AwsKmsRsaKeyService

src/CryptoAgent/CryptoAgent.csproj

@@ -7,6 +7,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="AWSSDK.KeyManagementService" Version="3.7.1.19" />
     <PackageReference Include="Azure.Identity" Version="1.4.1" />
     <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.2.0" />
     <PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.2.0" />

src/CryptoAgent/CryptoAgentSettings.cs

@@ -42,7 +42,11 @@
             public string GoogleCloudKeyringId { get; set; }
             public string GoogleCloudKeyId { get; set; }
             public string GoogleCloudKeyVersionId { get; set; }
-            // AWS...
+            // AWS KMS
+            public string AwsAccessKeyId { get; set; }
+            public string AwsAccessKeySecret { get; set; }
+            public string AwsRegion { get; set; }
+            public string AwsKeyId { get; set; }
             // Hashicorp Vault...
             // Other HSMs...
         }

src/CryptoAgent/Services/AwsKmsRsaKeyService.cs

@@ -0,0 +1,90 @@
+using Amazon;
+using Amazon.KeyManagementService;
+using Amazon.KeyManagementService.Model;
+using System.IO;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+
+namespace Bit.CryptoAgent.Services
+{
+    public class AwsKmsRsaKeyService : IRsaKeyService
+    {
+        private readonly CryptoAgentSettings _settings;
+
+        private AmazonKeyManagementServiceClient _kmsClient;
+
+        public AwsKmsRsaKeyService(
+            CryptoAgentSettings settings)
+        {
+            _settings = settings;
+            _kmsClient = new AmazonKeyManagementServiceClient(settings.RsaKey.AwsAccessKeyId,
+                settings.RsaKey.AwsAccessKeySecret, RegionEndpoint.GetBySystemName(settings.RsaKey.AwsRegion));
+        }
+
+        public async Task<byte[]> EncryptAsync(byte[] data)
+        {
+            using var dataStream = new MemoryStream(data);
+            var request = new EncryptRequest
+            {
+                KeyId = _settings.RsaKey.AwsKeyId,
+                Plaintext = dataStream
+            };
+            var response = await _kmsClient.EncryptAsync(request);
+            return response.CiphertextBlob.ToArray();
+        }
+
+        public async Task<byte[]> DecryptAsync(byte[] data)
+        {
+            using var dataStream = new MemoryStream(data);
+            var request = new DecryptRequest
+            {
+                KeyId = _settings.RsaKey.AwsKeyId,
+                CiphertextBlob = dataStream
+            };
+            var response = await _kmsClient.DecryptAsync(request);
+            return response.Plaintext.ToArray();
+        }
+
+        public async Task<byte[]> SignAsync(byte[] data)
+        {
+            using var dataStream = new MemoryStream(data);
+            var request = new SignRequest
+            {
+                KeyId = _settings.RsaKey.AwsKeyId,
+                SigningAlgorithm = SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,
+                Message = dataStream,
+                MessageType = MessageType.RAW
+            };
+            var response = await _kmsClient.SignAsync(request);
+            return response.Signature.ToArray();
+        }
+
+        public async Task<bool> VerifyAsync(byte[] data, byte[] signature)
+        {
+            using var dataStream = new MemoryStream(data);
+            using var signatureStream = new MemoryStream(data);
+            var request = new VerifyRequest
+            {
+                KeyId = _settings.RsaKey.AwsKeyId,
+                SigningAlgorithm = SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,
+                Message = dataStream,
+                MessageType = MessageType.RAW,
+                Signature = signatureStream
+            };
+            var response = await _kmsClient.VerifyAsync(request);
+            return response.SignatureValid;
+        }
+
+        public async Task<byte[]> GetPublicKeyAsync()
+        {
+            var request = new GetPublicKeyRequest
+            {
+                KeyId = _settings.RsaKey.AwsKeyId
+            };
+            var response = await _kmsClient.GetPublicKeyAsync(request);
+            var rsa = RSA.Create();
+            rsa.ImportSubjectPublicKeyInfo(response.PublicKey.ToArray(), out _);
+            return rsa.ExportRSAPublicKey();
+        }
+    }
+}