private void RoundTripGeneric(string testData, AeadEnvelopeCrypto aeadEnvelopeCrypto) { CryptoPolicy cryptoPolicy = new DummyCryptoPolicy(); using (SecureCryptoKeyDictionary <DateTimeOffset> secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <DateTimeOffset>(cryptoPolicy.GetRevokeCheckPeriodMillis())) { IEnvelopeEncryption <JObject> envelopeEncryptionJsonImpl = new EnvelopeEncryptionJsonImpl( partition, metastore, secureCryptoKeyDictionary, new SecureCryptoKeyDictionary <DateTimeOffset>(cryptoPolicy.GetRevokeCheckPeriodMillis()), aeadEnvelopeCrypto, cryptoPolicy, keyManagementService); using (Session <JObject, JObject> sessionJsonImpl = new SessionJsonImpl <JObject>(envelopeEncryptionJsonImpl)) { Asherah.AppEncryption.Util.Json testJson = new Asherah.AppEncryption.Util.Json(); testJson.Put("Test", testData); string persistenceKey = sessionJsonImpl.Store(testJson.ToJObject(), dataPersistence); Option <JObject> testJson2 = sessionJsonImpl.Load(persistenceKey, dataPersistence); Assert.True(testJson2.IsSome); string resultData = ((JObject)testJson2)["Test"].ToObject <string>(); Assert.Equal(testData, resultData); } } }
private void TestPutAndGetUsableWithUpdateRevokedShouldMarkRevokedAndReturnNotNull() { // Give it enough time to account for timing differences using (SecureCryptoKeyDictionary <string> secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(50)) { secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object); CryptoKey getResult = secureCryptoKeyDictionary.Get("test"); Assert.NotNull(getResult); // Sleep for enough time to get null result Thread.Sleep(100); getResult = secureCryptoKeyDictionary.Get("test"); Assert.Null(getResult); // Put back in as revoked so we can get non-null result again cryptoKeyMock.Setup(x => x.IsRevoked()).Returns(true); secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object); getResult = secureCryptoKeyDictionary.Get("test"); Assert.NotNull(getResult); // Sleep for enough time to get null result and verify we still get non-null Thread.Sleep(30); getResult = secureCryptoKeyDictionary.Get("test"); Assert.NotNull(getResult); } }
private void TestGetLastWithRevokeCheckExpiredShouldReturnNull() { using (SecureCryptoKeyDictionary <string> secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(1)) { string key = "some_key"; secureCryptoKeyDictionary.PutAndGetUsable(key, sharedCryptoKeyMock.Object); // sleep to trigger period check flow Thread.Sleep(3); CryptoKey actualCryptoKey = secureCryptoKeyDictionary.GetLast(); Assert.Null(actualCryptoKey); } }
private static object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK) { AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition( cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), DefaultProductId); // TODO Update to create KeyManagementService based on config/param once we plug in AWS KMS KeyManagementService kms = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey); CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK(); // TODO Pass Metastore type to enable spy generation once we plug in external metastore types Mock <MemoryPersistenceImpl <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder); CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder); // Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder() .WithKeyExpirationDays(KeyExpiryDays) .WithRevokeCheckMinutes(int.MaxValue) .WithCanCacheIntermediateKeys(false) .WithCanCacheSystemKeys(false) .Build(); SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache; SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache; EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl( appEncryptionPartition, metastorePersistence.Object, systemKeyCache, new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache), new BouncyAes256GcmCrypto(), cryptoPolicy, kms); IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson); // Need to manually set a no-op metrics instance IMetrics metrics = new MetricsBuilder() .Configuration.Configure(options => options.Enabled = false) .Build(); MetricsUtil.SetMetricsInstance(metrics); return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition }); }
public SessionFactory( string productId, string serviceId, IMetastore <JObject> metastore, SecureCryptoKeyDictionaryFactory <DateTimeOffset> secureCryptoKeyDictionaryFactory, CryptoPolicy cryptoPolicy, KeyManagementService keyManagementService) { this.productId = productId; this.serviceId = serviceId; this.metastore = metastore; this.secureCryptoKeyDictionaryFactory = secureCryptoKeyDictionaryFactory; systemKeyCache = secureCryptoKeyDictionaryFactory.CreateSecureCryptoKeyDictionary(); this.cryptoPolicy = cryptoPolicy; this.keyManagementService = keyManagementService; }
/// <summary> /// Initializes a new instance of the <see cref="EnvelopeEncryptionJsonImpl"/> class using the provided /// parameters. This is an implementation of <see cref="IEnvelopeEncryption{TD}"/> which uses /// <see cref="JObject"/> as the Data Row Record format. /// </summary> /// /// <param name="partition">A <see cref="GoDaddy.Asherah.AppEncryption.Partition"/> object.</param> /// <param name="metastore">A <see cref="IMetastore{T}"/> implementation used to store system & intermediate /// keys.</param> /// <param name="systemKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation for /// caching system keys.</param> /// <param name="intermediateKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation /// for caching intermediate keys.</param> /// <param name="aeadEnvelopeCrypto">An implementation of /// <see cref="GoDaddy.Asherah.Crypto.Envelope.AeadEnvelopeCrypto"/>, used to encrypt/decrypt keys and /// envelopes.</param> /// <param name="cryptoPolicy">A <see cref="GoDaddy.Asherah.Crypto.CryptoPolicy"/> implementation that dictates /// the various behaviors of Asherah.</param> /// <param name="keyManagementService">A <see cref="GoDaddy.Asherah.AppEncryption.Kms.KeyManagementService"/> /// implementation that generates the top level master key and encrypts the system keys using the master key. /// </param> public EnvelopeEncryptionJsonImpl( Partition partition, IMetastore <JObject> metastore, SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache, SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache, AeadEnvelopeCrypto aeadEnvelopeCrypto, CryptoPolicy cryptoPolicy, KeyManagementService keyManagementService) { this.partition = partition; this.metastore = metastore; this.systemKeyCache = systemKeyCache; this.intermediateKeyCache = intermediateKeyCache; crypto = aeadEnvelopeCrypto; this.cryptoPolicy = cryptoPolicy; this.keyManagementService = keyManagementService; }
/// <summary> /// Initializes a new instance of the <see cref="SessionFactory"/> class. /// </summary> /// /// <param name="productId">A unique identifier for a product.</param> /// <param name="serviceId">A unique identifier for a service.</param> /// <param name="metastore">A <see cref="IMetastore{T}"/> implementation used to store system & intermediate /// keys.</param> /// <param name="systemKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation for /// caching system keys.</param> /// <param name="cryptoPolicy">A <see cref="GoDaddy.Asherah.Crypto.CryptoPolicy"/> implementation that dictates /// the various behaviors of Asherah.</param> /// <param name="keyManagementService">A <see cref="GoDaddy.Asherah.AppEncryption.Kms.KeyManagementService"/> /// implementation that generates the top level master key and encrypts the system keys using the master key. /// </param> public SessionFactory( string productId, string serviceId, IMetastore <JObject> metastore, SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache, CryptoPolicy cryptoPolicy, KeyManagementService keyManagementService) { this.productId = productId; this.serviceId = serviceId; this.metastore = metastore; this.systemKeyCache = systemKeyCache; this.cryptoPolicy = cryptoPolicy; this.keyManagementService = keyManagementService; semaphoreLocks = new ConcurrentDictionary <string, object>(); SessionCache = new MemoryCache(new MemoryCacheOptions()); }
private object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK) { Partition partition = new Partition( cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), DefaultProductId); KeyManagementService kms = configFixture.KeyManagementService; CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK(); Mock <IMetastore <JObject> > metastoreMock = MetastoreMock.CreateMetastoreMock( partition, kms, metaIK, metaSK, cryptoKeyHolder, configFixture.Metastore); CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder); // Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder() .WithKeyExpirationDays(KeyExpiryDays) .WithRevokeCheckMinutes(int.MaxValue) .WithCanCacheIntermediateKeys(false) .WithCanCacheSystemKeys(false) .Build(); SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache; SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache; EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl( partition, metastoreMock.Object, systemKeyCache, new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache), new BouncyAes256GcmCrypto(), cryptoPolicy, kms); IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson); return(new object[] { envelopeEncryptionByteImpl, metastoreMock, cacheIK, metaIK, cacheSK, metaSK, partition }); }
private void TestPutAndGetUsableWithNotRevokedShouldUpdateReturnNullAfterCheckPeriodAndNotNullAfterPutRefreshes() { // Give it enough time to account for timing differences using (SecureCryptoKeyDictionary <string> secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(50)) { secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object); CryptoKey getResult = secureCryptoKeyDictionary.Get("test"); Assert.NotNull(getResult); // Sleep for enough time to get null result Thread.Sleep(100); getResult = secureCryptoKeyDictionary.Get("test"); Assert.Null(getResult); // Put back in to refresh cached time so we can get non-null result again secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object); getResult = secureCryptoKeyDictionary.Get("test"); Assert.NotNull(getResult); } }
private CacheMock(SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache, SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache) { SystemKeyCache = systemKeyCache; IntermediateKeyCache = intermediateKeyCache; }
public SecureCryptoKeyDictionaryTest() { cryptoKeyMock = new Mock <CryptoKey>(); sharedCryptoKeyMock = new Mock <SharedCryptoKey>(cryptoKeyMock.Object); secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(RevokeCheckPeriodMillis); }
public FakeSecureCryptoKeyDictionaryFactory(SecureCryptoKeyDictionary <T> secureCryptoKeyDictionary) : base(null) { this.secureCryptoKeyDictionary = secureCryptoKeyDictionary; }