Added cmdlets: Protect-Data, Unprotect-Data

alan-null · alan-null · commit 272151931689 · 2022-10-21T20:39:14.000+02:00
diff --git a/Crypto.AES/Public/Protect-Data.ps1 b/Crypto.AES/Public/Protect-Data.ps1
@@ -0,0 +1,47 @@
+function Protect-Data {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "Key" )]
+        [byte[]]$Key,
+        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "GCM" )]
+        [System.Security.Cryptography.AesGcm]$GCM,
+        [Parameter(Mandatory = $true, Position = 1 )]
+        [byte[]]$Data,
+        [Parameter(Mandatory = $false, Position = 2 )]
+        [byte[]]$Nonce,
+        [Parameter(Mandatory = $false, Position = 3 )]
+        [Switch]$Combined
+    )
+
+    begin {
+        Write-Verbose "Cmdlet Protect-Data - Begin"
+    }
+
+    process {
+        Write-Verbose "Cmdlet Protect-Data - Process"
+        if (!$Nonce) {
+            $Nonce = [byte[]]::new(12)
+        }
+        $cipherOutput = [byte[]]::new($Data.Length)
+        $tag = [byte[]]::new(16)
+
+        if ($PSCmdlet.ParameterSetName -eq 'Key') {
+            $gcm = [System.Security.Cryptography.AesGcm]::new($Key)
+        }
+
+        $gcm.Encrypt($Nonce, $Data, $cipherOutput, $tag)
+
+        if ($Combined) {
+            return $tag + $cipherOutput + $Nonce
+        }
+        @{
+            CipherText = $cipherOutput
+            Nonce      = $Nonce
+            Tag        = $tag
+        }
+    }
+
+    end {
+        Write-Verbose "Cmdlet Protect-Data - End"
+    }
+}
diff --git a/Crypto.AES/Public/Unprotect-Data.ps1 b/Crypto.AES/Public/Unprotect-Data.ps1
@@ -0,0 +1,34 @@
+function Unprotect-Data {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "Key" )]
+        [byte[]]$Key,
+        [Parameter(Mandatory = $true, Position = 0, ParameterSetName = "GCM" )]
+        [System.Security.Cryptography.AesGcm]$GCM,
+        [Parameter(Mandatory = $true, Position = 1 )]
+        [byte[]]$Data,
+        [Parameter(Mandatory = $true, Position = 2 )]
+        [byte[]]$Nonce,
+        [Parameter(Mandatory = $true, Position = 3 )]
+        [byte[]]$Tag
+    )
+
+    begin {
+        Write-Verbose "Cmdlet Unprotect-Data - Begin"
+    }
+
+    process {
+        Write-Verbose "Cmdlet Unprotect-Data - Process"
+        $decrypted = [byte[]]::new($Data.Length)
+
+        if ($PSCmdlet.ParameterSetName -eq 'Key') {
+            $gcm = [System.Security.Cryptography.AesGcm]::new($Key)
+        }
+        $gcm.Decrypt($nonce, $Data, $Tag, $decrypted)
+        $decrypted
+    }
+
+    end {
+        Write-Verbose "Cmdlet Unprotect-Data - End"
+    }
+}
diff --git a/Tests/Crypto.AES.Tests.ps1 b/Tests/Crypto.AES.Tests.ps1
@@ -27,4 +27,112 @@ Describe 'Crypto.AES.Tests' {
             $v1 | Should -Not -Be $v2
         }
     }
+
+    Context "Protect-Data - Result" {
+        $Key = [byte[]]::new(32)
+        $nonce = [byte[]]::new(12)
+        $data = $encoding.GetBytes("Test")
+
+        It "has correct size" {
+            $r_key = Protect-Data -Key $Key -Data $data -Nonce $nonce
+
+            $r_key.CipherText.Length | Should -BeExactly $data.Length
+            $r_key.Nonce.Length | Should -BeExactly $nonce.Length
+            $r_key.Tag.Length | Should -BeExactly 16
+        }
+
+        It "combined=false" {
+            $r = Protect-Data -Key $Key -Data $data -Nonce $nonce
+
+            $r.CipherText | Should -Not -BeNullOrEmpty
+            $r.Nonce | Should -Not -BeNullOrEmpty
+            $r.Tag | Should -Not -BeNullOrEmpty
+            $r | Should -BeOfType [hashtable]
+
+        }
+
+        It "combined=true" {
+            $r = Protect-Data -Key $Key -Data $data -Nonce $nonce -Combined
+
+            $r.CipherText | Should -BeNullOrEmpty
+            $r.Nonce | Should -BeNullOrEmpty
+            $r.Tag | Should -BeNullOrEmpty
+            $r -is [System.Object[]] | Should -BeTrue
+            $r.Length | Should -BeExactly ($data.Length + $nonce.Length + 16)
+        }
+    }
+
+    Context "Protect-Data - signature" {
+        $Key = [byte[]]::new(32)
+        $nonce = [byte[]]::new(12)
+        $data = $encoding.GetBytes("Test")
+
+
+        It "optional nonce" {
+            $r_explicit = Protect-Data -Key $Key -Data $data -Nonce $nonce
+            $r_default = Protect-Data -Key $Key -Data $data -Nonce $null
+
+            $r_explicit.CipherText | Should -BeExactly $r_default.CipherText
+            $r_explicit.Nonce | Should -BeExactly $r_default.Nonce
+            $r_explicit.Tag | Should -BeExactly $r_default.Tag
+        }
+
+        It "different parameter sets = same result" {
+            $r_key = Protect-Data -Key $Key -Data $data -Nonce $nonce
+
+            $gcm = [System.Security.Cryptography.AesGcm]::new($Key)
+            $r_gcm = Protect-Data $gcm -Data $data -Nonce $nonce
+
+            $r_key.CipherText | Should -BeExactly $r_gcm.CipherText
+            $r_key.Nonce | Should -BeExactly $r_gcm.Nonce
+            $r_key.Tag | Should -BeExactly $r_gcm.Tag
+        }
+    }
+
+    Context "Protect-Data - nonce" {
+        $Key = [byte[]]::new(32)
+        $nonce = [byte[]]::new(12)
+        $data = $encoding.GetBytes("Test")
+
+        It "the same nonce" {
+            $a = Protect-Data -Key $Key -Data $data -Nonce $nonce
+            $b = Protect-Data -Key $Key -Data $data -Nonce $nonce
+
+            $a.CipherText | Should -BeExactly $b.CipherText
+            $a.Tag | Should -BeExactly $b.Tag
+            $a.Nonce | Should -BeExactly $b.Nonce
+        }
+        It "different nonce" {
+            $a = Protect-Data -Key $Key -Data $data -Nonce $nonce
+            $different = $nonce[0..11]
+            $different[11]++
+
+            $b = Protect-Data -Key $Key -Data $data -Nonce $different
+
+            $a.CipherText | Should -not -BeExactly $b.CipherText
+            $a.Tag | Should -not -BeExactly $b.Tag
+            $a.Nonce | Should -not -BeExactly $b.Nonce
+        }
+    }
+
+    Context "Unprotect-Data" {
+        $Key = [byte[]]::new(32)
+        [byte[]]$nonce = @(228, 132, 78, 5, 31, 60, 78, 70, 192, 119, 50, 184)
+        [byte[]]$tag = @(188, 136, 244, 158, 253, 2, 183, 117, 127, 2, 193, 66, 39, 37, 94, 188)
+        $data = @(48, 22, 117, 218 )
+
+        It "has correct size" {
+            $r_key = Unprotect-Data -Key $Key -Data $data -Nonce $nonce -Tag $tag
+            $r_key.Length | Should -BeExactly $data.Length
+        }
+
+        It "different parameter sets = same result" {
+            $r_key = Unprotect-Data -Key $Key -Data $data -Nonce $nonce -Tag $tag
+
+            $gcm = [System.Security.Cryptography.AesGcm]::new($Key)
+            $r_gcm = Unprotect-Data $gcm -Data $data -Nonce $nonce -Tag $tag
+
+            $r_key | Should -BeExactly $r_gcm
+        }
+    }
 }
