public void Should_throw_for_no_key_in_config()
{
var config = new EncryptionServiceConfig();
var exception = Assert.Throws <Exception>(() => ConfigureAesEncryptionService.ConvertConfigToAesService(config));
Assert.AreEqual("The EncryptionServiceConfig has an empty 'Key' property.", exception.Message);
}
internal static void ValidateConfigSection(EncryptionServiceConfig section)
{
if (section == null)
{
throw new Exception("No EncryptionServiceConfig defined. Specify a valid 'EncryptionServiceConfig' in the application's configuration file.");
}
if (section.ExpiredKeys == null)
{
throw new Exception("EncryptionServiceConfig.ExpiredKeys is null.");
}
if (string.IsNullOrWhiteSpace(section.Key))
{
throw new Exception("The EncryptionServiceConfig has an empty 'Key' property.");
}
if (EncryptionServiceConfigValidations.ExpiredKeysHaveWhiteSpace(section))
{
throw new Exception("The EncryptionServiceConfig has a 'ExpiredKeys' property defined however some keys have no 'Key' property set.");
}
if (EncryptionServiceConfigValidations.OneOrMoreExpiredKeysHaveNoKeyIdentifier(section))
{
Log.Warn("The EncryptionServiceConfig has a 'ExpiredKeys' property defined however some keys have no 'KeyIdentifier' property value. Verify if this is intentional.");
}
if (EncryptionServiceConfigValidations.EncryptionKeyListedInExpiredKeys(section))
{
throw new Exception("The EncryptionServiceConfig has a 'Key' that is also defined inside the 'ExpiredKeys'.");
}
if (EncryptionServiceConfigValidations.ExpiredKeysHaveDuplicateKeys(section))
{
throw new Exception("The EncryptionServiceConfig has overlapping ExpiredKeys defined. Ensure that no keys overlap in the 'ExpiredKeys' property.");
}
if (EncryptionServiceConfigValidations.ConfigurationHasDuplicateKeyIdentifiers(section))
{
throw new Exception("The EncryptionServiceConfig has duplicate KeyIdentifiers defined with the same key identifier. Key identifiers must be unique in the complete configuration section.");
}
}
public static bool ExpiredKeysHaveWhiteSpace(EncryptionServiceConfig section)
{
return(section
.ExpiredKeys
.Cast <ExpiredKey>()
.Any(x => string.IsNullOrWhiteSpace(x.Key)));
}
public void Should_correctly_convert_base64_key()
{
byte[] key = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F };
var base64 = Convert.ToBase64String(key);
var section = new EncryptionServiceConfig()
{
Key = base64,
KeyFormat = KeyFormat.Base64,
KeyIdentifier = "1",
ExpiredKeys =
{
new ExpiredKey
{
KeyIdentifier = "2",
Key = base64,
KeyFormat = KeyFormat.Base64
}
}
};
var keys = ConfigureAesEncryptionService.ExtractKeysFromConfigSection(section);
Assert.AreEqual(key, keys["1"], "Key in configuration root incorrectly converted");
Assert.AreEqual(key, keys["2"], "Key in expired keys incorrectly converted");
}
public static bool EncryptionKeyListedInExpiredKeys(EncryptionServiceConfig section)
{
return(section
.ExpiredKeys
.Cast <ExpiredKey>()
.Any(x => x.Key == section.Key));
}
public static bool OneOrMoreExpiredKeysHaveNoKeyIdentifier(EncryptionServiceConfig section)
{
return(section
.ExpiredKeys
.Cast <ExpiredKey>()
.Any(x => string.IsNullOrEmpty(x.KeyIdentifier)));
}
public void Should_correctly_convert_ascii_key_when_no_value()
{
const string asciiKey = "0123456789123456";
var key = Encoding.ASCII.GetBytes("0123456789123456");
var section = new EncryptionServiceConfig
{
Key = asciiKey,
KeyIdentifier = "1",
ExpiredKeys =
{
new ExpiredKey
{
KeyIdentifier = "2",
Key = asciiKey
}
}
};
var keys = ConfigureAesEncryptionService.ExtractKeysFromConfigSection(section);
Assert.AreEqual(key, keys["1"], "Key in configuration root incorrectly converted");
Assert.AreEqual(key, keys["2"], "Key in expired keys incorrectly converted");
}
public void Should_correctly_parse_key_identifiers_containing_multiple_keys()
{
var section = new EncryptionServiceConfig
{
KeyIdentifier = "1",
ExpiredKeys =
{
new ExpiredKey
{
KeyIdentifier = "2",
Key = "Key"
}
}
};
var keys = ConfigureAesEncryptionService.ExtractKeysFromConfigSection(section);
ICollection <string> expected = new[]
{
"1",
"2"
};
Assert.AreEqual(expected, keys.Keys);
}
public static bool ExpiredKeysHaveDuplicateKeys(EncryptionServiceConfig section)
{
var items = section
.ExpiredKeys
.Cast <ExpiredKey>()
.ToList();
return(items.Count != items.Select(x => x.Key).Distinct().Count());
}
internal static List <byte[]> ExtractDecryptionKeysFromConfigSection(EncryptionServiceConfig section)
{
var o = new List <byte[]>();
o.Add(ParseKey(section.Key, section.KeyFormat));
o.AddRange(section.ExpiredKeys
.Cast <ExpiredKey>()
.Select(x => ParseKey(x.Key, x.KeyFormat)));
return(o);
}
internal static IEncryptionService ConvertConfigToAesService(EncryptionServiceConfig section)
{
ValidateConfigSection(section);
var keys = ExtractKeysFromConfigSection(section);
var decryptionKeys = ExtractDecryptionKeysFromConfigSection(section);
return(BuildAesEncryptionService(
section.KeyIdentifier,
keys,
decryptionKeys
));
}
internal static Dictionary <string, byte[]> ExtractKeysFromConfigSection(EncryptionServiceConfig section)
{
var result = new Dictionary <string, byte[]>();
AddKeyIdentifierItems(section, result);
foreach (ExpiredKey item in section.ExpiredKeys)
{
AddKeyIdentifierItems(item, result);
}
return(result);
}
public void Should_be_true_when_key_identifier_not_in_expired_keys()
{
var section = new EncryptionServiceConfig
{
ExpiredKeys =
{
new ExpiredKey {
Key = "Key"
}
}
};
Assert.IsTrue(EncryptionServiceConfigValidations.OneOrMoreExpiredKeysHaveNoKeyIdentifier(section));
}
public void Should_be_true_when_key_has_whitespace()
{
var section = new EncryptionServiceConfig
{
ExpiredKeys =
{
new ExpiredKey {
Key = " "
}
}
};
Assert.IsTrue(EncryptionServiceConfigValidations.ExpiredKeysHaveWhiteSpace(section));
}
public void Should_be_true_when_encryption_key_in_expirede_keys()
{
var section = new EncryptionServiceConfig
{
Key = "Key",
ExpiredKeys = new ExpiredKeyCollection
{
new ExpiredKey {
Key = "Key"
},
}
};
Assert.IsTrue(EncryptionServiceConfigValidations.EncryptionKeyListedInExpiredKeys(section));
}
public void Should_be_false_when_encryption_key_not_in_expired_keys()
{
var section = new EncryptionServiceConfig()
{
Key = "Key",
ExpiredKeys = new ExpiredKeyCollection
{
new ExpiredKey {
Key = "AnotherKey"
},
}
};
Assert.IsFalse(EncryptionServiceConfigValidations.EncryptionKeyListedInExpiredKeys(section));
}
public static bool ConfigurationHasDuplicateKeyIdentifiers(EncryptionServiceConfig section)
{
// Combine all key identifier values, filter the empty ones, split them
return(section
.ExpiredKeys
.Cast <ExpiredKey>()
.Select(x => x.KeyIdentifier)
.Union(new[]
{
section.KeyIdentifier
})
.Where(x => !string.IsNullOrEmpty(x))
.Select(x => x.Split(';'))
.SelectMany(x => x)
.GroupBy(x => x)
.Any(x => x.Count() > 1));
}
public void Should_be_true_when_duplicate_key_identifier_in_concat_expired_keys()
{
var section = new EncryptionServiceConfig
{
KeyIdentifier = "2",
ExpiredKeys =
{
new ExpiredKey {
Key = "A", KeyIdentifier = "1;4"
},
new ExpiredKey {
Key = "B", KeyIdentifier = "3;4"
}
}
};
Assert.IsTrue(EncryptionServiceConfigValidations.ConfigurationHasDuplicateKeyIdentifiers(section));
}
public void Should_have_correct_number_of_extracted_keys_without_key_identifier()
{
var section = new EncryptionServiceConfig
{
Key = "a",
ExpiredKeys =
{
new ExpiredKey
{
Key = "b"
}
}
};
var result = ConfigureAesEncryptionService.ExtractDecryptionKeysFromConfigSection(section);
Assert.AreEqual(2, result.Count, "Key count");
}
public void Should_throw_when_expired_keys_has_duplicate_keys()
{
var section = new EncryptionServiceConfig
{
ExpiredKeys =
{
new ExpiredKey {
Key = "Key"
},
}
};
Assert.Throws <ConfigurationErrorsException>(() =>
{
section.ExpiredKeys.Add(new ExpiredKey
{
Key = "Key",
KeyIdentifier = "ID"
});
}, "The entry 'Key' has already been added.");
}
