public void InitializesIv([EnumValues] EncryptionAlgorithm algorithm) { EncryptOptions options = new EncryptOptions(algorithm, Array.Empty <byte>()); options.Initialize(); if (algorithm.GetAesCbcEncryptionAlgorithm() != null) { byte[] iv = options.Iv; Assert.IsNotNull(options.Iv); CollectionAssert.IsNotEmpty(options.Iv); // Calling it again should not overwrite. options.Initialize(); Assert.AreSame(iv, options.Iv); } else { Assert.IsNull(options.Iv); } }
public async Task EncryptLocalDecryptOnManagedHsm([EnumValues( nameof(EncryptionAlgorithm.A128Cbc), nameof(EncryptionAlgorithm.A192Cbc), nameof(EncryptionAlgorithm.A256Cbc), nameof(EncryptionAlgorithm.A128CbcPad), nameof(EncryptionAlgorithm.A192CbcPad), nameof(EncryptionAlgorithm.A256CbcPad))] EncryptionAlgorithm algorithm) { int keySizeInBytes = algorithm.GetAesCbcEncryptionAlgorithm().KeySizeInBytes; JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps); string keyName = Recording.GenerateId(); KeyVaultKey key = await Client.ImportKeyAsync( new ImportKeyOptions(keyName, jwk)); RegisterForCleanup(key.Name); CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true); CryptographyClient localClient = GetLocalCryptoClient(jwk); byte[] plaintext = new byte[32]; Recording.Random.NextBytes(plaintext); byte[] iv = new byte[16]; if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc) { Recording.Random.NextBytes(iv); } EncryptParameters encryptParams = algorithm.ToString() switch { EncryptionAlgorithm.A128CbcValue => EncryptParameters.A128CbcParameters(plaintext, iv), EncryptionAlgorithm.A192CbcValue => EncryptParameters.A192CbcParameters(plaintext, iv), EncryptionAlgorithm.A256CbcValue => EncryptParameters.A256CbcParameters(plaintext, iv), EncryptionAlgorithm.A128CbcPadValue => EncryptParameters.A128CbcPadParameters(plaintext, iv), EncryptionAlgorithm.A192CbcPadValue => EncryptParameters.A192CbcPadParameters(plaintext, iv), EncryptionAlgorithm.A256CbcPadValue => EncryptParameters.A256CbcPadParameters(plaintext, iv), _ => throw new NotSupportedException($"{algorithm} is not supported"), }; EncryptResult encrypted = await localClient.EncryptAsync(encryptParams); Assert.IsNotNull(encrypted.Ciphertext); DecryptParameters decryptParameters = algorithm.ToString() switch { EncryptionAlgorithm.A128CbcValue => DecryptParameters.A128CbcParameters(encrypted.Ciphertext, encrypted.Iv), EncryptionAlgorithm.A192CbcValue => DecryptParameters.A192CbcParameters(encrypted.Ciphertext, encrypted.Iv), EncryptionAlgorithm.A256CbcValue => DecryptParameters.A256CbcParameters(encrypted.Ciphertext, encrypted.Iv), EncryptionAlgorithm.A128CbcPadValue => DecryptParameters.A128CbcPadParameters(encrypted.Ciphertext, encrypted.Iv), EncryptionAlgorithm.A192CbcPadValue => DecryptParameters.A192CbcPadParameters(encrypted.Ciphertext, encrypted.Iv), EncryptionAlgorithm.A256CbcPadValue => DecryptParameters.A256CbcPadParameters(encrypted.Ciphertext, encrypted.Iv), _ => throw new NotSupportedException($"{algorithm} is not supported"), }; DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters); Assert.IsNotNull(decrypted.Plaintext); CollectionAssert.AreEqual(plaintext, decrypted.Plaintext); }
public async Task AesGcmEncryptDecrypt([EnumValues( nameof(EncryptionAlgorithm.A128Gcm), nameof(EncryptionAlgorithm.A192Gcm), nameof(EncryptionAlgorithm.A256Gcm) )] EncryptionAlgorithm algorithm) { int keySizeInBytes = algorithm.ToString() switch { EncryptionAlgorithm.A128GcmValue => 128 >> 3, EncryptionAlgorithm.A192GcmValue => 192 >> 3, EncryptionAlgorithm.A256GcmValue => 256 >> 3, _ => throw new NotSupportedException($"{algorithm} is not supported"), }; JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps); string keyName = Recording.GenerateId(); KeyVaultKey key = await Client.ImportKeyAsync( new ImportKeyOptions(keyName, jwk)); RegisterForCleanup(key.Name); CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true); byte[] plaintext = new byte[32]; Recording.Random.NextBytes(plaintext); byte[] iv = new byte[16]; if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc) { Recording.Random.NextBytes(iv); } EncryptParameters encryptParams = algorithm.ToString() switch { // TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM. EncryptionAlgorithm.A128GcmValue => EncryptParameters.A128GcmParameters(plaintext), EncryptionAlgorithm.A192GcmValue => EncryptParameters.A192GcmParameters(plaintext), EncryptionAlgorithm.A256GcmValue => EncryptParameters.A256GcmParameters(plaintext), _ => throw new NotSupportedException($"{algorithm} is not supported"), }; EncryptResult encrypted = await remoteClient.EncryptAsync(encryptParams); Assert.IsNotNull(encrypted.Ciphertext); DecryptParameters decryptParameters = algorithm.ToString() switch { // TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM. EncryptionAlgorithm.A128GcmValue => DecryptParameters.A128GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag), EncryptionAlgorithm.A192GcmValue => DecryptParameters.A192GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag), EncryptionAlgorithm.A256GcmValue => DecryptParameters.A256GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag), _ => throw new NotSupportedException($"{algorithm} is not supported"), }; DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters); Assert.IsNotNull(decrypted.Plaintext); CollectionAssert.AreEqual(plaintext, decrypted.Plaintext); }