public void OctEncryptDecryptSync()
{
TestEnvironment.AssertManagedHsm();
string managedHsmUrl = TestEnvironment.ManagedHsmUrl;
#region Snippet:OctKeysSample4CreateKey
var managedHsmClient = new KeyClient(new Uri(managedHsmUrl), new DefaultAzureCredential());
var octKeyOptions = new CreateOctKeyOptions($"CloudOctKey-{Guid.NewGuid()}")
{
KeySize = 256,
};
KeyVaultKey cloudOctKey = managedHsmClient.CreateOctKey(octKeyOptions);
#endregion
#region Snippet:OctKeySample4Encrypt
var cryptoClient = new CryptographyClient(cloudOctKey.Id, new DefaultAzureCredential());
byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
byte[] aad = Encoding.UTF8.GetBytes("additional authenticated data");
EncryptParameters encryptParams = EncryptParameters.A256GcmParameters(plaintext, aad);
EncryptResult encryptResult = cryptoClient.Encrypt(encryptParams);
#endregion
#region Snippet:OctKeySample4Decrypt
DecryptParameters decryptParams = DecryptParameters.A256GcmParameters(
encryptResult.Ciphertext,
encryptResult.Iv,
encryptResult.AuthenticationTag,
encryptResult.AdditionalAuthenticatedData);
DecryptResult decryptResult = cryptoClient.Decrypt(decryptParams);
#endregion
Assert.AreEqual(plaintext, decryptResult.Plaintext);
// Delete and purge the key.
DeleteKeyOperation operation = managedHsmClient.StartDeleteKey(octKeyOptions.Name);
// You only need to wait for completion if you want to purge or recover the key.
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
managedHsmClient.PurgeDeletedKey(operation.Value.Name);
}
public async Task OctEncryptDecryptAsync()
{
TestEnvironment.AssertManagedHsm();
string managedHsmUrl = TestEnvironment.ManagedHsmUrl;
var managedHsmClient = new KeyClient(new Uri(managedHsmUrl), new DefaultAzureCredential());
var octKeyOptions = new CreateOctKeyOptions($"CloudOctKey-{Guid.NewGuid()}")
{
KeySize = 256,
};
KeyVaultKey cloudOctKey = await managedHsmClient.CreateOctKeyAsync(octKeyOptions);
var cryptoClient = new CryptographyClient(cloudOctKey.Id, new DefaultAzureCredential());
byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
byte[] aad = Encoding.UTF8.GetBytes("additional authenticated data");
EncryptParameters encryptParams = EncryptParameters.A256GcmParameters(plaintext, aad);
EncryptResult encryptResult = await cryptoClient.EncryptAsync(encryptParams);
DecryptParameters decryptParams = DecryptParameters.A256GcmParameters(
encryptResult.Ciphertext,
encryptResult.Iv,
encryptResult.AuthenticationTag,
encryptResult.AdditionalAuthenticatedData);
DecryptResult decryptResult = await cryptoClient.DecryptAsync(decryptParams);
Assert.AreEqual(plaintext, decryptResult.Plaintext);
// Delete and purge the key.
DeleteKeyOperation operation = await managedHsmClient.StartDeleteKeyAsync(octKeyOptions.Name);
// You only need to wait for completion if you want to purge or recover the key.
await operation.WaitForCompletionAsync();
managedHsmClient.PurgeDeletedKey(operation.Value.Name);
}
public void RequiresOnlyCiphertextIvAuthenticationTag()
{
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128GcmParameters(null, null, null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128GcmParameters(Array.Empty <byte>(), null, null, null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A128GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), null, null));
Assert.AreEqual("authenticationTag", ex.ParamName);
Assert.DoesNotThrow(() => DecryptParameters.A128GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), Array.Empty <byte>(), null));
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192GcmParameters(null, null, null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192GcmParameters(Array.Empty <byte>(), null, null, null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A192GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), null, null));
Assert.AreEqual("authenticationTag", ex.ParamName);
Assert.DoesNotThrow(() => DecryptParameters.A192GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), Array.Empty <byte>(), null));
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256GcmParameters(null, null, null, null));
Assert.AreEqual("ciphertext", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256GcmParameters(Array.Empty <byte>(), null, null, null));
Assert.AreEqual("iv", ex.ParamName);
ex = Assert.Throws <ArgumentNullException>(() => DecryptParameters.A256GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), null, null));
Assert.AreEqual("authenticationTag", ex.ParamName);
Assert.DoesNotThrow(() => DecryptParameters.A256GcmParameters(Array.Empty <byte>(), Array.Empty <byte>(), Array.Empty <byte>(), null));
}
public async Task AesGcmEncryptDecrypt([EnumValues(
nameof(EncryptionAlgorithm.A128Gcm),
nameof(EncryptionAlgorithm.A192Gcm),
nameof(EncryptionAlgorithm.A256Gcm)
)] EncryptionAlgorithm algorithm)
{
int keySizeInBytes = algorithm.ToString() switch
{
EncryptionAlgorithm.A128GcmValue => 128 >> 3,
EncryptionAlgorithm.A192GcmValue => 192 >> 3,
EncryptionAlgorithm.A256GcmValue => 256 >> 3,
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps);
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.ImportKeyAsync(
new ImportKeyOptions(keyName, jwk));
RegisterForCleanup(key.Name);
CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true);
byte[] plaintext = new byte[32];
Recording.Random.NextBytes(plaintext);
byte[] iv = new byte[16];
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc)
{
Recording.Random.NextBytes(iv);
}
EncryptParameters encryptParams = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => EncryptParameters.A128GcmParameters(plaintext),
EncryptionAlgorithm.A192GcmValue => EncryptParameters.A192GcmParameters(plaintext),
EncryptionAlgorithm.A256GcmValue => EncryptParameters.A256GcmParameters(plaintext),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
EncryptResult encrypted = await remoteClient.EncryptAsync(encryptParams);
Assert.IsNotNull(encrypted.Ciphertext);
DecryptParameters decryptParameters = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => DecryptParameters.A128GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A192GcmValue => DecryptParameters.A192GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A256GcmValue => DecryptParameters.A256GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters);
Assert.IsNotNull(decrypted.Plaintext);
CollectionAssert.AreEqual(plaintext, decrypted.Plaintext);
}