public async Task ReadEncryptionKeyInfo_Success() { TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(encKeyA); Assert.AreEqual(encKeyA, TKI.Name); Assert.AreEqual(1, TKI.LatestVersionNum); }
// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key // encrypting with the key, etc. // Note this tests when the key already exists. Should Fail. public async Task RestoreKey_KeyAlreadyExists_ReturnsFalse() { string key = await Transit_InitWithKey(TransitEnumKeyType.aes256); // E. Back it up. TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key); Assert.True(tbri.Success); Assert.AreNotEqual(null, tbri.KeyBackup); // B. Rotate the key a few times so we know the keys are different. await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); // Read key, prior to restore. TransitKeyInfo tki = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(tki.Name, key); // G. Restore the key Assert.False(await _transitSecretEngine.RestoreKey(key, tbri)); }
public async Task Run_ReadKey(string key) { // Read an Encryption Key. TransitKeyInfo TKI = await TB.ReadEncryptionKey(key); Console.WriteLine("Encryption Key Read:"); Console.WriteLine(" - {0}", TKI.ToString()); }
public async Task RotateKey_Works() { string key = await Transit_InitWithKey(TransitEnumKeyType.aes256); bool rotated = await _transitSecretEngine.RotateKey(key); Assert.AreEqual(rotated, true); // Retrieve key. TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(TKI.LatestVersionNum, 2); }
/// <summary> /// Returns true or false if a given key exists. /// </summary> /// <param name="keyName">Name of the key you want to validate if it exists.</param> /// <returns>True if key exists. False if it does not.</returns> public async Task <bool> IfExists(string keyName) { try { TransitKeyInfo TKI = await ReadEncryptionKey(keyName); if (TKI != null) { return(true); } else { return(false); } } catch (VaultInvalidPathException) { return(false); } }
// Test that we can backup a key that is enabled for backup. public async Task BackupKey_Success() { string key = await Transit_InitWithKey(TransitEnumKeyType.aes256, true); // Allow Backup. Dictionary <string, string> keyconfig = new Dictionary <string, string> { { TransitConstants.KeyConfig_Allow_Backup, "true" } }; TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig); // Back it up. TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key); Assert.True(tbri.Success); Assert.AreNotEqual(null, tbri.KeyBackup); }
public async Task Run_ReEncrypt(string key) { Console.WriteLine("Running Re-Encrypt Data Process:"); string a = "abcDEF123$%^"; TransitKeyInfo TKIA = await TB.ReadEncryptionKey(key); Console.WriteLine(" -- Encryption Key Current Version is {0}", TKIA.LatestVersionNum); TransitEncryptedItem response = await TB.Encrypt(key, a); bool success = await TB.RotateKey(key); if (!success) { Console.WriteLine(" -- Failed to rotate the key. Stopping the Re-Encryption test."); return; } TransitKeyInfo TKIB = await TB.ReadEncryptionKey(key); Console.WriteLine(" -- Encryption Key New Version is {0}", TKIB.LatestVersionNum); TransitEncryptedItem response2 = await TB.ReEncrypt(key, response.EncryptedValue); if (response2 != null) { Console.WriteLine(" -- Reencryption completed."); // Now validate by decrypting original value and new value. Should be same. TransitDecryptedItem decryptA = await TB.Decrypt(key, response.EncryptedValue); TransitDecryptedItem decryptB = await TB.Decrypt(key, response2.EncryptedValue); if (a == decryptB.DecryptedValue) { Console.WriteLine(" -- ReEncryption successfull. Original Data = {0} and after re-encrypt value = {1}", a, decryptB.DecryptedValue); } else { Console.WriteLine(" -- ReEncryption FAILED. Original value = {0}, re-Encryption value = {1}.", a, decryptB.DecryptedValue); } } Console.WriteLine(" encrypted: {0} to {1}", a, response.EncryptedValue); }
// Test to ensure that when executing a change to a key's config values that all valid values are accepted. public async Task ChangeEncryptionKeyInfo_ValidParameters() { string key = await Transit_InitWithKey(TransitEnumKeyType.rsa2048); // Now make changes to key. These should all be valid. Dictionary <string, string> iParams = new Dictionary <string, string> { { TransitConstants.KeyConfig_Allow_Backup, "true" }, { TransitConstants.KeyConfig_DeleteAllowed, "true" }, { TransitConstants.KeyConfig_Exportable, "true" }, { TransitConstants.KeyConfig_MinDecryptVers, "0" }, { TransitConstants.KeyConfig_MinEncryptVers, "0" } }; TransitKeyInfo tkiA = await _transitSecretEngine.UpdateKey(key, iParams); Assert.NotNull(tkiA); }
public async Task CreateEncryptionKey_ConvergentAndDerivedTrue() { string key = _uniqueKeys.GetKey("Key"); Assert.AreEqual( true, await _transitSecretEngine.CreateEncryptionKey(key, canBeExported: true, keyType: TransitEnumKeyType.chacha20, enableConvergentEncryption: true, enableKeyDerivation: true)); // Now read key back and make sure parameters are correct. TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(true, TKI.IsExportable); Assert.AreEqual(true, TKI.IsDerivable); Assert.AreEqual(true, TKI.SupportsConvergentEncryption); Assert.AreEqual(true, TKI.SupportsDerivation); Assert.AreEqual("chacha20-poly1305", TKI.Type); }
// Test that Reencrypt results in same original un-encrypted value. public async Task RencryptionResultsInSameStartingValue() { string valA = Guid.NewGuid().ToString(); string key = _uniqueKeys.GetKey(); // Create key, validate the version and then encrypt some data with that key. Assert.True(await _transitSecretEngine.CreateEncryptionKey(key, true, true, TransitEnumKeyType.aes256)); TransitEncryptedItem encA = await _transitSecretEngine.Encrypt(key, valA); TransitKeyInfo tkiA = await _transitSecretEngine.ReadEncryptionKey(key); // Rotate Key, Read value of key version, Re-Encrypt data. Decrypt Data. Assert.True(await _transitSecretEngine.RotateKey(key)); TransitKeyInfo tkiB = await _transitSecretEngine.ReadEncryptionKey(key); TransitEncryptedItem encB = await _transitSecretEngine.ReEncrypt(key, encA.EncryptedValue); TransitDecryptedItem decB = await _transitSecretEngine.Decrypt(key, encB.EncryptedValue); // Validate Results. Key version incremented by 1. Assert.AreEqual(tkiA.LatestVersionNum + 1, tkiB.LatestVersionNum, "Key Version should have been incremented."); Assert.AreEqual(valA, decB.DecryptedValue, "After Key Rotation and Rencryption, expected value of encrypted item to be same, but they are different"); }
// Performs a complex set of operations to ensure a backup and restore of a key is successful. Including rotating the key // encrypting with the key, etc. public async Task RestoreKey_Success() { string key = await Transit_InitWithKey(TransitEnumKeyType.aes256); // A. Enable deletion of the key. Dictionary <string, string> keyconfig = new Dictionary <string, string> { { TransitConstants.KeyConfig_DeleteAllowed, "true" } }; TransitKeyInfo tki = await _transitSecretEngine.UpdateKey(key, keyconfig); Assert.True(tki.CanDelete); // B. Rotate the key a few times. await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); // C. Encrypt a piece of data. string encryptedValue = "ABCzyx123"; TransitEncryptedItem encItem = await _transitSecretEngine.Encrypt(key, encryptedValue); // D. Rotate Keys a few more times. await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); await _transitSecretEngine.RotateKey(key); tki = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(tki.Name, key); // E. Back it up. TransitBackupRestoreItem tbri = await _transitSecretEngine.BackupKey(key); Assert.True(tbri.Success); Assert.AreNotEqual(null, tbri.KeyBackup); // F. Delete key. Assert.True(await _transitSecretEngine.DeleteKey(key)); // G. Restore the key Assert.True(await _transitSecretEngine.RestoreKey(key, tbri)); // H. Decrypt an item with restored key. TransitDecryptedItem decItem = await _transitSecretEngine.Decrypt(key, encItem.EncryptedValue); Assert.AreEqual(encryptedValue, decItem.DecryptedValue); // I. Validate the restore. TransitKeyInfo tkiRestore = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(tki.Type, tkiRestore.Type); Assert.AreEqual(tki.LatestVersionNum, tkiRestore.LatestVersionNum); Assert.AreEqual(tki.Name, tkiRestore.Name); Assert.AreEqual(tki.Keys.Count, tkiRestore.Keys.Count); }
// Validates that Bulk encryption, decryption and re-encryption works for Key Derivation encryption keys that need contexts. public async Task BulkEncryptionDecryptionContextual_Works() { // Create key, validate the version and then encrypt some data with that key. string key = _uniqueKeys.GetKey(); // Create key. bool fa = await _transitSecretEngine.CreateEncryptionKey(key, true, true, TransitEnumKeyType.aes256, true); Assert.True(fa); // Confirm key is new: TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(TKI.LatestVersionNum, 1); // Confirm it supports key derivation. Assert.AreEqual(true, TKI.SupportsDerivation); // Step A. Build list of items to encrypt along with contextual encryption value. List <KeyValuePair <string, string> > items = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("abc", "123"), new KeyValuePair <string, string>("ZYX", "argue"), new KeyValuePair <string, string>("45332092214", "20180623") }; // Step B. // Encrypt several items in bulk. Storing both the item to encrypt and contextual encryption value. List <TransitBulkItemToEncrypt> bulkEnc = new List <TransitBulkItemToEncrypt>(); foreach (KeyValuePair <string, string> item in items) { bulkEnc.Add(new TransitBulkItemToEncrypt(item.Key, item.Value)); } // Encrypt. TransitEncryptionResultsBulk bulkEncResponse = await _transitSecretEngine.EncryptBulk(key, bulkEnc); int sentCnt = bulkEnc.Count; int recvCnt = bulkEncResponse.EncryptedValues.Count; // It's critical that items received = items sent. Assert.AreEqual(sentCnt, recvCnt); // Step C // Decrypt in Bulk these Same Items. We need to send the encrypted item as well as the original context value that was used to encrypt // that specific item. List <TransitBulkItemToDecrypt> bulkDecrypt = new List <TransitBulkItemToDecrypt>(); for (int i = 0; i < recvCnt; i++) { bulkDecrypt.Add(new TransitBulkItemToDecrypt(bulkEncResponse.EncryptedValues [i].EncryptedValue, items [i].Value)); } TransitDecryptionResultsBulk bulkDecResponse = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt); // Validate. Assert.AreEqual(recvCnt, bulkDecResponse.DecryptedValues.Count); for (int i = 0; i < recvCnt; i++) { Assert.AreEqual(items [i].Key, bulkDecResponse.DecryptedValues [i].DecryptedValue); } // Step D // Rotate Key. Assert.AreEqual(true, (await _transitSecretEngine.RotateKey(key))); TransitKeyInfo TKI2 = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(TKI2.LatestVersionNum, 2); // Step E. // Re-encrypt in bulk. List <TransitBulkItemToDecrypt> bulkRewrap = new List <TransitBulkItemToDecrypt>(); foreach (KeyValuePair <string, string> item in items) { bulkRewrap.Add(new TransitBulkItemToDecrypt(item.Key, item.Value)); } TransitEncryptionResultsBulk rewrapResponse = await _transitSecretEngine.ReEncryptBulk(key, bulkRewrap); Assert.AreEqual(bulkEnc.Count, rewrapResponse.EncryptedValues.Count); // Step F. // Decrypt once again in bulk. List <TransitBulkItemToDecrypt> bulkDecrypt2 = new List <TransitBulkItemToDecrypt>(); for (int i = 0; i < recvCnt; i++) { bulkDecrypt2.Add(new TransitBulkItemToDecrypt(bulkEncResponse.EncryptedValues [i].EncryptedValue, items [i].Value)); } TransitDecryptionResultsBulk bulkDecResponse2 = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt2); // Validate. Assert.AreEqual(recvCnt, bulkDecResponse2.DecryptedValues.Count); for (int i = 0; i < recvCnt; i++) { Assert.AreEqual(items [i].Key, bulkDecResponse2.DecryptedValues [i].DecryptedValue); } }
public async Task BulkEncryptionDecryption_Works() { // Create key, validate the version and then encrypt some data with that key. string key = _uniqueKeys.GetKey(); bool fa = await _transitSecretEngine.CreateEncryptionKey(key, true, true, TransitEnumKeyType.aes256); Assert.True(fa); // Confirm key is new: TransitKeyInfo TKI = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(TKI.LatestVersionNum, 1); // Step A. string valueA = "ABC"; string valueB = "def"; string valueC = "1234567890"; string valueD = Guid.NewGuid().ToString(); string valueE = "123456ABCDEFZYXWVU0987654321aaabbbcccddd"; // Step B. // Encrypt several items in bulk. List <TransitBulkItemToEncrypt> bulkEnc = new List <TransitBulkItemToEncrypt> { new TransitBulkItemToEncrypt(valueA), new TransitBulkItemToEncrypt(valueB), new TransitBulkItemToEncrypt(valueC), new TransitBulkItemToEncrypt(valueD), new TransitBulkItemToEncrypt(valueE) }; TransitEncryptionResultsBulk bulkEncResponse = await _transitSecretEngine.EncryptBulk(key, bulkEnc); int sentCnt = bulkEnc.Count; int recvCnt = bulkEncResponse.EncryptedValues.Count; Assert.AreEqual(sentCnt, recvCnt); // Step C // Decrypt in Bulk these Same Items. List <TransitBulkItemToDecrypt> bulkDecrypt = new List <TransitBulkItemToDecrypt>(); foreach (TransitEncryptedItem item in bulkEncResponse.EncryptedValues) { bulkDecrypt.Add(new TransitBulkItemToDecrypt(item.EncryptedValue)); } TransitDecryptionResultsBulk bulkDecResponse = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt); Assert.AreEqual(recvCnt, bulkDecResponse.DecryptedValues.Count); Assert.AreEqual(valueA, bulkDecResponse.DecryptedValues [0].DecryptedValue); Assert.AreEqual(valueB, bulkDecResponse.DecryptedValues [1].DecryptedValue); Assert.AreEqual(valueC, bulkDecResponse.DecryptedValues [2].DecryptedValue); Assert.AreEqual(valueD, bulkDecResponse.DecryptedValues [3].DecryptedValue); Assert.AreEqual(valueE, bulkDecResponse.DecryptedValues [4].DecryptedValue); // Step D // Rotate Key. Assert.AreEqual(true, (await _transitSecretEngine.RotateKey(key))); TransitKeyInfo TKI2 = await _transitSecretEngine.ReadEncryptionKey(key); Assert.AreEqual(TKI2.LatestVersionNum, 2); // Step E. // Re-encrypt in bulk. List <TransitBulkItemToDecrypt> bulkRewrap = new List <TransitBulkItemToDecrypt>(); foreach (TransitEncryptedItem encItem in bulkEncResponse.EncryptedValues) { bulkRewrap.Add(new TransitBulkItemToDecrypt(encItem.EncryptedValue)); } TransitEncryptionResultsBulk rewrapResponse = await _transitSecretEngine.ReEncryptBulk(key, bulkRewrap); Assert.AreEqual(bulkEnc.Count, rewrapResponse.EncryptedValues.Count); // Step F. // Decrypt once again in bulk. List <TransitBulkItemToDecrypt> bulkDecrypt2 = new List <TransitBulkItemToDecrypt>(); foreach (TransitEncryptedItem item in rewrapResponse.EncryptedValues) { bulkDecrypt2.Add(new TransitBulkItemToDecrypt(item.EncryptedValue)); } TransitDecryptionResultsBulk bulkDecResponse2 = await _transitSecretEngine.DecryptBulk(key, bulkDecrypt2); Assert.AreEqual(recvCnt, bulkDecResponse2.DecryptedValues.Count); Assert.AreEqual(valueA, bulkDecResponse2.DecryptedValues [0].DecryptedValue); Assert.AreEqual(valueB, bulkDecResponse2.DecryptedValues [1].DecryptedValue); Assert.AreEqual(valueC, bulkDecResponse2.DecryptedValues [2].DecryptedValue); Assert.AreEqual(valueD, bulkDecResponse2.DecryptedValues [3].DecryptedValue); Assert.AreEqual(valueE, bulkDecResponse2.DecryptedValues [4].DecryptedValue); }