public virtual void TestKeyMaterial()
{
byte[] key1 = new byte[] { 1, 2, 3, 4 };
KeyProvider.KeyVersion obj = new KeyProvider.KeyVersion("key1", "key1@1", key1);
Assert.Equal("key1@1", obj.GetVersionName());
Assert.AssertArrayEquals(new byte[] { 1, 2, 3, 4 }, obj.GetMaterial());
}
public virtual void TestGenerateEncryptedKey()
{
// Generate a new EEK and check it
KeyProviderCryptoExtension.EncryptedKeyVersion ek1 = kpExt.GenerateEncryptedKey(encryptionKey
.GetName());
Assert.Equal("Version name of EEK should be EEK", KeyProviderCryptoExtension
.Eek, ek1.GetEncryptedKeyVersion().GetVersionName());
Assert.Equal("Name of EEK should be encryption key name", EncryptionKeyName
, ek1.GetEncryptionKeyName());
NUnit.Framework.Assert.IsNotNull("Expected encrypted key material", ek1.GetEncryptedKeyVersion
().GetMaterial());
Assert.Equal("Length of encryption key material and EEK material should "
+ "be the same", encryptionKey.GetMaterial().Length, ek1.GetEncryptedKeyVersion
().GetMaterial().Length);
// Decrypt EEK into an EK and check it
KeyProvider.KeyVersion k1 = kpExt.DecryptEncryptedKey(ek1);
Assert.Equal(KeyProviderCryptoExtension.Ek, k1.GetVersionName(
));
Assert.Equal(encryptionKey.GetMaterial().Length, k1.GetMaterial
().Length);
if (Arrays.Equals(k1.GetMaterial(), encryptionKey.GetMaterial()))
{
NUnit.Framework.Assert.Fail("Encrypted key material should not equal encryption key material"
);
}
if (Arrays.Equals(ek1.GetEncryptedKeyVersion().GetMaterial(), encryptionKey.GetMaterial
()))
{
NUnit.Framework.Assert.Fail("Encrypted key material should not equal decrypted key material"
);
}
// Decrypt it again and it should be the same
KeyProvider.KeyVersion k1a = kpExt.DecryptEncryptedKey(ek1);
Assert.AssertArrayEquals(k1.GetMaterial(), k1a.GetMaterial());
// Generate another EEK and make sure it's different from the first
KeyProviderCryptoExtension.EncryptedKeyVersion ek2 = kpExt.GenerateEncryptedKey(encryptionKey
.GetName());
KeyProvider.KeyVersion k2 = kpExt.DecryptEncryptedKey(ek2);
if (Arrays.Equals(k1.GetMaterial(), k2.GetMaterial()))
{
NUnit.Framework.Assert.Fail("Generated EEKs should have different material!");
}
if (Arrays.Equals(ek1.GetEncryptedKeyIv(), ek2.GetEncryptedKeyIv()))
{
NUnit.Framework.Assert.Fail("Generated EEKs should have different IVs!");
}
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="GeneralSecurityException"/>
public virtual KeyProviderCryptoExtension.EncryptedKeyVersion GenerateEncryptedKey
(string encryptionKeyName)
{
// Fetch the encryption key
KeyProvider.KeyVersion encryptionKey = keyProvider.GetCurrentKey(encryptionKeyName
);
Preconditions.CheckNotNull(encryptionKey, "No KeyVersion exists for key '%s' ", encryptionKeyName
);
// Generate random bytes for new key and IV
CryptoCodec cc = CryptoCodec.GetInstance(keyProvider.GetConf());
byte[] newKey = new byte[encryptionKey.GetMaterial().Length];
cc.GenerateSecureRandom(newKey);
byte[] iv = new byte[cc.GetCipherSuite().GetAlgorithmBlockSize()];
cc.GenerateSecureRandom(iv);
// Encryption key IV is derived from new key's IV
byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(iv);
Encryptor encryptor = cc.CreateEncryptor();
encryptor.Init(encryptionKey.GetMaterial(), encryptionIV);
int keyLen = newKey.Length;
ByteBuffer bbIn = ByteBuffer.AllocateDirect(keyLen);
ByteBuffer bbOut = ByteBuffer.AllocateDirect(keyLen);
bbIn.Put(newKey);
bbIn.Flip();
encryptor.Encrypt(bbIn, bbOut);
bbOut.Flip();
byte[] encryptedKey = new byte[keyLen];
bbOut.Get(encryptedKey);
return(new KeyProviderCryptoExtension.EncryptedKeyVersion(encryptionKeyName, encryptionKey
.GetVersionName(), iv, new KeyProvider.KeyVersion(encryptionKey.GetName(), Eek,
encryptedKey)));
}
