/// <exception cref="System.IO.IOException"/>
            /// <exception cref="GeneralSecurityException"/>
            public virtual KeyProvider.KeyVersion DecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion
                                                                      encryptedKeyVersion)
            {
                // Fetch the encryption key material
                string encryptionKeyVersionName = encryptedKeyVersion.GetEncryptionKeyVersionName
                                                      ();

                KeyProvider.KeyVersion encryptionKey = keyProvider.GetKeyVersion(encryptionKeyVersionName
                                                                                 );
                Preconditions.CheckNotNull(encryptionKey, "KeyVersion name '%s' does not exist",
                                           encryptionKeyVersionName);
                Preconditions.CheckArgument(encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName
                                                ().Equals(KeyProviderCryptoExtension.Eek), "encryptedKey version name must be '%s', is '%s'"
                                            , KeyProviderCryptoExtension.Eek, encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName
                                                ());
                // Encryption key IV is determined from encrypted key's IV
                byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(encryptedKeyVersion
                                                                                              .GetEncryptedKeyIv());
                CryptoCodec cc        = CryptoCodec.GetInstance(keyProvider.GetConf());
                Decryptor   decryptor = cc.CreateDecryptor();

                decryptor.Init(encryptionKey.GetMaterial(), encryptionIV);
                KeyProvider.KeyVersion encryptedKV = encryptedKeyVersion.GetEncryptedKeyVersion();
                int        keyLen = encryptedKV.GetMaterial().Length;
                ByteBuffer bbIn   = ByteBuffer.AllocateDirect(keyLen);
                ByteBuffer bbOut  = ByteBuffer.AllocateDirect(keyLen);

                bbIn.Put(encryptedKV.GetMaterial());
                bbIn.Flip();
                decryptor.Decrypt(bbIn, bbOut);
                bbOut.Flip();
                byte[] decryptedKey = new byte[keyLen];
                bbOut.Get(decryptedKey);
                return(new KeyProvider.KeyVersion(encryptionKey.GetName(), Ek, decryptedKey));
            }
 public virtual void TestGenerateEncryptedKey()
 {
     // Generate a new EEK and check it
     KeyProviderCryptoExtension.EncryptedKeyVersion ek1 = kpExt.GenerateEncryptedKey(encryptionKey
                                                                                     .GetName());
     Assert.Equal("Version name of EEK should be EEK", KeyProviderCryptoExtension
                  .Eek, ek1.GetEncryptedKeyVersion().GetVersionName());
     Assert.Equal("Name of EEK should be encryption key name", EncryptionKeyName
                  , ek1.GetEncryptionKeyName());
     NUnit.Framework.Assert.IsNotNull("Expected encrypted key material", ek1.GetEncryptedKeyVersion
                                          ().GetMaterial());
     Assert.Equal("Length of encryption key material and EEK material should "
                  + "be the same", encryptionKey.GetMaterial().Length, ek1.GetEncryptedKeyVersion
                      ().GetMaterial().Length);
     // Decrypt EEK into an EK and check it
     KeyProvider.KeyVersion k1 = kpExt.DecryptEncryptedKey(ek1);
     Assert.Equal(KeyProviderCryptoExtension.Ek, k1.GetVersionName(
                      ));
     Assert.Equal(encryptionKey.GetMaterial().Length, k1.GetMaterial
                      ().Length);
     if (Arrays.Equals(k1.GetMaterial(), encryptionKey.GetMaterial()))
     {
         NUnit.Framework.Assert.Fail("Encrypted key material should not equal encryption key material"
                                     );
     }
     if (Arrays.Equals(ek1.GetEncryptedKeyVersion().GetMaterial(), encryptionKey.GetMaterial
                           ()))
     {
         NUnit.Framework.Assert.Fail("Encrypted key material should not equal decrypted key material"
                                     );
     }
     // Decrypt it again and it should be the same
     KeyProvider.KeyVersion k1a = kpExt.DecryptEncryptedKey(ek1);
     Assert.AssertArrayEquals(k1.GetMaterial(), k1a.GetMaterial());
     // Generate another EEK and make sure it's different from the first
     KeyProviderCryptoExtension.EncryptedKeyVersion ek2 = kpExt.GenerateEncryptedKey(encryptionKey
                                                                                     .GetName());
     KeyProvider.KeyVersion k2 = kpExt.DecryptEncryptedKey(ek2);
     if (Arrays.Equals(k1.GetMaterial(), k2.GetMaterial()))
     {
         NUnit.Framework.Assert.Fail("Generated EEKs should have different material!");
     }
     if (Arrays.Equals(ek1.GetEncryptedKeyIv(), ek2.GetEncryptedKeyIv()))
     {
         NUnit.Framework.Assert.Fail("Generated EEKs should have different IVs!");
     }
 }
        public virtual void TestEncryptDecrypt()
        {
            // Get an EEK
            KeyProviderCryptoExtension.EncryptedKeyVersion eek = kpExt.GenerateEncryptedKey(encryptionKey
                                                                                            .GetName());
            byte[] encryptedKeyIv       = eek.GetEncryptedKeyIv();
            byte[] encryptedKeyMaterial = eek.GetEncryptedKeyVersion().GetMaterial();
            // Decrypt it manually
            Cipher cipher = Cipher.GetInstance("AES/CTR/NoPadding");

            cipher.Init(Cipher.DecryptMode, new SecretKeySpec(encryptionKey.GetMaterial
                                                                  (), "AES"), new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV
                                                                                                      (encryptedKeyIv)));
            byte[] manualMaterial = cipher.DoFinal(encryptedKeyMaterial);
            // Test the createForDecryption factory method
            KeyProviderCryptoExtension.EncryptedKeyVersion eek2 = KeyProviderCryptoExtension.EncryptedKeyVersion
                                                                  .CreateForDecryption(eek.GetEncryptionKeyName(), eek.GetEncryptionKeyVersionName
                                                                                           (), eek.GetEncryptedKeyIv(), eek.GetEncryptedKeyVersion().GetMaterial());
            // Decrypt it with the API
            KeyProvider.KeyVersion decryptedKey = kpExt.DecryptEncryptedKey(eek2);
            byte[] apiMaterial = decryptedKey.GetMaterial();
            Assert.AssertArrayEquals("Wrong key material from decryptEncryptedKey", manualMaterial
                                     , apiMaterial);
        }
 /// <summary>
 /// Decrypts an encrypted byte[] key material using the given a key version
 /// name and initialization vector.
 /// </summary>
 /// <param name="encryptedKey">
 /// contains keyVersionName and IV to decrypt the encrypted
 /// key material
 /// </param>
 /// <returns>
 /// a KeyVersion with the decrypted key material, the version name is
 /// 'EK' (For Encryption Key)
 /// </returns>
 /// <exception cref="System.IO.IOException">thrown if the key material could not be decrypted
 ///     </exception>
 /// <exception cref="GeneralSecurityException">
 /// thrown if the key material could not be
 /// decrypted because of a cryptographic issue.
 /// </exception>
 public virtual KeyProvider.KeyVersion DecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion
                                                           encryptedKey)
 {
     return(GetExtension().DecryptEncryptedKey(encryptedKey));
 }