Fixed decrypt process for byte arrays and improve unit tests

Author: Eastrall

README.md

@@ -11,7 +11,7 @@
 
 This library has been developed initialy for a personal project of mine. It provides a simple way to encrypt column data.
 
-I **do not** take responsability if you use this in a production environment and loose your encryption key.
+I **do not** take responsability if you use this in a production environment and loose your encryption key or corrupt your data.
 
 ## How to install
 

src/EntityFrameworkCore.DataEncryption/EntityFrameworkCore.DataEncryption.csproj

@@ -17,10 +17,10 @@
 		<GenerateDocumentationFile>true</GenerateDocumentationFile>
 		<PackageTags>entity-framework-core, extensions, dotnet-core, dotnet, encryption, fluent-api</PackageTags>
 		<PackageIcon>icon.png</PackageIcon>
-		<Copyright>Filipe GOMES PEIXOTO © 2019 - 2022</Copyright>
+		<Copyright>Filipe GOMES PEIXOTO © 2019 - 2023</Copyright>
 		<Description>A plugin for Microsoft.EntityFrameworkCore to add support of encrypted fields using built-in or custom encryption providers.</Description>
 		<PackageLicenseFile>LICENSE</PackageLicenseFile>
-		<PackageReleaseNotes>Add support for .NET 5 and .NET 6</PackageReleaseNotes>
+		<PackageReleaseNotes>https://github.com/Eastrall/EntityFrameworkCore.DataEncryption/releases/tag/v4.0.0</PackageReleaseNotes>
 		<PackageReadmeFile>README.md</PackageReadmeFile>
 	</PropertyGroup>
 
@@ -34,11 +34,8 @@
 	<ItemGroup Condition="('$(TargetFramework)' == 'netcoreapp3.1')">
 		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="[3.1,6)" />
 	</ItemGroup>
-	<ItemGroup Condition="('$(TargetFramework)' == 'netstandard2.1')">
-		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="[5,)" />
-	</ItemGroup>
 	<ItemGroup Condition="('$(TargetFramework)' == 'net6.0')">
-		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="[6,)" />
+		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="[6,7)" />
 	</ItemGroup>
 	<ItemGroup Condition="('$(TargetFramework)' == 'net7.0')">
 		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="[7,)" />

src/EntityFrameworkCore.DataEncryption/Providers/AesProvider.cs

@@ -1,4 +1,5 @@
-using System.IO;
+using System;
+using System.IO;
 using System.Security.Cryptography;
 
 namespace Microsoft.EntityFrameworkCore.DataEncryption.Providers;
@@ -19,9 +20,9 @@ public class AesProvider : IEncryptionProvider
     public const int InitializationVectorSize = 16;
 
     private readonly byte[] _key;
+    private readonly byte[] _iv;
     private readonly CipherMode _mode;
     private readonly PaddingMode _padding;
-    private readonly byte[] _iv;
 
     /// <summary>
     /// Creates a new <see cref="AesProvider"/> instance used to perform symmetric encryption and decryption on strings.
@@ -32,8 +33,8 @@ public class AesProvider : IEncryptionProvider
     /// <param name="padding">Padding mode used in the symmetric encryption.</param>
     public AesProvider(byte[] key, byte[] initializationVector, CipherMode mode = CipherMode.CBC, PaddingMode padding = PaddingMode.PKCS7)
     {
-        _key = key;
-        _iv = initializationVector;
+        _key = key ?? throw new ArgumentNullException(nameof(key), "");
+        _iv = initializationVector ?? throw new ArgumentNullException(nameof(initializationVector), "");
         _mode = mode;
         _padding = padding;
     }
@@ -46,25 +47,16 @@ public byte[] Encrypt(byte[] input)
             return null;
         }
 
-        using var aes = CreateCryptographyProvider(_key, _mode, _padding);
-        using var memoryStream = new MemoryStream();
-
-        byte[] initializationVector = _iv;
-        if (initializationVector is null)
-        {
-            aes.GenerateIV();
-            initializationVector = aes.IV;
-            memoryStream.Write(initializationVector, 0, initializationVector.Length);
-        }
+        using Aes aes = CreateCryptographyProvider(_key, _iv, _mode, _padding);
+        using ICryptoTransform transform = aes.CreateEncryptor(aes.Key, aes.IV);
+        using MemoryStream memoryStream = new();
+        using CryptoStream cryptoStream = new(memoryStream, transform, CryptoStreamMode.Write);
 
-        using var transform = aes.CreateEncryptor(_key, initializationVector);
-        using var crypto = new CryptoStream(memoryStream, transform, CryptoStreamMode.Write);
-        crypto.Write(input, 0, input.Length);
-        crypto.FlushFinalBlock();
+        cryptoStream.Write(input, 0, input.Length);
+        cryptoStream.FlushFinalBlock();
+        memoryStream.Seek(0L, SeekOrigin.Begin);
 
-        memoryStream.Seek(0, SeekOrigin.Begin);
-
-        return memoryStream.ToArray();
+        return StreamToBytes(memoryStream);
     }
 
     /// <inheritdoc />
@@ -75,39 +67,46 @@ public byte[] Decrypt(byte[] input)
             return null;
         }
 
-        using var memoryStream = new MemoryStream(input);
+        using Aes aes = CreateCryptographyProvider(_key, _iv, _mode, _padding);
+        using ICryptoTransform transform = aes.CreateDecryptor(aes.Key, aes.IV);
+        using MemoryStream memoryStream = new(input);
+        using CryptoStream cryptoStream = new(memoryStream, transform, CryptoStreamMode.Read);
+
+        return StreamToBytes(cryptoStream);
+    }
 
-        byte[] initializationVector = _iv;
-        if (initializationVector is null)
+    /// <summary>
+    /// Converts a <see cref="Stream"/> into a byte array.
+    /// </summary>
+    /// <param name="stream">Stream.</param>
+    /// <returns>The stream's content as a byte array.</returns>
+    internal static byte[] StreamToBytes(Stream stream)
+    {
+        if (stream is MemoryStream ms)
         {
-            initializationVector = new byte[InitializationVectorSize];
-            memoryStream.Read(initializationVector, 0, initializationVector.Length);
+            return ms.ToArray();
         }
 
-        using var aes = CreateCryptographyProvider(_key, _mode, _padding);
-        using var transform = aes.CreateDecryptor(_key, initializationVector);
-
-        using var outputStream = new MemoryStream();
-        using var crypto = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read);
-
-        crypto.CopyTo(outputStream);
-
-        return outputStream.ToArray();
+        using var output = new MemoryStream();
+        stream.CopyTo(output);
+        return output.ToArray();
     }
 
     /// <summary>
     /// Generates an AES cryptography provider.
     /// </summary>
     /// <returns></returns>
-    private static Aes CreateCryptographyProvider(byte[] key, CipherMode mode, PaddingMode padding)
+    private static Aes CreateCryptographyProvider(byte[] key, byte[] iv, CipherMode mode, PaddingMode padding)
     {
         var aes = Aes.Create();
 
-        aes.BlockSize = AesBlockSize;
         aes.Mode = mode;
+        aes.KeySize = key.Length * 8;
+        aes.BlockSize = AesBlockSize;
+        aes.FeedbackSize = AesBlockSize;
         aes.Padding = padding;
         aes.Key = key;
-        aes.KeySize = key.Length * 8;
+        aes.IV = iv;
 
         return aes;
     }

test/EntityFrameworkCore.DataEncryption.Test/Context/AuthorEntity.cs

@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.ComponentModel.DataAnnotations;
 using System.ComponentModel.DataAnnotations.Schema;
-using System.Security;
 
 namespace Microsoft.EntityFrameworkCore.DataEncryption.Test.Context;
 
@@ -19,14 +18,13 @@ public sealed class AuthorEntity
     public string FirstName { get; set; }
 
     [Required]
-    [Encrypted]
+    [Encrypted(StorageFormat.Binary)]
+    [Column(TypeName = "BLOB")]
     public string LastName { get; set; }
 
     [Required]
     public int Age { get; set; }
 
-    //public SecureString Password { get; set; }
-
     public IList<BookEntity> Books { get; set; }
 
     public AuthorEntity(string firstName, string lastName, int age)

test/EntityFrameworkCore.DataEncryption.Test/Context/BookEntity.cs

@@ -29,10 +29,16 @@ public sealed class BookEntity
     [Column(TypeName = "TEXT")]
     public byte[] Content { get; set; }
 
-    public BookEntity(string name, int numberOfPages)
+    [Encrypted]
+    [Column(TypeName = "BLOB")]
+    public byte[] Summary { get; set; }
+
+    public BookEntity(string name, int numberOfPages, byte[] content, byte[] summary)
     {
         Name = name;
         NumberOfPages = numberOfPages;
         UniqueId = Guid.NewGuid();
+        Content = content;
+        Summary = summary;
     }
 }

test/EntityFrameworkCore.DataEncryption.Test/PropertyBuilderExtensionsTest.cs

@@ -1,17 +1,21 @@
-using Microsoft.EntityFrameworkCore.DataEncryption;
+using Bogus;
+using Microsoft.EntityFrameworkCore.DataEncryption;
 using Microsoft.EntityFrameworkCore.DataEncryption.Internal;
 using Microsoft.EntityFrameworkCore.DataEncryption.Providers;
 using Microsoft.EntityFrameworkCore.DataEncryption.Test.Context;
 using Microsoft.EntityFrameworkCore.Infrastructure;
 using Microsoft.EntityFrameworkCore.Metadata;
 using System;
 using System.ComponentModel.DataAnnotations;
+using System.Linq;
 using Xunit;
 
 namespace Microsoft.EntityFrameworkCore.Encryption.Test;
 
 public class PropertyBuilderExtensionsTest
 {
+    private static readonly Faker _faker = new();
+
     [Fact]
     public void PropertyBuilderShouldNeverBeNullTest()
     {
@@ -24,29 +28,84 @@ public void PropertyShouldHaveEncryptionAnnotationsTest()
         AesKeyInfo encryptionKeyInfo = AesProvider.GenerateKey(AesKeySize.AES256Bits);
         var provider = new AesProvider(encryptionKeyInfo.Key, encryptionKeyInfo.IV);
 
+        string name = _faker.Name.FullName();
+        byte[] bytes = _faker.Random.Bytes(_faker.Random.Int(10, 30));
+
+        UserEntity user = new()
+        {
+            Name = name,
+            NameAsBytes = name,
+            ExtraData = bytes,
+            ExtraDataAsBytes = bytes
+        };
+
         using var contextFactory = new DatabaseContextFactory();
-        using var context = contextFactory.CreateContext<FluentDbContext>(provider);
-        Assert.NotNull(context);
+        using (var context = contextFactory.CreateContext<FluentDbContext>(provider))
+        {
+            Assert.NotNull(context);
+
+            IEntityType entityType = context.GetUserEntityType();
+            Assert.NotNull(entityType);
 
-        IEntityType entityType = context.GetUserEntityType();
-        Assert.NotNull(entityType);
+            AssertPropertyAnnotations(entityType.GetProperty(nameof(UserEntity.Name)), true, StorageFormat.Default);
+            AssertPropertyAnnotations(entityType.GetProperty(nameof(UserEntity.NameAsBytes)), true, StorageFormat.Binary);
+            AssertPropertyAnnotations(entityType.GetProperty(nameof(UserEntity.ExtraData)), true, StorageFormat.Base64);
+            AssertPropertyAnnotations(entityType.GetProperty(nameof(UserEntity.ExtraDataAsBytes)), true, StorageFormat.Binary);
+            AssertPropertyAnnotations(entityType.GetProperty(nameof(UserEntity.Id)), false, StorageFormat.Default);
 
-        IProperty property = entityType.GetProperty("Name");
+            context.Users.Add(user);
+            context.SaveChanges();
+        }
+
+        using (var context = contextFactory.CreateContext<FluentDbContext>(provider))
+        {
+            UserEntity u = context.Users.First();
+
+            Assert.NotNull(u);
+            Assert.Equal(name, u.Name);
+            Assert.Equal(name, u.NameAsBytes);
+            Assert.Equal(bytes, u.ExtraData);
+            Assert.Equal(bytes, u.ExtraDataAsBytes);
+        }
+    }
+
+    private static void AssertPropertyAnnotations(IProperty property, bool shouldBeEncrypted, StorageFormat expectedStorageFormat)
+    {
         Assert.NotNull(property);
 
         IAnnotation encryptedAnnotation = property.FindAnnotation(PropertyAnnotations.IsEncrypted);
-        IAnnotation formatAnnotation = property.FindAnnotation(PropertyAnnotations.StorageFormat);
-        Assert.NotNull(encryptedAnnotation);
-        Assert.True((bool)encryptedAnnotation.Value);
-        Assert.NotNull(formatAnnotation);
-        Assert.Equal(StorageFormat.Default, formatAnnotation.Value);
+
+        if (shouldBeEncrypted)
+        {
+            Assert.NotNull(encryptedAnnotation);
+            Assert.True((bool)encryptedAnnotation.Value);
+
+            IAnnotation formatAnnotation = property.FindAnnotation(PropertyAnnotations.StorageFormat);
+            Assert.NotNull(formatAnnotation);
+            Assert.Equal(expectedStorageFormat, formatAnnotation.Value);
+        }
+        else
+        {
+            Assert.Null(encryptedAnnotation);
+            Assert.Null(property.FindAnnotation(PropertyAnnotations.StorageFormat));
+        }
     }
 
     private class UserEntity
     {
         public int Id { get; set; }
 
+        // Encrypted as default (Base64)
         public string Name { get; set; }
+
+        // Encrypted as raw byte array.
+        public string NameAsBytes { get; set; }
+
+        // Encrypted as Base64 string
+        public byte[] ExtraData { get; set; }
+
+        // Encrypted as raw byte array.
+        public byte[] ExtraDataAsBytes { get; set; }
     }
 
     private class FluentDbContext : DbContext
@@ -72,6 +131,9 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
             userEntityBuilder.HasKey(x => x.Id);
             userEntityBuilder.Property(x => x.Id).IsRequired().ValueGeneratedOnAdd();
             userEntityBuilder.Property(x => x.Name).IsRequired().IsEncrypted();
+            userEntityBuilder.Property(x => x.NameAsBytes).IsRequired().HasColumnType("BLOB").IsEncrypted(StorageFormat.Binary);
+            userEntityBuilder.Property(x => x.ExtraData).IsRequired().HasColumnType("TEXT").IsEncrypted(StorageFormat.Base64);
+            userEntityBuilder.Property(x => x.ExtraDataAsBytes).IsRequired().HasColumnType("BLOB").IsEncrypted(StorageFormat.Binary);
 
             modelBuilder.UseEncryption(_encryptionProvider);
         }