feature/secure-sensitive-data (#47)

* Added ProtectedData to provide in-memory encryption for sensitive data such as private keys and secrets.

* Added xmldoc.

Author: MrMatthewLayton

OnixLabs.Security.Cryptography/PrivateKey.cs

@@ -19,11 +19,22 @@ namespace OnixLabs.Security.Cryptography;
 /// <summary>
 /// Represents a cryptographic private key.
 /// </summary>
-/// <param name="keyData">The underlying key data of the cryptographic private key.</param>
-public abstract partial class PrivateKey(ReadOnlySpan<byte> keyData) : ICryptoPrimitive<PrivateKey>
+public abstract partial class PrivateKey : ICryptoPrimitive<PrivateKey>
 {
+    private readonly ProtectedData protectedData = new();
+    private readonly byte[] encryptedKeyData;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="PrivateKey"/> class.
+    /// </summary>
+    /// <param name="keyData">The underlying key data of the cryptographic private key.</param>
+    protected PrivateKey(ReadOnlySpan<byte> keyData)
+    {
+        encryptedKeyData = protectedData.Encrypt(keyData.ToArray());
+    }
+
     /// <summary>
     /// Gets the cryptographic private key data.
     /// </summary>
-    protected byte[] KeyData { get; } = keyData.ToArray();
+    protected byte[] KeyData => protectedData.Decrypt(encryptedKeyData);
 }

OnixLabs.Security.Cryptography/ProtectedData.cs

@@ -0,0 +1,80 @@
+// Copyright 2020 ONIXLabs
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System.IO;
+using System.Security.Cryptography;
+using Aes = System.Security.Cryptography.Aes;
+
+namespace OnixLabs.Security.Cryptography;
+
+/// <summary>
+/// Represents an in-memory data protection mechanism for sensitive, long-lived cryptographic data.
+/// </summary>
+internal sealed class ProtectedData
+{
+    private readonly byte[] key = Salt.CreateNonZero(32).ToByteArray();
+    private readonly byte[] iv = Salt.CreateNonZero(16).ToByteArray();
+
+    /// <summary>
+    /// Encrypted the specified data.
+    /// </summary>
+    /// <param name="data">The data to encrypt.</param>
+    /// <returns>Returns the encrypted data.</returns>
+    public byte[] Encrypt(byte[] data)
+    {
+        Require(data.Length > 0, "Data must not be empty.", nameof(data));
+
+        using Aes algorithm = Aes.Create();
+
+        algorithm.Key = key;
+        algorithm.IV = iv;
+        algorithm.Padding = PaddingMode.PKCS7;
+
+        ICryptoTransform transform = algorithm.CreateEncryptor(algorithm.Key, algorithm.IV);
+
+        using MemoryStream memoryStream = new();
+        using CryptoStream cryptoStream = new(memoryStream, transform, CryptoStreamMode.Write);
+
+        cryptoStream.Write(data, 0, data.Length);
+        cryptoStream.FlushFinalBlock();
+
+        return memoryStream.ToArray();
+    }
+
+    /// <summary>
+    /// Decrypts the specified data.
+    /// </summary>
+    /// <param name="data">The data to decrypt.</param>
+    /// <returns>Returns the decrypted data.</returns>
+    public byte[] Decrypt(byte[] data)
+    {
+        Require(data.Length > 0, "Data must not be empty.", nameof(data));
+
+        using Aes algorithm = Aes.Create();
+
+        algorithm.Key = key;
+        algorithm.IV = iv;
+        algorithm.Padding = PaddingMode.PKCS7;
+
+        ICryptoTransform transform = algorithm.CreateDecryptor(algorithm.Key, algorithm.IV);
+
+        using MemoryStream memoryStream = new(data);
+        using CryptoStream cryptoStream = new(memoryStream, transform, CryptoStreamMode.Read);
+        using MemoryStream resultStream = new();
+
+        cryptoStream.CopyTo(resultStream);
+
+        return resultStream.ToArray();
+    }
+}

OnixLabs.Security.Cryptography/Secret.Equatable.cs

@@ -24,7 +24,7 @@ public readonly partial struct Secret
     /// </summary>
     /// <param name="other">An object to compare with the current object.</param>
     /// <returns>Returns <see langword="true"/> if the current object is equal to the other parameter; otherwise, <see langword="false"/>.</returns>
-    public bool Equals(Secret other) => value.SequenceEqual(other.value);
+    public bool Equals(Secret other) => hash == other.hash;
 
     /// <summary>
     /// Checks for equality between the current instance and another object.
@@ -37,7 +37,7 @@ public readonly partial struct Secret
     /// Serves as a hash code function for the current instance.
     /// </summary>
     /// <returns>Returns a hash code for the current instance.</returns>
-    public override int GetHashCode() => value.GetContentHashCode();
+    public override int GetHashCode() => hash.GetHashCode();
 
     /// <summary>
     /// Performs an equality comparison between two object instances.

OnixLabs.Security.Cryptography/Secret.To.cs

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 using System;
-using OnixLabs.Core;
 
 namespace OnixLabs.Security.Cryptography;
 
@@ -23,11 +22,11 @@ public readonly partial struct Secret
     /// Gets the underlying <see cref="T:Byte[]"/> representation of the current <see cref="DigitalSignature"/> instance.
     /// </summary>
     /// <returns>Return the underlying <see cref="T:Byte[]"/> representation of the current <see cref="DigitalSignature"/> instance.</returns>
-    public byte[] ToByteArray() => value.Copy();
+    public byte[] ToByteArray() => protectedData.Decrypt(encryptedKeyData);
 
     /// <summary>
     /// Returns a <see cref="string"/> that represents the current object.
     /// </summary>
     /// <returns>Returns a <see cref="string"/> that represents the current object.</returns>
-    public override string ToString() => Convert.ToHexString(value).ToLower();
+    public override string ToString() => Convert.ToHexString(protectedData.Decrypt(encryptedKeyData)).ToLower();
 }

OnixLabs.Security.Cryptography/Secret.cs

@@ -13,14 +13,26 @@
 // limitations under the License.
 
 using System;
+using System.Security.Cryptography;
 
 namespace OnixLabs.Security.Cryptography;
 
 /// <summary>
 /// Represents a cryptographic secret.
 /// </summary>
-/// <param name="value">The underlying value of the cryptographic secret.</param>
-public readonly partial struct Secret(ReadOnlySpan<byte> value) : ICryptoPrimitive<Secret>
+public readonly partial struct Secret : ICryptoPrimitive<Secret>
 {
-    private readonly byte[] value = value.ToArray();
+    private readonly ProtectedData protectedData = new();
+    private readonly byte[] encryptedKeyData;
+    private readonly Hash hash;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="Secret"/> struct.
+    /// </summary>
+    /// <param name="value">The underlying value of the cryptographic secret.</param>
+    public Secret(ReadOnlySpan<byte> value)
+    {
+        encryptedKeyData = protectedData.Encrypt(value.ToArray());
+        hash = Hash.Compute(SHA256.Create(), value.ToArray());
+    }
 }