From ccc00d8e80e385dce9a528ff2099e8a3140a4ea8 Mon Sep 17 00:00:00 2001
From: eelke
Date: Thu, 26 Feb 2026 20:39:48 +0100
Subject: [PATCH] Pass Span instead of Memory
---
 .../Mappers/KeyServiceTests.cs | 7 ++-----
 .../Services/ClientServiceTests.cs | 7 +------
 .../Contracts/IDataEncryptionService.cs | 2 +-
 .../Contracts/IDekEncryptionService.cs | 2 +-
 IdentityShroud.Core/Security/Encryption.cs | 4 ++--
 .../Services/DataEncryptionService.cs | 2 +-
 .../Services/DekEncryptionService.cs | 2 +-
 .../EncryptionServiceSubstitute.cs | 21 -------------------
 .../Substitutes/NullDataEncryptionService.cs | 18 ++++++++++++++++
 .../Substitutes/NullDekEncryptionService.cs | 18 ++++++++++++++++
 10 files changed, 45 insertions(+), 38 deletions(-)
 delete mode 100644 IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs
 create mode 100644 IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs
 create mode 100644 IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs
diff --git a/IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs b/IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs
index b6350cf..f423f54 100644
--- a/IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs
+++ b/IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs
@@ -11,10 +11,7 @@ namespace IdentityShroud.Api.Tests.Mappers;
 public class KeyServiceTests
 {
- private readonly IDekEncryptionService _dekEncryptionService = EncryptionServiceSubstitute.CreatePassthrough();
-
- //private readonly IDataEncryptionService _dataEncryptionService = Substitute.For();
- //private readonly IKeyProviderFactory _keyProviderFactory = Substitute.For();
+ private readonly NullDekEncryptionService _dekEncryptionService = new();
 [Fact]
 public void Test()
@@ -30,7 +27,7 @@ public class KeyServiceTests
 {
 Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
 KeyType = "RSA",
- Key = new(EncryptionServiceSubstitute.KeyId, rsa.ExportPkcs8PrivateKey()),
+ Key = new(_dekEncryptionService.KeyId, rsa.ExportPkcs8PrivateKey()),
 CreatedAt = DateTime.UtcNow,
 Priority = 10,
 };
diff --git a/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs b/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
index 5b08563..d0269e6 100644
--- a/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
@@ -1,6 +1,5 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
-using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Services;
 using IdentityShroud.Core.Tests.Fixtures;
 using IdentityShroud.TestUtils.Substitutes;
@@ -11,17 +10,13 @@ namespace IdentityShroud.Core.Tests.Services;
 public class ClientServiceTests : IClassFixture
 {
 private readonly DbFixture _dbFixture;
- //private readonly IDekEncryptionService _dekEncryptionService = EncryptionServiceSubstitute.CreatePassthrough();
- private readonly IDataEncryptionService _dataEncryptionService = Substitute.For();
+ private readonly NullDataEncryptionService _dataEncryptionService = new();
 private readonly IClock _clock = Substitute.For();
 private readonly Guid _realmId = new("a1b2c3d4-0000-0000-0000-000000000001");
 public ClientServiceTests(DbFixture dbFixture)
 {
- _dataEncryptionService.Encrypt(Arg.Any>())
- .Returns(x => new EncryptedValue(DekId.NewId(), x.ArgAt>(0).ToArray()));
-
 _dbFixture = dbFixture;
 using Db db = dbFixture.CreateDbContext();
 if (!db.Database.EnsureCreated())
diff --git a/IdentityShroud.Core/Contracts/IDataEncryptionService.cs b/IdentityShroud.Core/Contracts/IDataEncryptionService.cs
index 55eafe2..2810aaa 100644
--- a/IdentityShroud.Core/Contracts/IDataEncryptionService.cs
+++ b/IdentityShroud.Core/Contracts/IDataEncryptionService.cs
@@ -4,6 +4,6 @@ namespace IdentityShroud.Core.Contracts;
 public interface IDataEncryptionService
 {
- EncryptedValue Encrypt(ReadOnlyMemory plain);
+ EncryptedValue Encrypt(ReadOnlySpan plain);
 byte[] Decrypt(EncryptedValue input);
 }
\ No newline at end of file
diff --git a/IdentityShroud.Core/Contracts/IDekEncryptionService.cs b/IdentityShroud.Core/Contracts/IDekEncryptionService.cs
index 45e9b3f..3032040 100644
--- a/IdentityShroud.Core/Contracts/IDekEncryptionService.cs
+++ b/IdentityShroud.Core/Contracts/IDekEncryptionService.cs
@@ -6,6 +6,6 @@ namespace IdentityShroud.Core.Contracts;
 public interface IDekEncryptionService
 {
- EncryptedDek Encrypt(ReadOnlyMemory plain);
+ EncryptedDek Encrypt(ReadOnlySpan plain);
 byte[] Decrypt(EncryptedDek input);
 }
\ No newline at end of file
diff --git a/IdentityShroud.Core/Security/Encryption.cs b/IdentityShroud.Core/Security/Encryption.cs
index a80a273..47344c1 100644
--- a/IdentityShroud.Core/Security/Encryption.cs
+++ b/IdentityShroud.Core/Security/Encryption.cs
@@ -12,7 +12,7 @@ public static class Encryption
 new(1, 12, 16), // version 1
 ];
- public static byte[] Encrypt(ReadOnlyMemory plaintext, ReadOnlySpan key)
+ public static byte[] Encrypt(ReadOnlySpan plaintext, ReadOnlySpan key)
 {
 const int versionNumber = 1;
 AlgVersion versionParams = _versions[versionNumber];
@@ -31,7 +31,7 @@ public static class Encryption
 // use the spans to place the data directly in its place
 RandomNumberGenerator.Fill(nonce);
 using var aes = new AesGcm(key, versionParams.TagSize);
- aes.Encrypt(nonce, plaintext.Span, cipher, tag);
+ aes.Encrypt(nonce, plaintext, cipher, tag);
 return result;
 }
diff --git a/IdentityShroud.Core/Services/DataEncryptionService.cs b/IdentityShroud.Core/Services/DataEncryptionService.cs
index 603f833..a06cbae 100644
--- a/IdentityShroud.Core/Services/DataEncryptionService.cs
+++ b/IdentityShroud.Core/Services/DataEncryptionService.cs
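Review bot: In the second Encryption.cs hunk, `aes.Encrypt(nonce, plaintext, cipher, tag)` passes no associated data, so the GCM tag covers only the ciphertext. If `result` carries a version prefix ahead of the nonce (the buffer layout is built above this hunk, so this is inferred from `versionParams`), that prefix is unauthenticated, and the ciphertext is not bound to the key id stored beside it in `EncryptedValue`/`EncryptedDek`. Consider passing the header as the fifth argument, `aes.Encrypt(nonce, plaintext, cipher, tag, header);`, where `header` is a placeholder name for a span over the version prefix, and mirroring it in Decrypt. Because that changes the tag for data already stored, it would need a new entry in `_versions` rather than a change to version 1.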
@@ -31,7 +31,7 @@ public class DataEncryptionService(
 return Encryption.Decrypt(input.Value, key);
 }
- public EncryptedValue Encrypt(ReadOnlyMemory plain)
+ public EncryptedValue Encrypt(ReadOnlySpan plain)
 {
 var dek = GetActiveDek();
 var key = dekCryptor.Decrypt(dek.KeyData);
diff --git a/IdentityShroud.Core/Services/DekEncryptionService.cs b/IdentityShroud.Core/Services/DekEncryptionService.cs
index c147662..add9267 100644
--- a/IdentityShroud.Core/Services/DekEncryptionService.cs
+++ b/IdentityShroud.Core/Services/DekEncryptionService.cs
@@ -22,7 +22,7 @@ public class DekEncryptionService : IDekEncryptionService
 // throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
 }
- public EncryptedDek Encrypt(ReadOnlyMemory plaintext)
+ public EncryptedDek Encrypt(ReadOnlySpan plaintext)
 {
 var encryptionKey = ActiveKey;
 byte[] cipher = Encryption.Encrypt(plaintext, encryptionKey.Key);
diff --git a/IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs b/IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs
deleted file mode 100644
index 009629e..0000000
--- a/IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs
+++ /dev/null
@@ -1,21 +0,0 @@
-using IdentityShroud.Core.Contracts;
-using IdentityShroud.Core.Security;
-
-namespace IdentityShroud.TestUtils.Substitutes;
-
-public static class EncryptionServiceSubstitute
-{
- public static KekId KeyId { get; } = KekId.NewId();
-
- public static IDekEncryptionService CreatePassthrough()
- {
- var encryptionService = Substitute.For();
- encryptionService
- .Encrypt(Arg.Any>())
- .Returns(x => new EncryptedDek(KeyId, x.ArgAt>(0).ToArray()));
- encryptionService
- .Decrypt(Arg.Any())
- .Returns(x => x.ArgAt(0).Value);
- return encryptionService;
- }
-}
\ No newline at end of file
diff --git a/IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs b/IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs
new file mode 100644
index 0000000..4e97bfc
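Review bot: In DataEncryptionService.Encrypt, `var key = dekCryptor.Decrypt(dek.KeyData);` leaves the plaintext DEK in a managed `byte[]`, and nothing visible in the hunk clears it. The method body continues past the hunk, so this may already be handled there; if it is not, use `key` inside a `try` and call `CryptographicOperations.ZeroMemory(key);` in the `finally`. The same would apply to the `key` passed to `Encryption.Decrypt(input.Value, key)` at the top of the hunk, whose method starts outside it.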
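Review bot: In DekEncryptionService, the only key-length check visible at the top of the hunk is commented out (`// throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");`). `AesGcm` also accepts 16- and 24-byte keys, so a shorter KEK would be used without any error if no other check exists; the constructor begins above the hunk, so a live check there cannot be ruled out. If it is missing, restore the guard and throw `ArgumentException` rather than the base `Exception`, for example `if (keyBytes.Length != 32) throw new ArgumentException("Key must be 256 bits (32 bytes) for AES-256-GCM.");`, where `keyBytes` is a placeholder for the configured key material.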
--- /dev/null
+++ b/IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs
@@ -0,0 +1,18 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.TestUtils.Substitutes;
+
+public class NullDataEncryptionService : IDataEncryptionService
+{
+ public DekId KeyId { get; } = DekId.NewId();
+ public EncryptedValue Encrypt(ReadOnlySpan plain)
+ {
+ return new(KeyId, plain.ToArray());
+ }
+
+ public byte[] Decrypt(EncryptedValue input)
+ {
+ return input.Value;
+ }
+}
\ No newline at end of file
diff --git a/IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs b/IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs
new file mode 100644
index 0000000..879f932
--- /dev/null
+++ b/IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs
@@ -0,0 +1,18 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.TestUtils.Substitutes;
+
+public class NullDekEncryptionService : IDekEncryptionService
+{
+ public KekId KeyId { get; } = KekId.NewId();
+ public EncryptedDek Encrypt(ReadOnlySpan plain)
+ {
+ return new(KeyId, plain.ToArray());
+ }
+
+ public byte[] Decrypt(EncryptedDek input)
+ {
+ return input.Value;
+ }
+}
\ No newline at end of file
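Review bot: `Decrypt` in both NullDataEncryptionService and NullDekEncryptionService returns `input.Value` itself, while `Encrypt` copies with `plain.ToArray()`. A real decrypt hands back a fresh buffer, so code under test that clears the returned key or plaintext after use would silently wipe the stored value in these fakes; assuming `Value` is a `byte[]`, as the return type suggests, `return (byte[])input.Value.Clone();` keeps the double faithful. Both classes are public, unsealed and implement the production interfaces while storing plaintext, so marking them `sealed` and adding a summary such as `/// <summary>Test-only pass-through: stores the plaintext unchanged. Never register outside test projects.</summary>` would make an accidental registration easier to spot. `Decrypt` also ignores the key id carried by `input`, so a test using these fakes cannot detect a value being decrypted under the wrong key.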