[PM-1348] Fix AWS expecting symmetric key (#34)

* [PM-1348] switch to asymmetric key for aws encrypt/decrypt

* [PM-1348] provide setting to use symmetric key on aws

* [PM-1348] import system for exceptions

* [PM-1348] add InvalidKeyTypeException

* [PM-1348] allow InvalidKeyTypeException to be serializable

* [PM-1348] add context to exception message

* [PM-1348] actually add context to exception message

src/KeyConnector/Exceptions/InvalidKeyTypeException.cs

@@ -0,0 +1,20 @@
+using System;
+using System.Runtime.Serialization;
+
+namespace Bit.KeyConnector.Exceptions
+{
+    [Serializable]
+    public class InvalidKeyTypeException : Exception
+    {
+        public InvalidKeyTypeException()
+            : base("This type of key cannot perform this action.") { }
+
+        public InvalidKeyTypeException(string message) : base(message) { }
+
+        public InvalidKeyTypeException(string message, Exception innerException)
+            : base(message, innerException) { }
+
+        protected InvalidKeyTypeException(SerializationInfo info, StreamingContext context)
+            : base(info, context) { }
+    }
+}

src/KeyConnector/KeyConnectorSettings.cs

@@ -57,6 +57,7 @@
             public string AwsAccessKeySecret { get; set; }
             public string AwsRegion { get; set; }
             public string AwsKeyId { get; set; }
+            public bool AwsUseSymmetricEncryption { get; set; }
             // pkcs11
             //      Providers:
             //      yubihsm

src/KeyConnector/Services/AwsKmsRsaKeyService.cs

@@ -4,6 +4,7 @@ using System.Threading.Tasks;
 using Amazon;
 using Amazon.KeyManagementService;
 using Amazon.KeyManagementService.Model;
+using Bit.KeyConnector.Exceptions;
 
 namespace Bit.KeyConnector.Services
 {
@@ -26,7 +27,10 @@ namespace Bit.KeyConnector.Services
             var request = new EncryptRequest
             {
                 KeyId = _settings.RsaKey.AwsKeyId,
-                Plaintext = dataStream
+                Plaintext = dataStream,
+                EncryptionAlgorithm = _settings.RsaKey.AwsUseSymmetricEncryption
+                    ? EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT
+                    : EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256
             };
             var response = await _kmsClient.EncryptAsync(request);
             return response.CiphertextBlob.ToArray();
@@ -38,7 +42,10 @@ namespace Bit.KeyConnector.Services
             var request = new DecryptRequest
             {
                 KeyId = _settings.RsaKey.AwsKeyId,
-                CiphertextBlob = dataStream
+                CiphertextBlob = dataStream,
+                EncryptionAlgorithm = _settings.RsaKey.AwsUseSymmetricEncryption
+                    ? EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT
+                    : EncryptionAlgorithmSpec.RSAES_OAEP_SHA_256
             };
             var response = await _kmsClient.DecryptAsync(request);
             return response.Plaintext.ToArray();
@@ -46,6 +53,10 @@ namespace Bit.KeyConnector.Services
 
         public async Task<byte[]> SignAsync(byte[] data)
         {
+            if (_settings.RsaKey.AwsUseSymmetricEncryption)
+            {
+                throw new InvalidKeyTypeException("Cannot sign using symmetric key");
+            }
             using var dataStream = new MemoryStream(data);
             var request = new SignRequest
             {
@@ -60,6 +71,10 @@ namespace Bit.KeyConnector.Services
 
         public async Task<bool> VerifyAsync(byte[] data, byte[] signature)
         {
+            if (_settings.RsaKey.AwsUseSymmetricEncryption)
+            {
+                throw new InvalidKeyTypeException("Cannot sign using symmetric key");
+            }
             using var dataStream = new MemoryStream(data);
             using var signatureStream = new MemoryStream(data);
             var request = new VerifyRequest
@@ -76,6 +91,10 @@ namespace Bit.KeyConnector.Services
 
         public async Task<byte[]> GetPublicKeyAsync()
         {
+            if (_settings.RsaKey.AwsUseSymmetricEncryption)
+            {
+                throw new InvalidKeyTypeException("Cannot retrieve public key as symmetric keys do not have public keys");
+            }
             var request = new GetPublicKeyRequest
             {
                 KeyId = _settings.RsaKey.AwsKeyId

src/KeyConnector/Services/GoogleCloudKmsRsaKeyService.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Google.Cloud.Kms.V1;

src/KeyConnector/Startup.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Globalization;
 using System.Security.Claims;
 using Bit.KeyConnector.Repositories;
@@ -54,8 +54,11 @@ namespace Bit.KeyConnector
                 services.AddHostedService<HostedServices.DatabaseMigrationHostedService>();
             }
 
-            services.AddHealthChecks()
+            if (!settings.RsaKey.AwsUseSymmetricEncryption)
-                .AddCheck<RsaHealthCheckService>("RsaHealthCheckService");
+            {
+                services.AddHealthChecks()
+                    .AddCheck<RsaHealthCheckService>("RsaHealthCheckService");
+            }
         }
 
         public void Configure(IApplicationBuilder app, IWebHostEnvironment env, KeyConnectorSettings settings)
@@ -73,9 +76,14 @@ namespace Bit.KeyConnector
             app.UseAuthentication();
             app.UseAuthorization();
 
-            app.UseEndpoints(endpoints => {
+            app.UseEndpoints(endpoints =>
+            {
                 endpoints.MapDefaultControllerRoute();
-                endpoints.MapHealthChecks("~/health").AllowAnonymous();
+
+                if (!settings.RsaKey.AwsUseSymmetricEncryption)
+                {
+                    endpoints.MapHealthChecks("~/health").AllowAnonymous();
+                }
             });
         }