eelke
07393f57fc
Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
46 lines
1.3 KiB
C#
46 lines
1.3 KiB
C#
using IdentityShroud.Core.Contracts;
|
|
using IdentityShroud.Core.Messages;
|
|
using IdentityShroud.Core.Model;
|
|
using IdentityShroud.Core.Security.Keys;
|
|
|
|
namespace IdentityShroud.Core.Services;
|
|
|
|
public class KeyService(
|
|
IDekEncryptionService cryptor,
|
|
IKeyProviderFactory keyProviderFactory,
|
|
IClock clock) : IKeyService
|
|
{
|
|
public RealmKey CreateKey(KeyPolicy policy)
|
|
{
|
|
IKeyProvider provider = keyProviderFactory.CreateProvider(policy.KeyType);
|
|
var plainKey = provider.CreateKey(policy);
|
|
|
|
return CreateKey(policy.KeyType, plainKey);
|
|
}
|
|
|
|
public JsonWebKey? CreateJsonWebKey(RealmKey realmKey)
|
|
{
|
|
JsonWebKey jwk = new()
|
|
{
|
|
KeyId = realmKey.Id.ToString(),
|
|
KeyType = realmKey.KeyType,
|
|
Use = "sig",
|
|
};
|
|
|
|
IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
|
|
provider.SetJwkParameters(
|
|
cryptor.Decrypt(realmKey.Key),
|
|
jwk);
|
|
|
|
return jwk;
|
|
}
|
|
|
|
private RealmKey CreateKey(string keyType, byte[] plainKey) =>
|
|
new RealmKey()
|
|
{
|
|
Id = Guid.NewGuid(),
|
|
KeyType = keyType,
|
|
Key = cryptor.Encrypt(plainKey),
|
|
CreatedAt = clock.UtcNow(),
|
|
};
|
|
}
|