public void SetStoreNameApproperiatelyFromMasterKeyPathRegardlessOfCase(string masterKeyPath)
        {
            // Theory body: presumably each supplied master key path spells the store name
            // ("CurrentUser"/"LocalMachine", "My") in a different casing, and the provider is
            // expected to accept all of them. Only a non-null result is asserted; the wrapped
            // value itself is not inspected.
            var storeProvider = new SqlColumnEncryptionCertificateStoreProvider();
            var plaintextCek  = new byte[] { 1, 2, 3, 4, 5 };

            byte[] wrappedCek = storeProvider.EncryptColumnEncryptionKey(masterKeyPath, ENCRYPTION_ALGORITHM, plaintextCek);

            Assert.NotNull(wrappedCek);
        }
        public void TestRoundTripWithCSPAndCertStoreProvider()
        {
            // A CEK wrapped by the certificate-store provider must unwrap through the CSP
            // provider and vice versa: both paths (certificate store path and CSP key
            // container path) are derived from the same freshly created certificate.
            const string providerName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
            const string providerType = "24";
            const string algorithm    = @"RSA_OAEP";

            string certificateName = $"AETest - {providerName}";

            // The certificate is created in the CurrentUser store and always removed in the
            // finally block, so a failing assertion does not leave test key material behind.
            CertificateUtilityWin.CreateCertificate(certificateName, StoreLocation.CurrentUser.ToString(), providerName, providerType);
            try
            {
                // NOTE(review): `cert` is not disposed here; whether it owns a private-key
                // handle depends on CertificateUtilityWin.GetCertificate, which is not visible.
                X509Certificate2 cert  = CertificateUtilityWin.GetCertificate(certificateName, StoreLocation.CurrentUser);
                string cspPath         = CertificateUtilityWin.GetCspPathFromCertificate(cert);
                string certificatePath = "CurrentUser/my/" + cert.Thumbprint;

                var certProvider = new SqlColumnEncryptionCertificateStoreProvider();
                var cspProvider  = new SqlColumnEncryptionCspProvider();

                byte[] plaintextCek = DatabaseHelper.GenerateRandomBytes(32);

                // Direction 1: wrap with the certificate provider, unwrap with the CSP provider.
                byte[] wrappedByCert  = certProvider.EncryptColumnEncryptionKey(certificatePath, algorithm, plaintextCek);
                byte[] unwrappedByCsp = cspProvider.DecryptColumnEncryptionKey(cspPath, algorithm, wrappedByCert);
                Assert.True(plaintextCek.SequenceEqual(unwrappedByCsp));

                // Direction 2: wrap with the CSP provider, unwrap with the certificate provider.
                byte[] wrappedByCsp    = cspProvider.EncryptColumnEncryptionKey(cspPath, algorithm, plaintextCek);
                byte[] unwrappedByCert = certProvider.DecryptColumnEncryptionKey(certificatePath, algorithm, wrappedByCsp);
                Assert.True(plaintextCek.SequenceEqual(unwrappedByCert));
            }
            finally
            {
                CertificateUtilityWin.RemoveCertificate(certificateName, StoreLocation.CurrentUser);
            }
        }
        public void AcceptEncryptionAlgorithmRegardlessOfCase(string algorithm)
        {
            // Theory body: the algorithm name (presumably variants of "RSA_OAEP" in different
            // casing) must be accepted by EncryptColumnEncryptionKey. Only a non-null ciphertext
            // is asserted.
            var storeProvider = new SqlColumnEncryptionCertificateStoreProvider();
            var plaintextCek  = new byte[] { 1, 2, 3, 4, 5 };

            byte[] wrappedCek = storeProvider.EncryptColumnEncryptionKey(MASTER_KEY_PATH, algorithm, plaintextCek);

            Assert.NotNull(wrappedCek);
        }
        public void ThrowExceptionWithInvalidParameterWhileEncryptingColumnEncryptionKey(string errorMsg, Type exceptionType, string masterKeyPath, string encryptionAlgorithm, byte[] bytes)
        {
            // Negative theory: each (masterKeyPath, encryptionAlgorithm, bytes) triple must be
            // rejected with exactly `exceptionType`, and the message is compared verbatim, so
            // the expected strings in the theory data have to track the provider's resources.
            var storeProvider = new SqlColumnEncryptionCertificateStoreProvider();

            Exception thrown = Assert.Throws(exceptionType,
                () => storeProvider.EncryptColumnEncryptionKey(masterKeyPath, encryptionAlgorithm, bytes));

            Assert.Equal(errorMsg, thrown.Message);
        }
        public void ThrowExceptionWithInvalidParameterWhileSigningColumnMasterKeyMetadata(string errorMsg, Type exceptionType, string masterKeyPath)
        {
            // Negative theory for SignColumnMasterKeyMetadata: an invalid master key path must
            // raise exactly `exceptionType` with message `errorMsg`. allowEnclaveComputations is
            // fixed to true here; the path is the only input under test.
            var storeProvider = new SqlColumnEncryptionCertificateStoreProvider();

            Exception thrown = Assert.Throws(exceptionType,
                () => storeProvider.SignColumnMasterKeyMetadata(masterKeyPath, allowEnclaveComputations: true));

            Assert.Equal(errorMsg, thrown.Message);
        }
        public void ThrowPlatformNotSupportedExceptionInUnix()
        {
            // On non-Windows hosts every provider entry point is expected to fail with
            // PlatformNotSupportedException. Empty strings and an empty byte array are passed
            // on the assumption that the platform check runs before argument validation;
            // if it did not, a different exception type would surface here.
            var storeProvider = new SqlColumnEncryptionCertificateStoreProvider();
            var noBytes       = new byte[] { };

            Action[] unsupportedCalls =
            {
                () => storeProvider.EncryptColumnEncryptionKey("", "", noBytes),
                () => storeProvider.DecryptColumnEncryptionKey("", "", noBytes),
                () => storeProvider.SignColumnMasterKeyMetadata("", false),
                () => storeProvider.VerifyColumnMasterKeyMetadata("", false, noBytes),
            };

            foreach (Action call in unsupportedCalls)
            {
                Assert.Throws<PlatformNotSupportedException>(call);
            }
        }
        public void FailToVerifyColumnMasterKeyMetadataWithWrongCertificate(bool allowEnclaveComputations)
        {
            // Metadata signed under MASTER_KEY_PATH must not verify against a different
            // certificate path. The thumbprint below is a fixture value assumed to differ from
            // MASTER_KEY_PATH; whether that certificate has to exist in the store for
            // verification to return false rather than throw is not visible here.
            const string otherCertificatePath = "CurrentUser/My/4281446463C6F7F5B8EDFFA4BD6E345E46857CAD";

            var storeProvider = new SqlColumnEncryptionCertificateStoreProvider();

            byte[] metadataSignature = storeProvider.SignColumnMasterKeyMetadata(MASTER_KEY_PATH, allowEnclaveComputations);
            Assert.NotNull(metadataSignature);

            bool verified = storeProvider.VerifyColumnMasterKeyMetadata(otherCertificatePath, allowEnclaveComputations, metadataSignature);
            Assert.False(verified);
        }
        public void SignAndVerifyColumnMasterKeyMetadataSuccessfully(bool allowEnclaveComputations)
        {
            // Sign/verify round trip for column master key metadata. The signature must verify
            // with the same (path, allowEnclaveComputations) pair it was produced with, and must
            // NOT verify once the enclave flag is flipped — that second assertion is what shows
            // the flag is covered by the signature and cannot be toggled after the fact.
            var storeProvider = new SqlColumnEncryptionCertificateStoreProvider();

            byte[] metadataSignature = storeProvider.SignColumnMasterKeyMetadata(MASTER_KEY_PATH, allowEnclaveComputations);
            Assert.NotNull(metadataSignature);

            bool sameFlagVerifies    = storeProvider.VerifyColumnMasterKeyMetadata(MASTER_KEY_PATH, allowEnclaveComputations, metadataSignature);
            bool flippedFlagVerifies = storeProvider.VerifyColumnMasterKeyMetadata(MASTER_KEY_PATH, !allowEnclaveComputations, metadataSignature);

            Assert.True(sameFlagVerifies);
            Assert.False(flippedFlagVerifies);
        }
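        public void EncryptAndDecryptDataSuccessfully()
        {
            // Wrap/unwrap round trip of a small fixed CEK under MASTER_KEY_PATH with
            // ENCRYPTION_ALGORITHM; the unwrapped bytes must equal the original.
            //
            // Fix: the original declared `input` but passed a second, separately written
            // literal to Encrypt; the two could silently drift apart. The same array is now
            // used for both the call and the assertion.
            var input    = new byte[] { 1, 2, 3, 4, 5 };
            var provider = new SqlColumnEncryptionCertificateStoreProvider();

            byte[] ciphertext = provider.EncryptColumnEncryptionKey(MASTER_KEY_PATH, ENCRYPTION_ALGORITHM, input);
            byte[] output     = provider.DecryptColumnEncryptionKey(MASTER_KEY_PATH, ENCRYPTION_ALGORITHM, ciphertext);

            Assert.Equal(input, output);
        }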
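        public void EncryptKeyAndThenDecryptItSuccessfully(int dataSize)
        {
            // Round-trips a CEK of `dataSize` bytes through the certificate-store provider.
            //
            // Fix: the key bytes are drawn from the OS CSPRNG instead of System.Random. The
            // assertion does not depend on the generator, but key material produced with
            // System.Random is the wrong pattern to demonstrate in a column-encryption sample,
            // and the other examples on this page already use a cryptographic RNG. The type is
            // fully qualified so no additional using directive is required.
            var provider            = new SqlColumnEncryptionCertificateStoreProvider();
            var columnEncryptionKey = new byte[dataSize];

            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(columnEncryptionKey);
            }

            byte[] encryptedData = provider.EncryptColumnEncryptionKey(MASTER_KEY_PATH, ENCRYPTION_ALGORITHM, columnEncryptionKey);
            byte[] decryptedData = provider.DecryptColumnEncryptionKey(MASTER_KEY_PATH, ENCRYPTION_ALGORITHM, encryptedData);

            Assert.Equal(columnEncryptionKey, decryptedData);
        }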
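        internal static bool VerifyRsaSignatureDirectly(byte[] hashedCek, byte[] signedCek, byte[] rsaPfx)
        {
            // Invokes the provider's non-public RSA signature check (reached through the
            // reflection MethodInfo SqlColumnEncryptionCertificateStoreProviderRSAVerifySignature)
            // with an in-memory certificate, so the check can be exercised without a
            // certificate store. Returns the bool the provider returns.
            //
            // rsaPfx must be a non-empty PFX blob; hashedCek/signedCek are passed through
            // unchecked, as some callers deliberately supply invalid values. Note that
            // Debug.Assert is compiled out of Release builds, so it is not an input check.
            Debug.Assert(rsaPfx != null && rsaPfx.Length > 0);

            // Fixture PFX password (shared with DecryptRsaDirectly); it protects test material
            // only. Fix: X509Certificate2 is IDisposable and was never disposed — the
            // certificate and any private-key handle it holds are now released on exit.
            using (X509Certificate2 x509 = new X509Certificate2(rsaPfx, @"P@zzw0rD!SqlvN3x+"))
            {
                Debug.Assert(x509.HasPrivateKey);

                SqlColumnEncryptionCertificateStoreProvider rsaProvider = new SqlColumnEncryptionCertificateStoreProvider();
                object verifyResult = SqlColumnEncryptionCertificateStoreProviderRSAVerifySignature.Invoke(
                    rsaProvider, new object[] { hashedCek, signedCek, x509 });

                return (bool)verifyResult;
            }
        }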
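        internal static byte[] DecryptRsaDirectly(byte[] rsaPfx, byte[] ciphertextCek, string masterKeyPath)
        {
            // Invokes the provider's non-public RSA decryption (reached through the reflection
            // MethodInfo SqlColumnEncryptionCertificateStoreProviderRSADecrypt) with an in-memory
            // certificate and returns the plaintext bytes it produces.
            //
            // rsaPfx must be a non-empty PFX blob containing the private key. ciphertextCek may
            // be invalid on purpose for exception-handling tests; masterKeyPath is accepted for
            // signature compatibility but is not used by this helper. Debug.Assert is compiled
            // out of Release builds, so it is not an input check.
            Debug.Assert(rsaPfx != null && rsaPfx.Length > 0);

            // Fixture PFX password (shared with VerifyRsaSignatureDirectly); it protects test
            // material only. Fix: X509Certificate2 is IDisposable and was never disposed — the
            // certificate and its private-key handle are now released on exit, including when
            // the invoked decryption throws.
            using (X509Certificate2 x509 = new X509Certificate2(rsaPfx, @"P@zzw0rD!SqlvN3x+"))
            {
                Debug.Assert(x509.HasPrivateKey);

                SqlColumnEncryptionCertificateStoreProvider rsaProvider = new SqlColumnEncryptionCertificateStoreProvider();
                object decryptResult = SqlColumnEncryptionCertificateStoreProviderRSADecrypt.Invoke(
                    rsaProvider, new object[] { ciphertextCek, x509 });

                return (byte[])decryptResult;
            }
        }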
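        private static string GetEncryptionKey(string thumbprint)
        {
            // Generates a fresh 32-byte (256-bit) column encryption key from the OS CSPRNG,
            // wraps it with RSA-OAEP under the column master key certificate at
            // LocalMachine/My/{thumbprint}, and returns the wrapped value as a "0x"-prefixed
            // hex string (per the original comment, the form used when creating the column
            // encryption key on the server).
            //
            // The plaintext key is intentionally not returned. Fix: it is now zeroed as soon
            // as the wrap call completes (or throws) so the raw key does not linger in managed
            // memory longer than needed. `thumbprint` is not validated here; a bad value
            // surfaces as whatever exception the provider raises for the path.
            var plaintextKey = new byte[32];

            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(plaintextKey);
            }

            byte[] wrappedKey;
            try
            {
                var provider = new SqlColumnEncryptionCertificateStoreProvider();
                wrappedKey = provider.EncryptColumnEncryptionKey($"LocalMachine/My/{thumbprint}", "RSA_OAEP", plaintextKey);
            }
            finally
            {
                Array.Clear(plaintextKey, 0, plaintextKey.Length);
            }

            return "0x" + BitConverter.ToString(wrappedKey).Replace("-", "");
        }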
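        static byte[] GetEncryptedColumnEncryptonKey()
        {
            // Returns a 256-bit column encryption key wrapped with RSA-OAEP under the fixed
            // column master key certificate identified below (CurrentUser/My/<thumbprint>).
            // Only the wrapped form leaves this method.
            //
            // Fixes: RNGCryptoServiceProvider is IDisposable and was never disposed; it is now
            // scoped with `using`. The plaintext key bytes are zeroed once wrapping completes
            // (or throws) so they do not linger in managed memory.
            const int    cekLength                = 32;
            const string certificateStoreLocation = "CurrentUser";
            const string certificateThumbprint    = "FCA2F7B54CC3A3A80C478A418C600205325C6757";

            // Generate the plaintext column encryption key from the OS CSPRNG.
            byte[] columnEncryptionKey = new byte[cekLength];
            using (var rngCsp = new RNGCryptoServiceProvider())
            {
                rngCsp.GetBytes(columnEncryptionKey);
            }

            // Wrap the column encryption key with the certificate's RSA key.
            string keyPath = String.Format(@"{0}/My/{1}", certificateStoreLocation, certificateThumbprint);
            var provider   = new SqlColumnEncryptionCertificateStoreProvider();

            try
            {
                return provider.EncryptColumnEncryptionKey(keyPath, @"RSA_OAEP", columnEncryptionKey);
            }
            finally
            {
                Array.Clear(columnEncryptionKey, 0, columnEncryptionKey.Length);
            }
        }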
 public SQLSetupStrategyCertStoreProvider() : base()
 {
     // Setup strategy that backs the test database with the built-in certificate-store
     // column master key provider. The provider is assigned before SetupDatabase() runs,
     // presumably because the database setup relies on it; whether SetupDatabase is
     // virtual (and thus invoked from a constructor) is not visible here.
     var certificateStoreProvider = new SqlColumnEncryptionCertificateStoreProvider();
     CertStoreProvider = certificateStoreProvider;

     SetupDatabase();
 }