github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/kbfs/kbfscrypto/encrypted_data_test.go (about)

     1  // Copyright 2017 Keybase Inc. All rights reserved.
     2  // Use of this source code is governed by a BSD
     3  // license that can be found in the LICENSE file.
     4  
     5  package kbfscrypto
     6  
     7  import (
     8  	"testing"
     9  
    10  	"github.com/keybase/client/go/libkb"
    11  	"github.com/pkg/errors"
    12  	"github.com/stretchr/testify/assert"
    13  	"github.com/stretchr/testify/require"
    14  	"golang.org/x/crypto/nacl/box"
    15  )
    16  
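// TestEncryptDecryptDataSuccess checks that data sealed by encryptData is
// recovered unchanged by decryptData when given the same key and the nonce
// stored alongside the ciphertext.
func TestEncryptDecryptDataSuccess(t *testing.T) {
	data := []byte{0x20, 0x30}
	// Only the first two key bytes are set; the remaining 30 are zero.
	key := [32]byte{0x40, 0x45}
	encryptedData, err := encryptData(data, key)
	require.NoError(t, err)

	// A round trip alone would also pass if encryptData stored its input
	// unchanged, so confirm the stored bytes are not the plaintext.
	require.NotEqual(t, data, encryptedData.EncryptedData)

	// Nonce24 converts the stored nonce into the form decryptData takes.
	nonce, err := encryptedData.Nonce24()
	require.NoError(t, err)

	decryptedData, err := decryptData(encryptedData, key, nonce)
	require.NoError(t, err)
	require.Equal(t, data, decryptedData)
}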
    30  
// TestEncryptDecryptDataV2Success round-trips a small payload through
// EncryptPaddedEncodedBlock and DecryptBlock using the
// EncryptionSecretboxWithKeyNonce version, and checks that the encrypted
// block records that version.
func TestEncryptDecryptDataV2Success(t *testing.T) {
	plaintext := []byte{0x20, 0x30}

	// Fixed key material: only the first two bytes of each 32-byte value
	// are non-zero.
	rawKey := [32]byte{0x40, 0x45}
	cryptKey := TLFCryptKey{privateByte32Container{rawKey}}
	rawHalf := [32]byte{0x50, 0x51}
	serverHalf := BlockCryptKeyServerHalf{publicByte32Container{rawHalf}}

	wantVer := EncryptionSecretboxWithKeyNonce
	sealed, err := EncryptPaddedEncodedBlock(
		plaintext, cryptKey, serverHalf, wantVer)
	require.NoError(t, err)
	// The version requested at encryption time must be the one stored.
	require.Equal(t, wantVer, sealed.encryptedData.Version)

	// Decryption takes the same TLF key and server half used to encrypt.
	opened, err := DecryptBlock(sealed, cryptKey, serverHalf)
	require.NoError(t, err)
	require.Equal(t, plaintext, opened)
}
    49  
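// TestDecryptDataFailure checks that decryption is refused, with the expected
// error, when the version, nonce, key or ciphertext does not match what
// encryptData produced.
func TestDecryptDataFailure(t *testing.T) {
	// Test various failure cases for decryptData(), DecryptBlock() and
	// Nonce24().
	data := []byte{0x20, 0x30}
	key := [32]byte{0x40, 0x45}
	encryptedData, err := encryptData(data, key)
	require.NoError(t, err)

	// Wrong nonce for v2.
	//
	// Only the version is bumped; the nonce bytes stay as encryptData wrote
	// them. DecryptBlock is expected to reject that nonce under the bumped
	// version (presumably EncryptionSecretboxWithKeyNonce — confirm against
	// the EncryptionVer constants).

	encryptedDataWrongNonce := encryptedData
	encryptedDataWrongNonce.Version++
	tlfCryptKey := TLFCryptKey{privateByte32Container{key}}
	half := [32]byte{0x50, 0x51}
	blockServerHalf := BlockCryptKeyServerHalf{publicByte32Container{half}}
	_, err = DecryptBlock(
		EncryptedBlock{encryptedDataWrongNonce},
		tlfCryptKey, blockServerHalf)
	assert.Equal(t,
		InvalidNonceError{encryptedDataWrongNonce.Nonce},
		errors.Cause(err))

	// Wrong version.

	encryptedDataWrongVersion := encryptedData
	encryptedDataWrongVersion.Version += 2
	// Nonce24 must still succeed here: only Version was changed. The
	// resulting nonce is reused by the corrupt-key and corrupt-data cases.
	nonce, err := encryptedDataWrongVersion.Nonce24()
	require.NoError(t, err)
	_, err = decryptData(encryptedDataWrongVersion, key, nonce)
	assert.Equal(t,
		UnknownEncryptionVer{encryptedDataWrongVersion.Version},
		errors.Cause(err))

	// Wrong nonce size.
	//
	// Re-slicing shortens this copy's view of the nonce by one byte without
	// writing to the shared backing array.

	encryptedDataWrongNonceSize := encryptedData
	encryptedDataWrongNonceSize.Nonce = encryptedDataWrongNonceSize.Nonce[:len(encryptedDataWrongNonceSize.Nonce)-1]
	_, err = encryptedDataWrongNonceSize.Nonce24()
	assert.Equal(t,
		InvalidNonceError{encryptedDataWrongNonceSize.Nonce},
		errors.Cause(err))

	// Corrupt key.
	//
	// NOTE(review): this case and the next discard the returned plaintext;
	// asserting it is empty would also pin that nothing is released when
	// authentication fails — confirm decryptData's return contract first.

	keyCorrupt := key
	keyCorrupt[0] = ^keyCorrupt[0]
	_, err = decryptData(encryptedData, keyCorrupt, nonce)
	// assert.IsType takes the expected type first, then the object.
	assert.IsType(t, libkb.DecryptionError{}, errors.Cause(err))

	// Corrupt data.

	encryptedDataCorruptData := encryptedData
	// The struct copy still shares the ciphertext's backing array with
	// encryptedData; clone it so the bit flip stays local to this case and
	// cannot affect any case that uses encryptedData afterwards.
	encryptedDataCorruptData.EncryptedData = append(
		encryptedData.EncryptedData[:0:0], encryptedData.EncryptedData...)
	encryptedDataCorruptData.EncryptedData[0] = ^encryptedDataCorruptData.EncryptedData[0]
	_, err = decryptData(encryptedDataCorruptData, key, nonce)
	assert.IsType(t, libkb.DecryptionError{}, errors.Cause(err))
}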
   105  
   106  // Test that EncryptTLFCryptKeyClientHalf() encrypts its passed-in
   107  // client half properly.
func TestCryptoCommonEncryptTLFCryptKeyClientHalf(t *testing.T) {
	// Random ephemeral key pair: the private half goes to the function under
	// test, the public half is used below to open the result.
	ephPub, ephPriv, err := MakeRandomTLFEphemeralKeys()
	require.NoError(t, err)

	tlfKey, err := MakeRandomTLFCryptKey()
	require.NoError(t, err)

	fakePriv := MakeFakeCryptPrivateKeyOrBust("fake key")
	fakePub := fakePriv.GetPublicKey()

	srvHalf, err := MakeRandomTLFCryptKeyServerHalf()
	require.NoError(t, err)

	// The client half is the crypt key masked with the server half.
	wantHalf := MaskTLFCryptKey(srvHalf, tlfKey)

	sealed, err := EncryptTLFCryptKeyClientHalf(ephPriv, fakePub, wantHalf)
	require.NoError(t, err)
	require.Equal(t, EncryptionSecretbox, sealed.Version)

	// The ciphertext must be exactly the client half plus box.Overhead, and
	// the nonce must be 24 bytes long.
	require.Equal(t, len(wantHalf.Data())+box.Overhead,
		len(sealed.EncryptedData))
	require.Equal(t, 24, len(sealed.Nonce))

	// Reject an all-zero nonce.
	var nonce [24]byte
	copy(nonce[:], sealed.Nonce)
	require.NotEqual(t, [24]byte{}, nonce)

	// Open the ciphertext directly with box.Open, using the opposite halves
	// of the two key pairs, rather than going through the package's own
	// decryption helper.
	ephPubBytes := ephPub.Data()
	fakePrivBytes := fakePriv.Data()
	opened, ok := box.Open(
		nil, sealed.EncryptedData, &nonce, &ephPubBytes, &fakePrivBytes)
	require.True(t, ok)

	require.Equal(t, len(wantHalf.Data()), len(opened))

	// Rebuild a client half from the opened bytes and compare it with the
	// one that was encrypted.
	var gotBytes [32]byte
	copy(gotBytes[:], opened)
	gotHalf := MakeTLFCryptKeyClientHalf(gotBytes)
	require.Equal(t, wantHalf, gotHalf)
}
   148  	require.Equal(t, clientHalf, clientHalf2)
   149  }