Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs

@@ -2,6 +2,7 @@ using System.Buffers.Text;
 using System.Security.Cryptography;
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Security.Keys;
 using IdentityShroud.Core.Services;
 using IdentityShroud.TestUtils.Substitutes;
@@ -10,7 +11,9 @@ namespace IdentityShroud.Api.Tests.Mappers;
 
 public class KeyServiceTests
 {
-    private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
+    private readonly IDekEncryptionService _dekEncryptionService = EncryptionServiceSubstitute.CreatePassthrough();
+
+    //private readonly IDataEncryptionService _dataEncryptionService = Substitute.For<IDataEncryptionService>();
     //private readonly IKeyProviderFactory _keyProviderFactory = Substitute.For<IKeyProviderFactory>();
 
     [Fact]
@@ -20,18 +23,20 @@ public class KeyServiceTests
         using RSA rsa = RSA.Create(2048);
 
         RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
+
+        DekId kid = DekId.NewId();
         
         RealmKey realmKey = new()
         {
             Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
             KeyType = "RSA",
-            Key = new("", rsa.ExportPkcs8PrivateKey()),
+            Key = new(EncryptionServiceSubstitute.KeyId, rsa.ExportPkcs8PrivateKey()),
             CreatedAt = DateTime.UtcNow,
             Priority = 10,
         };
         
         // Act
-        KeyService sut = new(_encryptionService, new KeyProviderFactory(), new ClockService());
+        KeyService sut = new(_dekEncryptionService, new KeyProviderFactory(), new ClockService());
         var jwk = sut.CreateJsonWebKey(realmKey);
 
         Assert.NotNull(jwk);