5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00 · 2026-02-27 17:57:42 +00:00 · 07393f57fc
commit 07393f57fc
parent 138f335af0
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Core.Tests/Services/DekEncryptionServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/DekEncryptionServiceTests.cs
@ -0,0 +1,123 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+using IdentityShroud.Core.Services;
+
+namespace IdentityShroud.Core.Tests.Services;
+
+public class DekEncryptionServiceTests
+{
+    [Fact]
+    public void RoundtripWorks()
+    {
+        // Note this code will tend to only test the latest verion.
+
+        // setup
+        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(KekId.NewId(), true, "AES", keyValue)
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+        
+            
+        ReadOnlySpan<byte> input = "Hello, World!"u8;
+        
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        EncryptedDek cipher = sut.Encrypt(input.ToArray());
+        byte[] result = sut.Decrypt(cipher);
+
+        // verify
+        Assert.Equal(input, result);
+    }
+
+    [Fact]
+    public void DetectsCorruptInput()
+    {
+        // When introducing a new version we need version specific tests to 
+        // make sure decoding of legacy data still works.
+        KekId kid = KekId.NewId();
+        // setup
+        byte[] cipher = // NOTE INCORRECT CIPHER DO NOT USE IN OTHER TESTS
+        [
+            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
+            193, 75, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
+        ];
+        EncryptedDek secret = new(kid, cipher);
+        
+        byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(kid, true, "AES", keyValue)
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        Assert.Throws<InvalidOperationException>(
+            () => sut.Decrypt(secret),
+            ex => ex.Message.Contains("Decryption failed") ? null : "Expected Decryption failed in message");
+    }
+
+    [Fact]
+    public void DecodeSelectsRightKey()
+    {
+        // The key is marked inactive also it is the second key
+        
+        // setup
+        KekId kid1 = KekId.NewId();
+        KekId kid2 = KekId.NewId();
+
+        byte[] cipher =
+        [
+            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
+            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
+        ];
+        EncryptedDek secret = new(kid1, cipher);
+        
+        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(kid2, true, "AES", keyValue2),
+            new KeyEncryptionKey(kid1, false, "AES", keyValue1),
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        byte[] result = sut.Decrypt(secret);
+
+        // verify
+        Assert.Equal("Hello, World!"u8, result);
+    }
+    
+    [Fact]
+    public void EncryptionUsesActiveKey()
+    {
+        // setup
+        KekId kid1 = KekId.NewId();
+        KekId kid2 = KekId.NewId();
+
+        byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+        byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
+        var secretProvider = Substitute.For<ISecretProvider>();
+        KeyEncryptionKey[] keys =
+        [
+            new KeyEncryptionKey(kid1, false, "AES", keyValue1),
+            new KeyEncryptionKey(kid2, true, "AES", keyValue2),
+        ];
+        secretProvider.GetKeys("master").Returns(keys);
+
+        ReadOnlySpan<byte> input = "Hello, World!"u8;
+        // act
+        DekEncryptionService sut = new(secretProvider);
+        EncryptedDek cipher = sut.Encrypt(input.ToArray());
+        
+        // Verify
+        Assert.Equal(kid2, cipher.KekId);
+    }
+}