Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

2026-02-26 16:53:02 +01:00 · 2026-02-26 16:53:02 +01:00 · 650fe99990
commit 650fe99990
parent 644b005f2a
36 changed files with 399 additions and 129 deletions
--- a/IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs
+++ b/IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs
@ -28,13 +28,13 @@ public class ConfigurationSecretProviderTests
                "secrets": {
                    "master": [
                        {
-                            "Id": "first",
+                            "Id": "5676d159-5495-4945-aa84-59ee694aa8a2",
                            "Active": true,
                            "Algorithm": "AES",
                            "Key": "yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="
                        },
                        {
-                            "Id": "second",
+                            "Id": "b82489e7-a05a-4d64-b9a5-58d2f2c0dc39",
                            "Active": false,
                            "Algorithm": "AES",
                            "Key": "YSWK6vTJXCJOGLpCo+TtZ6anKNzvA1VT2xXLHbmq4M0="
@ -47,15 +47,17 @@ public class ConfigurationSecretProviderTests

        ConfigurationSecretProvider sut = new(BuildConfigFromJson(jsonConfig));

+        // act
        var keys = sut.GetKeys("master");

+        // verify
        Assert.Equal(2, keys.Length);
        var active = keys.Single(k => k.Active);
-        Assert.Equal("first", active.Id);
+        Assert.Equal(new Guid("5676d159-5495-4945-aa84-59ee694aa8a2"), active.Id.Id);
        Assert.Equal("AES", active.Algorithm);
        Assert.Equal(Convert.FromBase64String("yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="), active.Key);

        var inactive = keys.Single(k => !k.Active);
-        Assert.Equal("second", inactive.Id);
+        Assert.Equal(new Guid("b82489e7-a05a-4d64-b9a5-58d2f2c0dc39"), inactive.Id.Id);
    }
 }