Improve the binary storage format of encrypted secrets. Move the related code from AesGcmHelper into the EncryptionService.

2026-02-22 19:11:17 +01:00 · 2026-02-22 19:11:17 +01:00 · 4201d0240d
commit 4201d0240d
parent ac08956339
11 changed files with 110 additions and 131 deletions
--- a/IdentityShroud.Core.Tests/IdentityShroud.Core.Tests.csproj
+++ b/IdentityShroud.Core.Tests/IdentityShroud.Core.Tests.csproj
@ -30,8 +30,4 @@
      <ProjectReference Include="..\IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj" />
    </ItemGroup>

-    <ItemGroup>
-      <Folder Include="Model\" />
-    </ItemGroup>
-
 </Project>
--- a/IdentityShroud.Core.Tests/JwtSignatureGeneratorTests.cs
+++ b/IdentityShroud.Core.Tests/JwtSignatureGeneratorTests.cs
@ -72,8 +72,8 @@ public class JwtSignatureGeneratorTests
        var rsa = RSA.Create();
        var parameters = new RSAParameters
        {
-            Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus),
-            Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent)
+            Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus!),
+            Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent!)
        };
        
        rsa.ImportParameters(parameters);
--- a/IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs
+++ b/IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs
@ -1,21 +0,0 @@
-using System.Security.Cryptography;
-using System.Text;
-using IdentityShroud.Core.Security;
-
-namespace IdentityShroud.Core.Tests.Security;
-
-public class AesGcmHelperTests
-{
-    [Fact]
-    public void EncryptDecryptCycleWorks()
-    {
-        string input = "Hello, world!";
-
-        var encryptionKey = RandomNumberGenerator.GetBytes(32);
-
-        var cypher = AesGcmHelper.EncryptAesGcm(Encoding.UTF8.GetBytes(input), encryptionKey);
-        var output = AesGcmHelper.DecryptAesGcm(cypher, encryptionKey);
-        
-        Assert.Equal(input, Encoding.UTF8.GetString(output));
-    }
-}
--- a/IdentityShroud.Core.Tests/Services/EncryptionServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/EncryptionServiceTests.cs
@ -1,3 +1,4 @@
+using System.Buffers.Text;
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Services;
@ -9,18 +10,43 @@ public class EncryptionServiceTests
    [Fact]
    public void RoundtripWorks()
    {
+        // Note this code will tend to only test the latest verion.
+        
        // setup
-        string key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        var secretProvider = Substitute.For<ISecretProvider>();
-        secretProvider.GetSecret("Master").Returns(key);
+        secretProvider.GetSecret("Master").Returns("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
            
-        EncryptionService sut = new(secretProvider);
-        byte[] input = RandomNumberGenerator.GetBytes(16);
+        ReadOnlySpan<byte> input = "Hello, World!"u8;
        
        // act
-        var cipher = sut.Encrypt(input);
-        var result = sut.Decrypt(cipher);
+        EncryptionService sut = new(secretProvider);
+        byte[] cipher = sut.Encrypt(input.ToArray());
+        byte[] result = sut.Decrypt(cipher);

+        // verify
        Assert.Equal(input, result);
    }
+
+    [Fact]
+    public void DecodeV1_Success()
+    {
+        // When introducing a new version we need version specific tests to 
+        // make sure decoding of legacy data still works.
+        
+        // setup
+        Span<byte> cipher =
+        [
+            1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
+            193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
+        ];
+        var secretProvider = Substitute.For<ISecretProvider>();
+        secretProvider.GetSecret("Master").Returns("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
+
+        // act
+        EncryptionService sut = new(secretProvider);
+        byte[] result = sut.Decrypt(cipher.ToArray());
+
+        // verify
+        Assert.Equal("Hello, World!"u8, result);
+    }
 }
--- a/IdentityShroud.Core.Tests/UnitTest1.cs
+++ b/IdentityShroud.Core.Tests/UnitTest1.cs
@ -66,9 +66,9 @@ public static class JwtReader
        return new JsonWebToken()
        {
            Header = JsonSerializer.Deserialize<JsonWebTokenHeader>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot))),
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot)))!,
            Payload = JsonSerializer.Deserialize<JsonWebTokenPayload>(
-                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1)))),
+                Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1))))!,
            Signature = WebEncoders.Base64UrlDecode(jwt, secondDot + 1, jwt.Length - (secondDot + 1))
        };
    }