public async Task ReadEncryptionKeyInfo_Success()
{
TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(encKeyA);
Assert.AreEqual(encKeyA, TKI.Name);
Assert.AreEqual(1, TKI.LatestVersionNum);
}
// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key
// encrypting with the key, etc.
// Note this tests when the key already exists. Should Fail.
public async Task RestoreKey_KeyAlreadyExists_ReturnsFalse()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256);
// E. Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.True(tbri.Success);
Assert.AreNotEqual(null, tbri.KeyBackup);
// B. Rotate the key a few times so we know the keys are different.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
// Read key, prior to restore.
TransitKeyInfo tki = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Name, key);
// G. Restore the key
Assert.False(await _transitSecretEngine.RestoreKey(key, tbri));
}
public async Task Run_ReadKey(string key)
{
// Read an Encryption Key.
TransitKeyInfo TKI = await TB.ReadEncryptionKey(key);
Console.WriteLine("Encryption Key Read:");
Console.WriteLine(" - {0}", TKI.ToString());
}
public async Task RotateKey_Works()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256);
bool rotated = await _transitSecretEngine.RotateKey(key);
Assert.AreEqual(rotated, true);
// Retrieve key.
TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(TKI.LatestVersionNum, 2);
}
/// <summary>
/// Returns true or false if a given key exists.
/// </summary>
/// <param name="keyName">Name of the key you want to validate if it exists.</param>
/// <returns>True if key exists. False if it does not.</returns>
public async Task <bool> IfExists(string keyName)
{
try {
TransitKeyInfo TKI = await ReadEncryptionKey(keyName);
if (TKI != null)
{
return(true);
}
else
{
return(false);
}
}
catch (VaultInvalidPathException) { return(false); }
}
// Test that we can backup a key that is enabled for backup.
public async Task BackupKey_Success()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256, true);
// Allow Backup.
Dictionary <string, string> keyconfig = new Dictionary <string, string> {
{ TransitConstants.KeyConfig_Allow_Backup, "true" }
};
TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig);
// Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.True(tbri.Success);
Assert.AreNotEqual(null, tbri.KeyBackup);
}
public async Task Run_ReEncrypt(string key)
{
Console.WriteLine("Running Re-Encrypt Data Process:");
string a = "abcDEF123$%^";
TransitKeyInfo TKIA = await TB.ReadEncryptionKey(key);
Console.WriteLine(" -- Encryption Key Current Version is {0}", TKIA.LatestVersionNum);
TransitEncryptedItem response = await TB.Encrypt(key, a);
bool success = await TB.RotateKey(key);
if (!success)
{
Console.WriteLine(" -- Failed to rotate the key. Stopping the Re-Encryption test.");
return;
}
TransitKeyInfo TKIB = await TB.ReadEncryptionKey(key);
Console.WriteLine(" -- Encryption Key New Version is {0}", TKIB.LatestVersionNum);
TransitEncryptedItem response2 = await TB.ReEncrypt(key, response.EncryptedValue);
if (response2 != null)
{
Console.WriteLine(" -- Reencryption completed.");
// Now validate by decrypting original value and new value. Should be same.
TransitDecryptedItem decryptA = await TB.Decrypt(key, response.EncryptedValue);
TransitDecryptedItem decryptB = await TB.Decrypt(key, response2.EncryptedValue);
if (a == decryptB.DecryptedValue)
{
Console.WriteLine(" -- ReEncryption successfull. Original Data = {0} and after re-encrypt value = {1}", a, decryptB.DecryptedValue);
}
else
{
Console.WriteLine(" -- ReEncryption FAILED. Original value = {0}, re-Encryption value = {1}.", a, decryptB.DecryptedValue);
}
}
Console.WriteLine(" encrypted: {0} to {1}", a, response.EncryptedValue);
}
// Test to ensure that when executing a change to a key's config values that all valid values are accepted.
public async Task ChangeEncryptionKeyInfo_ValidParameters()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.rsa2048);
// Now make changes to key. These should all be valid.
Dictionary <string, string> iParams = new Dictionary <string, string>
{
{ TransitConstants.KeyConfig_Allow_Backup, "true" },
{ TransitConstants.KeyConfig_DeleteAllowed, "true" },
{ TransitConstants.KeyConfig_Exportable, "true" },
{ TransitConstants.KeyConfig_MinDecryptVers, "0" },
{ TransitConstants.KeyConfig_MinEncryptVers, "0" }
};
TransitKeyInfo tkiA = await _transitSecretEngine.UpdateKey(key, iParams);
Assert.NotNull(tkiA);
}
public async Task CreateEncryptionKey_ConvergentAndDerivedTrue()
{
string key = _uniqueKeys.GetKey("Key");
Assert.AreEqual(
true,
await _transitSecretEngine.CreateEncryptionKey(key, canBeExported: true, keyType: TransitEnumKeyType.chacha20, enableConvergentEncryption: true,
enableKeyDerivation: true));
// Now read key back and make sure parameters are correct.
TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(true, TKI.IsExportable);
Assert.AreEqual(true, TKI.IsDerivable);
Assert.AreEqual(true, TKI.SupportsConvergentEncryption);
Assert.AreEqual(true, TKI.SupportsDerivation);
Assert.AreEqual("chacha20-poly1305", TKI.Type);
}
// Test that Reencrypt results in same original un-encrypted value.
public async Task RencryptionResultsInSameStartingValue()
{
string valA = Guid.NewGuid().ToString();
string key = _uniqueKeys.GetKey();
// Create key, validate the version and then encrypt some data with that key.
Assert.True(await _transitSecretEngine.CreateEncryptionKey(key, true, true, TransitEnumKeyType.aes256));
TransitEncryptedItem encA = await _transitSecretEngine.Encrypt(key, valA);
TransitKeyInfo tkiA = await _transitSecretEngine.ReadEncryptionKey(key);
// Rotate Key, Read value of key version, Re-Encrypt data. Decrypt Data.
Assert.True(await _transitSecretEngine.RotateKey(key));
TransitKeyInfo tkiB = await _transitSecretEngine.ReadEncryptionKey(key);
TransitEncryptedItem encB = await _transitSecretEngine.ReEncrypt(key, encA.EncryptedValue);
TransitDecryptedItem decB = await _transitSecretEngine.Decrypt(key, encB.EncryptedValue);
// Validate Results. Key version incremented by 1.
Assert.AreEqual(tkiA.LatestVersionNum + 1, tkiB.LatestVersionNum, "Key Version should have been incremented.");
Assert.AreEqual(valA, decB.DecryptedValue,
"After Key Rotation and Rencryption, expected value of encrypted item to be same, but they are different");
}
// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key
// encrypting with the key, etc.
public async Task RestoreKey_Success()
{
string key = await Transit_InitWithKey(TransitEnumKeyType.aes256);
// A. Enable deletion of the key.
Dictionary <string, string> keyconfig = new Dictionary <string, string> {
{ TransitConstants.KeyConfig_DeleteAllowed, "true" }
};
TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig);
Assert.True(tki.CanDelete);
// B. Rotate the key a few times.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
// C. Encrypt a piece of data.
string encryptedValue = "ABCzyx123";
TransitEncryptedItem encItem = await _transitSecretEngine.Encrypt(key, encryptedValue);
// D. Rotate Keys a few more times.
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
await _transitSecretEngine.RotateKey(key);
tki = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Name, key);
// E. Back it up.
TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key);
Assert.True(tbri.Success);
Assert.AreNotEqual(null, tbri.KeyBackup);
// F. Delete key.
Assert.True(await _transitSecretEngine.DeleteKey(key));
// G. Restore the key
Assert.True(await _transitSecretEngine.RestoreKey(key, tbri));
// H. Decrypt an item with restored key.
TransitDecryptedItem decItem = await _transitSecretEngine.Decrypt(key, encItem.EncryptedValue);
Assert.AreEqual(encryptedValue, decItem.DecryptedValue);
// I. Validate the restore.
TransitKeyInfo tkiRestore = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(tki.Type, tkiRestore.Type);
Assert.AreEqual(tki.LatestVersionNum, tkiRestore.LatestVersionNum);
Assert.AreEqual(tki.Name, tkiRestore.Name);
Assert.AreEqual(tki.Keys.Count, tkiRestore.Keys.Count);
}
// Validates that Bulk encryption, decryption and re-encryption works for Key Derivation encryption keys that need contexts.
public async Task BulkEncryptionDecryptionContextual_Works()
{
// Create key, validate the version and then encrypt some data with that key.
string key = _uniqueKeys.GetKey();
// Create key.
bool fa = await _transitSecretEngine.CreateEncryptionKey(key, true, true, TransitEnumKeyType.aes256, true);
Assert.True(fa);
// Confirm key is new:
TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(TKI.LatestVersionNum, 1);
// Confirm it supports key derivation.
Assert.AreEqual(true, TKI.SupportsDerivation);
// Step A. Build list of items to encrypt along with contextual encryption value.
List <KeyValuePair <string, string> > items = new List <KeyValuePair <string, string> >
{
new KeyValuePair <string, string>("abc", "123"),
new KeyValuePair <string, string>("ZYX", "argue"),
new KeyValuePair <string, string>("45332092214", "20180623")
};
// Step B.
// Encrypt several items in bulk. Storing both the item to encrypt and contextual encryption value.
List <TransitBulkItemToEncrypt> bulkEnc = new List <TransitBulkItemToEncrypt>();
foreach (KeyValuePair <string, string> item in items)
{
bulkEnc.Add(new TransitBulkItemToEncrypt(item.Key, item.Value));
}
// Encrypt.
TransitEncryptionResultsBulk bulkEncResponse = await _transitSecretEngine.EncryptBulk(key, bulkEnc);
int sentCnt = bulkEnc.Count;
int recvCnt = bulkEncResponse.EncryptedValues.Count;
// It's critical that items received = items sent.
Assert.AreEqual(sentCnt, recvCnt);
// Step C
// Decrypt in Bulk these Same Items. We need to send the encrypted item as well as the original context value that was used to encrypt
// that specific item.
List <TransitBulkItemToDecrypt> bulkDecrypt = new List <TransitBulkItemToDecrypt>();
for (int i = 0; i < recvCnt; i++)
{
bulkDecrypt.Add(new TransitBulkItemToDecrypt(bulkEncResponse.EncryptedValues [i].EncryptedValue, items [i].Value));
}
TransitDecryptionResultsBulk bulkDecResponse = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt);
// Validate.
Assert.AreEqual(recvCnt, bulkDecResponse.DecryptedValues.Count);
for (int i = 0; i < recvCnt; i++)
{
Assert.AreEqual(items [i].Key, bulkDecResponse.DecryptedValues [i].DecryptedValue);
}
// Step D
// Rotate Key.
Assert.AreEqual(true, (await _transitSecretEngine.RotateKey(key)));
TransitKeyInfo TKI2 = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(TKI2.LatestVersionNum, 2);
// Step E.
// Re-encrypt in bulk.
List <TransitBulkItemToDecrypt> bulkRewrap = new List <TransitBulkItemToDecrypt>();
foreach (KeyValuePair <string, string> item in items)
{
bulkRewrap.Add(new TransitBulkItemToDecrypt(item.Key, item.Value));
}
TransitEncryptionResultsBulk rewrapResponse = await _transitSecretEngine.ReEncryptBulk(key, bulkRewrap);
Assert.AreEqual(bulkEnc.Count, rewrapResponse.EncryptedValues.Count);
// Step F.
// Decrypt once again in bulk.
List <TransitBulkItemToDecrypt> bulkDecrypt2 = new List <TransitBulkItemToDecrypt>();
for (int i = 0; i < recvCnt; i++)
{
bulkDecrypt2.Add(new TransitBulkItemToDecrypt(bulkEncResponse.EncryptedValues [i].EncryptedValue, items [i].Value));
}
TransitDecryptionResultsBulk bulkDecResponse2 = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt2);
// Validate.
Assert.AreEqual(recvCnt, bulkDecResponse2.DecryptedValues.Count);
for (int i = 0; i < recvCnt; i++)
{
Assert.AreEqual(items [i].Key, bulkDecResponse2.DecryptedValues [i].DecryptedValue);
}
}
public async Task BulkEncryptionDecryption_Works()
{
// Create key, validate the version and then encrypt some data with that key.
string key = _uniqueKeys.GetKey();
bool fa = await _transitSecretEngine.CreateEncryptionKey(key, true, true, TransitEnumKeyType.aes256);
Assert.True(fa);
// Confirm key is new:
TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(TKI.LatestVersionNum, 1);
// Step A.
string valueA = "ABC";
string valueB = "def";
string valueC = "1234567890";
string valueD = Guid.NewGuid().ToString();
string valueE = "123456ABCDEFZYXWVU0987654321aaabbbcccddd";
// Step B.
// Encrypt several items in bulk.
List <TransitBulkItemToEncrypt> bulkEnc = new List <TransitBulkItemToEncrypt>
{
new TransitBulkItemToEncrypt(valueA),
new TransitBulkItemToEncrypt(valueB),
new TransitBulkItemToEncrypt(valueC),
new TransitBulkItemToEncrypt(valueD),
new TransitBulkItemToEncrypt(valueE)
};
TransitEncryptionResultsBulk bulkEncResponse = await _transitSecretEngine.EncryptBulk(key, bulkEnc);
int sentCnt = bulkEnc.Count;
int recvCnt = bulkEncResponse.EncryptedValues.Count;
Assert.AreEqual(sentCnt, recvCnt);
// Step C
// Decrypt in Bulk these Same Items.
List <TransitBulkItemToDecrypt> bulkDecrypt = new List <TransitBulkItemToDecrypt>();
foreach (TransitEncryptedItem item in bulkEncResponse.EncryptedValues)
{
bulkDecrypt.Add(new TransitBulkItemToDecrypt(item.EncryptedValue));
}
TransitDecryptionResultsBulk bulkDecResponse = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt);
Assert.AreEqual(recvCnt, bulkDecResponse.DecryptedValues.Count);
Assert.AreEqual(valueA, bulkDecResponse.DecryptedValues [0].DecryptedValue);
Assert.AreEqual(valueB, bulkDecResponse.DecryptedValues [1].DecryptedValue);
Assert.AreEqual(valueC, bulkDecResponse.DecryptedValues [2].DecryptedValue);
Assert.AreEqual(valueD, bulkDecResponse.DecryptedValues [3].DecryptedValue);
Assert.AreEqual(valueE, bulkDecResponse.DecryptedValues [4].DecryptedValue);
// Step D
// Rotate Key.
Assert.AreEqual(true, (await _transitSecretEngine.RotateKey(key)));
TransitKeyInfo TKI2 = await _transitSecretEngine.ReadEncryptionKey(key);
Assert.AreEqual(TKI2.LatestVersionNum, 2);
// Step E.
// Re-encrypt in bulk.
List <TransitBulkItemToDecrypt> bulkRewrap = new List <TransitBulkItemToDecrypt>();
foreach (TransitEncryptedItem encItem in bulkEncResponse.EncryptedValues)
{
bulkRewrap.Add(new TransitBulkItemToDecrypt(encItem.EncryptedValue));
}
TransitEncryptionResultsBulk rewrapResponse = await _transitSecretEngine.ReEncryptBulk(key, bulkRewrap);
Assert.AreEqual(bulkEnc.Count, rewrapResponse.EncryptedValues.Count);
// Step F.
// Decrypt once again in bulk.
List <TransitBulkItemToDecrypt> bulkDecrypt2 = new List <TransitBulkItemToDecrypt>();
foreach (TransitEncryptedItem item in rewrapResponse.EncryptedValues)
{
bulkDecrypt2.Add(new TransitBulkItemToDecrypt(item.EncryptedValue));
}
TransitDecryptionResultsBulk bulkDecResponse2 = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt2);
Assert.AreEqual(recvCnt, bulkDecResponse2.DecryptedValues.Count);
Assert.AreEqual(valueA, bulkDecResponse2.DecryptedValues [0].DecryptedValue);
Assert.AreEqual(valueB, bulkDecResponse2.DecryptedValues [1].DecryptedValue);
Assert.AreEqual(valueC, bulkDecResponse2.DecryptedValues [2].DecryptedValue);
Assert.AreEqual(valueD, bulkDecResponse2.DecryptedValues [3].DecryptedValue);
Assert.AreEqual(valueE, bulkDecResponse2.DecryptedValues [4].DecryptedValue);
}
