public void InitializesIv([EnumValues] EncryptionAlgorithm algorithm)
{
EncryptOptions options = new EncryptOptions(algorithm, Array.Empty <byte>());
options.Initialize();
if (algorithm.GetAesCbcEncryptionAlgorithm() != null)
{
byte[] iv = options.Iv;
Assert.IsNotNull(options.Iv);
CollectionAssert.IsNotEmpty(options.Iv);
// Calling it again should not overwrite.
options.Initialize();
Assert.AreSame(iv, options.Iv);
}
else
{
Assert.IsNull(options.Iv);
}
}
public async Task EncryptLocalDecryptOnManagedHsm([EnumValues(
nameof(EncryptionAlgorithm.A128Cbc),
nameof(EncryptionAlgorithm.A192Cbc),
nameof(EncryptionAlgorithm.A256Cbc),
nameof(EncryptionAlgorithm.A128CbcPad),
nameof(EncryptionAlgorithm.A192CbcPad),
nameof(EncryptionAlgorithm.A256CbcPad))] EncryptionAlgorithm algorithm)
{
int keySizeInBytes = algorithm.GetAesCbcEncryptionAlgorithm().KeySizeInBytes;
JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps);
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.ImportKeyAsync(
new ImportKeyOptions(keyName, jwk));
RegisterForCleanup(key.Name);
CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true);
CryptographyClient localClient = GetLocalCryptoClient(jwk);
byte[] plaintext = new byte[32];
Recording.Random.NextBytes(plaintext);
byte[] iv = new byte[16];
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc)
{
Recording.Random.NextBytes(iv);
}
EncryptParameters encryptParams = algorithm.ToString() switch
{
EncryptionAlgorithm.A128CbcValue => EncryptParameters.A128CbcParameters(plaintext, iv),
EncryptionAlgorithm.A192CbcValue => EncryptParameters.A192CbcParameters(plaintext, iv),
EncryptionAlgorithm.A256CbcValue => EncryptParameters.A256CbcParameters(plaintext, iv),
EncryptionAlgorithm.A128CbcPadValue => EncryptParameters.A128CbcPadParameters(plaintext, iv),
EncryptionAlgorithm.A192CbcPadValue => EncryptParameters.A192CbcPadParameters(plaintext, iv),
EncryptionAlgorithm.A256CbcPadValue => EncryptParameters.A256CbcPadParameters(plaintext, iv),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
EncryptResult encrypted = await localClient.EncryptAsync(encryptParams);
Assert.IsNotNull(encrypted.Ciphertext);
DecryptParameters decryptParameters = algorithm.ToString() switch
{
EncryptionAlgorithm.A128CbcValue => DecryptParameters.A128CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A192CbcValue => DecryptParameters.A192CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A256CbcValue => DecryptParameters.A256CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A128CbcPadValue => DecryptParameters.A128CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A192CbcPadValue => DecryptParameters.A192CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A256CbcPadValue => DecryptParameters.A256CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters);
Assert.IsNotNull(decrypted.Plaintext);
CollectionAssert.AreEqual(plaintext, decrypted.Plaintext);
}
public async Task AesGcmEncryptDecrypt([EnumValues(
nameof(EncryptionAlgorithm.A128Gcm),
nameof(EncryptionAlgorithm.A192Gcm),
nameof(EncryptionAlgorithm.A256Gcm)
)] EncryptionAlgorithm algorithm)
{
int keySizeInBytes = algorithm.ToString() switch
{
EncryptionAlgorithm.A128GcmValue => 128 >> 3,
EncryptionAlgorithm.A192GcmValue => 192 >> 3,
EncryptionAlgorithm.A256GcmValue => 256 >> 3,
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps);
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.ImportKeyAsync(
new ImportKeyOptions(keyName, jwk));
RegisterForCleanup(key.Name);
CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true);
byte[] plaintext = new byte[32];
Recording.Random.NextBytes(plaintext);
byte[] iv = new byte[16];
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc)
{
Recording.Random.NextBytes(iv);
}
EncryptParameters encryptParams = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => EncryptParameters.A128GcmParameters(plaintext),
EncryptionAlgorithm.A192GcmValue => EncryptParameters.A192GcmParameters(plaintext),
EncryptionAlgorithm.A256GcmValue => EncryptParameters.A256GcmParameters(plaintext),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
EncryptResult encrypted = await remoteClient.EncryptAsync(encryptParams);
Assert.IsNotNull(encrypted.Ciphertext);
DecryptParameters decryptParameters = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => DecryptParameters.A128GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A192GcmValue => DecryptParameters.A192GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A256GcmValue => DecryptParameters.A256GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters);
Assert.IsNotNull(decrypted.Plaintext);
CollectionAssert.AreEqual(plaintext, decrypted.Plaintext);
}