Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
`CacheableKeyRing.WithTemporaryExtendedLifetime` should not extend the cache lifetime beyond the lifetime of the key ring's default key in order to avoid protecting data with an expired key. It only extends by two minutes but, AFAICT, it can be extended repeatedly, if each new attempt fails.
Expected Behavior
Unfortunately, `CacheableKeyRing` doesn't expose a way to get to the default `IKey` - only the `IAuthenticatedEncryptor`, which doesn't have an expiration date. It would be straightforward to expose it on `IKeyRing`, but that type is public for historical reasons.
Steps To Reproduce
I think you'd have to start the app in a state where the only available key was about to expire and then have generation of a new key fail (e.g. because of lack of access to AKV). But this is just theoretical and it's possible it can't arise in practice.
Exceptions (if any)
No response
.NET Version
No response
Anything else?
No response
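The scenario from the report, modelled as an added example that is not part of the original issue and is not ASP.NET Core code: a cache entry extended by two minutes on every failed refresh, next to a variant clamped to the default key's expiration. `ModelKeyRing`, its members and the three-minute key lifetime are hypothetical, and the model assumes the default key's expiration is available to the cache, which the issue notes is not currently exposed.

```csharp
using System;

// Hypothetical model, not the ASP.NET Core types: a cached key ring that knows
// when its cache entry expires and when its default key expires.
sealed record ModelKeyRing(DateTimeOffset CacheExpiresUtc, DateTimeOffset DefaultKeyExpiresUtc)
{
    static readonly TimeSpan Extension = TimeSpan.FromMinutes(2); // two minutes, per the issue

    // Behaviour the issue describes: every failed refresh pushes the cache out again.
    public ModelKeyRing ExtendUnclamped(DateTimeOffset now) =>
        this with { CacheExpiresUtc = now + Extension };

    // Expected behaviour: never cache past the default key's own expiration.
    public ModelKeyRing ExtendClamped(DateTimeOffset now)
    {
        var proposed = now + Extension;
        return this with { CacheExpiresUtc = proposed < DefaultKeyExpiresUtc ? proposed : DefaultKeyExpiresUtc };
    }

    public bool CacheIsLive(DateTimeOffset now) => now < CacheExpiresUtc;
    public bool KeyIsExpired(DateTimeOffset now) => now >= DefaultKeyExpiresUtc;
}

static class Program
{
    static void Main()
    {
        var start = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero); // constructed sample time
        var initial = new ModelKeyRing(start, start.AddMinutes(3));          // key expires in 3 minutes
        var unclamped = initial;
        var clamped = initial;

        // Each tick the cache has lapsed and key generation fails (e.g. key store unreachable).
        for (var minute = 0; minute <= 8; minute += 2)
        {
            var now = start.AddMinutes(minute);
            if (!unclamped.CacheIsLive(now)) unclamped = unclamped.ExtendUnclamped(now);
            if (!clamped.CacheIsLive(now)) clamped = clamped.ExtendClamped(now);

            var later = now.AddMinutes(1); // a Protect call one minute after the failed refresh
            Console.WriteLine($"t+{minute + 1}m key expired={initial.KeyIsExpired(later)} " +
                $"unclamped serves={unclamped.CacheIsLive(later)} clamped serves={clamped.CacheIsLive(later)}");
        }
    }
}
```

Once the key has expired, the clamped cache entry is never live, so a caller in this model has to retry key generation or fail instead of protecting data with the expired key.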