From 9cb73344cbc074c51921576498ca8acc15b5825f Mon Sep 17 00:00:00 2001
From: Jake Fink
Date: Wed, 26 Apr 2023 08:44:31 -0400
Subject: [PATCH] [PM-1348] Fix AWS expecting symmetric key (#34)

* [PM-1348] switch to asymmetric key for aws encrypt/decrypt
* [PM-1348] provide setting to use symmetric key on aws
* [PM-1348] import system for exceptions
* [PM-1348] add InvalidKeyTypeException
* [PM-1348] allow InvalidKeyTypeException to be serializable
* [PM-1348] add context to exception message
* [PM-1348] actually add context to exception message
---
.../Exceptions/InvalidKeyTypeException.cs | 20 ++++++++++++++++
src/KeyConnector/KeyConnectorSettings.cs | 1 +
.../Services/AwsKmsRsaKeyService.cs | 23 +++++++++++++++++--
.../Services/GoogleCloudKmsRsaKeyService.cs | 2 +-
src/KeyConnector/Startup.cs | 18 +++++++++++----
5 files changed, 56 insertions(+), 8 deletions(-)
create mode 100644 src/KeyConnector/Exceptions/InvalidKeyTypeException.cs

diff --git a/src/KeyConnector/Exceptions/InvalidKeyTypeException.cs b/src/KeyConnector/Exceptions/InvalidKeyTypeException.cs
new file mode 100644
index 0000000..8d93125
--- /dev/null
+++ b/src/KeyConnector/Exceptions/InvalidKeyTypeException.cs
@@ -0,0 +1,20 @@
+using System;
+using System.Runtime.Serialization;
+
+namespace Bit.KeyConnector.Exceptions
+{
+ [Serializable]
+ public class InvalidKeyTypeException : Exception
+ {
+ public InvalidKeyTypeException()
+ : base("This type of key cannot perform this action.") { }
+
+ public InvalidKeyTypeException(string message) : base(message) { }
+
+ public InvalidKeyTypeException(string message, Exception innerException)
+ : base(message, innerException) { }
+
+ protected InvalidKeyTypeException(SerializationInfo info, StreamingContext context)
+ : base(info, context) { }
+ }
+}
diff --git a/src/KeyConnector/KeyConnectorSettings.cs b/src/KeyConnector/KeyConnectorSettings.cs
index 278033a..4922c62 100644
--- a/src/KeyConnector/KeyConnectorSettings.cs
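Review bot: The `[Serializable]` attribute and the `protected InvalidKeyTypeException(SerializationInfo info, StreamingContext context)` constructor exist only for BinaryFormatter-style serialization, which is obsolete (SYSLIB0051 on .NET 8 and later) and is exactly the deserialization surface the runtime now warns against; unless the project targets an older framework that still needs them (not visible here), drop those two members and keep the three message constructors. The class carries no XML documentation; add `/// <summary>Thrown when the configured key (for example a symmetric KMS key) cannot perform the requested RSA operation such as signing, verification or public-key export.</summary>` above it. Every throw site in this patch supplies its own message, so the parameterless constructor with the generic `This type of key cannot perform this action.` text may not be needed at all.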
+++ b/src/KeyConnector/KeyConnectorSettings.cs @@ -57,6 +57,7 @@ public string AwsAccessKeySecret { get; set; } public string AwsRegion { get; set; } public string AwsKeyId { get; set; } + public bool AwsUseSymmetricEncryption { get; set; } // pkcs11 // Providers: // yubihsm diff --git a/src/KeyConnector/Services/AwsKmsRsaKeyService.cs b/src/KeyConnector/Services/AwsKmsRsaKeyService.cs index 85f674a..8b28026 100644 --- a/src/KeyConnector/Services/AwsKmsRsaKeyService.cs +++ b/src/KeyConnector/Services/AwsKmsRsaKeyService.cs @@ -4,6 +4,7 @@ using System.Threading.Tasks; using Amazon; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; +using Bit.KeyConnector.Exceptions; namespace Bit.KeyConnector.Services { @@ -26,7 +27,10 @@ namespace Bit.KeyConnector.Services var request = new EncryptRequest { KeyId = _settings.RsaKey.AwsKeyId, - Plaintext = dataStream + Plaintext = dataStream, + EncryptionAlgorithm = _settings.RsaKey.AwsUseSymmetricEncryption + ? EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT + : EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256 }; var response = await _kmsClient.EncryptAsync(request); return response.CiphertextBlob.ToArray(); @@ -38,7 +42,10 @@ namespace Bit.KeyConnector.Services var request = new DecryptRequest { KeyId = _settings.RsaKey.AwsKeyId, - CiphertextBlob = dataStream + CiphertextBlob = dataStream, + EncryptionAlgorithm = _settings.RsaKey.AwsUseSymmetricEncryption + ? EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT + : EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256 }; var response = await _kmsClient.DecryptAsync(request); return response.Plaintext.ToArray(); @@ -46,6 +53,10 @@ namespace Bit.KeyConnector.Services public async Task SignAsync(byte[] data) { + if (_settings.RsaKey.AwsUseSymmetricEncryption) + { + throw new InvalidKeyTypeException("Cannot sign using symmetric key"); + } using var dataStream = new MemoryStream(data); var request = new SignRequest { 
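Review bot: `AwsUseSymmetricEncryption` is added under the `RsaKey` settings group with no documentation, and its effect is wide: the AWS service in this patch throws `InvalidKeyTypeException` from `SignAsync`, `VerifyAsync` and `GetPublicKeyAsync` when it is true, and `Startup.cs` stops registering the health check. Document that on the property, e.g. `/// When true, AwsKeyId must name a symmetric KMS key: encrypt/decrypt use SYMMETRIC_DEFAULT and signing, verification, public-key retrieval and the RSA health check are unavailable.` Since the algorithm passed to KMS changes with this flag, flipping it on a deployment that already holds ciphertexts presumably makes them undecryptable; confirm that and, if so, say it in the same comment. The enclosing settings class starts outside the hunk.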
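Review bot: The selection `_settings.RsaKey.AwsUseSymmetricEncryption ? EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT : EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256` is duplicated verbatim in `EncryptAsync` and `DecryptAsync`; hoist it into one private member, `private EncryptionAlgorithmSpec EncryptionAlgorithm => _settings.RsaKey.AwsUseSymmetricEncryption ? EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT : EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256;`, so the two paths cannot drift apart. A comment at the encrypt call site would also help: with RSAES_OAEP_SHA_256, KMS rejects plaintexts beyond a small size (190 bytes for a 2048-bit key), so this method only works for small payloads such as a wrapped key and larger input fails at KMS rather than here. The method's signature is outside the hunk.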
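Review bot: `DecryptAsync` sends no `EncryptionContext`, so on the symmetric path any principal with `kms:Decrypt` on the key can decrypt any blob produced by `EncryptAsync`, and a ciphertext stored for one record can be replayed against another; KMS symmetric keys accept an encryption context as additional authenticated data on both `Encrypt` and `Decrypt`, and binding it to a stable identifier of whatever the caller stores the ciphertext under (not visible here) would close that, at the cost of a wider interface. Keeping `KeyId` on the decrypt request is right, since it stops KMS from using whatever key the blob itself names. Switching `AwsUseSymmetricEncryption` after data exists changes both algorithm and key type, so stored ciphertexts would no longer decrypt; that deserves at least a comment here or on the setting.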
@@ -60,6 +71,10 @@ namespace Bit.KeyConnector.Services public async Task VerifyAsync(byte[] data, byte[] signature) { + if (_settings.RsaKey.AwsUseSymmetricEncryption) + { + throw new InvalidKeyTypeException("Cannot sign using symmetric key"); + } using var dataStream = new MemoryStream(data); using var signatureStream = new MemoryStream(data); var request = new VerifyRequest @@ -76,6 +91,10 @@ namespace Bit.KeyConnector.Services public async Task GetPublicKeyAsync() { + if (_settings.RsaKey.AwsUseSymmetricEncryption) + { + throw new InvalidKeyTypeException("Cannot retrieve public key as symmetric keys do not have public keys"); + } var request = new GetPublicKeyRequest { KeyId = _settings.RsaKey.AwsKeyId diff --git a/src/KeyConnector/Services/GoogleCloudKmsRsaKeyService.cs b/src/KeyConnector/Services/GoogleCloudKmsRsaKeyService.cs index b6eafb2..fc6b081 100644 --- a/src/KeyConnector/Services/GoogleCloudKmsRsaKeyService.cs +++ b/src/KeyConnector/Services/GoogleCloudKmsRsaKeyService.cs @@ -1,4 +1,4 @@ -using System; +using System; using System.Security.Cryptography; using System.Threading.Tasks; using Google.Cloud.Kms.V1; diff --git a/src/KeyConnector/Startup.cs b/src/KeyConnector/Startup.cs index e06d84b..bfc4ca2 100644 --- a/src/KeyConnector/Startup.cs +++ b/src/KeyConnector/Startup.cs @@ -1,4 +1,4 @@ -using System; +using System; using System.Globalization; using System.Security.Claims; using Bit.KeyConnector.Repositories; @@ -54,8 +54,11 @@ namespace Bit.KeyConnector services.AddHostedService(); } - services.AddHealthChecks() - .AddCheck("RsaHealthCheckService"); + if (!settings.RsaKey.AwsUseSymmetricEncryption) + { + services.AddHealthChecks() + .AddCheck("RsaHealthCheckService"); + } } public void Configure(IApplicationBuilder app, IWebHostEnvironment env, KeyConnectorSettings settings) 
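Review bot: The guard added to `VerifyAsync` throws with the message `Cannot sign using symmetric key`, copied from `SignAsync`; it should be `throw new InvalidKeyTypeException("Cannot verify using symmetric key");`. Two lines later the unchanged context line `using var signatureStream = new MemoryStream(data);` wraps `data` rather than the `signature` parameter, which is otherwise unused in the visible lines, so whatever `VerifyRequest` is built from it cannot be checking the caller's signature; change it to `using var signatureStream = new MemoryStream(signature);` unless the request construction below the hunk reads `signature` some other way. The rest of the method, including the `VerifyRequest` fields, is outside the hunk.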
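Review bot: With `AwsUseSymmetricEncryption` true this hunk skips `services.AddHealthChecks()` entirely, so the service ends up with no health check registration at all, and the condition keys off an AWS-specific setting although the registration it guards looks provider-independent (the provider selection above the hunk is not visible). Register health checks unconditionally and guard only the RSA check: call `services.AddHealthChecks();` before the `if`, keep the existing `.AddCheck(...)` registration of `RsaHealthCheckService` inside it, and explain why with `// RsaHealthCheckService signs and verifies, which a symmetric KMS key cannot do`. A symmetric-mode check that does an encrypt/decrypt round trip against KMS would be the proper replacement rather than no check.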
@@ -73,9 +76,14 @@ namespace Bit.KeyConnector app.UseAuthentication(); app.UseAuthorization(); - app.UseEndpoints(endpoints => { + app.UseEndpoints(endpoints => + { endpoints.MapDefaultControllerRoute(); - endpoints.MapHealthChecks("~/health").AllowAnonymous(); + + if (!settings.RsaKey.AwsUseSymmetricEncryption) + { + endpoints.MapHealthChecks("~/health").AllowAnonymous(); + } }); }
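Review bot: In symmetric mode `/health` is no longer mapped, so liveness probes and load balancers get whatever the default route returns instead of a health status, which couples deployment monitoring to a key-type setting. Map the endpoint unconditionally, `endpoints.MapHealthChecks("~/health").AllowAnonymous();`, and let the registered checks decide what it reports; this requires `AddHealthChecks()` to be called unconditionally in `ConfigureServices`, otherwise `MapHealthChecks` throws at startup for the missing service. `Configure` starts outside the hunk.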