public void InitializesIv(EncryptionAlgorithm algorithm)
{
// Use a 256-bit key which will be truncated based on the selected algorithm.
byte[] k = new byte[] { 0xe2, 0x7e, 0xd0, 0xc8, 0x45, 0x12, 0xbb, 0xd5, 0x5b, 0x6a, 0xf4, 0x34, 0xd2, 0x37, 0xc1, 0x1f, 0xeb, 0xa3, 0x11, 0x87, 0x0f, 0x80, 0xf2, 0xc2, 0xe3, 0x36, 0x42, 0x60, 0xf3, 0x1c, 0x82, 0xc8 };
JsonWebKey key = new JsonWebKey(new[] { KeyOperation.Encrypt, KeyOperation.Decrypt })
{
K = k,
};
AesCryptographyProvider provider = new AesCryptographyProvider(key, null, false);
byte[] plaintext = Encoding.UTF8.GetBytes("plaintext");
EncryptParameters encryptOptions = new EncryptParameters(algorithm, plaintext, null, null);
EncryptResult encrypted = provider.Encrypt(encryptOptions, default);
Assert.IsNotNull(encryptOptions.Iv);
CollectionAssert.AreEqual(encryptOptions.Iv, encrypted.Iv);
DecryptParameters decryptOptions = new DecryptParameters(algorithm, encrypted.Ciphertext, encrypted.Iv);
DecryptResult decrypted = provider.Decrypt(decryptOptions, default);
Assert.IsNotNull(decrypted);
// AES-CBC will be zero-padded.
StringAssert.StartsWith("plaintext", Encoding.UTF8.GetString(decrypted.Plaintext));
}
public IActionResult Decrypt([FromBody] DecryptParameters decryptParameters)
{
if (decryptParameters == null)
{
return(BadRequest());
}
return(Ok(Cryptography.Decrypt(_dirName, decryptParameters.Data)));
}
public void DecryptOptionsAll()
{
byte[] buffer = new byte[] { 0, 1, 2, 3 };
DecryptParameters options = CryptographyModelFactory.DecryptParameters(EncryptionAlgorithm.A128Cbc, buffer, buffer, buffer, buffer);
Assert.AreEqual(EncryptionAlgorithm.A128Cbc, options.Algorithm);
CollectionAssert.AreEqual(buffer, options.Ciphertext);
CollectionAssert.AreEqual(buffer, options.Iv);
CollectionAssert.AreEqual(buffer, options.AuthenticationTag);
CollectionAssert.AreEqual(buffer, options.AdditionalAuthenticatedData);
}
public void RequiresCiphertext()
{
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.Rsa15Parameters(null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.RsaOaepParameters(null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.RsaOaep256Parameters(null));
Assert.AreEqual("ciphertext", ex.ParamName);
}
public void OctEncryptDecryptSync()
{
TestEnvironment.AssertManagedHsm();
string managedHsmUrl = TestEnvironment.ManagedHsmUrl;
#region Snippet:OctKeysSample4CreateKey
var managedHsmClient = new KeyClient(new Uri(managedHsmUrl), new DefaultAzureCredential());
var octKeyOptions = new CreateOctKeyOptions($"CloudOctKey-{Guid.NewGuid()}")
{
KeySize = 256,
};
KeyVaultKey cloudOctKey = managedHsmClient.CreateOctKey(octKeyOptions);
#endregion
#region Snippet:OctKeySample4Encrypt
var cryptoClient = new CryptographyClient(cloudOctKey.Id, new DefaultAzureCredential());
byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
byte[] aad = Encoding.UTF8.GetBytes("additional authenticated data");
EncryptParameters encryptParams = EncryptParameters.A256GcmParameters(plaintext, aad);
EncryptResult encryptResult = cryptoClient.Encrypt(encryptParams);
#endregion
#region Snippet:OctKeySample4Decrypt
DecryptParameters decryptParams = DecryptParameters.A256GcmParameters(
encryptResult.Ciphertext,
encryptResult.Iv,
encryptResult.AuthenticationTag,
encryptResult.AdditionalAuthenticatedData);
DecryptResult decryptResult = cryptoClient.Decrypt(decryptParams);
#endregion
Assert.AreEqual(plaintext, decryptResult.Plaintext);
// Delete and purge the key.
DeleteKeyOperation operation = managedHsmClient.StartDeleteKey(octKeyOptions.Name);
// You only need to wait for completion if you want to purge or recover the key.
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
managedHsmClient.PurgeDeletedKey(operation.Value.Name);
}
public async Task <IActionResult> Decrypt([FromBody] DecryptParameters decryptParameters)
{
using (var client = new HttpClient())
{
client.SetAcceptEncodingHeader(this.HttpContext.Request.Headers);
var content = new StringContent(JsonConvert.SerializeObject(decryptParameters), Encoding.UTF8, "application/json");
using (var response = await client.PostAsync(CreateInternalUri("crypto/decrypt"), content))
{
return(await response.GetActionResult());
}
}
}
static int Decrypt(DecryptParameters p)
{
_arguments = p;
EnsureCanOverwriteDestination(p);
var retryWithBase64 = false;
do
{
try
{
using (var encryptedStream = new FileStream(p.SourceFileName, FileMode.Open, FileAccess.Read, FileShare.None))
using (var decryptedStream = new FileStream(p.DestinationFileName, FileMode.Create, FileAccess.Write, FileShare.None))
using (var cipher = new EncryptedNewKeyCipher(p.Certificate))
{
cipher.Base64Encoded = retryWithBase64;
cipher.Decrypt(encryptedStream, decryptedStream);
retryWithBase64 = false;
}
}
catch (ArgumentException x) when(x.ParamName == "encryptedStream")
{
if (retryWithBase64)
{
throw;
}
using (var reader = new StreamReader(p.SourceFileName, Encoding.ASCII))
{
for (var i = 0; i < 5 && !reader.EndOfStream; i++)
{
var line = reader.ReadLine();
if (!Regex.IsMatch(line, _base64Regex))
{
throw;
}
}
retryWithBase64 = true;
}
}
}while (retryWithBase64);
return(0);
}
public async Task OctEncryptDecryptAsync()
{
TestEnvironment.AssertManagedHsm();
string managedHsmUrl = TestEnvironment.ManagedHsmUrl;
var managedHsmClient = new KeyClient(new Uri(managedHsmUrl), new DefaultAzureCredential());
var octKeyOptions = new CreateOctKeyOptions($"CloudOctKey-{Guid.NewGuid()}")
{
KeySize = 256,
};
KeyVaultKey cloudOctKey = await managedHsmClient.CreateOctKeyAsync(octKeyOptions);
var cryptoClient = new CryptographyClient(cloudOctKey.Id, new DefaultAzureCredential());
byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
byte[] aad = Encoding.UTF8.GetBytes("additional authenticated data");
EncryptParameters encryptParams = EncryptParameters.A256GcmParameters(plaintext, aad);
EncryptResult encryptResult = await cryptoClient.EncryptAsync(encryptParams);
DecryptParameters decryptParams = DecryptParameters.A256GcmParameters(
encryptResult.Ciphertext,
encryptResult.Iv,
encryptResult.AuthenticationTag,
encryptResult.AdditionalAuthenticatedData);
DecryptResult decryptResult = await cryptoClient.DecryptAsync(decryptParams);
Assert.AreEqual(plaintext, decryptResult.Plaintext);
// Delete and purge the key.
DeleteKeyOperation operation = await managedHsmClient.StartDeleteKeyAsync(octKeyOptions.Name);
// You only need to wait for completion if you want to purge or recover the key.
await operation.WaitForCompletionAsync();
managedHsmClient.PurgeDeletedKey(operation.Value.Name);
}
public void RequiresCiphertextIv()
{
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128CbcParameters(null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128CbcParameters(Array.Empty <byte>(), null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192CbcParameters(null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192CbcParameters(Array.Empty <byte>(), null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256CbcParameters(null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256CbcParameters(Array.Empty <byte>(), null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128CbcPadParameters(null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128CbcPadParameters(Array.Empty <byte>(), null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192CbcPadParameters(null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192CbcPadParameters(Array.Empty <byte>(), null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256CbcPadParameters(null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256CbcPadParameters(Array.Empty <byte>(), null));
Assert.AreEqual("iv", ex.ParamName);
}
public void RequiresOnlyCiphertextIvAuthenticationTag()
{
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128GcmParameters(null, null, null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128GcmParameters(Array.Empty <byte>(), null, null, null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), null, null));
Assert.AreEqual("authenticationTag", ex.ParamName);
Assert.DoesNotThrow(() => DecryptParameters.A128GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), Array.Empty <byte>(), null));
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192GcmParameters(null, null, null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192GcmParameters(Array.Empty <byte>(), null, null, null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), null, null));
Assert.AreEqual("authenticationTag", ex.ParamName);
Assert.DoesNotThrow(() => DecryptParameters.A192GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), Array.Empty <byte>(), null));
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256GcmParameters(null, null, null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256GcmParameters(Array.Empty <byte>(), null, null, null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), null, null));
Assert.AreEqual("authenticationTag", ex.ParamName);
Assert.DoesNotThrow(() => DecryptParameters.A256GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), Array.Empty <byte>(), null));
}
public async Task SerializeJsonWebKeyAsync()
{
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = TestEnvironment.KeyVaultUrl;
var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 2048,
};
KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey);
Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}");
string dir = Path.Combine(TestContext.CurrentContext.WorkDirectory, "samples", nameof(Sample7_SerializeJsonWebKey));
Directory.CreateDirectory(dir);
string path = Path.Combine(dir, $"{nameof(SerializeJsonWebKeyAsync)}.json");
// Use `using` expression for clean sample, but scope it to close and dispose immediately.
{
using FileStream file = File.Create(path);
await JsonSerializer.SerializeAsync(file, cloudRsaKey.Key);
Debug.WriteLine($"Saved JWK to {path}");
}
// Use `using` expression for clean sample, but scope it to close and dispose immediately.
JsonWebKey jwk = null;
{
using FileStream file = File.Open(path, FileMode.Open);
jwk = await JsonSerializer.DeserializeAsync <JsonWebKey>(file);
Debug.WriteLine($"Read JWK from {path} with ID {jwk.Id}");
}
string content = "plaintext";
var encryptClient = new CryptographyClient(jwk);
byte[] plaintext = Encoding.UTF8.GetBytes(content);
EncryptResult encrypted = await encryptClient.EncryptAsync(EncryptParameters.RsaOaepParameters(plaintext));
Debug.WriteLine($"Encrypted: {Encoding.UTF8.GetString(plaintext)}");
byte[] ciphertext = encrypted.Ciphertext;
CryptographyClient decryptClient = keyClient.GetCryptographyClient(cloudRsaKey.Name, cloudRsaKey.Properties.Version);
DecryptResult decrypted = await decryptClient.DecryptAsync(DecryptParameters.RsaOaepParameters(ciphertext));
Debug.WriteLine($"Decrypted: {Encoding.UTF8.GetString(decrypted.Plaintext)}");
DeleteKeyOperation operation = await keyClient.StartDeleteKeyAsync(rsaKeyName);
// You only need to wait for completion if you want to purge or recover the key.
await operation.WaitForCompletionAsync();
// If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged.
keyClient.PurgeDeletedKey(rsaKeyName);
}
public async Task EncryptLocalDecryptOnManagedHsm([EnumValues(
nameof(EncryptionAlgorithm.A128Cbc),
nameof(EncryptionAlgorithm.A192Cbc),
nameof(EncryptionAlgorithm.A256Cbc),
nameof(EncryptionAlgorithm.A128CbcPad),
nameof(EncryptionAlgorithm.A192CbcPad),
nameof(EncryptionAlgorithm.A256CbcPad))] EncryptionAlgorithm algorithm)
{
int keySizeInBytes = algorithm.GetAesCbcEncryptionAlgorithm().KeySizeInBytes;
JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps);
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.ImportKeyAsync(
new ImportKeyOptions(keyName, jwk));
RegisterForCleanup(key.Name);
CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true);
CryptographyClient localClient = GetLocalCryptoClient(jwk);
byte[] plaintext = new byte[32];
Recording.Random.NextBytes(plaintext);
byte[] iv = new byte[16];
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc)
{
Recording.Random.NextBytes(iv);
}
EncryptParameters encryptParams = algorithm.ToString() switch
{
EncryptionAlgorithm.A128CbcValue => EncryptParameters.A128CbcParameters(plaintext, iv),
EncryptionAlgorithm.A192CbcValue => EncryptParameters.A192CbcParameters(plaintext, iv),
EncryptionAlgorithm.A256CbcValue => EncryptParameters.A256CbcParameters(plaintext, iv),
EncryptionAlgorithm.A128CbcPadValue => EncryptParameters.A128CbcPadParameters(plaintext, iv),
EncryptionAlgorithm.A192CbcPadValue => EncryptParameters.A192CbcPadParameters(plaintext, iv),
EncryptionAlgorithm.A256CbcPadValue => EncryptParameters.A256CbcPadParameters(plaintext, iv),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
EncryptResult encrypted = await localClient.EncryptAsync(encryptParams);
Assert.IsNotNull(encrypted.Ciphertext);
DecryptParameters decryptParameters = algorithm.ToString() switch
{
EncryptionAlgorithm.A128CbcValue => DecryptParameters.A128CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A192CbcValue => DecryptParameters.A192CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A256CbcValue => DecryptParameters.A256CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A128CbcPadValue => DecryptParameters.A128CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A192CbcPadValue => DecryptParameters.A192CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A256CbcPadValue => DecryptParameters.A256CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters);
Assert.IsNotNull(decrypted.Plaintext);
CollectionAssert.AreEqual(plaintext, decrypted.Plaintext);
}
public async Task AesGcmEncryptDecrypt([EnumValues(
nameof(EncryptionAlgorithm.A128Gcm),
nameof(EncryptionAlgorithm.A192Gcm),
nameof(EncryptionAlgorithm.A256Gcm)
)] EncryptionAlgorithm algorithm)
{
int keySizeInBytes = algorithm.ToString() switch
{
EncryptionAlgorithm.A128GcmValue => 128 >> 3,
EncryptionAlgorithm.A192GcmValue => 192 >> 3,
EncryptionAlgorithm.A256GcmValue => 256 >> 3,
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps);
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.ImportKeyAsync(
new ImportKeyOptions(keyName, jwk));
RegisterForCleanup(key.Name);
CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true);
byte[] plaintext = new byte[32];
Recording.Random.NextBytes(plaintext);
byte[] iv = new byte[16];
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc)
{
Recording.Random.NextBytes(iv);
}
EncryptParameters encryptParams = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => EncryptParameters.A128GcmParameters(plaintext),
EncryptionAlgorithm.A192GcmValue => EncryptParameters.A192GcmParameters(plaintext),
EncryptionAlgorithm.A256GcmValue => EncryptParameters.A256GcmParameters(plaintext),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
EncryptResult encrypted = await remoteClient.EncryptAsync(encryptParams);
Assert.IsNotNull(encrypted.Ciphertext);
DecryptParameters decryptParameters = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => DecryptParameters.A128GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A192GcmValue => DecryptParameters.A192GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A256GcmValue => DecryptParameters.A256GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters);
Assert.IsNotNull(decrypted.Plaintext);
CollectionAssert.AreEqual(plaintext, decrypted.Plaintext);
}
public Task <DecryptResult> DecryptAsync(DecryptParameters options, CancellationToken cancellationToken = default) => throw new CryptographicException(CRYPT_E_NO_PROVIDER);
public void EncryptDecryptRoundtrips(EncryptionAlgorithm algorithm)
{
// Use a 256-bit key which will be truncated based on the selected algorithm.
byte[] k = new byte[] { 0xe2, 0x7e, 0xd0, 0xc8, 0x45, 0x12, 0xbb, 0xd5, 0x5b, 0x6a, 0xf4, 0x34, 0xd2, 0x37, 0xc1, 0x1f, 0xeb, 0xa3, 0x11, 0x87, 0x0f, 0x80, 0xf2, 0xc2, 0xe3, 0x36, 0x42, 0x60, 0xf3, 0x1c, 0x82, 0xc8 };
byte[] iv = new byte[] { 0x89, 0xb8, 0xad, 0xbf, 0xb0, 0x73, 0x45, 0xe3, 0x59, 0x89, 0x32, 0xa0, 0x9c, 0x51, 0x74, 0x41 };
byte[] aad = Encoding.UTF8.GetBytes("test");
JsonWebKey key = new JsonWebKey(new[] { KeyOperation.Encrypt, KeyOperation.Decrypt })
{
K = k,
};
AesCryptographyProvider provider = new AesCryptographyProvider(key, null, false);
byte[] plaintext = Encoding.UTF8.GetBytes("plaintext");
EncryptParameters encryptOptions = new EncryptParameters(algorithm, plaintext, iv, aad);
EncryptResult encrypted = provider.Encrypt(encryptOptions, default);
Assert.IsNotNull(encrypted);
switch (algorithm.ToString())
{
// TODO: Move to new test to make sure CryptoClient and LocalCryptoClient initialize a null ICM for AES-CBC(PAD).
case EncryptionAlgorithm.A128CbcValue:
CollectionAssert.AreEqual(
new byte[] { 0x63, 0x23, 0x21, 0xaf, 0x94, 0xf9, 0xe1, 0x21, 0xc2, 0xbd, 0xb1, 0x1b, 0x04, 0x89, 0x8c, 0x3a },
encrypted.Ciphertext);
CollectionAssert.AreEqual(iv, encrypted.Iv);
Assert.IsNull(encrypted.AuthenticationTag);
Assert.IsNull(encrypted.AdditionalAuthenticatedData);
break;
case EncryptionAlgorithm.A192CbcValue:
CollectionAssert.AreEqual(
new byte[] { 0x95, 0x9d, 0x75, 0x91, 0x09, 0x8b, 0x70, 0x0b, 0x9c, 0xfe, 0xaf, 0xcd, 0x60, 0x1f, 0xaa, 0x79 },
encrypted.Ciphertext);
CollectionAssert.AreEqual(iv, encrypted.Iv);
Assert.IsNull(encrypted.AuthenticationTag);
Assert.IsNull(encrypted.AdditionalAuthenticatedData);
break;
case EncryptionAlgorithm.A256CbcValue:
CollectionAssert.AreEqual(
new byte[] { 0xf4, 0xe8, 0x5a, 0xa4, 0xa8, 0xb3, 0xff, 0xc3, 0x85, 0x89, 0x17, 0x9a, 0x70, 0x09, 0x96, 0x7f },
encrypted.Ciphertext);
CollectionAssert.AreEqual(iv, encrypted.Iv);
Assert.IsNull(encrypted.AuthenticationTag);
Assert.IsNull(encrypted.AdditionalAuthenticatedData);
break;
case EncryptionAlgorithm.A128CbcPadValue:
CollectionAssert.AreEqual(
new byte[] { 0xec, 0xb2, 0x63, 0x4c, 0xe0, 0x04, 0xe0, 0x31, 0x2d, 0x9a, 0x77, 0xb2, 0x11, 0xe5, 0x28, 0x7f },
encrypted.Ciphertext);
CollectionAssert.AreEqual(iv, encrypted.Iv);
Assert.IsNull(encrypted.AuthenticationTag);
Assert.IsNull(encrypted.AdditionalAuthenticatedData);
break;
case EncryptionAlgorithm.A192CbcPadValue:
CollectionAssert.AreEqual(
new byte[] { 0xc3, 0x4e, 0x1b, 0xe7, 0x6e, 0xa1, 0xf1, 0xc3, 0x24, 0xae, 0x05, 0x1b, 0x0e, 0x32, 0xac, 0xb4 },
encrypted.Ciphertext);
CollectionAssert.AreEqual(iv, encrypted.Iv);
Assert.IsNull(encrypted.AuthenticationTag);
Assert.IsNull(encrypted.AdditionalAuthenticatedData);
break;
case EncryptionAlgorithm.A256CbcPadValue:
CollectionAssert.AreEqual(
new byte[] { 0x4e, 0xbd, 0x78, 0xda, 0x90, 0x73, 0xc8, 0x97, 0x67, 0x2b, 0xa1, 0x0a, 0x41, 0x67, 0xf8, 0x99 },
encrypted.Ciphertext);
CollectionAssert.AreEqual(iv, encrypted.Iv);
Assert.IsNull(encrypted.AuthenticationTag);
Assert.IsNull(encrypted.AdditionalAuthenticatedData);
break;
}
DecryptParameters decryptOptions = new DecryptParameters(algorithm, encrypted.Ciphertext, encrypted.Iv);
DecryptResult decrypted = provider.Decrypt(decryptOptions, default);
Assert.IsNotNull(decrypted);
// AES-CBC will be zero-padded.
StringAssert.StartsWith("plaintext", Encoding.UTF8.GetString(decrypted.Plaintext));
}
public void SerializeJsonWebKeySync()
{
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = TestEnvironment.KeyVaultUrl;
#region Snippet:KeysSample7KeyClient
var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
#endregion
#region Snippet:KeysSample7CreateKey
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 2048,
};
KeyVaultKey cloudRsaKey = keyClient.CreateRsaKey(rsaKey);
Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}");
#endregion
string dir = Path.Combine(TestContext.CurrentContext.WorkDirectory, "samples", nameof(Sample7_SerializeJsonWebKey));
Directory.CreateDirectory(dir);
string path = Path.Combine(dir, $"{nameof(SerializeJsonWebKeySync)}.json");
// Use `using` expression for clean sample, but scope it to close and dispose immediately.
{
#region Snippet:KeysSample7Serialize
using FileStream file = File.Create(path);
using (Utf8JsonWriter writer = new Utf8JsonWriter(file))
{
JsonSerializer.Serialize(writer, cloudRsaKey.Key);
}
Debug.WriteLine($"Saved JWK to {path}");
#endregion
}
#region Snippet:KeysSamples7Deserialize
byte[] buffer = File.ReadAllBytes(path);
JsonWebKey jwk = JsonSerializer.Deserialize <JsonWebKey>(buffer);
Debug.WriteLine($"Read JWK from {path} with ID {jwk.Id}");
#endregion
string content = "plaintext";
#region Snippet:KeysSample7Encrypt
var encryptClient = new CryptographyClient(jwk);
byte[] plaintext = Encoding.UTF8.GetBytes(content);
EncryptResult encrypted = encryptClient.Encrypt(EncryptParameters.RsaOaepParameters(plaintext));
Debug.WriteLine($"Encrypted: {Encoding.UTF8.GetString(plaintext)}");
#endregion
byte[] ciphertext = encrypted.Ciphertext;
#region Snippet:KeysSample7Decrypt
CryptographyClient decryptClient = keyClient.GetCryptographyClient(cloudRsaKey.Name, cloudRsaKey.Properties.Version);
DecryptResult decrypted = decryptClient.Decrypt(DecryptParameters.RsaOaepParameters(ciphertext));
Debug.WriteLine($"Decrypted: {Encoding.UTF8.GetString(decrypted.Plaintext)}");
#endregion
DeleteKeyOperation operation = keyClient.StartDeleteKey(rsaKeyName);
// You only need to wait for completion if you want to purge or recover the key.
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
// If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged.
keyClient.PurgeDeletedKey(rsaKeyName);
}
