public void SetRevoked_Respected()
        {
            // Arrange
            var now = DateTimeOffset.UtcNow;
            var key = new Key(Guid.Empty, now, now, now, new Mock<IAuthenticatedEncryptorDescriptor>().Object);

            // Act & assert
            Assert.False(key.IsRevoked);
            key.SetRevoked();
            Assert.True(key.IsRevoked);
        }
        public void CreateEncryptorInstance()
        {
            // Arrange
            var expected = new Mock<IAuthenticatedEncryptor>().Object;
            var mockDescriptor = new Mock<IAuthenticatedEncryptorDescriptor>();
            mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(expected);

            var now = DateTimeOffset.UtcNow;
            var key = new Key(Guid.Empty, now, now, now, mockDescriptor.Object);

            // Act
            var actual = key.CreateEncryptorInstance();

            // Assert
            Assert.Same(expected, actual);
        }
        public void Ctor_Properties()
        {
            // Arrange
            var keyId = Guid.NewGuid();
            var creationDate = DateTimeOffset.Now;
            var activationDate = creationDate.AddDays(2);
            var expirationDate = creationDate.AddDays(90);

            // Act
            var key = new Key(keyId, creationDate, activationDate, expirationDate, new Mock<IAuthenticatedEncryptorDescriptor>().Object);

            // Assert
            Assert.Equal(keyId, key.KeyId);
            Assert.Equal(creationDate, key.CreationDate);
            Assert.Equal(activationDate, key.ActivationDate);
            Assert.Equal(expirationDate, key.ExpirationDate);
        }
        public void Protect_Unprotect_RoundTripsProperly()
        {
            // Arrange
            byte[] plaintext = new byte[] { 0x10, 0x20, 0x30, 0x40, 0x50 };
            Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration(new AuthenticatedEncryptionOptions()).CreateNewDescriptor());
            var keyRing = new KeyRing(key, new[] { key });
            var mockKeyRingProvider = new Mock<IKeyRingProvider>();
            mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);

            var protector = new KeyRingBasedDataProtector(
                keyRingProvider: mockKeyRingProvider.Object,
                logger: null,
                originalPurposes: null,
                newPurpose: "purpose");

            // Act - protect
            byte[] protectedData = protector.Protect(plaintext);
            Assert.NotNull(protectedData);
            Assert.NotEqual(plaintext, protectedData);

            // Act - unprotect
            byte[] roundTrippedPlaintext = protector.Unprotect(protectedData);
            Assert.Equal(plaintext, roundTrippedPlaintext);
        }
        public void Unprotect_IsNotDefaultKey_Success_RequiresMigration()
        {
            // Arrange
            Guid defaultKeyId = new Guid("ba73c9ce-d322-4e45-af90-341307e11c38");
            Guid embeddedKeyId = new Guid("9b5d2db3-299f-4eac-89e9-e9067a5c1853");
            byte[] expectedCiphertext = new byte[] { 0x03, 0x05, 0x07, 0x11, 0x13, 0x17, 0x19 };
            byte[] protectedData = BuildProtectedDataFromCiphertext(embeddedKeyId, expectedCiphertext);
            byte[] expectedAad = BuildAadFromPurposeStrings(embeddedKeyId, "purpose");
            byte[] expectedPlaintext = new byte[] { 0x23, 0x29, 0x31, 0x37 };

            var mockEncryptor = new Mock<IAuthenticatedEncryptor>();
            mockEncryptor
                .Setup(o => o.Decrypt(It.IsAny<ArraySegment<byte>>(), It.IsAny<ArraySegment<byte>>()))
                .Returns<ArraySegment<byte>, ArraySegment<byte>>((actualCiphertext, actualAad) =>
                {
                    Assert.Equal(expectedCiphertext, actualCiphertext);
                    Assert.Equal(expectedAad, actualAad);
                    return expectedPlaintext;
                });
            var mockDescriptor = new Mock<IAuthenticatedEncryptorDescriptor>();
            mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(mockEncryptor.Object);

            Key defaultKey = new Key(defaultKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new Mock<IAuthenticatedEncryptorDescriptor>().Object);
            Key embeddedKey = new Key(embeddedKeyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object);
            var keyRing = new KeyRing(defaultKey, new[] { defaultKey, embeddedKey });
            var mockKeyRingProvider = new Mock<IKeyRingProvider>();
            mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);

            IDataProtector protector = new KeyRingBasedDataProtector(
                keyRingProvider: mockKeyRingProvider.Object,
                logger: null,
                originalPurposes: null,
                newPurpose: "purpose");

            // Act & assert - IDataProtector
            byte[] retVal = protector.Unprotect(protectedData);
            Assert.Equal(expectedPlaintext, retVal);

            // Act & assert - IPersistedDataProtector
            bool requiresMigration, wasRevoked;
            retVal = ((IPersistedDataProtector)protector).DangerousUnprotect(protectedData,
                ignoreRevocationErrors: false,
                requiresMigration: out requiresMigration,
                wasRevoked: out wasRevoked);
            Assert.Equal(expectedPlaintext, retVal);
            Assert.True(requiresMigration);
            Assert.False(wasRevoked);
        }
        public void Unprotect_KeyRevoked_RevocationDisallowed_ThrowsKeyRevoked()
        {
            // Arrange
            Guid keyId = new Guid("654057ab-2491-4471-a72a-b3b114afda38");
            byte[] protectedData = BuildProtectedDataFromCiphertext(
                keyId: keyId,
                ciphertext: new byte[0]);

            var mockDescriptor = new Mock<IAuthenticatedEncryptorDescriptor>();
            mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock<IAuthenticatedEncryptor>().Object);

            // the keyring has only one key
            Key key = new Key(keyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object);
            key.SetRevoked();
            var keyRing = new KeyRing(key, new[] { key });
            var mockKeyRingProvider = new Mock<IKeyRingProvider>();
            mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);

            IDataProtector protector = new KeyRingBasedDataProtector(
                keyRingProvider: mockKeyRingProvider.Object,
                logger: null,
                originalPurposes: null,
                newPurpose: "purpose");

            // Act & assert
            var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(protectedData));
            Assert.Equal(Error.Common_KeyRevoked(keyId).Message, ex.Message);
        }