From c325a32b150e3355f5086ab0ba34ab5638b4b91a Mon Sep 17 00:00:00 2001 From: Hugo Rosenkranz-Costa Date: Fri, 1 Mar 2024 10:57:34 +0100 Subject: [PATCH] feat: replace KMS `rotate` with `rekey` and `prune` --- .github/workflows/ci.yml | 16 ++++----- package-lock.json | 2 +- tests/KMS.test.ts | 18 ++++------ tests/cover_crypt.test.ts | 35 ++++++++++++++++--- .../non_regression_test_vector.json | 18 +++++----- 5 files changed, 56 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index caabc662..b77eb2fb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: with: subcommands: | npm test - kms-version: feature-covercrypt_rekey + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey kms-jwe-key: '{"kty": "OKP","d": "MPEVJwdRqGM_qhJOUb5hR0Xr9EvwMLZGnkf-eDj5fU8","use": "enc","crv": "X25519","kid": "DX3GC+Fx3etxfRJValQNbqaB0gs=","x": "gdF-1TtAjsFqNWr9nwhGUlFG38qrDUqYgcILgtYrpTY","alg": "ECDH-ES"}' @@ -49,7 +49,7 @@ jobs: uses: Cosmian/reusable_workflows/.github/workflows/cloudproof_kms_js.yml@develop with: branch: feature/covercrypt_rekey - kms-version: feature-covercrypt_rekey + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey cloudproof_java: needs: test @@ -60,7 +60,7 @@ jobs: extension: so destination: linux-x86-64 os: ubuntu-20.04 - kms-version: feature-covercrypt_rekey + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey findex-cloud-version: 0.3.1 copy_fresh_build: false copy_regression_files: | @@ -74,7 +74,7 @@ jobs: with: branch: feature/covercrypt-rekey target: x86_64-unknown-linux-gnu - kms-version: feature-covercrypt_rekey + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey findex-cloud-version: 0.3.1 copy_fresh_build: false copy_regression_files: | 
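Review bot: Every `kms-version` touched here now resolves to `ghcr.io/cosmian/kms:feature-covercrypt_rekey`, a branch-named image tag that can be re-pushed at any time, so a CI run is no longer tied to a known KMS build. The same applies to the four example jobs in the hunks at -107, -123, -137 and -159, which move from the release `4.11.3` to this tag. If the feature image is needed until a KMS release with rekey/prune exists, and if the reusable workflows accept a full image reference, pin by digest, for example `kms-version: ghcr.io/cosmian/kms@sha256:<DIGEST_OF_FEATURE_BUILD>` (placeholder), with a `# TODO: return to a release tag once rekey/prune is released` comment. At least one of these jobs passes `secrets: inherit` to a reusable workflow referenced at `@develop`, so what that run pulls and executes is worth keeping reproducible.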
@@ -107,7 +107,7 @@ jobs: sleep 5 cd ../test node chrome.mjs http://localhost:8090 http://kms:9998 - kms-version: 4.11.3 + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey findex-cloud-version: 0.3.1 example_reactjs: @@ -123,7 +123,7 @@ jobs: sleep 5 cd ../test node chrome.mjs http://localhost:8090 http://kms:9998 - kms-version: 4.11.3 + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey findex-cloud-version: 0.3.1 example_browser: @@ -137,7 +137,7 @@ jobs: python3 -m http.server & sleep 3 node test.mjs - kms-version: 4.11.3 + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey findex-cloud-version: 0.3.1 example_webpack: @@ -159,7 +159,7 @@ jobs: cd examples/nodejs npm install node test.mjs 10 - kms-version: 4.11.3 + kms-version: ghcr.io/cosmian/kms:feature-covercrypt_rekey findex-cloud-version: 0.3.1 secrets: inherit diff --git a/package-lock.json b/package-lock.json index 94252021..101df930 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11,7 +11,7 @@ "dependencies": { "base64-js": "^1.5.1", "better-sqlite3": "^8.0.1", - "cloudproof_kms_js": "3.1.2", + "cloudproof_kms_js": "file:../repos/cloudproof_kms_js/cloudproof_kms_js-3.1.2.tgz", "dotenv": "^16.3.1", "jose": "^4.14.4", "process": "^0.11.10", diff --git a/tests/KMS.test.ts b/tests/KMS.test.ts index e2b35ab3..92ba859b 100644 --- a/tests/KMS.test.ts +++ b/tests/KMS.test.ts 
@@ -362,16 +362,15 @@ test( } // rotate - const rotatedPolicy = await client.rotateCoverCryptAttributes(mskID, [ - "Department::FIN", - "Department::MKG", - ]) + await client.rekeyCoverCryptAccessPolicy( + mskID, + "Department::FIN || Department::MKG", + ) const rotatedMsk = await client.retrieveCoverCryptSecretMasterKey(mskID) expect(rotatedMsk.bytes()).not.toEqual(msk.bytes()) const rotatedMpk = await client.retrieveCoverCryptPublicMasterKey(mpkID) expect(rotatedMpk.bytes()).not.toEqual(mpk.bytes()) - expect(policy.toBytes()).not.toEqual(rotatedPolicy.toBytes()) // encryption const plaintext2 = new TextEncoder().encode("abcdefgh") @@ -543,7 +542,7 @@ test( return await client?.coverCryptDecrypt(temperedUserKeyID, ciphertext) }).rejects.toThrow() - await client.rotateCoverCryptAttributes(mskID, ["Security::TopSecret"]) + await client.rekeyCoverCryptAccessPolicy(mskID, "Security::TopSecret") await expect(async () => { return await client?.coverCryptDecrypt(userKeyID, ciphertext) @@ -648,13 +647,10 @@ test( oldPlaintext, ) - const newPolicyBytes = await client.rotateCoverCryptAttributes(mskID, [ - "Security::Simple", - ]) - const newPolicy = Policy.fromBytes(newPolicyBytes.toBytes()) + await client.rekeyCoverCryptAccessPolicy(mskID, "Security::Simple") const newPublicKey = await client.retrieveCoverCryptPublicMasterKey(mpkID) const newLocalEncryption = new CoverCryptHybridEncryption( - newPolicy, + policy, newPublicKey.bytes(), ) expect(newPublicKey.bytes()).not.toEqual(oldPublicKey.bytes()) diff --git a/tests/cover_crypt.test.ts b/tests/cover_crypt.test.ts index 3206cfb6..eb0a3c3b 100644 --- a/tests/cover_crypt.test.ts +++ b/tests/cover_crypt.test.ts 
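Review bot: The first hunk still labels the step `// rotate` and keeps the names `rotatedMsk`/`rotatedMpk` although the call is now `rekeyCoverCryptAccessPolicy`, whose second argument changed from an attribute list to the expression `"Department::FIN || Department::MKG"`. I would rename them to `rekeyedMsk`/`rekeyedMpk` and replace the comment with `// rekey: the second argument is an access policy expression, not an attribute list`. With `expect(policy.toBytes()).not.toEqual(rotatedPolicy.toBytes())` removed and the third hunk reusing the original `policy` for `newLocalEncryption`, the tests appear to rely on rekey leaving the policy unchanged, which nothing visible here asserts or documents. None of the three hunks in this file exercises `pruneCoverCryptAccessPolicy`, so prune is only covered by the demo test in cover_crypt.test.ts. The enclosing `test(` bodies start and end outside the hunks.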
@@ -316,9 +316,10 @@ test("Demo using KMS", async () => { await client.retrieveCoverCryptUserDecryptionKey(confidentialMkgUserKeyUid) // Now rotate the MKG attribute - all active keys will be rekeyed, the new policy should be used to encrypt - const updatedPolicy = client.rotateCoverCryptAttributes(masterSecretKeyUID, [ + await client.rekeyCoverCryptAccessPolicy( + masterSecretKeyUID, "Department::MKG", - ]) + ) // creating a new confidential marketing message const confidentialMkgData = new TextEncoder().encode( @@ -360,12 +361,38 @@ test("Demo using KMS", async () => { // newConfidentialMkgCiphertext try { // will throw - new CoverCryptHybridDecryption(oldConfidentialMkgUserKey.bytes()).decrypt( - newConfidentialMkgCiphertext, + let x = new CoverCryptHybridDecryption( + oldConfidentialMkgUserKey.bytes(), + ).decrypt(newConfidentialMkgCiphertext) + console.log(new TextDecoder("utf-8").decode(x.plaintext)) + } catch (error) { + // ==> the non rekeyed key cannot decrypt the new message after rotation + } + + // Prune: remove old keys for the MKG attribute + + await client.pruneCoverCryptAccessPolicy( + masterSecretKeyUID, + "Department::MKG", + ) + + // Decrypting old messages will fail even with the rekeyed key + try { + // will throw + await client.coverCryptDecrypt( + confidentialMkgUserKeyUid, + protectedMkgCiphertext, ) } catch (error) { // ==> the non rekeyed key cannot decrypt the new message after rotation } + + // Decrypting the new message will still work + const newConfidentialMkgCleartext_ = await client.coverCryptDecrypt( + confidentialMkgUserKeyUid, + newConfidentialMkgCiphertext, + ) + expect(confidentialMkgData).toEqual(newConfidentialMkgCleartext_.plaintext) }) test("Generate non-regression tests vector", async () => { diff --git a/tests/data/cover_crypt/non_regression/non_regression_test_vector.json b/tests/data/cover_crypt/non_regression/non_regression_test_vector.json index 0b54a2a0..acb1760d 100644 
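Review bot: The two `try { … } catch (error) {}` blocks added in the second hunk (the non-rekeyed key on `newConfidentialMkgCiphertext`, and `coverCryptDecrypt` on `protectedMkgCiphertext` after prune) pass whether or not decryption throws, so the test never proves that rekey or prune actually removed access. If the first one unexpectedly succeeds, the added `console.log` prints the decrypted plaintext instead of failing the test. Both should become assertions, in the style KMS.test.ts already uses with `rejects.toThrow()`; the second catch comment is also copied from the first and describes the wrong case. The body of `test("Demo using KMS", …)` starts outside the hunk.

```typescript
  // the non-rekeyed key must not decrypt a message encrypted after the rekey
  expect(() =>
    new CoverCryptHybridDecryption(oldConfidentialMkgUserKey.bytes()).decrypt(
      newConfidentialMkgCiphertext,
    ),
  ).toThrow()

  // … unchanged: pruneCoverCryptAccessPolicy call …

  // after pruning, even the rekeyed key must not decrypt the old message
  await expect(
    client.coverCryptDecrypt(confidentialMkgUserKeyUid, protectedMkgCiphertext),
  ).rejects.toThrow()
  // … unchanged: decryption of newConfidentialMkgCiphertext still succeeds …
```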
--- a/tests/data/cover_crypt/non_regression/non_regression_test_vector.json
+++ b/tests/data/cover_crypt/non_regression/non_regression_test_vector.json
@@ -1,37 +1,37 @@ { - "public_key": "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", - "master_secret_key": "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", - "policy": "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", + "public_key": "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", + "master_secret_key": "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", + "policy": "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", "top_secret_mkg_fin_key": { - "key": "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", + "key": "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", "access_policy": "Security Level::Top Secret && (Department::MKG || Department::FIN)" }, "medium_secret_mkg_key": { - "key": "D8aq5phmMNSEpjNplrQ5Vf8PWyWiSU1ygwU6hd4tZw56BicJR8eyWNtF4cO7GyIz3uca2vnjM5lkVRuqDCxrDwMARh0dRLpuedNCX/b5vwJOsLEVPXnZkU5rG6unUVOcvwMAKUCDmmJoFiQyRptUgKpKcyjFKJyaQy5SzAn0ki1JvgIA9O9jxtQ7P1hk82ogOmuRP7a4KGKq5wl8tF++ds6YSgs=", + "key": "mgg9Z3gM+gPPklwb3Le/1HrrYldwktjOsfUM7wkwEwqj6M7Ii1EUhkN3rOc2YETvW/5rxkMHOWBtWaOmjX+yAAMCAQgBAHaIcoLgtj7itPhhUxqQJk2fbAKkFXOGUctQiy6VVSsDAgIIAQCmMtAONkbqXot5bI5NKVL8SviLcKzzn4zzQOLwf5BdDQIDCAEA9VG++lGAUDYiONX7yS1QNzuer5+/zcJ45uqYL0Fquwboa167tKvFlgu/6F6qihpzg1UKUfuU5vAoi7bBe7M9Pw==", "access_policy": "Security Level::Medium Secret && Department::MKG" }, "top_secret_fin_key": { - "key": "tAZx2AozFHlggtlYh0F5Sxqb1Nlwc5VICcu8pU5OFQzLDuBbR8hQd+LG/cjhyyUVMr1EcEyAb9/TXxsZWzJ7AgUAgG8umuCNz8ECPVuxAXuFT/pw4N56taUTFFu8b6DIaAIAGpZy2eWG81FlSIiYY7yP6BFz2i2hJbaS1om9Hpb8zAQA44KUITOvQ6uXcplInG8eUcvXCukgjX1b5CIOrBc9ugQAjcIPheANuPTZ0KKb0x8JuZsHaktoFSgNvs3dJVxkPQcALI9UQbTVX6Ub0JtcPEUkmFBsP4gEKv7vVQeE84Hucwo=", + "key": 
"F1X3brkDxWcpo2KZQjDtgV1uhOA4jswYa6grpWtFWwZIDfei3ET7aIfl9eYFh7RHw7/6Uzoahg/fBw75eyl2BwUCAwkBAOhj9egTn8Tu32+cDgjUPhoOpKOd9blQP58q4FvBiQ4EAgIJAQAGpHnTOvrzuaZhJYhGuVot/WZ8IbdqsMDe4WCPLiCEBwIECQEArRHP/0u1+gQbT36Ksc98qshHiAWPhVAQmaRHND+q+QYCAQkBABBo0F6IRagY9QRC53eO1V51lo3bzxyM0SI8ByJJxMwBAgUJAQD+yYixi3CVShVuF6AkxrqQs0KD8TkzcMb02o9AMPXIAhzJOeYoZYuFN8uMUklwx9ThxMR0OKmd5OZIy1u8nKEy", "access_policy": "Security Level::Top Secret && Department::FIN" }, "top_secret_mkg_test_vector": { "encryption_policy": "Department::MKG && Security Level::Top Secret", "plaintext": "VG9wU2VjcmV0TWtnUGxhaW50ZXh0", - "ciphertext": "YJ9hJ9VMTqK9zuQA/Hmh8AhMM+C5DG3OR4G8X6j5yjjCfZPjtQcEdRhd10HzZpfnl+20nCs2mXHiuw/wtYxZA+5edQDCiPzzmdVTZDy/IZUBAGZ3VupClImg04XK8/BUWGXugDisWlXzRdqg4RhjVxCFIm5L9IIMBQkyNpLp6/67PzpsTK7bcBU6YAndFSIQ9Ped0x6stdXb6tCP58XFSFmYjWnw67FZMZkYMr+vg+BaK4yHdzIssjPWdL7l0tjpLvHv3GB0", + "ciphertext": "PGxvFGCxXE9wIpxBif7x+ULyzB6Jb1TZ2taejFlPGyZI+HmPnDKxq1Lt705u/9Hpxhs06G3CjL8RaW+YB/TLN2sjohkZ+SxZuzqj0yE4Xv4BAGkkOfCo/v+NB52dNRJvCV6XuGye5EpuH1k+APD2p3suIjIfEYxGbAsk4jqyYHzc4is3xZdGG+sB+PCoLnrhqgJZUU/CUXymcspLJwvOdpngajX6C2DjP57zVDakbTBMVEwMQo+5YeeBztkerQKJau0tUeip", "header_metadata": "AQIDBAUJ", "authentication_data": "BwgJEw==" }, "low_secret_mkg_test_vector": { "encryption_policy": "Department::MKG && Security Level::Low Secret", "plaintext": "TG93U2VjcmV0TWtnUGxhaW50ZXh0", - "ciphertext": "BLih4ZDahm+OuitjsJtVI3gaFt6+Vz+rB4XWQLNfJRlSCn6DvxRfFc221yhZ1ry3wFXIh/H3id/zkeXDHfmMQL2MqxZju0Kgr0R+WwLjfy8BAK6p/UTFoH/SiYWoRcLPMRcTFnmlupz6Dv1kT2WCUyM4IuFXxXpRsZjOb8wG07sPwY0ExfrNRN0M5jBOhnKGkyvkbl1evL+b2ZvAh8dfsQbk9jDU5HB1YcaeyXwY2544AF0yd0HSvFqv4tNZvZRCeSWHIooV", + "ciphertext": "ks8IRZZhfAckxPX50HYmFwzTHex0KeGgCa5ELFJPlG/GmmWDedgnhSG48EA6q3WJak+vklofc76MzSlzQQ0WV+Q5EL1NdGXQfZs92T6Ru4oBALJ1k7nHRLHWIt0tarbhC83vZ+l3tVgpmDoOrVNn5pkDIrwM6+VMvPFHXLFrJs9oJir5my+QrxamqVED6U4apfgFH0WAJxrTuCNlZduH6ubNudhWQfCqpr6e30PXMprN6sYXwLcPMlSl1HWs8+PY300AfwA1", "header_metadata": "AQIDBAUJ", "authentication_data": 
"" }, "low_secret_fin_test_vector": { "encryption_policy": "Department::FIN && Security Level::Low Secret", "plaintext": "TG93U2VjcmV0RmluUGxhaW50ZXh0", - "ciphertext": "RDJ0Mu91gZ1mR9ozbTxx2jiTEbyektFbIeuSJE/+Ch3w+mFSMCb4pJnw9g7RNi2G7B003fTqDoQKUXAHcp7GG5PALdM0tI9hUpA66YHMH3UBAIdYSea14OpLegjqP3HDLZIUYxCMq1+0weRR74jV/7uFHMwgrmzWUI8R3lYgNWsMf2pTL0qcyBy2rSXcHNhw5Z6Quhp4UDBsEzcemMj6t+iygsOV++n4xZZbknMnsuL6R4MfS/EleBbAh2mwLx3z", + "ciphertext": "8t5Fl0YHHTyn2rlLY42WU71s5TVuVSoVVshVeoXaBTvegyruuMC8nCSl2plpssMvGXbvtTsV1qnVbWKLVP9IRTxBEvjJXWGUh/gqwxOv1twBAEhKCyxYO5VkHx6RzlRQvGHNAV28lRoWdEivGhnukHF1HAMPfBnHALFnFDioh+yv4AGcvbXNvigNrN326+VPDDcb78lGNstk4ZkHnQfDL0YiO/6wXvtlaP7qL2Q6Y4z8LGFfsXW7T0A9/svNeSht", "header_metadata": "", "authentication_data": "" }