Added the use of DEKs for encryption of secrets. Both the KEKs and DEKs are stored in a way that allows multiple keys, of which one is active while the others remain available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
35 lines
No EOL
993 B
C#
using System.Buffers.Text;
|
|
using System.Security.Cryptography;
|
|
using IdentityShroud.Core.Messages;
|
|
|
|
namespace IdentityShroud.Core.Security.Keys.Rsa;
|
|
|
|
public class RsaKeyPolicy : KeyPolicy
|
|
{
|
|
public override string KeyType => "RSA";
|
|
public int KeySize { get; } = 2048;
|
|
}
|
|
|
|
public class RsaProvider : IKeyProvider
|
|
{
|
|
public byte[] CreateKey(KeyPolicy policy)
|
|
{
|
|
if (policy is RsaKeyPolicy p)
|
|
{
|
|
using var rsa = RSA.Create(p.KeySize);
|
|
return rsa.ExportPkcs8PrivateKey();
|
|
}
|
|
|
|
throw new ArgumentException("Incorrect policy type", nameof(policy));
|
|
}
|
|
|
|
public void SetJwkParameters(byte[] key, JsonWebKey jwk)
|
|
{
|
|
using var rsa = RSA.Create();
|
|
rsa.ImportPkcs8PrivateKey(key, out _);
|
|
var parameters = rsa.ExportParameters(includePrivateParameters: false);
|
|
|
|
jwk.Exponent = Base64Url.EncodeToString(parameters.Exponent);
|
|
jwk.Modulus = Base64Url.EncodeToString(parameters.Modulus);
|
|
}
|
|
} |
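Review bot: SetJwkParameters discards the bytesRead value from ImportPkcs8PrivateKey, so a key blob with extra bytes after the PKCS#8 structure is accepted silently instead of being rejected; I would replace that line with `rsa.ImportPkcs8PrivateKey(key, out var bytesRead);` followed by `if (bytesRead != key.Length) throw new ArgumentException("Trailing data after PKCS#8 key", nameof(key));`, and guard `key` and `jwk` with `ArgumentNullException.ThrowIfNull(...)` at the top of the method. CreateKey returns the private key as an unencrypted PKCS#8 blob and nothing in this file protects it, so a `<summary>` on CreateKey stating that the returned bytes are plaintext key material the caller must encrypt before storing would document the contract the commit message describes. RsaKeyPolicy.KeySize is get-only and fixed at 2048, so the policy cannot currently request a different size; if that is intended, a comment saying so would avoid a later caller assuming it is configurable.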