Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

This commit is contained in:
eelke 2026-02-26 16:53:02 +01:00
parent 644b005f2a
commit 650fe99990
36 changed files with 399 additions and 129 deletions


@ -125,7 +125,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
public async Task GetJwks()
{
// setup
IEncryptionService encryptionService = _factory.Services.GetRequiredService<IEncryptionService>();
IDekEncryptionService dekEncryptionService = _factory.Services.GetRequiredService<IDekEncryptionService>();
using var rsa = RSA.Create(2048);
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
@ -134,7 +134,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
{
Id = Guid.NewGuid(),
KeyType = "RSA",
Key = encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
Key = dekEncryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
CreatedAt = DateTime.UtcNow,
};
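Review bot: `IDekEncryptionService` is resolved straight from `_factory.Services`, the root provider, on the line that replaces the old `IEncryptionService` lookup; if that service is registered as scoped (it presumably carries per-realm DEK state), resolving it from the root either throws under scope validation or pins one instance for the lifetime of the factory, so `using var scope = _factory.Services.CreateScope();` followed by `scope.ServiceProvider.GetRequiredService<IDekEncryptionService>()` is the safer shape. The `Key = dekEncryptionService.Encrypt(...)` line would also read better with a comment naming what is being exercised, e.g. `// private key is stored DEK-encrypted; GetJwks must unwrap it through the KEK-protected DEK`. The body of GetJwks continues outside the hunk.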


@ -28,7 +28,7 @@ public class ApplicationFactory : WebApplicationFactory<Program>, IAsyncLifetime
new Dictionary<string, string?>
{
["Db:ConnectionString"] = _postgresqlServer.GetConnectionString(),
["secrets:master:0:Id"] = "key1",
["secrets:master:0:Id"] = "94970f27-3d88-4223-9940-7dd57548f5b5",
["secrets:master:0:Active"] = "true",
["secrets:master:0:Algorithm"] = "AES",
["secrets:master:0:Key"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
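Review bot: The value on the `secrets:master:0:Key` line is a literal base64 AES key (44 characters, i.e. 32 bytes / 256 bits) sitting in the test factory, and the Id on the line above is now a fixed GUID string; nothing in the section says these are throwaway fixtures, so a reader or secret scanner may flag them as a leaked KEK. A one-line comment above the dictionary such as `// test-only KEK and key id; throwaway values never used outside the integration tests` makes the intent explicit. If the Id moved from `key1` to a GUID because it is now parsed as a `Guid`, that comment should also state that the Id must be a valid GUID string, since persisted DEKs presumably reference it by this value. The dictionary initializer begins before the hunk.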


@ -2,6 +2,7 @@ using System.Buffers.Text;
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Security.Keys;
using IdentityShroud.Core.Services;
using IdentityShroud.TestUtils.Substitutes;
@ -10,7 +11,9 @@ namespace IdentityShroud.Api.Tests.Mappers;
public class KeyServiceTests
{
private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
private readonly IDekEncryptionService _dekEncryptionService = EncryptionServiceSubstitute.CreatePassthrough();
//private readonly IDataEncryptionService _dataEncryptionService = Substitute.For<IDataEncryptionService>();
//private readonly IKeyProviderFactory _keyProviderFactory = Substitute.For<IKeyProviderFactory>();
[Fact]
@ -20,18 +23,20 @@ public class KeyServiceTests
using RSA rsa = RSA.Create(2048);
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
DekId kid = DekId.NewId();
RealmKey realmKey = new()
{
Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
KeyType = "RSA",
Key = new("", rsa.ExportPkcs8PrivateKey()),
Key = new(EncryptionServiceSubstitute.KeyId, rsa.ExportPkcs8PrivateKey()),
CreatedAt = DateTime.UtcNow,
Priority = 10,
};
// Act
KeyService sut = new(_encryptionService, new KeyProviderFactory(), new ClockService());
KeyService sut = new(_dekEncryptionService, new KeyProviderFactory(), new ClockService());
var jwk = sut.CreateJsonWebKey(realmKey);
Assert.NotNull(jwk);