key ring based part

Author: DeagleGross

src/DataProtection/DataProtection/src/AuthenticatedEncryption/AuthenticatedEncryptorExtensions.cs

@@ -32,6 +32,21 @@ public static byte[] Encrypt(this IAuthenticatedEncryptor encryptor, ArraySegmen
         }
     }
 
+#if NET10_0_OR_GREATER
+    public static bool TryEncrypt(
+        this IAuthenticatedEncryptor encryptor,
+        ReadOnlySpan<byte> plaintext,
+        ReadOnlySpan<byte> additionalAuthenticatedData,
+        Span<byte> destination,
+        uint preBufferSize,
+        uint postBufferSize,
+        out int bytesWritten)
+    {
+        var plaintextWithOffsets = plaintext.Slice((int)preBufferSize, plaintext.Length - (int)(preBufferSize + postBufferSize));
+        return encryptor.TryEncrypt(plaintextWithOffsets, additionalAuthenticatedData, destination, out bytesWritten);
+    }
+#endif
+
     /// <summary>
     /// Performs a self-test of this encryptor by running a sample payload through an
     /// encrypt-then-decrypt operation. Throws if the operation fails.

src/DataProtection/DataProtection/src/AuthenticatedEncryption/IAuthenticatedEncryptor.cs

@@ -35,6 +35,6 @@ public interface IAuthenticatedEncryptor
 
 #if NET10_0_OR_GREATER
     int GetEncryptedSize(int plainTextLength);
-    bool TryEncrypt(ReadOnlySpan<byte> plainText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
+    bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
 #endif
 }

src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs

@@ -101,9 +101,51 @@ public int GetProtectedSize(ReadOnlySpan<byte> plainText)
         return defaultEncryptor.GetEncryptedSize(plainText.Length);
     }
 
-    public bool TryProtect(ReadOnlySpan<byte> plainText, Span<byte> destination, out int bytesWritten)
+    public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, out int bytesWritten)
     {
-        throw new NotImplementedException();
+        try
+        {
+            // Perform the encryption operation using the current default encryptor.
+            var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+            var defaultKeyId = currentKeyRing.DefaultKeyId;
+            var defaultEncryptorInstance = currentKeyRing.DefaultAuthenticatedEncryptor;
+            CryptoUtil.Assert(defaultEncryptorInstance != null, "defaultEncryptorInstance != null");
+
+            if (_logger.IsDebugLevelEnabled())
+            {
+                _logger.PerformingProtectOperationToKeyWithPurposes(defaultKeyId, JoinPurposesForLog(Purposes));
+            }
+
+            // We'll need to apply the default key id to the template if it hasn't already been applied.
+            // If the default key id has been updated since the last call to Protect, also write back the updated template.
+            var aad = _aadTemplate.GetAadForKey(defaultKeyId, isProtecting: true);
+
+            // We allocate a 20-byte pre-buffer so that we can inject the magic header and key id into the return value.
+            var success = defaultEncryptorInstance.TryEncrypt(
+                plaintext: plaintext,
+                additionalAuthenticatedData: aad,
+                destination: destination,
+                preBufferSize: (uint)(sizeof(uint) + sizeof(Guid)),
+                postBufferSize: 0,
+                out bytesWritten);
+
+            // At this point: destination := { 000..000 || encryptorSpecificProtectedPayload },
+            // where 000..000 is a placeholder for our magic header and key id.
+
+            // Write out the magic header and key id
+            BinaryPrimitives.WriteUInt32BigEndian(destination.Slice(0, sizeof(uint)), MAGIC_HEADER_V0);
+            var writeKeyIdResult = defaultKeyId.TryWriteBytes(destination.Slice(sizeof(uint), sizeof(Guid)));
+            Debug.Assert(writeKeyIdResult, "Failed to write Guid to destination.");
+
+            // At this point, destination := { magicHeader || keyId || encryptorSpecificProtectedPayload }
+            // And we're done!
+            return success;
+        }
+        catch (Exception ex) when (ex.RequiresHomogenization())
+        {
+            // homogenize all errors to CryptographicException
+            throw Error.Common_EncryptionFailed(ex);
+        }
     }
 #endif
 

src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers.Binary;
 using System.Globalization;
 using System.Net;
 using System.Text;
@@ -619,6 +620,12 @@ public void CreateProtector_ChainsPurposes()
         Assert.Equal(expectedProtectedData, retVal);
     }
 
+    [Fact]
+    public void GetProtectedSize_TryProtect_CorrectlyEstimatesDataLength()
+    {
+        // TODO!
+    }
+
     private static byte[] BuildAadFromPurposeStrings(Guid keyId, params string[] purposes)
     {
         var expectedAad = new byte[] { 0x09, 0xF0, 0xC9, 0xF0 } // magic header

src/DataProtection/Extensions/src/BitHelpers.cs

@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
+
 namespace Microsoft.AspNetCore.DataProtection;
 
 internal static class BitHelpers
@@ -36,4 +38,20 @@ public static void WriteUInt64(byte[] buffer, int offset, ulong value)
         buffer[offset + 6] = (byte)(value >> 8);
         buffer[offset + 7] = (byte)(value);
     }
+
+    /// <summary>
+    /// Writes an unsigned 64-bit integer to <paramref name="buffer"/> starting at
+    /// offset <paramref name="offset"/>. Data is written big-endian.
+    /// </summary>
+    public static void WriteUInt64(Span<byte> buffer, int offset, ulong value)
+    {
+        buffer[offset + 0] = (byte)(value >> 56);
+        buffer[offset + 1] = (byte)(value >> 48);
+        buffer[offset + 2] = (byte)(value >> 40);
+        buffer[offset + 3] = (byte)(value >> 32);
+        buffer[offset + 4] = (byte)(value >> 24);
+        buffer[offset + 5] = (byte)(value >> 16);
+        buffer[offset + 6] = (byte)(value >> 8);
+        buffer[offset + 7] = (byte)(value);
+    }
 }

src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs

@@ -126,13 +126,25 @@ byte[] IDataProtector.Unprotect(byte[] protectedData)
         return Unprotect(protectedData, out _);
     }
 
+#if NET10_0_OR_GREATER
     public int GetProtectedSize(ReadOnlySpan<byte> plainText)
     {
-        throw new NotImplementedException();
+        var dataProtector = GetInnerProtectorWithTimeLimitedPurpose();
+        var size = dataProtector.GetProtectedSize(plainText);
+
+        // prepended the expiration time as a 64-bit UTC tick count takes 8 bytes;
+        // see Protect(byte[] plaintext, DateTimeOffset expiration) for details
+        return size + 8;
     }
 
-    public bool TryProtect(ReadOnlySpan<byte> plainText, Span<byte> destination, out int bytesWritten)
+    public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, out int bytesWritten)
+        => TryProtect(plaintext, destination, DateTimeOffset.MaxValue, out bytesWritten);
+
+    public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, DateTimeOffset expiration, out int bytesWritten)
     {
+        // we cant prepend the expiration time as a 64-bit UTC tick count
+        // because input is ReadOnlySpan<byte>
         throw new NotImplementedException();
     }
+#endif
 }