Skip to content

Commit 65e4b82

Browse files
herveyw-msftherveyw-msft
committed
Add KeyVaultKeyResolver tests for retrieving secrets as symmetric keys
1 parent e486d63 commit 65e4b82

File tree

5 files changed

+156
-133
lines changed

5 files changed

+156
-133
lines changed

services/keyvault/azure-keyvault-extensions/src/test/java/com/microsoft/azure/keyvault/extensions/test/KeyVaultKeyResolverTest.java

Lines changed: 152 additions & 132 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,21 @@
11
package com.microsoft.azure.keyvault.extensions.test;
22

3+
import static org.junit.Assert.assertArrayEquals;
4+
import static org.junit.Assert.fail;
5+
6+
import java.security.NoSuchAlgorithmException;
37
import java.util.concurrent.ExecutionException;
48
import java.util.concurrent.Future;
59

10+
import org.apache.commons.codec.binary.Base64;
611
import org.junit.Assert;
712
import org.junit.Test;
813

914
import com.microsoft.azure.keyvault.core.IKey;
1015
import com.microsoft.azure.keyvault.extensions.KeyVaultKeyResolver;
16+
import com.microsoft.azure.keyvault.extensions.SymmetricKey;
1117
import com.microsoft.azure.keyvault.models.KeyBundle;
18+
import com.microsoft.azure.keyvault.models.Secret;
1219

1320
//
1421
//Copyright © Microsoft Corporation, All Rights Reserved
@@ -29,7 +36,10 @@
2936

3037
public class KeyVaultKeyResolverTest extends KeyVaultExtensionsIntegrationTestBase {
3138

32-
private static final String KEY_NAME = "JavaExtensionKey";
39+
private static final String KEY_NAME = "JavaExtensionKey";
40+
private static final String SECRET_NAME = "JavaExtensionSecret";
41+
42+
private static final Base64 _base64 = new Base64(-1, null, true);
3343

3444
@Test
3545
public void KeyVault_KeyVaultKeyResolver_Key() throws InterruptedException, ExecutionException
@@ -63,186 +73,196 @@ public void KeyVault_KeyVaultKeyResolver_Key() throws InterruptedException, Exec
6373
}
6474
}
6575

66-
/*
67-
68-
/// <summary>
69-
/// Test resolving a key from a 128bit secret encoded as base64 in a vault using various KeyVaultKeyResolver constructors.
70-
/// </summary>
71-
[Fact]
72-
public async Task KeyVault_KeyVaultKeyResolver_Secret128Base64()
76+
/*
77+
* Test resolving a key from a 128bit secret encoded as base64 in a vault using various KeyVaultKeyResolver constructors.
78+
*/
79+
@Test
80+
public void KeyVault_KeyVaultKeyResolver_Secret128Base64() throws InterruptedException, ExecutionException
7381
{
7482
// Arrange
75-
var client = CreateKeyVaultClient();
76-
var vault = ConfigurationManager.AppSettings["VaultUrl"];
77-
78-
var keyBytes = new byte[128 >> 3];
83+
byte[] keyBytes = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F };
84+
byte[] CEK = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD, (byte) 0xEE, (byte) 0xFF };
85+
byte[] EK = { 0x1F, (byte) 0xA6, (byte) 0x8B, 0x0A, (byte) 0x81, 0x12, (byte) 0xB4, 0x47, (byte) 0xAE, (byte) 0xF3, 0x4B, (byte) 0xD8, (byte) 0xFB, 0x5A, 0x7B, (byte) 0x82, (byte) 0x9D, 0x3E, (byte) 0x86, 0x23, 0x71, (byte) 0xD2, (byte) 0xCF, (byte) 0xE5 };
7986

80-
new RNGCryptoServiceProvider().GetNonZeroBytes( keyBytes );
8187

82-
var secret = await client.SetSecretAsync( vault, "TestSecret", Convert.ToBase64String( keyBytes ), null, "application/octet-stream" ).ConfigureAwait( false );
88+
Future<Secret> futureSecret = keyVaultClient.setSecretAsync(getVaultUri(), SECRET_NAME, _base64.encodeAsString(keyBytes), "application/octet-stream", null, null );
89+
Secret secret = futureSecret.get();
8390

8491
if ( secret != null )
8592
{
8693
try
8794
{
8895
// ctor with client
89-
var resolver = new KeyVaultKeyResolver( client );
90-
91-
var baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
92-
var versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
93-
94-
Assert.Equal( baseKey.Kid, versionKey.Kid );
95-
96-
// ctor with authentication callback
97-
resolver = new KeyVaultKeyResolver( GetAccessToken );
98-
99-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
100-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
101-
102-
Assert.Equal( baseKey.Kid, versionKey.Kid );
103-
104-
// ctor with vault name and client
105-
resolver = new KeyVaultKeyResolver( vault, client );
106-
107-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
108-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
109-
110-
Assert.Equal( baseKey.Kid, versionKey.Kid );
111-
112-
// ctor with vault name and authentication callback
113-
resolver = new KeyVaultKeyResolver( vault, GetAccessToken );
114-
115-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
116-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
117-
118-
Assert.Equal( baseKey.Kid, versionKey.Kid );
96+
KeyVaultKeyResolver resolver = new KeyVaultKeyResolver( keyVaultClient );
97+
98+
IKey baseKey = resolver.resolveKeyAsync( secret.getSecretIdentifier().getBaseIdentifier() ).get();
99+
IKey versionKey = resolver.resolveKeyAsync( secret.getSecretIdentifier().getIdentifier() ).get();
100+
101+
// Check for correct key identifiers
102+
Assert.assertEquals( baseKey.getKid(), versionKey.getKid() );
103+
104+
// Ensure key operations give the expected results
105+
byte[] encrypted = null;
106+
107+
try {
108+
encrypted = baseKey.wrapKeyAsync(CEK, "A128KW").get().getLeft();
109+
} catch (InterruptedException e) {
110+
fail("InterrupedException");
111+
} catch (ExecutionException e) {
112+
fail("ExecutionException");
113+
} catch (NoSuchAlgorithmException e) {
114+
fail("NoSuchAlgorithmException");
115+
}
116+
117+
// Assert
118+
assertArrayEquals(EK, encrypted);
119+
120+
try {
121+
encrypted = versionKey.wrapKeyAsync(CEK, "A128KW").get().getLeft();
122+
} catch (InterruptedException e) {
123+
fail("InterrupedException");
124+
} catch (ExecutionException e) {
125+
fail("ExecutionException");
126+
} catch (NoSuchAlgorithmException e) {
127+
fail("NoSuchAlgorithmException");
128+
}
129+
130+
// Assert
131+
assertArrayEquals(EK, encrypted);
119132
}
120133
finally
121134
{
122135
// Delete the key
123-
client.DeleteSecretAsync( vault, "TestSecret" ).GetAwaiter().GetResult();
136+
keyVaultClient.deleteSecretAsync( getVaultUri(), SECRET_NAME ).get();
124137
}
125138
}
126139
}
127140

128-
/// <summary>
129-
/// Test resolving a key from a 192bit secret encoded as base64 in a vault using various KeyVaultKeyResolver constructors.
130-
/// </summary>
131-
[Fact]
132-
public async Task KeyVault_KeyVaultKeyResolver_Secret192Base64()
141+
/*
142+
* Test resolving a key from a 128bit secret encoded as base64 in a vault using various KeyVaultKeyResolver constructors.
143+
*/
144+
@Test
145+
public void KeyVault_KeyVaultKeyResolver_Secret192Base64() throws InterruptedException, ExecutionException
133146
{
134147
// Arrange
135-
var client = CreateKeyVaultClient();
136-
var vault = ConfigurationManager.AppSettings["VaultUrl"];
137-
138-
var keyBytes = new byte[192 >> 3];
148+
byte[] keyBytes = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 };
149+
byte[] CEK = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD, (byte) 0xEE, (byte) 0xFF };
150+
byte[] EK = { (byte) 0x96, 0x77, (byte) 0x8B, 0x25, (byte) 0xAE, 0x6C, (byte) 0xA4, 0x35, (byte) 0xF9, 0x2B, 0x5B, (byte) 0x97, (byte) 0xC0, 0x50, (byte) 0xAE, (byte) 0xD2, 0x46, (byte) 0x8A, (byte) 0xB8, (byte) 0xA1, 0x7A, (byte) 0xD8, 0x4E, 0x5D };
139151

140-
new RNGCryptoServiceProvider().GetNonZeroBytes( keyBytes );
141-
142-
var secret = await client.SetSecretAsync( vault, "TestSecret", Convert.ToBase64String( keyBytes ), null, "application/octet-stream" ).ConfigureAwait( false );
152+
Future<Secret> futureSecret = keyVaultClient.setSecretAsync(getVaultUri(), SECRET_NAME, _base64.encodeAsString(keyBytes), "application/octet-stream", null, null );
153+
Secret secret = futureSecret.get();
143154

144155
if ( secret != null )
145156
{
146157
try
147158
{
148159
// ctor with client
149-
var resolver = new KeyVaultKeyResolver( client );
150-
151-
var baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
152-
var versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
153-
154-
Assert.Equal( baseKey.Kid, versionKey.Kid );
155-
156-
// ctor with authentication callback
157-
resolver = new KeyVaultKeyResolver( GetAccessToken );
158-
159-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
160-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
161-
162-
Assert.Equal( baseKey.Kid, versionKey.Kid );
163-
164-
// ctor with vault name and client
165-
resolver = new KeyVaultKeyResolver( vault, client );
166-
167-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
168-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
169-
170-
Assert.Equal( baseKey.Kid, versionKey.Kid );
171-
172-
// ctor with vault name and authentication callback
173-
resolver = new KeyVaultKeyResolver( vault, GetAccessToken );
174-
175-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
176-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
177-
178-
Assert.Equal( baseKey.Kid, versionKey.Kid );
160+
KeyVaultKeyResolver resolver = new KeyVaultKeyResolver( keyVaultClient );
161+
162+
IKey baseKey = resolver.resolveKeyAsync( secret.getSecretIdentifier().getBaseIdentifier() ).get();
163+
IKey versionKey = resolver.resolveKeyAsync( secret.getSecretIdentifier().getIdentifier() ).get();
164+
165+
// Check for correct key identifiers
166+
Assert.assertEquals( baseKey.getKid(), versionKey.getKid() );
167+
168+
// Ensure key operations give the expected results
169+
byte[] encrypted = null;
170+
171+
try {
172+
encrypted = baseKey.wrapKeyAsync(CEK, "A192KW").get().getLeft();
173+
} catch (InterruptedException e) {
174+
fail("InterrupedException");
175+
} catch (ExecutionException e) {
176+
fail("ExecutionException");
177+
} catch (NoSuchAlgorithmException e) {
178+
fail("NoSuchAlgorithmException");
179+
}
180+
181+
// Assert
182+
assertArrayEquals(EK, encrypted);
183+
184+
try {
185+
encrypted = versionKey.wrapKeyAsync(CEK, "A192KW").get().getLeft();
186+
} catch (InterruptedException e) {
187+
fail("InterrupedException");
188+
} catch (ExecutionException e) {
189+
fail("ExecutionException");
190+
} catch (NoSuchAlgorithmException e) {
191+
fail("NoSuchAlgorithmException");
192+
}
193+
194+
// Assert
195+
assertArrayEquals(EK, encrypted);
179196
}
180197
finally
181198
{
182199
// Delete the key
183-
client.DeleteSecretAsync( vault, "TestSecret" ).GetAwaiter().GetResult();
200+
keyVaultClient.deleteSecretAsync( getVaultUri(), SECRET_NAME ).get();
184201
}
185202
}
186203
}
187204

188-
/// <summary>
189-
/// Test resolving a key from a 256bit secret encoded as base64 in a vault using various KeyVaultKeyResolver constructors.
190-
/// </summary>
191-
[Fact]
192-
public async Task KeyVault_KeyVaultKeyResolver_Secret256Base64()
205+
/*
206+
* Test resolving a key from a 256bit secret encoded as base64 in a vault using various KeyVaultKeyResolver constructors.
207+
*/
208+
@Test
209+
public void KeyVault_KeyVaultKeyResolver_Secret256Base64() throws InterruptedException, ExecutionException
193210
{
194211
// Arrange
195-
var client = CreateKeyVaultClient();
196-
var vault = ConfigurationManager.AppSettings["VaultUrl"];
197-
198-
var keyBytes = new byte[256 >> 3];
212+
byte[] keyBytes = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F };
213+
byte[] CEK = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD, (byte) 0xEE, (byte) 0xFF };
214+
byte[] EK = { 0x64, (byte) 0xE8, (byte) 0xC3, (byte) 0xF9, (byte) 0xCE, 0x0F, 0x5B, (byte) 0xA2, 0x63, (byte) 0xE9, 0x77, 0x79, 0x05, (byte) 0x81, (byte) 0x8A, 0x2A, (byte) 0x93, (byte) 0xC8, 0x19, 0x1E, 0x7D, 0x6E, (byte) 0x8A, (byte) 0xE7 };
199215

200-
new RNGCryptoServiceProvider().GetNonZeroBytes( keyBytes );
201-
202-
var secret = await client.SetSecretAsync( vault, "TestSecret", Convert.ToBase64String( keyBytes ), null, "application/octet-stream" ).ConfigureAwait( false );
216+
Future<Secret> futureSecret = keyVaultClient.setSecretAsync(getVaultUri(), SECRET_NAME, _base64.encodeAsString(keyBytes), "application/octet-stream", null, null );
217+
Secret secret = futureSecret.get();
203218

204219
if ( secret != null )
205220
{
206221
try
207222
{
208223
// ctor with client
209-
var resolver = new KeyVaultKeyResolver( client );
210-
211-
var baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
212-
var versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
213-
214-
Assert.Equal( baseKey.Kid, versionKey.Kid );
215-
216-
// ctor with authentication callback
217-
resolver = new KeyVaultKeyResolver( GetAccessToken );
218-
219-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
220-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
221-
222-
Assert.Equal( baseKey.Kid, versionKey.Kid );
223-
224-
// ctor with vault name and client
225-
resolver = new KeyVaultKeyResolver( vault, client );
226-
227-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
228-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
229-
230-
Assert.Equal( baseKey.Kid, versionKey.Kid );
231-
232-
// ctor with vault name and authentication callback
233-
resolver = new KeyVaultKeyResolver( vault, GetAccessToken );
234-
235-
baseKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.BaseIdentifier, default( CancellationToken ) ).ConfigureAwait( false );
236-
versionKey = await resolver.ResolveKeyAsync( secret.SecretIdentifier.Identifier, default( CancellationToken ) ).ConfigureAwait( false );
237-
238-
Assert.Equal( baseKey.Kid, versionKey.Kid );
224+
KeyVaultKeyResolver resolver = new KeyVaultKeyResolver( keyVaultClient );
225+
226+
IKey baseKey = resolver.resolveKeyAsync( secret.getSecretIdentifier().getBaseIdentifier() ).get();
227+
IKey versionKey = resolver.resolveKeyAsync( secret.getSecretIdentifier().getIdentifier() ).get();
228+
229+
// Check for correct key identifiers
230+
Assert.assertEquals( baseKey.getKid(), versionKey.getKid() );
231+
232+
// Ensure key operations give the expected results
233+
byte[] encrypted = null;
234+
235+
try {
236+
encrypted = baseKey.wrapKeyAsync(CEK, "A256KW").get().getLeft();
237+
} catch (InterruptedException e) {
238+
fail("InterrupedException");
239+
} catch (ExecutionException e) {
240+
fail("ExecutionException");
241+
} catch (NoSuchAlgorithmException e) {
242+
fail("NoSuchAlgorithmException");
243+
}
244+
245+
// Assert
246+
assertArrayEquals(EK, encrypted);
247+
248+
try {
249+
encrypted = versionKey.wrapKeyAsync(CEK, "A256KW").get().getLeft();
250+
} catch (InterruptedException e) {
251+
fail("InterrupedException");
252+
} catch (ExecutionException e) {
253+
fail("ExecutionException");
254+
} catch (NoSuchAlgorithmException e) {
255+
fail("NoSuchAlgorithmException");
256+
}
257+
258+
// Assert
259+
assertArrayEquals(EK, encrypted);
239260
}
240261
finally
241262
{
242263
// Delete the key
243-
client.DeleteSecretAsync( vault, "TestSecret" ).GetAwaiter().GetResult();
264+
keyVaultClient.deleteSecretAsync( getVaultUri(), SECRET_NAME ).get();
244265
}
245266
}
246267
}
247-
*/
248268
}

0 commit comments

Comments
 (0)