// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key
// encrypting with the key, etc.
// Note this tests when the key already exists. Should Fail.
public async Task RestoreKey_KeyAlreadyExists_ReturnsFalse()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256);
// E. Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.True(tbri.Success);
Assert.AreNotEqual(null, tbri.KeyBackup);
// B. Rotate the key a few times so we know the keys are different.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
// Read key, prior to restore.
TransitKeyInfo tki = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Name, key);
// G. Restore the key
Assert.False(await _transitSecretEngine.RestoreKey(key, tbri));
}
/// <summary>
/// Restores the given key to the Vault.
/// </summary>
/// <param name="keyName">Name of encryption key that should be restored.</param>
/// <param name="tbri">TransitBackupRestoreItem containing the backup value.</param>
/// <returns>True if success.</returns>
public async Task <bool> RestoreKey(string keyName, TransitBackupRestoreItem tbri)
{
string path = MountPointPath + "restore/" + keyName;
// Setup Post Parameters in body.
Dictionary <string, string> contentParams = new Dictionary <string, string>();
try {
// Build the parameter list.
contentParams.Add("backup", tbri.KeyBackup);
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "RestoreKey", contentParams);
return(vdro.Success);
}
catch (VaultInternalErrorException e) {
if (e.Message.Contains("already exists"))
{
return(false);
}
else
{
throw e;
}
}
}
// Test that we get an error when trying to backup a key that cannot be backed up.
public async Task BackupKey_ThrowsError_WhenNotExportable()
{
// Cannot use the Transit_InitWithKey function. It sets Backup to true and once set that value cannot be changed.
string key = _uniqueKeys.GetKey("Key");
// Create key.
bool rc = await _transitSecretEngine.CreateEncryptionKey(key, false, true, TransitEnumKeyType.aes256);
Assert.True(rc);
// Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.False(tbri.Success);
Assert.True(tbri.ErrorMsg.Contains("Key is not exportable"));
}
// Test that we can backup a key that is enabled for backup.
public async Task BackupKey_Success()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256, true);
// Allow Backup.
Dictionary <string, string> keyconfig = new Dictionary <string, string> {
{ TransitConstants.KeyConfig_Allow_Backup, "true" }
};
TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig);
// Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.True(tbri.Success);
Assert.AreNotEqual(null, tbri.KeyBackup);
}
/// <summary>
/// Returns a plaintext backup of the requested key. Backups contains all configuration data and all keys of all versions along with the
/// HMAC key. The TransitBackupRestoreItem can be used with the RestoreKey method to restore the given key. Callers should check the
/// TransitBackupRestoreItem Success flag to determine if it worked and ErrorMsg to identify any errors if it did not. The 2 most common
/// errors are: Export is disabled and PlainTextBackup is disabled. These need to be enabled on the key prior to backing up.
/// </summary>
/// <param name="keyName">Name of the encryption key to backup.</param>
/// <returns>TransitBackupRestoreItem containing the full backup of the key.</returns>
public async Task <TransitBackupRestoreItem> BackupKey(string keyName)
{
string path = MountPointPath + "backup/" + keyName;
try {
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.GetAsync_B(path, "BackupKey");
// Pull out the results and send back.
TransitBackupRestoreItem tbri = await vdro.GetDotNetObject <TransitBackupRestoreItem>();
if (tbri.KeyBackup != null)
{
tbri.Success = true;
}
return(tbri);
}
catch (VaultInternalErrorException e) {
string errMsg = "";
if (e.Message.Contains("exporting is disallowed"))
{
errMsg = "Key is not exportable. Must be exportable to be backed up.";
}
else if (e.Message.Contains("plaintext backup is disallowed on the policy"))
{
errMsg = "Key has PlainTextBackup disabled. Backup not possible.";
}
else
{
throw e;
}
TransitBackupRestoreItem tbri = new TransitBackupRestoreItem()
{
Success = false,
ErrorMsg = errMsg
};
return(tbri);
}
}
// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key
// encrypting with the key, etc.
public async Task RestoreKey_Success()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256);
// A. Enable deletion of the key.
Dictionary <string, string> keyconfig = new Dictionary <string, string> {
{ TransitConstants.KeyConfig_DeleteAllowed, "true" }
};
TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig);
Assert.True(tki.CanDelete);
// B. Rotate the key a few times.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
// C. Encrypt a piece of data.
string encryptedValue = "ABCzyx123";
TransitEncryptedItem encItem = await _transitSecretEngine.Encrypt(key, encryptedValue);
// D. Rotate Keys a few more times.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
tki = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Name, key);
// E. Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.True(tbri.Success);
Assert.AreNotEqual(null, tbri.KeyBackup);
// F. Delete key.
Assert.True(await _transitSecretEngine.DeleteKey(key));
// G. Restore the key
Assert.True(await _transitSecretEngine.RestoreKey(key, tbri));
// H. Decrypt an item with restored key.
TransitDecryptedItem decItem = await _transitSecretEngine.Decrypt(key, encItem.EncryptedValue);
Assert.AreEqual(encryptedValue, decItem.DecryptedValue);
// I. Validate the restore.
TransitKeyInfo tkiRestore = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Type, tkiRestore.Type);
Assert.AreEqual(tki.LatestVersionNum, tkiRestore.LatestVersionNum);
Assert.AreEqual(tki.Name, tkiRestore.Name);
Assert.AreEqual(tki.Keys.Count, tkiRestore.Keys.Count);
}
