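// Source: github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/swarmkit/ca/keyutils/keyutils_test.go

package keyutils

import (
	"encoding/pem"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Test-only key material. These private keys are published with the source,
// so they must never protect anything outside this test file. The tests below
// establish that "ponies" is the password of both encrypted fixtures.
var (
	// decryptedPKCS1 is an unencrypted EC key in the traditional
	// "EC PRIVATE KEY" PEM form. This file calls that form PKCS1 to contrast
	// it with PKCS#8.
	decryptedPKCS1 = `-----BEGIN EC PRIVATE KEY-----
MIHbAgEBBEHECF7HdJ4QZ7Dx0FBzzV/6vgI+bZNZGWtmbVwPIMu/bZE1p2qz5HGS
EFsmor5X6t7KYLa4nQNqbloWaneRNNukk6AHBgUrgQQAI6GBiQOBhgAEAW4hBUpI
+ckv40lP6HIUTr/71yhrZWjCWGh84xNk8LxNA54oy4DV4hS7E9+NLHKJrwnLDlnG
FR9il6zgU/9IsJdWAVcqVY7vsOKs8dquQ1HLXcOos22TOXbQne3Ua66HC0mjJ9Xp
LrnqZrqoHphZCknCX9HFSrlvdq6PEBSaCgfe3dd/
-----END EC PRIVATE KEY-----
`
	// encryptedPKCS1 is the same key wrapped with legacy PEM encryption: the
	// Proc-Type and DEK-Info headers carry the cipher and IV.
	encryptedPKCS1 = `-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,8EE2B3B5A92822309E6157EBFFB238ED

clpdzQaCjXy2ZNLEsiGSpt0//DRdO1haJ4wrDTrhb78npiWrWjVsyAEwBoSPRwPW
ZnGKjAV+tv7w4XujycwijsSBVCzGvCbMYnzO+n0zApD6eo1SF/bRCZqEPcWDnsCK
UtLuqa3o8F0q3Bh8woOJ6NOq8dNWA2XHNkNhs77aqTh+bDR+jruDjFDB5/HZxDU2
aCpI96TeakB+8upn+/1wkpxfAJLpbkOdWDIgTEMhhwZUBQocoZezEORn4JIpYknY
0fOJaoM+gMMVLDPvXWUZFulP+2TpIOsHWspY2D4mYUE=
-----END EC PRIVATE KEY-----
`
	// decryptedPKCS8 is an unencrypted PKCS#8 key.
	decryptedPKCS8 = `-----BEGIN PRIVATE KEY-----
MHgCAQAwEAYHKoZIzj0CAQYFK4EEACEEYTBfAgEBBBwCTYvOWrsYitgVHwD6F4GH
1re5Oe05CtZ4PUgkoTwDOgAETRlz5X662R8MX3tcoTTZiE2psZScMQNo6X/6gH+L
5xPO1GTcpbAt8U+ULn/4S5Bgq+WIgA8bI4g=
-----END PRIVATE KEY-----
`
	// encryptedPKCS8 is the password-protected form of decryptedPKCS8
	// (TestDecryptPEMBlock asserts the two decode to the same DER).
	encryptedPKCS8 = `-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHOMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiGRncJ5A+72AICCAAw
HQYJYIZIAWUDBAEqBBA0iGGDrKda4SbsQlW8hgiOBIGA1rDEtNqghfQ+8AtdB7kY
US05ElIO2ooXviNo0M36Shltv+1ntd/Qxn+El1B+0BT8MngB8yBV6oFach1dfKvR
PkeX/+bOnd1WTKMx3IPNMWxbA9YPTeoaObaKI7awvI03o51HLd+a5BuHJ55N2CX4
aMbljbOLAjpZS3/VnQteab4=
-----END ENCRYPTED PRIVATE KEY-----
`
	decryptedPKCS8Block = mustDecodePEM("decryptedPKCS8", decryptedPKCS8)
	encryptedPKCS8Block = mustDecodePEM("encryptedPKCS8", encryptedPKCS8)
	decryptedPKCS1Block = mustDecodePEM("decryptedPKCS1", decryptedPKCS1)
	encryptedPKCS1Block = mustDecodePEM("encryptedPKCS1", encryptedPKCS1)
)

// mustDecodePEM decodes the first PEM block of a fixture and panics when there
// is none, so a damaged fixture fails loudly at package initialisation instead
// of surfacing as a nil-pointer dereference inside an unrelated test. The
// panic message names the fixture but never includes its key material.
func mustDecodePEM(name, data string) *pem.Block {
	block, _ := pem.Decode([]byte(data))
	if block == nil {
		panic("keyutils test fixture " + name + " is not valid PEM")
	}
	return block
}

// TestIsPKCS8 checks that IsPKCS8 accepts both PKCS#8 fixtures, encrypted or
// not, and rejects both traditional EC key fixtures.
func TestIsPKCS8(t *testing.T) {
	// Check PKCS8 keys
	assert.True(t, IsPKCS8(decryptedPKCS8Block.Bytes))
	assert.True(t, IsPKCS8(encryptedPKCS8Block.Bytes))

	// Check PKCS1 keys
	assert.False(t, IsPKCS8(decryptedPKCS1Block.Bytes))
	assert.False(t, IsPKCS8(encryptedPKCS1Block.Bytes))
}

// TestIsEncryptedPEMBlock checks that encryption is detected for both
// container formats and is not reported for the plaintext fixtures.
func TestIsEncryptedPEMBlock(t *testing.T) {
	// Check PKCS8
	assert.False(t, IsEncryptedPEMBlock(decryptedPKCS8Block))
	assert.True(t, IsEncryptedPEMBlock(encryptedPKCS8Block))

	// Check PKCS1
	assert.False(t, IsEncryptedPEMBlock(decryptedPKCS1Block))
	assert.True(t, IsEncryptedPEMBlock(encryptedPKCS1Block))
}

// TestDecryptPEMBlock checks that a wrong password is rejected, that the right
// one yields the expected DER, and that the FIPS formatter refuses the legacy
// encrypted PKCS1 fixture even with the right password.
func TestDecryptPEMBlock(t *testing.T) {
	// Check PKCS8 keys in both FIPS and non-FIPS mode
	for _, util := range []Formatter{Default, FIPS} {
		_, err := util.DecryptPEMBlock(encryptedPKCS8Block, []byte("pony"))
		require.Error(t, err)

		decryptedDer, err := util.DecryptPEMBlock(encryptedPKCS8Block, []byte("ponies"))
		require.NoError(t, err)
		require.Equal(t, decryptedPKCS8Block.Bytes, decryptedDer)
	}

	// Check PKCS1 keys in non-FIPS mode
	_, err := Default.DecryptPEMBlock(encryptedPKCS1Block, []byte("pony"))
	require.Error(t, err)

	decryptedDer, err := Default.DecryptPEMBlock(encryptedPKCS1Block, []byte("ponies"))
	require.NoError(t, err)
	require.Equal(t, decryptedPKCS1Block.Bytes, decryptedDer)

	// Try to decrypt PKCS1 in FIPS mode: this must fail although the password
	// is correct.
	// NOTE(review): presumably the legacy PEM scheme is not FIPS-approved;
	// confirm against the Formatter implementation.
	_, err = FIPS.DecryptPEMBlock(encryptedPKCS1Block, []byte("ponies"))
	require.Error(t, err)
}

// TestEncryptPEMBlock checks the encrypt/decrypt round trip for each
// formatter, and that the FIPS formatter refuses to encrypt a PKCS1 key.
func TestEncryptPEMBlock(t *testing.T) {
	// Check PKCS8 keys in both FIPS and non-FIPS mode
	for _, util := range []Formatter{Default, FIPS} {
		encryptedBlock, err := util.EncryptPEMBlock(decryptedPKCS8Block.Bytes, []byte("knock knock"))
		require.NoError(t, err)

		// Try to decrypt the same encrypted block
		_, err = util.DecryptPEMBlock(encryptedBlock, []byte("hey there"))
		require.Error(t, err)

		// Decrypt with the formatter that encrypted the block as well as with
		// Default. Using only Default here would leave the FIPS round trip
		// unexercised.
		for _, dec := range []Formatter{util, Default} {
			decryptedDer, err := dec.DecryptPEMBlock(encryptedBlock, []byte("knock knock"))
			require.NoError(t, err)
			require.Equal(t, decryptedPKCS8Block.Bytes, decryptedDer)
		}
	}

	// Check PKCS1 keys in non FIPS mode
	encryptedBlock, err := Default.EncryptPEMBlock(decryptedPKCS1Block.Bytes, []byte("knock knock"))
	require.NoError(t, err)

	// Try to decrypt the same encrypted block
	// NOTE(review): if Default delegates to crypto/x509's legacy PEM
	// decryption, a wrong password is only caught by the padding check and is
	// not always detectable, so this assertion on a freshly encrypted block
	// may fail intermittently. Confirm against the implementation.
	_, err = Default.DecryptPEMBlock(encryptedBlock, []byte("hey there"))
	require.Error(t, err)

	decryptedDer, err := Default.DecryptPEMBlock(encryptedBlock, []byte("knock knock"))
	require.NoError(t, err)
	require.Equal(t, decryptedPKCS1Block.Bytes, decryptedDer)

	// Try to encrypt PKCS1 in FIPS mode
	_, err = FIPS.EncryptPEMBlock(decryptedPKCS1Block.Bytes, []byte("knock knock"))
	require.Error(t, err)
}

// TestParsePrivateKeyPEMWithPassword checks parsing of whole PEM documents:
// wrong password fails, right password succeeds, plaintext keys parse with a
// nil password, and the FIPS formatter rejects the encrypted PKCS1 fixture.
func TestParsePrivateKeyPEMWithPassword(t *testing.T) {
	// Check PKCS8 keys in both FIPS and non-FIPS mode
	for _, util := range []Formatter{Default, FIPS} {
		_, err := util.ParsePrivateKeyPEMWithPassword([]byte(encryptedPKCS8), []byte("pony"))
		require.Error(t, err)

		_, err = util.ParsePrivateKeyPEMWithPassword([]byte(encryptedPKCS8), []byte("ponies"))
		require.NoError(t, err)

		_, err = util.ParsePrivateKeyPEMWithPassword([]byte(decryptedPKCS8), nil)
		require.NoError(t, err)
	}

	// Check PKCS1 keys in non-FIPS mode
	_, err := Default.ParsePrivateKeyPEMWithPassword([]byte(encryptedPKCS1), []byte("pony"))
	require.Error(t, err)

	_, err = Default.ParsePrivateKeyPEMWithPassword([]byte(encryptedPKCS1), []byte("ponies"))
	require.NoError(t, err)

	_, err = Default.ParsePrivateKeyPEMWithPassword([]byte(decryptedPKCS1), nil)
	require.NoError(t, err)

	// Try to parse PKCS1 in FIPS mode
	_, err = FIPS.ParsePrivateKeyPEMWithPassword([]byte(encryptedPKCS1), []byte("ponies"))
	require.Error(t, err)
}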