public void ParameterizedTests(
IEnvelopeEncryption <byte[]> envelopeEncryptionJson,
Mock <IMetastorePersistence <JObject> > metastorePersistence,
KeyState cacheIK,
KeyState metaIK,
KeyState cacheSK,
KeyState metaSK,
AppEncryptionPartition appEncryptionPartition)
{
using (AppEncryption <JObject, byte[]> appEncryptionJsonImpl =
new AppEncryptionJsonImpl <byte[]>(envelopeEncryptionJson))
{
EncryptMetastoreInteractions encryptMetastoreInteractions =
new EncryptMetastoreInteractions(cacheIK, metaIK, cacheSK, metaSK);
DecryptMetastoreInteractions decryptMetastoreInteractions =
new DecryptMetastoreInteractions(cacheIK, cacheSK);
// encrypt with library object(appEncryptionJsonImpl)
byte[] encryptedPayload = appEncryptionJsonImpl.Encrypt(payload);
Assert.NotNull(encryptedPayload);
VerifyEncryptFlow(metastorePersistence, encryptMetastoreInteractions, appEncryptionPartition);
metastorePersistence.Invocations.Clear();
JObject decryptedPayload = appEncryptionJsonImpl.Decrypt(encryptedPayload);
VerifyDecryptFlow(metastorePersistence, decryptMetastoreInteractions, appEncryptionPartition);
Assert.True(JToken.DeepEquals(payload, decryptedPayload));
}
}
private void TestGetAppEncryptionPartitionWithPartition()
{
AppEncryptionPartition appEncryptionPartition =
appEncryptionSessionFactory.GetAppEncryptionPartition(TestPartitionId);
Assert.Equal(TestPartitionId, appEncryptionPartition.PartitionId);
Assert.Equal(TestSystemId, appEncryptionPartition.SystemId);
Assert.Equal(TestProductId, appEncryptionPartition.ProductId);
}
internal static Mock <MemoryPersistenceImpl <JObject> > CreateMetastoreMock(
AppEncryptionPartition appEncryptionPartition,
KeyManagementService kms,
KeyState metaIK,
KeyState metaSK,
CryptoKeyHolder cryptoKeyHolder)
{
// TODO Change this to generate a mock dynamically based on the Metastore type
Mock <MemoryPersistenceImpl <JObject> > metastorePersistenceSpy = new Mock <MemoryPersistenceImpl <JObject> > {
CallBase = true
};
CryptoKey systemKey = cryptoKeyHolder.SystemKey;
if (metaSK != KeyState.Empty)
{
if (metaSK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = systemKey.GetCreated();
systemKey = systemKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord(
systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked());
metastorePersistenceSpy.Object.Store(
appEncryptionPartition.SystemKeyId,
systemKeyRecord.Created,
systemKeyRecord.ToJson());
}
if (metaIK != KeyState.Empty)
{
CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey;
if (metaIK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = intermediateKey.GetCreated();
intermediateKey = intermediateKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord(
intermediateKey.GetCreated(),
new KeyMeta(appEncryptionPartition.SystemKeyId, systemKey.GetCreated()),
Crypto.EncryptKey(intermediateKey, systemKey),
intermediateKey.IsRevoked());
metastorePersistenceSpy.Object.Store(
appEncryptionPartition.IntermediateKeyId,
intermediateKeyRecord.Created,
intermediateKeyRecord.ToJson());
}
metastorePersistenceSpy.Reset();
return(metastorePersistenceSpy);
}
private static object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK)
{
AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition(
cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
DefaultProductId);
// TODO Update to create KeyManagementService based on config/param once we plug in AWS KMS
KeyManagementService kms = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey);
CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK();
// TODO Pass Metastore type to enable spy generation once we plug in external metastore types
Mock <MemoryPersistenceImpl <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder);
CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder);
// Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(KeyExpiryDays)
.WithRevokeCheckMinutes(int.MaxValue)
.WithCanCacheIntermediateKeys(false)
.WithCanCacheSystemKeys(false)
.Build();
SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache;
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache;
EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl(
appEncryptionPartition,
metastorePersistence.Object,
systemKeyCache,
new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache),
new BouncyAes256GcmCrypto(),
cryptoPolicy,
kms);
IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson);
// Need to manually set a no-op metrics instance
IMetrics metrics = new MetricsBuilder()
.Configuration.Configure(options => options.Enabled = false)
.Build();
MetricsUtil.SetMetricsInstance(metrics);
return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition });
}
private object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK)
{
AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition(
cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() +
"_" + Random.Next(),
cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
DefaultProductId);
KeyManagementService kms = configFixture.KeyManagementService;
CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK();
Mock <IMetastorePersistence <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(
appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder, configFixture.MetastorePersistence);
CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder);
// Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(KeyExpiryDays)
.WithRevokeCheckMinutes(int.MaxValue)
.WithCanCacheIntermediateKeys(false)
.WithCanCacheSystemKeys(false)
.Build();
SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache;
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache;
EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl(
appEncryptionPartition,
metastorePersistence.Object,
systemKeyCache,
new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache),
new BouncyAes256GcmCrypto(),
cryptoPolicy,
kms);
IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl =
new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson);
return(new object[]
{
envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK,
appEncryptionPartition
});
}
public EnvelopeEncryptionJsonImpl(
AppEncryptionPartition partition,
IMetastorePersistence <JObject> metastorePersistence,
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache,
SecureCryptoKeyDictionaryFactory <DateTimeOffset> intermediateKeyCacheFactory,
AeadEnvelopeCrypto aeadEnvelopeCrypto,
CryptoPolicy cryptoPolicy,
KeyManagementService keyManagementService)
{
this.partition = partition;
this.metastorePersistence = metastorePersistence;
this.systemKeyCache = systemKeyCache;
intermediateKeyCache = intermediateKeyCacheFactory.CreateSecureCryptoKeyDictionary();
crypto = aeadEnvelopeCrypto;
this.cryptoPolicy = cryptoPolicy;
this.keyManagementService = keyManagementService;
}
private void VerifyDecryptFlow(
Mock <IMetastorePersistence <JObject> > metastorePersistence,
DecryptMetastoreInteractions metastoreInteractions,
AppEncryptionPartition appEncryptionPartition)
{
// If IK is loaded from metastore
if (metastoreInteractions.ShouldLoadIK())
{
metastorePersistence.Verify(
x => x.Load(appEncryptionPartition.IntermediateKeyId, It.IsAny <DateTimeOffset>()), Times.Once);
}
// If SK is loaded from metastore
if (metastoreInteractions.ShouldLoadSK())
{
metastorePersistence.Verify(
x => x.Load(appEncryptionPartition.SystemKeyId, It.IsAny <DateTimeOffset>()),
Times.Once);
}
}
public AppJsonEncryptionImplTest()
{
appEncryptionPartition = new AppEncryptionPartition("PARTITION", "SYSTEM", "PRODUCT");
Dictionary <string, JObject> memoryPersistence = new Dictionary <string, JObject>();
dataPersistence = new AdhocPersistence <JObject>(
key => memoryPersistence.TryGetValue(key, out JObject result) ? result : Option <JObject> .None,
(key, jsonObject) => memoryPersistence.Add(key, jsonObject));
metastorePersistence = new MemoryPersistenceImpl <JObject>();
keyManagementService = new DummyKeyManagementService();
AeadEnvelopeCrypto aeadEnvelopeCrypto = new BouncyAes256GcmCrypto();
// Generate a dummy systemKey document
CryptoKey systemKey = aeadEnvelopeCrypto.GenerateKey();
byte[] encryptedSystemKey = keyManagementService.EncryptKey(systemKey);
EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord(DateTimeOffset.UtcNow, null, encryptedSystemKey);
// Write out the dummy systemKey record
memoryPersistence.TryAdd(appEncryptionPartition.SystemKeyId, systemKeyRecord.ToJson());
}
public AppEncryptionPartitionTest()
{
appEncryptionPartition =
new AppEncryptionPartition(TestPartitionId, TestSystemId, TestProductId);
}
private void VerifyEncryptFlow(
Mock <IMetastorePersistence <JObject> > metastorePersistence,
EncryptMetastoreInteractions metastoreInteractions,
AppEncryptionPartition appEncryptionPartition)
{
// If IK is stored to metastore
if (metastoreInteractions.ShouldStoreIK())
{
metastorePersistence.Verify(
x => x.Store(appEncryptionPartition.IntermediateKeyId, It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()),
Times.Once);
}
// If SK is stored to metastore
if (metastoreInteractions.ShouldStoreSK())
{
metastorePersistence.Verify(
x => x.Store(appEncryptionPartition.SystemKeyId, It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()),
Times.Once);
}
// If neither IK nor SK is stored
if (!metastoreInteractions.ShouldStoreIK() && !metastoreInteractions.ShouldStoreSK())
{
metastorePersistence.Verify(
x => x.Store(It.IsAny <string>(), It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()),
Times.Never);
}
// NOTE: We do not read IK from the metastore in case of Encrypt
// If SK is loaded from metastore
if (metastoreInteractions.ShouldLoadSK())
{
metastorePersistence.Verify(
x => x.Load(appEncryptionPartition.SystemKeyId, It.IsAny <DateTimeOffset>()),
Times.Once);
}
else
{
metastorePersistence.Verify(
x => x.Load(It.IsAny <string>(), It.IsAny <DateTimeOffset>()),
Times.Never);
}
// If latest IK is loaded from metastore
if (metastoreInteractions.ShouldLoadLatestIK())
{
metastorePersistence.Verify(
x => x.LoadLatestValue(appEncryptionPartition.IntermediateKeyId),
Times.Once);
}
// If latest SK is loaded from metastore
if (metastoreInteractions.ShouldLoadLatestSK())
{
metastorePersistence.Verify(
x => x.LoadLatestValue(appEncryptionPartition.SystemKeyId),
Times.Once);
}
// If neither latest IK or SK is loaded from metastore
if (!metastoreInteractions.ShouldLoadLatestSK() && !metastoreInteractions.ShouldLoadLatestIK())
{
metastorePersistence.Verify(
x => x.LoadLatestValue(It.IsAny <string>()),
Times.Never);
}
}
internal static Mock <IMetastorePersistence <JObject> > CreateMetastoreMock(
AppEncryptionPartition appEncryptionPartition,
KeyManagementService kms,
KeyState metaIK,
KeyState metaSK,
CryptoKeyHolder cryptoKeyHolder,
IMetastorePersistence <JObject> metaStore)
{
CryptoKey systemKey = cryptoKeyHolder.SystemKey;
Mock <IMetastorePersistence <JObject> > metaStorePersistenceSpy = new Mock <IMetastorePersistence <JObject> >();
metaStorePersistenceSpy
.Setup(x => x.Load(It.IsAny <string>(), It.IsAny <DateTimeOffset>()))
.Returns <string, DateTimeOffset>(metaStore.Load);
metaStorePersistenceSpy
.Setup(x => x.LoadLatestValue(It.IsAny <string>()))
.Returns <string>(metaStore.LoadLatestValue);
metaStorePersistenceSpy
.Setup(x => x.Store(It.IsAny <string>(), It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()))
.Returns <string, DateTimeOffset, JObject>(metaStore.Store);
if (metaSK != KeyState.Empty)
{
if (metaSK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = systemKey.GetCreated();
systemKey = systemKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord(
systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked());
metaStore.Store(
appEncryptionPartition.SystemKeyId,
systemKeyRecord.Created,
systemKeyRecord.ToJson());
}
if (metaIK != KeyState.Empty)
{
CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey;
if (metaIK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = intermediateKey.GetCreated();
intermediateKey = intermediateKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord(
intermediateKey.GetCreated(),
new KeyMeta(appEncryptionPartition.SystemKeyId, systemKey.GetCreated()),
Crypto.EncryptKey(intermediateKey, systemKey),
intermediateKey.IsRevoked());
metaStore.Store(
appEncryptionPartition.IntermediateKeyId,
intermediateKeyRecord.Created,
intermediateKeyRecord.ToJson());
}
return(metaStorePersistenceSpy);
}
