public async Task EncryptsHMACSecretInDatabase()
            {
                // Registers a client that signs with HMAC, reads the persisted record back and checks
                // that the stored signature parameter equals the protector's output for the key and
                // that the record is flagged as encrypted.
                // The converter is built on FakeStringProtectorFactory and the expected value is
                // computed with FakeStringProtector, so this verifies that the protector's output is
                // what gets stored; it does not exercise the production protector.
                var storeSettings = new SqlServerClientStoreSettings
                {
                    ConnectionString = _connectionString,
                    // Fixture value used only by this test.
                    SharedSecretEncryptionKey = new SharedSecretEncryptionKey("The_Big_Secret")
                };
                var converter = new SignatureAlgorithmConverter(new FakeStringProtectorFactory());

                using (var sut = new SqlServerClientStore(storeSettings, converter))
                {
                    var signatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
                    var validity = TimeSpan.FromMinutes(1);
                    var tolerance = TimeSpan.FromMinutes(2);
                    var registeredClient = new Client(
                        "c1",
                        "app one",
                        signatureAlgorithm,
                        validity,
                        tolerance,
                        RequestTargetEscaping.RFC2396,
                        new Claim("company", "Dalion"),
                        new Claim("scope", "HttpMessageSigning"));

                    await sut.Register(registeredClient);

                    // LoadFromDb is defined outside this snippet; presumably it reads the stored row
                    // directly rather than going through the store - confirm against the test class.
                    var storedRecord = await LoadFromDb(registeredClient.Id);

                    storedRecord.SigParameter.Should().NotBeNullOrEmpty();

                    // Expected value: the UTF-8 text of the HMAC key, passed through the fake protector.
                    var plainKeyText = Encoding.UTF8.GetString(signatureAlgorithm.Key);
                    var expectedProtectedKey = new FakeStringProtector().Protect(plainKeyText);
                    storedRecord.SigParameter.Should().Be(expectedProtectedKey);
                    storedRecord.IsSigParameterEncrypted.Should().BeTrue();
                }
            }
Example #2
        // Test fixture setup: builds the converter under test on a faked string protector factory
        // and makes that factory hand out a FakeStringProtector for any symmetric-key request.
        public SignatureAlgorithmConverterTests()
        {
            _stringProtector = new FakeStringProtector();

            FakeFactory.Create(out _stringProtectorFactory);
            _sut = new SignatureAlgorithmConverter(_stringProtectorFactory);

            // Configured after the converter is constructed, matching any string argument, so every
            // key passed to CreateSymmetric yields the same fake protector instance.
            A.CallTo(() => _stringProtectorFactory.CreateSymmetric(A<string>._)).Returns(_stringProtector);
        }
Example #3
            // Writes an HMAC algorithm into the data record and checks the persisted shape: type "HMAC",
            // the SHA384 hash name, the encrypted flag set, and the parameter equal to the fake
            // protector's output for the key. Because the expectation is built with FakeStringProtector,
            // this covers the converter's use of the protector, not the production protector itself.
            public void GivenHMACAlgorithm_ReturnsExpectedDataRecord()
            {
                var expectedHash = HashAlgorithmName.SHA384;

                using (var algorithm = SignatureAlgorithm.CreateForVerification(_unencryptedKey, expectedHash))
                {
                    _sut.SetSignatureAlgorithm(_dataRecord, algorithm, _encryptionKey);

                    _dataRecord.SigType.Should().Be("HMAC");
                    _dataRecord.SigHashAlgorithm.Should().Be(expectedHash.Name);
                    _dataRecord.IsSigParameterEncrypted.Should().BeTrue();

                    // The stored parameter must be the protected form of the key.
                    _dataRecord.SigParameter.Should().Be(new FakeStringProtector().Protect(_unencryptedKey));
                }
            }