public void ParameterizedTests( IEnvelopeEncryption <byte[]> envelopeEncryptionJson, Mock <IMetastorePersistence <JObject> > metastorePersistence, KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK, AppEncryptionPartition appEncryptionPartition) { using (AppEncryption <JObject, byte[]> appEncryptionJsonImpl = new AppEncryptionJsonImpl <byte[]>(envelopeEncryptionJson)) { EncryptMetastoreInteractions encryptMetastoreInteractions = new EncryptMetastoreInteractions(cacheIK, metaIK, cacheSK, metaSK); DecryptMetastoreInteractions decryptMetastoreInteractions = new DecryptMetastoreInteractions(cacheIK, cacheSK); // encrypt with library object(appEncryptionJsonImpl) byte[] encryptedPayload = appEncryptionJsonImpl.Encrypt(payload); Assert.NotNull(encryptedPayload); VerifyEncryptFlow(metastorePersistence, encryptMetastoreInteractions, appEncryptionPartition); metastorePersistence.Invocations.Clear(); JObject decryptedPayload = appEncryptionJsonImpl.Decrypt(encryptedPayload); VerifyDecryptFlow(metastorePersistence, decryptMetastoreInteractions, appEncryptionPartition); Assert.True(JToken.DeepEquals(payload, decryptedPayload)); } }
private void TestGetAppEncryptionPartitionWithPartition() { AppEncryptionPartition appEncryptionPartition = appEncryptionSessionFactory.GetAppEncryptionPartition(TestPartitionId); Assert.Equal(TestPartitionId, appEncryptionPartition.PartitionId); Assert.Equal(TestSystemId, appEncryptionPartition.SystemId); Assert.Equal(TestProductId, appEncryptionPartition.ProductId); }
internal static Mock <MemoryPersistenceImpl <JObject> > CreateMetastoreMock( AppEncryptionPartition appEncryptionPartition, KeyManagementService kms, KeyState metaIK, KeyState metaSK, CryptoKeyHolder cryptoKeyHolder) { // TODO Change this to generate a mock dynamically based on the Metastore type Mock <MemoryPersistenceImpl <JObject> > metastorePersistenceSpy = new Mock <MemoryPersistenceImpl <JObject> > { CallBase = true }; CryptoKey systemKey = cryptoKeyHolder.SystemKey; if (metaSK != KeyState.Empty) { if (metaSK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = systemKey.GetCreated(); systemKey = systemKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord( systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked()); metastorePersistenceSpy.Object.Store( appEncryptionPartition.SystemKeyId, systemKeyRecord.Created, systemKeyRecord.ToJson()); } if (metaIK != KeyState.Empty) { CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey; if (metaIK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = intermediateKey.GetCreated(); intermediateKey = intermediateKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord( intermediateKey.GetCreated(), new KeyMeta(appEncryptionPartition.SystemKeyId, systemKey.GetCreated()), Crypto.EncryptKey(intermediateKey, systemKey), intermediateKey.IsRevoked()); metastorePersistenceSpy.Object.Store( appEncryptionPartition.IntermediateKeyId, intermediateKeyRecord.Created, intermediateKeyRecord.ToJson()); } metastorePersistenceSpy.Reset(); return(metastorePersistenceSpy); }
private static object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK) { AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition( cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), DefaultProductId); // TODO Update to create KeyManagementService based on config/param once we plug in AWS KMS KeyManagementService kms = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey); CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK(); // TODO Pass Metastore type to enable spy generation once we plug in external metastore types Mock <MemoryPersistenceImpl <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder); CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder); // Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder() .WithKeyExpirationDays(KeyExpiryDays) .WithRevokeCheckMinutes(int.MaxValue) .WithCanCacheIntermediateKeys(false) .WithCanCacheSystemKeys(false) .Build(); SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache; SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache; EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl( appEncryptionPartition, metastorePersistence.Object, systemKeyCache, new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache), new BouncyAes256GcmCrypto(), cryptoPolicy, kms); IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson); // Need to manually set a no-op metrics instance IMetrics metrics = new MetricsBuilder() .Configuration.Configure(options => options.Enabled = false) .Build(); MetricsUtil.SetMetricsInstance(metrics); return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition }); }
private object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK) { AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition( cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), DefaultProductId); KeyManagementService kms = configFixture.KeyManagementService; CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK(); Mock <IMetastorePersistence <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock( appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder, configFixture.MetastorePersistence); CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder); // Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder() .WithKeyExpirationDays(KeyExpiryDays) .WithRevokeCheckMinutes(int.MaxValue) .WithCanCacheIntermediateKeys(false) .WithCanCacheSystemKeys(false) .Build(); SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache; SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache; EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl( appEncryptionPartition, metastorePersistence.Object, systemKeyCache, new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache), new BouncyAes256GcmCrypto(), cryptoPolicy, kms); IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson); return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition }); }
public EnvelopeEncryptionJsonImpl( AppEncryptionPartition partition, IMetastorePersistence <JObject> metastorePersistence, SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache, SecureCryptoKeyDictionaryFactory <DateTimeOffset> intermediateKeyCacheFactory, AeadEnvelopeCrypto aeadEnvelopeCrypto, CryptoPolicy cryptoPolicy, KeyManagementService keyManagementService) { this.partition = partition; this.metastorePersistence = metastorePersistence; this.systemKeyCache = systemKeyCache; intermediateKeyCache = intermediateKeyCacheFactory.CreateSecureCryptoKeyDictionary(); crypto = aeadEnvelopeCrypto; this.cryptoPolicy = cryptoPolicy; this.keyManagementService = keyManagementService; }
private void VerifyDecryptFlow( Mock <IMetastorePersistence <JObject> > metastorePersistence, DecryptMetastoreInteractions metastoreInteractions, AppEncryptionPartition appEncryptionPartition) { // If IK is loaded from metastore if (metastoreInteractions.ShouldLoadIK()) { metastorePersistence.Verify( x => x.Load(appEncryptionPartition.IntermediateKeyId, It.IsAny <DateTimeOffset>()), Times.Once); } // If SK is loaded from metastore if (metastoreInteractions.ShouldLoadSK()) { metastorePersistence.Verify( x => x.Load(appEncryptionPartition.SystemKeyId, It.IsAny <DateTimeOffset>()), Times.Once); } }
public AppJsonEncryptionImplTest() { appEncryptionPartition = new AppEncryptionPartition("PARTITION", "SYSTEM", "PRODUCT"); Dictionary <string, JObject> memoryPersistence = new Dictionary <string, JObject>(); dataPersistence = new AdhocPersistence <JObject>( key => memoryPersistence.TryGetValue(key, out JObject result) ? result : Option <JObject> .None, (key, jsonObject) => memoryPersistence.Add(key, jsonObject)); metastorePersistence = new MemoryPersistenceImpl <JObject>(); keyManagementService = new DummyKeyManagementService(); AeadEnvelopeCrypto aeadEnvelopeCrypto = new BouncyAes256GcmCrypto(); // Generate a dummy systemKey document CryptoKey systemKey = aeadEnvelopeCrypto.GenerateKey(); byte[] encryptedSystemKey = keyManagementService.EncryptKey(systemKey); EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord(DateTimeOffset.UtcNow, null, encryptedSystemKey); // Write out the dummy systemKey record memoryPersistence.TryAdd(appEncryptionPartition.SystemKeyId, systemKeyRecord.ToJson()); }
public AppEncryptionPartitionTest() { appEncryptionPartition = new AppEncryptionPartition(TestPartitionId, TestSystemId, TestProductId); }
private void VerifyEncryptFlow( Mock <IMetastorePersistence <JObject> > metastorePersistence, EncryptMetastoreInteractions metastoreInteractions, AppEncryptionPartition appEncryptionPartition) { // If IK is stored to metastore if (metastoreInteractions.ShouldStoreIK()) { metastorePersistence.Verify( x => x.Store(appEncryptionPartition.IntermediateKeyId, It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()), Times.Once); } // If SK is stored to metastore if (metastoreInteractions.ShouldStoreSK()) { metastorePersistence.Verify( x => x.Store(appEncryptionPartition.SystemKeyId, It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()), Times.Once); } // If neither IK nor SK is stored if (!metastoreInteractions.ShouldStoreIK() && !metastoreInteractions.ShouldStoreSK()) { metastorePersistence.Verify( x => x.Store(It.IsAny <string>(), It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()), Times.Never); } // NOTE: We do not read IK from the metastore in case of Encrypt // If SK is loaded from metastore if (metastoreInteractions.ShouldLoadSK()) { metastorePersistence.Verify( x => x.Load(appEncryptionPartition.SystemKeyId, It.IsAny <DateTimeOffset>()), Times.Once); } else { metastorePersistence.Verify( x => x.Load(It.IsAny <string>(), It.IsAny <DateTimeOffset>()), Times.Never); } // If latest IK is loaded from metastore if (metastoreInteractions.ShouldLoadLatestIK()) { metastorePersistence.Verify( x => x.LoadLatestValue(appEncryptionPartition.IntermediateKeyId), Times.Once); } // If latest SK is loaded from metastore if (metastoreInteractions.ShouldLoadLatestSK()) { metastorePersistence.Verify( x => x.LoadLatestValue(appEncryptionPartition.SystemKeyId), Times.Once); } // If neither latest IK or SK is loaded from metastore if (!metastoreInteractions.ShouldLoadLatestSK() && !metastoreInteractions.ShouldLoadLatestIK()) { metastorePersistence.Verify( x => x.LoadLatestValue(It.IsAny <string>()), Times.Never); } }
internal static Mock <IMetastorePersistence <JObject> > CreateMetastoreMock( AppEncryptionPartition appEncryptionPartition, KeyManagementService kms, KeyState metaIK, KeyState metaSK, CryptoKeyHolder cryptoKeyHolder, IMetastorePersistence <JObject> metaStore) { CryptoKey systemKey = cryptoKeyHolder.SystemKey; Mock <IMetastorePersistence <JObject> > metaStorePersistenceSpy = new Mock <IMetastorePersistence <JObject> >(); metaStorePersistenceSpy .Setup(x => x.Load(It.IsAny <string>(), It.IsAny <DateTimeOffset>())) .Returns <string, DateTimeOffset>(metaStore.Load); metaStorePersistenceSpy .Setup(x => x.LoadLatestValue(It.IsAny <string>())) .Returns <string>(metaStore.LoadLatestValue); metaStorePersistenceSpy .Setup(x => x.Store(It.IsAny <string>(), It.IsAny <DateTimeOffset>(), It.IsAny <JObject>())) .Returns <string, DateTimeOffset, JObject>(metaStore.Store); if (metaSK != KeyState.Empty) { if (metaSK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = systemKey.GetCreated(); systemKey = systemKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord( systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked()); metaStore.Store( appEncryptionPartition.SystemKeyId, systemKeyRecord.Created, systemKeyRecord.ToJson()); } if (metaIK != KeyState.Empty) { CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey; if (metaIK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = intermediateKey.GetCreated(); intermediateKey = intermediateKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord( intermediateKey.GetCreated(), new KeyMeta(appEncryptionPartition.SystemKeyId, systemKey.GetCreated()), Crypto.EncryptKey(intermediateKey, systemKey), intermediateKey.IsRevoked()); metaStore.Store( appEncryptionPartition.IntermediateKeyId, intermediateKeyRecord.Created, intermediateKeyRecord.ToJson()); } return(metaStorePersistenceSpy); }