
AwsKmsRsaKeyService

pull/2/head
Kyle Spearrin 4 years ago
parent
commit
6236320ed3
  1. 1
      src/CryptoAgent/CryptoAgent.csproj
  2. 6
      src/CryptoAgent/CryptoAgentSettings.cs
  3. 90
      src/CryptoAgent/Services/AwsKmsRsaKeyService.cs

1
src/CryptoAgent/CryptoAgent.csproj

@ -7,6 +7,7 @@ @@ -7,6 +7,7 @@
</PropertyGroup>
<ItemGroup>
<PackageReference Include="AWSSDK.KeyManagementService" Version="3.7.1.19" />
<PackageReference Include="Azure.Identity" Version="1.4.1" />
<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.2.0" />
<PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.2.0" />

6
src/CryptoAgent/CryptoAgentSettings.cs

@ -42,7 +42,11 @@ @@ -42,7 +42,11 @@
public string GoogleCloudKeyringId { get; set; }
public string GoogleCloudKeyId { get; set; }
public string GoogleCloudKeyVersionId { get; set; }
// AWS...
// AWS KMS
public string AwsAccessKeyId { get; set; }
public string AwsAccessKeySecret { get; set; }
public string AwsRegion { get; set; }
public string AwsKeyId { get; set; }
// Hashicorp Vault...
// Other HSMs...
}
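Review bot: `AwsAccessKeySecret` is a long-lived IAM credential held as a plain settings property with nothing saying where it must come from, and the constructor in `AwsKmsRsaKeyService.cs` passes both keys to the client unconditionally, so there is no fallback to the SDK's default credential chain when they are left unset. A comment on the two credential properties such as `// Static IAM credentials; leave unset where an instance/pod role is available and source them from a secret store, never from committed appsettings.` would document the intended handling. The `// AWS...` placeholder is replaced by `// AWS KMS`, so the remaining `// Hashicorp Vault...` / `// Other HSMs...` placeholders now read as the only unfinished sections, which is fine but worth a TODO marker for consistency.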

90
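--- a/src/CryptoAgent/Services/AwsKmsRsaKeyService.cs
+++ b/src/CryptoAgent/Services/AwsKmsRsaKeyService.cs
@@ -0,0 +1,90 @@
+using Amazon;
+using Amazon.KeyManagementService;
+using Amazon.KeyManagementService.Model;
+using System.IO;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+namespace Bit.CryptoAgent.Services
+{
+public class AwsKmsRsaKeyService : IRsaKeyService
+{
+private readonly CryptoAgentSettings _settings;
+private AmazonKeyManagementServiceClient _kmsClient;
+public AwsKmsRsaKeyService(
+CryptoAgentSettings settings)
+{
+_settings = settings;
+_kmsClient = new AmazonKeyManagementServiceClient(settings.RsaKey.AwsAccessKeyId,
+settings.RsaKey.AwsAccessKeySecret, RegionEndpoint.GetBySystemName(settings.RsaKey.AwsRegion));
+}
+public async Task<byte[]> EncryptAsync(byte[] data)
+{
+using var dataStream = new MemoryStream(data);
+var request = new EncryptRequest
+{
+KeyId = _settings.RsaKey.AwsKeyId,
+Plaintext = dataStream
+};
+var response = await _kmsClient.EncryptAsync(request);
+return response.CiphertextBlob.ToArray();
+}
+public async Task<byte[]> DecryptAsync(byte[] data)
+{
+using var dataStream = new MemoryStream(data);
+var request = new DecryptRequest
+{
+KeyId = _settings.RsaKey.AwsKeyId,
+CiphertextBlob = dataStream
+};
+var response = await _kmsClient.DecryptAsync(request);
+return response.Plaintext.ToArray();
+}
+public async Task<byte[]> SignAsync(byte[] data)
+{
+using var dataStream = new MemoryStream(data);
+var request = new SignRequest
+{
+KeyId = _settings.RsaKey.AwsKeyId,
+SigningAlgorithm = SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,
+Message = dataStream,
+MessageType = MessageType.RAW
+};
+var response = await _kmsClient.SignAsync(request);
+return response.Signature.ToArray();
+}
+public async Task<bool> VerifyAsync(byte[] data, byte[] signature)
+{
+using var dataStream = new MemoryStream(data);
+using var signatureStream = new MemoryStream(data);
+var request = new VerifyRequest
+{
+KeyId = _settings.RsaKey.AwsKeyId,
+SigningAlgorithm = SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,
+Message = dataStream,
+MessageType = MessageType.RAW,
+Signature = signatureStream
+};
+var response = await _kmsClient.VerifyAsync(request);
+return response.SignatureValid;
+}
+public async Task<byte[]> GetPublicKeyAsync()
+{
+var request = new GetPublicKeyRequest
+{
+KeyId = _settings.RsaKey.AwsKeyId
+};
+var response = await _kmsClient.GetPublicKeyAsync(request);
+var rsa = RSA.Create();
+rsa.ImportSubjectPublicKeyInfo(response.PublicKey.ToArray(), out _);
+return rsa.ExportRSAPublicKey();
+}
+}
+}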
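Review bot: `VerifyAsync` wraps `data` in both streams, so the message bytes are sent to KMS as the signature and every verification fails; `using var signatureStream = new MemoryStream(data);` should be `using var signatureStream = new MemoryStream(signature);`. The same `AwsKeyId` also backs `EncryptAsync`/`DecryptAsync` and `SignAsync`/`VerifyAsync`, but a KMS key carries a single key usage (ENCRYPT_DECRYPT or SIGN_VERIFY), so one of the two pairs will be rejected at runtime unless the settings carry a separate key id per usage. For an RSA key the Encrypt and Decrypt requests additionally need an explicit `EncryptionAlgorithm = EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256`, since the request default is the symmetric spec and, as far as I recall, KMS rejects it for asymmetric keys. KMS also reports a bad signature by throwing rather than returning `SignatureValid = false`, so callers of `VerifyAsync` likely need that exception mapped to `false`; worth confirming against the SDK version pinned in the csproj. `_kmsClient` is `IDisposable` and is never disposed and could be `readonly`, which is a minor point next to the above.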