github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/swarmkit/ca/pkcs8/pkcs8_test.go

github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/swarmkit/ca/pkcs8/pkcs8_test.go (about)

     1  package pkcs8
     2  
     3  import (
     4  	"encoding/pem"
     5  	"testing"
     6  
     7  	"github.com/cloudflare/cfssl/helpers"
     8  	"github.com/stretchr/testify/assert"
     9  	"github.com/stretchr/testify/require"
    10  )
    11  
    12  var (
    13  	ecKeyPEM = `-----BEGIN EC PRIVATE KEY-----
    14  MGgCAQEEHAJNi85auxiK2BUfAPoXgYfWt7k57TkK1ng9SCSgBwYFK4EEACGhPAM6
    15  AARNGXPlfrrZHwxfe1yhNNmITamxlJwxA2jpf/qAf4vnE87UZNylsC3xT5Quf/hL
    16  kGCr5YiADxsjiA==
    17  -----END EC PRIVATE KEY-----
    18  `
    19  	decryptedPEM = `-----BEGIN PRIVATE KEY-----
    20  MHgCAQAwEAYHKoZIzj0CAQYFK4EEACEEYTBfAgEBBBwCTYvOWrsYitgVHwD6F4GH
    21  1re5Oe05CtZ4PUgkoTwDOgAETRlz5X662R8MX3tcoTTZiE2psZScMQNo6X/6gH+L
    22  5xPO1GTcpbAt8U+ULn/4S5Bgq+WIgA8bI4g=
    23  -----END PRIVATE KEY-----
    24  `
    25  	encryptedPEM = `-----BEGIN ENCRYPTED PRIVATE KEY-----
    26  MIHOMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiGRncJ5A+72AICCAAw
    27  HQYJYIZIAWUDBAEqBBA0iGGDrKda4SbsQlW8hgiOBIGA1rDEtNqghfQ+8AtdB7kY
    28  US05ElIO2ooXviNo0M36Shltv+1ntd/Qxn+El1B+0BT8MngB8yBV6oFach1dfKvR
    29  PkeX/+bOnd1WTKMx3IPNMWxbA9YPTeoaObaKI7awvI03o51HLd+a5BuHJ55N2CX4
    30  aMbljbOLAjpZS3/VnQteab4=
    31  -----END ENCRYPTED PRIVATE KEY-----
    32  `
    33  	encryptedPEMInvalidPadding = `-----BEGIN ENCRYPTED PRIVATE KEY-----
    34  MIHOMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAjxk6v6kjceLAICCAAw
    35  HQYJYIZIAWUDBAEqBBBVCqGMzL53rwf6Bv4OEPeJBIGAEuEUhjZd/d1BEbntAoZU
    36  3cCB6ewYMqj97p6MncR1EFq+a26R/ehoCZg7O2L5AJrZK8K6UuZG8HxpZkraS5Mh
    37  L5dg6PPGclig3Xn1sCPUmHi13x+DPISBuUdkQEep5lEpqxLSRQerllbXmhaTznAk
    38  aqc20eq8ndE9DjZ7gDPnslY=
    39  -----END ENCRYPTED PRIVATE KEY-----`
    40  )
    41  
    42  func TestIsEncryptedPEMBlock(t *testing.T) {
    43  	decryptedPEMBlock, _ := pem.Decode([]byte(decryptedPEM))
    44  	encryptedPEMBlock, _ := pem.Decode([]byte(encryptedPEM))
    45  
    46  	assert.False(t, IsEncryptedPEMBlock(decryptedPEMBlock))
    47  	assert.True(t, IsEncryptedPEMBlock(encryptedPEMBlock))
    48  }
    49  
    50  func TestDecryptPEMBlock(t *testing.T) {
    51  	expectedBlock, _ := pem.Decode([]byte(decryptedPEM))
    52  	block, _ := pem.Decode([]byte(encryptedPEM))
    53  
    54  	_, err := DecryptPEMBlock(block, []byte("pony"))
    55  	require.EqualError(t, err, "pkcs8: incorrect password")
    56  
    57  	decryptedDer, err := DecryptPEMBlock(block, []byte("ponies"))
    58  	require.NoError(t, err)
    59  	require.Equal(t, expectedBlock.Bytes, decryptedDer)
    60  
    61  	// Try to decrypt an already decrypted key
    62  	decryptedKeyBlock, _ := pem.Decode([]byte(decryptedPEM))
    63  	_, err = DecryptPEMBlock(decryptedKeyBlock, []byte("ponies"))
    64  	require.Error(t, err)
    65  
    66  	// Decrypt a key with 32bit padding length
    67  	invalidPadLenKeyBlock, _ := pem.Decode([]byte(encryptedPEMInvalidPadding))
    68  	_, err = DecryptPEMBlock(invalidPadLenKeyBlock, []byte("poonies"))
    69  	require.EqualError(t, err, "pkcs8: invalid padding size")
    70  }
    71  
    72  func TestEncryptPEMBlock(t *testing.T) {
    73  	block, _ := pem.Decode([]byte(decryptedPEM))
    74  	encryptedBlock, err := EncryptPEMBlock(block.Bytes, []byte("knock knock"))
    75  	require.NoError(t, err)
    76  
    77  	// Try to decrypt the same encrypted block
    78  	_, err = DecryptPEMBlock(encryptedBlock, []byte("hey there"))
    79  	require.Error(t, err)
    80  
    81  	decryptedDer, err := DecryptPEMBlock(encryptedBlock, []byte("knock knock"))
    82  	require.NoError(t, err)
    83  	require.Equal(t, block.Bytes, decryptedDer)
    84  }
    85  
    86  func TestParsePrivateKeyPEMWithPassword(t *testing.T) {
    87  	_, err := ParsePrivateKeyPEMWithPassword([]byte(encryptedPEM), []byte("pony"))
    88  	require.Error(t, err)
    89  
    90  	_, err = ParsePrivateKeyPEMWithPassword([]byte(encryptedPEM), []byte("ponies"))
    91  	require.NoError(t, err)
    92  
    93  	_, err = ParsePrivateKeyPEMWithPassword([]byte(decryptedPEM), nil)
    94  	require.NoError(t, err)
    95  }
    96  
    97  func TestConvertECPrivateKeyPEM(t *testing.T) {
    98  	_, err := ConvertECPrivateKeyPEM([]byte(`garbage pem`))
    99  	require.Error(t, err)
   100  
   101  	_, err = ConvertECPrivateKeyPEM([]byte(`-----BEGIN EC PRIVATE KEY-----
   102  garbage key
   103  -----END EC PRIVATE KEY-----`))
   104  	require.Error(t, err)
   105  
   106  	out, err := ConvertECPrivateKeyPEM([]byte(ecKeyPEM))
   107  	require.NoError(t, err)
   108  
   109  	_, err = helpers.ParsePrivateKeyPEM([]byte(ecKeyPEM))
   110  	require.NoError(t, err)
   111  	_, err = helpers.ParsePrivateKeyPEM(out)
   112  	require.NoError(t, err)
   113  	require.Equal(t, []byte(decryptedPEM), out)
   114  }
   115  
   116  func TestConvertToECPrivateKeyPEM(t *testing.T) {
   117  	_, err := ConvertToECPrivateKeyPEM([]byte(`garbage pem`))
   118  	require.Error(t, err)
   119  
   120  	_, err = ConvertToECPrivateKeyPEM([]byte(`-----BEGIN PRIVATE KEY-----
   121  garbage key
   122  -----END PRIVATE KEY-----`))
   123  	require.Error(t, err)
   124  
   125  	out, err := ConvertToECPrivateKeyPEM([]byte(decryptedPEM))
   126  	require.NoError(t, err)
   127  
   128  	_, err = helpers.ParsePrivateKeyPEM([]byte(decryptedPEM))
   129  	require.NoError(t, err)
   130  	_, err = helpers.ParsePrivateKeyPEM(out)
   131  	require.NoError(t, err)
   132  	require.Equal(t, []byte(ecKeyPEM), out)
   133  }