Fix unexpected OAEP algorithm downgrade

- add integration test with Config Server
- move non-hex salt theory data to AesTextDecryptorTest
- add docker-compose for integration tests to repo root

Author: TimHess

.github/workflows/Steeltoe.All.yml

@@ -54,6 +54,13 @@ jobs:
           eureka.client.serviceUrl.defaultZone: http://eurekaServer:8761/eureka
           eureka.instance.hostname: localhost
           eureka.instance.instanceId: localhost:configServer:8888
+          encrypt.keyStore.location: file:///workspace/server.jks
+          encrypt.keyStore.password: letmein
+          encrypt.keyStore.alias: mytestkey
+          encrypt.rsa.algorithm: OAEP
+          encrypt.rsa.salt: deadbeef
+          encrypt.rsa.strong: "false"
+        options: --name steeltoe-config
         ports:
         - 8888:8888
 
@@ -83,6 +90,15 @@ jobs:
       with:
         persist-credentials: false
 
+    - name: Provide jks file for Config Server container
+      if: ${{ matrix.runDockerContainers }}
+      # The Config Server container starts before checkout, when server.jks is not yet available.
+      # Copy it into the container now and restart so Config Server can pick up the keystore.
+      shell: bash
+      run: |
+        docker cp src/Configuration/test/Encryption.Test/Cryptography/server.jks steeltoe-config:/workspace/server.jks
+        docker restart steeltoe-config
+
     - name: Restore packages
       run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 

.github/workflows/component-shared-workflow.yml

@@ -45,6 +45,13 @@ jobs:
           eureka.client.serviceUrl.defaultZone: http://eurekaServer:8761/eureka
           eureka.instance.hostname: localhost
           eureka.instance.instanceId: localhost:configServer:8888
+          encrypt.keyStore.location: file:///workspace/server.jks
+          encrypt.keyStore.password: letmein
+          encrypt.keyStore.alias: mytestkey
+          encrypt.rsa.algorithm: OAEP
+          encrypt.rsa.salt: deadbeef
+          encrypt.rsa.strong: "false"
+        options: --name steeltoe-config
         ports:
         - 8888:8888
 
@@ -74,6 +81,15 @@ jobs:
       with:
         persist-credentials: false
 
+    - name: Provide jks file for Config Server container
+      if: ${{ inputs.runDockerContainers }}
+      # The Config Server container starts before checkout, when server.jks is not yet available.
+      # Copy it into the container now and restart so Config Server can pick up the keystore.
+      shell: bash
+      run: |
+        docker cp src/Configuration/test/Encryption.Test/Cryptography/server.jks steeltoe-config:/workspace/server.jks
+        docker restart steeltoe-config
+
     - name: Restore packages
       run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 

docker-compose.yml

@@ -0,0 +1,42 @@
+# Starts Eureka Server and Spring Cloud Config Server for running Configuration integration tests locally.
+#
+# Usage:
+#   docker compose up -d
+#   Start-Sleep -Seconds 15   # wait for servers to be ready
+#
+# Run all Configuration integration tests:
+#   dotnet test src/Configuration --filter "Category=Integration"
+#
+# To generate a new OAEP-encrypted test vector (for Encryption.Test):
+#   Invoke-RestMethod -Method Post -Uri "http://localhost:8888/encrypt" `
+#       -Body "encrypt the world" -ContentType "text/plain"
+
+services:
+  eureka-server:
+    image: steeltoe.azurecr.io/eureka-server
+    pull_policy: always
+    container_name: eureka-server
+    ports:
+      - "8761:8761"
+
+  config-server:
+    image: steeltoe.azurecr.io/config-server
+    pull_policy: always
+    container_name: steeltoe-config
+    depends_on:
+      - eureka-server
+    ports:
+      - "8888:8888"
+    volumes:
+      - ./src/Configuration/test/Encryption.Test/Cryptography/server.jks:/workspace/server.jks:ro
+    environment:
+      eureka.client.enabled: "true"
+      eureka.client.serviceUrl.defaultZone: http://eureka-server:8761/eureka
+      eureka.instance.hostname: localhost
+      eureka.instance.instanceId: localhost:configServer:8888
+      encrypt.keyStore.location: file:///workspace/server.jks
+      encrypt.keyStore.password: letmein
+      encrypt.keyStore.alias: mytestkey
+      encrypt.rsa.algorithm: OAEP
+      encrypt.rsa.salt: deadbeef
+      encrypt.rsa.strong: "false"

src/Configuration/src/Encryption/Cryptography/RsaKeyStoreDecryptor.cs

@@ -40,7 +40,7 @@ private IBufferedCipher CreateCipher(string algorithm)
         return algorithm.ToUpperInvariant() switch
         {
             "DEFAULT" => CipherUtilities.GetCipher("RSA/NONE/PKCS1Padding"),
-            "OAEP" => CipherUtilities.GetCipher("RSA/ECB/PKCS1"),
+            "OAEP" => CipherUtilities.GetCipher("RSA/NONE/OAEPWithSHA1AndMGF1Padding"),
             _ => throw new ArgumentException("algorithm should be one of DEFAULT or OAEP")
         };
     }

src/Configuration/test/ConfigServer.Integration.Test/ConfigServerConfigurationExtensionsIntegrationTest.cs

@@ -9,14 +9,11 @@
 
 namespace Steeltoe.Configuration.ConfigServer.Integration.Test;
 
-// NOTE: Some of the tests assume a running Spring Cloud Config Server is started
+// NOTE: These tests assume Spring Cloud Config Server (and sometimes Eureka Server) is running
 //       with repository data for application: foo, profile: development
 //
-//       The easiest way to get that to happen is clone the spring-cloud-config
-//       repo and run the config-server.
-//          e.g. git clone https://github.com/spring-cloud/spring-cloud-config.git
-//               cd spring-cloud-config\spring-cloud-config-server
-//               mvn spring-boot:run
+//       The easiest way to run the servers is with docker compose
+//       (see docker-compose.yml at the repo root)
 public sealed class ConfigServerConfigurationExtensionsIntegrationTest
 {
     [Fact]

src/Configuration/test/ConfigServer.Integration.Test/PlaceholderEncryptionIntegrationTest.cs

@@ -26,7 +26,7 @@ public void PlaceholderInsideDecryptionProvider_ReturnsDecryptedValuesInPlacehol
             ["encrypt:rsa:algorithm"] = "OAEP",
             ["encrypt:rsa:salt"] = "deadbeef",
             ["encrypted"] =
-                "{cipher}AQATBPXCmri0MCEoCam0noXJgKGlFfE/chVN7XhH1V23MqJ8sI3lI61PyvsryJP3LlfNn38gUuulMeslAs/gUCoPFPV/zD7M8x527wQUbmWD6bR0ZMJ4hu3DisK6Diw2YAOxXSsm3Zh46cPFQcowfOG1x2OXj+5uL4T+VBGdt3Nr6dHCOumkTJ1KAtaJMfASf3J8G4M27v6m4Y2EdBqP1zWwDhAZ3R0u9uTP9xYUqQiKsUeOixrhOaCvtb1Q+Zg6A41CxM4cjL3Ty6miNYLx3QkxRvfkdo0iqo7jTrWWAT1aeRV6t5U5iMlWnD4eXzad60E3ZSINhvDiB03xPPPuHKC6qUTRJEEbQFegmn/KIPMMn9WaH/JLLZNvQYMuaFszZ84AE3aQcH0be+sNFDSjHNHL",
+                "{cipher}AQBoKgZNlxY+EWcGG0CXhyfV4q/u7lJjCBS+9liSKpu/w4gNmJhTYvjDJ3XIExVSVit41po5n91LVI3h777QlY7b0D2zOI0f4YR/9MtAdsq/cgRGZ4uzcv69bmVnQ0yt5ilxV021TH0EsVEmwmgyY+n1mKcD7aXWQwS2lAvJycgVgrDfbj2qz2c7aPn+8mXvG8EAbNmEhCbATCdPDlmBUPjLvuSweDlzlefQJ+jVSxLHfOcQ+g17arhIH1j0nZEAGywoNBGS1xg6DQ+8sW0GiYennTrnKslzMFjPTQ8QJSONzYysdRLGbV2Bi73ifUd+4AnMuSKcIRNiRACRtt+i7ZhrgTWRV1F+F8vfIiqf3SfzHdyclHkoCVkPhNBc9ySq0XRubPtg7UnW2KPZufZ0D7xx",
             ["placeholder"] = "${encrypted}"
         };
 
@@ -59,7 +59,7 @@ public void DecryptionInsidePlaceholderProvider_ReturnsDecryptedValuesInPlacehol
             ["encrypt:rsa:algorithm"] = "OAEP",
             ["encrypt:rsa:salt"] = "deadbeef",
             ["encrypted"] =
-                "{cipher}AQATBPXCmri0MCEoCam0noXJgKGlFfE/chVN7XhH1V23MqJ8sI3lI61PyvsryJP3LlfNn38gUuulMeslAs/gUCoPFPV/zD7M8x527wQUbmWD6bR0ZMJ4hu3DisK6Diw2YAOxXSsm3Zh46cPFQcowfOG1x2OXj+5uL4T+VBGdt3Nr6dHCOumkTJ1KAtaJMfASf3J8G4M27v6m4Y2EdBqP1zWwDhAZ3R0u9uTP9xYUqQiKsUeOixrhOaCvtb1Q+Zg6A41CxM4cjL3Ty6miNYLx3QkxRvfkdo0iqo7jTrWWAT1aeRV6t5U5iMlWnD4eXzad60E3ZSINhvDiB03xPPPuHKC6qUTRJEEbQFegmn/KIPMMn9WaH/JLLZNvQYMuaFszZ84AE3aQcH0be+sNFDSjHNHL",
+                "{cipher}AQBoKgZNlxY+EWcGG0CXhyfV4q/u7lJjCBS+9liSKpu/w4gNmJhTYvjDJ3XIExVSVit41po5n91LVI3h777QlY7b0D2zOI0f4YR/9MtAdsq/cgRGZ4uzcv69bmVnQ0yt5ilxV021TH0EsVEmwmgyY+n1mKcD7aXWQwS2lAvJycgVgrDfbj2qz2c7aPn+8mXvG8EAbNmEhCbATCdPDlmBUPjLvuSweDlzlefQJ+jVSxLHfOcQ+g17arhIH1j0nZEAGywoNBGS1xg6DQ+8sW0GiYennTrnKslzMFjPTQ8QJSONzYysdRLGbV2Bi73ifUd+4AnMuSKcIRNiRACRtt+i7ZhrgTWRV1F+F8vfIiqf3SfzHdyclHkoCVkPhNBc9ySq0XRubPtg7UnW2KPZufZ0D7xx",
             ["placeholder"] = "${encrypted}"
         };
 

src/Configuration/test/Encryption.Test/Cryptography/AesTextDecryptorTest.cs

@@ -23,11 +23,13 @@ public static TheoryData<string, string, string, string> GetTestVector()
         List<(string Salt, string Key, string Cipher, string PlainText)> data =
         [
             ("deadbeef", "12345678901234567890", "23f97efeed4ab62294432e8ef6b2905e336c245ecb1d5122b2c288c4deeae1b737952312e97e2cf013dd31a28fc60704",
-                "encrypt the world"), // from Spring Cloud Config documentation
+                "encrypt the world"),
             ("deadbeef", "foo", "682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda", "mysecret"),
             ("deadbeef", "12345678901234567890", "e31b13ab248f96f3cc22be5942d9ebec19a6b50318b2f5d30ea515064971bdebff6974890197626f0dcd5b648950e96f",
                 "encrypt the world"),
             ("deadbeef", "12345678901234567890", "e401ca0578839c9e5207f52d0ae4dc836f8c6530cdc90f14b544180f6fdb9265b80d6ace9fbbab700c7af32141171358",
+                "encrypt the world"),
+            ("nohexsaltvalue", "12345678901234567890", "000102030405060708090a0b0c0d0e0f31fb8ea24a48e4ffed43352dfacfc9b89cd5ff630715fb4ffeb536c02111dd53",
                 "encrypt the world")
         ];
 

src/Configuration/test/Encryption.Test/Cryptography/RsaKeyStoreDecryptorTest.cs

@@ -2,6 +2,7 @@
 // The .NET Foundation licenses this file to you under the Apache 2.0 License.
 // See the LICENSE file in the project root for more information.
 
+using System.Text;
 using Steeltoe.Configuration.Encryption.Cryptography;
 
 namespace Steeltoe.Configuration.Encryption.Test.Cryptography;
@@ -42,8 +43,8 @@ public void Constructor_WithUnsupportedAlgorithmThrows()
     }
 
     [Theory]
-    [MemberData(nameof(GetTestVector))]
-    public void Decode_TestForSpringConfigCipher_WithDefaultKey(string salt, string strong, string algorithm, string cipher, string plainText)
+    [MemberData(nameof(GetSpringConfigServerTestVectors))]
+    public void Decrypt_WithSpringCipherText_UsingDefaultKeyAlias(string salt, string strong, string algorithm, string cipher, string plainText)
     {
         var decryptor = new RsaKeyStoreDecryptor(_keyProvider, "mytestkey", salt, bool.Parse(strong), algorithm);
         string decrypted = decryptor.Decrypt(cipher);
@@ -52,33 +53,51 @@ public void Decode_TestForSpringConfigCipher_WithDefaultKey(string salt, string
     }
 
     [Theory]
-    [MemberData(nameof(GetTestVector))]
-    public void Decode_TestForSpringConfigCipher_WithSpecifiedKey(string salt, string strong, string algorithm, string cipher, string plainText)
+    [MemberData(nameof(GetSpringConfigServerTestVectors))]
+    public void Decrypt_WithSpringCipherText_UsingExplicitKeyAlias(string salt, string strong, string algorithm, string cipher, string plainText)
     {
         var decryptor = new RsaKeyStoreDecryptor(_keyProvider, "someKey", salt, bool.Parse(strong), algorithm);
         string decrypted = decryptor.Decrypt(cipher, "mytestkey");
 
         decrypted.Should().Be(plainText);
     }
 
-    public static TheoryData<string, string, string, string, string> GetTestVector()
+    // Requires Config Server to be running with OAEP encryption configured (see docker-compose.yml at the repo root)
+    [Fact]
+    [Trait("Category", "Integration")]
+    public async Task Decrypt_WithOaepAlgorithm_CanDecryptSpringConfigServerCipherText()
+    {
+        // ReSharper disable once ShortLivedHttpClient
+        using var httpClient = new HttpClient();
+
+        HttpResponseMessage response = await httpClient.PostAsync(new Uri("http://localhost:8888/encrypt"),
+            new StringContent("encrypt the world", Encoding.UTF8, "text/plain"), TestContext.Current.CancellationToken);
+
+        response.EnsureSuccessStatusCode();
+        string springCipherText = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
+
+        var decryptor = new RsaKeyStoreDecryptor(_keyProvider, "mytestkey", "deadbeef", false, "OAEP");
+        string decrypted = decryptor.Decrypt(springCipherText);
+
+        decrypted.Should().Be("encrypt the world");
+    }
+
+    // Pre-generated ciphertext is from Spring Cloud Config Server (steeltoe.azurecr.io/config-server:4.3.1)
+    public static TheoryData<string, string, string, string, string> GetSpringConfigServerTestVectors()
     {
         List<(string Salt, string Strong, string Algorithm, string Cipher, string PlainText)> data =
         [
             ("deadbeef", "false", "OAEP",
-                "AQATBPXCmri0MCEoCam0noXJgKGlFfE/chVN7XhH1V23MqJ8sI3lI61PyvsryJP3LlfNn38gUuulMeslAs/gUCoPFPV/zD7M8x527wQUbmWD6bR0ZMJ4hu3DisK6Diw2YAOxXSsm3Zh46cPFQcowfOG1x2OXj+5uL4T+VBGdt3Nr6dHCOumkTJ1KAtaJMfASf3J8G4M27v6m4Y2EdBqP1zWwDhAZ3R0u9uTP9xYUqQiKsUeOixrhOaCvtb1Q+Zg6A41CxM4cjL3Ty6miNYLx3QkxRvfkdo0iqo7jTrWWAT1aeRV6t5U5iMlWnD4eXzad60E3ZSINhvDiB03xPPPuHKC6qUTRJEEbQFegmn/KIPMMn9WaH/JLLZNvQYMuaFszZ84AE3aQcH0be+sNFDSjHNHL",
-                "encrypt the world"),
-            ("deadbeef", "false", "OAEP",
-                "AQBoZM07gyw+GN0SXCkARLiSDjhN0flk07QP9+BsNnPEQD+alfH6A5FJwwuEf7d/kNJozppaZuHcPpDnRZbzmsRcqOcO0BiJFjsbX5K9o8jcAsGhDmLAf0jy/Ry1de6bELjZ4MPArbVN9numHTre4plXBXun2AVeNNBYG3yHed0A68o6FCc6UR/Pfdo/H+oTburn2qVKaZL+DAqIKHntcZjTLg/ZRa7MKUMCKiFEtV88U3lg+1YUqgz+XUmg2zyUsHgHNzYlTOtJWkFW51wNz/M2C92Zsu4R6bF1ewb2RM0N8VmjQAw6GpfLNX+CB3gGlDPsfGjc9qiF3zNsJSk88dm1+NruXeon5Nth691NQJ6DpgMXhhFzv7L/eyZKL/kZpGIVZK6dW3iePzsBtuFdrjiZ",
+                "AQA5BZk2Pg7/nbcuTrJ/i4MDOIc831GfHLUg1GQlBtOvRJm2iXngfbPKcnTjbtZZ9X+qPnbdkUcTVbgYcsszY3uoqWIN5Yybwg+dHsqZTv1/XSvwR/kwflDg+I6C+dxg3GepoCAZSPi+J5/MsfCYJAp6KI3WW34tbqkqNlJq1TmF4b/AQHmP7Pth6cIsFE7svQ0xDQRhY61lJESLvLZ1Em4XpA4cfiye1YQhNud7/AKTtyENf7oPT/7siWBN82gyCB63/HEMRNtSLobOKO1XzgWNc96ms4pIhACOA3cZarTDUqaKY+B84ATV5QKgfkQ/ihI6r2oeYB24ApKwjNyE4F4b0bFH1cchdsbooreJlflgn0U9gK0oo8t7cVGnih3lccJs3t0uAFVm+SrJGMG/8rgp",
                 "encrypt the world"),
             ("beefdead", "true", "OAEP",
-                "AQAbWqohCeQ+TTqyJ3ZlNvAtx5cC2I3PmJetuSR82yRRyX+wWd7mTkUXuN/wANJ+nr1ySdzPudjml1lHaxZn42I9szkIKSkNT+6Yg+zNaREMetcE5SXA1awtSbEaFY2NcualSzPVWs8ulsUkKlYyyh6XP9gT/kODbmX0mS6DCtxalJgjei7WujLaJaPjc3jk+EhV9M1TovexqI7XoLlsgrGf6/1gQE+SSOamTFJopWpYEeSpSEwY2dXZfct5KCFWGJVA7eDPRJk0dT6EWIvqd6J4YoMWonxgVy4nG/Gq0NTisXv9XpJHAPYBg0c8B0WrWi2PG/Q00wvFRqGmYQ1hQIVmbJm8z+f0WoCxKwnCZvvdLlgrx2qeK1S21dPdgtmLXlj5bRUrektFrNhlevlENW7wgg==",
+                "AQAwoGhHV/Z82UWIrmqmTT92L510iKkwiF+EhlroV/No3dLwamUovEB9n/4IF+j6wfv8q1Baqekn5y6folcQmiMJd86JHW2n+WNeKUlbjf3Rk5uwgSTL2ST1JZ8w6sZ0PZVE2tqaQoc9mHRmjT7hqRm1lQVsHsic5tCxdTmhYVdGp5J6UGTRPQNfyJBR34w+LFjtgyaOrF//o8Z5ZF9XUx3MGaoe4HnURIYRq5HHcd4yVFINaBpW19ndgPV+nWRANxnmltLgPUbLWBJSvJ8czHOfZvZnTSJrWDBp1GIHN0OFkObJAIl7hmOdCh3vFPkxOL9gH4690VlMOCWYI8elsvuFsOdPG++FtJVSbuGgYC3AnuFo955yBfy8tgdegQ5Zzb2sOS2mwqsWr4mly4Pis+bgpw==",
+                "encrypt the world"),
+            ("deadbeef", "false", "DEFAULT",
+                "AQBSAVVzUP21aZXVAnuTMBDQ+/HGatD/+6H2YT/EbVofx5pWNJIjOlq1ioDpLHRB/JS86nI5oC9scEVBajc/gcWiYJAOtG4+g0Sw2ixzmi3jmho/CYxhtbxGFrkrTOC0r/0I6gcGgCo5ZrQCtaQDUMnHn+aFwo8baduKQ2N6qMyGHvfXIqqJFabnTkYDlLlqgNa3jpI3oKicaDTvPU3jFO42fJyVFWyAdQ8YS0RZdOXV+0xQdRnHrHHjhR8W7D7e0Jyx05RKq1ZEXvN7+x+YSE7ajrwy8riGuxR9a8smZAKkXC8T7KcZMRqtkd/9bpNS10bpw21KSxxp2GF52ekbu0xZYIIPdIj57me7HGubwNd1kXXgV+3L6sZ1IUAN0xnOOEUQD3z6hOWkrTEAmSbNRdYM",
                 "encrypt the world"),
             ("beefdead", "true", "DEFAULT",
                 "AQAhwKArLZqxrc44G2sG6+EwWeqn9JytaIyBpf/Yz2UZ0bLZthR3HPtGgOoKY9AkWpBuRzrw3zQ20ZRkq6q7XU+Stp1kB4OXhrmgbwydNUtYJmuTlpGohtHH8wVoT2n0bd7NuL9rJ2OAbkPXg8K1kJMSgen7Hyg3b+LFZmaA8wCHXdmHuP63Rk4NhSec4Ul/gRRn5jftojmbxVVQ6xRGAeFTZi70oAZ+tzdyXZmukorRZsUtnlgj94aSmGdMCGkukanCiEHHrh130Nigxba4qZ2F2e5n46De7+7EVwnIWWYa2sQH+3BQ+cp5OCebWMiGPdylqZzyTagkwo2jHv/OzW0/ytIF1Qo3AblMQgympSL3/PMPggllopaf2al4o7w63vWczXdv6YzdLchQMrdXRdkLrw==",
-                "encrypt the world"),
-            ("nohexsaltvalue", "true", "DEFAULT",
-                "AQA+sdMQ94WuW7DMBX7ZJQeWaybtFWJqAeVv9kmHyVCwil3yobQPXMxuoF/FGpZgYQu+9JyK52jnuIXiARdyqqaDKxY7ECN/8GLVXdcQi5ooO+ewyOrL53fycyyB2iQtZphbdgmzU2qKQkXvFcWQkauHCCtni6IemITLX/y9O3I6Ss9LEK86lSAWKD1Tikf9ly78vJsCJ01ahQhEQVMbkpTixnnFRgqSL7XZo+2FGMvsyYKHp9pQwEnLkbehI8AFODQlFsTcQ9YYab5lGa4OoYw+5oS3fFH8XlIvVSTfxipI18iyphppz3EefvuGd8FwgSGCbfIeQ2R2zcYxykfWgCgSH5ckev2EqeLaiyaK3tXFanumQBeLiSg7Uii80jg9LLJ62jyrR16m0+8CGqaw6uzZkQ==",
                 "encrypt the world")
         ];