public async Task Run_EncryptData(string key)
{
try {
string a = "abcDEF123$%^";
TransitEncryptedItem response = await TB.Encrypt(key, a);
Console.WriteLine("Encrypt Data Routine:");
Console.WriteLine(" encrypted: {0} to {1}", a, response.EncryptedValue);
}
catch (Exception e) {
Console.WriteLine("Errors - {0}", e.Message);
Console.WriteLine(e.ToString());
}
}
public async Task Run_ReEncrypt(string key)
{
Console.WriteLine("Running Re-Encrypt Data Process:");
string a = "abcDEF123$%^";
TransitKeyInfo TKIA = await TB.ReadEncryptionKey(key);
Console.WriteLine(" -- Encryption Key Current Version is {0}", TKIA.LatestVersionNum);
TransitEncryptedItem response = await TB.Encrypt(key, a);
bool success = await TB.RotateKey(key);
if (!success)
{
Console.WriteLine(" -- Failed to rotate the key. Stopping the Re-Encryption test.");
return;
}
TransitKeyInfo TKIB = await TB.ReadEncryptionKey(key);
Console.WriteLine(" -- Encryption Key New Version is {0}", TKIB.LatestVersionNum);
TransitEncryptedItem response2 = await TB.ReEncrypt(key, response.EncryptedValue);
if (response2 != null)
{
Console.WriteLine(" -- Reencryption completed.");
// Now validate by decrypting original value and new value. Should be same.
TransitDecryptedItem decryptA = await TB.Decrypt(key, response.EncryptedValue);
TransitDecryptedItem decryptB = await TB.Decrypt(key, response2.EncryptedValue);
if (a == decryptB.DecryptedValue)
{
Console.WriteLine(" -- ReEncryption successfull. Original Data = {0} and after re-encrypt value = {1}", a, decryptB.DecryptedValue);
}
else
{
Console.WriteLine(" -- ReEncryption FAILED. Original value = {0}, re-Encryption value = {1}.", a, decryptB.DecryptedValue);
}
}
Console.WriteLine(" encrypted: {0} to {1}", a, response.EncryptedValue);
}
// Test decrypting a convergent encrypted value with an invalid context. Should throw error.
public async Task DerivedEncryptDecrypt_WithBadContextFails()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256, true);
// Get a random value to encrypt.
string toEncrypt = "123456abcdefzyx";
// Set the "Context" value for derived encryption.
string toContext = "ZYXabc";
// Now encrypt with that key.
TransitEncryptedItem response = await _transitSecretEngine.Encrypt(key, toEncrypt, toContext);
Assert.IsNotEmpty(response.EncryptedValue);
// Now decrypt it, but pass invalid context.
Assert.That(() => _transitSecretEngine.Decrypt(key, response.EncryptedValue, "zyxabc"),
Throws.Exception.TypeOf <VaultInternalErrorException>()); //.With.Property("Message").Contains("unable to decrypt"));
}
public async Task DerivedEncryptDecrypt_ResultsInSameValue()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256, true);
// Get a random value to encrypt.
string toEncrypt = Guid.NewGuid().ToString();
// Set the "Context" value for derived encryption.
string toContext = "ZYXabc";
// Now encrypt with that key.
TransitEncryptedItem response = await _transitSecretEngine.Encrypt(key, toEncrypt, toContext);
Assert.IsNotEmpty(response.EncryptedValue);
// Now decrypt it.
TransitDecryptedItem responseB = await _transitSecretEngine.Decrypt(key, response.EncryptedValue, toContext);
Assert.AreEqual(responseB.DecryptedValue, toEncrypt);
}
// Tests that when using derivation encryption the same encryption string value is unique even with same context key.
public async Task KeyDerivationEncryption_ProducesEncryptionWithDifferentValue()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256, true);
// Get a random value to encrypt.
string toEncrypt = "ABCXYXZ";
// Set the "Context" value for derived encryption.
string toContext = "ZYXabc";
// Now encrypt with that key.
TransitEncryptedItem response = await _transitSecretEngine.Encrypt(key, toEncrypt, toContext);
Assert.IsNotEmpty(response.EncryptedValue);
// Now encrypt another item with same unencrypted value and same context. Should produce same results.
TransitEncryptedItem response2 = await _transitSecretEngine.Encrypt(key, toEncrypt, toContext);
Assert.IsNotEmpty(response.EncryptedValue);
Assert.AreNotEqual(response.EncryptedValue, response2.EncryptedValue);
}
public async Task EncryptDecrypt_ResultsInSameValue()
{
// Get a random value to encrypt.
string toEncrypt = Guid.NewGuid().ToString();
string encKey = Guid.NewGuid().ToString();
// Create an encryption key.
bool rc = await _transitSecretEngine.CreateEncryptionKey(encKey, true, true, TransitEnumKeyType.rsa4096);
Assert.AreEqual(true, rc);
// Now encrypt with that key.
TransitEncryptedItem response = await _transitSecretEngine.Encrypt(encKey, toEncrypt);
Assert.IsNotEmpty(response.EncryptedValue);
// Now decrypt it.
TransitDecryptedItem responseB = await _transitSecretEngine.Decrypt(encKey, response.EncryptedValue);
Assert.AreEqual(responseB.DecryptedValue, toEncrypt);
}
// Test that Reencrypt results in same original un-encrypted value.
public async Task RencryptionResultsInSameStartingValue()
{
string valA = Guid.NewGuid().ToString();
string key = _uniqueKeys.GetKey();
// Create key, validate the version and then encrypt some data with that key.
Assert.True(await _transitSecretEngine.CreateEncryptionKey(key, true, true, TransitEnumKeyType.aes256));
TransitEncryptedItem encA = await _transitSecretEngine.Encrypt(key, valA);
TransitKeyInfo tkiA = await _transitSecretEngine.ReadEncryptionKey(key);
// Rotate Key, Read value of key version, Re-Encrypt data. Decrypt Data.
Assert.True(await _transitSecretEngine.RotateKey(key));
TransitKeyInfo tkiB = await _transitSecretEngine.ReadEncryptionKey(key);
TransitEncryptedItem encB = await _transitSecretEngine.ReEncrypt(key, encA.EncryptedValue);
TransitDecryptedItem decB = await _transitSecretEngine.Decrypt(key, encB.EncryptedValue);
// Validate Results. Key version incremented by 1.
Assert.AreEqual(tkiA.LatestVersionNum + 1, tkiB.LatestVersionNum, "Key Version should have been incremented.");
Assert.AreEqual(valA, decB.DecryptedValue,
"After Key Rotation and Rencryption, expected value of encrypted item to be same, but they are different");
}
// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key
// encrypting with the key, etc.
public async Task RestoreKey_Success()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256);
// A. Enable deletion of the key.
Dictionary <string, string> keyconfig = new Dictionary <string, string> {
{ TransitConstants.KeyConfig_DeleteAllowed, "true" }
};
TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig);
Assert.True(tki.CanDelete);
// B. Rotate the key a few times.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
// C. Encrypt a piece of data.
string encryptedValue = "ABCzyx123";
TransitEncryptedItem encItem = await _transitSecretEngine.Encrypt(key, encryptedValue);
// D. Rotate Keys a few more times.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
tki = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Name, key);
// E. Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.True(tbri.Success);
Assert.AreNotEqual(null, tbri.KeyBackup);
// F. Delete key.
Assert.True(await _transitSecretEngine.DeleteKey(key));
// G. Restore the key
Assert.True(await _transitSecretEngine.RestoreKey(key, tbri));
// H. Decrypt an item with restored key.
TransitDecryptedItem decItem = await _transitSecretEngine.Decrypt(key, encItem.EncryptedValue);
Assert.AreEqual(encryptedValue, decItem.DecryptedValue);
// I. Validate the restore.
TransitKeyInfo tkiRestore = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Type, tkiRestore.Type);
Assert.AreEqual(tki.LatestVersionNum, tkiRestore.LatestVersionNum);
Assert.AreEqual(tki.Name, tkiRestore.Name);
Assert.AreEqual(tki.Keys.Count, tkiRestore.Keys.Count);
}
