonce);
using var aes = new AesGcm(key, versionParams.TagSize);
aes.Encrypt(nonce, plaintext.Span, cipher, tag);
return result;
}
public static byte[] Decrypt(ReadOnlyMemory<byte> input, ReadOnlySpan<byte> key)
{
var payload = input.Span;
int versionNumber = (int)payload[0];
if (versionNumber != 1)
throw new ArgumentException("Invalid payload");
AlgVersion versionParams = _versions[versionNumber];
if (payload.Length < 1 + versionParams.NonceSize + versionParams.TagSize)
throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
ReadOnlySpan<byte> nonce = payload.Slice(1, versionParams.NonceSize);
ReadOnlySpan<byte> tag = payload.Slice(1 + versionParams.NonceSize, versionParams.TagSize);
ReadOnlySpan<byte> cipher = payload.Slice(1 + versionParams.NonceSize + versionParams.TagSize);
byte[] plaintext = new byte[cipher.Length];
using var aes = new AesGcm(key, versionParams.TagSize);
try
{
aes.Decrypt(nonce, cipher, tag, plaintext);
}
catch (CryptographicException ex)
{
// Tag verification failed → tampering or wrong key/nonce.
throw new InvalidOperationException("Decryption failed authentication tag mismatch.", ex);
}
return plaintext;
}
}

4
IdentityShroud.Core/Security/EncryptionKey.cs
View file

@ -1,4 +0,0 @@
namespace IdentityShroud.Core.Contracts;
// Contains an encryption key and associated relevant data
public record EncryptionKey(string Id, bool Active, string Algorithm, byte[] Key);

41
IdentityShroud.Core/Security/KekId.cs Normal file
View file

@ -0,0 +1,41 @@
using System.ComponentModel;
using System.Globalization;
using System.Text.Json;
using System.Text.Json.Serialization;
namespace IdentityShroud.Core.Security;
[JsonConverter(typeof(KekIdJsonConverter))]
[TypeConverter(typeof(KekIdTypeConverter))]
public readonly record struct KekId
{
public Guid Id { get; }
public KekId(Guid id)
{
Id = id;
}
public static KekId NewId()
{
return new KekId(Guid.NewGuid());
}
}
public class KekIdJsonConverter : JsonConverter<KekId>
{
public override KekId Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
=> new KekId(reader.GetGuid());
public override void Write(Utf8JsonWriter writer, KekId value, JsonSerializerOptions options)
=> writer.WriteStringValue(value.Id);
}
public class KekIdTypeConverter : TypeConverter
{
public override bool CanConvertFrom(ITypeDescriptorContext? context, Type sourceType)
=> sourceType == typeof(string) || base.CanConvertFrom(context, sourceType);
public override object? ConvertFrom(ITypeDescriptorContext? context, CultureInfo? culture, object value)
=> value is string s ? new KekId(Guid.Parse(s)) : base.ConvertFrom(context, culture, value);
}

10
IdentityShroud.Core/Security/KeyEncryptionKey.cs Normal file
View file

@ -0,0 +1,10 @@
namespace IdentityShroud.Core.Security;
/// <summary>
/// Contains a KEK and associated relevant data. This structure
/// </summary>
/// <param name="Id"></param>
/// <param name="Active"></param>
/// <param name="Algorithm"></param>
/// <param name="Key"></param>
public record KeyEncryptionKey(KekId Id, bool Active, string Algorithm, byte[] Key);