-
Notifications
You must be signed in to change notification settings - Fork 533
Expand file tree
/
Copy pathEncryptionKeyStoreProviderImpl.cs
More file actions
114 lines (99 loc) · 5.49 KB
/
EncryptionKeyStoreProviderImpl.cs
File metadata and controls
114 lines (99 loc) · 5.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
//------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
//------------------------------------------------------------
namespace Microsoft.Azure.Cosmos.Encryption
{
using System;
using System.Threading;
using System.Threading.Tasks;
using global::Azure.Core.Cryptography;
using Microsoft.Data.Encryption.Cryptography;
/// <summary>
/// The purpose/intention to introduce this class is to utilize the cache provide by the <see cref="EncryptionKeyStoreProvider"/> abstract class. This class basically
/// redirects all the corresponding calls to <see cref="IKeyEncryptionKeyResolver"/> 's methods and thus allowing us
/// to utilize the virtual method <see cref="EncryptionKeyStoreProvider.GetOrCreateDataEncryptionKey"/> to access the cache.
///
/// Note: Since <see cref="EncryptionKeyStoreProvider.Sign"/> and <see cref="EncryptionKeyStoreProvider.Verify"/> methods are not exposed, <see cref="EncryptionKeyStoreProvider.GetOrCreateSignatureVerificationResult"/> is not supported either.
///
/// <remark>
/// The call hierarchy is as follows. Note, all core MDE API's used in internal cosmos encryption code are passed an EncryptionKeyStoreProviderImpl object.
/// ProtectedDataEncryptionKey -> KeyEncryptionKey(containing EncryptionKeyStoreProviderImpl object) -> EncryptionKeyStoreProviderImpl.WrapKey -> this.keyEncryptionKeyResolver.WrapKey
/// ProtectedDataEncryptionKey -> KeyEncryptionKey(containing EncryptionKeyStoreProviderImpl object) -> EncryptionKeyStoreProviderImpl.UnWrapKey -> this.keyEncryptionKeyResolver.UnwrapKey
/// </remark>
/// </summary>
internal class EncryptionKeyStoreProviderImpl : EncryptionKeyStoreProvider
{
public const string RsaOaepWrapAlgorithm = "RSA-OAEP";
private readonly IKeyEncryptionKeyResolver keyEncryptionKeyResolver;
public EncryptionKeyStoreProviderImpl(IKeyEncryptionKeyResolver keyEncryptionKeyResolver, string providerName)
{
this.keyEncryptionKeyResolver = keyEncryptionKeyResolver;
this.ProviderName = providerName;
this.DataEncryptionKeyCacheTimeToLive = TimeSpan.Zero;
}
public override string ProviderName { get; }
/// <summary>
/// Gets the key encryption key resolver for use by derived classes.
/// </summary>
internal IKeyEncryptionKeyResolver KeyEncryptionKeyResolver => this.keyEncryptionKeyResolver;
public override byte[] UnwrapKey(string encryptionKeyId, KeyEncryptionKeyAlgorithm algorithm, byte[] encryptedKey)
{
// since we do not expose GetOrCreateDataEncryptionKey we first look up the cache.
// Cache miss results in call to UnWrapCore which updates the cache after UnwrapKeyAsync is called.
return this.GetOrCreateDataEncryptionKey(encryptedKey.ToHexString(), UnWrapKeyCore);
// delegate that is called by GetOrCreateDataEncryptionKey, which unwraps the key and updates the cache in case of cache miss.
byte[] UnWrapKeyCore()
{
return this.keyEncryptionKeyResolver
.Resolve(encryptionKeyId)
.UnwrapKey(EncryptionKeyStoreProviderImpl.GetNameForKeyEncryptionKeyAlgorithm(algorithm), encryptedKey);
}
}
public override byte[] WrapKey(string encryptionKeyId, KeyEncryptionKeyAlgorithm algorithm, byte[] key)
{
return this.keyEncryptionKeyResolver
.Resolve(encryptionKeyId)
.WrapKey(EncryptionKeyStoreProviderImpl.GetNameForKeyEncryptionKeyAlgorithm(algorithm), key);
}
/// <Remark>
/// The public facing Cosmos Encryption library interface does not expose this method, hence not supported.
/// </Remark>
public override byte[] Sign(string encryptionKeyId, bool allowEnclaveComputations)
{
throw new NotSupportedException("The Sign operation is not supported.");
}
/// <Remark>
/// The public facing Cosmos Encryption library interface does not expose this method, hence not supported.
/// </Remark>
public override bool Verify(string encryptionKeyId, bool allowEnclaveComputations, byte[] signature)
{
throw new NotSupportedException("The Verify operation is not supported.");
}
internal static string GetNameForKeyEncryptionKeyAlgorithm(KeyEncryptionKeyAlgorithm algorithm)
{
if (algorithm == KeyEncryptionKeyAlgorithm.RSA_OAEP)
{
return EncryptionKeyStoreProviderImpl.RsaOaepWrapAlgorithm;
}
throw new InvalidOperationException(string.Format("Unexpected algorithm {0}", algorithm));
}
/// <summary>
/// No-op in the base implementation. Overridden in <see cref="CachingEncryptionKeyStoreProviderImpl"/>
/// to asynchronously pre-warm the unwrapped-key cache.
/// </summary>
internal virtual Task PrefetchUnwrapKeyAsync(
string encryptionKeyId,
byte[] encryptedKey,
CancellationToken cancellationToken)
{
return Task.CompletedTask;
}
/// <summary>
/// No-op in the base implementation. Overridden in <see cref="CachingEncryptionKeyStoreProviderImpl"/>
/// to cancel background tasks and release resources.
/// </summary>
internal virtual void Cleanup()
{
}
}
}