/// <exception cref="System.IO.IOException"/>
/// <exception cref="GeneralSecurityException"/>
public virtual KeyProvider.KeyVersion DecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion
encryptedKeyVersion)
{
// Fetch the encryption key material
string encryptionKeyVersionName = encryptedKeyVersion.GetEncryptionKeyVersionName
();
KeyProvider.KeyVersion encryptionKey = keyProvider.GetKeyVersion(encryptionKeyVersionName
);
Preconditions.CheckNotNull(encryptionKey, "KeyVersion name '%s' does not exist",
encryptionKeyVersionName);
Preconditions.CheckArgument(encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName
().Equals(KeyProviderCryptoExtension.Eek), "encryptedKey version name must be '%s', is '%s'"
, KeyProviderCryptoExtension.Eek, encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName
());
// Encryption key IV is determined from encrypted key's IV
byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(encryptedKeyVersion
.GetEncryptedKeyIv());
CryptoCodec cc = CryptoCodec.GetInstance(keyProvider.GetConf());
Decryptor decryptor = cc.CreateDecryptor();
decryptor.Init(encryptionKey.GetMaterial(), encryptionIV);
KeyProvider.KeyVersion encryptedKV = encryptedKeyVersion.GetEncryptedKeyVersion();
int keyLen = encryptedKV.GetMaterial().Length;
ByteBuffer bbIn = ByteBuffer.AllocateDirect(keyLen);
ByteBuffer bbOut = ByteBuffer.AllocateDirect(keyLen);
bbIn.Put(encryptedKV.GetMaterial());
bbIn.Flip();
decryptor.Decrypt(bbIn, bbOut);
bbOut.Flip();
byte[] decryptedKey = new byte[keyLen];
bbOut.Get(decryptedKey);
return(new KeyProvider.KeyVersion(encryptionKey.GetName(), Ek, decryptedKey));
}
public virtual void TestGenerateEncryptedKey()
{
// Generate a new EEK and check it
KeyProviderCryptoExtension.EncryptedKeyVersion ek1 = kpExt.GenerateEncryptedKey(encryptionKey
.GetName());
Assert.Equal("Version name of EEK should be EEK", KeyProviderCryptoExtension
.Eek, ek1.GetEncryptedKeyVersion().GetVersionName());
Assert.Equal("Name of EEK should be encryption key name", EncryptionKeyName
, ek1.GetEncryptionKeyName());
NUnit.Framework.Assert.IsNotNull("Expected encrypted key material", ek1.GetEncryptedKeyVersion
().GetMaterial());
Assert.Equal("Length of encryption key material and EEK material should "
+ "be the same", encryptionKey.GetMaterial().Length, ek1.GetEncryptedKeyVersion
().GetMaterial().Length);
// Decrypt EEK into an EK and check it
KeyProvider.KeyVersion k1 = kpExt.DecryptEncryptedKey(ek1);
Assert.Equal(KeyProviderCryptoExtension.Ek, k1.GetVersionName(
));
Assert.Equal(encryptionKey.GetMaterial().Length, k1.GetMaterial
().Length);
if (Arrays.Equals(k1.GetMaterial(), encryptionKey.GetMaterial()))
{
NUnit.Framework.Assert.Fail("Encrypted key material should not equal encryption key material"
);
}
if (Arrays.Equals(ek1.GetEncryptedKeyVersion().GetMaterial(), encryptionKey.GetMaterial
()))
{
NUnit.Framework.Assert.Fail("Encrypted key material should not equal decrypted key material"
);
}
// Decrypt it again and it should be the same
KeyProvider.KeyVersion k1a = kpExt.DecryptEncryptedKey(ek1);
Assert.AssertArrayEquals(k1.GetMaterial(), k1a.GetMaterial());
// Generate another EEK and make sure it's different from the first
KeyProviderCryptoExtension.EncryptedKeyVersion ek2 = kpExt.GenerateEncryptedKey(encryptionKey
.GetName());
KeyProvider.KeyVersion k2 = kpExt.DecryptEncryptedKey(ek2);
if (Arrays.Equals(k1.GetMaterial(), k2.GetMaterial()))
{
NUnit.Framework.Assert.Fail("Generated EEKs should have different material!");
}
if (Arrays.Equals(ek1.GetEncryptedKeyIv(), ek2.GetEncryptedKeyIv()))
{
NUnit.Framework.Assert.Fail("Generated EEKs should have different IVs!");
}
}
public virtual void TestEncryptDecrypt()
{
// Get an EEK
KeyProviderCryptoExtension.EncryptedKeyVersion eek = kpExt.GenerateEncryptedKey(encryptionKey
.GetName());
byte[] encryptedKeyIv = eek.GetEncryptedKeyIv();
byte[] encryptedKeyMaterial = eek.GetEncryptedKeyVersion().GetMaterial();
// Decrypt it manually
Cipher cipher = Cipher.GetInstance("AES/CTR/NoPadding");
cipher.Init(Cipher.DecryptMode, new SecretKeySpec(encryptionKey.GetMaterial
(), "AES"), new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV
(encryptedKeyIv)));
byte[] manualMaterial = cipher.DoFinal(encryptedKeyMaterial);
// Test the createForDecryption factory method
KeyProviderCryptoExtension.EncryptedKeyVersion eek2 = KeyProviderCryptoExtension.EncryptedKeyVersion
.CreateForDecryption(eek.GetEncryptionKeyName(), eek.GetEncryptionKeyVersionName
(), eek.GetEncryptedKeyIv(), eek.GetEncryptedKeyVersion().GetMaterial());
// Decrypt it with the API
KeyProvider.KeyVersion decryptedKey = kpExt.DecryptEncryptedKey(eek2);
byte[] apiMaterial = decryptedKey.GetMaterial();
Assert.AssertArrayEquals("Wrong key material from decryptEncryptedKey", manualMaterial
, apiMaterial);
}
/// <summary>
/// Decrypts an encrypted byte[] key material using the given a key version
/// name and initialization vector.
/// </summary>
/// <param name="encryptedKey">
/// contains keyVersionName and IV to decrypt the encrypted
/// key material
/// </param>
/// <returns>
/// a KeyVersion with the decrypted key material, the version name is
/// 'EK' (For Encryption Key)
/// </returns>
/// <exception cref="System.IO.IOException">thrown if the key material could not be decrypted
/// </exception>
/// <exception cref="GeneralSecurityException">
/// thrown if the key material could not be
/// decrypted because of a cryptographic issue.
/// </exception>
public virtual KeyProvider.KeyVersion DecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion
encryptedKey)
{
return(GetExtension().DecryptEncryptedKey(encryptedKey));
}