private void RoundTripGeneric(string testData, AeadEnvelopeCrypto aeadEnvelopeCrypto)
{
CryptoPolicy cryptoPolicy = new DummyCryptoPolicy();
using (SecureCryptoKeyDictionary <DateTimeOffset> secureCryptoKeyDictionary =
new SecureCryptoKeyDictionary <DateTimeOffset>(cryptoPolicy.GetRevokeCheckPeriodMillis()))
{
IEnvelopeEncryption <JObject> envelopeEncryptionJsonImpl = new EnvelopeEncryptionJsonImpl(
partition,
metastore,
secureCryptoKeyDictionary,
new SecureCryptoKeyDictionary <DateTimeOffset>(cryptoPolicy.GetRevokeCheckPeriodMillis()),
aeadEnvelopeCrypto,
cryptoPolicy,
keyManagementService);
using (Session <JObject, JObject> sessionJsonImpl =
new SessionJsonImpl <JObject>(envelopeEncryptionJsonImpl))
{
Asherah.AppEncryption.Util.Json testJson = new Asherah.AppEncryption.Util.Json();
testJson.Put("Test", testData);
string persistenceKey = sessionJsonImpl.Store(testJson.ToJObject(), dataPersistence);
Option <JObject> testJson2 = sessionJsonImpl.Load(persistenceKey, dataPersistence);
Assert.True(testJson2.IsSome);
string resultData = ((JObject)testJson2)["Test"].ToObject <string>();
Assert.Equal(testData, resultData);
}
}
}
private void TestPutAndGetUsableWithUpdateRevokedShouldMarkRevokedAndReturnNotNull()
{
// Give it enough time to account for timing differences
using (SecureCryptoKeyDictionary <string> secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(50))
{
secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object);
CryptoKey getResult = secureCryptoKeyDictionary.Get("test");
Assert.NotNull(getResult);
// Sleep for enough time to get null result
Thread.Sleep(100);
getResult = secureCryptoKeyDictionary.Get("test");
Assert.Null(getResult);
// Put back in as revoked so we can get non-null result again
cryptoKeyMock.Setup(x => x.IsRevoked()).Returns(true);
secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object);
getResult = secureCryptoKeyDictionary.Get("test");
Assert.NotNull(getResult);
// Sleep for enough time to get null result and verify we still get non-null
Thread.Sleep(30);
getResult = secureCryptoKeyDictionary.Get("test");
Assert.NotNull(getResult);
}
}
private void TestGetLastWithRevokeCheckExpiredShouldReturnNull()
{
using (SecureCryptoKeyDictionary <string> secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(1))
{
string key = "some_key";
secureCryptoKeyDictionary.PutAndGetUsable(key, sharedCryptoKeyMock.Object);
// sleep to trigger period check flow
Thread.Sleep(3);
CryptoKey actualCryptoKey = secureCryptoKeyDictionary.GetLast();
Assert.Null(actualCryptoKey);
}
}
private static object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK)
{
AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition(
cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
DefaultProductId);
// TODO Update to create KeyManagementService based on config/param once we plug in AWS KMS
KeyManagementService kms = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey);
CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK();
// TODO Pass Metastore type to enable spy generation once we plug in external metastore types
Mock <MemoryPersistenceImpl <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder);
CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder);
// Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(KeyExpiryDays)
.WithRevokeCheckMinutes(int.MaxValue)
.WithCanCacheIntermediateKeys(false)
.WithCanCacheSystemKeys(false)
.Build();
SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache;
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache;
EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl(
appEncryptionPartition,
metastorePersistence.Object,
systemKeyCache,
new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache),
new BouncyAes256GcmCrypto(),
cryptoPolicy,
kms);
IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson);
// Need to manually set a no-op metrics instance
IMetrics metrics = new MetricsBuilder()
.Configuration.Configure(options => options.Enabled = false)
.Build();
MetricsUtil.SetMetricsInstance(metrics);
return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition });
}
public SessionFactory(
string productId,
string serviceId,
IMetastore <JObject> metastore,
SecureCryptoKeyDictionaryFactory <DateTimeOffset> secureCryptoKeyDictionaryFactory,
CryptoPolicy cryptoPolicy,
KeyManagementService keyManagementService)
{
this.productId = productId;
this.serviceId = serviceId;
this.metastore = metastore;
this.secureCryptoKeyDictionaryFactory = secureCryptoKeyDictionaryFactory;
systemKeyCache = secureCryptoKeyDictionaryFactory.CreateSecureCryptoKeyDictionary();
this.cryptoPolicy = cryptoPolicy;
this.keyManagementService = keyManagementService;
}
/// <summary>
/// Initializes a new instance of the <see cref="EnvelopeEncryptionJsonImpl"/> class using the provided
/// parameters. This is an implementation of <see cref="IEnvelopeEncryption{TD}"/> which uses
/// <see cref="JObject"/> as the Data Row Record format.
/// </summary>
///
/// <param name="partition">A <see cref="GoDaddy.Asherah.AppEncryption.Partition"/> object.</param>
/// <param name="metastore">A <see cref="IMetastore{T}"/> implementation used to store system & intermediate
/// keys.</param>
/// <param name="systemKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation for
/// caching system keys.</param>
/// <param name="intermediateKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation
/// for caching intermediate keys.</param>
/// <param name="aeadEnvelopeCrypto">An implementation of
/// <see cref="GoDaddy.Asherah.Crypto.Envelope.AeadEnvelopeCrypto"/>, used to encrypt/decrypt keys and
/// envelopes.</param>
/// <param name="cryptoPolicy">A <see cref="GoDaddy.Asherah.Crypto.CryptoPolicy"/> implementation that dictates
/// the various behaviors of Asherah.</param>
/// <param name="keyManagementService">A <see cref="GoDaddy.Asherah.AppEncryption.Kms.KeyManagementService"/>
/// implementation that generates the top level master key and encrypts the system keys using the master key.
/// </param>
public EnvelopeEncryptionJsonImpl(
Partition partition,
IMetastore <JObject> metastore,
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache,
SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache,
AeadEnvelopeCrypto aeadEnvelopeCrypto,
CryptoPolicy cryptoPolicy,
KeyManagementService keyManagementService)
{
this.partition = partition;
this.metastore = metastore;
this.systemKeyCache = systemKeyCache;
this.intermediateKeyCache = intermediateKeyCache;
crypto = aeadEnvelopeCrypto;
this.cryptoPolicy = cryptoPolicy;
this.keyManagementService = keyManagementService;
}
/// <summary>
/// Initializes a new instance of the <see cref="SessionFactory"/> class.
/// </summary>
///
/// <param name="productId">A unique identifier for a product.</param>
/// <param name="serviceId">A unique identifier for a service.</param>
/// <param name="metastore">A <see cref="IMetastore{T}"/> implementation used to store system & intermediate
/// keys.</param>
/// <param name="systemKeyCache">A <see cref="ConcurrentDictionary{TKey,TValue}"/> based implementation for
/// caching system keys.</param>
/// <param name="cryptoPolicy">A <see cref="GoDaddy.Asherah.Crypto.CryptoPolicy"/> implementation that dictates
/// the various behaviors of Asherah.</param>
/// <param name="keyManagementService">A <see cref="GoDaddy.Asherah.AppEncryption.Kms.KeyManagementService"/>
/// implementation that generates the top level master key and encrypts the system keys using the master key.
/// </param>
public SessionFactory(
string productId,
string serviceId,
IMetastore <JObject> metastore,
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache,
CryptoPolicy cryptoPolicy,
KeyManagementService keyManagementService)
{
this.productId = productId;
this.serviceId = serviceId;
this.metastore = metastore;
this.systemKeyCache = systemKeyCache;
this.cryptoPolicy = cryptoPolicy;
this.keyManagementService = keyManagementService;
semaphoreLocks = new ConcurrentDictionary <string, object>();
SessionCache = new MemoryCache(new MemoryCacheOptions());
}
private object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK)
{
Partition partition = new Partition(
cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() +
"_" + Random.Next(),
cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
DefaultProductId);
KeyManagementService kms = configFixture.KeyManagementService;
CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK();
Mock <IMetastore <JObject> > metastoreMock = MetastoreMock.CreateMetastoreMock(
partition, kms, metaIK, metaSK, cryptoKeyHolder, configFixture.Metastore);
CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder);
// Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(KeyExpiryDays)
.WithRevokeCheckMinutes(int.MaxValue)
.WithCanCacheIntermediateKeys(false)
.WithCanCacheSystemKeys(false)
.Build();
SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache;
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache;
EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl(
partition,
metastoreMock.Object,
systemKeyCache,
new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache),
new BouncyAes256GcmCrypto(),
cryptoPolicy,
kms);
IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl =
new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson);
return(new object[]
{
envelopeEncryptionByteImpl, metastoreMock, cacheIK, metaIK, cacheSK, metaSK,
partition
});
}
private void TestPutAndGetUsableWithNotRevokedShouldUpdateReturnNullAfterCheckPeriodAndNotNullAfterPutRefreshes()
{
// Give it enough time to account for timing differences
using (SecureCryptoKeyDictionary <string> secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(50))
{
secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object);
CryptoKey getResult = secureCryptoKeyDictionary.Get("test");
Assert.NotNull(getResult);
// Sleep for enough time to get null result
Thread.Sleep(100);
getResult = secureCryptoKeyDictionary.Get("test");
Assert.Null(getResult);
// Put back in to refresh cached time so we can get non-null result again
secureCryptoKeyDictionary.PutAndGetUsable("test", cryptoKeyMock.Object);
getResult = secureCryptoKeyDictionary.Get("test");
Assert.NotNull(getResult);
}
}
private CacheMock(SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache, SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache)
{
SystemKeyCache = systemKeyCache;
IntermediateKeyCache = intermediateKeyCache;
}
public SecureCryptoKeyDictionaryTest()
{
cryptoKeyMock = new Mock <CryptoKey>();
sharedCryptoKeyMock = new Mock <SharedCryptoKey>(cryptoKeyMock.Object);
secureCryptoKeyDictionary = new SecureCryptoKeyDictionary <string>(RevokeCheckPeriodMillis);
}
public FakeSecureCryptoKeyDictionaryFactory(SecureCryptoKeyDictionary <T> secureCryptoKeyDictionary)
: base(null)
{
this.secureCryptoKeyDictionary = secureCryptoKeyDictionary;
}
