up

src/__Libraries/StellaOps.Cryptography.Kms/KmsSigner.cs

@@ -0,0 +1,55 @@
+using System.Security.Cryptography;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.Tokens;
+using StellaOps.Cryptography;
+
+namespace StellaOps.Cryptography.Kms;
+
+internal sealed class KmsSigner : ICryptoSigner
+{
+    private readonly IKmsClient _client;
+    private readonly string _keyId;
+    private readonly string _versionId;
+    private readonly string _algorithm;
+
+    public KmsSigner(IKmsClient client, KmsSigningRegistration registration)
+    {
+        _client = client;
+        _keyId = registration.KeyId;
+        _versionId = registration.VersionId;
+        _algorithm = registration.Algorithm;
+    }
+
+    public string KeyId => _keyId;
+
+    public string AlgorithmId => _algorithm;
+
+    public async ValueTask<byte[]> SignAsync(ReadOnlyMemory<byte> data, CancellationToken cancellationToken = default)
+    {
+        var result = await _client.SignAsync(_keyId, _versionId, data, cancellationToken).ConfigureAwait(false);
+        return result.Signature;
+    }
+
+    public ValueTask<bool> VerifyAsync(ReadOnlyMemory<byte> data, ReadOnlyMemory<byte> signature, CancellationToken cancellationToken = default)
+        => new(_client.VerifyAsync(_keyId, _versionId, data, signature, cancellationToken));
+
+    public JsonWebKey ExportPublicJsonWebKey()
+    {
+        var material = _client.ExportAsync(_keyId, _versionId).GetAwaiter().GetResult();
+        var jwk = new JsonWebKey
+        {
+            Kid = material.KeyId,
+            Alg = material.Algorithm,
+            Kty = JsonWebAlgorithmsKeyTypes.EllipticCurve,
+            Use = JsonWebKeyUseNames.Sig,
+            Crv = JsonWebKeyECTypes.P256,
+        };
+
+        jwk.KeyOps.Add("sign");
+        jwk.KeyOps.Add("verify");
+        jwk.X = Base64UrlEncoder.Encode(material.Qx);
+        jwk.Y = Base64UrlEncoder.Encode(material.Qy);
+        return jwk;
+    }
+}