enriched-partialglm/Common/DTS.Common.Security.md

---
source_files:
  - Common/DTS.Common.Security/Encryption.cs
generated_at: "2026-04-16T11:36:14.772984+00:00"
model: "zai-org/GLM-5-FP8"
schema_version: 1
sha256: "2d41661347ec3dbc"
---

# Documentation: DTS.Common.Security.Encryption

## 1. Purpose
The `Encryption` static class provides symmetric encryption and decryption utilities for the DTS system. It serves as a wrapper around the `AesCryptoServiceProvider` to securely convert plaintext strings into byte arrays and vice versa. This module centralizes AES encryption logic to ensure consistent cryptographic handling across the application.

## 2. Public Interface

### `public static byte[] EncryptStringToBytes(string plainText, byte[] key, byte[] iv)`
Encrypts a specified plaintext string into an array of bytes using the AES algorithm.
*   **Parameters:**
    *   `plainText` (string): The text to encrypt.
    *   `key` (byte[]): The secret key for the symmetric algorithm.
    *   `iv` (byte[]): The initialization vector (IV) for the symmetric algorithm.
*   **Returns:** A byte array containing the encrypted data.
*   **Exceptions:** Throws `ArgumentNullException` if `plainText`, `key`, or `iv` are null or empty.

### `public static string DecryptStringFromBytes(byte[] cipherText, byte[] key, byte[] iv)`
Decrypts a specified byte array back into a plaintext string using the AES algorithm.
*   **Parameters:**
    *   `cipherText` (byte[]): The byte array containing encrypted data.
    *   `key` (byte[]): The secret key used for encryption.
    *   `iv` (byte[]): The initialization vector used for encryption.
*   **Returns:** The decrypted plaintext string.
*   **Exceptions:** Throws `ArgumentNullException` if `cipherText`, `key`, or `iv` are null or empty.

## 3. Invariants
*   **Null Checks:** All input parameters (`plainText`, `cipherText`, `key`, `iv`) must be non-null and have a length greater than zero. Failure to meet this condition results in an `ArgumentNullException`.
*   **Algorithm Consistency:** Both methods utilize `AesCryptoServiceProvider` (AES). The key and IV provided to `DecryptStringFromBytes` must match those used in `EncryptStringToBytes` for decryption to succeed.
*   **Stream Encoding:** The implementation uses `StreamWriter` and `StreamReader` for stream transformations. The specific character encoding is not explicitly defined in the method signatures, relying on the default encoding of the underlying stream writer/reader (typically UTF-8).

## 4. Dependencies
*   **Internal Dependencies:** None identified within the provided source.
*   **External Dependencies:**
    *   `System`: For basic types and exceptions.
    *   `System.IO`: Used for `MemoryStream`, `StreamWriter`, and `StreamReader` to handle data flow during encryption/decryption.
    *   `System.Security.Cryptography`: Used for `AesCryptoServiceProvider` and `CryptoStream` to perform the cryptographic operations.
*   **Unused Dependencies:** The file imports `System.Collections.Generic`, `System.Linq`, `System.Text`, and `System.Threading.Tasks`, but none of these namespaces appear to be utilized in the current implementation.

## 5. Gotchas
*   **Copy-Paste Error in Validation:** In both `EncryptStringToBytes` and `DecryptStringFromBytes`, the validation check for the `iv` parameter throws an exception naming the `key` parameter instead.
    *   *Source Reference:* `if (iv == null || iv.Length <= 0) throw new ArgumentNullException(nameof(key));`
    *   This will report "key" as the null argument in the exception message when the `iv` is actually the invalid parameter, complicating debugging.
*   **Variable Naming Mismatch:** The `AesCryptoServiceProvider` instance is named `rijAlg` in both methods. This is likely a legacy artifact from a previous implementation using `RijndaelManaged`, which may cause confusion as the code now explicitly uses AES.
*   **Key/IV Management:** The class provides no mechanism for key or IV generation. Callers are responsible for generating and managing valid AES keys and IVs. Passing invalid key/IV lengths will cause the underlying `AesCryptoServiceProvider` to throw a `CryptographicException`, which is not caught by this wrapper.
init 2026-04-17 14:55:32 -04:00			`---`
			`source_files:`
			`- Common/DTS.Common.Security/Encryption.cs`
			`generated_at: "2026-04-16T11:36:14.772984+00:00"`
			`model: "zai-org/GLM-5-FP8"`
			`schema_version: 1`
			`sha256: "2d41661347ec3dbc"`
			`---`

			`# Documentation: DTS.Common.Security.Encryption`

			`## 1. Purpose`
			The `Encryption` static class provides symmetric encryption and decryption utilities for the DTS system. It serves as a wrapper around the `AesCryptoServiceProvider` to securely convert plaintext strings into byte arrays and vice versa. This module centralizes AES encryption logic to ensure consistent cryptographic handling across the application.

			`## 2. Public Interface`

			### `public static byte[] EncryptStringToBytes(string plainText, byte[] key, byte[] iv)`
			`Encrypts a specified plaintext string into an array of bytes using the AES algorithm.`
			`* Parameters:`
			* `plainText` (string): The text to encrypt.
			* `key` (byte[]): The secret key for the symmetric algorithm.
			* `iv` (byte[]): The initialization vector (IV) for the symmetric algorithm.
			`* Returns: A byte array containing the encrypted data.`
			* Exceptions: Throws `ArgumentNullException` if `plainText`, `key`, or `iv` are null or empty.

			### `public static string DecryptStringFromBytes(byte[] cipherText, byte[] key, byte[] iv)`
			`Decrypts a specified byte array back into a plaintext string using the AES algorithm.`
			`* Parameters:`
			* `cipherText` (byte[]): The byte array containing encrypted data.
			* `key` (byte[]): The secret key used for encryption.
			* `iv` (byte[]): The initialization vector used for encryption.
			`* Returns: The decrypted plaintext string.`
			* Exceptions: Throws `ArgumentNullException` if `cipherText`, `key`, or `iv` are null or empty.

			`## 3. Invariants`
			* Null Checks: All input parameters (`plainText`, `cipherText`, `key`, `iv`) must be non-null and have a length greater than zero. Failure to meet this condition results in an `ArgumentNullException`.
			* Algorithm Consistency: Both methods utilize `AesCryptoServiceProvider` (AES). The key and IV provided to `DecryptStringFromBytes` must match those used in `EncryptStringToBytes` for decryption to succeed.
			* Stream Encoding: The implementation uses `StreamWriter` and `StreamReader` for stream transformations. The specific character encoding is not explicitly defined in the method signatures, relying on the default encoding of the underlying stream writer/reader (typically UTF-8).

			`## 4. Dependencies`
			`* Internal Dependencies: None identified within the provided source.`
			`* External Dependencies:`
			* `System`: For basic types and exceptions.
			* `System.IO`: Used for `MemoryStream`, `StreamWriter`, and `StreamReader` to handle data flow during encryption/decryption.
			* `System.Security.Cryptography`: Used for `AesCryptoServiceProvider` and `CryptoStream` to perform the cryptographic operations.
			* Unused Dependencies: The file imports `System.Collections.Generic`, `System.Linq`, `System.Text`, and `System.Threading.Tasks`, but none of these namespaces appear to be utilized in the current implementation.

			`## 5. Gotchas`
			* Copy-Paste Error in Validation: In both `EncryptStringToBytes` and `DecryptStringFromBytes`, the validation check for the `iv` parameter throws an exception naming the `key` parameter instead.
			* Source Reference: `if (iv == null \|\| iv.Length <= 0) throw new ArgumentNullException(nameof(key));`
			* This will report "key" as the null argument in the exception message when the `iv` is actually the invalid parameter, complicating debugging.
			* Variable Naming Mismatch: The `AesCryptoServiceProvider` instance is named `rijAlg` in both methods. This is likely a legacy artifact from a previous implementation using `RijndaelManaged`, which may cause confusion as the code now explicitly uses AES.
			* Key/IV Management: The class provides no mechanism for key or IV generation. Callers are responsible for generating and managing valid AES keys and IVs. Passing invalid key/IV lengths will cause the underlying `AesCryptoServiceProvider` to throw a `CryptographicException`, which is not caught by this wrapper.