示例#1
            /// <summary>
            /// Registers a client that uses an HMAC signature algorithm, then reads the raw
            /// <c>ClientDataRecordV2</c> back from the collection and checks that the persisted
            /// algorithm parameter is the protected form of the key and is flagged as encrypted.
            /// </summary>
            /// <remarks>
            /// NOTE(review): the expected value comes from <c>FakeStringProtector</c>, so this test is
            /// only as strong as that fake. If its <c>Protect</c> returned the input unchanged, the test
            /// would still pass with the plaintext secret at rest. Confirm the fake transforms its input,
            /// or consider also asserting that the stored parameter differs from the plaintext key.
            /// </remarks>
            public async Task EncryptsHMACSecretInDatabase()
            {
                // Arrange: "s3cr3t" is a throwaway fixture value, not a real credential.
                var signatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
                var registeredClient = new Client(
                    "c1",
                    "app one",
                    signatureAlgorithm,
                    TimeSpan.FromMinutes(1),
                    TimeSpan.FromMinutes(2),
                    RequestTargetEscaping.RFC2396,
                    new Claim("company", "Dalion"),
                    new Claim("scope", "HttpMessageSigning"));

                // Act: persist through the system under test.
                await _sut.Register(registeredClient);

                // Query the collection directly so the assertions see what was actually stored.
                var records  = Database.GetCollection<ClientDataRecordV2>(_collectionName);
                var byId     = new ExpressionFilterDefinition<ClientDataRecordV2>(r => r.Id == registeredClient.Id);
                var cursor   = await records.FindAsync<ClientDataRecordV2>(byId);
                var persisted = await cursor.SingleAsync();

                // Assert: a parameter was stored at all.
                persisted.SignatureAlgorithm.Parameter.Should().NotBeNullOrEmpty();

                // The expected stored value is the fake protector's output for the UTF-8 decoded key.
                var plainTextKey = Encoding.UTF8.GetString(signatureAlgorithm.Key);
                var protectedKey = new FakeStringProtector().Protect(plainTextKey);

                persisted.SignatureAlgorithm.Parameter.Should().Be(protectedKey);
                persisted.SignatureAlgorithm.IsParameterEncrypted.Should().BeTrue();
            }
示例#2
        /// <summary>
        /// Test fixture setup: builds the converter under test on top of a faked string protector
        /// factory, and makes that factory hand out a <c>FakeStringProtector</c>.
        /// </summary>
        /// <remarks>
        /// NOTE(review): because every protector comes from the fake, these tests check that the
        /// converter routes the key through a protector, not that real encryption is applied.
        /// The strength of the real protector presumably needs its own tests. Confirm.
        /// </remarks>
        public SignatureAlgorithmDataRecordConverterTests()
        {
            // Create the fake factory and inject it into the system under test.
            FakeFactory.Create(out _stringProtectorFactory);
            _sut = new SignatureAlgorithmDataRecordConverter(_stringProtectorFactory);

            // Any CreateSymmetric(...) call, whatever string is passed, returns the same fake
            // protector. The secret passed to the factory is therefore not verified by this setup.
            _stringProtector = new FakeStringProtector();
            A.CallTo(() => _stringProtectorFactory.CreateSymmetric(A <string> ._))
            .Returns(_stringProtector);
        }
示例#3
 /// <summary>
 /// Converts an HMAC (SHA-384) signature algorithm to its data record and checks that the
 /// record carries the protected key in <c>Parameter</c> with <c>IsParameterEncrypted</c> set.
 /// </summary>
 /// <remarks>
 /// NOTE(review): the expected <c>Parameter</c> is whatever <c>FakeStringProtector.Protect</c>
 /// returns for the plaintext key. If the fake left its input unchanged, this test could not tell
 /// a protected key from a plaintext one. Confirm the fake visibly transforms its input.
 /// </remarks>
 public void GivenHMACAlgorithm_ReturnsExpectedDataRecord()
 {
     using (var algorithm = SignatureAlgorithm.CreateForVerification(_unencryptedKey, HashAlgorithmName.SHA384))
     {
         // Arrange: the record we expect, with the key in its protected form.
         var protectedKey = new FakeStringProtector().Protect(_unencryptedKey);
         var expectedRecord = new SignatureAlgorithmDataRecordV2
         {
             Type                 = "HMAC",
             HashAlgorithm        = HashAlgorithmName.SHA384.Name,
             IsParameterEncrypted = true,
             Parameter            = protectedKey
         };

         // Act
         var actualRecord = _sut.FromSignatureAlgorithm(algorithm, _encryptionKey);

         // Assert
         actualRecord.Should().BeEquivalentTo(expectedRecord);
     }
 }