eelke
07393f57fc
Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
46 lines
1.5 KiB
C#
46 lines
1.5 KiB
C#
using System.Buffers.Text;
|
|
using System.Security.Cryptography;
|
|
using IdentityShroud.Core.Contracts;
|
|
using IdentityShroud.Core.Model;
|
|
using IdentityShroud.Core.Security;
|
|
using IdentityShroud.Core.Security.Keys;
|
|
using IdentityShroud.Core.Services;
|
|
using IdentityShroud.TestUtils.Substitutes;
|
|
|
|
namespace IdentityShroud.Api.Tests.Mappers;
|
|
|
|
public class KeyServiceTests
|
|
{
|
|
private readonly NullDekEncryptionService _dekEncryptionService = new();
|
|
|
|
[Fact]
|
|
public void Test()
|
|
{
|
|
// Setup
|
|
using RSA rsa = RSA.Create(2048);
|
|
|
|
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
|
|
|
|
DekId kid = DekId.NewId();
|
|
|
|
RealmKey realmKey = new()
|
|
{
|
|
Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
|
|
KeyType = "RSA",
|
|
Key = new(_dekEncryptionService.KeyId, rsa.ExportPkcs8PrivateKey()),
|
|
CreatedAt = DateTime.UtcNow,
|
|
Priority = 10,
|
|
};
|
|
|
|
// Act
|
|
KeyService sut = new(_dekEncryptionService, new KeyProviderFactory(), new ClockService());
|
|
var jwk = sut.CreateJsonWebKey(realmKey);
|
|
|
|
Assert.NotNull(jwk);
|
|
Assert.Equal("RSA", jwk.KeyType);
|
|
Assert.Equal(realmKey.Id.ToString(), jwk.KeyId);
|
|
Assert.Equal("sig", jwk.Use);
|
|
Assert.Equal(parameters.Exponent, Base64Url.DecodeFromChars(jwk.Exponent));
|
|
Assert.Equal(parameters.Modulus, Base64Url.DecodeFromChars(jwk.Modulus));
|
|
}
|
|
}
|